Presentation by Luc de Graeve at the Gordon Institute of Business Science in 2001. This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
GORDON INSTITUTE OF BUSINESS SCIENCE
Security in e-Commerce
March 2001
© Luc de Graeve, www.sensepost.com
AGENDA
1. CASE STUDY
– Wake-up call, February 2000
2. THE BASICS
– Understanding the ‘Net
– Understanding DoS
3. THE NEW KID ON THE BLOCK - HELLO DDoS
– Introducing co-ordinated distributed attacks
– Profile of a typical attack
– Common DDoS attack tools
4. DEFENDING YOURSELF & YOUR FRIENDS
– Strategies for availability
– Join the team - global defense efforts
– Getting greasy
5. RESPONDING TO DoS ATTACKS
– What to do when your number’s up
6. THE BOTTOM LINE
– Questions & Conclusions
Introduction
• About me
• SensePost
• Objective
• Approach
• References:
– http://www.sensepost.com
“discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention” - Charles Tomlinson, Rudimentary Treatise on the Construction of Locks, 1850
“Just in case you missed out on the whole ordeal last week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time...”
We’re trying to make banking…
Simpler. Better. Faster.
We’re trying to break banking…
Simpler. Better. Faster.
What Hackers do:
• Steal
– Information - to use and to sell
– Money from accounts
– Goods through e-buying
– Resource - time and equipment
• Talk, Boast
• Leave backdoors open
– Launch new attacks
How do they do it?
• Social engineering
• Networking
• Resources from the web...
How do they do it? (2)
• Information gathering
• Footprinting
• ID servers/services by portscan
• ID OS, service types (MS, IIS)
• Check vulnerability databases
• Run vulnerability checker (whisker)
• Search for exploit tool / build exploit tool
• Use tool
• Gain control
• Deface, delete, cover tracks.
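The portscan and service-identification steps of the methodology above, as an added example (not from the slides and not SensePost tooling): a TCP connect scan with banner grabbing, run against a constructed local target so it works offline. The banner regexes, the fake target and the hostname `shop.example` are assumptions for illustration.

```python
"""Port scan plus banner grab: the 'ID servers/services by portscan' and
'ID OS, service types' steps of the methodology above.  Added example for
this page (not SensePost tooling); it runs against a constructed local
target so it works offline."""
import re
import socket
import threading

# Greeting/response patterns -> service name.  These few regexes are an
# illustrative assumption; real fingerprinting uses large signature sets.
BANNER_SIGNATURES = [
    (re.compile(r"^SSH-\d\.\d-"), "ssh"),
    (re.compile(r"^220 .*\bFTP\b", re.I), "ftp"),
    (re.compile(r"^220 .*\bE?SMTP\b", re.I), "smtp"),
    (re.compile(r"^HTTP/\d\.\d \d{3}"), "http"),
]


def grab_banner(host, port, timeout=0.5):
    """Connect and return what the service says.  FTP/SMTP/SSH greet first;
    a silent service is probed with a minimal HTTP HEAD, the case that
    matters for an e-commerce front end.  None if the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            if not data:
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                try:
                    data = s.recv(2048)
                except socket.timeout:
                    data = b""
            return data.decode("latin-1")
    except OSError:
        return None


def identify(banner):
    """Map a banner to (service, product).  The product is the Server header
    for HTTP (e.g. 'Microsoft-IIS/4.0' gives away both OS family and web
    server), otherwise the greeting line itself."""
    if banner is None:
        return None
    first = banner.split("\r\n", 1)[0].strip()
    service = next((name for pat, name in BANNER_SIGNATURES if pat.search(first)),
                   "unknown")
    m = re.search(r"^Server:\s*(.+?)\s*$", banner, re.I | re.M)
    product = m.group(1) if m else (first or None)
    return service, product


def scan(host, ports, timeout=0.5):
    """TCP connect scan over `ports`; returns {open_port: (service, product)}."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            results[port] = identify(banner)
    return results


def start_fake_service(greeting=None, http_response=None):
    """Constructed target for the demo: listens on 127.0.0.1, ephemeral port.
    Sends `greeting` on connect, or waits for a request and answers with
    `http_response`.  Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if greeting is not None:
                        conn.sendall(greeting)
                    else:
                        conn.settimeout(2)
                        conn.recv(1024)          # wait for the HEAD request
                        conn.sendall(http_response)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    ftp = start_fake_service(greeting=b"220 shop.example FTP server ready\r\n")
    web = start_fake_service(
        http_response=b"HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n")
    for port, (service, product) in sorted(scan("127.0.0.1", [ftp, web]).items()):
        print(f"{port}/tcp open  {service:<8} {product}")
```

Run against your own perimeter, this is the attacker's first-hour view of you: whatever the Server header or greeting gives away (product and version) is exactly what gets looked up in the vulnerability databases in the next step, so the cheapest defence at this stage is to stop advertising it.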
February Fun
• Major attack launched between February 7 and 14, 2000
• Approximately 1,200 sites affected
• Including a number of high-profile sites:
– CNN.com, Yahoo, eBay, Amazon, Dell, Buy.com
• Simple bandwidth usage
• Yahoo! attack lasted from about 10:30 a.m. till 1 p.m.
– requests totaled roughly 1 gigabit per second
• Canadian teen “Mafiaboy” arrested in April
– pleads guilty to 55 charges in Montreal, November 2000
– Faces 2 years & US$650
February Fun - the aftermath
• FBI estimates that DoS attacks during February 2000 cost $1.2 billion
• eBay’s share price fell 25% the day after its website was taken down, costing them a total of US$1.2bn. They reportedly spent US$100,000 in securing their site against further attacks.
DoS using Amplifiers - SMURF
Check: www.netscan.org
New Kid on the block - DDoS
Profile of a typical attack
• Initiate a scan phase in which a large number of hosts (100,000 or more) are probed for a known vulnerability.
• Compromise the vulnerable hosts to gain access.
• Rootkit
• Install the tool on each host.
• Use the compromised hosts for further scanning and compromises.
• Via automated processes a single host can be compromised in under 5 seconds
Building an attack network
• August 1999, a trinoo network of 2,200 systems used against the University of Minnesota and others
• Assuming 3 to 6 seconds for each host, with pre-selection of the target systems, gives 2 - 4 hours to set up
The challenge of DDoS
• You may be down
• Spoofed addresses
– Technically difficult to trace
• Diverse network ownership
– You don’t control the infrastructure
– Neither does your ISP
• Different time zones
– Hello, is that Singapore?
• Language
– Sprechen Sie Deutsch?
• National boundaries
• Differing legislation
• Protecting legitimate users
– You can’t block 196.4.160.0/16
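The scan phase from “Profile of a typical attack”, the Smurf amplifier slide and the spoofed-address problem above, served by one added example (not from the presentation and not SensePost code): three detections over constructed flow records. The record format, the thresholds, the sample traffic and the choice of 196.4.160.0/24 as “our” prefix are all assumptions made for this example.

```python
"""Three detections over constructed flow records: the reconnaissance sweep
that opens the attack profile (one host probing many), a Smurf amplifier
run (many echo replies from one /24 to a single victim), and spoofed
packets leaving our own network, which egress filtering at the border
would drop.  Added example for this page, not SensePost code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the address space we are responsible for.  196.4.160.0/24
# echoes the slide's example of a range you cannot simply block.
OUR_PREFIX = ip_network("196.4.160.0/24")


def parse(lines):
    """Record format (constructed for this example):
    '<secs> <in|out> <src> <dst> <tcp|udp|icmp> <sport> <dport>'
    For icmp the last two fields carry ICMP type and code."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, src, dst, proto, a, b = line.split()
        flows.append({"ts": int(ts), "dir": direction, "src": ip_address(src),
                      "dst": ip_address(dst), "proto": proto,
                      "a": int(a), "b": int(b)})
    return flows


def find_sweeps(flows, min_targets=20):
    """One source touching >= min_targets distinct hosts on the same port:
    the scan phase in which 100,000 hosts are probed for one known hole.
    Returns {(src, dport)}.  A production rule would also bin by time."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] in ("tcp", "udp"):
            targets[(str(f["src"]), f["b"])].add(f["dst"])
    return {key for key, dsts in targets.items() if len(dsts) >= min_targets}


def find_smurf(flows, min_replies=10):
    """ICMP echo replies (type 0) from many hosts in one /24 to a single
    destination: that /24 answered a directed broadcast whose (spoofed)
    source was the destination.  The destination never sent the requests;
    it is the victim.  Returns {victim: [amplifier /24s]}."""
    replies = defaultdict(set)
    for f in flows:
        if f["proto"] == "icmp" and f["a"] == 0:
            amp = ip_network(f"{f['src']}/24", strict=False)
            replies[(str(f["dst"]), str(amp))].add(f["src"])
    victims = defaultdict(list)
    for (victim, amp), srcs in replies.items():
        if len(srcs) >= min_replies:
            victims[victim].append(amp)
    return dict(victims)


def find_spoofed_egress(flows, our_prefix=OUR_PREFIX):
    """Outbound packets whose source is not one of ours: nothing legitimate
    looks like this, but a compromised host spoofing a victim does.  The
    'technically difficult to trace' problem exists because networks let
    these out; an egress filter on the border drops them."""
    return sorted({str(f["src"]) for f in flows
                   if f["dir"] == "out" and f["src"] not in our_prefix})


def constructed_sample():
    """Constructed records, not captured traffic."""
    lines = []
    # Reconnaissance: one outside host touches 25 of our hosts on tcp/80.
    for i in range(1, 26):
        lines.append(f"{i} in 203.0.113.7 196.4.160.{i} tcp 40000 80")
    # Smurf: twelve hosts on 198.51.100.0/24 echo-reply to one of ours.
    for i in range(20, 32):
        lines.append(f"{30 + i} in 198.51.100.{i} 196.4.160.10 icmp 0 0")
    # Egress: one legitimate flow, one with a source address we do not own.
    lines.append("70 out 196.4.160.5 203.0.113.50 tcp 51000 443")
    lines.append("71 out 192.0.2.9 203.0.113.50 udp 53 53")
    return lines


if __name__ == "__main__":
    flows = parse(constructed_sample())
    print("sweeps:        ", find_sweeps(flows))
    print("smurf victims: ", find_smurf(flows))
    print("spoofed egress:", find_spoofed_egress(flows))
```

The Smurf check is the defender-side complement of the netscan.org test on the slide: netscan asks whether your prefix answers directed broadcasts, this asks whether someone else's already is, with you as the victim. Closing an amplifier means turning off directed broadcast forwarding on the routers (`no ip directed-broadcast` on Cisco IOS, which is what the Cisco link in the references covers); the egress check is the other half of the bargain, since an ISP that drops spoofed packets at its border never has to be phoned in Singapore at 3 a.m.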
Future Imperfect - predictions 2001
Marcus H. Sachs, US Department of Defense
“2001 will also see continued development of distributed denial of service attack networks. These attack networks will no longer rely on manual establishment by the attacker, but will automatically establish themselves through the use of mobile code and html scripting.”
Future Imperfect - predictions 2001
Peter G. Neumann, SRI International
“We are likely to see some organized, possibly collaborative, attacks that do some real damage, perhaps to our critical infrastructures, perhaps to our financial systems, perhaps to government systems, all of which have significant vulnerabilities.”
Future Imperfect - predictions 2001
Bruce Moulton, Fidelity Investments
“Hacktivism and other cyber attacks emanating from countries with weak or non-existent legal sanctions and investigative capabilities will escalate. This is likely to be the root of at least one headline-grabbing cyber incident (much bigger than DDoS or LoveBug) that will send a loud wake-up call to the commercial sector.”
SECURITY STATISTICS
Commercial Crime
• Commercial crime up 3.5% from last year
– R 3.4 billion in the first half of '99 alone
• 84.3% of cases involved fraud
– 25,000 incidents
– R 2.9 billion
• Gauteng occupies first position with regard to commercial crime
• www.saps.org.za
SECURITY STATISTICS
Computer Crime
• 61% of the organizations surveyed have experienced losses due to unauthorized computer use.
• The average loss resulting from security breaches in all categories was approximately $1,000,000
FBI / CSI Survey, 1999
SECURITY STATISTICS
CyberCrime Costs Money
“Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day.”
Financial Mail - April 2000
SECURITY STATISTICS
Computers & Commercial Crime
KPMG:
‘63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as "Extremely High"’
SECURITY STATISTICS
Did they have it coming?
• Access control 93%
• Biometrics 9%
• Encrypted files 61%
• Anti-virus software 98%
• Reusable passwords 61%
• Firewalls 91%
• Encrypted log-in/sessions 46%
• Physical security 91%
• PCMCIA, smart cards, one-time tokens 39%
• Intrusion detection 42%
• Digital IDs, certificates 34%
FBI / CSI Survey, 1999
SECURITY STATISTICS
Threat Distribution - USA
• Theft of proprietary info 20%
• Sabotage of data or networks 15%
• Telecom eavesdropping 10%
• System penetration by outsider 24%
• Insider abuse of net access 76%
• Financial fraud 11%
• Denial of service 25%
• Virus contamination 70%
• Unauthorized access to info by insider 43%
• Telecom fraud 13%
• Active wiretapping 2%
• Laptop theft 54%
SECURITY STATISTICS
Threat Distribution - RSA
Some form of breach 89%
Virus incident 87%
Theft of equipment 80%
E-mail intrusion 27%
Loss of company documents 12%
Breach of confidentiality 8%
External systems attack 8%
Internal systems attack 6%
SECURITY STATISTICS
The value of statistics
• What we know:
– There is a threat to our information resources
– The threat has direct financial implications
– The threat is growing
– A large part of the threat is internal
– There are a number of distinguishable trends
• What we don’t know:
– How accurate are the statistics?
– Are international statistics relevant in SA?
– Are international solutions relevant in SA?
– What does this all mean to me?
You need to determine your own unique risk profile
What me worry?!
• Loss in productivity
• Human resources
– Internal & external
• Loss of reputation
• Lost confidence
– in your service & in e-business in general
• Lost transaction revenue
• Lost customer base
• Share price manipulation
– Shareholders, staff, working capital
• Liability costs
Whoah Cowboy!
icsa.net, February 2000:
“The Internet has now taken a drastic "hit" to its reliability and integrity due to the recent DDoS attacks. It is only through the cooperation and unification of all Internet users that we will find the solution, and stop DDoS from taking the Internet out from under our commerce, education, communities, and individuals.”
But has it really been all that bad?
TRENDS & FUTURE THREATS
The New Wave is here
• We’re already seeing examples of the new generation of threats:
• DDoS
– Yahoo / eBay
• Trojans & Worms
– Microsoft
• Semantic
– Emulex Corp.
– NIKE
– Air Traffic Control
• Corporate Backdoors
– Microsoft NSA backdoor?
– 3COM switch undocumented access
DEFINING RISK
Determining your own risk
• What is Risk?
– Valuable resources + exploitable technology
• What is “Secure”?
– When the financial losses incurred are at an acceptable level
• Your “Risk-Profile”:
– The value of your information
– The degree of technological vulnerability
– A level of loss that is acceptable to you
Unique to your organisation. Today.
ASSESSING YOUR RISK
Objectives of a Risk Assessment
• Understand your own unique risk-profile.
• Determine whether a given system:
– safeguards assets.
– maintains data integrity.
– allows the goals of an organisation to be achieved.
• Identify significant computer security threats
• Measure yourself against a defined standard
– Internal (policy)
– External (certification)
• Make informed decisions on how to spend
– Time
– Money
– People
ASSESSING YOUR RISK
An effective Assessment
• Independent and objective
• Business aware but technology focused
• Prove its worth
• Concrete, practical recommendations
• Finite
• Honest
• Recursive...
ASSESSING YOUR RISK
Recursive Assessments
• Delta Testing
– Monitor the effect of changes
• New exploits and vulnerabilities
– Staying secure in a global battlefield
• Improved Methodologies
– Tools, techniques, philosophies etc.
• Innovation
– A chance to get to know you
• Extended Scope
– There’s never enough time
• Enhanced Scope
– Moving toward a zero-defect environment
INFORMATION SECURITY FUNDAMENTALS
charl van der walt
[Content removed]
Planning for disaster
• Be convinced that the Internet is not a friendly place
• Be prepared to detect failure (malicious or accidental)
• Mirror critical resources
– geographically remote from the original
• Create transparent alternative entry points
• Implement switching in the case of failure
– Must be considered during the design phase
• Analyse, plan, communicate, test
Things to consider
• The Internet is probably not your main income generator
• There’s more than one way to skin a cat
– Physical attacks on infrastructure
– Hardware theft
– DNS & other upstream services
– Viruses & other content-borne attacks
– Getting "Slashdotted"
• Who’s responsible for your family jewels?
• It could get worse:
– Imagine an MS-based worm attack
– http://www.hackernews.com/bufferoverflow/99/nitmar/nitmar1.html
THE BOTTOM LINE
1. Take security seriously
2. Don’t panic!
3. Value your information
4. Evaluate your risk
5. Be requirement driven,
not technology driven
questions?
Useful References
• Information Systems Audit & Control Association:
– http://www.isaca.org.za/
• Configuring Cisco routers:
– http://www.cisco.com/warp/public/707/newsflash.html
• Archive of DDoS attack tools:
– http://packetstorm.securify.com/distributed/
• CERT:
– http://www.cert.org
– http://www.cert.org/contact_cert/certmaillist.html
• Paul Ferguson's DDoS resource page:
– http://www.denialinfo.com/
• Test whether your network space can be used as an amplifier:
– http://www.netscan.org
• RFCs:
– http://www.ietf.org