
Tiếng Việt : VNSECURITY / CLGT TEAM

http://www.vnsecurity.net/c/tieng-viet/page/2/


Network security monitoring, or how to stop a DDoS attack in 20 minutes

December 14, 2009 by thaidn (drawn from a talk given at BarcampSaigon 2009). Presentation: "Network Security Monitoring or How to mitigate a DDoS attack in 20'"

1 of 14

5/31/2013 3:43 PM


Let me begin by sharing a story. Not long ago, the web site of one of our customers came under a DDoS attack. At the peak of the attack, more than 10,000 IP addresses from all over the world were continuously sending thousands of requests per second to this customer's systems. The image you see on screen (slide 4) has two small parts. The upper part is the traffic in and out of the system under normal conditions, with no attack. The lower part is the traffic in and out of the system at the very moment it was under heavy attack. As you can see, within just 10 minutes, from 16:10 to 16:20, the traffic spiked to nearly 10 times its normal level. But at the same time, in under 20 minutes, we brought the attack under control and returned the whole system to its normal state. We were able to do that entirely thanks to applying the technologies and principles of network security monitoring well.

If you have ever had to handle a DDoS attack, I am sure there is one question you have asked yourself many times: what on earth is going on? Why did my system, which was running just fine, suddenly freeze so that customers could no longer use it? I consider this the single most important question that anyone working in network security must ask, and must have a sound answer to. Right at this moment, as you sit here listening to me, do you know who is doing what, where, and how on your systems?

Why does that question matter? Why do you need to know who is doing what, where, and how on your systems? Simply because we cannot protect a system if we do not know its state. And we can only know the state of a system by watching it continuously. In other words, we must know all the activity that has taken place and is taking place on the system. Look at how a hotel operates. To keep it secure, cameras are placed everywhere. Those cameras surely feed their pictures back to a central location, where staff watch 24/7 so that security incidents can be detected and dealt with in time. In the same way, to ensure information security we also have to monitor 24/7. But in practice, from what I have observed, very few organizations in Vietnam have such a security monitoring system.

To protect their networks, businesses and public bodies typically deploy devices such as firewalls, anti-virus software, intrusion detection systems and intrusion prevention systems. Clearly they think these devices secure their networks, which is why they invest so much money in deploying them. In fact, most of the people who decide on information security spending tend to follow the market. A few years ago, for example, firewalls were the fashion. Everyone was investing in a firewall, so we had to build a firewall too. Then intrusion detection solutions had their day. Do you know what the trend is now? ISO 27001. Executives see other companies adopting ISO 27001, so they want their own company to achieve the standard as well. I am not saying that firewalls, intrusion detection systems or standards like ISO 27001 and ITIL are useless, but the question we have to ask ourselves is: why, after deploying so many expensive and time-consuming things, do we still get broken into, do we still get attacked? Would ISO 27001 or a firewall help you recover from a denial-of-service attack within 20 minutes? And once you have been compromised, is there any expensive device or standard that tells you when, why and how your system was broken into?

Only people can do that. This is the point I want to stress: devices and standards become useless if we do not have people watching and monitoring the system continuously. That is, we need highly skilled system monitoring specialists. Why do we need specialists; why can't the devices or the standards protect the network on their own? Because attackers are very smart, unpredictable and very likely highly motivated, especially now that e-commerce is growing the way it is. Machines and procedures cannot stop them, that much is certain. A machine will certainly lose a fight against a human brain. That is why we need people, need specialists, to turn network security into a more even fight between human and human, instead of machine against human. The question, then, is: what do network security specialists need in order to detect and handle network security incidents and to build defensive plans?
There is only one answer: all the data we can collect from the network while the incident is happening! Do you remember my example about securing a hotel? The manager tries to collect all the data, here images and sound, using cameras placed all over the hotel, and needs skilled specialists to analyse those images so that incidents are handled in time. They have fire prevention and detection systems, they have anti-theft systems, but those machines are only tools; the main work still has to be done by people, the specialists. In short, to ensure security we need to watch and monitor the network 24/7; to do that we need specialists, and the specialists need data to do their job. Network security monitoring is precisely the method that lets us do this in the most effective way.

So what is network security monitoring? The term was formally defined in 2002 and it basically consists of three steps: data collection, data analysis, and escalation. For data collection we use software or solutions available on the market to gather the data that records the activity of servers, network devices, application software, databases... The principle of data collection is to collect as much as possible, the goal being complete information about the state and the log files of every component of the system we need to protect. Because attacks and information security incidents come in countless shapes and forms, we cannot know in advance which data will be needed to detect and stop which kind of attack. So my experience is: if law and technology allow it, collect every piece of data you can. The principle "better to strike wrongly than to miss" can be applied here.

Software can help us with the data collection, but for analysing the data and making decisions we need, as I said above, specialists, because only a specialist can fully understand the context of the data the software collects. Context is paramount. A piece of data collected in context A can mean something very different from the same data in context B. For example, one fine day the data collection system warns that some program files on an important server have been modified. If context A is that the server is undergoing a software upgrade, this information means little. But outside that context A, in other words if no software change request is being applied to that server, then very probably the server has been compromised. And only specialists can supply that kind of context.

Process is what gives us escalation. Escalation is the specialists reporting upward, to the people with decision-making authority, the issues they consider important and in need of further investigation. The decision makers are the people with the authority, the responsibility and the capability to decide how to respond to potential information security incidents. Without escalation, the specialists' work becomes pointless. Why analyse data to detect potential security incidents if nobody is responsible for handling them?

Back to the denial-of-service story I shared at the beginning. Our network security monitoring system collects all the data relating to the activity of devices such as the firewalls, the proxy servers, the web servers and the web applications running on those web servers. Drawing on this rich data source, our specialists did not need much time to analyse it and recognize the abnormal signs on the system. They escalated by notifying me, and I decided to activate the incident response process, in this case the response to a denial-of-service attack. On the technical side, we had already installed automatic controls on the network security monitoring system, so my specialists only had to watch the attack for any unusual developments without having to perform any further action.
On the administrative side, I notified the company's management and units such as the Customer Care Center and the Data Center Operations Center, and opened a line of communication with the ISPs to ask for help in case the links became saturated. As you saw in an earlier slide, in under 20 minutes, right after the first activation of the defence system, the attack was successfully brought under control. The network security monitoring system also helped us produce the reports sent to management and to the investigating authorities, to ask for help tracing the perpetrators. The whole network security monitoring method is just that simple.

That concludes part 1 of this presentation. Next I will share some information about the system and about the monitoring work itself. On the technical side, we did not spend much time on designing the system and choosing a solution, because from the start we determined that this was a relatively new field and so a complete solution would not be available on the market. Instead, much like agile software development, we built and adjusted as we went. We started by building a centralized log system. As mentioned above, this is the data collection stage. While doing it, we noticed that most applications running on UNIX and most network devices already support the syslog standard, so we decided to choose the open-source software syslog-ng as our main log collection tool. There were two problems, though: Windows servers do not support syslog by default, and some applications that we developed in-house or bought from outside do not support syslog either. For the first problem, we installed an additional piece of software on the Windows servers to push their events to our log system. For the second problem, the first thing we did was to write a logging policy for applications. In this policy we require that any application wanting permission to run on our systems must meet our criteria for logging events. We also provided guidance and sample software libraries that developers could integrate into their existing software.

Syslog-ng is an excellent piece of open-source software. It runs extremely stably and reliably. In more than three years of operating this system, we have never had a problem with it. But syslog-ng only does the data collection job well; how do we analyse the data? At the time there were quite a few tools on the market for this problem. We tried them one after another, and then we discovered Splunk. We like to call it "almighty Splunk". A data analysis tool that is beyond excellent! Splunk is great, but without specialists skilled in data analysis to exploit it, the system would not bring much benefit either. The beauty of Splunk is that it makes the seemingly tedious job of log analysis extremely interesting. Within a short time my staff were enchanted by Splunk; the name "almighty Splunk" was coined by one of them. So we did not have to spend much time on training either, because the solution itself is interesting enough to draw people to explore it on their own. The most important thing for a security monitoring system is the ability to analyse a large volume of data quickly. Splunk does this very well. That said, there are other, completely free solutions on the market, as I listed above. Personally I think Hadoop + Scribe + Hive is a research direction with a lot of potential.

With this system, we can now rest assured that I can know what is happening on our customers' networks at the very moment I am writing these lines. For their part, the customers' management can rest assured knowing that we can detect, trace and respond to any information security incident on their systems. In fact, since deploying this solution we have resolved 100% of the information security incidents on our customers' systems. Beyond that, the system has also helped us detect and handle more than half of those incidents. There have been many situations where, without the support of this system, we could not have solved the problem.
Back once more to the DDoS story above. To recap, one of our customers was hit by a large-scale DDoS attack on its Internet Banking servers. At the peak, more than 10,000 IP addresses were sending thousands of requests per second to their servers. How do you quickly extract the list of those 10,000 IPs, so as to block them on the firewall, without blocking customers by mistake? How can this process be automated, for instance so that every 15 minutes the list of attacking IPs is extracted and the firewall filter updated? With our system, we only had to write a short script to extract the list of IPs sending more than 100 requests/s, then set up a program to automatically update the firewall filter every 15 minutes. A seemingly intractable problem could be solved quickly, neatly and transparently.

Anti-DDoS solutions have two main components: detection and blocking. The solutions available on the market, whether appliances from the big vendors or open solutions such as iptables + Snort inline, generally try to analyse packets/requests in order to classify them in real time. That is, when a packet/request comes in, these solutions try to determine whether that packet is part of an attack and, if so, block it. What sets our solution apart from the anti-DDoS solutions on the market is that we do not try to classify and block packets/requests in real time. Instead, we separate the detection part from the defence system and perform detection entirely offline, using information from the NSM system. Specifically, information from the blocking system as well as from other sources such as the web servers, proxies or firewalls is fed into an analysis system that runs offline, and the results of that analysis are then pushed back to the blocking system. With this approach our solution can handle a very large load, because we do not have to spend a lot of resources analysing each packet or request on the fly as other solutions do.

As for future directions, another nice application of network security monitoring that I see is that it lets us measure how secure the system is. There is a long-standing principle of management: we cannot manage what we cannot measure. So to manage information security, we have to turn information security into parameters that can be measured and compared. This is an approach to information security from the manager's point of view that we want to apply for our customers in the near future.

References: "Ký sự các vụ DDoS vào HVAOnline" (a chronicle of the DDoS attacks on HVAOnline); http://taosecurity.blogspot.com

Filed under Firewall, Security, Tiếng Việt, Web Security. Tagged with DDoS, mitigate DDoS, NSM
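The "short script" the talk describes, and the offline detection loop of the last paragraphs, can be shown end to end. The following is an added example written for this page, not code from the post or from its author: it parses a window of web-server access lines from the central log store, finds the client IPs that exceeded a per-second request threshold, leaves allowlisted addresses (a known proxy or NAT that would otherwise take customers down with it) alone, and renders the firewall updates for one scheduled cycle. The log format (nginx/Apache "combined" style), the 100 req/s threshold, the allowlist, the `DDOS_BLOCK` chain name and all the log lines are constructed assumptions; the real script would run every 15 minutes and hand the rules to the actual filter.

```python
"""Offline detection of DDoS sources from web-server access logs.

Added example, not code from the VNSECURITY post or from its author: it
implements the idea the talk describes, a short script run over the
centralized log store that lists the client IPs sending more than a
threshold of requests per second and turns them into firewall filter
updates for the next scheduled cycle. The log line format (nginx/Apache
"combined" style), the threshold, the allowlist and the iptables chain name
are assumptions; the log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Combined-format access line: client IP, timestamp to the second, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client_ip, timestamp_to_the_second) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("ts")


def peak_rate_per_ip(lines):
    """Map each client IP to the highest request count it reached in any one second."""
    per_ip_per_second = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # garbled or foreign lines in the central log are skipped, not fatal
        ip, ts = parsed
        per_ip_per_second[ip][ts] += 1
    return {ip: max(seconds.values()) for ip, seconds in per_ip_per_second.items()}


def attacking_ips(lines, threshold=100, allowlist=frozenset()):
    """IPs whose peak rate exceeds `threshold` req/s, minus allowlisted addresses.

    The allowlist is what keeps the script from blocking legitimate customers
    behind a busy corporate NAT or a known upstream proxy.
    """
    rates = peak_rate_per_ip(lines)
    return sorted(ip for ip, rate in rates.items() if rate > threshold and ip not in allowlist)


def firewall_rules(ips, chain="DDOS_BLOCK"):
    """Render one iptables DROP rule per IP for a dedicated chain (chain name assumed)."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]


def update_cycle(lines, already_blocked, threshold=100, allowlist=frozenset()):
    """One scheduled run (the post does this every 15 minutes): analyse the latest
    log window offline and emit rules only for sources not yet in the filter."""
    new_ips = [ip for ip in attacking_ips(lines, threshold, allowlist) if ip not in already_blocked]
    return firewall_rules(new_ips), already_blocked | set(new_ips)


# --- constructed sample log (documentation-range addresses, not real traffic) ---
def _line(ip, ts, path):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


T0 = "14/Dec/2009:16:10:01 +0700"
T1 = "14/Dec/2009:16:10:02 +0700"
SAMPLE_LOG = (
    [_line("203.0.113.7", T0, "/login") for _ in range(150)]     # flood source, 150 req/s
    + [_line("203.0.113.7", T1, "/login") for _ in range(140)]   # still flooding next second
    + [_line("192.0.2.9", T0, "/") for _ in range(120)]          # busy but allowlisted proxy
    + [_line("198.51.100.2", T0, "/account") for _ in range(3)]  # ordinary customer
    + ["this line is not an access log entry"]                   # noise the parser must skip
)
ALLOWLIST = frozenset({"192.0.2.9"})

if __name__ == "__main__":
    blocked = set()
    rules, blocked = update_cycle(SAMPLE_LOG, blocked, allowlist=ALLOWLIST)
    print("\n".join(rules))                               # one rule, for 203.0.113.7 only
    rules, blocked = update_cycle(SAMPLE_LOG, blocked, allowlist=ALLOWLIST)
    print(len(rules), "new rules on the second cycle")    # 0: nothing new to add
```

Two design points follow the talk directly: detection never touches the packet path (the script reads logs that already exist), and the filter is only ever appended to with addresses that are not yet in it, so each cycle is cheap and idempotent. Expiring old entries after the attack subsides is left to the operator, as the post does not say how it was handled.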

A serious vulnerability in TLS/SSL

November 6, 2009 by thaidn, 1 Comment

A very interesting finding:

The SSL 3.0+ and TLS 1.0+ protocols are vulnerable to a set of related attacks which allow a man-in-the-middle (MITM) operating at or below the TCP layer to inject a chosen plaintext prefix into the encrypted data stream, often without detection by either end of the connection. This is possible because an authentication gap exists during the renegotiation process at which the MitM may splice together disparate TLS connections in a completely standards-compliant way. This represents a serious security defect for many or all protocols which run on top of TLS, including HTTPS.

What is interesting is how many people, how many experts, over how many years have stared at TLS/SSL without seeing the seemingly obvious hole that the authors above found. Perhaps the reason so many looked without seeing is that they only looked at TLS/SSL standing alone, without looking at the bigger OSI picture in which TLS/SSL is just one layer. What happens if TLS/SSL does not fully understand how the protocols above it, such as HTTP, SMTP or POP3, work? Or, put the other way, what happens if the Application-layer protocols do not fully understand how TLS/SSL operates, so as to use it correctly? That is when the hole appears. In outline, this vulnerability lies in the lack of coordination between TLS/SSL and the protocols above it such as HTTP or SMTP. By exploiting it, an attacker can insert an arbitrary piece of plaintext into the TLS/SSL encrypted stream between client and server without either the client or the server being able to detect it. This is an extremely serious vulnerability, because it completely breaks the security guarantee of the TLS/SSL protocol suite. To put it *grandly*, in theory the foundation of e-commerce is shaking. I say "in theory" because for this line of attack to become more dangerous in practice, there are still many obstacles to overcome (and they will be overcome).

To illustrate the story, and to make it easier to explain, I have set up the following example:

0. Assumptions:

* Bank A provides an Internet Banking service at https://www.ebank.com. Their server runs software with the vulnerability we are discussing here. We call this machine the server.
* To strengthen security, bank A requires that when a customer (call them the client) uses the features related to financial transactions, which live under https://www.ebank.com/account/, their (browser) must have a client certificate installed that was issued by bank A. Note that quite a few Vietnamese banks do this.
* In addition, bank A also supports customers accessing from (Safari on) the iPhone, in which case the customer is redirected to https://www.ebank.com/iphone/. Because the iPhone has a weak processor, bank A configures its web server to use a weaker ciphersuite there than the one it uses for ordinary customers. Quite a few companies actually deploy this in practice.

Now I will use the newly discovered technique to attack bank A's customers along the 3 attack vectors the authors describe. Note that this is a MITM attack, meaning the attacker must be able to observe and modify the data travelling between client and server. The attacker can get into that position through attacks on protocols such as ARP or DNS.

1. Attack vector 1

For vector 1, I will take advantage of the fact that when https://www.ebank.com/account/ is accessed, the server asks the client to present a certificate. The diagram below is taken from the paper by the authors who discovered this vulnerability. I find that the diagram explains the vulnerability and the first attack vector very clearly. Vectors 2 and 3 are in fact quite similar to vector 1, so I think that once you understand vector 1, the others will look simple too.


There are 4 steps in carrying out this attack:

* Step 1: the client visits https://www.ebank.com. At this point the client connects to the attacker and sends CLIENT_HELLO to begin the TLS/SSL protocol. The attacker pauses this connection and saves the CLIENT_HELLO message for use in step 3.
* Step 2: the attacker opens a connection to the real server. The two sides perform the TLS/SSL handshake to establish a session. Once the handshake completes, the attacker sends an HTTP request, something like:

    POST /account/transfer?amount=1000&receiver=attacker HTTP/1.1\r\n

* Step 3: the server sees a request to the /account/ area, so it temporarily stops processing the request and, as described above, asks the attacker to present a client certificate. The clever part is that although the attacker does not have the client's certificate (or rather its private key), he can still *proxy* the client's certificate through to the server without either side noticing. The server begins the authentication by sending a HELLO_REQUEST message back to the attacker. On receiving it, the attacker sends the CLIENT_HELLO he saved in step 1 on to the server. From then on the attacker sits in the middle relaying messages back and forth between client and server until the client-certificate authentication completes successfully. Note that there are 2 kinds of messages the attacker relays. The first kind (in the diagram, the messages that start or end at the red column) are the ones he has to decrypt/encrypt before forwarding. For instance, when he receives Certificate from the client, he re-encrypts that message and only then sends it to the server. The second kind (in the diagram, the pink and red messages) are the ones he cannot read (because he does not have the key); all he does is receive them from the client and send them to the server, and vice versa.
* Step 4: the client-certificate authentication completes successfully, the server goes on to process the attacker's request from above and returns the result to the attacker (note that the attacker cannot read this result).

The weakness is right here. As we can see, when the attacker sent the request in step 3, he had not yet been authenticated. In other words, his request at that point was an unauthenticated request. Authentication happened afterwards, and once it was done the server went back to processing the attacker's unauthenticated request. Note that at this step, to avoid raising suspicion, the attacker can go on to return a result to the client and close the connection cleanly.

2. Attack vector 2

Before explaining vector 2, I want to stress this point: all 3 attack vectors aim at stealing the client's credential in order to send authenticated requests to the server. The credential here can be a certificate (as in vector 1) or a cookie/session (as in vectors 2 and 3). Looked at from a certain angle, if applied only to HTTPS, these attacks are very much like CSRF attacks. So if your application already has CSRF defences, or if your application does not accept state changes via GET, there is nothing to worry about for now.

In vector 1 I abused the client certificate to send an authenticated request. For servers that do not authenticate with certificates, I use vector 2. This vector also has 4 steps:

* Step 1: same as in vector 1.
* Step 2: the attacker opens a connection to the real server. The two sides perform the TLS/SSL handshake to establish a session. Once the handshake completes, the attacker sends an HTTP request, something like:

    GET /iphone/login HTTP/1.1\r\n
    Host: ebank.com\r\n
    Connection: keep-alive\r\n
    \r\n
    GET /account/transfer?amount=1000&receiver=attacker HTTP/1.1\r\n
    Host: ebank.com\r\n
    Connection: close\r\n
    X-ignore-this:

* Step 3: the server sees a request to /iphone/, so it temporarily stops processing it and, as stated in the assumptions, begins a renegotiation to select a weaker ciphersuite. The problem is that the server buffers this whole group of unauthenticated requests, so that once the renegotiation is done it goes back and processes all of them. During the renegotiation the attacker's role is the same as in step 3 of vector 1: he merely *proxies* messages back and forth between client and server until the renegotiation completes successfully.
* Step 4: now the client sees that the handshake is done, so it sends its own HTTP request, of the form:

    GET /index HTTP/1.1\r\n
    Cookie: AuthMe=Now\r\n
    \r\n

The surprise happens here. The server groups the unauthenticated requests from step 2 (sent by the attacker) together with this authenticated request (sent by the client) and processes them all at once. The reason the server does this is the keep-alive flag on the first request. So the group of requests now becomes the following (in the original, orange marked what the attacker sent and blue what the client sent):

    GET /iphone/login HTTP/1.1\r\n
    Host: ebank.com\r\n
    Connection: keep-alive\r\n
    \r\n
    GET /account/transfer?amount=1000&receiver=attacker HTTP/1.1\r\n
    Host: ebank.com\r\n
    Connection: close\r\n
    X-ignore-this:GET /index HTTP/1.1\r\n
    Cookie: AuthMe=Now\r\n
    \r\n

Here the X-ignore-this header neutralizes the client's GET /index HTTP/1.1 request and at the same time steals the client's cookie, attaching it to the unauthenticated request GET /account/transfer?amount=1000&receiver=attacker. Very neat!

3. Attack vector 3

This is the most powerful vector; it needs no special server configuration at all. The basic difference between this attack and the previous two is that in this case the client initiates the renegotiation. The idea is very similar to vector 2, differing only in step 2: the attacker no longer sends GET /iphone/login but sends his own request directly, together with an X-ignore-this header. Right after sending that request, the attacker forwards the CLIENT_HELLO captured in step 1 to the server side to begin the renegotiation. Once the renegotiation is done, the client sends its original request to the server, and the complete request now looks like this (again, the attacker's part was orange and the client's part blue in the original):

    GET /account/transfer?amount=1000&receiver=attacker HTTP/1.1\r\n
    Host: ebank.com\r\n
    Connection: close\r\n
    X-ignore-this: GET /index HTTP/1.1\r\n
    Cookie: AuthMe=Now\r\n
    \r\n

As above, X-ignore-this neutralizes the client's request and steals the cookie, turning the attacker's request into an authenticated one. No keep-alive needed, no special server configuration needed at all!

Filed under Cryptography, Tiếng Việt, Vulnerabilities, Web Security. Tagged with mitm, renegotiation, ssl, tls
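Two things in the post are worth seeing from the server's side in code: why the spliced stream of vector 2 hands the client's Cookie to the attacker's request, and why the CSRF remark above (no state changes over GET, a token bound to the session) is enough to make the spliced request harmless at the application layer. The following is an added example written for this page, not code from the post or from the paper it cites. It parses the combined request stream exactly as the post prints it, the way an HTTP/1.1 server that buffers pipelined requests would, and then runs the application-level check over each parsed request. The byte stream is constructed from the post's own request lines; the session-to-token table, the header name `X-CSRF-Token` and the set of state-changing paths are assumptions.

```python
"""Parsing the spliced request stream from the post, and the application-level
check that defeats it.

Added example, not code from the VNSECURITY post or from the paper it cites.
The first part parses the combined stream from attack vector 2 the way an
HTTP/1.1 server that buffers pipelined requests would, which shows why the
client's Cookie ends up on the attacker's unauthenticated request. The second
part is the defence the post mentions: refuse state changes over GET and
require a CSRF token bound to the session. The byte stream is constructed
from the post's own request lines; the session-to-token table, the header
name X-CSRF-Token and the list of state-changing paths are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_pipelined(stream: bytes):
    """Split a buffered stream of header-only HTTP/1.1 requests into Request objects.

    A request ends at the first blank line; every 'Name: value' line before that
    belongs to it. This is exactly what lets 'X-ignore-this: ' swallow the
    client's request line and turn the client's Cookie line into a header of
    the attacker's request.
    """
    requests = []
    for chunk in stream.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append(Request(method, target, version, headers))
    return requests


def cookie_value(req, name):
    """Return the value of cookie `name` from the Cookie header, or None."""
    for part in req.headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


STATE_CHANGING_PATHS = {"/account/transfer"}  # assumed list of money-moving endpoints


def authorize(req, session_tokens):
    """Application-level defence from the post: a state-changing action must be a
    POST and must carry a CSRF token equal to the one stored for the session.

    An attacker splicing plaintext into the stream never sees the token, because
    the page that carries it travels inside the TLS session he cannot read.
    """
    path = req.target.split("?", 1)[0]
    if path not in STATE_CHANGING_PATHS:
        return "allow"
    if req.method != "POST":
        return "deny: state change attempted via GET"
    session = cookie_value(req, "AuthMe")
    token = req.headers.get("x-csrf-token")
    if session is None or token is None or session_tokens.get(session) != token:
        return "deny: missing or mismatched CSRF token"
    return "allow"


# The attacker's two requests followed by the client's own one, as the server
# sees them after renegotiation (constructed from the request lines in the post).
SPLICED_STREAM = (
    b"GET /iphone/login HTTP/1.1\r\nHost: ebank.com\r\nConnection: keep-alive\r\n\r\n"
    b"GET /account/transfer?amount=1000&receiver=attacker HTTP/1.1\r\nHost: ebank.com\r\n"
    b"Connection: close\r\nX-ignore-this: "
    b"GET /index HTTP/1.1\r\nCookie: AuthMe=Now\r\n\r\n"
)

# A legitimate transfer from the real client, carrying the token from the bank's form.
LEGITIMATE_STREAM = (
    b"POST /account/transfer?amount=1000&receiver=friend HTTP/1.1\r\nHost: ebank.com\r\n"
    b"Cookie: AuthMe=Now\r\nX-CSRF-Token: 7f3a-session-bound-token\r\n\r\n"
)

SESSION_TOKENS = {"Now": "7f3a-session-bound-token"}  # assumed server-side session -> token table


def evaluate(stream, session_tokens=SESSION_TOKENS):
    """Parse a stream and return (requests, verdicts) for each request in order."""
    reqs = parse_pipelined(stream)
    return reqs, [authorize(r, session_tokens) for r in reqs]


if __name__ == "__main__":
    for req, verdict in zip(*evaluate(SPLICED_STREAM)):
        print(req.method, req.target, req.headers.get("cookie"), "->", verdict)
    print(evaluate(LEGITIMATE_STREAM)[1])
```

Run on the spliced stream, the parser yields two requests, and the second one (the attacker's transfer) carries `cookie: AuthMe=Now` and an `x-ignore-this` header whose value is the client's entire request line, which is the whole trick in one data structure. The same request is then denied because it is a GET; if the attacker had used a POST as in vector 1, it would be denied for lacking the session-bound token. This check is a mitigation at the application layer only; it does nothing for the protocol defect itself, which has to be fixed in the TLS implementations.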

Microsoft Security Essentials official release

September 29, 2009 by lamer

What really interests me is not the quality of this anti-virus product (it is good, fine: http://www.computerworld.com/s/article/9134753/Antivirus_testing_outfit_Microsoft_Security_Essentials_makes_the_grade) but rather:

1. Will anyone still want to spend 290.000 on one of those dubious anti-virus products?
2. Will there still be any self-congratulation over anti-virus products for Windows?

Having read this news, you may want to try downloading MSE at http://www.microsoft.com/Security_essentials/.

Filed under Anti-Virus, Malware / Rootkit / Hostile Code, Tiếng Việt

Moving house

June 10, 2009 by leenmie

As of today we have moved over here. Welcome home.

Filed under Misc, Tiếng Việt

Decree 90/2008/NĐ-CP and Circular 12/2008/TT-BTTTT

February 9, 2009 by lamer

Strangely, quite apart from other basic technical problems, the coordination center itself uses e-mail addresses like these:

office@vncert.vn
canhbaothurac@vncert.vn
canhbaothurac@gmail.com
canhbaothurac@yahoo.com.vn

First, the web site of this center under the Ministry of Information and Communications has the address http://antispam.vncert.gov.vn, so how can it not manage to create a few mail addresses on the same domain, or at least under @vncert.gov.vn? Second, the domain vncert.vn does not reflect State administration at all; it looks exactly like an ordinary commercial domain. Third, and worst of all, free services such as gmail.com and yahoo.com.vn are being used to receive sensitive information. This makes it easy for impostors to create accounts that look like canhbaothurac, such as canhbaospam, canhbaovncert, etc. Is the anti-spam coordination center really going to lend the spammers a hand?

Filed under Legal Issues, Tiếng Việt

Powered by WordPress. Copyright 2013 All Rights Reserved VNSECURITY TEAM
