The Anatomy and Security of an Anonymous Operation
July 2012
Terry Ray – VP WW Security Engineering
What is Anonymous?
Perception
“[Anonymous is] the first Internet-based superconsciousness.” —Chris Landers, Baltimore City Paper, April 2, 2008
Hacktivists fighting for moral causes.
The 99%.
Reality
“Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012
Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement and Vladimir Putin.
Anyone can be a target.
The Plot
The attack took place in 2011 over a 25-day period.
Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.
10-15 skilled hackers; several hundred to thousands of supporters.
How They Attack: The Anonymous Attack Anatomy
Diagram: Anonymous Attack on Customer Site (Web Application Protection Use Case). Phases labelled Phase I, Phase II and Phase III; tools shown: scanners such as Nikto, the Havij SQL injection tool, the LOIC application; attack types labelled Business Logic Attack and Technical Attack. SecureSphere stopped all phases of the attack.
On the Offense
+ Skilled hackers: this group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy. Broad use of anonymizing services (aProxy & TOR).
+ Nontechnical: this group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.
On the Defense
Deployment line was network firewall, IDS, WAF, web servers, network anti-DOS and anti-virus.
Imperva WAF:
+ SecureSphere WAF version 8.5, inline, high availability
+ ThreatRadar reputation (IP Reputation)
+ SSL wasn’t used; the whole website was in HTTP
1 Recruiting and Communications
Step 1A: An “Inspirational” Video
Step 1B: Social Media Helps Recruit
Setting Up An Early Warning System
Example
2 Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu
Step 1A: Finding Vulnerabilities
Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
Hacking Tools
Tool #2: Havij
Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.
Developed in Iran.
Vulnerabilities of Interest
Chart: number of alerts per day, Day 19 to Day 23 (scale 0 to 4000), by attack type: Directory Traversal (DT), SQL injection (SQLi), DDoS recon and XSS.
Comparing to Lulzsec Activity
• Lulzsec was/is a team of hackers focused on breaking applications and databases.
• ‘New’ Lulzsec is taking credit for recent attacks (e.g. Militarysingles.com).
• Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign.
• Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI).
Lulzsec Activity Samples
Figure: Lulzsec activity samples (surviving labels: RFI, index.php).
1 infected server ≈ 3000 bot infected PC power
8000 infected servers ≈ 24 million bot infected PC power
Automation is Prevailing
In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.
Note:
• Due to automation, hackers can be effective in small groups, e.g. Lulzsec.
• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites.
US is the ‘visible’ source of most attacks
+ United States: 61.3%
+ Other: 19.2%
+ China: 9.4%
+ Sweden: 4.4%
+ France: 2.1%
+ Undefined: 2.1%
+ United Kingdom: 1.1%
+ Netherlands: (value not shown in the chart)
During the Anonymous attack 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
Mitigation: AppSec 101
+ Code Fixing
+ Dork Yourself
+ Blacklist + IP Rep
+ WAF
+ WAF + VA
+ Stop Automated Attacks
3 Application DDoS
LOIC Facts
Low Orbit Ion Cannon (LOIC)
Purpose:
+ DDoS
+ Mobile and Javascript variations
Other variations: HOIC, GOIC, RefRef
LOIC downloads:
+ 2011: 381,976
+ 2012 (through May 10): 374,340
+ June 2012 = ~98% of 2011’s downloads!
Anonymous and LOIC in Action
Chart: transactions per second, Day 19 to Day 28 (scale 0 to 700,000), comparing average site traffic with LOIC in action.
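The per-day alert chart, the figure that 74% of technical attack traffic came from anonymizing services, and the LOIC traffic chart all come from correlating web traffic by category, source and volume; the following Python block is an added example, not Imperva's or the deck's own code, that runs that kind of early-warning correlation over constructed log lines. It uses hypothetical regex rules for the chart's SQLi/DT/XSS categories and a constructed anonymizer reputation list, and flags LOIC-style days by request volume rather than content.

```python
import re
from collections import Counter, defaultdict

# Hypothetical detection rules written for this example (not Imperva's signatures); the
# keys are the alert categories on the deck's "Vulnerabilities of Interest" chart.
RULES = {
    "SQLi": re.compile(r"union\s+select|'\s*or\s+1=1|information_schema", re.I),
    "DT": re.compile(r"(\.\./){2,}|(%2e%2e%2f){2,}", re.I),
    "XSS": re.compile(r"<script|javascript:|onerror=", re.I),
}
# Constructed reputation list of anonymizing-proxy exits (documentation-range addresses).
ANON_PROXY_IPS = {"198.51.100.7", "203.0.113.9"}

def parse(line):
    """Split a constructed log line of the form '<source ip> <day> <decoded request path>'."""
    return line.split(" ", 2)

def classify(path):
    """Return the first matching alert category, or None for benign traffic."""
    return next((name for name, rx in RULES.items() if rx.search(path)), None)

def alerts_by_day(lines):
    """Technical-attack alerts per day and category: the per-day bars on the chart."""
    counts = defaultdict(Counter)
    for _ip, day, path in map(parse, lines):
        if cat := classify(path):
            counts[day][cat] += 1
    return {day: dict(c) for day, c in counts.items()}

def anonymizer_share(lines):
    """Fraction of alerting requests whose source is on the anonymizer reputation list."""
    hits = [ip for ip, _day, path in map(parse, lines) if classify(path)]
    return sum(ip in ANON_PROXY_IPS for ip in hits) / len(hits) if hits else 0.0

def flood_days(lines, factor=10):
    """Days whose volume exceeds `factor` times the median day. LOIC sends benign-looking
    requests, so volume rather than content is the signal for the DDoS phase."""
    per_day = Counter(day for _ip, day, _path in map(parse, lines))
    vols = sorted(per_day.values())
    return sorted(d for d, n in per_day.items() if n > factor * vols[len(vols) // 2])

# Constructed sample: days 19-21 carry scanner/Havij-style probes, day 24 a LOIC-style flood.
SAMPLE_LOG = [
    "198.51.100.7 day19 /index.php?id=1 union select 1,2,3",
    "198.51.100.7 day19 /index.php?page=../../../../etc/passwd",
    "192.0.2.10 day19 /search?q=<script>alert(1)</script>",
    "203.0.113.9 day20 /index.php?id=1' or 1=1--",
    "192.0.2.11 day20 /about.html",
    "203.0.113.9 day21 /news.php?id=2 union select table_name from information_schema.tables",
] + [f"192.0.2.{20 + i % 50} day24 /" for i in range(200)]
```

On the sample, four of the five alerting requests come from the reputation-listed addresses, and day 24 is the only day flagged by volume, which is the shape of the two charts in the deck.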
Application DDoS
“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.” —The Hacker News, July 30, 2011
But That Much Sophistication Isn’t Always Required
Meet your target URL
4 Non-Mitigations
I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.
WAFs at a minimum must include the following to protect web applications:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation
However, IPS and NGFWs at best only partially support the items shown in red on the slide:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation
Recent attacker targets….
Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa
Yahoo Voice, LinkedIn, Last.fm, Formspring, eHarmony, US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa
How many of these organizations have AV, IPS and Next Generation Firewalls?
Why are the attacks successful when these technologies claim to prevent them?
5 Demo