Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Примеры работ «Перспективного мониторинга» за 2015 год

367 views

Published on

Десятка интересных практических примеров наших работ за 2015 год. Доклад на RuCTF 2016.

Published in: Technology
  • Login to see the comments

  • Be the first to like this

Примеры работ «Перспективного мониторинга» за 2015 год

  1. 1. White hat Cases of the year 2015 TOP-10 Maxim Avdyunin
  2. 2. LLC Advanced Monitoring Corporate Group
  3. 3. Advanced Monitoring Criminal Code of Russia. Article 272. Illegal Accessing of Computer Information. Criminal Code of Russia. Article 273. Creation, Use, and Dissemination of Harmful Computer Viruses Criminal Code of Russia. Article 274. Violation of Rules for the Operation of Computers, Computer Systems, or Their Networks vs We are the white hat hackers!
  4. 4. Informational development and Communications ministry of the Perm Territory The Federal Service for State Registration, Cadastre and Cartography (Rosreestr) Khabarovsk Territory government JSC Russian Railways PJSC «Uralkali» etc. Customer List Advanced Monitoring
  5. 5. Information Security Audit Software Security AuditPenetration testing Software development IS Incident Monitoring Digital Forensics Competitive Intelligence
  6. 6. Our arsenal Network Scanners IP-Tools nmap Vulnerability Scanners MaxPatrol Nessus Traffic Analyzers Wireshark Intercepter-ng Ettercap-ng GigaStor Tcpdump Web Vulnerability Scanner Acunetix Burp Suite Nikto arachni sqlmap Exploit frameworks Metasploit Online bases: 0day.today rapid7.com exploit-db.com Static Analyzers PVS-Studio Cppcheck Clang SonarQUBE Disassemblers / Debuggers IDA OllyDbg WinDbg Immunity Debagger GDB Brute force software hydra John the Ripper hashcat Developer tools Visual Studio Eclipse IDLE
  7. 7. Cases of the year Top 10
  8. 8. Case 1/10 «Bad news» Client Government contractor Task and setting Perform a black box penetration testing Work done A spear phishing attack on client personnel was performed with two “news” letters about parking fees and pensions, containing web link to a script, that intercepted user authentication information
  9. 9. Case 1/10 «Bad news» Results  More then a half of staff followed at least one of the links  Nobody reported suspicious letters to a client’s Information Security Department  Client’s IT-infrastructure has been fully compromised during the testing  Information Security Department activity has been logged and log was included in a final report
  10. 10. Case 2/10 «Leaky front-end» Client Large governmental organization Task and setting Perform a server-client sales system information security audit Work done Client terminal reverse engineering, its web-interface instrumental examination, and also penetration testing and fuzzing of its server components have been performed
  11. 11. Results  Fuzzing procedure that guaranteed server malfunction has been developed  A variety of vulnerabilities have been found in client software. Those vulnerabilities could allow an attacker to: o Tamper with the information on the client o Send modified data to the server o Clone client terminals Case 2/10 «Leaky front-end»
  12. 12. Case 3/10 «Shakespearean tragedy» Client A theater Setting Leak of confidential financial information about directory salary It’s publication on the Internet Backlash from Client’s personnel Task Find the source of the leak and people responsible
  13. 13. Case 3/10 «Shakespearean tragedy» Work done Leaked materials were analyzed and a list of potential malefactors was created Information on their computers was copied and examined Source data searched in the file archives and potential leakage paths were determined Results Leakage sources were determined and recommendations for their closure were made Client was given a list of suspects
  14. 14. Case 4/10 «Blowing the lid off» Client Shipment tracking information provider Task and setting Some web-sites offered for sale information distributed by our Client without any legal ways to. The task was to find out how they get the information and if possible deanomize them Work done To complete the task an open source intelligence research was performed and sites of interest were analyzed instrumentally
  15. 15. Case 4/10 «Blowing the lid off» Results The following information has been acquired:  The list of people affiliated with the web resources in question  Their personal and contact information, social relations, etc.  Confidential information, legal documents in particular
  16. 16. Case 5/10 «Watchmen» Client Large IT-Company Task and setting A Client asked Advanced monitoring to develop a system of information security incident monitoring in his network and protocols for an on-the-spot incident response, and to create corresponding rules for the corporate intrusion detection system. Work done  Advanced Monitoring has established an Information Security Operation Center (AM ISOC)
