(ISC)2 CyberSecureGov 2015 - The Next APT: Advanced, Persistent Tracking

#Cybersecuregov

From Zero to 60: Advancing the Cybersecurity Workforce

The Next APT: Advanced, Persistent Tracking

Jarad Kopf and G. S. McNamara

3 #CybersecuregovFrom Zero to 60:Advancing the Cybersecurity Workforce

Introduction

» Persistent tracking mechanisms very prevalent and growing

» Tech conglomerates such as Google have flirted with this type of new technology

» Not limited to cookies anymore, these tracking mechanisms come in many forms


Why should you care?

» Privacy concerns

» These technologies are extremely

accurate

» Perhaps violating your organization’s

policy


Evercookies

» Goal: Identify unique client even after standard cookies have been removed

» Storage mechanisms include: Flash Cookies, Silverlight Isolated storage, HTTP ETags*, many more


Evercookie FAQs

» Do evercookies work cross-browser?

» Does the browser or server have to install anything?


Evercookie Repopulation

Image: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf

https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf




ETag Overview

» One storage mechanism of Evercookies

» ETag (Entity Tag) part of HTTP protocol• provides for web cache validation

» Can be used as opaque identifier assigned by a web server to a specific version of a resource found at a URL


ETag Mechanism

Im1e.coage: https://lucbm/randomprojects/cookielesscookies/

https://lucb1e.com/randomprojects/cookielesscookies/







HSTS Overview» HSTS: web security policy

mechanism to protect HTTPS websites from downgrade attacks

» Allows web servers to declare that web browsers should only interact using secure connections

» Your browser can remember this – this is set when the server sends back an HTTP header with a parameter field named Strict-Transport-Security


Abusing HSTS

» HSTS potential for tracking is specified in RFC 6797

» No known cases in the wild yet

Images taken from: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/)

https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/






Fingerprinting (Type 1 of 2): Device


Fingerprinting (Type 2 of 2): Canvas


Let’s tell a story…

(If I were evil)


A world full of corporate assets


We might even allow BYOD


We’ve hardened our network


And we trust our ISP


But what about the phones?


The carrier wouldn’t meddle with our data

“Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine”http://www.wired.com/2014/10/verizons-perma-cookie/


The data gathered would never then be sold

“Relevant Mobile Advertising Program”

http://www.verizonwireless.com/support/relevant-mobile-ad/


Selling location data is inconceivable

“Carriers Sell Users’ Tracking Data in $5.5 Billion Market” http://www.bloomberg.com/news/articles/2013-06-06/carriers-sell-users-tracking-data-in-5-5-billion-market


Location lacks impact

“ISIS Fighter Accidentally Geotagged Tweets And Revealed His Not-So Secret Location”http://www.mtv.com/news/2038989/isis-twitter-geotagging-fail/


If only used for ads, is this OK?


Ads are safe

“Malware in ads turn computers into zombies”

http://www.usatoday.com/story/tech/2015/01/20/malvertising/21889547/


Well, if you stick to legitimate sites

“Malvertising hits The New York Times”

http://www.dailyfinance.com/2009/09/14/malvertising-hits-the-new-york-times/


This ‘malvertising’ economy won’t catch on

“Malvertising Abuses Real-Time Bidding on Ad Networks”https://threatpost.com/ad-networks-ripe-for-abuse-via-malvertising/111840


It’s probably just run by kids

“APTs Target Victims with Precision, Ephemeral Malvertising”https://threatpost.com/apts-target-victims-with-precision-ephemeral-malvertising/108906


Besides, cyber-physical isn’t real

“'Operation DeathClick' targets defense contractors”http://archive.federaltimes.com/article/20141017/IT/310170016/-Operation-DeathClick-targets-defense-contractors


Malware doesn’t even work on phones

“Ads 'biggest mobile malware risk'”

http://www.bbc.com/news/technology-26447423


It only works on “real” computers

“Now e-cigarettes can give you malware”

http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers


The future isn’t mobility anyway

“BYOD: Many Call It Bring Your Own Malware (BYOM)”

http://blogs.cisco.com/security/byod-many-call-it-bring-your-own-malware-byom


And the small details don’t matter

“Two US power plants infected with malware spread via USB drive”http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/


Next-Gen Tracking is a blind spot.


This was just one idea


Policy Scandals


EU Cookie Law

» Into effect May 2012» EU requires prior

informed consent for storage of or access to information stored on a user’s machine• Many exemptions

» Tools like Google Analytics fall under jurisdiction


So what now?

»Talk to legal about policy

updates

»Talk to IT about control


“The greatest victory is that which requires no battle.”― Sun Tzu, The Art of War

Jarad Kopf, M.S., [email protected]

G. S. McNamara, [email protected]

Documents

(ISC)2 CyberSecureGov 2015 - The Next APT: Advanced, Persistent Tracking