Date posted: 15-Aug-2015 | Uploaded by: g-s-mcnamara
#Cybersecuregov
From Zero to 60: Advancing the Cybersecurity Workforce
The Next APT: Advanced, Persistent Tracking
Jarad Kopf and G. S. McNamara
3 #Cybersecuregov From Zero to 60: Advancing the Cybersecurity Workforce
Introduction
» Persistent tracking mechanisms very prevalent and growing
» Tech conglomerates such as Google have flirted with this type of new technology
» Not limited to cookies anymore, these tracking mechanisms come in many forms
Why should you care?
» Privacy concerns
» These technologies are extremely accurate
» Perhaps violating your organization’s policy
Evercookies
» Goal: Identify unique client even after standard cookies have been removed
» Storage mechanisms include: Flash Cookies, Silverlight Isolated storage, HTTP ETags*, many more
Evercookie FAQs
» Do evercookies work cross-browser?
» Does the browser or server have to install anything?
Evercookie Repopulation
Image: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf
ETag Overview
» One storage mechanism of Evercookies
» ETag (Entity Tag): part of the HTTP protocol
• Provides for web cache validation
» Can be used as opaque identifier assigned by a web server to a specific version of a resource found at a URL
ETag Mechanism
Image: https://lucb1e.com/randomprojects/cookielesscookies/
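The round trip the diagram shows, as an added Python simulation that is not code from the talk nor from the lucb1e demo it links: one server uses the ETag as RFC 7232 intends (a digest of the resource bytes), the other mints a random ETag per first-time visitor and acknowledges it on every If-None-Match revalidation. The browser model keeps its cookie jar and its HTTP cache apart, as real browsers do, so the demo reports which of the two "clear" actions actually drops the identifier; the last function is the defender's check, fetching one URL from several fresh clients and flagging ETags that differ while the body does not. The class names, the pixel bytes and the header handling are all constructed for this example.

```python
import hashlib
import secrets

# Constructed stand-in for a 1x1 tracking pixel; every client gets the same bytes.
BODY = b"GIF89a\x01\x00\x01\x00"


class HonestServer:
    """Cache validation as RFC 7232 intends: the ETag is a digest of the
    resource bytes, so every client that fetches /pixel.gif sees one value."""

    def handle(self, req):
        etag = '"%s"' % hashlib.sha256(BODY).hexdigest()[:16]
        if req.get("If-None-Match") == etag:
            return 304, {"ETag": etag}, b""
        return 200, {"ETag": etag}, BODY


class TrackingServer:
    """Constructed model of the abuse on the slide: a random ETag is minted per
    first-time visitor and acknowledged on every revalidation, so the cached
    ETag doubles as a client identifier that outlives the cookie jar."""

    def __init__(self):
        self.seen = {}  # etag -> number of visits recorded against it

    def handle(self, req):
        etag = req.get("If-None-Match")
        if etag in self.seen:
            self.seen[etag] += 1
            return 304, {"ETag": etag}, b""  # "still valid": identifier stays cached
        etag = '"%s"' % secrets.token_hex(8)
        self.seen[etag] = 1
        return 200, {"ETag": etag, "Set-Cookie": "sid=" + secrets.token_hex(4)}, BODY


class Browser:
    """Minimal client whose cookie jar and HTTP cache are cleared separately,
    as they are in real browsers."""

    def __init__(self):
        self.cookies = {}
        self.cache = {}  # url -> (ETag, body) of the cached copy

    def fetch(self, server, url):
        req = {}
        if url in self.cache:
            req["If-None-Match"] = self.cache[url][0]  # conditional revalidation
        if self.cookies:
            req["Cookie"] = "; ".join("%s=%s" % kv for kv in self.cookies.items())
        status, resp, body = server.handle(req)
        if "Set-Cookie" in resp:
            name, value = resp["Set-Cookie"].split("=", 1)
            self.cookies[name] = value
        if status == 304:
            body = self.cache[url][1]  # reuse the cached body, as a 304 permits
        self.cache[url] = (resp["ETag"], body)
        return resp["ETag"], body

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache.clear()


def demo():
    """Clear cookies, then the cache, and report which step drops the identifier."""
    server, browser, url = TrackingServer(), Browser(), "/pixel.gif"
    first, _ = browser.fetch(server, url)
    browser.clear_cookies()
    after_cookie_clear, _ = browser.fetch(server, url)
    browser.clear_cache()
    after_cache_clear, _ = browser.fetch(server, url)
    return {
        "survives_cookie_clear": after_cookie_clear == first,
        "survives_cache_clear": after_cache_clear == first,
        "visits_recorded_for_first_id": server.seen[first],
    }


def etag_varies_per_client(server_factory, clients=3):
    """Defender-side check: fetch one URL from several fresh clients (empty
    cache, no cookies). Identical bodies with differing ETags mean the ETag is
    a client identifier rather than a version tag."""
    server = server_factory()
    results = [Browser().fetch(server, "/pixel.gif") for _ in range(clients)]
    bodies = {body for _, body in results}
    etags = {etag for etag, _ in results}
    return len(bodies) == 1 and len(etags) > 1


if __name__ == "__main__":
    print(demo())
    print("tracking server flagged:", etag_varies_per_client(TrackingServer))
    print("honest server flagged:", etag_varies_per_client(HonestServer))
```

The practical lesson for an endpoint policy is in `demo()`: removing cookies leaves the identifier in place and the server counts a second visit against it; only emptying the cache forces a fresh ETag. The cross-client comparison is cheap to run against any third-party resource your proxy logs show being loaded repeatedly.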
HSTS Overview
» HSTS: web security policy mechanism to protect HTTPS websites from downgrade attacks
» Allows web servers to declare that web browsers should only interact using secure connections
» Your browser can remember this – this is set when the server sends back an HTTP header with a parameter field named Strict-Transport-Security
Abusing HSTS
» HSTS potential for tracking is specified in RFC 6797
» No known cases in the wild yet
Images taken from: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/
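How the browser-side HSTS state described on the two HSTS slides works, as an added Python model that is not from the talk: a parser for the Strict-Transport-Security header value following RFC 6797 section 6.1, and a constructed known-hosts store that upgrades http:// URLs for known hosts, ignores policies received over plain HTTP (section 8.1), expires entries by max-age, and honors max-age=0 as the server's revocation. The store is deliberately separate from any cookie jar; that separation is the property the tracking concern in RFC 6797 section 14.9 rests on, and why a full "clear site data" must empty it too. The class and function names and the injectable clock are assumptions of this example.

```python
import re
import time


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header must be ignored: max-age missing or malformed, or any directive
    repeated. Directive names are case-insensitive; unknown ones are ignored."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            if include_sub:
                return None
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """Constructed model of a browser's known-HSTS-host store. Entries are
    keyed by host and live independently of cookies, which is what makes the
    store a candidate for persistent state (RFC 6797 section 14.9)."""

    def __init__(self, clock=time.time):
        self.hosts = {}  # host -> (expiry timestamp, includeSubDomains)
        self.clock = clock

    def observe(self, host, header_value, over_https=True):
        """Record the policy carried by a response. Returns True if it was applied."""
        if not over_https:
            return False  # section 8.1: STS over insecure transport is ignored
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 revokes the entry
            return True
        expires = self.clock() + policy["max_age"]
        self.hosts[host.lower()] = (expires, policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        now = self.clock()
        for known, (expires, include_sub) in list(self.hosts.items()):
            if expires <= now:
                del self.hosts[known]  # lazy expiry
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before any request leaves."""
        m = re.match(r"http://([^/:]+)(.*)", url)
        if m and self.is_known(m.group(1).lower()):
            return "https://" + m.group(1) + m.group(2)
        return url

    def clear_site_data(self):
        """What a complete 'clear browsing data' should do: HSTS state goes too."""
        self.hosts.clear()
```

Usage is a matter of feeding `observe()` the header from each HTTPS response and passing every outgoing URL through `upgrade()`; the fake clock in the test below shows the entry lapsing after its max-age and being removed by a later max-age=0.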
Fingerprinting (Type 1 of 2): Device
Fingerprinting (Type 2 of 2): Canvas
Let’s tell a story…
(If I were evil)
A world full of corporate assets
We might even allow BYOD
We’ve hardened our network
And we trust our ISP
But what about the phones?
The carrier wouldn’t meddle with our data
“Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine”
http://www.wired.com/2014/10/verizons-perma-cookie/
The data gathered would never then be sold
“Relevant Mobile Advertising Program”
http://www.verizonwireless.com/support/relevant-mobile-ad/
Selling location data is inconceivable
“Carriers Sell Users’ Tracking Data in $5.5 Billion Market” http://www.bloomberg.com/news/articles/2013-06-06/carriers-sell-users-tracking-data-in-5-5-billion-market
Location lacks impact
“ISIS Fighter Accidentally Geotagged Tweets And Revealed His Not-So Secret Location”
http://www.mtv.com/news/2038989/isis-twitter-geotagging-fail/
If only used for ads, is this OK?
Ads are safe
“Malware in ads turn computers into zombies”
http://www.usatoday.com/story/tech/2015/01/20/malvertising/21889547/
Well, if you stick to legitimate sites
“Malvertising hits The New York Times”
http://www.dailyfinance.com/2009/09/14/malvertising-hits-the-new-york-times/
This ‘malvertising’ economy won’t catch on
“Malvertising Abuses Real-Time Bidding on Ad Networks”
https://threatpost.com/ad-networks-ripe-for-abuse-via-malvertising/111840
It’s probably just run by kids
“APTs Target Victims with Precision, Ephemeral Malvertising”
https://threatpost.com/apts-target-victims-with-precision-ephemeral-malvertising/108906
Besides, cyber-physical isn’t real
“'Operation DeathClick' targets defense contractors”
http://archive.federaltimes.com/article/20141017/IT/310170016/-Operation-DeathClick-targets-defense-contractors
Malware doesn’t even work on phones
“Ads 'biggest mobile malware risk'”
http://www.bbc.com/news/technology-26447423
It only works on “real” computers
“Now e-cigarettes can give you malware”
http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers
The future isn’t mobility anyway
“BYOD: Many Call It Bring Your Own Malware (BYOM)”
http://blogs.cisco.com/security/byod-many-call-it-bring-your-own-malware-byom
And the small details don’t matter
“Two US power plants infected with malware spread via USB drive”
http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/
Next-Gen Tracking is a blind spot.
This was just one idea
Policy Scandals
EU Cookie Law
» Into effect May 2012
» EU requires prior informed consent for storage of or access to information stored on a user’s machine
• Many exemptions
» Tools like Google Analytics fall under jurisdiction
So what now?
» Talk to legal about policy updates
» Talk to IT about control
“The greatest victory is that which requires no battle.” ― Sun Tzu, The Art of War
Jarad Kopf, M.S., [email protected]
G. S. McNamara, [email protected]