Hacking Team Hacked? - Lessons learned!
Uploaded by sba-research-ggmbh
SECURITY AFTERWORKS
Summer Special: Hacking Team Hacked?!
Agenda
1) Hacking Team Hacked? – Lessons Learned!
   - The Company
   - The Hack
   - The Revelations
   - The Take-Aways
2) Current vulnerabilities in RC4
3) sbaPRIME Kick-Off Event
4) Informal get-together
2015 - SBA Research gGmbH
SBA – Key Facts
• Founded in 2006
• Biggest research center for IT security and one of the largest security service providers in the DACH countries
• Know-how in research, audits, consulting, implementation and operation under one roof
• Over 90 employees and approx. 70+ FTEs
• Management
  – Edgar Weippl, Research & Science
  – Andreas Tomek, Services & Sales
  – Markus Klemen, General Management & Secure Software
SBA – Action Fields & Values
• Research
  – Teaching at UAS & universities – national & international
  – Security research & prototypes
• Competencies
  – Pool of experts for information security
  – Innovative approaches like security & insurance with AON
  – Consulting, trainings, Managed Services, product implementation from research & practice
• Responsibility
  – Common good & studies (e.g. Heartbleed analysis)
  – Providing knowledge
  – Platform for security (events, ISC2, IEEE, etc.)
HACKING TEAM HACKED
The Company
Hacking Team
• Italian company (Milan) founded in 2003
  – Venture capital supported
• Several offices (USA, Asia)
• ~50 employees
• Sells malware & related services to
  – Governments
  – Government agencies
  – Private companies
• Main software is called RCS (Remote Control System)
RCS Unique Selling Points (USPs)
Source: https://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf
HACKING TEAM HACKED
The Hack
The Hack
Source: https://twitter.com/mattblaze/status/618107272552677377
The Hack
• ~400 GB of data published via BitTorrent
  – Internal e-mails
  – Internal presentations
  – Customer data
  – Internal software (e.g. pirated IDA Pro)
  – Source code
  – Images
  – Phone conversations
Who did it?
• Unknown: Attribution is very hard
• Some hints online like…
HACKING TEAM HACKED
The Revelations
HT violated their customer policy
Customer Lists
Customer Statistics
HT did a Waltz with Bashir
• Why is this bad?
• Sudan's president Omar Al Bashir is wanted for war crimes!
HT possibly did a demo in Austria (in 2012)
HT knows they do “bad” things … and prepares for bad press
Valid Certificates
• HT tries to install their malware via known-good channels – e.g. the official Android marketplace
• Lesson Learned: This raises (again) questions about the CA system
What was HT doing with absolute paths like “C:\Utenti\pippo\pedoporno.mpg”?
• …but we should keep calm…
Source: https://twitter.com/TheRegister/status/618137815923101696
Stored Customer Skype Calls
• Lesson Learned: Be very cautious when storing sensitive customer data
Server Logins
• Lesson Learned: Do not keep plaintext password lists
Their Passwords
• Lesson Learned:
  – Techies also have weak passwords
HT bought 0days from Third Party Distributors
• Vitaliy Toropov
• Netragard
• Qavar
• VUPEN
• Vulnerabilities Brokerage International (VBI)
• Rosario Valotta
• COSEINC
• Ability Ltd
• DSquare Security
• Keen Team
• LEO Impact Security
• Security Brokers
Many Exploits leaked (and patched)
• Flash
  – CVE-2015-5119
  – CVE-2015-5122
  – CVE-2015-5123
• Windows Kernel
  – CVE-2015-2387
  – CVE-2015-2425 (IE)
  – CVE-2015-2426
• To be continued? ...
Mobile Malware
• Fake apps – e.g. BeNews in the Google Play Store, available until 07.07.2015
• Unclear if test or productive
• Contains no exploit code
  – To get accepted by app stores
  – Loads exploit code upon opening the app
  – Valid certificate! (Apple & Android)
Source: http://www.techspot.com/news/61427-how-hacking-team-published-fake-google-play-app.html
iOS
• Their agent cannot be installed on an iPhone without a jailbreak
• WiFi hacking technology should be brought to victims via drones
• TNI (Tactical Network Injector)
• Man-in-the-middle of (guest) WLANs
Source: https://firstlook.org/theintercept/2015/07/18/hacking-team-wanted-infect-computers-drone/
HT backdoored their own products
• Lesson Learned: Be careful about which software vendor you trust
HT uses UEFI BIOS Rootkit to keep RCS 9 Agent in Target System
• Lesson Learned
  – Do not only reinstall the OS after a security incident
  – Policy Suggestion:
Source: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/
0-Day Pricing
HT wanted to sell to the Bavarian Police … but the person in charge was on vacation
HT wanted to sell to Belgium … but Belgium had no Government then
Source: https://wikileaks.org/hackingteam/emails/emailid/602524
No Exploits for Tor Network
HTTPS Everywhere
• HT sees HTTPS Everywhere (or more precisely its SSL Observatory) as a risk
• Their rogue certificates might be exposed
Source: https://twitter.com/bcrypt/status/618132217382834176
Reactions…
• Leaked exploits used in a Japanese APT campaign
• Discovered 9 days after the HT leak
Source: https://www.fireeye.com/blog/threat-research/2015/07/second_adobe_flashz.html
Reactions…
Reactions…
• Browsers begin to block Adobe Flash by default
Reactions…
Source: http://www.marietjeschaake.eu/2015/07/written-questions-on-the-italian-company-hacking-teams-potential-violations-of-eu-sanctions/
Source: https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638
HACKING TEAM HACKED
The Take-Aways
What Users should learn (© Alexander Riepl from cert.at)
• Don't reuse passwords
• Don't use weak passwords
• Use two-factor authentication
• Don't spend your day playing browser games
• Don't have plaintext password lists
• Change default credentials
A word on 2FA
Activate it where possible
• Check out https://twofactorauth.org/ for a quick review of your personal services
What Admins should learn (© Alexander Riepl from Cert.at)
• Don't expose your monitoring systems to the network
• Have network monitoring in place
• Externally reachable unpatched software is a no-go – update your CMS!
• Restrict or disable Flash on all managed devices
• (Deploy) HTTPS and Strict Transport Security!
What Companies should learn (© Alexander Riepl from Cert.at)
• Don't assume you are not a target!
• Don't be light-hearted!
• OPSEC is hard – but try!
• Open Source can help!
• Develop an Information Security Management System (ISMS)
  – This helps cover all the necessary topics and will make you prepared for the day you get hacked.
Additional References
• Twitter
  – #HackingTeam
  – #HackingTeamTransparencyreport
• Good article about the 0day market
  – http://tsyrklevich.net/2015/07/22/hacking-team-0day-market/
• Wikileaks
  – https://wikileaks.org/hackingteam/emails
CURRENT VULNERABILITIES IN RC4
HTTPS and more
46
New attacks on RC4
• “All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS”
• “Attacks Only Get Better: Password Recovery Attacks Against RC4”
• USENIX Security 2015
New attacks on RC4
• RC4 = stream cipher by Ron Rivest
• Extremely elegant, from 1987
• HTTPS, WEP, WPA/TKIP, VPN, …
• They use a known weakness (from 2001)
• Attacks become practically feasible (approx. 2^26, 2^27)
• In reality: 75-300 hours
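To make the "known weakness (from 2001)" on this slide concrete, here is an added example that is not part of the original deck: a plain RC4 implementation plus a loop that, over many random 128-bit keys, counts how often the second keystream byte is zero. I am assuming the slide refers to the Mantin-Shamir second-byte bias, under which that byte is 0 about twice as often as an ideal stream cipher would allow; the seed, key count and comparison byte are constructed values for the demonstration.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_histogram(num_keys: int = 20000, seed: int = 1) -> dict:
    """Generate the second keystream byte under many random keys and count
    how often it equals 0 versus a reference value (1).  For an unbiased
    cipher both counts should sit near num_keys / 256; RC4's count for 0
    comes out roughly twice that.  Seed and key count are constructed."""
    rng = random.Random(seed)                   # fixed seed: reproducible run
    zero = one = 0
    for _ in range(num_keys):
        key = rng.getrandbits(128).to_bytes(16, "big")   # random 128-bit key
        z2 = rc4_keystream(key, 2)[1]
        if z2 == 0:
            zero += 1
        elif z2 == 1:
            one += 1
    return {
        "keys": num_keys,
        "expected_unbiased": num_keys / 256,    # ~78 for 20000 keys
        "second_byte_is_0": zero,               # biased, ~156 for 20000 keys
        "second_byte_is_1": one,                # reference value, ~78
    }


if __name__ == "__main__":
    print(second_byte_histogram())
```

The same loop, with the byte position and target value as parameters, is the skeleton of the keystream statistics that the two USENIX papers cited above scale up to full plaintext recovery, which is why the only defensible fix is the one on the later slide: remove RC4 from the server configuration.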
New attacks on RC4
• Still the most widely used cipher on the Internet
• Also dangerous in downgrade attacks:
  – FREAK, Logjam
  – "Export ciphers", RC2, …
• RC4 in HTTPS:
  – random sample of 2 million hosts
  – 61.74 % accept RC4
  – 16.03 % (= 350,000) prefer RC4!
New attacks on RC4
• Our own scans of e-mail servers:
  – IPv4-wide!
  – More than 10 billion TLS handshakes
  – More than 17 million hosts & configurations
Source: http://www.google.com/transparencyreport/saferemail/
New attacks on RC4
• How can I protect myself?
  – Use a modern browser (Chrome, Firefox)
  – Disallow RC4 on the server side
• Test at https://www.ssllabs.com/
  – "Test your server"
  – "Test your browser"
New attacks on RC4
• RC4 is dead!
• RFC7465 (Draft): "Prohibiting RC4 Cipher Suites"
• Good configuration guides:
  – https://bettercrypto.org
  – RFC7525: "Recommendations for Secure Use of Transport Layer Security (TLS) …", May 2015
ANNOUNCEMENT
sbaPRIME Kick-Off Event: 5 November 2015
sbaPRIME Kick-Off Event
5 November 2015
• sbaPRIME = communication and information platform
  – Interface between research, consulting and industry
• sbaPRIME core offerings for members
  – quarterly events & workshops
  – exchange among members
  – guest lectures by international experts
  – information updates, security news & whitepapers
  – two course participations per year
  – analyst discussions
  – review of innovative security solutions
  – software products from the research environment without licence costs
  – the opportunity to help shape sbaPRIME content!
sbaPRIME Kick-Off Event
5 November 2015
Agenda
• sbaPRIME – core content
• Security Surveys at a glance – overview and analysis of more than 30 studies in the security field
• Whitepaper – security strategy regarding legacy systems
• Tools for members – the secure file exchange platform SBox
• Trainings for members – trained, with security
• Security Conferences at a glance – the most interesting content of major security conferences
• Feedback & shaping of content
• Informal get-together
THANK YOU!
Have a nice week(-)end