Blog‎ > ‎

32c3 comments, random ramblings, thoughts, notes, dump part IV

posted Feb 7, 2016, 12:16 AM by Sami Lehtinen   [ updated Feb 7, 2016, 12:16 AM ]
No reinvention of wheel. ;), Private data center, crowdfunding, data and system ownership. Lol what kind of fails with presentation material, can't open or find it. Breaking RSA with SDR. openage. Internet governance, technical alternatives, geeks. Cyberpunk, Cypherpunk. OMEMO. OTR (Off-The-Record). TextSecure. Infinite Garble Extension (IGE). Using multiple encryption keys to encrypt the payload key. So same message can be delivered to different users and they can decrypt it without sending the message several times or using shared private key. Just like Pretty Good Privacy (PGP) has done for ages. IDABuddy. PinMagic for RaspberryPi. Universal Basic Income. (This is interesting, because Finland is going to try it (?)). Solving Sybil attack problem. Money Creation, Credit Rating System. Distance vector with cost. Delay based routing metric. Universal Payment Channels, Scalable, Anonymous, Cross-Currency Payments. Escrow, Blockchain. Signed notes. Smart Conditions using Turing-complete code. Sounds familiar, I've been checking out multiple solutions like that. ISO8583. libusb.   "Amazon is reported to have some very close ties to spy agencies." Surprised? Nope. Writing secure, reusable and testable software. Attacker can create tarball of all world-readable data under /. Yep, that's just what I did. No reference, but it's somewhere in my blog. Turning systems into a botnet node. Easily doable. Reusability and testability. Web Server configuration and Security Testing. CloudABI, nuxi. Implants with remote exploitable issues, the unpatchable devices. Hardcoded credentials, Honeypots. Medical Device Hacking Made Legal via DMCA exception for researches. Nice!  Firmware update for pacemaker, nice... Debugging software inside your body. Many medical devices are legacy technology, no software updates. Devices are often back boxes with complex and un-secure proprietary software. Lack of regulations, wireless connectivity, potential cloud connectivity, large attack surface.  Building a secure web service. Using read and append-only file descriptors. POSIX. CloudABI. Advanced Persistent Threats (APT) and OPSEC Evolution. How it can significantly disrupt operations. OPSEC in 60 seconds. Assure success, Prevent Detection, Prevent Attribution. You need to know your enemy. The Hacking Team. Resurecting Spy Network. Many APT reports are aimed to generating PR for security companies. Also the malware and attacker guys of course do read the APT attack and threat reports. "Turla Satellite Traffic Hijacking" and "Stuxnet / Duqu / Flame / Duqu2", "Iron Tiger: Chinese, Careto: Spanish? Intentional false flag, maybe not, because the targets were such that only Spain would be interested about that information. Duqu2: Multiple false flags". This is just what the CIA espionage and counter intelligence documents said. It could be all too obvious and totally wrong. It's extremely hard to tell when it's true and when it isn't. Intelligence Gathering. Target prestudy and target report. Attack Plan and Execution. Planting falsified evidence and traces. Studying target defences and creating a map. Examining Security Vendor Backend capabilities: IDS, IPS, antivirus, signatures, logging. Looking for other players, has the system already been owned by other actors. Really, really try to hide your identity. Think about forensic analysis, compilers can leave lot of information in the compiled binary. Cyber Engagement, Cycle Evolution. Whenever possible, use OS-included tools, so you don't need to create custom code or install it into system. This could allow RAM only operations, yet allowing reinfecting the system when necessary. When it's time to fold or retreat. Compose Intelligence Requirements. It's hard to get enough information on attacker objectives. It's like having a stalker, you know you're being watched, but you might not know what they're actually after. PlugX RAT, C2 and DNS tunneling modes. Threat actors gain entry and act on objective. Stealing data is just one of the multiple options. Required action is to perform a meaningful, periodical Risk Assessment. Compiling target list. I there's no time-sensitive information, it's impossible to form attack pattern. Yet if you're having similar data or using similar platforms as other compromised organization. You're on the target list. POS credit card information theft, happened in waves and the targets didn't react before it happened for them. Everybody thought that they're not on the target list. So it's also important to perform a relevant Threat Assessment. Threat = Intent + Capability. (This is also why I think it's important to maintain capability, so it can be used when there's intent, motivation or a reason to use it.) Using decoys and social engineering. Pre-Engagement Stage. Publicly available sensitive data, lax security awareness allows probing the target (automatic / human). This means that the attacker can gain a lot of information before reaching your network. It's important to limit public information, also act outside your own perimeter and periodically refresh your and staff awareness. Engagement Stage. As we've seen, everyone has been hacked or compromised, everyone will be hacked, and everyone is hacked right now? It's not matter if, it's matter of when. Security is on going process. Unfortunately Lateral Movements aren't reported. With many obstacles on way in (Layered Security) there's many opportunities for the defender to intervene. Keeping and securing log authenticity as forensic evidence. It's not all about endless monitoring and alerts. Having enough data for post event analysis is vital. Backup & snapshot log files. (Actually one person (SWIM) is administering some systems which were compromised, unsurprisingly the attacker also took care of the log files when gaining root access to the system.) Having great logs and copies of thsoe can potentially save the day. It's important to have Backup Response Plan (BURP). It's like video surveillance, it doesn't make things secure, but helps enormously in after event analysis. Target Engagement Process list: Compose Intelligence Requirements, Compile Target List, Intelligence Gathering, Target Report, Attack Plan and Execution, Fold. Nation State Actors don't want attribution and exposure. Yet many other groups just don't care if they're caught. It's also very dangerous if defense publishes analysis too fast, because the attacker / actor can sill be in systems and just adjust their strategy in real-time based on the feedback they gained from defense blog. It's like playing poker with exposed cards. Getting earlier breach reports and information sharing and collaboration. Attribution based on IP address alone, with all these false flags, it's ridiculous. Using compromised systems as proxies and relays is trivial. Anything you can do to increase cost and risk of the attack, is always beneficial, do it. Of course the defense measures need to be risk accessed and protection measures need to be adjusted proportionally to the risk.

Lot of typos? Sure, I haven't proof read this obviously. It's just quick jotted notes.