The Anatomy and Security of an Anonymous Operation

greenpepperwhinnySecurity

Nov 3, 2013

July 2012

Terry Ray, VP WW Security Engineering

What is Anonymous?

Perception

“[Anonymous is] the first Internet-based superconsciousness.” Chris Landers, Baltimore City Paper, April 2, 2008

Hacktivists fighting for moral causes.

The 99%.

Reality

“Anonymous is an umbrella for anyone to hack anything for any reason.” New York Times, 27 Feb 2012

Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement and Vladimir Putin.

Anyone can be a target.


The Plot

The attack took place in 2011 over a 25-day period.

Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.

10-15 skilled hackers.

Several hundred to thousands of supporters.

How They Attack: The Anonymous Attack Anatomy

Anonymous Attack on Customer Site (Web Application Protection Use Case)

Phase I: scanners such as Nikto
Phase II: Havij SQL injection tool
Phase III: LOIC application

Diagram labels: two phases marked Technical Attack, one marked Business Logic Attack.

SecureSphere stopped all phases of attack.

On the Offense

Skilled hackers: this group, around 10 to 15 individuals per campaign, have genuine hacking experience and are quite savvy. Broad use of anonymizing services (aProxy & TOR).

Nontechnical: this group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.

On the Defense

Deployment line was network firewall, IDS, WAF, web servers, network anti-DoS and anti-virus.

Imperva WAF:
+ SecureSphere WAF version 8.5 inline, high availability
+ ThreatRadar reputation (IP Reputation)
+ SSL wasn’t used; the whole website was in HTTP

1. Recruiting and Communications

Step 1A: An “Inspirational” Video

Step 1B: Social Media Helps Recruit

Setting Up An Early Warning System

Example

2. Recon and Application Attack

“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” Sun Tzu

Step 1A: Finding Vulnerabilities

Tool #1: Vulnerability Scanners

Purpose: Rapidly find application vulnerabilities.

Cost: $0-$1000 per license.

The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)

Hacking Tools

Tool #2: Havij

Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.

Developed in Iran.
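What a tool like Havij automates is mechanical once a parameter reaches the database as SQL text. The following is an added example, not code from the deck or from Havij: a constructed in-memory SQLite schema (tables `news` and `users`, both hypothetical) with a concatenated query beside a parameterised one, driven by the two payload shapes such tools iterate through (a UNION to pull another table, and a query against the catalogue to enumerate table names). The “Code Fixing” item under Mitigation below comes down to the second function.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database standing in for a site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'Welcome'), (2, 'Maintenance window');
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'alice', 'h1'), (2, 'bob', 'h2'), (3, 'admin', 'h3');
    """)
    return conn


def news_vulnerable(conn, article_id):
    """Builds the query by concatenation: whatever is in article_id is parsed as SQL."""
    sql = "SELECT id, title FROM news WHERE id = " + str(article_id)
    return conn.execute(sql).fetchall()


def news_safe(conn, article_id):
    """Bound parameter: the value travels separately from the statement text."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (article_id,)).fetchall()


# Payloads of the kind an automated harvester tries. The UNION must match the
# column count of the original SELECT (two here); tools find that by trial,
# and find table names by querying the catalogue, as the second payload does.
PAYLOAD_UNION = "1 UNION SELECT username, password_hash FROM users"
PAYLOAD_ENUM = "0 UNION SELECT name, sql FROM sqlite_master WHERE type='table'"


def demo():
    conn = setup_db()
    return {
        "vulnerable_union": news_vulnerable(conn, PAYLOAD_UNION),
        "vulnerable_enum": news_vulnerable(conn, PAYLOAD_ENUM),
        "safe_union": news_safe(conn, PAYLOAD_UNION),
        "safe_normal": news_safe(conn, 1),
    }
```

With the bound parameter the payload is compared, as an opaque string, against an integer column and matches nothing; the concatenated version returns the whole `users` table alongside the article. The same payloads are what the WAF signatures later in the deck are matching on, so the fix and the detection cover the same input.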

Vulnerabilities of Interest

[Chart: number of alerts per day (0 to 4000) for Day 19 through Day 23, broken out by attack type: Directory Traversal, SQL injection, DDoS recon, XSS]
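The per-day alert breakdown in that chart is what you get from classifying request paths against a few attack signatures and bucketing by date. The following is an added example, not the deck’s or Imperva’s code: a small classifier over constructed Apache-style access log lines (the IPs, dates and paths are made up), covering the three signature-based categories from the chart. DDoS recon is a rate question rather than a payload question and is not covered here.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed access log lines; they are not the customer's logs.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2011:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [19/Jul/2011:10:01:05 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 87
10.0.0.7 - - [19/Jul/2011:10:01:06 +0000] "GET /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 87
10.0.0.9 - - [20/Jul/2011:11:15:00 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 403 12
10.0.0.9 - - [20/Jul/2011:11:15:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 301
10.0.0.11 - - [21/Jul/2011:12:00:00 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

# Signatures are checked in order; the first match names the alert type.
SIGNATURES = [
    ("SQL injection", re.compile(r"\bunion\b.*\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\b", re.I)),
    ("Directory Traversal", re.compile(r"\.\./|\.\.\\", re.I)),
    ("XSS", re.compile(r"<script\b|javascript:|\bon(error|load|click|mouseover)\s*=", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d+/\w+/\d+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)


def classify(path):
    """Return the alert type for a request path, or None. Decode first: attackers URL-encode."""
    decoded = unquote(path)
    for name, rx in SIGNATURES:
        if rx.search(decoded):
            return name
    return None


def alerts_per_day(log_text):
    """Map day -> {alert type: count}, the data behind a per-day alert chart."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["path"])
        if kind:
            counts[m["day"]][kind] += 1
    return {day: dict(c) for day, c in counts.items()}
```

Decoding before matching matters: the two SQL injection lines only match after `%27` and `%20` are turned back into the quote and spaces. A production ruleset decodes repeatedly and also normalises path segments, since `%2e%2e/` and overlong encodings are the usual way scanners try to slip past a literal `../` match.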

Comparing to Lulzsec Activity

Lulzsec was/is a team of hackers focused on breaking applications and databases.

‘New’ Lulzsec taking credit for recent attacks: Militarysingles.com.

Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign.

Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI).

Lulzsec Activity Samples

1 infected server ≈ the power of 3000 bot-infected PCs

8000 infected servers ≈ the power of 24 million bot-infected PCs

Automation is Prevailing

In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.

Note:
+ Due to automation, hackers can be effective in small groups, i.e. Lulzsec.
+ Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites.

US is the ‘visible’ source of most attacks

[Pie chart of attack source by country]
United States: 61.3%
China: 9.4%
Sweden: 4.4%
France: 2.1%
Undefined: 2.1%
United Kingdom: 1.1%
Netherlands: value not recovered from the extraction (the listed figures sum to 99.6%)
Other: 19.2%

During the Anonymous attack 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
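The 74% figure is the kind of number an IP reputation feed produces when every alert’s source address is matched against known Tor exit and anonymous-proxy ranges. The following is an added example, not the deck’s or ThreatRadar’s code, with a constructed feed and constructed alert records (all addresses are from documentation ranges). It also shows the policy decision that the “Blacklist + IP Rep” mitigation implies: an anonymizer address carrying an attack signature is blocked, an anonymizer address with no attack seen is challenged rather than blocked, because legitimate users do sit behind Tor.

```python
import ipaddress

# Constructed reputation feed (network -> category); not a real feed.
REPUTATION_FEED = [
    ("198.51.100.0/24", "tor_exit"),
    ("203.0.113.0/25", "anonymous_proxy"),
    ("192.0.2.77/32", "anonymous_proxy"),
]

# Constructed alert records: (source IP, whether an attack signature matched).
ALERTS = [
    ("198.51.100.12", True), ("198.51.100.40", True), ("203.0.113.9", True),
    ("203.0.113.77", True), ("192.0.2.77", True), ("198.51.100.3", True),
    ("10.0.0.7", True), ("172.16.4.2", True),
]


def build_reputation(feed):
    """Parse the feed once into network objects for containment checks."""
    return [(ipaddress.ip_network(net, strict=False), cat) for net, cat in feed]


def reputation_of(nets, ip):
    """Category of the first listed network containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, cat in nets:
        if addr in net:
            return cat
    return None


def decide(nets, ip, signature_matched):
    """Block on attack evidence; challenge anonymizers without evidence; otherwise allow."""
    cat = reputation_of(nets, ip)
    if signature_matched:
        return "block"
    if cat is not None:
        return "challenge"  # e.g. CAPTCHA or JS challenge, not a hard drop
    return "allow"


def anonymizer_share(alerts, nets):
    """Fraction of alert sources that sit in a listed anonymizer range."""
    hits = sum(1 for ip, _ in alerts if reputation_of(nets, ip) is not None)
    return hits / len(alerts) if alerts else 0.0
```

On the constructed alerts six of eight sources are in listed ranges, so the share comes out at 0.75. A linear scan over the feed is fine for a demonstration; a real feed has tens of thousands of prefixes and is matched with a radix tree or the WAF’s own lookup, and it goes stale within hours, which is why it is a signal to combine with signatures rather than a block list on its own.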

Mitigation: AppSec 101

Code Fixing
Dork Yourself
Blacklist + IP Rep
WAF
WAF + VA
Stop Automated Attacks

3. Application DDoS

LOIC Facts

Low-Orbit Ion Canon (LOIC)

Purpose:
+ DDoS
+ Mobile and Javascript variations

Other variations: HOIC, GOIC, RefRef

LOIC downloads:
+ 2011: 381,976
+ 2012 (through May 10): 374,340
+ By June 2012: ~98% of 2011’s downloads!

Anonymous and LOIC in Action

[Chart: transactions per second, Day 19 through Day 28, axis 0 to 700,000; average site traffic versus LOIC in action]

Application DDoS
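The chart above is a transactions-per-second series with a flat baseline and a spike when the volunteers start LOIC. The following is an added example, not the deck’s code, of the two detections that series supports: an aggregate rate check against a baseline, and a per-source rate check that picks out individual LOIC clients. The traffic is constructed (ten seconds of background at two requests per second, then three hypothetical volunteer IPs at 40 requests per second for four seconds); the thresholds are illustrative.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_sample():
    """Constructed request records (timestamp, source IP); not the customer's traffic."""
    base = datetime(2011, 7, 25, 12, 0, 0)
    recs = []
    # Background: two requests per second from varied clients for ten seconds.
    for s in range(10):
        for i in range(2):
            recs.append((base + timedelta(seconds=s), f"192.0.2.{(2 * s + i) % 50 + 1}"))
    # LOIC-style flood: three volunteers each firing 40 requests per second in seconds 5-8.
    for s in range(5, 9):
        for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
            recs.extend((base + timedelta(seconds=s), ip) for _ in range(40))
    return recs


def tps_by_second(records):
    """Total transactions per second, keyed by second, in time order."""
    counts = Counter(ts.replace(microsecond=0) for ts, _ in records)
    return dict(sorted(counts.items()))


def estimate_baseline(records):
    """Median per-second rate: a few flood seconds do not drag it up the way a mean would."""
    return median(tps_by_second(records).values())


def flood_seconds(records, factor=10):
    """Seconds in which total TPS exceeds factor times the baseline."""
    baseline = estimate_baseline(records)
    return [ts for ts, n in tps_by_second(records).items() if n > factor * baseline]


def flood_sources(records, per_source_limit=20):
    """Source IPs that exceed per_source_limit requests within any single second."""
    per_sec = defaultdict(Counter)
    for ts, ip in records:
        per_sec[ts.replace(microsecond=0)][ip] += 1
    offenders = {ip for c in per_sec.values() for ip, n in c.items() if n > per_source_limit}
    return sorted(offenders)
```

The per-source check is what stops a handful of volunteers; it does not stop several hundred of them each staying under the limit, which is the case the deck describes. For that the aggregate check has to trigger a response that discriminates by behaviour rather than by address, such as serving a JavaScript or CAPTCHA challenge that LOIC’s fixed request loop cannot answer, while real browsers pass through.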

“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.” The Hacker News, July 30, 2011

But That Much Sophistication Isn’t Always Required

Meet your target URL

4. Non-Mitigations

I have IPS and NGFW, am I safe?

IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.

WAFs at a minimum must include the following to protect web applications:
+ Web-App Profile
+ Web-App Signatures
+ Web-App Protocol Security
+ Web-App DDoS Security
+ Web-App Cookie Protection
+ Anonymous Proxy/TOR IP Security
+ HTTPS (SSL) visibility
+ Security Policy Correlation

However, IPS and NGFWs at best only partially support some of the items above (highlighted in red on the original slide; the highlighting is not preserved in this extraction).

Recent attacker targets…

Church of Scientology
Muslim Brotherhood
Zappos.com
MilitarySingles.com
Amazon
Austria Federal Chancellor
HBGary Federal
Mexican Interior Ministry
Mexican Senate
Mexican Chamber of Deputies
Irish Department of Justice
Irish Department of Finance
Greek Department of Justice
Egyptian National Democratic Party
Spanish Police
Orlando Chamber of Commerce
Catholic Diocese of Orlando
Bay Area Rapid Transit
PayPal
Mastercard
Visa
Yahoo Voice
Linked In
Last.fm
Formspring
eHarmony
US Department of Justice
US Copyright Office
FBI
MPAA
Warner Brothers
RIAA
HADOPI
BMI
SOHH
Office of the AU Prime Minister
AU House of Parliament
AU Department of Communications
Swiss bank PostFinance
Egyptian Government
Itau
Banco de Brazil
US Senate
Caixa

How many of these organizations have AV, IPS and Next Generation Firewalls?

Why are the attacks successful when these technologies claim to prevent them?

5. Demo