RSA Security Summit London April 2014 – Digital Fraud; Setting the Scene

Presentation by Stephen Nicholas from Deloitte titled;

Digital Fraud; Setting the Scene

Where consumers lead..

–          94% UK consumers have shopped online in the past year

–          16% year on year growth in online spend

–          One UK supermarket takes 10% of its online revenue directly through its mobile app

–          83% UK consumers have banked online in the last year

–          £91bn online card spend in 2013

…Fraudsters follow

–          Identity theft and account take over

–          Card not present

–          False refund claims

–          Finance and credit card applications

–          2 in 3 organisations believe the risk of digital fraud has increased in the past 2 years

–          41% of organisations have experienced digital fraud attacks

 

What is driving this?

–          Few deterrents or penalties

  • Few convictions / prosecutions
  • Stolen funds rarely recovered

–          Sophistication and scale

  • Record volumes of attacks
  • Agility from fraudsters, responding to change and controls

–          Low barriers to entry

  • Commoditised supply chain
  • All components available as a service

Fraud supply chain and business model is very mature with services, support, secure sites for buying and selling etc. all readily available.

 

What does this mean?

–          Loss of goods

–          Financial losses

  • £301 million 2013 UK fraud losses on remote card spend.
  • £41 million (Reported) 2013 online banking fraud losses.  Note – this is just the ‘reported’ (admitted to) amount. It is likely that the real number is a lot higher.
  • £105 million online losses suffered by retailers in 2013

–          Brand damage

–          Cost of security

–          Rejected business

–          Deterred business

  • 1 in 3 consumers stop doing business with the organisation they hold responsible
  • 73% say digital fraud affects their organisation’s ability to deliver new digital content / services

 

What are organisations doing?

–          92% view investment in fraud controls as a priority

  • But are we really investing in security and fraud?
  • What are your challenges in getting funding from the board? Examples include;
    • High costs
    • Unclear ROI
    • Organisation
    • Unsure on solutions
    • Impact

 

Final thoughts;

–          Do you know your threat landscape?

–          Do you know your controls – what is in place, how well is it working?

–          Would you know if you are attacked / breached?

–          Do you have understood action plans ready for when there is an attack or breach?

Basically, cyber crime / cyber fraud is getting more sophisticated, more organised and more frequent.  However, while businesses appear to be aware of the issues, and there are known, very large costs associated with this, most businesses are not yet making the changes needed to combat it.

How do we get better board and business engagement?

K

RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so it starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability (plus Accountability / Auditability) is still important, but it has gone out of the window as the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – JavaScript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and to your business.  Accessing data from the virtual world can be simple, and it is getting easier!

Virtual world – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking those copies home?  You need to be able to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’: if our important data is properly protected (encrypted, with the keys held separately), a breach of the surrounding systems still does not give the attacker access to it.

Demo against VMware 4.1 Update 1.  Using a simple scan, you can find multiple VMware servers and consoles exposed directly to the internet; remember though that these attacks can just as easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks?  Do you have separate management, server, database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCenter server, the admin / password file is easily accessible and the passwords are only hashed with MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.
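To see why “only hashed in MD5” is as good as cleartext once an attacker has the file, here is an added example of my own (not from the talk, and nothing to do with VMware’s actual code): an unsalted MD5 store falls to a precomputed lookup table in a single dictionary hit, while a salted, iterated hash (PBKDF2 from Python’s standard library) gives the same table nothing to match and forces the attacker to pay the slow hash once per guess, per record.  The wordlist and the password are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist: stands in for the dictionary a rainbow table is generated from.
WORDLIST = ["password", "letmein", "admin", "changeme", "vmware123", "Summer2012"]


def md5_hex(text):
    """Unsalted MD5 of a password, as a legacy password file might store it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once.  A rainbow table is a space-optimised
    version of exactly this table; the attack cost is paid before the breach."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(stored_hash, table):
    """Against unsalted MD5 a single dictionary lookup recovers the password."""
    return table.get(stored_hash)


def store_salted(password, iterations=100_000):
    """Store a password with a random per-record salt and a slow, iterated KDF
    (PBKDF2-HMAC-SHA256 from the standard library)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password, record):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_salted(record, words):
    """The only option left to the attacker: recompute the slow KDF for every
    guess, for every record, because the salt makes precomputed tables useless.
    Returns the password found and the number of KDF evaluations it cost."""
    for attempts, w in enumerate(words, start=1):
        if verify_salted(w, record):
            return w, attempts
    return None, len(words)


def demo(password="vmware123"):
    table = build_lookup_table(WORDLIST)
    # 1. Unsalted MD5, as in the talk's vCenter example: one lookup and it is over.
    unsalted_result = crack_unsalted(md5_hex(password), table)
    # 2. Salted + iterated: the same table holds nothing that matches this record.
    record = store_salted(password)
    table_hit = table.get(record["hash"])
    # Guessing still works against a weak password, but costs one slow KDF run per guess.
    salted_result, cost = crack_salted(record, WORDLIST)
    return {
        "unsalted_cracked": unsalted_result,
        "salted_table_hit": table_hit,
        "salted_cracked": salted_result,
        "kdf_evaluations": cost,
    }


if __name__ == "__main__":
    print(demo())
```

The salted record is still cracked here because the password is in the wordlist; the point is that the attacker had to run 100,000 PBKDF2 iterations for each of the five guesses against this one record, and would have to start again for every other record, instead of finishing the whole file with lookups prepared before the breach.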

To make things even easier, tools like Metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out Metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the WiFi Pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

–          Stealth Access Point for Man-in-the-Middle attacks

–          Mobile Broadband (3G USB) and Android Tethering

–          Manage from afar with persistent SSH tunnels

–          Relay or Deauth attack with auxiliary WiFi adapter

–          Web-based management simplifies MITM attacks

–          Expandable with community modules

–          And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking a tool like this with the capabilities of software such as Cain &amp; Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but it can do so much more.  A prime example of the abilities of this tool is ARP poisoning, such that you can see all the traffic on a given subnet / VLAN.  I have personally used this to record (with approval of course!) VoIP calls in order to demonstrate the need to encrypt VoIP traffic.  Cain even nicely reconstructs individual call conversations for you!

This is another personal favourite of mine – if your VoIP is not encrypted, why not?  Does your board know that it is trivially easy to record their calls, or those of finance and HR etc., on your network?
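Since ARP poisoning is what makes the call recording possible, here is what the defensive side looks like, as an added example of my own rather than anything from the talk or from Cain: a small detector run over constructed tcpdump-style ARP reply lines that raises an alert when an IP’s MAC mapping changes after it was first learned, and when one MAC starts answering for several IPs, which is the footprint of a poisoner sitting between hosts and their gateway.  The log lines and addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (sample input, not a real capture).
# The gateway 10.0.0.1 and host 10.0.0.50 are legitimately at 00:11:22:33:44:xx;
# de:ad:be:ef:00:99 then claims to be both of them, the classic ARP-poisoning MITM.
SAMPLE_ARP_LOG = """\
12:00:01.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:01.100000 ARP, Reply 10.0.0.50 is-at 00:11:22:33:44:50, length 28
12:00:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.050000 ARP, Reply 10.0.0.50 is-at de:ad:be:ef:00:99, length 28
12:00:06.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def detect_arp_spoofing(log_text):
    """Two heuristics over ARP replies:
    1. an IP's MAC changes after first being learned  -> ("mapping_changed", ts, ip, old, new)
    2. one MAC answers for more than one IP            -> ("one_mac_many_ips", ts, mac, ips)
    Returns the alerts in the order they were raised."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue  # requests, non-ARP lines and anything unparseable are ignored
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("mapping_changed", ts, ip, prev, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("one_mac_many_ips", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(alert)
```

Both heuristics have benign triggers, a router that legitimately owns several addresses or a first-hop redundancy failover for example, so in practice you whitelist known gateway MACs and treat the alerts as a prompt to look, not as proof.  The more fundamental fix is the one the talk points at: encrypt the VoIP traffic so that seeing it is not the same as hearing it.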

The talk went on to cover some further easy attacks, such as those using the power of Google search syntax to gain information from Dropbox, SkyDrive, Google Docs etc.  One example was finding Cisco passwords in Google Docs files.  This leads on to another question: are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach &amp; Liu have a project called the ‘Google Hacking Diggity Project’ that has created a freely downloadable tool for building complex Google / Bing searches with specific tasks in mind, such as hacking cloud storage.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.
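The Cisco passwords found in exposed documents deserve a closer look, so this added example (mine, not part of the talk or of the Diggity project) shows what to do with a leaked IOS configuration once a search has turned it up: scan it for credential lines and decode any ‘password 7’ values.  Type 7 is Cisco’s reversible XOR obfuscation with a fixed, publicly known key, so a leaked config with type 7 passwords is a leaked set of cleartext passwords; ‘secret 5’ (MD5-crypt) values are still worth flagging because they can be cracked offline.  The configuration fragment is constructed, and the type 5 hash in it is a placeholder rather than a real hash.

```python
import re

# Fixed XOR key used by Cisco IOS "service password-encryption" (type 7).  Type 7 is
# reversible obfuscation, not encryption, which is why a leaked config is a leaked password.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded):
    """First two decimal digits are the key offset; the rest is hex of plaintext XOR key."""
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plaintext, seed=9):
    """Inverse of type7_decrypt; used here only to build test data."""
    data = plaintext.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Constructed IOS config fragment.  The value after "secret 5" is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$abcd$PLACEHOLDERhashNotReal
username admin password 7 094F471A1A0A
username backup password 7 0215015819031B
line vty 0 4
 password 7 094F471A1A0A
snmp-server community public RO
"""

CRED_LINE = re.compile(r"\b(password|secret)\s+(\d)\s+(\S+)")
SNMP_LINE = re.compile(r"^\s*snmp-server community\s+(\S+)")


def scan_config(text):
    """Return (line_no, kind, exposed_value) findings for a leaked IOS config."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = CRED_LINE.search(line)
        if m:
            kind, algo, value = m.groups()
            if algo == "7":
                findings.append((no, f"{kind} type 7 (reversible)", type7_decrypt(value)))
            elif algo == "5":
                findings.append((no, f"{kind} type 5 (MD5-crypt, crackable offline)", value))
            else:
                findings.append((no, f"{kind} type {algo}", value))
            continue
        s = SNMP_LINE.match(line)
        if s:
            findings.append((no, "snmp community (plaintext)", s.group(1)))
    return findings


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(finding)
```

Run against your own exported configurations before someone else’s search finds them: every type 7 hit is a credential to rotate, and `enable secret` (type 5 or, on current IOS, the stronger scrypt/PBKDF2 types) should be the only way privileged access is stored.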

Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’: our important data is all encrypted, with strong, robust processes around it.  We were hacked, but it doesn’t matter.  The C and I of CIA are critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K

RSA Conference Europe – Cybercrime, Easy as Pie and Damn Ingenious

James Lyne, Director of Technology Strategy, Sophos

Sophos currently see &gt;200,000 individual pieces of malicious code every day.

Cybercrime is becoming very professional with easy to access tools;

Sites exist for testing and quality assurance of malware, e.g. www.virtest.com – this site scans your malware with multiple (44) different anti-virus products to see if it is detected.  The benefit of this service is that it uses the vendors’ own AV engines and signatures.  The site carries the assurance that no results will be sent back to the vendors or shared in any way, so the malware author can be confident that the sample will not be added to existing malware databases.

Another example is Gwapo, who have YouTube videos advertising their DDoS service.

Ransomware is also becoming common: malware that encrypts your drive(s) and demands payment to decrypt them.  Some ransomware is a lot more scary and malicious, threatening that illegal content such as child pornography has been encrypted onto your computer and that if you don’t pay within xx hours or days the police will be sent details of how to decrypt it.  Ransomware can be particularly harmful and effective because it does not require administrative access; for example, any company files your account can write to can be encrypted with just that limited access.

You can easily get access to ‘crime-packs’ containing various exploit and attack tool kits.  Examples include Firepack, IcePack, CrimePack, Blackhole etc.  Some of these even come with CR tools built in!  Additionally, in keeping with the times, some are available as cloud-based services that you can subscribe to.  Many come with technical support contacts as well.

The tools have very simple GUI-based interfaces for creating your own malware based on existing payloads etc.  They are also very regularly updated with new code and make use of polymorphism to try to evade detection.

As an example, Blackhole has features such as;

–          Blacklisting / blocking to try and prevent researchers from security companies accessing the application and infected machines

  • Only hit IPs once
  • IP blacklist
  • Referrer URL blacklist
  • TOR blacklist
  • Import blacklisted ranges (e.g. from cloud services)

–          Auto updating / patching

–          Can target multiple client vulnerabilities simultaneously

–          Java 0-days almost as soon as they were available

–          AV scanning add-ins to check whether the attack is being identified by host AV systems

A few comments on adopting a more ‘offensive’ stance, this is a grey area and may be legally questionable in some jurisdictions so you should be careful when looking at these options.  Some options in escalation of scale order;

–          Bit of poking – DNS, name servers and ‘affiliations’

–          Web bug, image or alike

  • Pretty easy to legally get away with
  • Sadly basic information

–          Javascript. Web Shell. Querying more information

  • Borderline, depending on your jurisdiction

–          Full hog – exploitation

  • Oh, you didn’t patch Java on your system either? – use the attacker’s own exploit, in this case Java, against their own Java-based site / application
  • Where they are, what they are doing.

Two steps forward.. Using IPv6 as an example: many machines now have IPv6 enabled by default, and a simple router advertisement flood attack, available in current BackTrack releases, can max out the CPU and even crash the machine.  You may not care about IPv6 yet, but if you are neither disabling it nor securing it you could be opening up new attack vectors in your organisation without realising it.  The message again is to understand your environment and the risks you face.
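As an added example of my own (not from the talk), here is the kind of check that tells you whether an IPv6 router advertisement flood like the one described is hitting a segment: a detector over constructed RA observations that tracks, per source, the peak number of RAs seen in any one-second window and the number of distinct prefixes advertised.  A real router announces one or a few prefixes every few seconds; a flooder announces thousands of new prefixes per second, and the hosts exhaust themselves configuring addresses for each.  The thresholds, addresses and the shape of the synthetic flood are assumptions for the demo.

```python
from collections import defaultdict, deque


def constructed_ra_sample():
    """Constructed RA observations as (timestamp_seconds, source_link_local, advertised_prefix).
    Not a real capture: one well-behaved router plus a flood_router6-style burst."""
    records = [(t, "fe80::1", "2001:db8:1::/64") for t in (0.0, 4.0, 8.0, 12.0)]
    # Flood: 2,000 RAs in two seconds, each advertising a prefix the hosts have never seen.
    records += [(5.0 + i / 1000.0, "fe80::bad", f"2001:db8:{i:x}::/64") for i in range(2000)]
    return sorted(records)


def detect_ra_flood(records, rate_threshold=50, prefix_threshold=20, window=1.0):
    """Per source: peak RA count within any sliding `window` seconds, and the number of
    distinct prefixes advertised.  A source over either threshold is marked as a flood.
    Thresholds are illustrative; tune them to what your routers legitimately send."""
    recent = defaultdict(deque)      # per-source timestamps inside the current window
    peak_rate = defaultdict(int)
    prefixes = defaultdict(set)
    for ts, src, prefix in records:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak_rate[src] = max(peak_rate[src], len(q))
        prefixes[src].add(prefix)
    return {
        src: {
            "peak_rate": peak_rate[src],
            "distinct_prefixes": len(prefixes[src]),
            "flood": peak_rate[src] > rate_threshold or len(prefixes[src]) > prefix_threshold,
        }
        for src in peak_rate
    }


if __name__ == "__main__":
    for src, stats in detect_ra_flood(constructed_ra_sample()).items():
        print(src, stats)
```

On the prevention side, the controls are the ones the paragraph hints at: RA Guard (RFC 6105) on access switches so that only the designated router ports may send RAs, `net.ipv6.conf.all.accept_ra = 0` on Linux hosts that do not rely on SLAAC, and disabling IPv6 outright on segments where you genuinely do not use it.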

Key take away points from this talk are;

–          Consider upcoming technologies even if you are not using them yet

–          Consider any investigative / offensive moves very carefully

  • I’d recommend improving your forensics capabilities, gather solid, admissible evidence to hand to legal investigators

–          Watch the basics

  • Assumptions kill us
  • Yes people can be that silly

–          Everything in moderation – Hype hurts

On a closing note, the tools and sites mentioned in this post are real and currently accessible.  Search for and use them with care and at your own peril!

K

Attack Mitigation – Assume the worst

I have recently been catching up on what was happening at the RSA Conference in San Francisco this year and what some of the key security trends are.  One thing that has jumped out is the move from ‘we can protect you’ to ‘you are, or will be, hacked, so what can we do to mitigate the damage and catch the malicious individual or group?’.

This has been coming for a few years with the increasing use of cyber-warfare by governments and the military, and the emergence of the APT (Advanced Persistent Threat), where well-funded adversaries, whether state-sponsored groups or organised criminal gangs, will expend a lot of time, money and skill to gain long-term and potentially subtle footholds in company systems.  These factors, along with all the ‘standard’, existing threats and the continued success of social engineering attacks such as phishing, have led many security leaders to suggest that you have likely already experienced a breach and that you will, not may, experience breaches in the future.

This is backed up by research from the Ponemon institute that suggests 70-80% of organisations have experienced a data breach within the last 20 months.

So in addition to the standard perimeter and control type solutions there are now vendors and consultancy firms offering solutions to limit the damage that occurs when these preventative measures fail, and at the same time capture as much information as possible to aid in the tracking down and capture of the attacker(s).

This is an interesting wake-up call for both the security industry and all companies: the protective measures we have relied upon for years do work, but they are far from infallible and will fail when faced with a concerted effort or a duped user who already has system access.

A couple of interesting references covering this in more depth;

Dark Reading – http://www.darkreading.com/advanced-threats/167901091/security/news/232602708/security-s-new-reality-assume-the-worst.html

Bruce Schneier – http://www.schneier.com/blog/archives/2012/04/attack_mitigati.html

The Dark Reading article is particularly interesting, and it’s well worth reading both sections.

Remember – your company’s systems will be breached.. What will you have in place to minimise the damage and assist in preventing the attackers from doing the same to more organisations?

K