4. Hacktivism
From Wikipedia:
HACK + ACTIVISM: the use of computers and computer networks as a means of protest; (…) hacktivism could be defined as "the nonviolent use of legal and/or illegal digital tools in pursuit of political ends". These tools include web site defacements, denial-of-service attacks, information theft, (…) Acts of hacktivism are carried out in the belief that proper use of code will be able to produce similar results to those produced by regular activism or civil disobedience.
5. What is Anonymous?
What they claim to be:
Anonymous is an Internet meme (…), representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain.
Hacktivists fighting for moral causes.
Reality:
“Anonymous is an umbrella for anyone to hack anything for any reason.”
—New York Times, 27 Feb 2012
Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement, an airline, São Paulo’s Mayor and Vladimir Putin.
Anyone can be a target.
6. The Plot - The anatomy of an Anonymous Attack
The attack took place in 2011 over a 25-day period.
Anonymous was on a deadline to breach and disrupt a website: a proactive attempt at hacktivism.
10-15 skilled hackers or “geniuses.”
Several hundred to a thousand supporters.
7. On the Offense
Skilled hackers: this group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy.
Nontechnical: this group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks, either by downloading and running special software or by visiting web pages designed to flood victims with excessive traffic.
8. On the Defense
The deployment line was: network firewall, WAF, web servers and anti-virus.
Imperva WAF
+ SecureSphere WAF version 8.5, inline, high availability
+ ThreatRadar reputation
+ SSL wasn’t used; the whole website was served over plain HTTP
Unnamed network firewall and IDS
Unnamed anti-virus
12. Phase #2
Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is
most vulnerable.”
—Sun Tzu
13. Finding Vulnerabilities
Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
14. Hacking Tools
Tool #2: Havij
Purpose:
+ Automated SQL injection and data harvesting tool.
+ Built solely to extract the data that applications store and transact.
Developed in Iran
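The flaw that a tool like Havij automates is shown below as an added example; it is not code from the original slides or from Havij itself. It uses an in-memory SQLite database with a constructed product table and user table (table layout, rows and the hypothetical `product_id` parameter are assumptions for illustration), runs one harvesting payload through a string-built query and through a parameterized query, and returns both results so the difference is visible.

```python
"""Added example, not from the original slides or from Havij: the class of
flaw an automated SQL injection tool exploits, beside the parameterized
query that closes it.  In-memory SQLite; the schema and rows are constructed
for illustration (assumptions, not data from the page)."""
from __future__ import annotations

import sqlite3

# Constructed sample data: a public product table next to a sensitive users
# table, which is exactly the situation a "data harvesting" tool is built for.
PRODUCTS = [(1, "widget"), (2, "gadget")]
USERS = [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
         (2, "alice", "e99a18c428cb38d5f260853678922e03")]

# A payload of the kind such tools generate once they find an injectable
# parameter: a UNION SELECT that pulls rows from an unrelated table into the
# page's normal response.
HARVEST_PAYLOAD = "1 UNION SELECT login || ':' || pwhash FROM users"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def product_names_vulnerable(conn: sqlite3.Connection, product_id: str) -> list[str]:
    # The request parameter is pasted into the SQL text, so attacker-supplied
    # text becomes part of the statement.  This bug is kept on purpose.
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def product_names_safe(conn: sqlite3.Connection, product_id: str) -> list[str]:
    # Parameter binding: the value reaches the engine separately from the
    # statement and is compared as a value, never parsed as SQL.  "1" is
    # coerced to the integer 1 by SQLite's column affinity; "1 UNION SELECT ..."
    # is not a number and therefore matches no row at all.
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,)).fetchall()]


def compare(product_id: str) -> tuple[list[str], list[str]]:
    """Run one input through both versions; return (vulnerable, safe) results."""
    conn = build_db()
    try:
        return (product_names_vulnerable(conn, product_id),
                product_names_safe(conn, product_id))
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("1", HARVEST_PAYLOAD):
        vulnerable, safe = compare(value)
        print(f"input {value!r}")
        print(f"  vulnerable -> {vulnerable}")
        print(f"  safe       -> {safe}")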
16. Hacking Tools
Low Orbit Ion Cannon (LOIC)
Purpose:
+ DDoS
+ Mobile and JavaScript variations
+ Can generate 200 requests per second per browser window
17. Anonymous and LOIC in Action
[Chart: “LOIC in Action”. Y-axis: transactions per second, 0 to 700,000. X-axis: Day 19 through Day 28 of the campaign. The “Average Site Traffic” level is marked for comparison against the LOIC traffic.]
18. LOIC Facts
LOIC downloads:
+ 2011: 381,976
+ 2012 (through March 19): 318,340, already 83% of 2011’s total
JavaScript LOIC:
+ Easy to create
+ Iterates up to 200 requests per minute
+ Can be used from a mobile device.
20. I’ve spent a lot of money…
So why am I not safe yet?
21. I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware” marketing with web application security.
WAFs at a minimum must include the following to protect web applications:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDoS Security
• Security Policy Correlation
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
22. I have IPS and NGFW, am I safe?
However, IPS and NGFWs at best only partially support the items marked in red on the slide (the same list of minimum WAF capabilities as on slide 21).
23. I have IPS and NGFW, am I safe?
• IPS & NGFW marketing: they have at least one web-app feature, so they market themselves as a solution.
• IPS & NGFW gaps versus WAF: WAFs provide far more web-app features than IPS and NGFWs, which do not even meet the most minimal requirements of web application security.
• False sense of security: IPS and NGFW claims are creating a false sense of security and leaving organizations like the ones mentioned above susceptible to web application penetration.
24. Anonymous targets that we know of, so far…
+ US Department of Justice
+ US Copyright Office
+ FBI
+ MPAA
+ Warner Brothers
+ RIAA
+ HADOPI
+ BMI
+ Sony
+ Amazon
+ Church of Scientology
+ SOHH
+ Office of the AU Prime Minister
+ AU House of Parliament
+ AU Department of Communications
+ Swiss bank PostFinance
+ Fine Gael
+ New Zealand Parliament
+ Tunisia Government
+ Zimbabwe Government
+ Egyptian Government
+ Malaysian Government
+ Polish Government
+ Polish Police
+ Polish President
+ Polish Ministry of Culture
+ Polish Prime Minister
+ Polish Ministry of Foreign Affairs
+ Polish Internal Security Agency
+ French Presidential Site
+ Austria Ministry of Justice
+ Austria Ministry of Internal Affairs
+ Austria Ministry of Economy
+ Austria Federal Chancellor
+ Slovenia NLB
+ Mexican Interior Ministry
+ Mexican Senate
+ Mexican Chamber of Deputies
+ Irish Department of Justice
+ Irish Department of Finance
+ Greek Department of Justice
+ Egyptian National Democratic Party
+ HBGary Federal
+ Spanish Police
+ Orlando Chamber of Commerce
+ Catholic Diocese of Orlando
+ Rotary Club of Orlando
+ Bay Area Rapid Transit
+ Syrian Defense Ministry
+ Syrian Central Bank
+ Syrian Ministry of Presidential Affairs
+ Various pornography sites
+ Muslim Brotherhood
+ UMG
+ PayPal
+ Mastercard
+ Visa
+ US Senate
+ CIA
+ Citibank
+ Itau
+ Banco do Brasil
+ Caixa Econômica Federal
+ Tim Celular Brasil
+ Presidência da República
+ Petrobrás
+ Receita Federal
+ Ministério dos Esportes
+ Rede Globo de Televisão
+ Cielo (Visa)
+ Banco Central
+ HSBC Brasil
+ Bradesco
+ Itau (Brasil)
+ Dilma (President)
+ Kassab (São Paulo Mayor)
27. Mitigation
Monitor social media
+ Twitter, Facebook, YouTube, blogspot, pastebin etc.
+ Use Google alerts
Protect applications
+ Web application firewalls, vulnerability assessment (VA) and code reviews
Analyze the alert messages generated by your security devices
+ The DDoS attack was preceded by a few-days-long phase of reconnaissance. Daily analysis of alert information may help better prepare for tomorrow’s attack.
IP reputation is very valuable
+ Most of the reconnaissance traffic could have been blocked (ThreatRadar).
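The daily alert review and the reputation point above can be put together in one script. The following is an added example, not part of the original slides and not any Imperva product logic: it parses combined-format web server logs, flags the source IPs that behave like scanners during the reconnaissance days (a known tool User-Agent, or more 404s than a real visitor produces), and then measures how much of the later flood those same IPs account for. The log lines are constructed for illustration, the `FLOOD_START` cut-over is assumed, and the User-Agent substrings are simplified assumptions rather than authoritative fingerprints of Nikto, Acunetix or Havij.

```python
"""Added example, not from the original slides or from any Imperva product:
a daily log review that isolates the reconnaissance phase and turns its
source IPs into a local reputation blocklist before the flood starts.  Log
lines are constructed; User-Agent substrings are simplified assumptions."""
import re
from collections import Counter
from datetime import datetime, timezone

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed substrings for the tools named on the slides; scanners that do not
# bother to spoof their User-Agent announce themselves this way.
SCANNER_UA = ("nikto", "acunetix", "havij")

# Constructed sample: three days of recon, then the flood on day four.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2011:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.4)"
198.51.100.7 - - [01/Mar/2011:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.4)"
192.0.2.10 - - [01/Mar/2011:12:30:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [02/Mar/2011:11:12:00 +0000] "GET /product.php?id=1%27 HTTP/1.1" 500 88 "-" "Havij"
203.0.113.4 - - [03/Mar/2011:08:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.4 - - [03/Mar/2011:08:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.4 - - [03/Mar/2011:08:00:03 +0000] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.4 - - [03/Mar/2011:08:00:04 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [04/Mar/2011:09:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [04/Mar/2011:09:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.4 - - [04/Mar/2011:09:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.99 - - [04/Mar/2011:09:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.10 - - [04/Mar/2011:09:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""
# Assumed cut-over between the recon days and the flood day.
FLOOD_START = datetime(2011, 3, 4, tzinfo=timezone.utc)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def recon_sources(events, max_404=3):
    """IPs that behave like scanners: a known tool User-Agent, or more 404s
    than a real visitor produces (a wordlist scanner probes many absent paths)."""
    flagged = set()
    missing = Counter()
    for e in events:
        if any(tag in e["ua"].lower() for tag in SCANNER_UA):
            flagged.add(e["ip"])
        if e["status"] == 404:
            missing[e["ip"]] += 1
    flagged.update(ip for ip, n in missing.items() if n > max_404)
    return flagged


def analyze(text, flood_start):
    """Return (blocklist built from the recon phase, share of flood-phase
    requests that the blocklist would have dropped)."""
    events = parse_log(text)
    recon = [e for e in events if e["ts"] < flood_start]
    flood = [e for e in events if e["ts"] >= flood_start]
    blocklist = recon_sources(recon)
    if not flood:
        return blocklist, 0.0
    dropped = sum(1 for e in flood if e["ip"] in blocklist)
    return blocklist, dropped / len(flood)


if __name__ == "__main__":
    blocklist, share = analyze(SAMPLE_LOG, FLOOD_START)
    print("recon IPs to feed into the reputation list:", sorted(blocklist))
    print(f"flood requests that list would have dropped: {share:.0%}")
```

On the constructed sample the three scanning IPs are caught before day four and account for 60% of the flood traffic. The limit is the one the slides imply: the skilled tier that performs reconnaissance is small and reuses addresses, but the nontechnical LOIC volunteers appear for the first time when the flood starts, so a reputation list built from recon alerts trims the attack rather than stopping it.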