Download presentations or read below for summaries:

• Demyo, Inc. Capabilities
• Insight Into Russian Black Market
• Detecting System Intrusions

Demyo, Inc. capabilities:

• Founded in 2011
• All we do is 100% InfoSec
• Consists of HIGHLY experienced team
• Team members have the following top level Information Security certifications: CISSP, GSNA, GSEC, CEH, LPT, CISA, CISM, GCIH, CCNA, GCIA, CCNP
• We speak: English, Spanish, Portuguese, Russian, Ukrainian, Lithuanian

• Web Application Penetration Testing
• Host Based Audit
• Digital Forensics
• Incident Response
• Threat Intelligence
• Vulnerability Assessment
• Source Code Review
• Social Engineering
• Security Training
• Network Penetration Testing

Web Application Penetration Testing
• OWASP methodology
• Commercial, Open Source, and proprietary tools are used
• Vulnerabilities are rated High, Medium, and Low according to risk
• Highly technical report + executive summary 1 pager report

Network Penetration Testing
• Internal LAN pen testing
• External WAN pen testing
• Enumerating Services
• Finding Holes
• Exploiting Holes

Host based audit
• Security Configuration Review
• Policy Compliance Review
• LDAP Policies Review
• Antivirus Antimalware Review
• Logs Audit

Digital Forensics
• Who, What, When?
• Making Forensic Copy
• Memory analysis
• Selective files analysis
• Full HDD image analysis if needed
• Building the time line
Threat Intelligence

Vulnerability Assessment

• HIPAA, PCI, SOX, GLBA, ISO compliance
• Merge and Acquisition support
• Security Best Practices
• Post Incident Support

Source Code Review

• Automatic source code scanning tools
• Manual source code review
• Greping through code for high risk functions and methods
• Checking input validation

Incident Response

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Social Engineering

• Weakest factor is still human
• Will bypass all firewalls / Intrusion Detection Systems / Intrusion Prevention Systems / Full Packet Capture Devices and any technical means in between
• How do we prevent SE?

Training

• Security Awareness training
• Technical and Managerial InfoSec training
• Penetration Testing training
• Instructors are HIGHLY experienced InfoSec Analysts

Contact Us for any infosec needs

• Email: almaz@demyo.com
• Call: +1 201 665 6666
• Visit: www.demyo.com

Insight Into Russian Black Market:

sh-3.2# whoami

• Alan Kakareka, CISSP, GSEC, CEH, LPT
• Masters degree in science from Florida International University
• CTO and founder of Demyo, Inc.
• Based in Miami, Florida, USA.

And I enjoy green letters on black background
What are the most dangerous countries?

Where all the goodies are?
• Unknown – Unknown:
• Forums, various websites
• Known – Known:
• IM, typically ICQ

Lets take a look at 2 underground forums

• https://exploit.in/forum/ – pretty small
• https://forum.antichat.ru/- one of the bigger ones

Small vs big

https://exploit.in/forum
341k messages, 35k users.

How many of all messages are sale / buy / trade?

Roughly 10-15% of all messages are related to sell / buy / trade Another 90% is how to program this, how to hack this, how to solve this kind of issue, etc.

Let’s see what can we buy?

How about root access to mysql.com

Anybody wants to guess the price?

Later on in the news….

Auction system for serving malware – “vDele”

Software to build your own botnet -“andromeda botnet”

Also available

• Credit card numbers
• Paypal accounts
• Online banking accounts
• Email spamming services
• Cell phone spamming services (by text messages) and / or calls
• 0-day exploits (rarely)
• Custom malware, spyware, tools
• Plain hacking services
• DDOS
• Full identity (CC + SSN + DOB + address + email with password + online banking credentials + mothers maiden name + dogs name + etc.)

0-day exploits (rarely)

• If a black hat has 0-day it is much more profitable do something with it than selling it
• If you are white hat hacker, sell it to company’s who are buying bugs like ZDI

https://forum.antichat.ru/
• 2 million messages, 104k users

How many messages are related to buy / sell / trade.

