
Page 1

©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice


Stefan Schmid – Manager Central & Eastern Europe & Middle East & North Africa, [email protected]

Marcel Rölli – Sales Manager CH/A, [email protected]

Josef Meier – Solution Architect D/A/CH, [email protected]

SECURE: HP TippingPoint & Omicron AG. All of a piece - IT security from HP

Page 2

Agenda
- Analysis of the RSA hack
- Current attack methods in detail
- Live demo Aurora "drive-by hack"
- Q&A

Page 3

Analysis of the RSA hack

Page 4

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat (CVE-2011-0609)

By: Will Gragido (Sr. Product Line Manager, DVLabs)

On March 14, 2011 Adobe Systems Incorporated released a notification related to the existence of a critical vulnerability in its Adobe Flash Player 10.2.152.33. The vulnerability in question also had certain implications on other, earlier versions of the tool.

A complete list of the versions of the Adobe tool and corresponding operating systems affected can be seen below:

- Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.2.154.18 and earlier for Chrome users
- Adobe Flash Player 10.1.106.16 and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

The resultant condition associated with this vulnerability (CVE-2011-0609) may result in application / system crashes or allow for an attacker to seize control of an affected system. Reports of this vulnerability having been exploited in the wild have been noted as part of targeted attacks via a Flash (.swf) file embedded within a Microsoft Excel (.xls) file that is delivered to its target as an email attachment.

While the team at Adobe Systems Incorporated works to finalize its fix for this vulnerability we wanted to ensure that our customer base was aware that HP DVLabs is working on a filter to address it. Our intent is to release the filter Thursday March 17, 2011 barring any unforeseen quality assurance (QA) issues. We encourage you to continue visiting this blog for information regarding this vulnerability and filter. We encourage you to monitor the following blog for the latest on Adobe Systems Incorporated vulnerability information.

Filter: 10920 'SMTP: Malicious Adobe Shockwave Flash Player File Download'

Page 5

The RSA attack

Diagram labels: Internet, LAN

1. Intruder prepares a malicious Excel document
2. Intruder targets a few employees (spear phishing) with an Excel attachment over a 2-day interval: "2011 Recruitment plan.xls"
3. Malicious e-mail delivered (but blocked by local spam filters)
4. User notices the e-mail in the spam folder and opens the Excel file…
5. Adobe Flash zero-day exploit in the .XLS installs the "Poison Ivy" back door
6. Intruder now observes user role, privileges & keystrokes; gets domain admin access
7. Intruder now uses domain access to reach sensitive servers & exfiltrate the database
8. Intruder now has SecurID information. OWNED

Page 6

The RSA attack

What happened? Potential consequences?

– RSA Open letter “Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA”

– Coviello CEO went on to say it “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

– One possibility, said Whitfield Diffie, a computer security specialist who was an inventor of cryptographic systems now widely used in electronic commerce, is that a “master key” — a large secret number used as part of the encryption algorithm — might have been stolen.

After the hack, RSA replaces up to 40 million SecurID tokens! Source: http://www.heise.de, 07.06.2011

TippingPoint customers had been protected since 17.03.2011!

Page 7

Current attack methods in detail
- SQL injection
- PHP code injection
- HTTP shell command exec
- Aurora exploit

Page 8

SQL Injection - Example

Course of the attack: The attacker enters database commands (SQL) through the input fields of a web application.

Impact without IPS: The attacker obtains sensitive company data, or data is manipulated without anyone noticing. The following information could be altered:
- Website content (example: the LizaMoon attack)
- Prices
- Users (passwords)
- Delivery times
- Etc.

Diagram labels: Internet, DMZ, WWW/database server, TCP 80 open!

Page 9

SQL Injection - Example

1' UNION ALL SELECT user, password FROM mysql.user; -- priv;#'

TippingPoint customers are currently protected by 163 SQL injection filters.
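The slide's payload run against a throwaway SQLite database, as an added Python example written for this transcript (it is not code from the HP/Omicron deck): the string-concatenated query hands back the user table's password column, the parameterised version of the same lookup returns nothing, and a crude quote-plus-UNION signature shows the kind of pattern a network-level injection filter keys on. The `products` and `users` tables, the lookup function and the signature regex are assumptions; the payload is trimmed to a single statement because sqlite3 executes one statement per call, and `users` stands in for `mysql.user`.

```python
import re
import sqlite3


# Constructed sample schema and rows; the slide names no database layout.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (user TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES ('root', 'hash-of-root'), ('app', 'hash-of-app');
        """
    )
    return conn


# The slide's payload against a stand-in `users` table instead of mysql.user.
# The `; -- priv;#'` tail is dropped because sqlite3's execute() runs exactly
# one statement; the `-- ` comment still swallows the application's closing quote.
SQLI_PAYLOAD = "1' UNION ALL SELECT user, password FROM users -- "


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> list:
    # String formatting: whatever the client sent becomes part of the SQL grammar,
    # so a quote followed by UNION appends a second query to the first.
    sql = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, product_id: str) -> list:
    # Bound parameter: the driver sends the value separately from the statement,
    # so the input can only ever be compared against `id`, never parsed as SQL.
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


# Crude signature for the quote-breakout-plus-UNION pattern, in the spirit of a
# network-level injection filter. A real IPS combines many such signatures with
# protocol decoding; this regex is an illustration only (assumption, not a
# TippingPoint filter).
SQLI_SIGNATURE = re.compile(r"'\s*(union|or|and)\b|--\s|/\*", re.IGNORECASE)


def looks_like_sqli(value: str) -> bool:
    return SQLI_SIGNATURE.search(value) is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_lookup(conn, SQLI_PAYLOAD))
    print("parameterised:", safe_lookup(conn, SQLI_PAYLOAD))
    print("signature hit:", looks_like_sqli(SQLI_PAYLOAD))
```

The parameterised lookup returns an empty list for the payload because the whole string is compared against the numeric `id` column as a value; the vulnerable lookup returns the matching product plus every `users` row. The signature check is deliberately narrow (it ignores `O'Brien` but fires on `' or`), which is also why signature-only defences need the parameterised query behind them.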

Page 10

PHP Code Injection - Example

Course of the attack: The attacker tries to smuggle executable source code (PHP) into the server system through the input fields of a web application.

Impact without IPS: The attacker obtains sensitive company data, or data is manipulated without anyone noticing. Further possible consequences:
- Loss of administrative control (use as a bot client or P2P server)
- Manipulation of the server configuration
- Loss/manipulation of data

Diagram labels: Internet, DMZ, web server, TCP 80 open!

TippingPoint customers are protected by vulnerability filters.

Page 11

HTTP Shell command exec - Example

Course of the attack: The attacker tries to issue commands to the operating system through HTTP requests.

Impact without IPS: The attacker obtains sensitive company data, or data is manipulated without anyone noticing. Further possible consequences:
- Loss of administrative control (use as a bot client or P2P server)
- Manipulation of the server configuration
- Loss/manipulation of confidential data

Diagram labels: Internet, DMZ, web server, TCP 80 open!

Page 12

Example – command execution

; cat /etc/passwd & cat /etc/shadow

TippingPoint customers are protected by vulnerability filters.
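Both sides of the command-execution slide, as an added Python example written for this transcript (not code from the deck): a hypothetical ping diagnostic that receives a `host` parameter, the shell string a careless handler would hand to `/bin/sh`, the hardened handler that allow-lists the parameter and passes an argv list with `shell=False`, and a request-line check that flags shell metacharacters the way a vulnerability filter in front of the web server would. The CGI path, the `host` parameter and the sample request line are constructed; the payload inside it is the slide's.

```python
import re
import subprocess
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed HTTP request line carrying the slide's payload in the `host`
# parameter of a hypothetical ping diagnostic (not a real capture). In the query
# string `+` is a space, %3B a semicolon and %26 an ampersand.
SAMPLE_REQUEST = (
    "GET /cgi-bin/ping?host=127.0.0.1%3B+cat+/etc/passwd+%26+cat+/etc/shadow HTTP/1.1"
)

# Characters a POSIX shell treats as command separators or substitutions.
SHELL_META = set(";&|`$()<>\n")

# Allow-list for a host parameter: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def vulnerable_command(host: str) -> str:
    # The string an os.system() or shell=True call would hand to /bin/sh: the `;`
    # and `&` in the input end the ping and start the attacker's commands.
    return f"ping -c 1 {host}"


def accepts_host(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def hardened_command(host: str) -> List[str]:
    # Reject anything outside the allow-list, then build an argv list. With an
    # argv list and shell=False the arguments go straight to execve; no shell
    # ever parses metacharacters.
    if not accepts_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    return subprocess.run(hardened_command(host), shell=False,
                          capture_output=True, text=True, timeout=10)


def suspicious_params(request_line: str) -> Dict[str, str]:
    # Detection side: decode the query string the way the server would and
    # report every parameter that contains shell metacharacters.
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {name: value for name, values in params.items()
            for value in values if SHELL_META & set(value)}


if __name__ == "__main__":
    hits = suspicious_params(SAMPLE_REQUEST)
    print("suspicious parameters:", hits)
    for value in hits.values():
        print("shell would run:", vulnerable_command(value))
        try:
            hardened_command(value)
        except ValueError as exc:
            print("hardened handler:", exc)
```

The check decodes the query string before looking for metacharacters, since the raw request carries them percent-encoded; a filter that inspects only the undecoded bytes misses exactly this case. The allow-list, not the metacharacter list, is what makes the handler safe: the detection is a second line that reports attempts the handler would already have refused.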

Page 13

Live Demo Aurora. Don't be scared!