Positive-Research-2016-Eng.Pdf
Total Page:16
File Type:pdf, Size:1020Kb
03 05 07 09 11 13 15 CONTENTS 17 19 21 23 Editorial Note. Insecure Security and the Key Trends of 2016 ..............................................................................2 25 27 TOP 15 Leaks of 2015 .....................................................................................................................................................................3 29 Vulnerabilities in Corporate Information Systems in 2015: Worse than Expected ...................................6 31 33 Network Perimeter Life in Pictures .....................................................................................................................................10 35 Intelligent Transport Systems ................................................................................................................................................16 37 39 Cybersecurity at Sea ....................................................................................................................................................................19 41 Web Application Vulnerabilities in 2015 .........................................................................................................................23 43 45 Web Application Firewalls: Ways to Protect Your Site .............................................................................................27 47 Financial Sector: Key Vulnerabilities in 2015 .................................................................................................................31 49 51 Developing Secure Online Banking Apps: Identifying Key Challenges and Opportunities ...........35 Lost keys: following SSH ...........................................................................................................................................................38 Detect Generated Domain Names using Machine Learning Techniques .................................................42 Attacking SS7: Mobile Operators Security Analysis in 2015 ................................................................................44 How to build Big Brother: Critical Vulnerabilities in 3G/4G Modems ..............................................................47 HackerSIM: Blamestorming .....................................................................................................................................................52 1 The 4G Modem: Deciphering Updates ............................................................................................................................57 Spoofing and Intercepting SIM Commands Through STK Framework (Android 5.1 and Earlier) (CVE-2015-3843) .....................................................................................................................60 Probes Launched to Spy on Drones: Sensation or Legitimate Threat? ........................................................64 Antivirus Vulnerabilities Review Q1 2016 .......................................................................................................................66 53 How to Hack PayPal in 73 seconds .....................................................................................................................................68 55 From Telemetry to Open Source: an Overview of Windows 10 Source Tree ............................................69 57 59 Rules for IDS/IPS Suricata: Helpful Additions but a Losing Battle ...................................................................72 61 Vulnerability Assessment According to CVSS 3.0 ......................................................................................................74 63 65 Password Procedures: Experts Advise on How to Protect Your Account....................................................80 67 The MiTM Mobile Contest: GSM Network Down at PHDays V ..........................................................................82 69 71 Digital Substation Takeover: Contest Overview .........................................................................................................86 73 Hacking Internet Banking at PHDays V ............................................................................................................................87 75 77 Best Reverser Write-Up: Analyzing Uncommon Firmware ..................................................................................88 79 WAF Bypass at Positive Hack Days V ..................................................................................................................................91 81 83 Competitive Intelligence Contest at PHDays V ...........................................................................................................93 85 Children’s Day at Positive Technologies: Hacker-Style New Year Party ...................................................... 100 87 89 About Positive Technologies ............................................................................................................................................... 102 91 93 95 97 99 101 103 // EDITORIAL POSITIVE RESEARCH 2016 02 04 EDITORIAL NOTE 06 08 10 Insecure Security and 12 14 16 the Key Trends of 2016 18 20 22 When you read cybersecurity news, these thoughts probably we noticed that industrial security hasn't yet evolved to meet IS 24 crossed your mind: how do they estimate efficiency of security standards. The ICS protection relies on outdated threat models 26 tools or damage caused by hacker attacks? Honestly, we often that don't take into account the increased influence of comput- 28 doubt these things too. This is what security is all about — con- er components. Many digital ICS vulnerabilities that our experts 30 stantly facing the unknown. Each year Positive Technologies detected could cause serious incidents, even though the systems 32 specialists conduct hundreds of studies analyzing security of examined often meet the requirements of industrial security. On 34 networks, devices, and applications as real hackers would do. the other hand, common IS approaches cannot be fully applica- 36 Security monitoring and research bring many discoveries. You ble to industrial operations due to different protocols, weather 38 may find modern tendencies in information security in our annu- conditions, etc. However, our experience in cooperation with the 40 al publication titled “Positive Research”. Russian Railways company indicates that there can be a positive 42 outcome, where a new discipline called ICS security may be born 1. APT trend. Targeted cyberattacks are not new, but this 44 (p. 18). 46 year they marked a steep increase in number and effectiveness. 48 However, according to our experts, the majority of cyberat- 5. Full metal trojan. While news about software backdoors is 50 tacks in 2016 were not technically advanced — exploitation of not a surprise anymore, hardware backdoors are on the cusp of unknown vulnerabilities (0-days) took place in less than 20% of realization (p. 69). Hardware backdoors like undocumented com- the cases. Attackers prefer well-known exploits that require min- mands in microprocessors may be built into any hardware. In the imum effort (p. 6, 10). future, a whole new generation of “evil” devices will emerge — with useful functionality but designed to meet adversaries' goals. Targeted threats have become more complex. For example, ad- The existence of a huge amount of cheap gadgets with next versaries may hack victim's partners first or use the results of a to no security like home routers, USB modems, and web cams, mass attack to conduct a targeted one, usually to steal personal doesn't help the matter either. data (p. 3). 2 6. Security tools as a threat. Numerous studies are dedi- 2. Web boom. In the past, attacks on large companies were cated to vulnerabilities in antiviruses and other security tools. conducted through workstations (attacks on browsers or virus Security systems now present a threat as many of them have es- spam). But the last year 30% of the attacks targeted corporate re- calated privileges (antiviruses, scanners, SIEM) or manage major sources including web services. In many cases, the web provides data flows (IDS/IPS, WAF). There are well known cases of hack- direct access to corporate infrastructure and confidential data. At ing public services for dynamic files analysis (aka “sandboxes”). the same time, for the last three years the percentage of web ap- Experts recommend improving antiviruses and firewalls (p. 27 plications where critical vulnerabilities are detected has increased and 66), but the entire trend fuels concerns as no protection to 70% (p. 23). 52 tool once installed can guarantee security. Modern security is a 54 Online financial services are representative of this trend. The collection of processes, including incident monitoring and inves- 56 amount of fraud around online payments is growing and the tigation, attack detection, and threat related data exchange. We 58 security level of banking applications is still quite low. 90% of can predict further developments of SOCs and cloud solutions 60 OLB systems suffer from critical vulnerabilities, most of which are dedicated to IS data processing. The first attempt at this type of 62 caused by authorization procedure flaws (p. 31). Banks rarely fully complex approach on the government's level is the creation of 64 understand the level of their exposure to outsider attacks. Our the Russian State System of Cyberattack Detection, Prevention, 66 experts discovered 80 ATMs seen from the internet on the perim- and Elimination. This may kickstart