Slide 1: Security Update
Vincent Brillault, HEPiX Spring 2014, Annecy

Slide 2: Crypto-Currencies

Slide 3: Uncontrolled currencies
– Create an account == generate a new address
– Wallet: list of addresses & private keys
– Exchanges with real currencies

Slide 4: Transactions everywhere (chains)
[Diagram: chained transactions between addresses. Inputs of 4, 2 and 5 BTC from B_1 are combined into one 11 BTC output for A_1; inputs of 2.3 and 0.2 BTC from C_1 become 2.5 BTC for A_1; A_1 then spends those 11 and 2.5 BTC as 12 BTC for D_1 and 1.5 BTC for A_2.]

Slide 5: Block Chain & Miners
Block:
– Contains aggregated valid transactions
– Proof of work: hard computational problem; for BTC: hash(block) < target
Miners:
– Hash blocks until someone finds a good one
– Paid per solved block and per transaction (if it included a mining fee)
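As an added example (not from the presentation), a toy implementation of the proof-of-work rule on this slide; the header layout, the nonce size and the easy target are simplifying assumptions:

```python
import hashlib
import struct
from typing import Optional

# Added example, not from the presentation: a toy version of the Bitcoin
# proof-of-work rule "hash(block) < target". The header is an arbitrary
# byte string plus a 4-byte nonce, and the target is set far easier than
# the real network's so the search finishes in milliseconds.

def block_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 of header||nonce, read as a 256-bit integer."""
    data = header + struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")

def target_from_bits(leading_zero_bits: int) -> int:
    """Target under which the hash must start with this many zero bits."""
    return 1 << (256 - leading_zero_bits)

def mine(header: bytes, target: int, max_nonce: int = 1 << 32) -> Optional[int]:
    """What a miner does: try nonces until hash(block) < target."""
    for nonce in range(max_nonce):
        if block_hash(header, nonce) < target:
            return nonce
    return None

def verify(header: bytes, nonce: int, target: int) -> bool:
    """Checking a claimed solution costs one hash; finding it costs ~2^bits."""
    return block_hash(header, nonce) < target

if __name__ == "__main__":
    hdr = b"constructed header: prev_hash|merkle_root|timestamp"
    tgt = target_from_bits(16)           # about 65k hashes on average
    nonce = mine(hdr, tgt)
    print("nonce:", nonce, "hash:", hex(block_hash(hdr, nonce)))
    print("valid:", verify(hdr, nonce, tgt))
```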
Slide 6: Exchange rates: BTC/USD
[Chart, © Blockchain.org]

Slide 7: Mining malware
[Chart, © Kaspersky]

Slide 8: Interesting transactions

Slide 9: Interesting transactions

Slide 10: Why?
– Make money out of botnets ([CG]PU -> $$)
– Very low traceability:
  – No link between address and user (except at exchanges)
  – Laundering: create new addresses and move coins

Slide 11: EGI / WLCG: mining jobs
– Forbidden by VO AUPs
– Increasing number of incidents: tests, benchmarks, malicious jobs
– Cost: CPU time; forensics, investigations...

Slide 12: What can we do for the grid?
VOs:
– Remind users of the AUPs
– Make examples (temporarily ban users)?
Sites:
– Look for standard mining software
– Monitor the network (connections to known pools)
Virtualization: detection by sites is harder
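Added example (not from the presentation): the two site-side checks listed on this slide, run over constructed `ps` and `netstat -tnp` output; the indicator lists and the pool address are illustrative assumptions, a site would maintain its own:

```python
import os
import re
from typing import Dict, List

# Added example, not from the presentation: the two site-side checks the slide
# lists (known mining software on a worker node, connections to known pools),
# run over constructed `ps -eo user,pid,args` and `netstat -tnp` output.
# Indicator lists are illustrative; a site maintains its own.
MINER_BINARIES = {"cgminer", "bfgminer", "cpuminer", "minerd"}
POOL_PORTS = {3333, 3334}                 # common stratum ports (illustrative)
KNOWN_POOLS = {"198.51.100.7"}            # constructed pool address list
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")
NET_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:\d+\s+(\S+):(\d+)\s+\S+\s+(\d+)/(\S+)")

def scan_processes(ps_output: str) -> List[Dict]:
    """Flag processes whose binary name or arguments point at mining software."""
    hits = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line.strip())
        if not m:
            continue                      # header line or blank
        user, pid, args = m.group(1), int(m.group(2)), m.group(3)
        exe = os.path.basename(args.split()[0])
        if exe in MINER_BINARIES or "stratum+tcp://" in args:
            hits.append({"pid": pid, "user": user, "reason": f"miner binary/args: {exe}"})
    return hits

def scan_connections(netstat_output: str) -> List[Dict]:
    """Flag established connections to known pool hosts or stratum ports."""
    hits = []
    for line in netstat_output.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        host, port, pid, prog = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        if host in KNOWN_POOLS or port in POOL_PORTS:
            hits.append({"pid": pid, "prog": prog, "reason": f"pool connection {host}:{port}"})
    return hits

PS_SAMPLE = """\
USER       PID COMMAND
atlas001  4021 /usr/bin/python2 /scratch/job/run_sim.py --events 1000
atlas017  4190 ./minerd -o stratum+tcp://198.51.100.7:3333
cms042    4355 /usr/bin/cmsRun cfg.py
"""
NET_SAMPLE = """\
tcp        0      0 10.0.0.5:41234     198.51.100.7:3333   ESTABLISHED 4190/minerd
tcp        0      0 10.0.0.5:52110     192.0.2.10:443      ESTABLISHED 4021/python2
"""
```

Both checks correlate on the PID, so one job can be matched to both its process and its pool connection before the VO is contacted.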
Slide 13: SSL/TLS & X.509

Slide 14: Broken SSL libraries
– Apple SSL: wrong certificate validation
– GnuTLS: wrong certificate validation

Slide 15: HeartBleed: What?
[Comic, © XKCD]

Slide 16: HeartBleed
Reason:
– No input sanitization!
– OpenSSL maintained by 6 people (1 paid)
Costs:
– All passwords changed
– Certificates revoked & rekeyed
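Added example (not OpenSSL's code): the input check whose absence is the "reason" on this slide, modelled in Python on the RFC 6520 heartbeat message layout; the helper names are assumptions:

```python
import struct
from typing import Optional

# Added example, not OpenSSL's code: the bounds check whose absence caused
# HeartBleed, modelled on the TLS heartbeat message from RFC 6520
# (type: 1 byte, payload_length: 2 bytes, payload, then >= 16 bytes padding).
# The vulnerable server trusted payload_length and copied that many bytes
# from its own memory into the reply; the check below discards any message
# whose claimed payload does not fit inside the record actually received.

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16

def parse_heartbeat(record: bytes) -> Optional[bytes]:
    """Return the payload of a well-formed heartbeat request, else None."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None                       # cannot even hold header + padding
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None                       # the check OpenSSL lacked: silently discard
    return record[3:3 + payload_len]

def build_response(payload: bytes) -> bytes:
    """Echo back exactly the bytes that were validated, nothing beyond them."""
    return struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING

def build_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Constructed test helper; claimed_len lets a test declare a wrong length."""
    n = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, n) + payload + b"\x00" * MIN_PADDING

def handle(record: bytes) -> Optional[bytes]:
    """Server side: validate, then answer; malformed input gets no reply."""
    payload = parse_heartbeat(record)
    return None if payload is None else build_response(payload)
```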
Slide 17: HeartBleed: “fixed”

Slide 18: HeartBleed: Lessons Learned

Slide 19: Grid impact
– Lots of services protected by old versions
– Most vulnerable (web)sites fixed promptly – thanks!
– Client certificates can’t be leaked on servers
– Still pending: client vulnerability:
  – Hard to detect
  – Hard to abuse (requires MITM)

Slide 20: X509 Validation
Reference: "Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations", Chad Brubaker and Suman Jana
Slide 21: Windigo

Slide 22: Windigo
Large-scale malicious operation:
– Targeting mainly servers
– Without using 0-days or vulnerabilities (mostly)
Two parts:
– Botnet building
– Botnet exploitation (making money)

Slide 23: Botnet building: Ebury
Ebury was already presented at previous HEPiX meetings
Two versions:
– Malicious sshd binary (old version)
– Malicious libkeyutils library (loaded by sshd)
Malicious activity:
– Backdoor based on a magic SSH version string
– Credential exfiltration

Slide 24: Ebury exfiltration
Credentials exfiltrated:
– Passwords from compromised servers
– Passwords to compromised servers
– Private SSH keys from compromised servers
Exfiltration channels:
– Encoded DNS query: passwords & usernames
– Shared memory: private keys & passwords

Slide 25: Ebury exfiltration
DNS queries:
– Domain Generation Algorithm: identifies the server
– Protections: redundancy (old): compare 2 requests; signature (new): sign the exfiltration IP with a private key
Shared memory:
– Every credential is stored in memory
– Backdoor (‘cat’) used to fetch them
– Easily identifiable (0666 & big): recently fixed

Slide 26: Botnet exploitation
– Send spam from the backdoor
– Perl/Calfbot: send spam from servers
– Linux/Cdorked: redirects users to malicious websites; infects clients & sends spam
– Activity concealment (proxy)

Slide 27: Botnet exploitation
[Diagram, © ESET]

Slide 28: Botnet propagation
[Diagram, © ESET]

Slide 29: Grid?
– No infection so far in EGI!
– Stay careful: could easily propagate

Slide 30: Protection/Detection
Protection:
– Kerberos authentication not targeted
– 2-factor authentication
Detection:
– rpm -Va (at least keyutils-libs & openssh-server)
– https://github.com/eset/malware-ioc
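Added example (not from the presentation or ESET's malware-ioc repository), covering the "0666 & big" shared-memory indicator from slide 25 and the rpm -V check from this slide; the command outputs are constructed and the size threshold is an assumption:

```python
import re
from typing import Dict, List

# Added example, not from the presentation or ESET's malware-ioc repository:
# two host checks for the Ebury indicators the slides describe. The `ipcs -m`
# and `rpm -V keyutils-libs openssh-server` outputs below are constructed;
# the size threshold is an assumption (the slide only says "0666 & big").
BIG_SEGMENT_BYTES = 1 << 20    # 1 MiB, assumed threshold for "big"

def suspicious_shm(ipcs_output: str, min_bytes: int = BIG_SEGMENT_BYTES) -> List[Dict]:
    """Flag world-writable (perms 666) shared-memory segments of at least min_bytes."""
    hits, in_table = [], False
    for line in ipcs_output.splitlines():
        cols = line.split()
        if cols[:1] == ["key"]:
            in_table = True            # column header of the segment table
            continue
        if not in_table or len(cols) < 6 or not cols[0].startswith("0x"):
            continue
        key, shmid, owner, perms, size, nattch = cols[:6]
        if perms.endswith("666") and int(size) >= min_bytes:
            hits.append({"shmid": int(shmid), "owner": owner, "bytes": int(size)})
    return hits

# rpm -V line: 9 flag columns (or "missing"), optional file type, then the path
VERIFY_LINE = re.compile(r"^([S.M5DLUGTP]{8,9}|missing)\s+(?:([cdglr])\s+)?(\S+)$")

def modified_package_files(rpm_output: str) -> List[Dict]:
    """Report files whose content changed; config files (type c) are skipped."""
    hits = []
    for line in rpm_output.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if not m:
            continue
        flags, ftype, path = m.groups()
        changed = flags == "missing" or "S" in flags or "5" in flags
        if ftype != "c" and changed:   # size/digest change on a binary or library
            hits.append({"path": path, "flags": flags})
    return hits

IPCS_SAMPLE = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      root       600        4194304    2          dest
0x6a42ca02 65537      root       666        3145728    1
0x0052e2c1 98306      postgres   600        8388608    5
"""
RPM_V_SAMPLE = """\
S.5....T.    /usr/lib64/libkeyutils.so.1.5
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/openssh-server/README
"""
```

A timestamp-only difference (flag T) on a file is not reported, since the slide's indicator is a replaced library or binary, not a touched file.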
Slide 31: New threat

Slide 32: Surveillance
Theoretical physics is not protected: an international center in Italy was targeted!
[Image, © usnewsghost.wordpress.com]

Slide 33: Hardware interception

Slide 34: Man In The Middle

Slide 35: Questions?