The document describes an upcoming cyber security conference presentation on hands-on threat demonstrations. The agenda includes demonstrations of malware installation via a malicious USB drive, capturing usernames and passwords on a rogue open wireless network, hacking into a wireless network protected with WPA2-PSK, and social engineering executives on social media using a fake profile. The speaker is introduced as an experienced cybercrime investigator and security advisor who will demonstrate these attack scenarios live. Attendees are encouraged to learn techniques to defend against these types of attacks.
ECSA Cyber Security Conference 2011
1. ECSA Cyber Security Conference 2011
Some hands-on threat demonstrations
Cyber Security 2011 (13-Dec-2011)
Filip Maertens, Avydian Cyber Defense
Cyber Defense Group
2. Agenda
➤ Demo 1: The Curious Case of Benjamin Button
➤ Demo 2: Thanks for the free Wi-Fi
➤ Demo 3: Hm. Now, I need free Wi-Fi
➤ Demo 4: Social Engineering on social networks
➤ Demo 5: Intercepting GSM networks
3. About the speaker
➤ Cybercrime investigator and tactical cyber security advisor
➤ Head of Cyber-Security at European Corporate Security Association
➤ CISSP, CISM, CISA, CPO, CFE … and CCSP (“certified common sense practitioner”)
➤ MSc. Information Risk and BSc. Information Operations
➤ Mobile aficionado (building mobile channels for Fortune 500 banks)
4. Demo 1 – The Curious Case of Benjamin Button (or how curiosity killed the cat)
5. The Attack - Preparation
➤ Prepare a USB with a maliciously crafted file and drop it somewhere. Then wait.
➤ Exploitation of human weakness
➤ Exploitation of system weakness
6. The Attack – Preparation (2/2)
➤ Make a good payload:
  ➤ Obfuscated key-logger
  ➤ Adobe Acrobat Reader 10.x 0day exploit (PDF)
➤ Once the Acrobat is exploited, our key-logger is silently installed
7. The Attack – Execution (Step 1)
8. The Attack – Execution (Step 2)
Live Demo: Silent install of key-logger
9. Defending against the attack
➤ Don’t take candy from a stranger:
  ➤ Always approach unknown storage hardware with great caution
  ➤ Do not open files (seriously)
  ➤ … and if you must, open it in an isolated test environment
➤ Practice sound personal system security practices
10. Demo 2 – Thanks for the free Wi-Fi! (or, if something looks too good to be true… it usually is)
11. The Attack - Preparation
➤ Prepare a rogue access point:
  ➤ Deny access to existing Access Point
  ➤ Set up your own Access Point (with sslstrip)
  ➤ Intercept all traffic going over the wire
➤ Exploitation of human weakness
➤ Exploitation of system weakness
12. The Attack – Execution
Live Demo: Capture usernames + passwords of a user
13. Defending against the attack
➤ Never assume (“it makes an ass of u and me”):
  ➤ Always ask for the SSID of the Hotel or public area
➤ Be vigilant / aware of abnormal behavior:
  ➤ Someone in a parked car with a laptop
  ➤ Unusually slow Internet access
  ➤ Abnormal traceroute paths
  ➤ Abnormal SSL certificates presented (or broken certificates)
  ➤ Automated connects aren’t automated any more
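The "abnormal traceroute paths" indicator above can be turned into a mechanical check: record a traceroute once while you are on the venue's real network, then compare later traces against it. The script below is an added example (not part of the deck) that does exactly that on two constructed traceroute outputs: in the suspect trace a device the baseline never saw sits in front of the expected gateway, which is what a rogue access point in the path looks like. The addresses and the three-hop window are assumptions for the example.

```python
import re

# Constructed sample output from a known-good session (first three hops):
# the venue gateway, the ISP edge, and one upstream router.
BASELINE_TRACE = """\
 1  10.0.0.1 (10.0.0.1)  2.1 ms  1.9 ms  2.0 ms
 2  192.0.2.1 (192.0.2.1)  8.4 ms  8.6 ms  8.1 ms
 3  198.51.100.7 (198.51.100.7)  12.9 ms  13.1 ms  12.7 ms
"""

# Constructed sample taken while attached to a look-alike SSID: a device the
# baseline never saw (192.168.55.1) now sits in front of the real gateway.
SUSPECT_TRACE = """\
 1  192.168.55.1 (192.168.55.1)  1.3 ms  1.2 ms  1.4 ms
 2  10.0.0.1 (10.0.0.1)  3.0 ms  2.9 ms  3.2 ms
 3  192.0.2.1 (192.0.2.1)  9.1 ms  9.0 ms  9.3 ms
 4  198.51.100.7 (198.51.100.7)  13.2 ms  13.0 ms  13.5 ms
"""

# hop number, hostname/IP, then the IP in parentheses (traceroute's usual layout)
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([\d.]+)\)")


def parse_hops(text):
    """Return hop IPs in order; a row without an address ('* * *') becomes None."""
    hops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = HOP_RE.match(line)
        hops.append(match.group(2) if match else None)
    return hops


def compare_paths(baseline_text, current_text, hops_to_check=3):
    """Compare the first `hops_to_check` hops of a fresh trace with the baseline.

    Returns a list of human-readable findings; an empty list means the path
    looks like the baseline.
    """
    base = parse_hops(baseline_text)[:hops_to_check]
    if not base:
        raise ValueError("baseline trace has no parsable hops")
    cur = parse_hops(current_text)
    findings = []
    first = cur[0] if cur else None
    if first != base[0]:
        findings.append(f"first hop changed: expected {base[0]}, got {first}")
    if base[0] in cur[1:]:
        position = cur.index(base[0]) + 1
        findings.append(f"expected gateway {base[0]} now at hop {position}: an extra device is in the path")
    unknown = [h for h in cur[:hops_to_check] if h is not None and h not in base]
    if unknown:
        findings.append(f"hops not in baseline within the first {hops_to_check}: {', '.join(unknown)}")
    return findings


if __name__ == "__main__":
    for finding in compare_paths(BASELINE_TRACE, SUSPECT_TRACE):
        print("ALERT:", finding)
```

Only the first few hops are compared because everything beyond the ISP edge legitimately changes from day to day; the signal you care about is a new device between your laptop and the gateway you expected.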
14. Demo 3 – Hm. Now, I need free Wi-Fi! (wireless hacking for fun and profit)
15. The Attack - Preparation
➤ Set up a Linux machine with a wireless card
➤ Put network card in promiscuous mode, so it starts to listen to all wireless traffic around you
➤ Capture all traffic and do this until you have captured a WPA Handshake session.
➤ Decode the passphrase (PSK) by doing offline cracking.
16. The Attack – Execution
Live Demo: Hack an Access Point (WPA2-PSK)
17. Defending against the attack
➤ Don’t use Pre-Shared Key protection:
  ➤ But if you have no choice, make it extremely long (> 35 chars)
  ➤ Change the PSK every month or quarter
  ➤ Change the SSID to a non-default SSID
  ➤ Don’t use WPA2-TKIP, but WPA2-AES
➤ Monitor your Internet usage to check for excessive bandwidth usage.
➤ Have a firewall between the AP and your network.
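Two of the defences on this slide (a very long passphrase and a non-default SSID) follow directly from how WPA2-Personal turns a passphrase into the key: the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations (IEEE 802.11i), so offline cracking of a captured handshake costs 4096 iterations per guess and any precomputed table is tied to one SSID. The script below is an added example, not the deck's own material; it derives the PSK with the standard library, checks it against the published 802.11i test vector (passphrase "password", SSID "IEEE"), and encodes the slide's advice as a small audit. The 36-character threshold (the slide's "> 35 chars") and the list of default SSIDs are assumptions for the example.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_LENGTH = 32            # 256-bit pairwise master key

# Constructed list of vendor-default SSIDs for the policy check (not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless", "belkin54g"}
MIN_PASSPHRASE_CHARS = 36  # the slide's "> 35 chars"


def derive_psk(passphrase, ssid):
    """WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    The SSID is the salt, which is why a non-default SSID defeats precomputed
    PSK tables: a table built for "linksys" is useless against any other name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LENGTH)


def passphrase_entropy_bits(passphrase):
    """Crude upper-bound entropy estimate: length * log2(size of character pool used).

    Passphrases built from dictionary words carry far fewer bits than this,
    which is why the slide asks for sheer length rather than "complexity".
    """
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation and space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_wpa_config(passphrase, ssid, pairwise):
    """Check an AP's WPA2-Personal settings against the slide's advice.

    Returns a list of findings; an empty list means the configuration passes.
    """
    findings = []
    if len(passphrase) < MIN_PASSPHRASE_CHARS:
        findings.append(f"passphrase is {len(passphrase)} chars; make it > 35")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(f"SSID {ssid!r} is a vendor default; precomputed PSK tables exist for it")
    if pairwise.upper() == "TKIP":
        findings.append("pairwise cipher TKIP selected; use CCMP (AES) instead")
    return findings


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: a completely different PSK.
    print(derive_psk("password", "IEEE-guest").hex())
    for finding in audit_wpa_config("password", "linksys", "TKIP"):
        print("FINDING:", finding)
```

Note what the derivation does not protect against: once a handshake is captured, the 4096 iterations only slow the guessing rate, so the passphrase's real entropy is the whole defence, and rotating it monthly or quarterly (the slide's second bullet) limits how long a cracked key stays useful.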
18. Demo 4 – Social Engineering on Social Networks (trying to score a date with Sophie Draufster)
19. The Attack - Preparation
➤ Back in 2010: Sophie Draufster was born on Facebook and LinkedIn
➤ Reason for existence: Social engineering of executives of large consulting firms
➤ Results:
  ➤ Facebook Friends: 105
  ➤ LinkedIn Requests: 133
  ➤ Divulging of confidential information: 73
  ➤ Explicit date requests: 33
21. Defending against the attack
➤ Be vigilant and know who you are talking to:
  ➤ Why would a (gorgeous looking) stranger befriend you?
  ➤ Never post / talk / tweet / … classified business
➤ Be trained to detect social engineering attacks (paranoia can’t hurt)
➤ Claim your own identity (before someone else does)
➤ Social networks only for offline trusted friends
22. Demo 5 – Intercepting GSM networks (build your own tactical interception device)
23. The Attack - Preparation
➤ Become your own operator:
  ➤ Universal Software Radio Peripheral
  ➤ GNUradio Project
  ➤ OpenBTS / OpenBSC / SMSqueue
  ➤ OsmocomBB
  ➤ Asterisk
➤ Under 1,500 USD you cover up to 300 m of GSM signal (indoor) + 2 channels (850/900/1800/1900).
(Figure: hardware price labels: “Trixie”, R/TFX900 175 USD, USRP 800 USD, 52 MHz, 37 USD, “Priceless”)
24. The Attack - Background (1/2)
➤ GSMA is not too worried, though: “… intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data.” (GSMA, Aug 2009)
✓ Underestimated complexity: Ability to decrypt A5 family in (near) real time (2009)
✓ Underestimated complexity: IMSI catching, bypass A3/A8, … (2010)
✓ Radio receiver system: USRP / USRP2 + GNUradio + OpenBTS (you know, the software)
25. The Attack - Background (2/2)
If it looks like a duck, walks like a duck, talks like a duck = it’s a duck!?
(Figure labels: MCC=206, MNC=020; Handset registers to who?; This is where you do “Hello”)
26. The Attack – Execution
Disclaimer – Only used for test and protocol analysis purposes. No real operator MCC or MNC data, frequencies and spectrum used. No operator BTS, BSC or HLR infrastructure is (ab)used.
Live Demo: Interception of SMS
Live Demo: Interception of Voice Call
27. The Attack – Summary
OTP over SMS: Insecure
Making calls: Insecure
28. Defending against the attack
➤ Sudden and/or repeated network signal loss
➤ Sudden 3G data loss (where it is abnormal)
➤ Cryptographic voice streaming over 3G (A5.3)
➤ Sudden downgrade from A5.1 to A5.0/A5.2
➤ … but passive interception => undetectable from handheld
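The handset-side indicators on this slide (repeated signal loss, a sudden fall from 3G to 2G, and a cipher downgrade from A5/1 to A5/0 or A5/2) only help if something is watching for them. The script below is an added example, not from the deck: it runs a small detector over a constructed event log from a hypothetical baseband monitor. The log format, the field names (rat, lac, cid, cipher) and the five-minute window are assumptions for the example; ordinary phones do not expose the cipher in use, and, as the last bullet says, a purely passive interceptor produces none of these events at all, so these checks catch the active case only.

```python
import re
from datetime import datetime, timedelta

# Constructed event log from a hypothetical handset/baseband monitor.
# Layout and field names are assumptions for this example. UMTS lines carry no
# GSM cipher field; GSM lines report the A5 variant the cell negotiated.
SAMPLE_LOG = """\
2011-12-13T10:00:00 cell rat=UMTS lac=1234 cid=5678
2011-12-13T10:00:30 cell rat=UMTS lac=1234 cid=5678
2011-12-13T10:01:05 signal event=lost
2011-12-13T10:01:20 cell rat=GSM lac=1234 cid=9001 cipher=A5/1
2011-12-13T10:01:50 signal event=lost
2011-12-13T10:02:10 cell rat=GSM lac=1234 cid=9001 cipher=A5/0
"""

# Higher rank = stronger; A5/0 means no encryption at all.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}

EVENT_RE = re.compile(r"^(\S+)\s+(cell|signal)\b(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return (timestamp, kind, fields) or None for a line that does not parse."""
    match = EVENT_RE.match(line)
    if not match:
        return None
    ts = datetime.fromisoformat(match.group(1))
    return ts, match.group(2), dict(FIELD_RE.findall(match.group(3)))


def detect_indicators(lines, loss_window=timedelta(minutes=5), loss_threshold=2):
    """Scan events for the slide's three handset-side indicators.

    Returns a list of alert strings: repeated signal loss inside `loss_window`,
    a drop from 3G (UMTS) to 2G (GSM), and a cipher downgrade such as A5/1 -> A5/0.
    """
    alerts = []
    prev_rat = None
    prev_cipher = None
    loss_times = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, kind, fields = event
        when = ts.isoformat()
        if kind == "signal":
            if fields.get("event") == "lost":
                # keep only losses inside the window, then add this one
                loss_times = [t for t in loss_times if ts - t <= loss_window] + [ts]
                if len(loss_times) >= loss_threshold:
                    alerts.append(f"{when} repeated signal loss: {len(loss_times)} events within {loss_window}")
            continue
        rat = fields.get("rat")
        if prev_rat == "UMTS" and rat == "GSM":
            alerts.append(f"{when} 3G lost: fell back from UMTS to GSM on lac={fields.get('lac')}")
        cipher = fields.get("cipher")
        if cipher and prev_cipher and CIPHER_RANK.get(cipher, 0) < CIPHER_RANK.get(prev_cipher, 0):
            alerts.append(f"{when} cipher downgrade {prev_cipher} -> {cipher} on cid={fields.get('cid')}")
        prev_rat = rat
        if cipher:
            prev_cipher = cipher
    return alerts


if __name__ == "__main__":
    for alert in detect_indicators(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

On the constructed log the detector raises three alerts in order: the fall from UMTS to GSM, the second signal loss inside the window, and the A5/1 to A5/0 downgrade. Each of these also happens innocently (basements, cell edges, roaming), which is why the slide phrases them as things to notice rather than proof of interception.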
29. Taking it to a non-defendable level
30. ECSA Cyber Security Conference 2011
Some hands-on threat demonstrations
Cyber Security 2011 (13-Dec-2011)
Filip Maertens
filip.maertens@avydian.com