Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack

Amichai Shulman, CTO. Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack. © 2012 Imperva, Inc. All rights reserved.

Upload: imperva

Post on 19-Jan-2015


DESCRIPTION

In 2011, Imperva witnessed an assault by the hacktivist group Anonymous, which included the use of social media for communications and, most importantly, their attack methods. Since Anonymous' targets vary, it is important for security professionals to learn how to prepare their organization for a potential attack. These presentation slides walk through the key stages of an Anonymous attack campaign, including recruitment and communication, application attack methods, and mitigation strategies.

TRANSCRIPT

Page 1: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack

Amichai Shulman, CTO

Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack

© 2012 Imperva, Inc. All rights reserved.

Page 2: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Agenda


+ Anonymous Overview and Background
+ How They Attack: Anatomy of an Anonymous Attack
  + Recruiting and Communications
  + Reconnaissance and Application Attack
  + DDoS
+ Non-Mitigation Tools
+ Mitigation Tools

Page 3: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Today's Presenter: Amichai Shulman, CTO, Imperva

+ Speaker at industry events: RSA, Sybase Techwave, Info Security UK, Black Hat
+ Lecturer on information security: Technion - Israel Institute of Technology
+ Former security consultant to banks and financial services firms
+ Leads the Application Defense Center (ADC)
  + Discovered over 20 commercial application vulnerabilities, credited by Oracle, MS-SQL, IBM and others
+ One of InfoWorld's "Top 25 CTOs"

Page 4: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


What/Who is Anonymous?


"…the first Internet-based superconsciousness." —Chris Landers, Baltimore City Paper, April 2, 2008

"Anonymous is an umbrella for anyone to hack anything for any reason." —New York Times, 27 Feb 2012

"Anonymous is a handful of geniuses surrounded by a legion of idiots." —Cole Stryker, New York Times, 27 Feb 2012

Page 5: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


The Plot


The attack took place in 2011 over a 25-day period.

Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.

The website was mostly informational but contained data and enabled some commerce.

The attack did not succeed.

Page 6: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


On the Offense


Skilled hackers - This group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy.

Nontechnical - This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks, either by downloading and using special software or by visiting websites designed to flood victims with excessive traffic.

Page 7: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


On the Defense


The defensive deployment consisted of a network firewall, a web application firewall (WAF), web servers and anti-virus.

+ Imperva WAF
  + SecureSphere WAF version 8.5, inline, high availability
  + ThreatRadar
  + SSL wasn't used; the whole website was served over HTTP
+ Unnamed network firewall and IDS
+ Unnamed anti-virus

Page 8: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


How They Attack: The Anonymous Attack Anatomy


Page 9: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


1 ----------------------------------- Recruiting and Communications


Page 10: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Step 1A: An “Inspirational” Video


Page 11: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Step 1B: Social Media Helps Recruit


Page 12: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Setting Up An Early Warning System


Page 13: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Example


Page 14: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack



"Avoid strength, attack weakness: Striking where the enemy is most vulnerable." —Sun Tzu

2 ----------------------------------- Recon and Application Attack

Page 15: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Anonymous’ Attacks Mimic For-Profit Hackers


[Pie chart: Hacker Forum Discussion Topics. Slices: spam, dos/ddos, SQL Injection, zero-day, shell code, brute-force, HTML Injection. Values shown: 16%, 22%, 19%, 10%, 12%, 12%, 9% (slice-to-label mapping not preserved in this transcript).]

Source: Imperva. Covers July 2010 - July 2011 across 600,000 discussions.

Page 16: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Step 1A: Finding Vulnerabilities


Tool #1: Vulnerability Scanners

Purpose: Rapidly find application vulnerabilities.

Cost: $0-$1000 per license.

The specific tools:

+ Acunetix (named a "Visionary" in a Gartner 2011 MQ)
+ Nikto (open source)

Page 17: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Hacking Tools


Tool #2: Havij

Purpose:

+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.

Developed in Iran.

Page 18: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Vulnerabilities of Interest


[Chart: number of alerts (0 to 4000) by date, Day 19 through Day 23, with one series each for Directory Traversal, SQL injection, DDoS recon and XSS.]

Page 19: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Mitigation: AppSec 101

+ Code Fixing
+ Dork Yourself
+ Blacklisting
+ WAF
+ WAF + VA
+ Stop Automated Attacks

Page 20: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


3 ----------------------------------- DDoS


Page 21: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Hacking Tools


Low-Orbit Ion Cannon (LOIC)

Purpose:

+ DDoS
+ Mobile and JavaScript variations
+ Can create 200 requests per second per browser window

Page 22: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Anonymous and LOIC in Action


[Chart: Transactions per Day (0 to 700,000), Day 19 through Day 28. Series: Average Site Traffic; Mobile LOIC in Action.]

Page 23: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


LOIC Facts


LOIC downloads:

+ 2011: 381,976
+ 2012 (through March 19): 318,340
+ Jan 2012 = 83% of 2011's downloads!

JavaScript LOIC:

+ Easy to create
+ Iterates up to 200 requests per minute
+ Can be used via mobile device

Page 24: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


BUT: DDoS Is Moving Up the Stack


Decreasing costs. Traditional DDoS attacks require a large investment on the attacker's side, including distributing the attack across multiple sources.

The DoS security gap. Traditionally, the defense against DDoS has been based on dedicated devices operating at the lower layers (TCP/IP). These devices cannot detect higher-layer attacks because of their inherent shortcomings: they don't decrypt SSL, they do not understand the HTTP protocol, and they are generally not aware of the web application.

For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html

Page 25: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Application DDoS


"The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit." —The Hacker News, July 30, 2011

Page 26: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


But That Much Sophistication Isn’t Always Required


Page 27: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


But That Much Sophistication Isn’t Always Required


Meet your target URL

Page 28: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Mitigation


WAF: It can decrypt SSL, understand HTTP and also understand the application business logic to analyze the traffic, sifting out the DoS traffic.
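To make the "DoS security gap" concrete, here is an added example (not Imperva's code, and not part of the original deck) of the kind of HTTP-layer check a WAF or log pipeline performs: it parses constructed access-log lines in Apache combined format and flags any client that exceeds an assumed threshold of 20 requests per second, so a LOIC-style flood of perfectly valid requests stands out even though every packet looks normal at the TCP/IP layer.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format (assumed): ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def make_line(ip, second, path, ua="Mozilla/5.0"):
    """Build one constructed log line stamped 18/Nov/2011 10:00:<second>."""
    ts = f"18/Nov/2011:10:00:{second:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: two ordinary visitors plus one client replaying the
# front page 40 times inside a single second, the shape of a LOIC flood.
SAMPLE_LOG = (
    [make_line("198.51.100.10", 1, "/index.html")]
    + [make_line("198.51.100.11", 2, "/about.html")]
    + [make_line("203.0.113.7", 3, f"/index.html?id={i}") for i in range(40)]
    + [make_line("198.51.100.10", 4, "/contact.html")]
)

def detect_floods(lines, threshold=20, window_s=1.0):
    """Return {ip: peak requests seen inside one window} for every client that
    exceeds `threshold` requests per `window_s` seconds. Each request is valid
    HTTP answered with 200, so a device that stops at TCP/IP sees nothing wrong;
    only counting requests per client at the HTTP layer exposes the flood."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()  # slide the window forward, dropping stale requests
        if len(q) > threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, peak in detect_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests in one second, candidate for rate limiting")
```

In production the threshold would be derived from the site's measured baseline rather than fixed, and the flagged addresses would feed a rate limiter or reputation block rather than a print statement.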

Page 29: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


4 ----------------------------------- Non-Mitigations


Page 30: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Anti-Virus is Irrelevant: Malware is NOT the MO


McAfee mea culpa

"The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?'" —McAfee, September 2011

Source: http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss

Page 31: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Anti-Virus Recommendation (From A Hacker!)


"Use your existing anti virus or download a free one such as SpyBot Search And Destroy (Some AV is better than none and at least it keeps basic viruses out, don't pay for it though because your just funding the companies that make this problem worse)." (sic)

—Source: http://adamonsecurity.com/ , creator of RankMyHack.com

Page 32: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


I have IPS and NGFW, am I safe?


IPS and NGFWs do not prevent web application attacks.

+ Don't confuse "application aware marketing" with Web Application Security.

WAFs at a minimum must include the following to protect web applications:

• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation

Page 33: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


I have IPS and NGFW, am I safe?


IPS and NGFWs do not prevent web application attacks.

+ Don't confuse "application aware marketing" with Web Application Security.

However, IPS and NGFWs at best only partially support the items in red [colour highlighting not preserved in this transcript]:

• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation

Page 34: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


I have IPS and NGFW, am I safe?


• IPS & NGFW Marketing – They have at least one web-app feature so they market themselves as a solution.

• IPS & NGFW gaps to WAF – WAFs provide far more web-app features than IPS and NGFWs. IPS and NGFWs do not even meet the most minimal requirements of web application security.

• False Sense of Security - IPS and NGFWs are creating a false sense of security with their claims and are leaving organizations like the ones we have previously mentioned susceptible to web application penetration.

Page 35: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Anonymous targets that we know of, so far…

Polish Internal Security Agency, French Presidential Site, Austria Ministry of Justice, Austria Ministry of Internal Affairs, Austria Ministry of Economy, Austria Federal Chancellor, Slovenia NLB, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, HBGary Federal, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Rotary Club of Orlando, Bay Area Rapid Transit, Syrian Defense Ministry, Syrian Central Bank, Syrian Ministry of Presidential Affairs, various pornography sites, Muslim Brotherhood, UMG

US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, Sony, Amazon, Church of Scientology, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Fine Gael, New Zealand Parliament, Tunisia Government, Zimbabwe Government, Egyptian Government, Malaysian Government, Polish Government, Polish Police, Polish President, Polish Ministry of Culture, Polish Prime Minister, Polish Ministry of Foreign Affairs

PayPal, Mastercard, Visa, Itau, Banco de Brazil, US Senate, CIA, Citibank, Caixa

How many of these organizations have AV, IPS and next-generation firewalls? Why are the attacks successful when these technologies claim to prevent them?

Page 36: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


5 ----------------------------------- Mitigations


Page 37: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Automated Scanning Tools


Page 38: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Automated Scanning Tools


Page 39: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Automated Scanning Tools


Page 40: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Automated SQL Tool


Page 41: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Automated SQL Tool


Page 42: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Automated SQL Tool


Havij SQL attack attempt fails with errors due to WAF mitigation.

Page 43: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Blocking Traffic Based on Reputation


Page 44: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Blocking Traffic Based on Reputation


Real-time alerts and ability to block based on IP Reputation.

Page 45: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Blocking Traffic Based on Reputation


Real-time alerts and ability to block based on IP Reputation.

Page 46: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


DDoS Traffic


~4000 hits take the website offline.

Page 47: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


DDoS Traffic


Page 48: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


DDoS Traffic


~4000 hits take the website offline.

Page 49: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


DDoS Traffic


Note: 25x the number of hits blocked, with no web outage in this example.

Page 50: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack


Webinar Materials

+ Webinar Recording Link
+ Webinar Slides

Get LinkedIn to Imperva Data Security Direct for…

+ Post-Webinar Discussions
+ Answers to Attendee Questions

http://www.linkedin.com/groups/Imperva-Data-Security-Direct-3849609

Page 51: Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack

www.imperva.com