Almost 10% of all messages are related to trading

How do they trust each other?

Another way is by endorsing from the forum owner

Means of payment

• No paypal….. WHY????
• Webmoney
• Liberty Reserve
• Yandex Money
• Crypto FTW
• F2F – almost never
• Most popular is WEBMONEY

Closed sections

• Typically there are 3 access levels
• 1st level – make some useful posts
• 2nd level – get to know somebody and post some sensitive data
• 3rd level – be well known in community, post some real goodies

Limiting access only to higher profile people

Prices…
• How much is this, how much is that?
• Depends what language you speak
• If you ask in Russian – 100 bucks
• If you ask in English – 200 bucks

SPAM

• Emails sent vs Emails in Inboxes
• 1 million SPAM emails in inbox – 200 USD

Actual pricing

• Private virustotal.com type service – 40 USD / month, unlimited amount of files
• Why do you need a private virustotal.com service? When virustotal.com is free???
• DDOS – 100 to 400 USD a day, depending on traffic amount.
• DDOS sales/discussions are getting forbidden in many public Russian forums, why???
• CC – 0.1 USD to 5 USD depending on amount and/or quality

Actual pricing

• Paypal – 1% to 10% of the balance, also depending on account type and other factors
• Online Banking – 1% to 10% percent of the balance, depending on the bank, account type and other factors
• Email:pass combo – FREE, unless it is sorted, verified for validity, and is bundled with other accounts
• Full identity (CC + SSN + DOB + address + email with password + online banking credentials + mothers maiden name + dogs name + etc.) – about 100 USD
• Many, many, many other types of services and goods – agreed price

Other factors

• Paypal and Online Banking – 1% to 10% of the balance depending on account type and other factors
o User logs in into his account once every 6 months
o Password to users email is available as well
o This particular bank DOES allow online transfers
o User logs in into his account daily
o Password to users email is not available 
o This particular bank DOES NOT allow online transfers

How many Russian resources are there?

• A LOT OF THEM
• http://forum.xakep.ru/default.aspx 1,5 million messages
• http://hackzona.ru/
• https://forum.k0d.cc/index1.php
• http://www.hack-info.ru/index.php
• https://forum.xeksec.com/
• http://aferizm.ru/
• http://grabberz.com/forum.php
• http://forum.kriminala.net/index.php
• http://www.xaker.name/forvb/index.php
• And so on….

How to find Russian resources

• Russian search engines
• http://www.rambler.ru/
• http://www.yandex.ru/
• Classic Google dork
• ‘Site:ru hacking’

Questions? And Contact info.
• Email: almaz@demyo.com
• Phone: +1 201 665 6666
• www.demyo.com

Detecting System Intrusions:

sh-3.2# whoami

• Alan Kakareka, CISSP, GSNA, GSEC, CEH
• MS MIS from Florida International University, USA
• CTO and founder of Demyo, Inc.
• Based in Miami, Florida, USA

What Is Wrong Here?

Pwned vs Clean

What Is Wrong Here?
Surprise!

Other hidden directories

• It could be ‘.. ‘ or ‘… ‘ as well
• That’s why you should always use ls –hal with ‘a’ switch
• More info on hidden directories
• http://www.linfo.org/hidden_file.html

What is wrong in shadow file?

