Black Hat 2011 – Intelligence Track
August 2011 by Michael Hayes, CTO of B-4-U Inc. / ROBOTS-4-U
The delivery of new attack vectors can come from something as simple as an e-mail, which can be the deliberate beginning of an APT-type attack. Other, less conventional approaches can be launched from a physical device like a UAV, which in itself can produce a large number of new issues that may perplex the traditional security person and the INFOSEC expert.
As we cruise through the conference, a couple of interesting seminars have shown up: Weapons of Targeted Attack, delivered by Ming-Chieh Pan (a.k.a. Nanika) and Sung-ting Tsai (a.k.a. TT), plus Aerial Cyber Apocalypse by Richard Perkins and Mike Tassey.
What is interesting about “Weapons of Targeted Attack” is that these researchers are seeing some of the more interesting attacks launched by organizations in Asia. The two authors covered three main topics:
APT and Targeted Attack
Recent document exploit techniques
Future document exploit techniques
Part of the APT (Advanced Persistent Threat) dialog was a brief discussion of the recent attacks on RSA, COMODO and Lockheed Martin. The researchers highlighted that Taiwan has been targeted with this type of APT attack since 2004.
How the Attack starts:
The seeds of destruction and mayhem usually start with purpose-built e-mails that target individuals in a Government or large organization. Many times these attacks are against DOD (Department of Defense) type organizations, or companies that support this group. Other targets include banks, treasury and other high value targets.
The initial e-mail attack is usually orchestrated against a non-technical individual in Marketing or Accounting. The assault is a spear phishing attack in which the attacker understands the victims; in fact, it is a social engineering attack. The attacking agent is typically looking for information, not short-term profit, and many of these attacks are national security issues.
How do they attack?
This attack is usually done with a compound or embedded document. Recent attacks include e-mails carrying an Excel document, and embedded in this document are Adobe, Flash or other objects with known vulnerabilities.
The attacker starts with a beachhead on this single user and then expands the beachhead. Most security software cannot protect against this type of attack.
Other document types that have been used for exploits fall into the following types:
Hybrid document exploit (modern documents are complicated and can contain document objects of other apps)
Embedded Flash document (you will still get owned, even if up to date on Microsoft)
Just a short comment on how to minimize these types of attacks: check the DEP (Data Execution Prevention) parameters in your configurations.
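A defender-side triage check for the compound documents described above, as an added example that is not from the talk or the original article: it flags attachments that carry an embedded Flash object by looking for plausible SWF headers in legacy OLE files and in the members of OOXML archives. The function names, the size cap and the sample attachments are assumptions constructed for illustration.

```python
import io
import re
import struct
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
MAX_LEN = 32 * 1024 * 1024  # assumed cap: member size and declared SWF length
# Lookahead keeps matches overlapping, so a decoy header cannot hide a real one.
SWF_HEADER = re.compile(rb"(?=(FWS|CWS|ZWS)([\x01-\x32])(.{4}))", re.S)


def find_swf(data):
    """Return (offset, signature, version) for each plausible SWF header."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        (length,) = struct.unpack("<I", m.group(3))  # declared file length
        if 8 <= length <= MAX_LEN:  # sanity check cuts hits on random bytes
            hits.append((m.start(), m.group(1).decode(), m.group(2)[0]))
    return hits


def triage_attachment(name, data):
    """Classify an attachment and list the Flash objects embedded in it."""
    flash = []
    if data.startswith(b"PK\x03\x04") and zipfile.is_zipfile(io.BytesIO(data)):
        kind = "ooxml"  # .xlsx/.docx are ZIP archives; scan each member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_LEN:  # skip zip-bomb sized members
                    flash += [(info.filename,) + h for h in find_swf(zf.read(info))]
    else:
        kind = "ole" if data.startswith(OLE_MAGIC) else "other"
        flash = [(name,) + h for h in find_swf(data)]
    return {"name": name, "kind": kind, "flash": flash, "quarantine": bool(flash)}


def constructed_samples():
    """Build synthetic attachments in memory (constructed, not real samples)."""
    swf_header = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x00" * 16
    ole = OLE_MAGIC + b"\x00" * 504 + swf_header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/activeX/activeX1.bin", ole)
    return {"report.xls": ole, "report.xlsx": buf.getvalue(), "notes.txt": b"hello"}


if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        print(triage_attachment(fname, blob))
```

This is a byte-signature heuristic: it does not parse the OLE sector chain, so a header split across sectors or stored in an encoded stream would be missed.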
The researchers are spending time looking for future exploits, and will be focusing on:
Advanced fuzzing techniques
e.g. Flash fuzzing
AVM usually causes a problem
Techniques against mitigation technology
Techniques to bypass sandbox / policy / access control
We can now move to a completely unrelated topic: Aerial Cyber Apocalypse by Richard Perkins and Mike Tassey. This particular discussion is as much about physical security as it is about an interesting homemade aerial surveillance product, developed by two self-proclaimed “Hackers” in the traditional sense.
The two authors built a small UAV for under $6K, which is about 4 ft by 4 ft and can fly up to 20K ft. Some toy: they equipped it with a variety of wireless scanning devices including GSM, WiFi and Bluetooth. They also built the prototype to connect to a back-end office that can run things like crackers for WAP and WEP, and route calls using VoIP to other carriers. Additionally, they built a small ground station to allow real-time exploitation of vulnerabilities discovered during the 60-90 minute fly-over.
So what about from a threat perspective?
This flying scanner is an example of low-cost entries that other countries or cartels could build. They can use these for surveillance and war driving / war flying, literally fly under the radar, and ignore borders and physical barriers. With this type of delivery system, most facilities that have been locked down cannot see these threats and defend against them.
The more nefarious case is that this particular aerial device can carry up to a 20 lb payload, which can be used to deliver $100K to $200K of drugs, or other threats. Physical barriers are not a barrier with this technology anymore.