HSB15 - Thijs Bosschert - Radically Open Security
Page 1
Thijs Bosschert
27 October 2015, Den Haag [email protected] [email protected]
What have we learned from the Hacking Team hack?
Page 2
May 12, 2014
Radically Open Security
Non-Profit Computer Security Consultancy
We're an idealistic bunch of security researchers,
networking/forensics geeks, and Capture The
Flag winners that are passionate about making
the world more secure. We believe in
transparency and openness. And our goal is to
secure the society that allows us to run a
company in the first place.
https://radicallyopensecurity.com/
Page 3
Thijs Bosschert
Freelance Security Professional
• Incident Response
• Forensics
• Penetration tester
• Security researcher
• Trainer
• CTF player (Eindbazen, Hack.ERS)
Page 4
Worldwide IR
Page 5
HackingTeam
Source: http://www.hackingteam.it/
Page 6
HackingTeam
Remote Control System
Take control of your targets and monitor them
regardless of encryption and mobility. It doesn’t
matter if you are after an Android phone or a
Windows computer: you can monitor all the
devices. Remote Control System is invisible to
the user, evades antivirus and firewalls…
Source: http://www.hackingteam.it/images/stories/galileo.pdf
Page 7
HackingTeam
Remote Control System
Hack into your targets with the most advanced
infection vectors available. Enter his wireless
network and tackle tactical operations with ad-hoc
equipment designed to operate while on the
move. Keep an eye on all your targets and
manage them remotely, all from a single screen.
Be alerted on incoming relevant data and have
meaningful events automatically highlighted.
Source: http://www.hackingteam.it/images/stories/galileo.pdf
Page 8
You will be hacked
Source: https://twitter.com/hackingteam/status/563356441885835264
Page 9
Imagine this
Source: https://wikileaks.org/hackingteam/emails/
Page 10
You have been hacked
Source: https://twitter.com/hackingteam/status/563356441885835264
Page 11
How was it done?
Source: https://twitter.com/GammaGroupPR
Page 12
How was it done?
Source: http://0x27.me/HackBack/0x00.txt
Page 13
0x00.txt
● Mapping out the target
● Scanning & Exploiting
● Escalating
● Pivoting
● Have Fun
Source: http://0x27.me/HackBack/0x00.txt
Page 14
Denial
Source: Twitter
Page 15
Bad response
Source: Twitter
Page 16
Bad press reactions
Source: http://www.hackingteam.it/index.php/about-us
Page 17
~400 GB
Page 18
WikiLeaks Email DB
Source: https://wikileaks.org/hackingteam/emails/
Page 19
0 days & exploits
● CVE-2015-0349 - Adobe Flash Player
● CVE-2015-2425 - IE 11
● CVE-2015-2426 - OpenType Font Driver
● CVE-2015-5119 - Adobe Flash Player
● CVE-2015-5122 - Adobe Flash Player
● CVE-2015-5123 - Adobe Flash Player
Page 20
Weak passwords
● P4ssword
● Passw0rd
● wolverine
● universo
● HTPassw0rd
● Passw0rd!81
+ Password reuse
Source: http://pastebin.com/bxYXHFMu
Page 21
Code like everyone is watching
```ruby
# Excerpt from HackingTeam's rcs-common evidence/file.rb: a test-data generator that
# fakes "evidence" with provocative filenames. The closing `end`, the return value and
# the String helper are added so the fragment runs; to_utf16le_binary_null is an
# rcs-common extension, approximated here (assumption: UTF-16LE plus a trailing NUL).
class String
  def to_utf16le_binary_null
    (self + "\0").encode("UTF-16LE").force_encoding("BINARY")
  end
end

def content(*args)
  hash = [args].flatten.first || {}
  process = hash[:process] || ["Explorer.exe\0",
                               "Firefox.exe\0", "Chrome.exe\0"].sample
  process.encode!("US-ASCII")
  path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg",
                         "C:\\Utenti\\pluto\\Documenti\\childporn.avi",
                         "C:\\secrets\\bomb_blueprints.pdf"].sample
  path = path.to_utf16le_binary_null
  [process, path] # the original continues assembling the evidence record here
end
```
Source: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence/file.rb
Page 22
CIS Critical Security Controls
Source: SANS 20 Critical Controls Poster
Page 23
CIS Critical Security Controls
Source: SANS 20 Critical Controls Poster
Page 24
~400 GB
Page 25
What went wrong?
● Weak password usage and reuse
● No network segmentation and protection
● No data encryption
● No secure email
● No data classification
● No monitoring
● Incorrect incident response procedures
● Use of illegal software
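The weak-password slide (P4ssword, Passw0rd, HTPassw0rd and the rest, plus password reuse) and the first item of the list above describe a control that is easy to automate. The following is an added example, not code from the talk or from any of the organisations mentioned: a small audit that undoes common leet-speak substitutions before dictionary matching and flags the same password used on more than one account. The leet table, the dictionary and the credential list are constructed assumptions; a real audit would use a breached-password list and run at password-change time or over a recovered credential dump during incident response.

```python
import re
from collections import defaultdict

# Leet-speak substitutions undone before dictionary matching (assumption: a
# small table; real audits use a larger one plus a breached-password list).
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

# Constructed mini dictionary; every password on the slide reduces to one of these.
WEAK_BASES = {"password", "wolverine", "universo", "welcome", "qwerty", "letmein"}


def normalize(password):
    """Lower-case, undo leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def weak_reasons(password, min_len=12):
    """Return the policy violations for one password (empty list = acceptable)."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    norm = normalize(password)
    for base in sorted(WEAK_BASES):
        if base in norm:
            reasons.append(f"built on dictionary word '{base}'")
            break
    return reasons


def audit(credentials, min_len=12):
    """credentials: iterable of (account, password). Returns {account: [findings]}
    covering both weak passwords and one password reused across accounts."""
    findings = defaultdict(list)
    accounts_by_password = defaultdict(list)
    for account, password in credentials:
        findings[account].extend(weak_reasons(password, min_len))
        accounts_by_password[password].append(account)
    for password, accounts in accounts_by_password.items():
        if len(accounts) > 1:
            for account in accounts:
                others = sorted(a for a in accounts if a != account)
                findings[account].append(f"reused on {', '.join(others)}")
    return {acct: reasons for acct, reasons in findings.items() if reasons}


# Constructed sample: the six passwords from the slide plus one strong one,
# with one password shared by two accounts (account names are made up).
SAMPLE_CREDENTIALS = [
    ("admin", "P4ssword"),
    ("vpn", "Passw0rd"),
    ("backup", "wolverine"),
    ("mail", "universo"),
    ("git", "HTPassw0rd"),
    ("wiki", "Passw0rd!81"),
    ("monitor", "Passw0rd!81"),
    ("ops", "Mq7!vR2#kL9pZx3w"),
]

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_CREDENTIALS).items():
        print(f"{account}: {'; '.join(reasons)}")
```

Run as a script it prints one line per failing account; the `ops` account, whose password survives normalisation without matching a dictionary word, produces no finding. Reuse is reported on every account sharing the password, since each of them needs a reset.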
Page 26
Security level
Source: http://lockheedmartin.com
Page 27
Protection level
Source: http://www.slideshare.net/jaredcarst/cyber-threats-cybersecurity-are-you-ready
Page 28
What have we learned?
As a security company you are a
desirable target for attackers, so
you had better make sure you are
prepared for that.
Page 29
Questions?
https://radicallyopensecurity.com/
http://www.thice.nl
@ThiceNL
http://nl.linkedin.com/in/bosschert
Thijs Bosschert