Security - SAT Expo
Transcript
IT security over cable, wireless and satellite: secrets and solutions, session II
[ PROACTIVE SECURITY AND FIELD EXPERIENCES ]

Raoul Chiesa
Founder & CTO, @ Mediaservice.net, Divisione Sicurezza Dati/DSD-LAB
Steering Committee, CLUSIT, Italian Association for Computer Security
Board of Directors Member, Director of Communications, ISECOM, Institute for Security and Open Methodologies, USA
Authorized International Trainer, ISECOM OPST & OPSA Official Certification Programs
Southern Europe Reference Member, T.S.T.F. Telecom Security Task Force, USA, EU, ASIA

COPYRIGHT
This set of slides is protected by copyright law and by the provisions of international treaties. Title and copyright in the slides (including, but not limited to, every image, photograph, animation, video and text) belong to the indicated authors. The slides may be freely reproduced and used by research institutes, schools and universities under the Italian Ministry of Education for institutional, non-profit purposes. Any other use or reproduction (including, but not limited to, reproduction in print, on magnetic media or on local and public computer networks), in whole or in part, is forbidden unless explicitly authorized in writing, in advance, by the author(s). The information contained in these slides is believed to be accurate as of the date of publication. It is provided for educational purposes only and not for use in the design of installations, products, etc. The information contained in these slides is subject to change without notice. The author accepts no responsibility for the content of these slides (including, but not limited to, the correctness, completeness, applicability and currency of the information). In no case may conformity with the information contained in these slides be declared.
In any case this copyright notice must never be removed and must be reproduced also in partial uses.
(C) 1996-2004 Raoul Chiesa
(C) 2002-2004 @ Mediaservice.net Srl

AGENDA
14.45 – AN INTRODUCTION TO PROACTIVE SECURITY
• The company
• The speaker
• What we do
• Our clients
• Proactive Security
• Schools & methodologies
• ISECOM’s Security Proactive Square
15.30 – IT SECURITY AND SAT COMMS: THE LINKS
• Applying Proactive Security to the world of satellite communications: a real overview
• Typical security issues
THE SATELLITE AND THE BUSINESS WORLD: A CASE STUDY ON END-USER APPLICATIONS
• Finance environments
• Editorial group environments
• Telecommunications environments
16.15 – ASSETS & PROBLEMS: HISTORICAL ISSUES AND FIELD EXPERIENCES
• Smart Card, Decoder, Router, NoC, Dealers
• Penetration Testing Case Studies
ZOOM: SAT ROUTER’S FIELD EXPERIENCES (BLACK BOX SECURITY TESTING)
• Router X
• Router Y
16.45 – (A THEORETICAL) CASE STUDY: SAT-OPERATOR SECURITY
• Points of attack
• Vulnerabilities: Devices, Applications, Network
• Lessons that have been learnt
SECURITY SAT-COMMS R&D: SOME RESULTS ON ROUTER’S SECURITY
17.15 – Q&A

THE COMPANY
• We’re not a “dot-com sec-company” [Est. 1997]
• Privately owned by security professionals, no VCs
• Vendor-independent: no resell, no (re)distribute!
• D.S.D. (Data Security Division) since 1998
• Wide background, direct experience
• Internal Tiger Team (’99)
• On-the-edge consulting expertise
• Unconventional technologies builder
• Vendors & Carriers External Audit Team
• Strong R&D (national/international: scouting, black-box testing, distributed research, contributions to the world’s security community)
• Top & large companies’ final choice (Corporate, Telco, IT, Industry, Chemical, Editorial, Finance, Healthcare and P.A. environments)
• Third-party selected partnerships

THE SPEAKER
• Hacking skills started back in 1986
• From 1989 to 1995 high-level hacking and phreaking experiences
• Ice Trap operation, 1995-96: SCO/FBI, Interpol, Criminalpol
• Co-founder of @ Mediaservice.net in 1997 (a l0pht focus)
• Papers & articles for standard and specialized press
• Interviews with mass media (independent point of view)
• CLUSIT, ISECOM, TSTF Member of the Board

CLIENT PORTFOLIO (EXTRACT)
Arma dei Carabinieri (ROS, Central Command in Rome), Hospital S. Giovanni Battista, Torino (Ospedale delle Molinette), Banca Mediocredito Friuli Venezia Giulia, Bo*frost SpA, Bulgari SpA, CNR di Milano (Security Task Force), Telecom Italia SpA (Italy and abroad group companies), Editorial Group “L’Espresso” (La Repubblica, Kataweb, Radio DJ, etc.), ITC/ILO – International Training Center of the ILO (UN), Mirato SpA (Malizia, Clinians and Intesa brands – pharmaceutical/chemical sector), NoiCom SpA, Pirelli SpA – Corporate Security Department, TIM SpA, Vodafone Omnitel SpA, University of Udine, University of Milano (DSI), UNICRI – United Nations Interregional Crime and Justice Research Institute (UN), Zyxel Telecommunications Inc. (Taiwan), Watchguard Technologies Inc. (USA).

WHO WE ARE
• An independent team of security professionals
• 10+ years of expertise in high-level penetration testing & security consulting
• Specialized in telco and corporate environments
• Independent researchers, independent auditors
• We enjoy “impossible” missions and hard-to-solve security issues
• T.S.T.F. International Consulting Team Members (40+ telecommunication operators audited across 4 regions: USA, Australia, Asia, Europe)
We’re not the ones that “talk”, we’re the ones that AUDIT, TEST, REPORT.

WHAT WE DO
• Proactive Security (I’m going to explain this to you)
• Real-Time Security
  - Secured Production Systems (Web, Mail, FTP and SMS systems)
  - Defense Systems (Firewall, xIDS and Monitoring systems)
  - Security Managed Services – S.O.C.
• Post-Attack Security
  - Log Analysis
  - Computer Forensics
  - Criminal Profiling
• Specialized Security Training
  - Certified Security Classes (OPST, OPSA)
  - Ethical Hacking for Corporates
  - L.E.A. Security (authorities only)
• IT & TLC Security Consulting

MEDIA RELATIONSHIPS (EXTRACT)
• Magazines/Newspapers: Apogeo Editore, Fondazione Ugo Bordoni-Telèma, Hackers & C, ICT Security Magazine, Il Sole 24 Ore Internet News, Internos, La Repubblica, La Stampa, Linux & C, MAX, Mondadori My Tech, Panorama/Panorama Web, PC Magazine Italia, Zeusnews.
• Books: Feltrinelli, Pearson Italia, Sperling & Kupfer, Apogeo Editore: scientific supervisors and writers for the Italian editions of specialized books and manuals: Matrix Reloaded, The Art of Deception, Security in Computing and Hacking: The Art of Exploitation.

PROACTIVE SECURITY I [ a basic intro ]

PROACTIVE SECURITY: WHAT’S THIS?!?
Proactive Security = Act BEFORE [and sleep better at night]

WHY IS IT SO IMPORTANT?
Maybe for the consequences?
• Economic damages
• Damage to the company’s image
• Theft of confidential information and reserved projects
• Legal liability (both civil and criminal)
• Resource abuse
• Violation of international practices and standards
• Revocation/suspension of certifications (ISO/BSI)
• … you really have many reasons to care.

PROACTIVE SECURITY: from “schools”…
Yesterday we used to have different “schools”:
- Automated testing (Vulnerability Scanning/Assessment)
  “our scanner uses A.I. on neural networks, and everything is in HA”
- Manual testing (Ethical Hacking, Pentesting, Unconventional Security Testing)
  “we’ve got the most advanced & up-to-date hacking techniques”
  “we have the best hackers in the world (or whatever)”
  “...Uh, yeah, you know, we use Latvian people!”
- Security-through-Obscurity Security Testing
  “...dear customer, you shouldn’t care about HOW we do it, that’s our job and we know how to do it, but we can’t explain the ‘whys’ and the ‘hows’ to you!”

PROACTIVE SECURITY: …to “methodologies”
- Vulnerability Scanning/Assessment
- Security Scanning
- Penetration Testing
- Risk Assessment
- Security Auditing
- Ethical Hacking
- Posture Assessment & Security Testing

DECISIONAL FACTORS:
• Execution costs
• Execution timings
DISTINCTION FACTORS:
• Applied methodology
• Repeatability of the tests and chance of comparison
• Numeric classification of the “risk values”
• Compliance with standards and legislation (ISO/BSI, privacy laws, company policies, …)

THE PROs AND THE CONs
• Automated (Vulnerability Scanning, Security Testing)
• Hand-made (Penetration Test, Ethical Hacking)
The first methodology is based on the quality of the security testing tool (a product); it’s not that easy to reproduce the technical skill and motivation of an attacker… Would a hacker ever buy a piece of software to attack your company?
We suggest the use of automated tools in order to plan cyclic internal Vulnerability Assessments, but it cannot be a serious way to take a real snapshot of the existing situation and the effective technical risk level.
The second technique produces the best results, but the tests must be executed by a Tiger Team with extensive and proven expertise and skills.
TODAY: THE PROACTIVE SECURITY SQUARE

PROACTIVE SECURITY II [ Know Your ENEMY ]

KNOW YOUR ENEMY: HACKER PROFILING
PSYCHOLOGICAL PROFILE | DANGEROUSNESS LEVEL
Wannabe Lamer (I’d like to be a hacker, but I can’t…) | NULL
Script Kiddie (the script boy) | LOW
Cracker (burned ground, the Destructor) | HIGH
Ethical Hacker (the “ethical” hacker’s world) | MEDIUM
Quiet, paranoid, skilled hacker (the very specialized and paranoid attacker) | MEDIUM
Cyber-Warrior (the soldier, hacking for money) | HIGH
Industrial Spy (industrial espionage) | HIGH
Government agent (CIA, Mossad, FBI, etc. – Cuckoo’s Egg docet) | HIGH

KNOW YOUR ENEMY: TARGETS
PSYCHOLOGICAL PROFILE | TARGET
Wannabe Lamer | End-user
Script Kiddie | SME / specific security flaws
Cracker | Big companies / PA / Finance / Telco
Ethical Hacker | Vendor / System Integrator / Telco
Quiet, paranoid, skilled hacker | Big companies / PA / Finance / Telco / R&D
Cyber-Warrior | Multinational “symbols”
Industrial Spy | Multinationals, ICT companies
Government agent | Multinationals / Governments

Attack tools have grown up, intruders’ skills have gone down!

BACK! THE PROACTIVE SECURITY SQUARE

SECURITY TESTING: HOW IT WORKS
Ok, what’s in these “verification actions”?
Using different actions of Vulnerability Scanning, Penetration Test or attacks via Ethical Hacking, we carry out proactive verification systems, useful to point out weaknesses in the target systems, environments or goal network.

DEEP INSIDE: EXTERNAL / INTERNAL
FROM THE EXTERNAL
Public Networks
• Leased TCP/IP lines (CDN/CDA/ADSL/HDSL/F.R.)
• Packet switching lines (CDN or Frame Relay)
• Telephone lines (PSTN/ISDN)
• Satellite lines (mono/bidirectional)
• Mobile (GSM, GPRS, 3G)
FROM THE INTERNAL
• INSIDER ABUSE PROFILE
• INTERNAL L.A.N. (via RAS or on-site)
• LAN-to-LAN PtP
• LAN-to-LAN Public
• LAN-to-LAN VPN
Private Networks with public gateways
• INTERNET linked
• Point-to-Point
• X.25/X.121
• DECnet
• SNA
• Dial-in / toll-free access numbers
• RAS
• Suppliers’ gateways: SAP, trusted suppliers, trusted gateways, etc.

WHY HIRE AN EXTERNAL TIGER TEAM?
• You obtain an objective and impartial test of your data infrastructure
• External T.T.s often use unconventional verification techniques, beyond the classic verification methodologies
• Already knowing your information technology systems = conflict of interest + useful information for the attacks (e.g. 10 or 192.168 private IP classes?)
• The company’s preconceptions could influence a “home-made” security test (blind-spot issues)
• Third-party confirmations supply guarantees to insurance and financial partners, as well as to the customers.

CONSULTANT SELECTION: COMPANY OR FREELANCE?
Single freelance:
• OK! He costs less: (apparent) money savings.
• NOT OK ...he does not have the availability of specific equipment, skills and infrastructures needed to execute large-scale jobs or attacks on specific media (e.g. RAS, PBX, X.25, OSes other than Microsoft, Linux, Sun).
• compromise #1: problems with availability, immediate response, target dimensions;
• compromise #2: lower-profile testing, low vision on the targets;
• compromise #3: 3 heads work better than 1, we all know this: but if this leads to missed vulnerability discovery, it will mean a false sense of security on the client’s side.
OPERATING SYSTEMS TESTED IN 10+ YEARS
- AOS/VS
- BBS Systems
- Bull PAD
- CICS/VTAM
- Cisco IOS
- CDC NOS – Control Data Corporation
- DEC VAX/VMS and AXP/OpenVMS
- DEC Ultrix
- DEC Terminal Decserver
- DG/UX Aviion General
- DOS
- DRS/NX
- GS/1
- HP 3000
- HP/UX 9000
- IBM AIX
- IBM OS/400 (AS/400)
- Northern Telecom PBXs
- IRIX SGI
- VM/370
- PACX/Starmaster (Starmaster Gandalf)
- Pick Systems
- PRIMOS Prime Computer
- RSTS
- SCO
- Shiva LAN Router
- Sun Solaris
- TOPS 10/20
- Unknown systems
- VCX Pad
- VM/CMS
- IRIS Operating System (PDP and others)
- XENIX
- Linux
- Motorola XMUX (Gandalf)
- WANG Systems

MAIN CHECKS AND TESTS
Policies (External/Internal)
Passwords
Operating System (OS) bugs
Application bugs
…

OUR METHODOLOGY APPROACH: ATTACK PHASES
Information Gathering
The goal of this phase is obtaining all the available information about the target, using public sources and tools.
Services Scanning
In this second phase, the goal is obtaining all the available information regarding the active services of the target machine(s), as well as their versions and releases.
Security Flaws Identification & PoC/Attack Phase
The goal here is to penetrate into the target system(s) and obtain – whenever possible – full operating privileges on the machine; demonstrate the theorized vulnerabilities; Proof of Concept using specific or “on-the-fly coded” exploits.
Target Session
The fourth phase of the security verification process looks for information and trends on the target system itself; we also look for previous (unknown) break-ins or intrusions and we try to define and understand the management and administration level of the target box.
Security Report
The final Security Report contains: Executive Summary, Technical Summary, Attack Sessions, Evidence, as well as Tested Environment specifications, assigned Technical Risk Level, Suggestions and final Conclusions.
BACK AGAIN: THE PROACTIVE SECURITY SQUARE

VULNERABILITY ASSESSMENT (SCANNING) – THE PROACTIVE SECURITY SQUARE (1/7) – YOU ARE HERE
• Level 1 in the Security Testing Quality standards
• Automated testing
• English-language reports that “fit everybody”
• High number of false positives/negatives (fake alerts, fake “security sensation”)
• It only cares about the “IP” world

SECURITY SCANNING – THE PROACTIVE SECURITY SQUARE (2/7) – YOU ARE HERE
• Level 2 in the Security Testing Quality standards
• Automated scanning, hand-made verifications
• Final report in Italian and English
• Manual tuning of the false positives and negatives
• We keep on taking care only of the IP areas

PENETRATION TESTING – THE PROACTIVE SECURITY SQUARE (3/7) – YOU ARE HERE
• Level 3 in the Security Testing Quality standards
• Verification actions manually executed, following proprietary methodologies (pentester’s personal background or attack team specific know-how)
• The final report is directly written by the executing Tiger Team and it’s sent in Italian (or another) language to the final customer
• You can bundle special testing services (optionally), such as Social Engineering, Trashing, Physical Intrusion, Web Application Security Testing, black-box penetration test, etc.
• It does not stop at the “IP” world (RAS, X.25, DECnet, WiFi, Web, etc.)
• The execution time grows with each single tested asset

RISK ASSESSMENT – THE PROACTIVE SECURITY SQUARE (4/7) – YOU ARE HERE
• Level 4 in the Security Testing Quality standards
• Evaluation and correlation actions on the data mined from testing operations and the company’s risk values
• Results can be generated from the 3 previous technical analysis methodologies
• It needs a long execution time
• If the technical testing results are somehow “false”, the whole risk analysis will pay the consequences (and the economic investments as well!)
SECURITY AUDIT – THE PROACTIVE SECURITY SQUARE (5/7) – YOU ARE HERE
• Level 5 in the Security Testing Quality standards
• Auditing actions – typically from the internal environment – of the whole IT information infrastructure: the analysis looks at the design, procedural and implementation points of view and at security issues, exposures and flaws.
• It is manually executed, with a strongly customized final report, based on the client’s effective needs, also taking into consideration specific assets or company businesses.
• It can be the final result of proactive security methodologies, married with standard risk analysis methodologies (CRAMM, etc.)

ETHICAL HACKING – THE PROACTIVE SECURITY SQUARE (6/7) – YOU ARE HERE
• Level 6 in the Security Testing Quality standards
• 360-degree verification attacks, aimed at specific assets, services or infrastructures
• It requires FULL OPERATING AUTHORIZATION + “Free to Jail” (special options at point #3)
• It is executed using unified actions of:
  1. Penetration Testing (IP, xSDN, X.25/X.121, SAT, WiFi, Web Applications, …)
  2. Phreaking
  3. Social Engineering, Physical Intrusion, Trashing
  4. Reverse Engineering
  5. Black Box Penetration Testing

CERTIFIED POSTURE SECURITY ASSESSMENT – THE PROACTIVE SECURITY SQUARE (7/7) – YOU ARE HERE
• Top level (7th) in the Security Testing Quality standard
• Repeated verification and matching actions (follow-up), executed in a time-frame defined and agreed with the client
• The analyses are based on initial knowledge factors (expressed in the vulnerability analysis generated from the previous testing actions) and they are executed in full respect of the OSSTMM methodology (repeat and compare is possible, saving time & money!) and of its RAVs – Risk Assessment Values
• The final report is manually generated by the Tiger Team, it’s in the client’s language and it is compliant with international guidelines and standards, such as ISO/BSI, GAO, FISCAM
• The Security Report is OSSTMM Certified

PROACTIVE SECURITY & SAT SECURITY [ the dangerous relationships ]

THE PROBLEM
• The main telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos.
• Telecommunications operators have a very poor understanding of security issues. Based on 5 years of penetration testing experience, TLC operators are the most vulnerable of all industry groups.
• Sophisticated hackers have an increased interest in telco security, communications and VAS hacking.
• In the SAT environment the facts are even worse: no one ever cared about Proactive Security. Content resale (movies, shows, sitcoms, etc.) is moving to H.323 and other IP-based protocols.

THE VENDORS
• Some vendors have decided to take an active stance on security (e.g. Nokia on GPRS, @Stake security advisories); however, such initiatives are isolated and do not address most TLC security problems.
• Most vendors sell antiquated software full of bugs, running old and unpatched versions of operating systems and daemons. Operators cannot fix the identified security weaknesses because it would void their warranty.
• In recent years, vendors discovered Linux as a good operating system for embedded applications: the security aspects are usually “forgotten”.
• The result of this “head in the sand” approach is an increase in the threat: critical infrastructures are at risk.

THE TLC OPERATORS
• Operators rely on vendors for secure solutions.
• Operators are primarily focused on network operations, software upgrades, network performance and other time-consuming routine tasks.
• Operators lack in-house expertise on TLC and hacking security.
• Operators are usually divided between the IT and Engineering departments, creating two separate security domains.
• Most operators’ networks are open to hackers.

THE PARADIGM
• Two different worlds, IT and Engineering
• Very different priorities

SOME NUMBERS
• Based on a 5-year study encompassing 21 network operators:
  100% could be hacked from the Internet
  90% could be hacked through PSTN, X.25 or ISDN
  72% had a security incident in the last 2 years
  23% had appropriate perimeter security controls
  0% had all their mission-critical hosts secured
  0% had comprehensive database security in place
  0% had integrity measures protecting billing data

THE ENEMY
SAT fraud is still an attractive target:
• Cloning smart cards.
• Bypassing tolls, getting services without fees, setting up premium subscriptions, etc. (web hacking, operator hacking).
• Privacy invasions: interception of call-related data (e.g. contents, signalling data, billing data) via device or Internet hacking.
• Unauthorized access: illegal access to the broadcasting center and IT back-office.
Recently one underground group announced it was reverse engineering Nokia software. Groups of sophisticated hackers are working on abusing many sat decoders running on embedded Linux. A US-based research group is working on a “secure decoder”.

THE COMPETITION
• Traditional security shops: no knowledge of TLC-specific issues, poor understanding of security procedures.
• Traditional TLC consultancies: very poor knowledge of security issues.
• “Big 5” audit firms: focused on policies, no real expertise (they outsource their jobs to people like us).
• In-house resources: very dangerous. Internal fraud overlooked. Interdepartmental ego problems. Good security and bad security look the same.

DOING NOTHING…
• … with your sat and TLC infrastructures today is like doing nothing with your Internet hosts in the ’90s.
• It is an invitation for upcoming disasters.
TYPICAL SECURITY ISSUES
INTERNET LINK:
• Firewalls not updated/managed
• Lack of security policies
• Errors in the secure network design (DMZ, direct access to internal hosts, “bridge” systems not in a secured area)
PSTN/ISDN LINKS:
• Unattended access gateways (RAS, ISDN backup on routers, …)
• Missing hardening on RAS devices
• Default passwords
• Same phone numbers both for end-users (Pay-TV via xSTN) and IT management
SAT LINK:
• Insecure SAT devices (SAT IP routers)
• Missing hardening on SAT devices
• Internal exploitation, interception of passing data

END-USER APPLICATIONS & ASSETS
• FINANCE ENVIRONMENT: stock-exchange data download
• PRESS ENVIRONMENT: news from the agencies
• TLC ENVIRONMENT: Internet connectivity
ASSETS:
• Smart Card / JAVA Card – clonable, breakable, reversible
• Sat Decoder (STB) – easy to crash, RS-232 console
• Sat Router – we’ll discuss this later ☺
• Centre of Broadcasting – hackable
• Dealers – the weakest part of the chain

A THEORETICAL CASE STUDY: CoB ATTACK
[Diagram: attack on the Centre of Broadcasting, with LAN 1 and LAN 2 each reached through a SIT]

A THEORETICAL CASE STUDY: CONTACT POINTS
When talking about IT Security, we must NOT forget that attackers don’t use “just the Internet”:
• Process Security
• Physical Security
• Information Security
• Communications Security
• Internet Security
• Wireless Security

A THEORETICAL CASE STUDY: INTERNET PRESENCE
[Diagram: ADMIN, INTRANET, ISP, NEWS, DMZ, NSI, SATELLITE OFFICE, MOBILE OFFICE]
Blue is considered under control. Red is in 3rd-party control. Yellow is 3rd party where some control can be maintained.

A THEORETICAL CASE STUDY: ATTACK POINTS
[Diagram: ADMIN, INTRANET, ISP, NEWS, DMZ, INTERNIC, SATELLITE OFFICE, MOBILE OFFICE]
Note the traditional defense points. Note what a hacker can attack to cause damage.

LET’S PLAY IT AS A “MOBILE TELCO”…
[Diagram: GSM architecture and GSM operations of a mobile operator. Blocks shown: billing system & golden database (customer and service administration, tariffing, SIM and number management, provisioning, call data collection, rating and billing, payment collection); mediation system (collection and normalisation of call data); CRM tool, credit check and ID/address validation, bad debt database / blacklist, fraud; bank interfaces, card payments & authorisation, e-wallet, TAP clearing house, external billing for content supply; network elements (AuC, HLR, MSC, SGSN, GGSN, IN platform, WAP, SMSC, VMS, SMC); service activation gateway and billing gateway; SAP (sales support, logistics, finance, HR, materials), SIM manufacturer, dealers, shops and retail outlets, POS activation, data warehouse; call centre (ACD, IVR, predictive dialler, case-based reasoning, knowledge system); GIS (site, dealer and coverage info) and radio planning tool.]

ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
B.B. = BLACK BOX MODE when testing the security of a device
What we tested:
• Broadlogic Satellite Express XLT* (DVB to Multicast Router)
• SatLynx BBI Astra
• ViaSat LinkStar (ComSat Laboratories)
* Now become SkyStream EMR 5000 “Edge Media Router”

ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
1) LACK of security in default accounts
Web Management Interface:
• Username: webadmin / Password: webadmin
Telnet Management Interface:
• Username: admin / Password: admin
• Username: installer / Password: installer
System users (MD5 hashes):
• root:$1$t.TUJSEP$zZHajMrk7z.OQeRarFWkn1
• bsupport:$1$tAVIaSbI$0rvfQEs85kNelM/EoWD2R.

ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
2) Insecure and badly written web applications (CGIs, etc.)
Very common (and known) secure programming issues have been found on all the tested devices.
ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
3) Proven possibilities to abuse the device by launching attacks against other hosts (extracts from the original report follow…)
The device we tested has a problem in its TCP/IP stack: the IP ID field of its packets is incremental, so a hypothetical attacker can use the system as a “bridge” to launch port scans (zombie scan). This operation can be performed even without direct access to the system. A practical example is shown below: in this case, if an IDS or a port-scan detection system had been present on the network, the source address would not have been the attacker’s but the router XXXXX’s (with the obvious legal consequences, also under current Italian legislation). Further information on this vulnerability is available at: http://www.insecure.org/nmap/idlescan.html

ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
We now proceed to a practical demonstration of the above, launching a port scan against the IP 10.200.8.12, indicating 10.200.8.7 (router XXXXXX under “ZombieScan”) as the source IP.

root@Slap[~]: nmap -sI 10.200.8.7 -p 1,12,22,80,443,21 10.200.8.12
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-08 11:18 CEST
Idlescan using zombie 10.200.8.7 (10.200.8.7:80); Class: Incremental
Interesting ports on 10.200.8.12:
(The 3 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
443/tcp    open        https
Nmap run completed -- 1 IP address (1 host up) scanned in 3.597 seconds
root@Slap[~]:

ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
4) “Default” SNMP communities (public, private)
Some of the tested devices had SNMP capabilities. In all cases, the communities used by SNMP were the “default” ones.
(extract from the final reports)
“In general on all the tested SITs it is possible to gain access to a number of system information items, but on one particular SIT it was possible to use the default SNMP community (which cannot be modified) to gain access to detailed system information, such as the satellite coordinates.”

ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
5) TELNET access with NULL password (!)
In another black-box test, we found a device with TELNET open and without a management password… this is really sad.

ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
root@Slap[]: telnet 10.200.8.1
Trying 10.200.8.1...
Connected to 10.200.8.1.
Escape character is '^]'.
Password:
Logged in as root
help
? help version alias unalias delay script doscript setprompt repeat systat mcbstat mcbprt memstat syscnt pbconf sysconf niprt util plog ptime echo msgtrace nochkdest chkdest putuseconput conolog time date sendtime uptime bc bread read lread bwrite write lwrite bcopy bcmp memtest hwreset reboot setprad restart kill setqsize poll initp resetp devstart devstop attach unattach prtstat show clrstat config prtconfig enable disable setloop clrloop settrace prtcache reseticache passwd rloginauth whoami login logout rlogout exit nvram_fstat nvram_parms nvram_init nvram_open nvram_read nvram_create nvram_write nvram_close nvram_copy nvram_lseek mdbselect mdbfiletype mdbread mdbwrite mdbdatavalid dblist dbprint dbprintdef dbsetvalue dbsetfield dbadd dbdelete dbdeleteall ksetprint ethnrtsho ethprtsho ethnrtadd ethprtadd ethsetprom ethclrprom ethtest ethenabcast ethdisbcast ethsetloop ethclrloop setipaddr proxytcpstatus arpadd arpdelete arpproxyadd arpproxydel arpproxylist ping riproutes disproutecb addsroute showtree showextnodes stressroute rtprt nhtprt hrtprt rtlook hrtlook mrtprt addmroute delmroute savebootparms switchbb bbrcvrinfo setdbready kdbpr

R&D RESULTS: WHAT HAS BEEN LEARNT
(Extract from the main Italian reports)
The tests carried out revealed serious security problems in the satellite devices, both at the design and at the implementation level. Further vulnerabilities are also conceivable, detectable through more in-depth specific analyses. The set of vulnerabilities found can lead to the following kinds of abuse and fraud:
• Use of the target device as a bridge system for attacks against third parties, with the resulting legal liability (civil and criminal);
• Use of the target device as a “Zombie Scan” against third parties, with the resulting legal liability (civil and criminal);
• Abuse and economic fraud in the case of a traffic-metered connection to the Internet;
• Interception of all IP traffic to and from the satellite link;
• Redirection of IP traffic to and from the satellite link;
• DoS, denial of service;
• Isolation of the satellite Internet connection;
• Reconfiguration of services;
• Installation of data-interception tools on the LAN segments where the device is attached.

R&D RESULTS: SOME TIPS
(Extract from the main Italian reports)
We consider it possible, and recommend to the manufacturers, that independent third-party companies write technical White Papers, Security and Hardening Policies, and Configuration & Installation Security Guidelines for the devices under analysis, in order to prevent vulnerabilities and security exposures with a particularly heavy impact on end users. We conclude by stressing the need for security testing also on the side of the satellite (IP) connections, in order to verify the possibility of abuse by remote attackers coming from the public Internet.
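Two defender-side checks for the idle (zombie) scan exposure described in finding 3 above, as an added example that is not part of the original talk or of the @ Mediaservice.net reports: a classifier for the IP ID sequence a device emits (the property nmap reports as “Class: Incremental”) and a detector for SYN/ACK segments the device receives without ever having sent a SYN, which is the trace an idle scan leaves on the zombie itself. The packet records are constructed sample data, the function names and the step threshold are my own assumptions, and the addresses reuse the 10.200.8.x values from the demonstration above.

```python
"""Defender-side checks for the idle-scan ("zombie scan") exposure.

Added example, not code from the original talk. Packet records are constructed
sample data; classify_ipid, unsolicited_synacks and audit are assumed names.
The addresses reuse the 10.200.8.x values from the report's demonstration.
"""
from collections import namedtuple

# One captured packet: time, IPv4 addresses, TCP ports, TCP flags, IP ID field.
Pkt = namedtuple("Pkt", "ts src dst sport dport flags ipid")

ROUTER = "10.200.8.7"    # the satellite router used as zombie in the report
TARGET = "10.200.8.12"   # the host that was idle-scanned through it


def classify_ipid(ids, max_step=10):
    """Classify the IP ID values one sender put on consecutive packets.

    'incremental' : each ID exceeds the previous by a small step (16-bit wrap
                    allowed). A global counter like this lets a third party
                    count the packets the device sends, i.e. use it as a zombie.
    'constant'    : every ID identical (e.g. always 0): nothing to measure.
    'random'      : anything else: not usable for idle scanning.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to classify")
    if len(set(ids)) == 1:
        return "constant"
    for prev, cur in zip(ids, ids[1:]):
        step = (cur - prev) % 65536
        if step == 0 or step > max_step:
            return "random"
    return "incremental"


def unsolicited_synacks(pkts, host):
    """Return SYN/ACK segments delivered to `host` that answer no SYN it sent.

    In an idle scan the scanned target replies SYN/ACK to the spoofed zombie
    address for every open port, and the zombie answers RST. A burst of such
    unsolicited SYN/ACKs from one source is the detection signal on the zombie
    side, where a conventional IDS would only see the zombie as the scanner.
    """
    sent_syn = set()          # (peer, peer_port, our_port) for SYNs host sent
    hits = []
    for p in pkts:
        if p.src == host and p.flags == "S":
            sent_syn.add((p.dst, p.dport, p.sport))
        elif p.dst == host and p.flags == "SA":
            if (p.src, p.sport, p.dport) not in sent_syn:
                hits.append(p)
    return hits


def audit(pkts, host):
    """Combine both checks for one device into a small findings dict."""
    own_ids = [p.ipid for p in pkts if p.src == host]
    ipid_class = classify_ipid(own_ids)
    hits = unsolicited_synacks(pkts, host)
    return {
        "ipid_class": ipid_class,
        "zombie_capable": ipid_class == "incremental",
        "unsolicited_synack_sources": sorted({p.src for p in hits}),
        "unsolicited_synack_count": len(hits),
    }


# Constructed capture: the router's own legitimate HTTP connection, followed by
# SYN/ACKs from the target's open ports (21, 80, 443) that the router never
# asked for; the router answers each with a RST, bumping its IP ID by one.
SAMPLE_CAPTURE = [
    Pkt(1.00, ROUTER, "10.200.8.1", 40001, 80, "S", 4101),
    Pkt(1.01, "10.200.8.1", ROUTER, 80, 40001, "SA", 777),
    Pkt(1.02, ROUTER, "10.200.8.1", 40001, 80, "A", 4102),
    Pkt(2.00, TARGET, ROUTER, 21, 80, "SA", 9001),
    Pkt(2.01, ROUTER, TARGET, 80, 21, "R", 4103),
    Pkt(2.10, TARGET, ROUTER, 80, 80, "SA", 9002),
    Pkt(2.11, ROUTER, TARGET, 80, 80, "R", 4104),
    Pkt(2.20, TARGET, ROUTER, 443, 80, "SA", 9003),
    Pkt(2.21, ROUTER, TARGET, 80, 443, "R", 4105),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CAPTURE, ROUTER).items():
        print(f"{key}: {value}")
```

Run `audit` over a capture of the router's own traffic: an “incremental” result means the fix has to come from the vendor (randomised IP IDs), and the interim controls are anti-spoofing filters on the satellite and LAN segments plus an alert on bursts of unsolicited SYN/ACKs toward the router.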
QUESTIONS & ANSWERS

CONTACTS
UNCONVENTIONAL TECHNOLOGIES FOR THE CORPORATE SECURITY & IMAGE
Raoul Chiesa, Chief Technical Officer @ Mediaservice.net (OPST, OPSA)
Mail Contacts
[email protected] (General Enquiries)
[email protected] (Security Enquiries)
[email protected] (Personal Enquiries)
Web Contacts
http://www.mediaservice.net/
http://osstmm.mediaservice.net/
http://www.TSTF.net/
http://www.isecom.org/