©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice 1 Stefan Schmid – Manager Central.

1 HP TippingPoint & Omicron AG – From a single source: IT security from HP
Stefan Schmid – Manager Central & Eastern Europe & Middle East & North Africa
Marcel Rölli – Sales Manager CH/A
Josef Meier – Solution Architect D/A/CH

2 Agenda
- Analysis of the RSA hack
- Current attack methods in detail
- Live demo: Aurora drive-by hack
- Q&A

3 Analysis of the RSA hack

4 Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat (CVE )
By: Will Gragido (Sr. Product Line Manager, DVLabs)
On March 14, 2011 Adobe Systems Incorporated released a notification related to the existence of a critical vulnerability in its Adobe Flash Player. The vulnerability in question also had certain implications on other, earlier versions of the tool. A complete list of the versions of the Adobe tool and corresponding operating systems affected can be seen below:
- Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player and earlier for Chrome users
- Adobe Flash Player and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems
The resultant condition associated with this vulnerability (CVE ) may result in application / system crashes or allow an attacker to seize control of an affected system. Reports of this vulnerability having been exploited in the wild have been noted as part of targeted attacks via a Flash (.swf) file embedded within a Microsoft Excel (.xls) file that is delivered to its target as an attachment.
While the team at Adobe Systems Incorporated works to finalize its fix for this vulnerability, we wanted to ensure that our customer base was aware that HP DVLabs is working on a filter to address it. Our intent is to release the filter Thursday, March 17, 2011, barring unforeseen quality assurance (QA) issues. We encourage you to continue visiting this blog for information regarding this vulnerability and filter. We encourage you to monitor the following blog for the latest on Adobe Systems Incorporated vulnerability information.
Filter: 'SMTP: Malicious Adobe Shockwave Flash Player File Download'

5 The RSA attack (Internet / LAN)
1. Intruder prepares a malicious Excel document
2. Intruder targets a few employees (spear phishing) with the Excel attachment over a 2-day interval: "2011 Recruitment plan.xls"
3. Malicious e-mail delivered (but blocked by local SPAM filters)
4. User notices it in the SPAM folder and opens the Excel file...
5. Adobe Flash zero-day exploit in the .XLS installs the Poison Ivy back door
6. Intruder now observes user role, privileges & keystrokes; gets domain admin access
7. Intruder now uses domain access to reach sensitive servers & exfiltrate the database
8. Intruder now has SecurID information: OWNED

6 The RSA attack: What happened? Potential consequences?
– RSA open letter: "Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA."
– Coviello (CEO) went on to say it "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
– "One possibility," said Whitfield Diffie, a computer security specialist who was an inventor of cryptographic systems now widely used in electronic commerce, "is that a master key, a large secret number used as part of the encryption algorithm, might have been stolen."
RSA replaces up to 40 million SecurID tokens after the hack! Source: http://www.heise.de, dated
TippingPoint customers have been protected since !

7 Current attack methods in detail
- SQL injection
- PHP code injection
- HTTP shell command exec
- Aurora exploit

8 SQL Injection – Example
Course of the attack: The attacker enters database commands (SQL) via input fields of a web application. (Internet / DMZ / WWW and database server, TCP 80 open!)
Impact without IPS: The attacker obtains sensitive company data, or data is manipulated unnoticed. The following information could be altered:
- Website content – example: LizaMoon attack
- Prices
- Users (passwords)
- Delivery times
- Etc.

9 SQL Injection – Example
1' UNION ALL SELECT user, password FROM mysql.user; -- priv;#'
TippingPoint customers are currently protected by 163 SQL injection filters.
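The payload on the slide only works because the application pastes the request parameter into the SQL text. The Python script below is an added example, not part of the presentation and not TippingPoint's filter logic: it loads a constructed in-memory SQLite database (the tables `products` and `accounts` are assumptions standing in for the shop's data and for `mysql.user`), shows the concatenated query returning rows from a table the request never named, shows the same input bound as a parameter returning nothing, and adds a crude signature check of the kind an IPS filter applies as a second layer.

```python
import re
import sqlite3

# Constructed sample data: a product table the page is meant to query and a
# credential table the request should never be able to reach.
_SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE accounts (user TEXT, password TEXT);
INSERT INTO products VALUES (1, 'Router', 99.0), (2, 'Switch', 149.0);
INSERT INTO accounts VALUES ('admin', 'hash-of-admin-pw'),
                            ('alice', 'hash-of-alice-pw');
"""


def make_db() -> sqlite3.Connection:
    """Return a fresh in-memory database loaded with the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """VULNERABLE: the request parameter becomes part of the SQL text.

    A quote in the input closes the literal, and everything after it is
    parsed as SQL, which is exactly what the slide's UNION payload relies on.
    """
    sql = "SELECT name, price FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, product_id: str) -> list:
    """HARDENED: the parameter is bound as a value, never parsed as SQL.

    The same payload is compared against the id column as one opaque string
    and simply matches nothing.
    """
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


# Crude signature in the spirit of an IPS filter: a quote followed by a SQL
# keyword, or a comment marker that would truncate the rest of the statement.
_SQLI_SIGNATURE = re.compile(
    r"'\s*(union|select|or|and)\b|--|/\*|;\s*#", re.IGNORECASE
)


def looks_like_sqli(value: str) -> bool:
    """Signature check for a request parameter (defence in depth only)."""
    return _SQLI_SIGNATURE.search(value) is not None


def demo() -> dict:
    """Run both lookups against the same injected input and return results."""
    conn = make_db()
    # Same technique as the slide's payload, pointed at the constructed
    # accounts table instead of mysql.user; the trailing comment swallows
    # the closing quote the application appends.
    payload = "1' UNION ALL SELECT user, password FROM accounts -- "
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "parameterized": lookup_parameterized(conn, payload),
        "flagged": looks_like_sqli(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized query is the actual fix: the database driver sends the value separately from the statement, so no input can change the statement's shape. The signature check is what a network filter can do without seeing the application code; it catches the common shapes but has both false positives (a legitimate `--` in free text) and false negatives (encoding tricks), which is why it belongs in front of, not instead of, parameterization.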

10 PHP Code Injection – Example
Course of the attack: The attacker tries to inject executable source code (PHP) into the server system via input fields of a web application. (Internet / DMZ / web server, TCP 80 open!)
Impact without IPS: The attacker obtains sensitive company data, or data is manipulated unnoticed. Further possible consequences:
- Loss of administrative control (use as bot client or P2P server)
- Manipulation of the server configuration
- Loss/manipulation of data
TippingPoint customers are protected by vulnerability filters.

11 HTTP Shell Command Exec – Example
Course of the attack: The attacker tries to issue commands to the operating system via HTTP requests. (Internet / DMZ / web server, TCP 80 open!)
Impact without IPS: The attacker obtains sensitive company data, or data is manipulated unnoticed. Further possible consequences:
- Loss of administrative control (use as bot client or P2P server)
- Manipulation of the server configuration
- Loss/manipulation of confidential data

12 Example – command execution
; cat /etc/passwd & cat /etc/shadow
TippingPoint customers are protected by vulnerability filters.
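The slide's payload depends on a request parameter being handed to a shell, where `;` and `&` separate commands. The Python script below is an added example for slides 11 and 12, not part of the presentation and not TippingPoint's filter logic: a minimal "serve a report file" handler in its vulnerable and hardened forms, run against a constructed temporary directory (the file name `q1.txt`, the directory and the injected `echo` are all constructed), plus a metacharacter check of the kind an IPS filter applies on the request. It assumes a POSIX system with `/bin/sh` and `cat`.

```python
import os
import re
import subprocess
import tempfile

# Constructed sandbox standing in for the web server's report directory,
# with one legitimate file the handler is meant to serve.
REPORT_DIR = tempfile.mkdtemp(prefix="reports-")
with open(os.path.join(REPORT_DIR, "q1.txt"), "w", encoding="utf-8") as _fh:
    _fh.write("Q1 report\n")


def read_report_vulnerable(name: str) -> str:
    """VULNERABLE: the request parameter is spliced into a shell command line.

    With shell=True the string goes through /bin/sh, so ';', '&', '|' and
    friends in the parameter start additional commands, which is the
    mechanism behind the slide's payload.
    """
    cmd = "cat " + os.path.join(REPORT_DIR, name)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Allow-list for the parameter: a short, plain file name ending in .txt.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}\.txt")

# Characters that let a shell start a second command or substitute output.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def looks_like_command_injection(value: str) -> bool:
    """Signature check in the spirit of an IPS filter (defence in depth)."""
    return _SHELL_META.search(value) is not None


def read_report_hardened(name: str) -> str:
    """HARDENED: validate, confine to REPORT_DIR, and never invoke a shell."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("report name rejected by allow-list")
    base = os.path.realpath(REPORT_DIR)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise ValueError("report path escapes the report directory")
    # Argument list, no shell: metacharacters in `path` are just bytes of a
    # file name, and a missing file raises CalledProcessError instead of
    # silently returning an empty string.
    result = subprocess.run(
        ["cat", path], capture_output=True, text=True, check=True
    )
    return result.stdout


def hardened_rejects(name: str) -> bool:
    """True if the hardened handler refuses the given parameter."""
    try:
        read_report_hardened(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Harmless stand-in for the slide's payload: the injected command only echoes.
    injected = "q1.txt; echo INJECTED"
    print("vulnerable handler output:", repr(read_report_vulnerable(injected)))
    print("hardened handler rejects it:", hardened_rejects(injected))
    print("hardened handler serves q1.txt:", repr(read_report_hardened("q1.txt")))
```

Three things make the hardened handler safe, and each one alone is not enough: the allow-list stops anything that is not a plain file name, the `realpath` comparison stops `..` traversal even if the allow-list is later relaxed, and the argument-list call means there is no shell to interpret metacharacters in the first place. The metacharacter check models what a filter in front of the server can see; it flags the slide's payload but, like the SQL signature, only complements the fix in the application.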

13 Live Demo: Aurora. Don't be scared!