# cat /etc/shadow
root:$6$OFny79f/$LC5hcqZXNYKachPKheRh5WkeTpa/zO3y8OX3EUHrFkrFQAdLUTKwGjLPSdZ9uhwJQ9GmChLvbhPRbPw7lDTg90:15231:0:99999:7:::
daemon:x:15204:0:99999:7:::
bin:x:15204:0:99999:7:::
sys:x:15204:0:99999:7:::
www-data:15204:0:99999:7:::

pulse:*:15204:0:99999:7:::
rtkit:*:15204:0:99999:7:::
festival:*:15204:0:99999:7:::
postgres:!:15204:0:99999:7:::
apache:$6$LqrWIgqp$jdq1exB2GiBFgLL9kDlDkks30azWBJ1/mDU.to84mHn6nmzUzV7iHiMXK7rVm8.plMmaNKg9Yyu7ryw00r5VX.:15452:0:99999:7:::

What is wrong in running processes?

root@bt:~/. # ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 2844 1604 ? Ss Apr15 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S Apr15 0:00 [kthreadd]

root 10962 0.0 0.0 2740 476 ? S< 09:33 0:00 udevd –daemon
root 11550 0.0 0.0 0 0 ? S 11:13 0:00 [kworker/0:2]
root 11567 0.0 0.0 0 0 ? S< 11:15 0:00 [hci0]
root 11619 0.0 0.0 0 0 ? S 11:18 0:00 [kworker/0:1]
root 11654 0.0 0.0 0 0 ? S 11:23 0:00 [kworker/0:0]
root 11664 5.3 6.1 36092 31360 pts/1 S 11:24 0:00 ./httpd
root 11665 0.0 0.2 2764 1052 pts/1 R+ 11:24 0:00 ps aux
root 12015 0.0 1.7 34800 8736 ? S Apr16 0:00 /usr/lib/notification-daemon/notification-daemon

rootkits

• What is a rootkit?
• Software based
• Kernel level in variant of kernel extensions, or drivers
• Userland level
• Start with lsmod to list installed modules in kernel

Hardware based rootkits

• Hardware based
• Rootkit in Intel CPU:
http://www.overclockers.com/forums/showthread.php?t=600179
• Backdoored chips from China for Raptor F35 warplane
• Rootkits and backdoors in firmware
A Little Defense

Rootkit hunter http://rkhunter.sourceforge.net/

Most targeted commands by rootkits:
• netstat
• du
• find
• ifconfig
• inetd
• lsof

Users install rootkits themselves

• Conceal cheating on online games, Warden for WoW, STEAM, etc. Honeypots.
• Emulation software such as Alcohol 120%, daemon tools.
• Antitheft software, examples LoJack for laptops.

A proper way to analyze suspect system?

• Memory dump
• Selective HDD files analysis
• Full HDD analysis

Logs

• The fact is anybody barely looks at logs
• Unless….
• Sh*t hits the fan (but then it is too late already!)

Other weird stuff on the system

• Log files are missing completely
• Network interface is in promiscuous mode
• Immutable files on the system that cannot be deleted, find those with lsattr command
• Mysterious open ports and services
• More info:
• http://tldp.org/HOWTO/Security-Quickstart-HOWTO/intrusion.html

Known Good State

• Restore server from the full backup is a little risky
• If backdoor was installed on system before backup, that means all your backups are backdoored
• So restore OS from know good state and copy data into system

Removing Backdoors

• So you found a backdoor
• You removed it
• And you think you are safe
• Well, I really doubt it…
• You found just one of many….

Calculating Hashes On The Files

• Commercial tools and open source ones
• Commercial
• Tripwire
• Open source
• AIDE – http://aide.sourceforge.net/

robots.txt file

User-Agent: *
Disallow: /my/admin/directory
Allow: /
User-Agent: human
Disallow: /please/go/to/easier/target

Blocking SSH brute forcing

• iptables -N SSHSCAN
• iptables -A INPUT -p tcp –dport 22 -m state –state NEW -j SSHSCAN
• iptables -A SSHSCAN -m recent –set –name SSH
• iptables -A SSHSCAN -m recent –update –seconds 300 –hitcount 3 –name SSH -j DROP

Block IPs who scan you

• 1. Move SSH from 22 to something else
• 2. Setup iptables that will block any IP who tries to connect to port 22
• 3……
• 4. PROFIT!

Questions And Contact Info

• Email: almaz@demyo.com
• Cell +1 201 665 6666
• www.demyo.com