
Introduction


Presentation Transcript


  1. Introduction Amy

  2. Agenda – follow Amy for a day Timing and coverage

  3. Amy’s home

  4. Amy’s router
     • Router-to-router worm (psyb0t, discovered on Netcomm NB5)
     • MIPS CPUs running Linux
     • Had a collection of ~55 shellcode attacks (30 – for LinkSys, 10 – for Netgear, 15 – for other types)
     • It could
       • Manipulate the DNS
       • Be an invisible MitM
       • Re-flash the router
     • Invisible for AV
     We see only where we look

  5. Amy’s car

  6. Amy’s car – bluetooth and MP3 vulnerabilities
     • Bluetooth vulnerability in mass-production 2009 car (Kohno & Savage)
     • Brakes, door locks and dashboard, remotely read tyre pressure

  7. Amy’s mobile phone
     • Android marketplace calamity in March 2011
     • Zeus and SpyEye attacks on dual authentication
     • Phones usually have 2 CPUs and both can be attacked
     • Consumerisation of IT
       • IT policies
       • Sometimes – not a good thing!
     • Remote lock/wipe/backup
       • Will be misused
     • Computrace and LoJack on PCs – RPCNET.DLL from Absolute.com

  8. Guys, these smart devices are everywhere… You do protect me, don’t you?

  9. At a bank Timing and coverage

  10. Amy’s payment terminals
     • QIWI
       • Has 100,000 terminals in Russia alone
       • PWS trojan infection (PWS.OSMP)
     • Windows is in places you would not expect
       • Information screens in airports
       • Bluescreen on a boat navigation system in Amsterdam during CARO 2008
     • It is not just Windows and Intel
       • Embedded Linux
       • MIPS
       • Android
     You only see where you look!

  11. Near a factory Timing and coverage

  12. Industrial processes (like 235U enrichment)

  13. At work Timing and coverage

  14. Amy’s computer has a bootkit Timing and coverage

  15. Pre-OS
     • MBR and boot-sector viruses
     • W95/CIH
     • BIOS quick-boot vulnerability (Schouwenberg)
     • Bootkits grow
     • EFI, UEFI and GPT (GUID Partition Table)
       • A standard of pre-OS environment and drivers
       • In the BIOS or in a separate partition
       • EFI is a platform like an OS
       • A protected place for malware droppers
       • Getting common - Macs, many laptops and PCs
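The slide's point is that the pre-OS layout (the protective MBR, the GPT header and the EFI System Partition the firmware boots from) is invisible to anyone who never looks at it. The following is an added example, not code from the talk: a Python parser for LBA 0 and LBA 1 of a GPT disk that validates the boot signature and both GPT CRC32s, and reports which entries carry the EFI System Partition type GUID. The disk image it parses is constructed in `build_sample_disk()`; a real audit would read the first sectors of the physical disk instead. The partition type GUIDs are the well-known values from the UEFI specification; everything else (names, LBAs, the disk GUID) is made up for the demo.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
# Well-known partition type GUIDs from the UEFI specification
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")    # EFI System Partition
BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Microsoft basic data


def parse_mbr(sector):
    """Parse LBA 0. Returns (partition list, is_protective_mbr)."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("LBA 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"type": ptype, "active": status == 0x80, "start": start, "sectors": count})
    # A GPT disk carries a single type 0xEE entry starting at LBA 1 so legacy tools leave it alone
    protective = len(parts) == 1 and parts[0]["type"] == 0xEE and parts[0]["start"] == 1
    return parts, protective


def parse_gpt(header, entry_area):
    """Parse the GPT header (LBA 1) and the partition entry array it describes."""
    sig, _revision, hdr_size, hdr_crc = struct.unpack_from("<8sIII", header, 0)
    if sig != GPT_SIGNATURE:
        raise ValueError("GPT signature missing")
    if not 92 <= hdr_size <= len(header):
        raise ValueError("implausible GPT header size")
    # The header CRC covers hdr_size bytes with the CRC field itself zeroed
    zeroed = header[:16] + b"\0\0\0\0" + header[20:hdr_size]
    if zlib.crc32(zeroed) != hdr_crc:
        raise ValueError("GPT header CRC mismatch: header altered or corrupt")
    entries_lba, n_entries, entry_size, array_crc = struct.unpack_from("<QIII", header, 72)
    array = entry_area[: n_entries * entry_size]
    if zlib.crc32(array) != array_crc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = array[i * entry_size:(i + 1) * entry_size]
        type_guid = uuid.UUID(bytes_le=e[0:16])   # GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        first, last, _attrs = struct.unpack_from("<QQQ", e, 32)
        name = e[56:128].decode("utf-16-le").split("\0", 1)[0]
        parts.append({"name": name, "type": type_guid, "first": first, "last": last,
                      "is_esp": type_guid == ESP_TYPE_GUID})
    return {"disk_guid": uuid.UUID(bytes_le=header[56:72]),
            "entries_lba": entries_lba, "partitions": parts}


def audit_layout(mbr, gpt_header, entry_area):
    """Summarise what a pre-OS environment would find on this disk."""
    _, protective = parse_mbr(mbr)
    gpt = parse_gpt(gpt_header, entry_area)
    return {"protective_mbr": protective,
            "esp": [p["name"] for p in gpt["partitions"] if p["is_esp"]],
            "other": [p["name"] for p in gpt["partitions"] if not p["is_esp"]]}


def build_sample_disk():
    """Constructed test data: protective MBR, GPT header and a two-entry partition array."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x00, 0xEE, 1, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xaa"

    def entry(type_guid, uniq, first, last, name):
        e = bytearray(128)
        e[0:16] = type_guid.bytes_le
        e[16:32] = uniq.bytes_le
        struct.pack_into("<QQQ", e, 32, first, last, 0)
        n = name.encode("utf-16-le")
        e[56:56 + len(n)] = n
        return bytes(e)

    entries = (entry(ESP_TYPE_GUID, uuid.UUID(int=1), 2048, 1050623, "EFI system partition")
               + entry(BASIC_DATA_GUID, uuid.UUID(int=2), 1050624, 20971486, "Basic data partition"))
    hdr = bytearray(SECTOR)
    # signature, revision 1.0, header size 92, CRC placeholder, reserved, current/backup LBA, usable range
    struct.pack_into("<8sIII4xQQQQ", hdr, 0, GPT_SIGNATURE, 0x00010000, 92, 0, 1, 20971519, 34, 20971486)
    hdr[56:72] = uuid.UUID(int=0x1234).bytes_le              # constructed disk GUID
    struct.pack_into("<QIII", hdr, 72, 2, 2, 128, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])))
    return bytes(mbr), bytes(hdr), entries


if __name__ == "__main__":
    print(audit_layout(*build_sample_disk()))
```

The CRC checks matter for the defender: a header that no longer verifies is either disk corruption or someone rewriting the partition table by hand, and either way it deserves a closer look before the machine is trusted again.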

  16. You cannot detect what you cannot see… Do you see this malware?

  17. EFI platform
     • EFI has scripting (NSH)
     • All open source
       • OVMF – virtual machines
       • NTFS.EFI – NTFS driver
     • EBC (EFI Byte Code)
       • 32-bit interpreted bytecode
       • Cross-platform
     • Computers can boot into EFI shell

  18. Enabling UEFI boot

  19. EFI shell startup video YouTube link: http://www.youtube.com/watch?v=wrybDw9UL5E

  20. EFI shell

  21. EFI shell startup video and HEXEDIT.EFI demo YouTube link: http://www.youtube.com/watch?v=kiRsaaS1mbM

  22. EFI shell commands (1/4)

  23. EFI shell commands (2/4)

  24. EFI shell commands (3/4)

  25. EFI shell commands (4/4)

  26. EFI nightmares
     • Nightmare scenarios
       • EFI boots → sends HDD image out (or selected files) → continues to boot the OS
       • EFI boots → EFI launches Windows in a virtual machine → has full control after that
       • EFI boots and drops malware into the file system
     • As powerful as BAT scripting
     • Has networking
     • Has unrestricted access to local devices
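The third scenario, EFI dropping files into the file system, and slide 15's "protected place for malware droppers" both come down to executables appearing on or changing in the EFI System Partition without anyone noticing. The following is an added example, not from the talk: a Python baseline check that hashes everything under a mounted ESP, diffs it against a known-good snapshot, and additionally flags any `.efi` file that is not a PE image (EFI executables are PE/COFF, so they start with `MZ`). The ESP tree, the "known-good" loaders and the later changes are all constructed inside `demo()` in a temporary directory; on a real system the baseline would be taken from the vendor image or a clean install and the root would be the mounted ESP.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_esp(root):
    """Hash every file under the ESP, keyed by forward-slash relative path."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_to_baseline(baseline, current):
    """Report paths that appeared, vanished or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_pe_image(path):
    """EFI executables are PE/COFF images, which begin with the 'MZ' DOS header magic."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def non_pe_efi_files(root, snapshot):
    return [p for p in sorted(snapshot)
            if p.lower().endswith(".efi") and not is_pe_image(os.path.join(root, *p.split("/")))]


def demo():
    """Constructed ESP tree: baseline it, then simulate changes and run the checks."""
    with tempfile.TemporaryDirectory() as esp:
        def write(rel, data):
            p = os.path.join(esp, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        # Known-good state (constructed stand-ins for the real loaders, not real binaries)
        write("EFI/BOOT/BOOTX64.EFI", b"MZ" + b"\0" * 62)
        write("EFI/Microsoft/Boot/bootmgfw.efi", b"MZ" + b"\1" * 62)
        baseline = snapshot_esp(esp)

        # Later state: one loader replaced, two new files, one .efi that is not a PE image
        write("EFI/BOOT/BOOTX64.EFI", b"MZ" + b"\xff" * 62)
        write("EFI/unexpected.efi", b"MZ" + b"\x90" * 62)
        write("EFI/BOOT/notpe.efi", b"not a PE image")
        write("startup.nsh", b"echo hello\r\n")   # startup.nsh is what the EFI shell runs on start

        current = snapshot_esp(esp)
        report = compare_to_baseline(baseline, current)
        report["non_pe_efi"] = non_pe_efi_files(esp, current)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run from the OS this only catches what is on the file system; firmware that hides or rewrites the ESP on the fly, the second nightmare scenario, needs the check run from outside the suspect platform, which is the slide's underlying point.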

  27. Guys, you need a wide and hardened net to catch all these nasties everywhere …

  28. Hardening the net
     • Protection should be where it is needed
       • OS?
       • AV (when OS is lacking)?
       • CPU
     • Trust
     • Isolation
     • Audit of data-flow
     • Economics
     • Security on CPUs
       • Open for security companies
       • Separate “security” core?

  29. Technological Trust
     • What can we trust?
       • Digital signatures – Yes (almost always)
       • SSL certificates – Maybe (mostly yes)
     • What would be nice to trust
       • OS
       • Software
       • LAN and WAN agents
     • TPM did not work

  30. Example: Trust enforced at the CPU level
     • A software vendor
       • Submits code to the root authority
       • Pays for a certificate
       • Gets a key back which matches the code
       • Then they can run their “trusted” code
     • Enforced in CPU, not by the OS!
     • Rather restrictive
       • If applied to all software
       • Perhaps OK if applied to “important” software
       • Or certain CPU opcodes which will get special security privileges
     • “Economics” driving security

  31. Conclusions
     • Malware gets into many new places
     • We see only where we look and if we have access
     • We need a wider, ubiquitous net
     • We would benefit from more low-level trust and security

  32. References
     • Routers:
       http://apcmag.com/Content.aspx?id=3687
       http://www.theregister.co.uk/2011/03/10/router_rooting_malware/
     • Cars: http://www.technologyreview.com/computing/35094/?nlid=4233
     • Mobile:
       http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
       http://www.f-secure.com/weblog/archives/00002135.html
     • Antitheft:
       http://www.geek.com/articles/news/stolen-pcs-disabled-over-internet-20030528/
       http://www.intel.com/technology/anti-theft/index.htm
       http://communities.intel.com/docs/DOC-2384
       http://shop.lenovo.com/ISS_Static/WW/AG/merchandising/US/PDFs/lenovo_anti_theft_protection.pdf
     • Qiwi: www.lenta.ru/news/2011/03/16/qiwi/
     • ATMs:
       http://www.computerworld.com/s/article/9179796/Update_ATM_hack_gives_cash_on_demand
       http://www.computerworlduk.com/news/security/16042/more-dodgy-atms-in-las-vegas-found-by-defcon-attendees/
     • Stuxnet:
       http://en.wikipedia.org/wiki/Stuxnet
       http://www.f-secure.com/weblog/archives/00002066.html
     • EFI:
       http://software.intel.com/en-us/articles/efi-shells-and-scripting/
       www.tianocore.org
       http://www.logic.nl/Products/Technology/BIOS-and-EFI.aspx

  33. Questions
