Difference between revisions of "Anatomy of a Hack"

Anatomy of a Hack:

Purpose: This is a class on basic security principles highlighted by real-life events and the consequences of what can happen when you do not attend to the basics of protection.

Hypothetical situations:

• Phishing email: iTunes says that they have determined that your credit card number is fraudulent. They give you a website to go to to fill out the correct credit card information. The email reads in part

Please click the following link to update your credit card information
and prevent disruption to your service. www.itunes.com

• Call from IT support at work: Sam, the head of IT calls to ask for your password so that he can fix you computer

• Email from a long lost cousins: A cousin you don't remember asks for you siblings email and address.

HBGary

The story:

Anonymous is a group of hacktivists who are responsible for actions that could be considered either good, bad or both. Many of their actions are illegal. HBGary was a technology security company which sold it's products to the US Federal Government (including the Department of Defense), information assurance companies, computer emergency response teams and computer forensic investigators. CEO Aaron Barr developed a technique which he thought would unmask the leaders of Anonymous using the timing of Anonymous IRC rooms matched up with social media posts though his lead programmer criticized his methodology. His intention was to sell the list to the FBI and other law enforcement agencies. When the Financial Times ran a story on this, Anonymous members attacked within 24 hours.

Chronology of the attack:

SQL INJECTION

• HBGary used a custom CMS on their site
• A Content Management System is a system that allows for creating, editing and publishing content without a need for programming or in-depth knowledge
  • Wordpress, etc
• No CMS is 100% safe but in this case a custom CMS was used which had gaping security holes in it, leaving it open to SQL injection attacks. If they'd used an off-the-shelf product, there could be thousands of users and bug reports. This custom CMS had no one reviewing it and fixing problems.
• SQL injection is a technique often used to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker). http://en.wikipedia.org/wiki/SQL_injection
• This exploits were used to dump the table of usernames and passwords out of the website.
• A plaintext password would appear as password
• These were encrypted using MD5, but because these were not salted a rainbow table attack
  • MD5 is cryptographic hash function
    • Imagine taking something that makes password into qbttxpse
    • This they did right
  • “Salting” is adding random bits to the encrypted data to make cracking it impossible or impractical
    • qbttxpse becomes something like qb1ttx01ps1e
  • Rainbow tables are used for reversing cryptographic hash functions
    • Because the passwords were not long and they were not salted, the program was able to figure out the hash ( moving everything 1 letter ahead in our example) and reverse it into a plain-text password
• Passwords and usernames were gotten

ROOT ACCESS

• Using the now-cracked passwords, the attackers were able to gain non-root access the server support.hbgary.com
• Root access is full-control or adminstrative access
• Using a known exploit for which the server had not been patched, they were able to take root access and removed gigabytes of information

PASSWORD REUSE

• Among others, high-level employees including the CEO and COO were gotten
• They had exempted themselves from password complexity requirements and used 6 all lower-case letters and 2 numbers
• These passwords were re-used all over the internet from Google to LinkedIn to Twitter.
• Aaron Barr's, the CEO that started this, re-used this password for the companies Google Apps Mail service.
• Because he was an administrator, any accounts could be gotten into simply by resetting their password.
• They did this for the account of a man named Greg Hoglund who founded HBGary and is known in the security world
• Through reading his emails they found out that he and a Nokia employee had SSH access to a server (rootkit.com) as well as possible root passwords for that server.

SOCIAL ENGINEERING

• At this point, Anonymous has access to most of the communications within HBGary. They know that Greg Hoglund is in Europe, two possible passwords to the server root and his security person from Nokia and contact info.
• They send an email from Hoglund's account to this person.

From: Greg Hoglund <greg@hbgary.com> ISun, Feb 6, 2011 at 1:59 PM
To: jussi <jussij@gmail.com>
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks

From: jussi jaakonaho <jussij@gmail.com> ISun, Feb 6, 2011 at 2:06 PM
To: Greg Hoglund <greg@hbgary.com>
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed

From: Greg Hoglund <greg@hbgary.com> ISun, Feb 6, 2011 at 2:08 PM
To: jussi jaakonaho <jussij@gmail.com>
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.

• Once they had root access to that server they obtained further information and cracked all the poorly guarded username/password combinations again.

AFTERMATH

• Aaron Barr tried to negotiate with Anonymous. He lied to them repeatedly, not realizing they had all his emails and knew the truth.
• Over 40,000 internal emails, many of them containing very sensitive information, were posted to the Pirate Bay
• Over 1 TB of HBGary backup data was deleted
• Barr's iPad was remotely wiped
• All social media accounts for Barr were used to discredit and embarrass him
• HBGary's site was defaced and everything made public to shame them
• Aaron Barr had to shamefully bow out of a high-profile conference where he was to give a presentation about his work in an effort to garner more money.
• Information came out that HBGary and Barr were:
  • Spying on union organizations for the US Chamber of Commerce
  • Had plans to plant fake insiders within those organizations and then have them do something stupid to discredit the unions
  • Planned to create derisive 'humor pieces' on the US Chamber Watch which monitored the USCoC activities
  • Barr planned to release what he told was flawed information for millions of dollars, information he knew could or would get innocent people arrested
  • They were working on a presentation for Bank of America who wanted Wikileaks taken down. What they were proposing was mostly illegal. It included numerous cyber-attacks, creating internal strife within the funders of Wikileaks, spreading disinformation and a concerted media campaign to smear Julian Assange. They intended to disrupt all payments to the site and make it impossible to have further submissions. They also were in the process of creating unlicensed Windows games to release into the wild on Asian sites. These games contained backdoors from which they could launch attacks.
  • They planned to put pressure on civil liberties lawyers to make them fearful for their jobs and unwilling to offer more support or open criticism.
  • Everyone distanced themselves from Barr and HBGary.
  • Barr resigned in disgrace
  • HBGary's potential company sale and work disappeared and they went under.
  • It also came to light through this that the US Air Force sought from HBGary software from which they could control thousands of fake online personas on social media to gather information and spread the illusion of assent with the US government among a large portion of the populace.

