(ISC)2 CyberSecureGov 2015 - The Next APT: Advanced, Persistent Tracking
#Cybersecuregov
From Zero to 60: Advancing the Cybersecurity Workforce
The Next APT: Advanced, Persistent Tracking
Jarad Kopf and G. S. McNamara
Introduction
» Persistent tracking mechanisms very prevalent and growing
» Tech conglomerates such as Google have flirted with this type of new technology
» Not limited to cookies anymore, these tracking mechanisms come in many forms
Why should you care?
» Privacy concerns
» These technologies are extremely accurate
» Perhaps violating your organization’s policy
Evercookies
» Goal: Identify unique client even after standard cookies have been removed
» Storage mechanisms include: Flash Cookies, Silverlight Isolated storage, HTTP ETags*, many more
Evercookie FAQs
» Do evercookies work cross-browser?
» Does the browser or server have to install anything?
Evercookie Repopulation
Image: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf
ETag Overview
» One storage mechanism of Evercookies
» ETag (Entity Tag) part of HTTP protocol
  • provides for web cache validation
» Can be used as opaque identifier assigned by a web server to a specific version of a resource found at a URL
ETag Mechanism
Image: https://lucb1e.com/randomprojects/cookielesscookies/
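A defender-side check for the ETag behaviour described on these slides, added here as an example and not taken from the presentation: a cache validator should identify a version of a resource, so a resource that is byte-identical for every client yet carries a different ETag per client is worth reviewing. The record layout, host names and function names are assumptions, and the sample records are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample: responses seen by an inspecting proxy, as
# (client_id, url, etag_header, response_body). Not real traffic.
SAMPLE = [
    ("client-a", "https://cdn.example/logo.png", '"5d41402a"', b"PNGDATA-1"),
    ("client-b", "https://cdn.example/logo.png", '"5d41402a"', b"PNGDATA-1"),
    ("client-a", "https://ads.example/pixel.gif", '"u-7f3a91c2"', b"GIF89a"),
    ("client-b", "https://ads.example/pixel.gif", '"u-02bd44e8"', b"GIF89a"),
    ("client-c", "https://ads.example/pixel.gif", 'W/"u-9914aa0b"', b"GIF89a"),
    ("client-a", "https://news.example/feed.json", '"v1"', b'{"n":1}'),
    ("client-b", "https://news.example/feed.json", '"v2"', b'{"n":2}'),
]

def normalize_etag(value):
    """Strip the weak-validator prefix and quotes so W/"x" and "x" compare equal."""
    value = value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')

def find_per_client_etags(records, min_clients=2):
    """Return URLs whose body is identical across clients but whose ETag differs per client."""
    # (url, body_hash) -> {client_id: set of normalized etags}
    seen = defaultdict(lambda: defaultdict(set))
    for client, url, etag, body in records:
        digest = hashlib.sha256(body).hexdigest()
        seen[(url, digest)][client].add(normalize_etag(etag))
    flagged = []
    for (url, _digest), per_client in seen.items():
        if len(per_client) < min_clients:
            continue  # one observer cannot show a per-client difference
        distinct = {tag for tags in per_client.values() for tag in tags}
        # One representation should carry one validator for everyone; a distinct
        # tag per client means the tag follows the client, not the content.
        if len(distinct) > 1 and len(distinct) >= len(per_client):
            flagged.append(url)
    return sorted(flagged)

if __name__ == "__main__":
    for url in find_per_client_etags(SAMPLE):
        print("per-client ETag on identical content:", url)
```

Load-balanced origins that derive ETags from per-server file metadata can also trip this check, so treat a hit as a lead to review rather than a verdict.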
HSTS Overview
» HSTS: web security policy mechanism to protect HTTPS websites from downgrade attacks
» Allows web servers to declare that web browsers should only interact using secure connections
» Your browser can remember this: it is set when the server sends back an HTTP response header named Strict-Transport-Security
Abusing HSTS
» HSTS potential for tracking is specified in RFC 6797
» No known cases in the wild yet
Images taken from: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/
Fingerprinting (Type 1 of 2): Device
Fingerprinting (Type 2 of 2): Canvas
Let’s tell a story…
(If I were evil)
A world full of corporate assets
We might even allow BYOD
We’ve hardened our network
And we trust our ISP
But what about the phones?
The carrier wouldn’t meddle with our data
“Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine”
http://www.wired.com/2014/10/verizons-perma-cookie/
The data gathered would never then be sold
“Relevant Mobile Advertising Program”
http://www.verizonwireless.com/support/relevant-mobile-ad/
Selling location data is inconceivable
“Carriers Sell Users’ Tracking Data in $5.5 Billion Market”
http://www.bloomberg.com/news/articles/2013-06-06/carriers-sell-users-tracking-data-in-5-5-billion-market
Location lacks impact
“ISIS Fighter Accidentally Geotagged Tweets And Revealed His Not-So Secret Location”
http://www.mtv.com/news/2038989/isis-twitter-geotagging-fail/
If only used for ads, is this OK?
Ads are safe
“Malware in ads turn computers into zombies”
http://www.usatoday.com/story/tech/2015/01/20/malvertising/21889547/
Well, if you stick to legitimate sites
“Malvertising hits The New York Times”
http://www.dailyfinance.com/2009/09/14/malvertising-hits-the-new-york-times/
This ‘malvertising’ economy won’t catch on
“Malvertising Abuses Real-Time Bidding on Ad Networks”
https://threatpost.com/ad-networks-ripe-for-abuse-via-malvertising/111840
It’s probably just run by kids
“APTs Target Victims with Precision, Ephemeral Malvertising”
https://threatpost.com/apts-target-victims-with-precision-ephemeral-malvertising/108906
Besides, cyber-physical isn’t real
“'Operation DeathClick' targets defense contractors”
http://archive.federaltimes.com/article/20141017/IT/310170016/-Operation-DeathClick-targets-defense-contractors
Malware doesn’t even work on phones
“Ads 'biggest mobile malware risk'”
http://www.bbc.com/news/technology-26447423
It only works on “real” computers
“Now e-cigarettes can give you malware”
http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers
The future isn’t mobility anyway
“BYOD: Many Call It Bring Your Own Malware (BYOM)”
http://blogs.cisco.com/security/byod-many-call-it-bring-your-own-malware-byom
And the small details don’t matter
“Two US power plants infected with malware spread via USB drive”
http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/
Next-Gen Tracking is a blind spot.
This was just one idea
Policy Scandals
EU Cookie Law
» Into effect May 2012
» EU requires prior informed consent for storage of or access to information stored on a user’s machine
  • Many exemptions
» Tools like Google Analytics fall under jurisdiction
So what now?
» Talk to legal about policy updates
» Talk to IT about control
“The greatest victory is that which requires no battle.”― Sun Tzu, The Art of War
Jarad Kopf, M.S.
G. S. McNamara