How to Keep Hackers Out of Your Organisation

Post on 19-Jan-2015


By Martin Overton, Ethical Hacker, IBM Security Services

Transcript of How to Keep Hackers Out of Your Organisation

1

Keeping Hackers Out of Your Organisation…

By Being Hacked!

Martin Overton, EMEA ERS Lead and Senior Security Consultant, Cyber Security Intelligence and Response Team (CSIRT)

2

Agenda

• Threatscape

• Real World “Hacking” Examples and Customer Stories:

– Networks

– End-Points

– Web Applications

– The Human

• Solutions

• Questions?

3

The number of vulnerabilities increases radically with the emergence of new business models and technologies.

Adopting new business models and embracing new technologies:

• Mobility
• Employees, customers, contractors, outsourcers
• Bring your own IT
• Social business
• Cloud and virtualization

Exponentially growing and interconnected digital universe:

• 1 trillion connected objects (cars, appliances, cameras)
• 30 billion RFID tags (products, passports, buildings and animals)
• 1 billion workers will be remote or mobile
• 1 billion mobile Internet users
• 30 percent growth of 3G devices
• 33 percent of all new business software spending will be Software as a Service

Source: IBM X-Force® Trend Report, 2011

4

Motivation and Sophistication is Evolving Rapidly

• Attackers have more resources

• Off-the-shelf tools are available for sale

• They will keep trying until they get in

5

The new security landscape: Sophisticated attackers are a primary concern

Threat profiles by type, share of incidents and attack type (the slide's vertical axis is labelled Potential Impact):

• Advanced threat / mercenary (23% of incidents)
  – Type: National governments, Terrorist cells, Crime Cartels
  – Attack Type: Espionage, Intellectual property theft, Systems disruption, Financial Crime

• Malicious Insiders (15% of incidents)
  – Type: Employees, Contractors, Outsourcers
  – Attack Type: Financial Crime, Intellectual Property Theft, Unauthorized Access/

• Hacktivist (7% of incidents)
  – Type: Social Activists
  – Attack Type: Systems disruption, Web defacement, Information Disclosure

• Opportunist (49% of incidents)
  – Type: Worm and virus writers, “Script Kiddies”
  – Attack Type: Malware propagation, Unauthorized Access, Web defacement

Source: Government Accountability Office, Department of Homeland Security's Role in Critical Infrastructure Protection Cybersecurity, GAO-05-434; IBM CyberSecurity Intelligence & Response Team, September 2012

6

Did you know...

2,641,350 Security Attacks: what the Average Company Faces Per Week

62 Security Incidents: what the Average Company Experiences Per Week

Top 7 Most ATTACKED Industries

1. Health & Social Services
2. Transportation
3. Hospitality
4. Finance & Insurance
5. Manufacturing
6. Real Estate
7. Mining, Oil & Gas

Top 5 reasons WHY attacks were possible

1. End user didn’t think before clicking
2. Weak password / default password in use
3. Insecure configuration
4. Use of legacy hardware or software
5. Lack of basic network security protection or segmentation

What IBM Sees: Categories of Attack

• Malicious Code
• Sustained Probe or Scan
• Unauthorized Access
• Low-and-Slow Attack
• Access/Credentials Abuse
• Denial of Service

7

Top Reasons WHY Compromises Occur

End users/endpoints:

1. Double-clicking “on anything”
2. Disabling endpoint security settings
3. Using vulnerable, legacy software and hardware
4. Failing to install security patches
5. Failing to install anti-virus
6. Failing to report a lost/stolen device
7. Connecting an endpoint to a network from an insecure access point (e.g., Starbucks)
8. Using a second access point (e.g., AirCard), creating a bypass
9. Using weak/default passwords and/or using business passwords for personal use
10. Giving passwords over the phone

Infrastructure:

1. Connecting systems/virtual images to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update or patch systems/applications on a timely basis
4. Failing to implement or update virus detection software
5. Using legacy/end-of-life (EOL) software and hardware
6. Running unnecessary services
7. Using insecure back end management software
8. Failing to remove old or unused end user accounts
9. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing
10. Failing to segment the network and/or adequately monitor/block malicious traffic with IDS/IPS

80-90% of all security incidents can be easily avoided!

8

Screenshots from REAL Hacks, Customer Stories and a Video…

9

Network Hacked Step 1!

• Initial compromise was via a default Apache Tomcat manager user id and password…
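The defensive counterpart to this first step is checking your own Tomcat instances for exactly that condition. The following audit of a tomcat-users.xml is an added example, not part of the original talk; the sample XML and the weak-password list are constructed here.

```python
"""Audit a Tomcat tomcat-users.xml for Manager-app accounts that still use
default or well-known passwords.  Added example, not part of the original
talk; the sample XML and the weak-password list are constructed here."""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed list of passwords an attacker tries first (not exhaustive).
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "s3cret",
                  "changeit", "root", "123456"}

# Constructed sample tomcat-users.xml with one default and one weak account.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk9!vQ2#pL7m" roles="manager-script"/>
  <user username="reader" password="reader" roles="manager-status"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Return (username, privileged roles, reason) for every account that can
    reach the Manager app with a default password or one equal to its name."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":   # strip the XML namespace
            continue
        name = elem.get("username", "")
        pwd = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        exposed = sorted(roles & PRIVILEGED_ROLES)
        if not exposed:
            continue   # cannot reach the Manager app: out of scope here
        if pwd in WEAK_PASSWORDS:
            findings.append((name, exposed, "well-known/default password"))
        elif pwd.lower() == name.lower():
            findings.append((name, exposed, "password equals username"))
    return findings

if __name__ == "__main__":
    for name, roles, reason in audit_tomcat_users(SAMPLE_XML):
        print(f"{name}: {reason} (roles: {', '.join(roles)})")
```

Accounts without a manager or admin role are ignored, so the report lists only the credentials that would have opened the door described on this slide.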

10

Network Hacked Step 2!

• We then uploaded a special WAR file to gain remote shell access…

11

Network Hacked Step 3!

• Using this we dumped password hashes from the system and created a user account, which we then added to the local Administrator group…

12

Network Hacked Step 4!

• Then we could log in using Microsoft Terminal Server Client…

13

Network Hacked Step 5!

• Which we then cracked to find the passwords…

• Including the Administrator!

• This same technique was used on another server

14

Network Hacked Final Step!

15

What Does The Previous Slide Mean?

• It means we have Domain Admin on the network.

• This means we can now access ANY system in the Domain.

• This means we can see ALL data on all systems in the Domain.

• In other words, we now own the network.

• We will tell you and do no harm; the bad guys work to other agendas!

16

Customer Win Story (Penetration Test): A large French company owning several brands decided to assess its systems by performing External and Internal penetration testing with IBM.

Business challenge:

• Concerned about external attacks by real hackers, they wanted to test their systems, and their monitoring and response infrastructure, against a real hacker attacking from the internet.

Solution components:

• IBM penetration testing to identify and help correct exposure to the Internet

Solution:

• IBM discovered a critical vulnerability in one of the extensions installed on the CMS powering the public extranet.

• By exploiting this vulnerability, IBM was able to take control of the hosting server, establish a tunnel (internet -> DMZ) and project the attacker machine onto the private DMZ segment. The encrypted tunnel nullified network security protections such as the firewall and IPS. From there, the hacker could attack any internal service, gaining access to other hosts and to sensitive documents and databases.

Solution/Benefits:

• IBM provided detailed remediation recommendations to the customer and the issues were resolved quickly

17

Customer Win Story (Application Test): A large bank assessed the security risks of its internet-facing applications and infrastructure

• Business challenge:

– As part of its regular security practice, a large European bank engaged IBM to verify the security of its internet-facing infrastructure and applications.

• Solution:

– IBM assessed the infrastructure and found a SQL injection flaw that could be used by an unauthorized attacker to gain access to sensitive data

– IBM also found a SQL injection flaw in one of the applications, which gave an attacker full access to internal data

• Benefits:

– IBM worked with the application developers to resolve the issues

– The client re-coded as recommended and IBM then retested: all issues were confirmed fixed

Vulnerabilities were found that allowed anybody to get access to confidential data

18

So Just How Easy is it to Hack a Web Application (Web Site)?

19

Social Engineering Testing

• This includes the following [1]

– Workstation/Laptop Security

– Tailgating

– USB Sticks

– Confidential Data

– Phishing (Email and Web)

– Phishing (Phone)

– Customer Specific Tests

[1] This is a pick-and-mix solution and is often bespoke to the client's specific needs.

20

Definition: Phishing

• The art of using social engineering to encourage the user to divulge information

• The user receives an email directing them to a website which looks official, but isn’t!

• The user is encouraged to enter account details, passwords etc.

• However, phishing can also be carried out via VoIP, SMS or traditional phones or mobiles.

21

Spear Phishing

• Phishing scam targeting a single company or organisation

– If your users received an email from “H.R.” asking them to confirm their username/password, how many would?

• Attacks have a specific aim: to gain access to your internal systems

• Many so-called APT* or Targeted attacks use this as one of their main attack vectors.

• This is made easier by the vast amount of data most people give away via social media sites and services…

*Advanced Persistent Threat

22

Phishing (Email and Web)

This fake HSBC email contained a link to the fake HSBC website that was set up specifically for this test. The fake website was hosted at the following URL:

http://hsbc.banking.services.http01.com/HSBC/

Below is a screenshot of the phishing email sent to the supplied addresses from a fake HSBC email account, HSBC.Alert@post.com:
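The test URL above shows the pattern a mail filter or security awareness tool can catch: the brand name sits in the hostname and path, but the registered domain (http01.com) is not one the brand owns. The following link checker is an added example, not from the original talk; the brand allowlist and the sample email body are constructed here, and only the HSBC test URL is taken from the slide.

```python
"""Flag phishing-style links whose hostname or path borrows a trusted brand
name while the link actually lands on an unrelated domain.  Added example,
not from the original talk; allowlist and sample email are constructed."""
import re
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> domains the brand legitimately owns.
BRAND_DOMAINS = {"hsbc": ("hsbc.com", "hsbc.co.uk")}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_is_owned_by(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def classify_url(url):
    """Return (brand, host) when the URL name-drops a brand that does not own
    the host; None when no brand is borrowed or the host is legitimate."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    haystack = host + parsed.path.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in haystack and not host_is_owned_by(host, allowed):
            return brand, host
    return None

def suspicious_links(message_text):
    """Extract every URL from an email body and return the suspicious ones
    as (url, brand, host) tuples."""
    hits = []
    for url in URL_RE.findall(message_text):
        verdict = classify_url(url)
        if verdict:
            hits.append((url, *verdict))
    return hits

# Constructed email body built around the slide's test URL.
SAMPLE_EMAIL = """From: HSBC.Alert@post.com
Subject: Action required on your account

Please confirm your details at
http://hsbc.banking.services.http01.com/HSBC/
The genuine site https://www.hsbc.co.uk/ is listed here for comparison.
"""

if __name__ == "__main__":
    for url, brand, host in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {url} -> brand '{brand}', host '{host}'")
```

The suffix match is a deliberate simplification; a production filter would resolve the registered domain with the Public Suffix List rather than trusting that the allowlist covers every country-code variant.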

23

Phishing (Email and Web)

This fake site was complete with a working password box that masked the input (as in real life) and also asked the victim to install a new SSL Certificate (really a renamed payload from the USB stick).

24

Phishing (Email and Web)

• One of the victims clicked on the link in the bogus email and then proceeded to supply their “real” business account details.

The two redacted fields (between the | symbols after the 100000 entry) contained the real HSBC login id and password for the victim's HSBC account.

25

Phishing (Phone)

• This part of social engineering testing involves making phone calls to a pre-agreed number or numbers and pretending to be from the helpdesk, a supplier, or a customer having problems with their account/service.

• The story is agreed with the customer before being used; often this will involve several stories and attacks from different vectors (customer, support, HR, etc.)

• Then there is Vishing and Smishing…

26

Solutions – Penetration Test Methodology

• Security is a Journey, not a Destination…

• Uses the same techniques and tools as the Bad Guys and Girls…

• Lots of manual testing using very specialised skills…

• A very detailed report with findings, including step by step details on exactly how we hacked systems or people…

• Report includes a management summary, full technical findings, remediation instructions as well as prioritized recommendations…

27

The Value of Penetration Testing

• IBM penetration testing services can deliver:

– An effective, affordable service that provides a “hacker’s-eye” view of a client’s security posture

– The identification of security issues before they are exploited, giving organizations an opportunity to prevent threats before they can impact the business

– Access to security experts and proven best practices, and a detailed action plan with remediation recommendations

– Assistance in ensuring regulatory compliance and business continuity

28

Additional Offerings

• IBM Penetration Testing Can and Often Does Include:

• Malware Defence Review

• SCADA Penetration Test

• Network Penetration Test

• On-site Penetration Test

• Application Assessment

• Application Code Analysis (web, java, mobile, etc.)

• Social Engineering (“Hacking the Human”)

• Wireless Security Testing

• Emergency Response and Incident Management

29

Team Skills…Beyond Penetration/Application Testing…

• Reverse Engineering

• Hardware/Firmware Hacking, including rooting and jail-breaking

• Knowledge of iOS, Java, Android as well as the usual suspects…

• Malware, Exploits and bypassing security technologies

• Coding in C, C++, C#, Java (and derivatives), Perl, Python, PHP, Basic, Assembler, Shell scripting, Pascal, REXX, etc.

30

ERS Hotline: Have an emergency? Call IBM ERS 24x7x365

(US) 1-888-241-9812

(WW) 1-312-212-8034

Best Practices: Ensure you have access to the resources and tools needed to respond quickly to the inevitable incident

• Clients should consider retaining expert security consultants prior to an incident. This ensures guaranteed access to resources, knowledge of your environment, and predictable response times.

• As an example, IBM’s Emergency Response Service Subscription includes:

– Initial one-day workshop for incident planning

– 120 staff hours per year, which can be utilized remotely or on site at the client’s discretion for emergency response services or preventative services

We can perform these preemptive incident preparation services at the beginning or at any given time during the subscription:

– Active threat assessment

– Cyber Security Incident Response Program gap assessment

– Incident response training and simulated exercise

– Unlimited emergency declarations

– Two seats on the X-Force Threat Analysis Service

– Quarterly check point, remote support, and update on the threat landscape

31

Customer Win Story (ERS): An international defence contractor…

• Business challenge:

– The FBI contacted the customer to inform them that they had been hacked and that the attackers were stealing data from them as well as “bugging” key executives’ laptops. The FBI also suggested that they get help in finding and removing the malcode.

• Solution:

– IBM identified the new (unknown) malware that had been installed (and how it was hidden)

– IBM identified how, and to which remote systems, the data was being “exfiltrated”.

• Benefits:

– IBM identified the new malware and identified how it installed, what it did, etc.

– IBM created a “bespoke” detection and removal script for the customer. This “killed” the malware in memory and then deleted the malware from the system. It also sent reports of infections found and cleaned to the security manager.

– The client was delighted with our speed of action and the complete removal of the malware.

An APT was found that had allowed attackers to get access to confidential data, including weapons systems code and blueprints, as well as to record executive meetings!

32

What can you do now?

• Be aware. Do security testing (penetration, application, process and procedures, etc.) for visibility and prioritization as part of a proper risk management strategy

• Be proactive. Manage against vulnerabilities and carry out log analysis, as well as baselining your “normal” network data flows, for real-time detection and protection against sophisticated attacks

• Be prepared. Have an incident response plan in place to quickly respond to and remediate a breach, but don’t forget to test it…

When you do suffer a breach (and you will), who are you going to call?

33

Contact details…..

Martin Overton

Security Consultant, Ethical Hacker, Malware Specialist, Forensics, etc.

IBM ISS X-Force – EMEA CSIRT

• E-Mail: overtonm@uk.ibm.com

• Telephone: +44 (0)239 2563442

• Mobile: +44 (0)776 4666939

34

Questions?

35

Who I am, my background, skills, etc.

• My name is Martin Overton and I’m a hacker…

• Sun Alliance / Royal and SunAlliance

– Joined 1988

– Commissioning PCs, Strategy (hardware and software)

– Responsible for Malware Research/Prevention (10 years), Ethical Hacker (2.5 years)

• Outsourced April 2002

– Joined EMEA IGS Security June 2002 as Malware/Anti-Malware SME

– Moved to MSSD (EMEA) June 2004 to set up EMEA Virus CERT, Member of Global Virus CERT

– Moved to ISS X-Force Professional Security Services April 2008

– Also doing ethical hacking, computer forensics and application assessments as well as malware related work.

– Now the EMEA lead for ERS (but still doing the ethical hacking, etc.)

• Other

– Helped set up Independent ISS UK User Group

– WildList reporter, Charter member of AVIEN

– Regular lecturer at University of Warwick (amongst others)

– Lots of published papers and presented at many international conferences, such as CompSec, EICAR and Virus Bulletin

– 25+ Years of knowledge on malware and related security threats

– 10+ Years of knowledge in ethical hacking, forensics and application testing