Download presentations or read below for summaries:
Demyo, Inc. capabilities:
• Founded in 2011
• All we do is 100% InfoSec
• Consists of a HIGHLY experienced team
• Team members have the following top level Information Security certifications: CISSP, GSNA, GSEC, CEH, LPT, CISA, CISM, GCIH, CCNA, GCIA, CCNP
• We speak: English, Spanish, Portuguese, Russian, Ukrainian, Lithuanian
• Web Application Penetration Testing
• Host Based Audit
• Digital Forensics
• Incident Response
• Threat Intelligence
• Vulnerability Assessment
• Source Code Review
• Social Engineering
• Security Training
• Network Penetration Testing
Web Application Penetration Testing
• OWASP methodology
• Commercial, Open Source, and proprietary tools are used
• Vulnerabilities are rated High, Medium, and Low according to risk
• Highly technical report + one-page executive summary
Network Penetration Testing
• Internal LAN pen testing
• External WAN pen testing
• Enumerating Services
• Finding Holes
• Exploiting Holes
Host based audit
• Security Configuration Review
• Policy Compliance Review
• LDAP Policies Review
• Antivirus Antimalware Review
• Logs Audit
Digital Forensics
• Who, What, When?
• Making Forensic Copy
• Memory analysis
• Selective files analysis
• Full HDD image analysis if needed
• Building the time line
Threat Intelligence
Vulnerability Assessment
• HIPAA, PCI, SOX, GLBA, ISO compliance
• Merger and acquisition support
• Security Best Practices
• Post Incident Support
Source Code Review
• Automatic source code scanning tools
• Manual source code review
• Grepping through code for high-risk functions and methods
• Checking input validation
Incident Response
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Social Engineering
• Weakest factor is still human
• Will bypass all firewalls / Intrusion Detection Systems / Intrusion Prevention Systems / Full Packet Capture Devices and any technical means in between
• How do we prevent SE?
Training
• Security Awareness training
• Technical and Managerial InfoSec training
• Penetration Testing training
• Instructors are HIGHLY experienced InfoSec Analysts
Contact Us for any infosec needs
• Email: almaz@demyo.com
• Call: +1 201 665 6666
• Visit: www.demyo.com
Insight Into Russian Black Market:
sh-3.2# whoami
• Alan Kakareka, CISSP, GSEC, CEH, LPT
• Master's degree in science from Florida International University
• CTO and founder of Demyo, Inc.
• Based in Miami, Florida, USA.
And I enjoy green letters on a black background
What are the most dangerous countries?
Where are all the goodies?
• Unknown – Unknown:
• Forums, various websites
• Known – Known:
• IM, typically ICQ
Let's take a look at 2 underground forums
• https://exploit.in/forum/ – pretty small
• https://forum.antichat.ru/ – one of the bigger ones
Small vs big
https://exploit.in/forum
341k messages, 35k users.
How many of all messages are sale / buy / trade?
Roughly 10-15% of all messages are related to selling, buying or trading. The other 90% are how to program this, how to hack this, how to solve this kind of issue, etc.
Let's see what we can buy.
How about root access to mysql.com
Anybody wants to guess the price?
Later on in the news….
Auction system for serving malware – “vDele”
Software to build your own botnet -“andromeda botnet”
Also available
• Credit card numbers
• Paypal accounts
• Online banking accounts
• Email spamming services
• Cell phone spamming services (by text messages) and / or calls
• 0-day exploits (rarely)
• Custom malware, spyware, tools
• Plain hacking services
• DDOS
• Full identity (CC + SSN + DOB + address + email with password + online banking credentials + mother's maiden name + dog's name + etc.)
0-day exploits (rarely)
• If a black hat has a 0-day, it is much more profitable to do something with it than to sell it
• If you are a white hat hacker, sell it to companies that buy bugs, like ZDI
https://forum.antichat.ru/
• 2 million messages, 104k users
How many messages are related to buy / sell / trade?
Almost 10% of all messages are related to trading
How do they trust each other?
Another way is by endorsing from the forum owner
Means of payment
• No paypal….. WHY????
• Webmoney
• Liberty Reserve
• Yandex Money
• Crypto FTW
• F2F – almost never
• Most popular is WEBMONEY
Closed sections
• Typically there are 3 access levels
• 1st level – make some useful posts
• 2nd level – get to know somebody and post some sensitive data
• 3rd level – be well known in community, post some real goodies
Limiting access only to higher profile people
Prices…
• How much is this, how much is that?
• Depends what language you speak
• If you ask in Russian – 100 bucks
• If you ask in English – 200 bucks
SPAM
• Emails sent vs Emails in Inboxes
• 1 million SPAM emails in inbox – 200 USD
Actual pricing
• Private virustotal.com type service – 40 USD / month, unlimited amount of files
• Why do you need a private virustotal.com service? When virustotal.com is free???
• DDOS – 100 to 400 USD a day, depending on traffic amount.
• DDOS sales/discussions are getting forbidden in many public Russian forums, why???
• CC – 0.1 USD to 5 USD depending on amount and/or quality
Actual pricing
• Paypal – 1% to 10% of the balance, also depending on account type and other factors
• Online Banking – 1% to 10% of the balance, depending on the bank, account type and other factors
• Email:pass combo – FREE, unless it is sorted, verified for validity, and bundled with other accounts
• Full identity (CC + SSN + DOB + address + email with password + online banking credentials + mother's maiden name + dog's name + etc.) – about 100 USD
• Many, many, many other types of services and goods – agreed price
Other factors
• Paypal and Online Banking – 1% to 10% of the balance depending on account type and other factors
o User logs into his account once every 6 months
o Password to the user's email is available as well
o This particular bank DOES allow online transfers
o User logs into his account daily
o Password to the user's email is not available
o This particular bank DOES NOT allow online transfers
How many Russian resources are there?
• A LOT OF THEM
• http://forum.xakep.ru/default.aspx 1.5 million messages
• http://hackzona.ru/
• https://forum.k0d.cc/index1.php
• http://www.hack-info.ru/index.php
• https://forum.xeksec.com/
• http://aferizm.ru/
• http://grabberz.com/forum.php
• http://forum.kriminala.net/index.php
• http://www.xaker.name/forvb/index.php
• And so on….
How to find Russian resources
• Russian search engines
• http://www.rambler.ru/
• http://www.yandex.ru/
• Classic Google dork
• ‘Site:ru hacking’
Questions? And Contact info.
• Email: almaz@demyo.com
• Phone: +1 201 665 6666
• www.demyo.com
Detecting System Intrusions:
sh-3.2# whoami
• Alan Kakareka, CISSP, GSNA, GSEC, CEH
• MS MIS from Florida International University, USA
• CTO and founder of Demyo, Inc.
• Based in Miami, Florida, USA
What Is Wrong Here?
Pwned vs Clean
What Is Wrong Here?
Surprise!
Other hidden directories
• It could be ‘.. ‘ or ‘… ‘ as well
• That’s why you should always use ls -hal, with the ‘a’ switch
• More info on hidden directories
• http://www.linfo.org/hidden_file.html
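A small scanner for the decoy names above, added here as an example and not part of the original slides. It walks a tree and flags directories whose name is made only of dots and whitespace (".. ", "... ", ". "), which look like the normal "." and ".." entries in a listing; the tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Directory names made only of dots and whitespace (".. ", "... ", ". ") blend in
# with the real "." and ".." entries of a plain "ls -a" listing.
DOT_SPACE_NAME = re.compile(r"^\.[.\s]*$")


def find_suspicious_hidden_dirs(root):
    """Return sorted paths of directories under root whose name is dots/spaces only."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if DOT_SPACE_NAME.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Scan a constructed tree: two decoy dot directories at the top, one nested."""
    root = tempfile.mkdtemp(prefix="hidden-demo-")
    for name in (".. ", "... ", ".config", "www"):
        os.makedirs(os.path.join(root, name))
    os.makedirs(os.path.join(root, "www", ". "))
    return [os.path.relpath(p, root) for p in find_suspicious_hidden_dirs(root)]


if __name__ == "__main__":
    for path in demo():
        print(repr(path))  # repr() makes the trailing space visible
```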
What is wrong in shadow file?
# cat /etc/shadow
root:$6$OFny79f/$LC5hcqZXNYKachPKheRh5WkeTpa/zO3y8OX3EUHrFkrFQAdLUTKwGjLPSdZ9uhwJQ9GmChLvbhPRbPw7lDTg90:15231:0:99999:7:::
daemon:x:15204:0:99999:7:::
bin:x:15204:0:99999:7:::
sys:x:15204:0:99999:7:::
www-data:15204:0:99999:7:::
pulse:*:15204:0:99999:7:::
rtkit:*:15204:0:99999:7:::
festival:*:15204:0:99999:7:::
postgres:!:15204:0:99999:7:::
apache:$6$LqrWIgqp$jdq1exB2GiBFgLL9kDlDkks30azWBJ1/mDU.to84mHn6nmzUzV7iHiMXK7rVm8.plMmaNKg9Yyu7ryw00r5VX.:15452:0:99999:7:::
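A check for the two problems in the listing above, added as an example and not part of the original slides: it parses shadow-format lines and reports entries that do not have nine fields (the www-data line has lost its password field), entries with an empty password field, and service accounts that carry a real crypt hash when only root is expected to have one (the apache entry). The sample is the slide's own listing; the set of accounts allowed to have a hash is an assumption passed in as a parameter.

```python
# Listing copied from the slide above (the page's own sample, not live credentials).
SHADOW_SAMPLE = """\
root:$6$OFny79f/$LC5hcqZXNYKachPKheRh5WkeTpa/zO3y8OX3EUHrFkrFQAdLUTKwGjLPSdZ9uhwJQ9GmChLvbhPRbPw7lDTg90:15231:0:99999:7:::
daemon:x:15204:0:99999:7:::
bin:x:15204:0:99999:7:::
sys:x:15204:0:99999:7:::
www-data:15204:0:99999:7:::
pulse:*:15204:0:99999:7:::
rtkit:*:15204:0:99999:7:::
festival:*:15204:0:99999:7:::
postgres:!:15204:0:99999:7:::
apache:$6$LqrWIgqp$jdq1exB2GiBFgLL9kDlDkks30azWBJ1/mDU.to84mHn6nmzUzV7iHiMXK7rVm8.plMmaNKg9Yyu7ryw00r5VX.:15452:0:99999:7:::
"""

SHADOW_FIELDS = 9  # name, hash, lastchg, min, max, warn, inactive, expire, reserved


def check_shadow(text, allowed_login_users=frozenset({"root"})):
    """Return (user, problem) tuples for entries that merit a closer look.

    Flags: lines without the nine colon-separated fields, entries with an empty
    password field (no password needed), and accounts outside allowed_login_users
    that carry a real crypt hash ($...). "x", "*" and "!" mark accounts that
    cannot log in with a password and are left alone.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[0]
        if len(fields) != SHADOW_FIELDS:
            findings.append((user, f"line {lineno}: {len(fields)} fields, expected {SHADOW_FIELDS}"))
            continue
        pw = fields[1]
        if pw == "":
            findings.append((user, f"line {lineno}: empty password field"))
        elif pw.startswith("$") and user not in allowed_login_users:
            findings.append((user, f"line {lineno}: service account carries a password hash"))
    return findings


if __name__ == "__main__":
    for user, problem in check_shadow(SHADOW_SAMPLE):
        print(f"{user}: {problem}")
```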
What is wrong in running processes?
root@bt:~/. # ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 2844 1604 ? Ss Apr15 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S Apr15 0:00 [kthreadd]
root 10962 0.0 0.0 2740 476 ? S< 09:33 0:00 udevd --daemon
root 11550 0.0 0.0 0 0 ? S 11:13 0:00 [kworker/0:2]
root 11567 0.0 0.0 0 0 ? S< 11:15 0:00 [hci0]
root 11619 0.0 0.0 0 0 ? S 11:18 0:00 [kworker/0:1]
root 11654 0.0 0.0 0 0 ? S 11:23 0:00 [kworker/0:0]
root 11664 5.3 6.1 36092 31360 pts/1 S 11:24 0:00 ./httpd
root 11665 0.0 0.2 2764 1052 pts/1 R+ 11:24 0:00 ps aux
root 12015 0.0 1.7 34800 8736 ? S Apr16 0:00 /usr/lib/notification-daemon/notification-daemon
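A triage pass over the listing above, added as an example and not part of the original slides. It parses ps aux output and flags a process started from a relative path, a service-named binary living outside the package directories, and a service attached to an interactive terminal; the ./httpd line trips all three. The sample is constructed from the slide's listing, and the daemon-name and trusted-directory sets are assumptions to tune per system.

```python
import os

# Listing constructed from the ps aux slide above (the dash in "udevd --daemon" restored).
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 2844 1604 ? Ss Apr15 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S Apr15 0:00 [kthreadd]
root 10962 0.0 0.0 2740 476 ? S< 09:33 0:00 udevd --daemon
root 11550 0.0 0.0 0 0 ? S 11:13 0:00 [kworker/0:2]
root 11664 5.3 6.1 36092 31360 pts/1 S 11:24 0:00 ./httpd
root 11665 0.0 0.2 2764 1052 pts/1 R+ 11:24 0:00 ps aux
root 12015 0.0 1.7 34800 8736 ? S Apr16 0:00 /usr/lib/notification-daemon/notification-daemon
"""

COLUMNS = ("user", "pid", "cpu", "mem", "vsz", "rss", "tty", "stat", "start", "time", "command")
# Assumed names of services normally installed from packages, and where their binaries live.
DAEMON_NAMES = {"httpd", "apache2", "nginx", "sshd", "mysqld", "named"}
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/local/")


def parse_ps(text):
    """Split `ps aux` output into dicts; COMMAND keeps its spaces (maxsplit=10)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 10)
        if len(parts) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, parts)))
    return rows


def suspicious_processes(rows):
    """Return (pid, executable, reasons) for processes that stand out."""
    findings = []
    for row in rows:
        exe = row["command"].split()[0]
        name = os.path.basename(exe)
        reasons = []
        if exe.startswith(("./", "../")):
            reasons.append("started via a relative path")
        if name in DAEMON_NAMES and not exe.startswith(TRUSTED_DIRS):
            reasons.append("service name outside the package directories")
        if name in DAEMON_NAMES and row["tty"] != "?":
            reasons.append(f"service attached to terminal {row['tty']}")
        if reasons:
            findings.append((row["pid"], exe, reasons))
    return findings


if __name__ == "__main__":
    for pid, exe, reasons in suspicious_processes(parse_ps(PS_SAMPLE)):
        print(pid, exe, "; ".join(reasons))
```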
rootkits
• What is a rootkit?
• Software based
• Kernel level in variant of kernel extensions, or drivers
• Userland level
• Start with lsmod to list the modules loaded in the kernel
Hardware based rootkits
• Hardware based
• Rootkit in Intel CPU:
http://www.overclockers.com/forums/showthread.php?t=600179
• Backdoored chips from China for Raptor F35 warplane
• Rootkits and backdoors in firmware
A Little Defense
Rootkit hunter http://rkhunter.sourceforge.net/
Most targeted commands by rootkits:
• netstat
• du
• find
• ifconfig
• inetd
• lsof
Users install rootkits themselves
• Conceal cheating on online games, Warden for WoW, STEAM, etc. Honeypots.
• Emulation software such as Alcohol 120%, daemon tools.
• Antitheft software, examples LoJack for laptops.
A proper way to analyze suspect system?
• Memory dump
• Selective HDD files analysis
• Full HDD analysis
Logs
• The fact is hardly anybody looks at logs
• Unless….
• Sh*t hits the fan (but then it is too late already!)
Other weird stuff on the system
• Log files are missing completely
• Network interface is in promiscuous mode
• Immutable files on the system that cannot be deleted, find those with lsattr command
• Mysterious open ports and services
• More info:
• http://tldp.org/HOWTO/Security-Quickstart-HOWTO/intrusion.html
Known Good State
• Restoring a server from a full backup is a little risky
• If the backdoor was installed on the system before the backup, all your backups are backdoored
• So restore the OS from a known good state and copy the data into the system
Removing Backdoors
• So you found a backdoor
• You removed it
• And you think you are safe
• Well, I really doubt it…
• You found just one of many….
Calculating Hashes On The Files
• Commercial tools and open source ones
• Commercial
• Tripwire
• Open source
• AIDE – http://aide.sourceforge.net/
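The core of what Tripwire and AIDE do, as an added example that is not part of the original slides or of either tool: take a baseline of SHA-256, permission bits and size for every file, then diff a later baseline to report added, removed and changed files. The demo builds a constructed tree in a temporary directory, tampers with it (one binary patched, a setuid bit added, one tool deleted, one file dropped in) and returns the differences.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map relative path -> (sha256, permission bits, size) for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # links are not hashed; their targets are covered as files
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = (hash_file(path), st.st_mode & 0o7777, st.st_size)
    return baseline

def compare(old, new):
    """Sorted lists of added, removed and changed paths between two baselines."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in common if old[p] != new[p])}

def demo():
    """Constructed tree: take a baseline, tamper with it, and diff the two."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    for name in ("netstat", "ifconfig", "lsof"):
        with open(os.path.join(bin_dir, name), "wb") as fh:
            fh.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
    before = build_baseline(root)
    with open(os.path.join(bin_dir, "netstat"), "ab") as fh:  # binary patched
        fh.write(b"# modified\n")
    os.chmod(os.path.join(bin_dir, "lsof"), 0o4755)           # setuid bit added
    os.remove(os.path.join(bin_dir, "ifconfig"))               # tool deleted
    with open(os.path.join(bin_dir, ".hidden"), "wb") as fh:   # new file dropped in
        fh.write(b"x")
    return compare(before, build_baseline(root))
```

The baseline dict is what you would store off-box (signed, on read-only media) between runs; comparing against a copy kept on the suspect host defeats the purpose.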
robots.txt file
User-Agent: *
Disallow: /my/admin/directory
Allow: /
User-Agent: human
Disallow: /please/go/to/easier/target
Blocking SSH brute forcing
• iptables -N SSHSCAN
• iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
• iptables -A SSHSCAN -m recent --set --name SSH
• iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
Block IPs who scan you
• 1. Move SSH from 22 to something else
• 2. Set up iptables so that it blocks any IP that tries to connect to port 22
• 3……
• 4. PROFIT!
Questions And Contact Info
• Email: almaz@demyo.com
• Cell +1 201 665 6666
• www.demyo.com