  17. 17.  AM ISOC has been integrated with Client’s network infrastructure and AM instrumental base (network scanners, traffic analyzers, etc)  Detection and response protocols have been established and tested in “combat environment” Results During a five months period:  29 information security incidents were detected and handled  34 signatures for Client IDS were developed Case 5/10 «Watchmen»
  18. 18. Case 6/10 «The Star-Spangled Scare» Client Large IT-company Task and setting Investigate an incident taken place in client’s network Work done Monitoring of a Client’s network showed an attempt of a ShellShock attack. Client’s resources were not vulnerable to the attack and no harm was done. Attack analysis showed that an intruder had been sending queries in the search for vulnerable resources from San-Antonio, US.
  19. 19. Connecting to a Command&Control server with the observation purpose showed that about 300 victims were successfully attacked and “zombified”. One of the infected IP-addresses turned out to belong to a Russian hosting provider «Radiosvyaz». Among the services hosted on that IP an e-mail server, operating a mail domain of a large regional generation company was found. As it turned out it was hacked by our intruder. Results Owners of a server were informed of the compartmentation of their web resource and it’s use as a part of a botnet. Case 6/10 «The Star-Spangled Scare»
  20. 20. Client Electronic publisher Task and setting Perform a security audit of a client application of an e-book distribution platform. Check the possibility of book theft. Work done Within the framework of the project an Android, iOS and Windows 8.1 versions of a client application for e-book download and read were reverse engineered. Research also included checking for traffic interception possibilities for the risk of unauthorized access to a copyrighted material. Case 7/10 «Booky buccaneers»
  21. 21. Case 7/10 «Booky buccaneers» Results  Three client application vulnerabilities were found and exploited  Unauthorized access to a distributed content and account data was gained  One server application vulnerability was found  Set of remedial measures for the vulnerabilities found and suggestions for the increase of the platform overall security were proposed
  22. 22. Case 8/10 «USB maneuvers» Client A large industrial company Task and setting Industrial facility dealing with national security information turned to Advanced monitoring for planning and organizing information security maneuvers with “infected” USB-drives scattered on client’s premises and collecting information of their usage after their connection to a computer.
  23. 23. Case 8/10 «USB maneuvers» Work done and results AM developed a USB-flash firmware suitable for a BadUSB attack that enabled an emulation of a two different devices after connecting that special firmware flash to a computer. After that in course of the attack a devise emulating a keyboard send a sequence of instructions that run a (undetectable by antivirus software) script on a victims machine. In current case potentially malicious script just sent information of the flash usage to a LAN server.
  24. 24. Case 9/10 «Wireless mayhem» Client Large IT-company Task and setting Check Client’s office space in order to detect unauthorized Wi-Fi hotspots.
  25. 25. Case 9/10 Work done A methodology of the use of laptop, Wi-Fi antenna and special software was created. Using this methodology Client’s office space was consistently examined. Wi-Fi signal map was build and all sources of the signal were found. Results Client’s office space of 30 rooms on two floors of the building was checked for hotspots. 10 legal and 25 illegal hotspots were found. «Wireless mayhem»
  26. 26. Case 10/10 «AM — the Privacy Protector» Client Large IT-company Task and setting Check if Windows 10 really spy on users Make a list of recommendations to disable such functionality
  27. 27. Case 10/10 «AM — the Privacy Protector» Work done and results Available recommendations were accumulated, checked (with Wireshark) and improved. A specialized tool for selective implementation of those recommendations was developed. Results An installation image with all recommendations applied was made and given to the Client The software developed was published openly: http://amonitoring.ru/cc/program/am-privacy- protector-w10/ And our experience and all the recommendations were also published: www.anti- malware.ru/analytics/Threats_Analysis/Windows_10_Threshold_2
  28. 28. Thanks for your time! Maxim Avdyunin LLC Advanced Monitoring info@AMonitoring.ru

×