BLACK HAT USA conference. Get Rich or Die: Making Money Online Using Black Hat Methods. Part 1

Moderator: Ladies and gentlemen, this talk is very funny and very interesting. Today we are going to talk about real things that are being seen on the Internet. This talk is a little different from what we are used to at Black Hat, because we are going to be talking about how attackers make money from their attacks.

We'll show you some interesting attacks that could be profitable, and tell you about the ones that have actually taken place. The idea came up one night when we went through some Jägermeister and brainstormed. It was fun, but when we sobered up a bit, we talked to SEO people and found out that a lot of people really are making money from these attacks.

I'm just a brainless middle manager, so I'm giving up my seat and want to introduce Jeremiah and Trey, who are much smarter than me. I should have had a smart and funny introduction, but I don't, so I'll show these slides instead.

Slides with the speakers' bios are shown on the screen:
Jeremiah Grossman is the founder and CTO of WhiteHat Security, named one of InfoWorld's Top 25 CTOs of 2007, co-founder of the Web Application Security Consortium, and co-author of the book "XSS Attacks".

Trey Ford is Director of Solutions Architecture at WhiteHat Security, with six years of experience as a security consultant for Fortune 500 companies, and one of the developers of the PCI DSS payment card data security standard.

I think these pictures make up for my lack of humor. In any case, I hope you enjoy their presentation; afterwards you will understand how these attacks are used on the Internet to make money.

Jeremiah Grossman: Good afternoon, thank you all for coming. This is going to be a very fun talk, although you won't see a zero-day or cool new technology. We're just trying to be entertaining about the real things that happen every day that let the bad guys make a lot of money.


We're not trying to impress you with what's on this slide, but simply to explain what our company does. So, WhiteHat Sentinel is:

  • unlimited assessments: control and expert management of client sites, the ability to scan sites regardless of their size and how often they change;
  • wide coverage: authorized scanning of sites to detect technical vulnerabilities, plus manual testing to identify logical flaws in areas of the business that scanning does not reach;
  • elimination of false positives: our operations team reviews the results and assigns the appropriate severity and threat rating;
  • development and quality control: the WhiteHat Satellite Appliance lets us remotely service customer systems through access to the internal network;
  • continuous improvement: realistic scanning lets you update the system quickly and efficiently.

So, we audit any site in the world, we have the largest team of web application penetration testers, we perform 600-700 assessments every week, and all the data you will see in this presentation comes from our experience doing this kind of work.
On the next slide you see the 10 most common types of attacks on sites worldwide. It shows the percentage of sites vulnerable to each class of attack. As you can see, 65% of all sites are vulnerable to cross-site scripting, 40% leak information, and 23% are vulnerable to content spoofing. Besides cross-site scripting, SQL injection is common, as is the notorious cross-site request forgery, which did not make it into our top ten. But this list also contains attacks with esoteric names, which are described in vague terms and whose specificity lies in the fact that they are directed against particular companies.


These are authentication flaws, authorization flaws, information leaks, and so on.

The next slide is about attacks on business logic. QA teams usually ignore them: they test what the software is supposed to do, not what it can do, and in that gap you can see anything. Scanners, all those white/black/grey boxes, all those multi-coloured boxes, fail to detect these things in most cases, because they are fixated on what an attack can look like, or what it looks like when it happens. They have no intelligence and don't know whether anything actually worked or not.

The same goes for IDSs and WAFs, which also fail to detect business logic flaws, because the HTTP requests look perfectly normal. We will show you that attacks on business logic flaws look quite natural: no hacks, no metacharacters or other oddities, they look like regular business processes. The bottom line is that the bad guys love this kind of stuff, because business logic flaws make them money. They use XSS, SQL injection, CSRF, but those types of attacks are getting harder and harder, and we've seen fewer of them over the past 3-5 years. They won't disappear on their own, just as buffer overflows won't go anywhere. But the bad guys are thinking about how to use more sophisticated attacks, because the "really bad guys" are always looking for a way to cash in on their attacks.

I want to show you some real tricks that you can take and use in the right way to protect your business. Another goal of our presentation is for you to ask questions about ethics.


Online polls and voting

So, to begin the discussion of business logic flaws, let's talk about online polls. Internet polls are the most common way to find out or influence public opinion. We'll start with scams that make $0 in profit and work up to ones worth five, six, seven figures. Let's start with a very, very simple poll. You know that every new website, every blog, every news portal runs online polls. No niche is too big or too narrow when people want to see public opinion in a specific area.

I'd like to draw your attention to one poll run in Austin, Texas. After an Austin beagle won the Westminster Dog Show, the Austin American-Statesman decided to run an online "Austin's Best in Show" poll for central Texas dog owners. Thousands of owners submitted photos and voted for their favorites. Like so many other polls, there was no prize other than the right to show off your pet.

The voting used a Web 2.0 style application. You clicked "yes" if you liked the dog, and so decided whether it was the best dog in its breed or not. In this way you voted on several hundred dogs posted on the site as candidates for the winner of the show.

With this method of voting, three types of cheating were possible. The first is multiple voting, where you vote for the same dog over and over again. Very simple. The second is negative multiple voting, where you vote a huge number of times against a competitor's dog. The third was to enter a new dog literally in the last minute of the contest and vote for it, so that the chance of it getting negative votes was minimal, and you won with 100% positive votes.


Moreover, the winner was determined by percentage, not by total number of votes; that is, you could not tell which dog had collected the most positive ratings, only the percentage of positive and negative ratings for each dog was calculated. The dog with the best positive/negative ratio won.

A friend of our colleague Robert "RSnake" Hansen asked him to help her chihuahua Tiny win the contest. You know Robert, he's from Austin. Like a super-hacker, he fired up a Burp proxy and took the path of least resistance. He used cheating technique #1, replaying the vote request through Burp a few hundred or a few thousand times, which brought the dog 2000 upvotes and put him in 1st place.


He then used cheating technique #2 against Tiny's competitor Chuchu. In the last minutes of the competition he submitted 450 votes against Chuchu, which further strengthened Tiny's position in 1st place by vote count, with a ratio of more than 2:1, but by percentage of positive and negative ratings Tiny still lost. On this slide you see the new face of the cybercriminal, discouraged by this outcome.


Yes, it was an interesting scenario, but I think the girlfriend didn't appreciate the performance. You just wanted to win a chihuahua contest in Austin, and there was someone out there trying to "hack" you and do the same. Well, now I'll hand over to Trey.
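The poll mechanics described above, modelled as an added example: this is editor-supplied code, not code from the talk or from WhiteHat, and the dog names, the vote counts, the `NaivePoll` and `HardenedPoll` classes and the 25-vote threshold are all constructed for illustration. The naive poll counts every request it receives and ranks by positive percentage, so replaying one captured vote (cheats #1 and #2) and a last-minute entry with a single upvote (cheat #3) both work. The hardened version ties each vote to a server-established voter identity and ranks by a Wilson score lower bound with a minimum vote count, so a 1-for-1 newcomer cannot sit at 100% above an entry with hundreds of votes.

```python
"""Toy model of an up/down poll ranked by positive percentage, with the three
cheats from the dog-show story and one hardened variant.  Added example; not
code from the talk.  Entry names and vote counts are constructed."""
import math
from collections import defaultdict


class NaivePoll:
    """Accepts every vote it is sent and ranks entries by positive percentage,
    as the contest did.  Nothing ties a vote to a voter."""

    def __init__(self):
        self.up = defaultdict(int)
        self.down = defaultdict(int)

    def vote(self, entry, positive, voter=None):
        (self.up if positive else self.down)[entry] += 1
        return True

    def entries(self):
        return set(self.up) | set(self.down)

    def score(self, entry):
        total = self.up[entry] + self.down[entry]
        return self.up[entry] / total if total else 0.0

    def ranking(self):
        return sorted(self.entries(), key=self.score, reverse=True)


def replay(poll, entry, positive, times, voter):
    """Cheats #1 and #2: resend the same vote request N times, which is what
    replaying a captured request through an intercepting proxy does.
    Returns how many of the replays the poll accepted."""
    return sum(poll.vote(entry, positive, voter) for _ in range(times))


class HardenedPoll(NaivePoll):
    """Two fixes: one vote per (voter, entry), and a Wilson-score lower bound
    with a minimum vote count, so a late entry with one upvote cannot rank
    above entries with hundreds of votes."""

    def __init__(self, min_votes=25):
        super().__init__()
        self.seen = set()
        self.min_votes = min_votes

    def vote(self, entry, positive, voter=None):
        if voter is None or (voter, entry) in self.seen:
            return False  # anonymous or repeated vote: dropped
        self.seen.add((voter, entry))
        return super().vote(entry, positive, voter)

    def score(self, entry, z=1.96):
        n = self.up[entry] + self.down[entry]
        if n < self.min_votes:
            return 0.0
        p = self.up[entry] / n
        centre = p + z * z / (2 * n)
        spread = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
        return (centre - spread) / (1 + z * z / n)


def seed_organic(poll):
    """Constructed organic votes: Chuchu 300 up / 20 down, Tiny 50 up / 10 down,
    each from a distinct voter."""
    for i in range(300):
        poll.vote("Chuchu", True, f"chuchu-fan-{i}")
    for i in range(20):
        poll.vote("Chuchu", False, f"chuchu-critic-{i}")
    for i in range(50):
        poll.vote("Tiny", True, f"tiny-fan-{i}")
    for i in range(10):
        poll.vote("Tiny", False, f"tiny-critic-{i}")


def run(poll):
    """Apply the three cheats and return (ranking, number of accepted replays)."""
    seed_organic(poll)
    accepted = replay(poll, "Tiny", True, 2000, voter="rsnake")     # cheat 1
    accepted += replay(poll, "Chuchu", False, 450, voter="rsnake")  # cheat 2
    poll.vote("Newcomer", True, "rsnake")                           # cheat 3
    return poll.ranking(), accepted


if __name__ == "__main__":
    print("naive:   ", run(NaivePoll()))
    print("hardened:", run(HardenedPoll()))
```

`run(NaivePoll())` puts the one-vote newcomer first and accepts all 2450 replayed votes; `run(HardenedPoll())` accepts only the first vote per voter per entry and ranks the newcomer last. The voter identity has to be something the server establishes (an authenticated account, or at least a server-issued token checked on every vote), because anything the client supplies can be regenerated per request just as easily as the vote itself.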

Creating artificial demand and making money on it

Trey Ford: The concept of an "artificial scarcity DoS" covers several different interesting scenarios when we buy tickets online, for example when booking a particular seat on a flight. It can apply to any kind of ticket, such as a sporting event or a concert.


To prevent repeated purchases of scarce items such as airplane seats, physical goods, usernames and so on, the application locks the object for a period of time to prevent conflicts. And here there is a vulnerability associated with the ability to reserve something in advance.

We all know about timeouts, we all know about session expiry. But this particular logical flaw lets us pick a seat on a flight and then come back to make another selection without paying anything. Surely many of you often fly on business trips; for me it's an essential part of the job. We have tested this algorithm in many places: you pick a flight, pick a seat, and only when you're ready do you enter your billing information. That is, once you've chosen a seat, it is reserved for you for a certain period, from several minutes to several hours, and during that time no one else can book it. Because of this waiting period, you have a real opportunity to reserve all the seats on the plane, simply by returning to the site and booking the seats you want.

So a variant of a DoS attack appears: automatically repeat this cycle for every seat on the plane.


We have tested this with at least two major airlines. You can find the same vulnerability in any other booking system. This is a great opportunity for those who want to resell tickets to drive up their price: speculators simply need to lock up the remaining tickets, without any risk of financial loss. You can do the same to e-commerce sites selling high-demand products like video games, game consoles, iPhones and so on. That is, this flaw in online booking and reservation systems lets an attacker make money from it or damage competitors.
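The hold-exhaustion loop described above, as an added example: this is editor-supplied code, not the talk's or any airline's, and the 30-row cabin, the 10-minute hold window, the `SeatMap` class and the per-client cap of six holds are constructed values. With no cap, one client holds every seat at no cost and re-takes them the moment they lapse; the cap is the simplest mitigation, and the note after the code says why it is not enough on its own.

```python
"""Toy seat map with time-limited, pre-payment holds.  Added example, not
code from the talk or from any booking system.  Cabin layout, hold window
and the per-client cap are constructed for illustration."""


class SeatMap:
    """A selected seat is held for `hold_seconds` before any payment.
    `max_holds_per_client=None` reproduces the flaw; a cap is one mitigation."""

    def __init__(self, seats, hold_seconds=600, max_holds_per_client=None):
        self.free = set(seats)
        self.holds = {}  # seat -> (client, expiry time)
        self.hold_seconds = hold_seconds
        self.max_holds = max_holds_per_client

    def _expire(self, now):
        """Release every hold whose window has passed."""
        for seat, (_, expires) in list(self.holds.items()):
            if expires <= now:
                del self.holds[seat]
                self.free.add(seat)

    def outstanding(self, client):
        return sum(1 for c, _ in self.holds.values() if c == client)

    def hold(self, seat, client, now):
        """Reserve `seat` for `client` without payment; False if unavailable
        or if the client is over its cap."""
        self._expire(now)
        if seat not in self.free:
            return False
        if self.max_holds is not None and self.outstanding(client) >= self.max_holds:
            return False
        self.free.remove(seat)
        self.holds[seat] = (client, now + self.hold_seconds)
        return True

    def available(self, now):
        self._expire(now)
        return sorted(self.free)


def hold_everything(seatmap, client, now):
    """The attacker loop: select every free seat, pay for none.  Returns the
    number of seats successfully held."""
    return sum(seatmap.hold(seat, client, now) for seat in seatmap.available(now))


def simulate(max_holds_per_client=None):
    """One attacker sweeps at t=0 and again as the holds lapse at t=600; a
    genuine buyer looks for a seat at t=300 and again at t=700."""
    seats = [f"{row}{col}" for row in range(1, 31) for col in "ABCDEF"]  # 180 seats
    sm = SeatMap(seats, hold_seconds=600, max_holds_per_client=max_holds_per_client)
    attacker = "attacker-session"
    first_sweep = hold_everything(sm, attacker, now=0)
    buyer_sees = len(sm.available(now=300))
    hold_everything(sm, attacker, now=600)  # holds from t=0 lapse and are re-taken at once
    after_refresh = len(sm.available(now=700))
    return {"attacker_holds": first_sweep,
            "buyer_sees": buyer_sees,
            "after_refresh": after_refresh}


if __name__ == "__main__":
    print("no cap:      ", simulate())
    print("cap of six:  ", simulate(max_holds_per_client=6))
```

`simulate()` returns what a genuine buyer sees: with no cap the attacker holds all 180 seats and the buyer finds none, before and after the refresh; with a cap of six per client the buyer finds 174. A cap keyed on a session cookie only raises the cost, since the attacker can open a fresh session for each seat. A hold keyed to an authenticated account or a verified payment method, with a window of a few minutes rather than hours, is what actually removes the economics of the attack.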

Cracking CAPTCHAs

Jeremiah Grossman: Now let's talk about CAPTCHAs. Everyone knows these annoying pictures that litter the Internet and are used to fight spam. Potentially you can profit from CAPTCHAs too. A CAPTCHA is a fully automated Turing test that distinguishes a real person from a bot. I discovered a lot of interesting things while studying the use of CAPTCHAs.


CAPTCHAs were first used around 2000-2001. Spammers want to get past the CAPTCHA to sign up for free email services like Gmail, Yahoo Mail, Windows Live Mail, MySpace, Facebook and so on, and send spam. Since CAPTCHAs are used so widely, a whole market of services has emerged offering to bypass the ubiquitous CAPTCHA. Ultimately this turns a profit; spamming is one example. There are three ways to bypass a CAPTCHA; let's look at them.

The first is flaws in the implementation of the idea, or shortcomings in how the CAPTCHA is used. For example, the answers contain too little entropy, such as "write what 4 + 1 equals". The same questions may be repeated many times, while the range of possible answers is quite small.

A CAPTCHA's effectiveness is judged by the following criteria:

  • the test must work when the person and the server are far apart, and must not be difficult for the person;
  • the question must be one a person can answer within a few seconds, and only the person it is asked of should be able to answer it;
  • the answer must be difficult for a computer;
  • knowledge of previous questions, answers, or combinations of them must not make the next test predictable;
  • the test must not discriminate against people with visual or hearing impairments;
  • the test must not have a geographical, cultural or linguistic bias.

As it turns out, creating a "correct" CAPTCHA is quite difficult.

The second weakness of CAPTCHAs is optical character recognition, OCR. A piece of code can read a CAPTCHA image no matter how much visual noise it contains, work out which letters or numbers make it up, and automate the recognition. Studies have shown that most CAPTCHAs can be cracked easily.

I'll quote experts from the School of Computing Science at Newcastle University, UK. On the ease of cracking Microsoft's CAPTCHA they say: "our attack was able to achieve a segmentation success rate of 92%, which implies that the MSN CAPTCHA scheme can be cracked in 60% of cases by segmenting an image and then recognizing it." Cracking Yahoo's CAPTCHA was just as easy: "Our second attack achieved a segmentation success of 33.4%. Thus, about 25.9% of the CAPTCHAs can be cracked. Our research shows that spammers should never use cheap human labor to bypass Yahoo CAPTCHAs, rather they should rely on a low-cost automated attack."

The third way to bypass CAPTCHAs is called the "Mechanical Turk", or "Turk". We tested it against Yahoo's CAPTCHA right after it was published, and to this day we don't know, and nobody knows, how to defend against such an attack.


This is the case where you have a bad guy running an "adult" site or an online game from which users request content. Before they can see the next picture, the hacker's site makes a back-end request to a well-known online system, say Yahoo or Google, grabs a CAPTCHA from there and serves it to the user. As soon as the user solves it, the hacker submits the answer to the target site and shows the user the image they requested. If you have a very popular site with lots of interesting content, you can mobilize a whole army of people who will, without realizing it, fill in other people's CAPTCHAs for you. It's a very powerful thing.

But it's not only hackers who bypass CAPTCHAs; it has become a business. Robert "RSnake" Hansen once talked on his blog with a Romanian "CAPTCHA solver", who said he could solve 300 to 500 CAPTCHAs an hour at a rate of 9 to 15 dollars per thousand CAPTCHAs solved.


He says straight out that his team members work 12 hours a day, solving about 4800 CAPTCHAs in that time, and depending on how difficult the CAPTCHAs are, they can earn up to $50 a day. That was an interesting post, but even more interesting were the comments users left under it. Right away there was a message from Vietnam, where a certain Kwang Hung reported his group of 20 people, who were willing to work for $4 per 1000 CAPTCHAs solved.

The next message was from Bangladesh: "Hi! I hope you're all well! We are a leading processing company from Bangladesh. Currently our 30 operators are able to solve more than 100,000 CAPTCHAs a day. We offer excellent terms and a low rate: $2 per 1000 CAPTCHAs from Yahoo, Hotmail, MySpace, Gmail, Facebook etc. We look forward to working with you."

Another interesting message was sent by a certain Babu: "I am interested in this work, please call me."

So that's pretty interesting. We can debate how legal or illegal such activity is, but the fact is that people actually make money from it.
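The relay described above, simulated as an added example: this is editor-supplied code, not code from the talk, and the `TargetSite` and `RelaySite` classes, the challenge texts, the visitor names and the address 203.0.113.7 are constructed. It plays out both sides of the exchange and shows what the target's log ends up containing, which is why the attack is so hard to tell from legitimate signups.

```python
"""Simulation of a CAPTCHA relay: a target site hands out challenges, an
attacker-run content site forwards each one to its own visitor and returns
the visitor's answer as its own.  Added example, not from the talk.  The
challenge texts, visitor names and addresses are constructed."""
import itertools


class TargetSite:
    """Free-mail style signup gated by a single-use CAPTCHA.  Logs every
    request so the defender's view can be inspected afterwards."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._answers = {}   # challenge id -> expected text
        self.log = []        # (event, client_ip, challenge id)
        self.accounts = []

    def issue_challenge(self, client_ip):
        cid = next(self._ids)
        text = f"x{cid:03d}z"        # stands in for the distorted image
        self._answers[cid] = text
        self.log.append(("issue", client_ip, cid))
        return cid, text

    def signup(self, client_ip, username, cid, answer):
        ok = self._answers.pop(cid, None) == answer   # pop: one attempt per challenge
        self.log.append(("signup-ok" if ok else "signup-fail", client_ip, cid))
        if ok:
            self.accounts.append(username)
        return ok


class RelaySite:
    """The attacker's adult/gaming site.  A visitor asks for content; before
    serving it the site fetches a challenge from the target, makes the
    visitor solve it, then spends the answer on a throwaway account."""

    def __init__(self, target, own_ip="203.0.113.7"):
        self.target = target
        self.ip = own_ip
        self.pending = {}    # visitor -> (challenge id, content requested)
        self._n = itertools.count(1)

    def request_content(self, visitor, content):
        cid, image = self.target.issue_challenge(self.ip)   # back-end fetch
        self.pending[visitor] = (cid, content)
        return image                                         # shown to the visitor

    def submit_answer(self, visitor, answer):
        cid, content = self.pending.pop(visitor)
        ok = self.target.signup(self.ip, f"spam{next(self._n):04d}", cid, answer)
        return content if ok else None


def human_solve(image_text):
    """Stands in for the visitor reading the image; a human gets it right."""
    return image_text


def run_relay(visitors):
    """Run the relay for a list of visitors; return (target, visitors served)."""
    target = TargetSite()
    relay = RelaySite(target)
    served = 0
    for v in visitors:
        image = relay.request_content(v, content=f"picture-for-{v}")
        if relay.submit_answer(v, human_solve(image)) is not None:
            served += 1
    return target, served


if __name__ == "__main__":
    t, n = run_relay([f"visitor-{i}" for i in range(5)])
    print(n, "visitors served;", len(t.accounts), "accounts registered")
    for event in t.log:
        print(event)
```

`run_relay(...)` returns the target and the number of visitors served. Every event the target logs comes from the relay's own address and carries a correct answer within one exchange, so the only signals left to the defender are volume per source address and the delay between issue and answer; the first is defeated by spreading the relay across many hosts, the second by the fact that a real human is solving each challenge.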

Taking over other people's accounts

Trey Ford: The next scenario we'll talk about is making money by taking over someone else's account.


Everyone forgets passwords, and for application security testing, password reset and online registration are two distinct, purposeful business processes. There is a big gap between how easy password reset is and how easy registration is, and the goal is to make the password reset process as easy as possible. But if we try to simplify it, there is a problem: the easier it is to reset a password, the less secure it is.

One of the most notable cases involved online registration with Sprint's user verification. Two members of the WhiteHat team signed up online with Sprint. There are a couple of things you need to verify to prove you are who you say you are, starting with something as simple as your cell phone number. You need online registration for things like managing your account, paying bills and so on. Buying phones is very convenient if you can do it from someone else's account, then make purchases and more. One scam is to change the billing address, order a whole bunch of mobile phones delivered to your address, and leave the victim to pay for them. Stalkers also dream of such an opportunity: adding GPS tracking to their victims' phones and following their every move from any computer.

So, Sprint offers some of the simplest questions to verify your identity. As we know, security can come either from a very wide range of entropy or from highly specific questions. I'll read you part of Sprint's registration process, because the entropy is very low. For example, there is a question like this: "select a car make registered at the following address", and the options are Lotus, Honda, Lamborghini, Fiat, and "none of the above". Tell me, which of you guys owns any of the above? As you can see, this hard puzzle is just a great opportunity for a college student to get cheap phones.

The second question is: "Which of the listed people lives with you or lives at the address below?" It's very easy to answer, even if you don't know the person at all. Jerry Stifliin, a surname with three i's, we'll get to that in a second; Ralph Argen, Jerome Ponicki and John Pace. The interesting thing about this list is that the decoy names are completely random, and they all follow the same pattern. If you work it out, it's not hard to pick the real name, because it differs from the randomly chosen names by something characteristic, in this case the three letters "i". So Stifliin is clearly not a random name, and it's easy to guess that this person is your target. It's very, very simple.

The third question: "in which of the following cities have you never lived or used as your address?" Longmont, North Hollywood, Genoa or Butte? We have three densely populated areas around Washington, so the answer is obvious: North Hollywood.

There are a couple of things about Sprint's online registration that you need to be careful about. As I said before, you can be seriously harmed if an attacker can change the delivery address in your billing information. What is really scary is the Mobile Locator service.


With it you can track the movements of your employees, since people carry mobile phones with GPS, and you can see on a map where they are. So, in this process, other rather interesting things happen.

As you know, when resetting a password, the email address takes precedence over other methods of user verification and secret questions. On the next slide are many services that offer to have you enter your email address if you have trouble logging into your account.


We know that most people use email and have an email account. And suddenly people wanted to find a way to make money from it. You will always know the victim's email address; enter it into the form and you get the chance to reset the password for the account you want to manipulate. Then you use it on your side, and that mailbox becomes your golden vault, the main place from which you can steal all the victim's other accounts. You get everything the victim is signed up for by taking over just one mailbox. Stop smiling, this is serious!

The next slide shows how many millions of people use the respective mail services. People actively use Gmail, Yahoo Mail, Hotmail, AOL Mail, but you don't have to be a super-hacker to take over their accounts; you can keep your hands clean by outsourcing. You can always say you had nothing to do with it, you didn't do anything like that.


So, in China there is an online "Password Recovery" service where you pay them to hack into "your" account. For 300 yuan, about $43, you can try to reset the password of a foreign mailbox with an 85% success rate. For 200 yuan, or $29, you get a 90% success rate resetting a domestic mail service mailbox password. Hacking a mailbox at any company costs a thousand yuan, or $143, but success is not guaranteed. You can also outsource password cracking for 163, 126, QQ, Yahoo, Sohu, Sina, TOM, Hotmail, MSN, etc.

Continued in: BLACK HAT USA conference. Get Rich or Die: Making Money Online Using Black Hat Methods. Part 2


Source: habr.com
