Lucky for me there are other people who write new content that somehow relates to this blog so I have a chance to point to them and say “cool stuff, look there!”.
My good friend Itzik Kotler has just written a blog post about bypassing DLP systems using some of our elements from last year’s DefCon talk (and BSides, and Hashdays, and Brucon, you get the idea…). It features some awkwardly written code (yours truly) and some wickedly useful evasion techniques (still mostly unhandled).
This is a translation of the original article published in Calcalist on May 20th 2012.
A group of professional hackers, employed by the most sensitive organizations to detect security breaches, are showing how to gain access to critical information, or take down the power for a whole city – and what is needed in order to protect from such attacks.
If you believe Hollywood, breaking into computers or networks is the easiest thing in the world. The hacker just sits in front of the keyboard, types in a few commands, and immediately finds himself in a top-secret database. In reality, it is naturally a more complicated affair: the hacker can’t break into a secure network in a couple of minutes, and not always without leaving the keyboard. He needs to gather intelligence, plan, go out and talk to people. A real hacker is essentially a detective, a spy, and a bit of an actor.
In this article, in cooperation with experts from Security Art, among which Yoram Golandsky the CEO, and Iftach Ian Amit the Vice President of Consulting, we present the true work of hackers, and detail how a real breach into a secure computer network is performed. Security Art’s employees are hackers for hire – computer security professionals, who get hired by companies in order to break into their own networks and expose their security flaws.
The scenarios that we built here are based on actual attacks performed by Security Art (all client names have been dropped for confidentiality reasons). Others are probability scenarios – such that are based on the knowledge of Security Art’s experts about computer networks, the protections used in them, and their proven ability to manipulate and circumvent them.
The information brought here is not considered secret or as a means to provide hackers with tools. It has already been published publicly in conferences, and is considered domain knowledge among security experts and hackers, and in any case is not detailed enough to be used maliciously. One thing this guide does show: with enough knowledge, determination and sophistication, there is no computer network or database that is fully protected from computer attackers. Not even a biometric database in which millions of shekels have been invested.
The target: infiltrating into an internal communication network of a company.
Intelligence gathering: For weeks, the attacker gathers relevant information on the company and its employees. Identifying employees through social networks such as LinkedIn and Facebook, building detailed profiles on them (from email addresses to hobbies). From such information the attacker identifies that in the near future a trade conference will be attended by some of the company’s employees.
The bait: The attacker builds a site similar to the one used by the conference. The domain used for the fake site is very similar to the real one (for example – aclc.com instead of adc.com). An email from the fake domain is sent to the employees that have been identified as relevant to the conference, inviting them to visit the conference website for updates (while using the phishing domain).
The catch: A few minutes after the email is sent, one of the employees clicks on the link provided in it, and browses to the phishing site. In the fake site, embedded attack code runs, and scans the employee’s computer for vulnerabilities.
The infiltration: The attack code identifies a vulnerability in the employee’s browser, exploits it, and runs a trojan application on it. This provides the attacker full control over the PC, without the employee ever taking note.
Data exfiltration: The attacker can track every activity performed on the PC – from keystrokes, through full access to any resource the user has privilege to on the network. The information includes contracts, development plans, strategic documents, confidential business communications with customers, and even encryption keys that provide access to encrypted data.
Expanding the breach: The attacker enjoys the same privileges of the employee’s compromised PC – financial systems, internal operational systems, file servers. Even when the employee has limited access, the attacker can leverage the initial privileges in order to get to restricted resources – by compromising the company’s main server.
How to prevent the breach: The company must equip itself with more advanced (adequate) technical means to filter content and separate the internal resources; educating and training the employees about safe browsing and use of the Internet; self tracking of the organization’s intelligence profile on the Internet.
The target: Abusing the capabilities of smartphones, or when the company’s network is well protected.
Intelligence gathering: First, the brand and model of the smartphones used by the company are identified, as well as which employees use them with their business email. Then, a traveling employee is located and targeted using his business email – which will be opened on the smartphone.
The trap: A malicious email containing an infected PDF file is sent to the employee. The PDF will install a trojan on the smartphone once opened. The trojan runs persistently on the phone, while mapping all the networks the phone is connected to (WiFi, 3/4G, etc). Additionally, it provides full access to all the information stored on the smartphone, as well as to the interesting features of it such as location services, opening up the microphone and camera in order to stream audio and video back to the attacker.
The spying: The location services feature enables the attacker to pinpoint the user to a specific location, and turn on the microphone and camera when inside the company offices. The calendar is used to identify important meetings, in which the microphone and camera will be turned on again. The result: access to classified information, which includes personal and professional conversations, which may not even exist on the company network.
Everybody’s network: If the employee connects the smartphone to the company’s WiFi, such a connection can enable the attacker to infiltrate it, while easily bypassing most protections that exist towards the official Internet perimeter. Even if the internal network is separate from the WiFi network, such access is still valuable, as other company PCs are connected to it, and can be targeted and breached (for example – during meetings in which employees bring their laptops and connect to the WiFi in the meeting room). Even more dangerous: when an employee visits other companies (clients) and connects to their wireless networks, while exposing them to further attacks.
How to prevent the breach: Employees can be supplied with company-issued phones, which have been hardened and secured. Alternatively, advanced security modules can be installed on employee-owned phones. Furthermore, a proactive approach is required in monitoring and mapping the internal network for anomalies.
Installing spy software using a flash drive
The target: A defense contractor’s internal network, which is physically separate from the external networks.
Intelligence gathering: Much like the first phase of the first scenario. In this case the target is to understand in which internal network the interesting information resides.
For establishing a baseline of how the organization works, full mapping of both personnel as well as physical locations of the organization is performed. Based on the professional background of specific employees published in sites such as LinkedIn, employees can be mapped to which products they work on, and in which divisions. Location services such as FourSquare enable associating physical locations to the employee’s profile – thus revealing the actual office in which the secure network operates in.
In a specific attack which Security Art’s employees performed, a call was made to the office that was targeted. In order to verify the targeted employee’s details, the attacker impersonated another company employee (“it’s easiest to claim you are from marketing, then you have a good enough excuse for your ignorance…”), talked to the development team lead, and corroborated the information gathered so far. Additionally, the attacker managed to identify that there was an internal voice over IP network in use – which could be leveraged later to exfiltrate the sensitive data.
The con: The attacker arrives at the targeted office, bearing a branded USB thumb drive. He hands it over to the receptionist, claiming: “I just found this outside, I think someone from this office dropped it, let’s plug it in and see whose it is!”. The unsuspecting receptionist plugs the thumb drive into the PC and opens up the files on it. Another alternative for the drop is to leave the thumb drive at the cafeteria, or to hand it over to an employee that’s about to enter the building.
The infection: Once the drive is plugged in, a malicious code runs and installs a trojan. The trojan maps the internal network, locates the relevant data, and encodes it into audio signals.
The call: The trojan maps the voice over IP network and impersonates a handset to initiate a call to the attacker’s voicemail outside the organization. It then “plays” the encoded audio signals from the previous phase. Now the attacker can download the voicemail, decode the audio signals back into binary data, and access the sensitive information.
Command and control: The attacker can further furnish the trojan to call into a conference call number and stay connected to it. In such a scenario, the attacker can join into the conference call anytime, and send simple instructions to the trojans connected to it using the DTMF tones generated by the phone handset.
How to prevent the breach: The company should block the option to connect external devices to the organization PCs. Additionally, monitoring of the VoIP network is critical in order to find suspicious activities.
Powering off a city
The target: attacking the power supply infrastructure of vast regions by taking over smart meters that use cellular communications.
Intelligence gathering: Smart meters are in a pilot phase in Israel. Several suppliers participate in this pilot. The attacker gathers intelligence on the suppliers, and tries to identify vulnerabilities in the products that are being tested.
Stealing the data: The attacker uses specialized equipment to set up a cell tower, which impersonates a legitimate cell provider’s tower. It then causes the smart meter to “trust” it, and communicate through it. Now the attacker has full access to the data gathered from the smart meters, and can change it before passing it along to the electric company monitoring and operations center.
The hit: Using the information gathered, the attacker can damage the production systems: by falsely reporting a higher or lower utilization than the actual one, the production rate will be modified, causing rolling blackouts through extensive regions.
How to prevent the breach: monitoring critical points in the smart meter system, and having dual checks and controls over any information that is related to production and usage.
A long drought (almost a month) in this blog is finally coming to an end after I had some great conversations with good friends at the cyber un-conference here in Israel. One of the obvious discussions is around the use of the term cyber (surprise). The general agreement is that the term has been violated pretty badly by security consulting firms and vendors trying to jump on the “cyber” bandwagon without a slim clue of what they are talking about (another shocker!).
But seriously now, we are all to blame for using the term once in a while (yours truly not excluded), while we all refer to different things. So, let’s try to get some order in the media hype and understand (at least the way I see it) what is this cyber we are talking about.
Disclaimer: this is what I believe that Cyber actually refers to. Your mileage may vary…
For me, cyber starts from way up. Beyond technology and Internet, and even beyond warfare and conflict. Cyber is first and foremost a domain. Much like air, land, sea, and space. A domain is (from the Merriam-Webster dictionary):
1. a. complete and absolute ownership of land
b. land so owned
2. a territory over which dominion is exercised
As such, domains that are not under the direct ownership, are treated by sovereign countries as first and foremost economical factors that affect their well-being. Most importantly, shared, or international domains are crucial to enabling international trade, communication, travel and freedom (especially air, sea and space). Such domains are referred to as “global commons”.
Now think of the Internet and the underlying parts that make it work. Computers, network equipment, cabling, satellite communications and other elements that are owned by a variety of private companies, governments, and are under different jurisdictions around the world. Because it is so hard to pinpoint the ownership of a specific part of the Internet, it is much simpler to treat it as a general domain, and as such, a global common. This is exactly how most modern countries act, and how it, much like the other global commons, became an element of conflicts when such countries escalate diplomatic efforts into actions. A good example of how this works can be seen in the work that NATO is putting into addressing this exact question. Note how a lot of the efforts are placed first on the legal and cooperative elements before addressing the battlefield (NATO and Cyber Defense – PDF).
So we went from an economical domain that supports communications, trade and information, to an element which countries may use as part of their available conflict management against other countries. Enter: cyberwar. What most abuses of the term these days do not take into account is that cyberwar, much like airwar, seawar, spacewar and landwar, is almost never a singular element in a conflict. It is part of a larger strategy and a means of affecting diplomatic efforts to achieve some goal at a national or international level. Hence, cyber-weapons are never products or pieces of software, but more generally tactics that are deployed in order to gain an advantage in the cyber common in conjunction with other tactics and strategies used in other domains.
I’m sorry that this isn’t the “sexy” cool thing that some consultant that used to do vulnerability assessments is trying to pitch to you, or some product that a vendor is trying to sell you in preparation to the imminent cyberwar that will erupt any minute now and eject all the CD trays of the PCs in your organization. It’s more in the lines of a broader understanding of what elements that would be used in the cyber common would affect us as individuals, organizations, cultures and countries that we should be concerned about. It’s more about how countries are developing capabilities that would be used to gain an advantage over their adversaries in diplomatic conflicts. Whether on an ongoing basis – much like “normal” spying and intelligence gathering is done in times of peace, or in times when more active measures are taken.
The bottom line is that the “Cyber” term is first handled at the higher levels which may have nothing to do with some virus or worm hitting a nuclear plant, and only then translated to the tactics used to protect or attack assets which have some manifestation in that domain.
Now we can all get back to abusing the term. At least we know how we are going to abuse it.
This paper has been published in several security conferences during 2011, and is now being made fully available (as well as a PDF version for downloading)
Penetration testing and red-team exercises have been running for years using the same methodology and techniques. Nevertheless, modern attacks do not conform to what the industry has been preparing for, and do not utilize the same tools and techniques employed by such tests. This paper discusses the different ways that attacks should be emulated, and focuses mainly on data exfiltration.
The ability to “break into” an organization is fairly well documented and accepted, but the realization that attacks do not stop at the first system compromised did not get to all business owners. As such, this paper describes multiple ways to exfiltrate data that should be used as part of penetration testing in order to better simulate an actual attack, and stress the organization’s security measures and detection capabilities of data that leaves it.
Modern attack trees employ multiple realms of information that are not necessarily extensively tested and protected by organizations. Some of these paths involve not only technical factors, but also human, business, and physical ones.
From a technical perspective, even though information security as a practice has been around ever since computer systems have been in use, organizations tend to focus on the issues that are well documented, and have a plethora of products that address them. On the other hand, attackers would do exactly the opposite – try to find infiltration paths that involve some human interaction (as humans are generally less secure than computers), and focus on elements that are less scrutinized by protection and control mechanisms. One example for such an attack path is using formats that are commonly used by organizations, and are known to contain multiple vulnerabilities. Such formats (like WinZIP, Rar, PDF, Flash) and applications (vulnerable Internet Explorer, Firefox, and other commonly used tools) are bound to be found in organizations – even if the installed versions are problematic from a security standpoint. This is due to the fact that a lot of internal applications are still enforcing the use of old versions of such tools (notably Internet Explorer).
The human element kicks in when trying to introduce the malicious code into the organization. A common and still highly useful attack avenue is the use of targeted phishing emails (spear-phishing) that provide an appealing context to the target which would make it more “legitimate” to open and access any content embedded in the email or referred by it (external links to sites that would carry the malicious code).
Another human element that can be easily exploited in getting malicious content into an organization is using physical devices that are dropped or handed to key personnel. This paper is read at a conference, where multiple vendors provide giveaways in the form of electronic media (be it CDs, or USB memory devices). A classic attack vector would use such an opportunity to deliver crafted malicious code over said media (or follow-up emails) to key personnel.
The last element of the infiltration attack surface is the physical one – gaining physical access to the offices or the target (or one of its partners) is easier than perceived, and provides the attacker multiple ways of getting their attack code onto the network. From casually tapping into open ports and sniffing the network via a remote connection (by plugging in a wireless access point), or simply plugging in an infected USB drive into various PCs, such attacks can be carried out by personnel that are not necessarily security professionals (we often use paid actors to carry out such engagements and gain a familiarity bonus for local accent and conversation context).
Data targeting and acquisition
Before launching the actual attack on the organization, the attacker will perform some basic intelligence gathering in order to properly select the target through which the attack would be conducted, as well as the data that is being sought after.
Such intelligence gathering would be done through open source intelligence, as well as onsite reconnaissance. From an organizational perspective, the ability to map out the information that is available through public channels on it is crucial. It provides a baseline on which the organization can prepare the threat model, which reflects the attacker’s intelligence data, and allows it to properly address any policy/procedure issues in terms of exposing data. Social media channels are one of the more popular means of intelligence gathering, and can easily be used to build an organizational map and identify the right targets to go through.
Finally – in terms of data targeting, the attacker would usually focus on intellectual property, financial and personal information – all of which would be easily sold on the open market and to competitors.
Once the target has been selected, and the data have been identified, the actual payload needs to be created and deployed using the attack tree that was chosen for infiltration. Such payload (often called an “APT” – Advanced Persistent Threat) is usually no more sophisticated than a modern banker Trojan that has been retooled for a singular targeted attack. Such Trojans are available for purchase on the criminal markets for $500 to $2,500, depending on the plugins and capabilities provided. These by themselves offer a fairly low detection rate by security software, but in order to assure a successful attack they are often further obfuscated and packed.
Command and Control
One of the main differences between targeted attacks and the more common malware is that targeted attacks need to take into consideration the fact that the connectivity between the payload and the attacker cannot be assured for long periods of time (and sometimes is consistently nonexistent). As such, the C&C (Command & Control) scheme for such an attack needs to take that into consideration and the payload should be well equipped to operate fairly independently.
Nevertheless, some form of control communication is needed, and usually utilizes a hierarchical control structure, where multiple payloads are deployed into the organization at different locations, and are able to communicate with each other to form a “grid” that enables the more restricted locations to communicate through other layers to the attacker outside the organization.
So far we have reviewed how an attacker would infiltrate an organization, target the data it is after, and find a way to somehow control the payload deployed. Nevertheless, getting the actual data out is still a challenge, as more often than not, it is located so deep inside the network that traditional means of communications (DNS/HTTP tunneling for example) are not applicable.
However, the way that organizations build their infrastructure these days basically calls for other means of getting the data out. Following are a few concepts that should be used for testing exfiltration capabilities as part of penetration testing – which have proved to be useful on multiple major corporations, as well as government/defense organizations.
First off – the obvious: use “permitted” protocols to carry the information out. These are usually DNS traffic and HTTP traffic. The data itself may be sensitive and filtered by DLP mechanisms, and as such should be encrypted using a method that would not allow a filtering/detection device to parse through it. After encryption, the data can be sent out through services such as Dropbox, Facebook, Twitter, blog comments and posts, wikis, etc… These are often not filtered by the corporate control mechanisms, and are easy to set up if needed to (a WordPress blog for example, where the payload can post encrypted data using the attacker’s public key).
The next exfiltration method that usually works is simply printing documents. Obviously, we won’t print out the original data as it would be easily detected and shredded. Instead – the encrypted information can be sent to shared printers (which are easy to map in the network), and made to look like print errors (i.e. remove any header/footer from the encryption method we utilize). Printouts like that are more likely to end up in the paper bin rather than the shredder, and later extracted as part of old-school dumpster-diving. Such documents just need to be OCR’d after their retrieval and decrypted to reveal the sensitive data that has been stolen. This method is usually more efficient where proper mapping of the paper disposal process of the target has been performed.
An alternative to printing the encrypted data uses the same means of exfiltration – the shared printers. When a shared printer is found to be a multi-function device with faxing capabilities, the payload can utilize it to fax out the encrypted documents.
In this situation the payload would still need to keep “operational awareness” as some DLP products would actually look at the fax queue for information that is not supposed to leave the organization, hence using the encrypted text is better form.
Exfiltration through VoIP
This is the main concept that is being displayed here. As VoIP networks are usually accessible to the local network (usually to accommodate soft-phones, and just a simpler network topology), crafted payloads are able to utilize this channel to exfiltrate data. The method proposed here is to initially sniff the network and observe recurring patterns of calls, and user identifications (to be later used when initiating the SIP call). After some initial pattern can be mapped out, the payload encodes the data to be exfiltrated from its binary format to audio.
A proposed encoding maps out the half-byte values of the data stream to a corresponding scale of audio tones using 16 distinct octaves on the human audible frequency range (20Hz to 20,000Hz). Therefore, a byte value is split into its high and low values, and then the value is used to select an octave (out of the 16 available ones).
Sample 1: pseudo-code for voice encoding of data to 16-octave representation
The octave is then played for a short period of time (for example ½ second) on the final output voice channel. The final output is then played back on an opened SIP call that can be made to almost any number outside the organization (for example a Google voice account’s voicemail) for later decoding back to the original binary data.
For the decoding itself, an approximation analysis is performed on the input sound file in order to identify the maximum frequency detected for each “time slice” which carries the generated tone, and then comparing the frequency to the octaves used in generating the original sound. As sounds get distorted and downsampled as they go through older telephony systems, and cannot be guaranteed the same quality as used on pure VoIP circuits, the spacing between the frequencies used should be enough to create a distinction between tones.
Sample 2: pseudo-code for voice encoding of data to 16-octave representation
This method can obviously be optimized in several ways – first, using more octaves (as long as they are distant enough in their frequencies and non-harmonic) to represent more data in each tone being played, and again in the time each tone is played to essentially compress the data over less time.
The proof-of-concept that is being released along with this paper is intentionally designed to act as an example (although it can be easily tooled to carry out a significant amount of data, and has been used in several occasions to do so in penetration testing engagements to exfiltrate highly sensitive data).
In terms of protection against such exfiltration techniques, the recommended strategy is to basically extend the same kind of monitoring and scrutiny that is being applied to traditional electronic communication channels (web, email) to the VoIP channels. Although voice communication monitoring has been traditionally associated with more government type organizations, the move to VoIP enables small companies and businesses to extend the same security controls to the voice channel as well. DLP systems for example could easily be used to transcribe (voice to text) phone conversations, and apply the same filtering to them, while alerting on calls that contain non-verbal communications as suspicious.
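One way to implement the "alert on non-verbal calls" check described above, as an added example that is not part of the original paper or its proof-of-concept. It scores each 32 ms frame of decoded call audio by how much of its energy sits around a single spectral peak, and flags calls that are mostly pure tones hopping between several frequencies; the sample rate, thresholds, tone frequencies and all three test signals are constructed assumptions.

```python
import cmath
import math
import random

SAMPLE_RATE = 8000        # narrowband telephony rate (assumption)
FRAME = 256               # 32 ms analysis frame; power of two for the FFT
TONAL_SHARE = 0.85        # energy share near the spectral peak that marks a pure tone
MIN_TONAL_FRACTION = 0.5  # share of non-silent frames that must be tonal
MIN_DISTINCT_PEAKS = 4    # a steady dial or hold tone stays below this
HANN = [0.5 - 0.5 * math.cos(2 * math.pi * i / (FRAME - 1)) for i in range(FRAME)]


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def frame_peak(frame):
    """Return (peak_hz, energy_share_near_peak), or None for a silent frame."""
    spectrum = fft([s * w for s, w in zip(frame, HANN)])
    power = [abs(c) ** 2 for c in spectrum[1:FRAME // 2]]  # bins 1..N/2-1, DC skipped
    total = sum(power)
    if total < 1e-6:
        return None
    peak = max(range(len(power)), key=power.__getitem__)
    near = sum(power[max(0, peak - 2):peak + 3])  # Hann main lobe spans +/-2 bins
    return (peak + 1) * SAMPLE_RATE / FRAME, near / total


def analyse_call(samples):
    """Score mono audio (floats in roughly [-1, 1]) for tone-coded, non-verbal content."""
    voiced = tonal = 0
    peaks = set()
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        result = frame_peak(samples[start:start + FRAME])
        if result is None:
            continue
        voiced += 1
        freq, share = result
        if share >= TONAL_SHARE:
            tonal += 1
            peaks.add(round(freq / 100) * 100)  # bucket peaks to 100 Hz
    fraction = tonal / voiced if voiced else 0.0
    suspicious = fraction >= MIN_TONAL_FRACTION and len(peaks) >= MIN_DISTINCT_PEAKS
    return {"tonal_fraction": fraction, "distinct_peaks": len(peaks),
            "suspicious": suspicious}


def stepped_tones(count=40, tone_samples=800):
    """Constructed input: 0.1 s pure tones hopping across 16 assumed frequencies."""
    freqs = [500 + 200 * i for i in range(16)]
    out = []
    for n in range(count):
        f = freqs[(n * 7) % 16]
        out += [math.sin(2 * math.pi * f * t / SAMPLE_RATE) for t in range(tone_samples)]
    return out


def speech_like(seconds=2, f0=120):
    """Constructed stand-in for voiced speech: 20 harmonics of f0 plus noise."""
    rng = random.Random(1)
    return [sum(math.sin(2 * math.pi * f0 * k * t / SAMPLE_RATE) / k
                for k in range(1, 21)) + rng.uniform(-0.3, 0.3)
            for t in range(seconds * SAMPLE_RATE)]


def steady_tone(seconds=2, freq=1000):
    """Constructed input: one unchanging tone, like a hold or test tone."""
    return [math.sin(2 * math.pi * freq * t / SAMPLE_RATE)
            for t in range(seconds * SAMPLE_RATE)]


if __name__ == "__main__":
    for name, signal in (("stepped tones", stepped_tones()),
                         ("speech-like", speech_like()),
                         ("steady tone", steady_tone())):
        print(name, analyse_call(signal))
```

The distinct-peak requirement keeps a single steady tone from raising an alert; real deployments would tune both thresholds against recorded traffic, since fax, modem and DTMF audio are also non-verbal.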
The concepts presented here in relation to advanced techniques in data exfiltration are not only theoretical. We have been observing progress in the way that advanced threats are addressing this issue, and adding more capabilities and techniques to the arsenal of data exfiltration beyond simply staging data in archives and pushing it out through FTP connections. The proliferation of VoIP networks that are being configured mainly for convenience with not much security concern into them have allowed us to observe a few cases where similar methods of utilizing such channels were used in the transmission of data outside of the targeted organization. Additionally, VoIP networks also allow simple bridges between networks with different classifications that may not have a direct data connection in the “classic” sense of a TCP/IP network infrastructure.
The other techniques mentioned in this paper (namely the use of covert channels in legitimate services such as blogs, social networks, Wikis, and DNS) are already in full use and should be a reality that corporate security should already address.
When attempting to address data exfiltration the first important thing to realize is that infiltration is almost taken for granted. With so many attack surfaces encompassing different facets of the organization (outside technical scopes), security managers need to realize that detection and mitigation of data exfiltration is an integral part of the strategic approach to security.
Identifying data in transit and in-motion is the basic element that allows detection of exfiltration paths, and many tools already allow organizations to address this issue. The missing components usually lie in the realms that traditional products and approaches neglect such as encrypted communications, and “new” channels such as VoIP. Addressing these channels is not an unresolved problem, and in our experience simple solutions can provide insight into the data carried in them.
For encrypted channels a policy (both legal as well as technical) of terminating such encryption at the organizational perimeter before it is being continued to the outside should be applied. This approach, coupled with an integration of existing DLP products to identify and detect misplaced data, will provide the required insight into such communications. An unknown data type carried over legitimate channels should be flagged and blocked until proven “innocent” (for example custom encryption used inside a clear-text channel that cannot be correctly identified and validated as legitimate).
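A sketch of the "flag unknown data types carried over legitimate channels" rule, applied to the blog-comment channel mentioned earlier in the paper. This is an added example, not code from the paper: it parses a URL-encoded form body (as seen after TLS termination at the perimeter) and reports fields that contain a long unbroken base64- or hex-like run with high per-character entropy. The field names, thresholds and sample bodies are constructed assumptions.

```python
import base64
import math
import random
import re
from collections import Counter
from urllib.parse import parse_qs, urlencode

# A long run with no spaces, drawn only from base64/base64url/hex characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{64,}")
MIN_BITS_PER_CHAR = 3.5  # assumed floor: random hex is ~4.0, random base64 ~5.9


def shannon_entropy(text):
    """Empirical Shannon entropy of a string, in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_form_body(body):
    """Return one finding per encoded-looking blob in a URL-encoded form body."""
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for match in TOKEN.finditer(value):
                token = match.group(0)
                bits = shannon_entropy(token)
                # Low-entropy runs (padding, separators, "AAAA...") are ignored.
                if bits >= MIN_BITS_PER_CHAR:
                    findings.append({"field": field,
                                     "length": len(token),
                                     "bits_per_char": round(bits, 2)})
    return findings


def sample_bodies():
    """Constructed comment submissions: benign text, base64, hex, and filler."""
    rng = random.Random(7)
    blob = bytes(rng.randrange(256) for _ in range(300))
    hexed = bytes(rng.randrange(256) for _ in range(128)).hex()
    return {
        "benign": urlencode({"author": "dana", "comment":
                             "Great write-up, thanks for sharing the slides. "
                             "Will the video of the talk be posted too?"}),
        "base64": urlencode({"author": "bob", "comment":
                             "nice post " + base64.b64encode(blob).decode()}),
        "hex": urlencode({"author": "eve", "comment": hexed}),
        "filler": urlencode({"author": "sam", "comment": "A" * 200}),
    }


if __name__ == "__main__":
    for name, body in sample_bodies().items():
        print(name, inspect_form_body(body))
```

A finding here means "unidentified encoded data", not "exfiltration"; per the policy above it is held until the data type can be identified and validated as legitimate.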
For VoIP channels, the same approach that is being applied to the more traditional web and email channels should be used as well. Full interception and monitoring of such channels can be applied, even when not in real-time – such as recording all conversations, processing them using speech recognition software, and feeding the results back to the DLP. This approach yields the same results as a DLP installed on the email and web channels does. Additionally, the investment in terms of time, human resources, and materials is negligible when compared with the added security in terms of detection and mitigation of such threats, and complements the layered security approach that should have covered these aspects in the first place.
This paper covered the more advanced infiltration techniques utilized by targeted attacks on organizations (which should have been covered by the security industry to a point, although organizations are still struggling with this aspect), and raised awareness of the more problematic issue of detecting data in transit outside of the organization as it is being exfiltrated. Several methods of exfiltration have been discussed, with the more evasive one being the use of voice channels on VoIP infrastructure.
We believe that the current practices do a disservice to the layered security approach that is being preached in the security industry by leaving gaping holes in the exfiltration paths monitoring and mitigation. While there may be claims of privacy issues, such gaps are similar in the way that data is being processed and inspected to existing channels, and should adhere to the same standards of privacy protection and abuse as traditional solutions that address data leakage do.
Just a quick share on something that made me very happy this week (that’s what happens when the wife is not around): Enabling AirPlay on a non-apple device to stream both music as well as video to my Boxee (on an Xtreamer Ultra Linux box).
Pascal Widdershoven has published a really simple and quick to install script here: Airplayer
Albert Zeyer has the equivalent one for playing audio: Shairport
Installation of both is fairly straightforward (just read the readme/install files) and worked flawlessly on my rig. Have fun!
After a long time of no updates, I’m finally back to a “normal” schedule, but as always – there’s some new project that emerges from just being around extremely smart people and accessibility of alcohol…
So, during an exciting tweeting session at the SecurityZone green room (which is never green BTW), where all of us geeks were relaxing and instead of actually talking to each other (again – we are all in the same room), we were exchanging gestures and an occasional snicker as we “discussed” things on twitter. At one point, the question of “why on earth can’t we make defense as sexy as we managed to make offense?” came up (in the context of information security of course).
0. Rediscover your passion for the job you have instead of whining about the job you don’t have.
1. Wake the fuck up and learn how your company works (for realz – not just the techie stuff)
2. Use everything you have. whatever the “bad” guys use is fair game for u as well. research vulns on attack tools…
3. Intelligence. Gather it. On you, on your threat communities. Now use it. Intelligently.
4. You have more information at your disposal than you think (logs. Lots of them). Figure out a way to use it.
5. Remember that it’s the users (humans) that will screw you up. Make sure your “plans” include dealing with them (not just tech)