HSB15 - Thijs Bosschert - Radically Open Security
3 likes1,344 views
The document discusses lessons learned from the hacking of Hacking Team, an Italian company that sells surveillance technology to governments. It describes how Hacking Team was compromised after using weak passwords, failing to properly secure their network and data, and not following security best practices. Over 400GB of internal documents and source code were leaked, exposing exploits and surveillance tools. The takeaway is that security companies must practice rigorous security and prepare for being a prime target if they want to advise others on security.
![May 12, 2014
Code like everyone is watching
def content(*args)
hash = [args].flatten.first || {}
process = hash[:process] || ["Explorer.exe0",
"Firefox.exe0", "Chrome.exe0"].sample
process.encode!("US-ASCII")
path = hash[:path] || ["C:Utentipippopedoporno.mpg",
"C:UtentiplutoDocumentichildporn.avi",
"C:secretsbomb_blueprints.pdf"].sample
path = path.to_utf16le_binary_null
Source: https://github.com/hackedteam/rcs-
common/blob/master/lib/rcs-common/evidence/file.rb](https://image.slidesharecdn.com/2-thijs-bosschert-151029084019-lva1-app6892/85/HSB15-Thijs-Bosschert-Radically-Open-Security-21-320.jpg)
HSB15 - Thijs Bosschert - Radically Open Security
- 1. Thijs Bosschert 27 oktober 2015, Den Haag info@radicallyopensecurity.com thijs@radicallyopensecurity.com Wat hebben we geleerd van de Hacking Team hack?
- 2. May 12, 2014 Radically Open Security Non-Profit Computer Security Consultancy We're an idealistic bunch of security researchers, networking/forensics geeks, and Capture The Flag winners that are passionate about making the world more secure. We believe in transparency and openness. And our goal is to secure the society that allows us to run a company in the first place. https://radicallyopensecurity.com/
- 3. May 12, 2014 Thijs Bosschert Freelance Security Professional • Incident Response • Forensics • Penetration tester • Security researcher • Trainer • CTF player (Eindbazen, Hack.ERS)
- 4. May 12, 2014 Worldwide IR
- 5. May 12, 2014 HackingTeam Source: http://www.hackingteam.it/
- 6. May 12, 2014 HackingTeam Remote Control System Take control of your targets and monitor them regardless of encryption and mobility. It doesn’t matter if you are after an Android phone or a Windows computer: you can monitor all the devices. Remote Control System is invisible to the user, evades antivirus and firewalls… Source: http://www.hackingteam.it/images/stories/galileo.pdf
- 7. May 12, 2014 HackingTeam Remote Control System Hack into your targets with the most advanced infection vectors available. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move. Keep an eye on all your targets and manage them remotely, all from a single screen. Be alerted on incoming relevant data and have meaningful events automatically highlighted. Source: http://www.hackingteam.it/images/stories/galileo.pdf
- 8. May 12, 2014 You will be hacked Source: https://twitter.com/hackingteam/status/563356441885835264
- 9. May 12, 2014 Imagine this Source: https://wikileaks.org/hackingteam/emails/
- 10. May 12, 2014 You have been hacked Source: https://twitter.com/hackingteam/status/563356441885835264
- 11. May 12, 2014 How was it done? Source: https://twitter.com/GammaGroupPR
- 12. May 12, 2014 How was it done? Source: http://0x27.me/HackBack/0x00.txt
- 13. May 12, 2014 0x00.txt ● Mapping out the target ● Scanning & Exploiting ● Escalating ● Pivoting ● Have Fun Source: http://0x27.me/HackBack/0x00.txt
- 14. May 12, 2014 Denial Source: Twitter
- 15. May 12, 2014 Bad response Source: Twitter
- 16. May 12, 2014 Bad press reactions Source: http://www.hackingteam.it/index.php/about-us
- 17. May 12, 2014 ~400 GB
- 18. May 12, 2014 WikiLeaks Email DB Source: https://wikileaks.org/hackingteam/emails/
- 19. May 12, 2014 0 days & exploits ● CVE-2015-0349 – Adobe Flash Player ● CVE-2015-2425 – IE 11 ● CVE-2015-2426 – OpenType Font Driver ● CVE-2015-5119 - Adobe Flash Player ● CVE-2015-5122 - Adobe Flash Player ● CVE-2015-5123 - Adobe Flash player
- 20. May 12, 2014 Weak passwords ● P4ssword ● Passw0rd ● wolverine ● universo ● HTPassw0rd ● Passw0rd!81 + Password reusage Source: http://pastebin.com/bxYXHFMu
- 21. May 12, 2014 Code like everyone is watching def content(*args) hash = [args].flatten.first || {} process = hash[:process] || ["Explorer.exe0", "Firefox.exe0", "Chrome.exe0"].sample process.encode!("US-ASCII") path = hash[:path] || ["C:Utentipippopedoporno.mpg", "C:UtentiplutoDocumentichildporn.avi", "C:secretsbomb_blueprints.pdf"].sample path = path.to_utf16le_binary_null Source: https://github.com/hackedteam/rcs- common/blob/master/lib/rcs-common/evidence/file.rb
- 22. May 12, 2014 CIS Critical Security Controls Source: SANS 20 Critical Controls Poster
- 23. May 12, 2014 CIS Critical Security Controls Source: SANS 20 Critical Controls Poster
- 24. May 12, 2014 ~400 GB
- 25. May 12, 2014 What went wrong? ● Weak passwords usage and re-usage ● No network Segmenting and protection ● No data encryption ● No secure email ● No data classification ● No monitoring ● Incorrect incident response procedures ● Usage of illegal software
- 26. May 12, 2014 Security level Source: http://lockheedmartin.com
- 27. May 12, 2014 Protection level Source: http://www.slideshare.net/jaredcarst/cyber-threats-cybersecurity-are-you-ready
- 28. May 12, 2014 Wat hebben we geleerd? Als security bedrijf ben je een gewild target voor aanvallers, dan kan je maar beter zorgen dat je daar dan ook op voorbereid bent.