
The Anatomy and Security of an Anonymous Operation
July 2012
Terry Ray – VP WW Security Engineering
What is Anonymous?
Perception:
“[Anonymous is] the first Internet-based superconsciousness.”
—Chris Landers, Baltimore City Paper, April 2, 2008
“Anonymous is an umbrella for anyone to hack anything for any reason.”
—New York Times, 27 Feb 2012
Hacktivists fighting for moral causes. The 99%.
Reality:
Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement and Vladimir Putin.
Anyone can be a target.
The Plot
• Attack took place in 2011 over a 25 day period.
• Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.
• 10-15 skilled hackers.
• Several hundred to thousands of supporters.
How They Attack: The Anonymous Attack Anatomy
Anonymous Attack on Customer Site (Web Application Protection Use Case)
SecureSphere stopped all phases of attack.
• Phase I: Technical Attack – scanners such as Nikto
• Phase II: Technical Attack – Havij SQL injection tool
• Phase III: Business Logic Attack – LOIC application
On the Offense
Skilled hackers—This group, around 10 to 15 individuals per campaign, have genuine hacking experience and are quite savvy. Broad use of anonymizing services (aProxy & TOR).
Nontechnical—This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.
On the Defense
• Deployment line was network firewall, IDS, WAF, web servers, network anti-DOS and anti-virus.
• Imperva WAF
+ SecureSphere WAF version 8.5 inline, high availability
+ ThreatRadar reputation (IP Reputation)
+ SSL wasn’t used, the whole website was in HTTP
Section 1: Recruiting and Communications
Step 1A: An “Inspirational” Video
Step 1B: Social Media Helps Recruit
Setting Up An Early Warning System
Example
Section 2: Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.”
—Sun Tzu
Step 1A: Finding Vulnerabilities
Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
Hacking Tools
• Tool #2: Havij
• Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.
• Developed in Iran
Vulnerabilities of Interest
[Chart: number of alerts (#alerts, 0 to 4000) per day from Day 19 to Day 23, by category: Directory Traversal (DT), SQL injection (SQLi), DDoS recon, XSS]
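An added example, not Imperva code or SecureSphere logic, showing how a defender can bucket signature hits per day into the categories of this chart, add the rate-based check that covers the LOIC-style phase, and measure what share of the technical-attack requests came from reputation-listed anonymizer addresses (the deck reports 74% for this campaign). The log lines, the IP list, the user-agent strings and the flood threshold are all constructed for the example.

```python
import re
import urllib.parse
from collections import Counter, defaultdict

# Constructed sample traffic (day, client IP, request line, user agent); not real customer data.
SAMPLE_LOG = [
    ("Day19", "203.0.113.7", "GET /cgi-bin/test.cgi", "Mozilla/5.00 (Nikto/2.1.5)"),
    ("Day19", "203.0.113.7", "GET /../../etc/passwd", "Mozilla/5.00 (Nikto/2.1.5)"),
    ("Day20", "198.51.100.9", "GET /item.php?id=1'%20AND%201=1", "Havij"),
    ("Day20", "198.51.100.9", "GET /item.php?id=1%20UNION%20SELECT%201,2", "Havij"),
    ("Day21", "192.0.2.44", "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E", "Mozilla/5.0"),
] + [("Day22", "203.0.113.250", "GET /", "Mozilla/5.0")] * 60   # one client hammering the site
# Constructed stand-in for an IP reputation feed of anonymizing proxy / TOR exit addresses.
ANONYMIZER_IPS = {"203.0.113.7", "198.51.100.9"}
# Signature rules, matched against the URL-decoded request; categories follow the chart above.
RULES = [
    ("DT", re.compile(r"\.\./|/etc/passwd", re.I)),
    ("SQLi", re.compile(r"union\s+select|'\s*(and|or)\s+\d+=\d+", re.I)),
    ("XSS", re.compile(r"<script|javascript:", re.I)),
]
SCANNER_UA = re.compile(r"nikto|havij", re.I)   # tool names from the deck, assumed UA fragments
FLOOD_THRESHOLD = 50   # requests per client per day before a DDoS alert is raised


def classify(request, user_agent):
    """Return the alert categories one request triggers (empty list for benign traffic)."""
    decoded = urllib.parse.unquote(request)
    cats = [name for name, rx in RULES if rx.search(decoded)]
    if SCANNER_UA.search(user_agent):
        cats.append("Scanner")
    return cats


def analyse(log):
    """Bucket alerts per day and category; return them with the share of hits from listed IPs."""
    alerts = defaultdict(Counter)
    per_client = Counter()
    technical_hits = listed_hits = 0
    for day, ip, request, ua in log:
        per_client[(day, ip)] += 1
        cats = classify(request, ua)
        for cat in cats:
            alerts[day][cat] += 1
        if cats:   # a signature hit is a "technical attack" request in the deck's terms
            technical_hits += 1
            listed_hits += ip in ANONYMIZER_IPS
    for (day, ip), count in per_client.items():
        if count >= FLOOD_THRESHOLD:   # rate-based check for the application-DDoS phase
            alerts[day]["DDoS"] += 1
    share = listed_hits / technical_hits if technical_hits else 0.0
    return {day: dict(c) for day, c in alerts.items()}, share
```

Running `analyse(SAMPLE_LOG)` on the constructed traffic gives a per-day table like the chart plus a 0.8 share, the analogue of the deck's 74% figure.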
Comparing to Lulzsec Activity
• Lulzsec was/is a team of hackers focused on breaking applications and databases.
• ‘New’ Lulzsec taking credit for recent attacks: Militarysingles.com.
• Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign.
• Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI).
Lulzsec Activity Samples
• 1 infected server ≈ 3000 bot infected PC power
• 8000 infected servers ≈ 24 million bot infected PC power
Automation is Prevailing
• In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.
Note:
• Due to automation, hackers can be effective in small groups – i.e. Lulzsec.
• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites.
US is the ‘visible’ source of most attacks
[Chart: share of attack traffic by visible source country – United States 61.3%, Other 19.2%, China 9.4%, Sweden 4.4%, France 2.1%, Undefined 2.1%, United Kingdom 1.1%; the Netherlands also appears in the legend]
During the Anonymous attack 74% of the technical attack traffic
originated from anonymizing services and was detected by IP
reputation.
Mitigation: AppSec 101
• Dork Yourself
• Blacklist + IP Rep
• WAF
• WAF + VA
• Stop Automated Attacks
• Code Fixing
Section 3: Application DDoS
LOIC Facts
• Low Orbit Ion Cannon (LOIC)
• Purpose:
+ DDoS
+ Mobile and JavaScript variations
• Other variations – HOIC, GOIC, RefRef
• LOIC downloads
+ 2011: 381,976
+ 2012 (through May 10): 374,340
+ June 2012 = ~98% of 2011’s downloads!
Anonymous and LOIC in Action
[Chart: transactions per second (0 to 700,000) from Day 19 to Day 28; series “LOIC in Action” and “Average Site Traffic”]
Application DDoS
“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.”
—The Hacker News, July 30, 2011
But That Much Sophistication Isn’t Always Required
Meet your target URL
Section 4: Non-Mitigations
I have IPS and NGFW, am I safe?
• IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.
• WAFs at a minimum must include the following to protect web applications:
+ Web-App Profile
+ Web-App Signatures
+ Web-App Protocol Security
+ Web-App DDOS Security
+ Web-App Cookie Protection
+ Anonymous Proxy/TOR IP Security
+ HTTPS (SSL) visibility
+ Security Policy Correlation
• However, IPS and NGFWs at best only partially support the items highlighted in red on the slide.
Recent attacker targets…
Yahoo Voice
Church of Scientology
LinkedIn
Muslim Brotherhood
Last.fm
Zappos.com
Formspring
MilitarySingles.com
eHarmony
Amazon
US Department of Justice
Austria Federal Chancellor
US Copyright Office
HBGary Federal
FBI
Mexican Interior Ministry
MPAA
Mexican Senate
Warner Brothers
Mexican Chamber of Deputies
RIAA
Irish Department of Justice
HADOPI
Irish Department of Finance
BMI
Greek Department of Justice
SOHH
Egyptian National Democratic Party
Office of the Prime Minister
Spanish Police
AU House of Parliament
Orlando Chamber of Commerce
AU Department of Communications
Catholic Diocese of Orlando
Swiss bank PostFinance
Bay Area Rapid Transit
Egyptian Government
PayPal
Itau
Mastercard
Banco de Brazil
Visa
US Senate
Caixa
How many of these organizations have AV, IPS and Next Generation Firewalls?
Why are the attacks successful when these technologies claim to prevent them?
Section 5: Demo