
BLACK HATS

The good, the bad, and the ugly truth


Disclaimer
All views expressed here are of our own and do not represent
that of the companies which we work for.

© Copyright Amin Hamid & Earl Marcus


The Presenters
•  Who are we?
•  Why do we hack?
•  What do we hack?
•  Are we afraid of going to jail?
•  Can you teach me how to hack?


The Sexy Kambingz


The Hacker Culture
What Is Hacking
“Hacking is the practice of modifying the features of a system,
in order to accomplish a goal outside of the creator’s original
purpose.”
- whatishacking.org


Who are Hackers


Areas of hacking
•  Software hacking
–  Has been around since the 1970s.
–  Easily accessible.
•  Hardware hacking
–  Gaining momentum.
–  Hardware is getting cheaper thanks to low-cost manufacturing in China.


Software Hacking


Hardware Hacking


Hardware hacking

http://hackaday.com/2013/03/15/mug-plotter-based-on-the-eggbot/


Hardware hacking

http://www.bradsprojects.com/electronics/Bradsprojects-SuperPixelBros.html


Hardware hacking

http://www.gameinformer.com/b/features/archive/2013/04/01/ben-heck-builds-the-ultimate-combo-gaming-system.aspx


What makes a hacker


Famous hackers
•  Gary McKinnon
•  TESO
•  John Draper
•  Kevin Mitnick
•  Robert Tappan Morris
•  The Masters of Deception (MOD)
•  Legion of Doom (LOD)


Famous hackers
•  2600
•  Phrozen Crew
•  Chronic Dev Team
•  Chaos Computer Club (CCC)
•  Cult of The Dead Cow
•  Fail0verflow


Hacking & security
•  Software hacking
•  Hardware hacking
•  Social engineering


Software hacking
•  Aims to discover security vulnerabilities in software.
•  Exploit development.
•  Malware development.
•  Exploit trading.
•  Software hacking focuses on:
–  Applications
–  Drivers
–  Firmware
–  Protocols
•  Exploit trading has gained interest from governments.


Exploit Development
•  Public:
–  Exploit-DB
–  Metasploit Framework
•  Commercial exploitation frameworks:
–  Immunity Canvas
–  Core Impact
•  Commercial exploit brokers and markets:
–  VUPEN
–  ZDI
–  Endgame Systems
–  ExploitHub
–  HBGary


Full Disclosure
•  Tavis Ormandy disclosed a vulnerability in MS Windows to
the public on 17th May 2013:
–  http://seclists.org/fulldisclosure/2013/May/91
•  A public exploit emerged on 3rd June 2013:
–  http://seclists.org/fulldisclosure/2013/Jun/5
•  17 days from full disclosure to public exploit.


Hardware Hacking
•  Aims to discover security vulnerabilities in hardware.
•  Often an easier way in than attacking the device's
application layer.
•  Focuses on:
–  Embedded devices
–  Peripherals (e.g. hardware keyloggers)
–  Traditional and electronic locks


Hacking IPTV
1.  Find the serial (UART) port.
2.  Gain a root (super user) shell.
3.  Dump the MTD blocks.
4.  Modify the file system.
5.  Re-flash the IPTV device with the new file system.
6.  Profit!
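Steps 3 to 5 above are where most mistakes happen: dumping with the wrong block size, not knowing what a dump actually contains, and writing an image that does not fit the partition. The script below is an added example, not code from the presenters or from any IPTV vendor. It parses a constructed `/proc/mtd` listing, identifies dumps by their magic bytes, and emits the `dd` / `flash_erase` / `nandwrite` command lines to type at the serial console. The partition names and sizes, and the choice of mtd-utils on a NAND part, are assumptions about a typical BusyBox-based set-top box.

```python
"""Plan an MTD dump and re-flash from a root shell on an IPTV box's serial console.

Added example, not from the slides. The /proc/mtd listing and image headers
are constructed; partition names, sizes and the tool names (dd, and
flash_erase / nandwrite from mtd-utils on a NAND part) are assumptions about
a typical BusyBox-based set-top box.
"""
import re
from typing import List, NamedTuple


class MtdPart(NamedTuple):
    index: int
    size: int       # partition size in bytes
    erasesize: int  # erase block size in bytes
    name: str


# Constructed sample of `cat /proc/mtd` as seen over the serial console.
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00020000 00010000 "u-boot-env"
mtd2: 00300000 00010000 "kernel"
mtd3: 00c00000 00010000 "rootfs"
mtd4: 00100000 00010000 "data"
"""

_MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')

# Leading bytes of image formats commonly found in set-top-box flash.
_MAGICS = {
    b"hsqs": "squashfs (little-endian)",           # 0x73717368
    b"sqsh": "squashfs (big-endian)",
    b"UBI#": "ubi",
    b"\x27\x05\x19\x56": "u-boot legacy image",   # 0x27051956
    b"\x85\x19": "jffs2 (little-endian)",         # 0x1985
    b"\x19\x85": "jffs2 (big-endian)",
    b"\x45\x3d\xcd\x28": "cramfs (little-endian)",  # 0x28cd3d45
}


def parse_proc_mtd(text: str) -> List[MtdPart]:
    """Turn /proc/mtd output into MtdPart records; the header line is skipped."""
    parts = []
    for line in text.splitlines():
        m = _MTD_LINE.match(line.strip())
        if m:
            parts.append(MtdPart(int(m.group(1)), int(m.group(2), 16),
                                 int(m.group(3), 16), m.group(4)))
    return parts


def find_part(parts: List[MtdPart], name: str) -> MtdPart:
    return next(p for p in parts if p.name == name)


def identify_image(header: bytes) -> str:
    """Guess what a dump contains from its first bytes (step 3 sanity check)."""
    for magic, kind in _MAGICS.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def dump_commands(parts: List[MtdPart], outdir: str = "/tmp") -> List[str]:
    """Shell lines for the box: one erase-block-aligned dd per partition (step 3)."""
    cmds = []
    for p in parts:
        blocks = p.size // p.erasesize
        cmds.append(f"dd if=/dev/mtdblock{p.index} of={outdir}/mtd{p.index}.bin "
                    f"bs={p.erasesize} count={blocks}  # {p.name}")
    cmds.append(f"md5sum {outdir}/mtd*.bin  # verify again after copying to the host")
    return cmds


def image_fits(image_len: int, part: MtdPart) -> bool:
    """A modified image must not exceed its target partition."""
    return 0 < image_len <= part.size


def reflash_commands(part: MtdPart, image: str, image_len: int) -> List[str]:
    """Shell lines to write a rebuilt image back (step 5); refuses oversized images."""
    if not image_fits(image_len, part):
        raise ValueError(f"{image_len} bytes does not fit {part.name} ({part.size} bytes)")
    return [
        f"flash_erase /dev/mtd{part.index} 0 0",       # "0 0" = from offset 0 to the end
        f"nandwrite -p /dev/mtd{part.index} {image}",  # -p pads the final page
    ]


if __name__ == "__main__":
    parts = parse_proc_mtd(SAMPLE_PROC_MTD)
    print("\n".join(dump_commands(parts)))
    print(identify_image(b"hsqs\x00\x00\x00\x00"))  # a rootfs dump that starts like this
    rootfs = find_part(parts, "rootfs")
    print("\n".join(reflash_commands(rootfs, "/tmp/rootfs.new", 11 * 1024 * 1024)))
```

On NOR flash, write the image with `dd` onto `/dev/mtdblockN` after `flash_erase` instead of `nandwrite`. Whatever the flash type, get the original dumps and their checksums off the device (serial file transfer, USB stick, or TFTP) before writing anything: a failed write to the rootfs partition leaves you with nothing but the bootloader.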


Hacking IPTV

USB to TTL converter


RFID Spoofer
•  Inspired by postings on Hack-A-Day.
•  Created as a proof-of-concept (PoC) for social engineering.
•  Powered by an Arduino Nano.
•  RF coil recycled from a regular RFID tag.
•  Supports the EM4100 protocol.
•  Doesn't work with HID RFID tags... yet.
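What the spoofer actually has to emit is a 64-bit EM4100 frame: 9 header ones, ten rows of 4 ID bits each followed by an even parity bit, 4 column parity bits and a 0 stop bit, Manchester-encoded onto the 125 kHz carrier. The code below is an added example and is not the presenters' Arduino sketch; it builds and validates that frame in Python so the layout can be checked before it goes into firmware. The tag IDs are constructed, and the Manchester polarity is one of the two common conventions.

```python
"""EM4100 frame encoder/decoder for 125 kHz proximity tags.

Added example; it is not the presenters' Arduino sketch. Tag IDs used below
are constructed. The layout is the published EM4100 format: 9 header ones,
ten rows of 4 data bits each followed by an even parity bit, 4 even
column-parity bits, and a 0 stop bit, 64 bits in all.
"""
from typing import List, Optional

HEADER = [1] * 9


def _bits(value: int, width: int) -> List[int]:
    """Most-significant bit first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def encode_em4100(tag_id: int) -> List[int]:
    """Build the 64-bit frame for a 40-bit ID (8-bit version/customer + 32-bit data)."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits")
    rows = [_bits(tag_id, 40)[i:i + 4] for i in range(0, 40, 4)]
    frame = list(HEADER)
    for row in rows:
        frame += row + [sum(row) % 2]                                 # even row parity
    frame += [sum(r[col] for r in rows) % 2 for col in range(4)]      # even column parity
    frame.append(0)                                                   # stop bit
    return frame


def decode_em4100(frame: List[int]) -> Optional[int]:
    """Recover the ID, or None if the header, any parity bit or the stop bit is wrong."""
    if len(frame) != 64 or frame[:9] != HEADER or frame[63] != 0:
        return None
    rows = []
    for pos in range(9, 59, 5):                  # ten rows of 4 data bits + 1 parity bit
        row, parity = frame[pos:pos + 4], frame[pos + 4]
        if sum(row) % 2 != parity:
            return None
        rows.append(row)
    if any(sum(r[col] for r in rows) % 2 != frame[59 + col] for col in range(4)):
        return None
    value = 0
    for bit in (b for row in rows for b in row):
        value = (value << 1) | bit
    return value


def manchester(frame: List[int]) -> List[int]:
    """Manchester-encode the frame (1 -> 10, 0 -> 01; one common convention)
    as the coil driver emits it: two half-bits per frame bit."""
    out = []
    for b in frame:
        out += [1, 0] if b else [0, 1]
    return out


def find_frame(stream: List[int]) -> Optional[int]:
    """Pull the first valid frame out of a longer demodulated bit stream.
    Nine ones cannot occur inside the body (row parity caps any run of ones
    at eight), so the header is a safe sync pattern."""
    for start in range(len(stream) - 63):
        if stream[start:start + 9] == HEADER:
            tag = decode_em4100(stream[start:start + 64])
            if tag is not None:
                return tag
    return None


if __name__ == "__main__":
    tag = 0x1D00A5B4C3               # constructed ID: version 0x1D, data 0x00A5B4C3
    frame = encode_em4100(tag)
    print("".join(map(str, frame)))
    print(hex(decode_em4100(frame)))
    print(len(manchester(frame)), "half-bits per frame")
```

The same frame repeats for as long as the tag is in the field, so a reader only needs `find_frame` over a few hundred demodulated bits. This is also why the spoofer stops at EM4100: HID Prox cards on the same 125 kHz carrier use FSK modulation and a different frame layout, so the coil driver and the bit layout both have to change.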


RFID Spoofer

Block diagram of the spoofer: Arduino, RF coil, 3V to 5V converter, amplifier circuit, 16x2 LCD (I2C), AA battery, and wires.


Professional RFID Spoofer


Social Engineering
•  Low-tech hacking.
•  Involves gaining an individual's trust and then exploiting it
for personal gain.


Hacking the ISP

Bait -> Compromise -> Profit


Types of hackers
•  Black hats
•  White hats
•  Grey hats
•  Script kiddies
•  Consultants


Attack Trend
•  The attack trend in the past:
–  Server side exploitation
•  Exploiting server side vulnerabilities.
•  Exploiting web applications.
–  Social engineering
•  Not heavily relied on.


Attack Trend
•  The current attack trend:
–  Server side exploitation
–  Client side exploitation & social engineering
•  Phishing
•  Ransomware
•  Malware & botnets
•  Physical security
•  Drive-by attacks


Cyberespionage

“There is no evidence that the NetTraveler attackers used
advanced techniques like the exploitation of zero-day --
previously unknown -- vulnerabilities or sophisticated
malware like rootkits, the researchers said. "It is therefore
surprising to observe that such unsophisticated attacks can
still be successful with high profile targets."”

http://www.computerworld.com/s/article/9239802/Cyberespionage_campaign_39_NetTraveler_39_siphoned_data_from_hundreds_of_high_profile_targets_researchers_say


Root Cause analysis
Hackers are knocking on your windows, not
your front door.


Security Awareness
The problem:
•  Users are not aware of emerging threats.
•  Users have become the main targets.
•  Breaking in is as easy as clicking on a link, or holding the
door for someone.
•  It only takes one compromised employee to take over the
entire network.


Case #1: Corp Espionage
•  Performed reconnaissance to gather intel:
–  Employee badge
–  Schedule
–  Sample names
–  Valuable trash
•  Forged employee badges
•  Physical infiltration:
–  Employee (Alex Gan)
–  A printer repair team
–  A cleaning lady


Case #1: Corp Espionage
Alex Gan
•  Used a fake ID to gain physical access into the office.
•  Quietly took photos of confidential documents.
•  Quietly backdoored unlocked laptops and workstations.
•  Strategically placed trojanized USB sticks and DVDs.


Case #1: Corp Espionage
Xerox Repair Team
•  Arrived at the location with a trolley and 2 empty printer
boxes.
•  Escorted to the problematic printer.
•  Stole unshredded documents near the printer.
•  Confidential documents were among the documents that
were stolen.


Case #1: Corp Espionage
The Cleaning Lady
•  Gained physical access by posing as a cleaner.
•  Grabbed trash from trash cans.
•  Looked around for confidential documents on tables.
•  Cover blown by another cleaning lady.


Security Awareness
Suggestions:
•  Educate users in basic security fundamentals.
•  Perform security drills involving employees.
•  Emphasize how important it is to always be alert.


Buying a ton of security solutions does not
make you invincible!


Security Solutions
The problem:
•  Security solutions are only good up to a certain extent.
•  If not planned properly, the overall architecture can grow
overly complex.
•  Employee training is required for each solution.
•  Adds to the list of assets that require protecting.


Security Solutions
Suggestions:
•  Properly plan where security solutions should be placed.
•  Properly evaluate the capabilities of the proposed solution
or product.
•  Do not use default credentials for your security solutions.
•  Segregate the network properly.
•  Fine tune the firewall and IPS rules.


Got a leaky faucet?

Call a plumber, not an electrician.


Talent Acquisition
The problem:
•  Paper qualifications versus real-world skills and
experience.
•  Everyone lies on their resume.
•  Interviewers lack basic technical security knowledge.
•  Hiring the wrong person for the job.
•  Counterproductive and a waste of money.


Talent Acquisition
Suggestions:
•  For technical security roles, look for technically skilled
individuals.
•  Include technical questions in your interview.
•  Pose scenarios to see how they think.
•  Interviewer must be technically sound and capable.
•  Skills are not really vital, but passion and drive are.


Policies are crap if you don’t enforce them.


Process & Policies
The problem:
•  Lack of proper processes and policies.
•  Processes and policies aren’t properly enforced.
•  Lack of action for offenses.
•  Lack of accountability.


Process & Policies
Suggestions:
•  Proper processes must be implemented and followed.
•  Enforce your policies!
•  Take action against offenders.


Your rules do not apply here.


Penetration Testing
The problem:
•  Rules and restrictions can skew the results of the test.
•  Common restrictions include:
–  Scope of assets to be tested
–  Time frame of testing
–  Methods that are allowed during the tests
•  Hackers do not follow rules.
•  Penetration tester lacks real world experience and skills.


Case #2: The Crab
•  External-facing servers were well hardened, with no
feasible way in.
•  Found a wireless access point protected by WEP encryption.
•  Network was segmented into several VLANs, but no access
rules were enforced between them.
•  Compromised an unpatched desktop and used it as a pivot.
•  Found a database server with default super user
credentials.


Case #2: The Crab
•  Compromised the database server and found a domain
admin session.
•  Impersonated the domain admin, and created a new domain
admin account.
•  Total compromise of entire network:
–  Servers, laptops, desktops.
–  Corporate emails


Penetration Testing
Suggestions:
•  Plan the penetration test properly.
•  Make sure the environment is suitable for testing.
•  Evaluate the penetration tester.
•  Make sure the penetration test report has sufficient
information and evidence.
•  Allow the penetration tester to properly assess the impact
of each finding.

An incomplete inventory is a recipe for
disaster.


Inventory
•  An incomplete inventory can introduce a lot of problems:
–  Undocumented servers that are left neglected are easy
pickings for attackers.
–  Rogue devices can appear without your knowledge.
–  Receiving abuse emails from third-party organizations reporting
attacks from your network.
–  Prolongs the incident response process.


Inventory
Suggestions:
•  Keep an inventory of all your assets:
–  Servers
–  Applications
–  Workstations & laptops
–  Network devices
–  Network ranges
•  Implement a process that ensures servers and applications are
recorded before they are put into production.
•  Ensure that the information is precise and current.
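Keeping the inventory precise and current is only checkable if something is regularly compared against it. The script below is an added example, not the presenters' tooling: it reconciles a host-discovery scan against an inventory and reports the three things the previous slide warns about, live hosts nobody documented (neglected servers or rogue devices), live hosts outside any documented range, and inventory entries that no longer answer. The inventory rows, the documented range and the nmap greppable-output lines are constructed, and the CSV column names are an assumption about how such an inventory is kept.

```python
"""Reconcile a host-discovery scan against the asset inventory.

Added example, not from the slides. The inventory rows, the documented
network range and the nmap greppable-output lines are all constructed; the
CSV column names are an assumption about how such an inventory is kept.
"""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Set

# Constructed inventory covering the slide's asset classes.
INVENTORY_CSV = """\
asset,type,ip,owner
fw01,network device,10.10.0.1,netops
web01,server,10.10.1.10,webteam
db01,server,10.10.1.20,dba
wkst-042,workstation,10.10.2.42,alice
"""

# Documented network ranges (the inventory's "network ranges" entry).
KNOWN_RANGES = ["10.10.0.0/22"]  # 10.10.0.0 - 10.10.3.255

# Constructed `nmap -sn -oG -` output: one live host per "Host:" line.
SCAN_GREPPABLE = """\
# Nmap 6.40 scan initiated (constructed)
Host: 10.10.0.1 ()      Status: Up
Host: 10.10.1.10 ()     Status: Up
Host: 10.10.1.21 ()     Status: Up
Host: 10.10.2.42 ()     Status: Up
Host: 10.10.3.7 ()      Status: Up
Host: 192.168.50.5 ()   Status: Up
# Nmap done (constructed)
"""

_UP_HOST = re.compile(r"^Host:\s+(\S+)\s.*\bStatus:\s+Up\b", re.M)


def parse_inventory(text: str) -> Dict[str, dict]:
    """Map ip -> inventory row."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_scan(text: str) -> Set[str]:
    """Addresses nmap reported as up."""
    return set(_UP_HOST.findall(text))


def reconcile(inventory: Dict[str, dict], live: Set[str],
              ranges: List[str]) -> Dict[str, List[str]]:
    """Three findings: live-but-undocumented hosts inside your ranges (candidate
    neglected servers or rogue devices), live hosts outside any documented range
    (the list of ranges itself is incomplete), and inventory entries that did not
    answer (stale records that slow down incident response)."""
    nets = [ipaddress.ip_network(r) for r in ranges]

    def in_known(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    by_addr = ipaddress.ip_address
    return {
        "undocumented": sorted((ip for ip in live if ip not in inventory and in_known(ip)), key=by_addr),
        "outside_ranges": sorted((ip for ip in live if not in_known(ip)), key=by_addr),
        "silent": sorted((ip for ip in inventory if ip not in live), key=by_addr),
    }


if __name__ == "__main__":
    findings = reconcile(parse_inventory(INVENTORY_CSV), parse_scan(SCAN_GREPPABLE), KNOWN_RANGES)
    for kind, hosts in findings.items():
        print(f"{kind:15s} {', '.join(hosts) or '-'}")
```

Run it on a schedule against real scan output and treat every "undocumented" host as a ticket: either it gets an owner and an inventory row, or it gets unplugged. A "silent" entry is not harmless either; it is exactly the record that sends an incident responder to the wrong rack.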


When there’s something strange in your
neighborhood, who do you call?


Incident Response
The problem:
•  Lack of an incident response team.
•  Inability to perform a thorough investigation during or after
a security incident.
•  Inability to learn and push forward.


Incident Response
Suggestions:
•  Form an incident response team.
•  The incident response team must meet the following
criteria:
–  Technical skills and experience
–  Analytical and fact-based
–  Determined


MISC
•  Office politics.
•  The divide between management and lower ranking
employees.
•  Patch management.
•  Identity management.
•  Tabletop exercises.


That’s all folks!
Q&A
