Judgment Day: April 12th 2015. The Internet of Things: Who is in Control? Johannes B. Ullrich 1

About Me: Dean of Research, SANS Technology Institute; SANS Internet Storm Center; created DShield.org; instructor for SANS; past: physicist, web developer; living in Jacksonville, FL 2

Are We in Control? Quantified Self Data; Internet of Things Devices 4

Quantified Self: Dawn to Dusk 5 Photo: Withings.com

Quantified Self: Dawn to Dusk 6 Photo: thevesl.com

Quantified Self: Dawn to Dusk 7 Photo: Progressive

Quantified Self: Dawn to Dusk 8 Photo: Fitbit

Hello Barbie 9

Quantified Self: Dawn to Dusk 10

Home / Small Business 11

Enterprise Networks 12

Municipal/Gov Networks 13

The “Internet of Things” 14

New Protocols: IPv6. Easier to scale than IPv4; auto-configuration; extensible; integrated with various Layer 2 options 15

New Protocols: 6LoWPAN / IEEE. IPv6 over Low-power Wireless Personal Area Networks; easier network management; low power; low hardware requirements; security 16

Risks: New Wireless Protocols (IEEE / 6LoWPAN). AES is identified as the encryption algorithm; key management is the challenge: auto-configuration / on-boarding at scale; IPsec (IKEv2) may not work due to power constraints 17

Example: LIFX Light Bulbs. Light bulbs communicate with each other via 6LoWPAN (mesh); one light bulb acts as router/controller to connect to Wi-Fi (802.11); the pre-shared AES key is hardcoded and the same for all bulbs; 6LoWPAN is used to exchange the Wi-Fi credentials (which are therefore at risk). Solution: derive the 6LoWPAN key from the Wi-Fi password. 18
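An added illustration (not LIFX's code and not its actual fix) of why the shared hardcoded key matters and what deriving the mesh key from the Wi-Fi credentials buys: a bulb provisioned for another network can no longer read the credential exchange. The bulb model, the PBKDF2-with-SSID-salt derivation and the HMAC-based stand-in for the radio's AES mode are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a factory key baked into every bulb. The value is irrelevant;
# the flaw is that it is identical everywhere, so any bulb can read any installation's mesh.
HARDCODED_MESH_KEY = b"\x11" * 32


def derive_mesh_key(ssid: str, wifi_password: str) -> bytes:
    """Per-network mesh key derived from the Wi-Fi credentials.
    Assumed scheme (not LIFX's real one): PBKDF2-HMAC-SHA256 with the SSID as salt."""
    return hashlib.pbkdf2_hmac("sha256", wifi_password.encode(), ssid.encode(), 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a standard-library stand-in for the AES mode the radio uses.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def credential_exchange_demo():
    """Returns (hardcoded key leaks the credentials to a foreign bulb,
    derived key works for a bulb of the same network,
    derived key blocks a bulb provisioned for another network)."""
    creds = b"ssid=HomeNet;psk=correct horse battery staple"  # constructed sample
    foreign_bulb_key = HARDCODED_MESH_KEY  # every bulb ever shipped carries this key
    leaks = unseal(foreign_bulb_key, seal(HARDCODED_MESH_KEY, creds)) == creds
    home_key = derive_mesh_key("HomeNet", "correct horse battery staple")
    other_key = derive_mesh_key("NeighbourNet", "hunter2")
    blob = seal(home_key, creds)
    return leaks, unseal(home_key, blob) == creds, unseal(other_key, blob) is None
```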

Risks: New Attack Platforms. Many devices use customized versions of commodity operating systems (Linux/Windows); wide range of architectures, not just x86; embedded systems can even be found inside conventional systems 19

SciFi 20 Photo: Warner Brothers Photo: Paramount Pictures Photo: tailgrab.org

ISC Mission: global network security information sharing community; we share fast and ask readers for insight; expanding diverse sensors for automatic data collection; built around the DShield platform; raw data available for others to analyze 21

ISC: The big picture 22

ISC Handlers: currently about 30 volunteer handlers, located worldwide and working in different industries 23

How to use our data: Threat Intelligence – Diaries – IP Address Feeds – Domain Feeds; data is free to use for your own network (Creative Commons License); share back! 24

Case #1 – Compromised Routers: phone call from an ISP in Wyoming; affects Linksys E1000/1200; scanning for port 80/8080; latest firmware not affected; reset of the router clears the malware 25

Case #1: Verification. Check DShield logs: no spike in port 80/8080, but they are always busy 26

Case #1: Honeypot Data. Seeing “interesting” requests: GET /HNAP1/ HTTP/1.1 Host: a.b.c.d:8080, but nothing else… Something seems to be going on; publishing first “Diary” 27

Case #1: Experiment wget Cisco40033 Linksys … E4200 … 28

Case #1: Honeypot. Setting up a simple honeypot to simulate the router (reply with the correct HNAP response); scanning routers now send the exploit: POST /tmUnblock.cgi HTTP/1.1 Host: [ip of honeypot]:8080 Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH 29
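An added example, not part of the slides or of ISC's tooling, of the kind of check used to confirm this two-step pattern in honeypot or router web-server logs: it labels the HNAP1 probe and the tmUnblock.cgi POST per source address and reports which sources did both. The log lines are constructed (combined log format, documentation addresses).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines, in the shape a honeypot or router web server would record.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2014:10:01:03 +0000] "GET /HNAP1/ HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [12/Feb/2014:10:01:04 +0000] "POST /tmUnblock.cgi HTTP/1.1" 200 0 "-" "-"
203.0.113.5 - - [12/Feb/2014:10:02:11 +0000] "GET /HNAP1/ HTTP/1.1" 200 512 "-" "-"
192.0.2.9 - - [12/Feb/2014:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def classify(line: str):
    """Label one request by the stage of the scan pattern described in the slides.
    Returns (source ip, stage) or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m.group("method"), m.group("path")
    if method == "GET" and path.startswith("/HNAP1/"):
        return m.group("ip"), "hnap_probe"      # fingerprinting the router model via HNAP
    if method == "POST" and path.startswith("/tmUnblock.cgi"):
        return m.group("ip"), "tmunblock_post"  # exploit attempt against the CGI
    return m.group("ip"), "other"


def summarize(log_text: str) -> dict:
    """Per source IP: the stages seen, and whether the probe was followed up with the exploit."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            stages[r[0]].add(r[1])
    return {
        ip: {"stages": sorted(s), "probe_and_exploit": {"hnap_probe", "tmunblock_post"} <= s}
        for ip, s in stages.items()
    }


def exploit_sources(log_text: str) -> list:
    """Source addresses that sent the tmUnblock.cgi POST, i.e. the ones worth reporting."""
    return sorted(ip for ip, v in summarize(log_text).items() if "tmunblock_post" in v["stages"])
```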

Case #1: The Moon Worm 30

Case #1: Challenges. MIPS architecture; no common virtual environments available; most reverse analysis tools are x86-centric; exploit requires specific firmware versions; NO PATCH?!! 31

Case #2: Port 5000 Traffic 32

Case #2: Compromised DVRs. Security camera DVRs exposed to the Internet for remote monitoring 33

Case #2: Exploit. Very simple exploit: the default username/password (root/12345) is used to log in via telnet; various binaries copied to the DVR – Bitcoin miner – scanner for the Synology vulnerability – wget / helper tools 34

Case #2: Why Vulnerable? Simple password dialog; not possible to turn off telnet 35

Case #2: Who Did it? 36

Case #2: Who did it? 37

Case #2: Why Vulnerable? 38

Echo File Transfer: the dropper pushes the binary onto the DVR through the telnet session in hex chunks, appending each with echo -ne and then printing “done” (\x64\x6f\x6e\x65) as a marker: echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x31\x00\x00\x00\x00\x00\x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00\x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65' 39
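An added forensic helper (not from the slides, ISC or the malware's own tooling): given a captured telnet session in which a dropper rebuilds a file with echo -ne chunks like the one above, it replays the redirections to recover what landed on disk, checks that every chunk was acknowledged with the “done” marker, and flags results that carry an ELF header. The session transcript and payload bytes are constructed.

```python
import re

# Constructed telnet-session transcript in the style of the slide's echo-based transfer.
# The payload bytes are made up (an ELF magic plus padding); the real dropper wrote a miner.
CAPTURED_SESSION = r"""
# echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00' > /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'
done
# echo -ne '\x00\x00\x00\x00\x00\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'
done
# chmod +x /var/run/rand0-btcminer-arm
"""

# One echo -ne chunk: the hex-escaped payload, the redirection (> truncates, >> appends), the path.
ECHO_RE = re.compile(r"echo -ne '((?:\\x[0-9a-fA-F]{2})+)' (>>?) (\S+)")


def decode_hex_escapes(s: str) -> bytes:
    """Turn a \\xNN escape string into the bytes echo -ne would emit."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))


def reconstruct_files(session: str) -> dict:
    """Replay the echo commands in order and return {path: bytes} as they would land on disk."""
    files = {}
    for m in ECHO_RE.finditer(session):
        data, op, path = decode_hex_escapes(m.group(1)), m.group(2), m.group(3)
        files[path] = (files.get(path, b"") if op == ">>" else b"") + data
    return files


def chunk_acks(session: str) -> tuple:
    """(chunks sent, “done” markers seen); a mismatch means the transfer was interrupted."""
    return len(ECHO_RE.findall(session)), len(re.findall(r"^done$", session, re.M))


def triage(files: dict) -> dict:
    """Per reconstructed file: (starts with an ELF header, size in bytes)."""
    return {p: (d[:4] == b"\x7fELF", len(d)) for p, d in files.items()}
```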

Case #3: Synology Disk Stations. Vulnerable web-based admin interface exposed on port 5000; allows remote code execution; exploited before a patch became available; devices are difficult to patch 40

Case #3: Synology Vulnerability History. CVE : hardcoded VPN password; CVE : webman vulnerability allows appending to arbitrary files; CVE : read/write/delete files via directory traversal 41

Case #3: Iowa State Breach. Iowa State stored student data including SSNs on Synology devices; the devices got breached by the Bitcoin miner campaign; 5 devices breached; 29,780 SSNs exposed 42

Case #3: Continuation … Synolocker 43

Case #4: Handheld Inventory Scanners 44

Case #4: Targeted Attack. 12 of 40 scanners delivered to a robotics/logistics company came with malware pre-installed; the malware attacked the network “from the inside”, targeting accounting systems and exfiltrating data; firmware downloaded from the manufacturer's site was infected as well 45

Case #4: Malware Details. The scanner runs Windows XP Embedded; the malware was only detected due to network monitoring; not possible to install standard AV or whitelisting tools on the scanner 46

Defensive Strategies 47

We need solutions that scale! 48

Network Segmentation. Target: the air-conditioner network was not sufficiently segmented, which allowed the breach of the “business” network. How many segments can we manage? Do all devices fit into the same segment? How do they talk to the rest of the network? 49

Onboarding Devices: accounting for devices / inventory; configuring security parameters (passwords, keys); establishing a baseline configuration; develop/procure tools to provision devices at scale securely 50

Patching: how are patches distributed / validated? Can automatic patching be used? Centralized patch management solutions? Inventory/onboarding first; it needs to integrate with patching 51

Logging / Monitoring: what logs to collect, and how? Flooded by meaningless logs? Set up “satellite collectors” that aggregate and pre-filter before sending to the central log management system 52

Solution 1: Don’t buy crap. Ask the right questions before purchasing devices: – onboarding tools? – logging standards? – support contracts? 53

Solution 2: Scalable & Repeatable Processes. Take what you learned from your desktop/server environment. Automation! 54

Conclusion Are we still in control? Probably not… but not clear who is in control… the machines? The cloud? The miscreant pw0ning your machines? 55

Thanks! Questions? Daily Updates * Daily Podcast * Data Feeds LinkedIn 56