LESSONS LEARNED

• Use tried and tested software. A custom CMS allowed the SQL injection that started this ball rolling. Anything on the web with public access should be secured in the stronges manner in every way possible
• Follow best security practices: This could apply to most of these mistakes in this example. By not salting their MD5 hash, they left their user info open to attacks by Rainbow Tables which has been around since 1980 and for which software is commonly available.
• Apply all the latest updates, especially security ones. If the servers had been patched for a widely known vulnerability, the attack could have been stopped.
• Best password practices. Length, upper and lower-case, numbers, non-alpha-numerical characters if possible. NEVER a common word or password and dictionary attacks.
• People with more power should have stronger passwords for security not weaker passwords for ease of use because they can object.
• NEVER re-use passwords. Firewall identities. Aaron Barr used the same password for many sites, including his personal social media sites, email, internal and external servers and personal iPad. Namechk.com
• Social engineering. The hardest to defend against and probably the most common hacking tools. In this case, a sense of urgency was used but they usually appeal to sexuality, greed or the human want/need to help. They could have had an agreed upon password or phrase not
  • Bradley Manning incident

Hacking Facebook

The story: A friend and are both interested in computer security. We were talking about hacking facebook accounts and he gave me permission to try to get into his

At that time, Facebook had a web page where you could reset the password if your email associated with your Facebook account had been compromised and you could no longer access it.

The form had the following fields

• The email you can now be contacted at
• The old email address
• The full name on the account
• DOB
• FB web address of account

I was to assume that all I knew was his full name and city he resided in.

I logged out of Facebook and cleared my cache. I logged back into the password reset page and:

• Gave them my email address. In real life I would have created a throwaway through proxies.
• I was able to find his email address because someone other than himself had posted it. I looked up his name and city and found a listing for a hobby group he was the leader for. Someone asked for information and a 3rd party listed his email.
• I had his name to start with but was able to access available information to get a middle name and was prepared with variations on his name if I did not immediately succeed.
• I could not get the DOB on any of the public info sites. He was raised out of the US
• Using the username portion of his email “username@email.com”, I was able to take the standard format profiles and add his username where mine was. I confirmed this was him and now hat the correct web address.

At this point, I could not get the DOB. I looked at publicly available information as to where my friend had lived in the US. I started searching for his name in conjunction with these cities. I found a city on the east coast where he'd had another public group he was involved with.

I then started looking at relatives and the places they had lived. I searched for their names and cities listed. I found a listing for his dad being involved with a volunteer organization. There was no information listed for contact. I read a newsletter stating his involvement with a certain individual in this organization. Posing as a relative of this individual, I contacted the organization and asked for his contact information. Because I knew his name and some information they probably considered private, they gave me his personal email address. I emailed him stating that I was a friend from that east coast city and knew him through that public group. I said I had a really nice gift for him but had forgotten his birthday. I was so embarrassed because we were good friends and would he please not tell my friend that I'd forgotten his birthday. The last piece of the puzzle was had.

LESSONS

• Firewall identities/Strategically don't re-use identities
• Be careful what you put online
• Insist on being behind a login for group sites
• Don't reuse usernames
• Social engineering – ask people to never reveal your information

RSA Security Tokens

RSA security owns SecurID which is a security token popular with government and defense companies. There is a seed number within the RSA system that, if compromised, will make those tokens useless. The attackers sent a spreadsheet out entitled “2011 Recruitment Plan” that had a 0-day Flash exploit implanted. Using these infected systems they were able to sniff traffic and find the keystore which they were able to escalate to steal them.

LESSONS

• 0-day exploits and virus creation to definition cycle.
• Heuristic programs
• Spear-phishing/phishing
• Social engineering
• Use administrative accounts judiciously
• Don't re-use passwords
• Patch
• Use 3rd part penetration testing

Stuxnet

STUXNET was a first, a guided missle of sorts... a worm that sought out only Siemans-made Iranian nuclear fuel centrifuges. The machines were air-gapped and so security was probably more lax than normal. The worm would lie in wait until the right times, override the alarms signalling anything being wrong and throw the centrifuges slightly off to ruin them.

• USB trick and history. Curiosity and voyeurism. Social engineering
• 0-day exploits for windows used
• They could have stopped USB use through policy, computer and real-life

OVER-ARCHING LESSONS

• You must be vigilant
• Learn and use best security practices
• People both overestimate their own security and underestimate the abilities of others to flaunt it.
• Don't do anything to piss people off and they won't have a reason to dig
• EVERYONE is vulnerable
• EVERYONE makes mistakes
• No matter how smart you are, you can be socially engineered
• Even if you are perfect, those around you are not