Your SlideShare is downloading. ×
ECSA Cyber Security Conference 2011
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

ECSA Cyber Security Conference 2011

658
views

Published on

A session of Live Hacking demonstrations at the ECSA Cyber Security Conference 2011 (Belgium) to law enforcement and private community.

A session of Live Hacking demonstrations at the ECSA Cyber Security Conference 2011 (Belgium) to law enforcement and private community.

Published in: Technology

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
658
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. ECSA  Cyber  Security  Conference  2011  Some  hands-­‐on  threat  demonstra.ons    Cyber  Security  2011  (13-­‐Dec-­‐2011)        Filip  Maertens  Avydian  Cyber  Defense   Cyber  Defense  Group  
  • 2. Agenda  ➤  Demo  1:  The  Curious  Case  of  Benjamin  BuGon  ➤  Demo  2:  Thanks  for  the  free  Wi-­‐Fi  ➤  Demo  3:  Hm.  Now,  I  need  free  Wi-­‐Fi    ➤  Demo  4:  Social  Engineering  on  social  networks  ➤  Demo  5:  IntercepTng  GSM  networks   Cyber  Defense  Group  
  • 3. About  the  speaker  ➤  Cybercrime  invesTgator  and  tacTcal  cyber  security  advisor  ➤  Head  of  Cyber-­‐Security  at  European  Corporate  Security  AssociaTon  ➤  CISSP,  CISM,  CISA,  CPO,  CFE  …  and  CCSP  (“cer.fied  common  sense  prac..oner”)  ➤  MSc.  InformaTon  Risk  and  BSc.  InformaTon  OperaTons  ➤  Mobile  aficionado  (building  mobile  channels  for  Fortune  500  banks)   Cyber  Defense  Group  
  • 4. Demo  1  –  The  Curious  Case  of  Benjamin  BuBon     (or  how  curiosity  killed  the  cat)   Cyber  Defense  Group  
  • 5. The  ABack  -­‐  PreparaDon  ➤  Prepare  a  USB  with  a  maliciously  cra[ed  file  and   drop  it  somewhere.    Then  wait.  ➤  ExploitaTon  of  human  weakness  ➤  ExploitaTon  of  system  weakness   Cyber  Defense  Group  
  • 6. The  ABack  –  PreparaDon  (2/2)  ➤  Make  a  good  payload:   ➤  Obfuscated  key-­‐logger     ➤  Adobe  Acrobat  Reader  10.x   0day  exploit  (PDF)  ➤  Once  the  Acrobat  is   exploited,  our  key-­‐logger  is   silently  installed   Cyber  Defense  Group  
  • 7. The  ABack  –  ExecuDon  (Step  1)   Cyber  Defense  Group  
  • 8. The  ABack  –  ExecuDon  (Step  2)  Live  Demo:  Silent  install  of  key-­‐logger   Cyber  Defense  Group  
  • 9. Defending  against  the  aBack  ➤  Don’t  take  candy  from  a  stranger:   ➤  Always  approach  unknown  storage  hardware   with  great  cauTon   ➤  Do  not  open  files  (seriously)   ➤  …  and  if  you  must,  open  it  in  an  isolated  test   environment  ➤  PracTce  sound  personal  system  security   pracTces   Cyber  Defense  Group  
  • 10. Demo  2  –  Thanks  for  the  free  Wi-­‐Fi!    (or,  if  something  looks  to  be  good  to  be  true…  it  usually  is)   Cyber  Defense  Group  
  • 11. The  ABack  -­‐  PreparaDon  ➤  Prepare  a  rogue  access  point:   ➤  Deny  access  to  exis.ng  Access  Point   ➤  Set  up  your  own  Access  Point  (with  sslstrip)   ➤  Intercept  all  traffic  going  over  the  wire  ➤  ExploitaTon  of  human  weakness  ➤  ExploitaTon  of  system  weakness   Cyber  Defense  Group  
  • 12. The  ABack  –  ExecuDon  Live  Demo:  Capture  usernames  +  passwords  of  a  user   Cyber  Defense  Group  
  • 13. Defending  against  the  aBack  ➤  Never  assume  (“it  makes  an  ass  of  u  and  me”):   ➤  Always  ask  for  the  SSID  of  the  Hotel  or  public  area    ➤  Be  vigilant  /  aware  of  abnormal  behavior:   ➤  Someone  in  a  parked  car  with  a  laptop   ➤  Unusual  slow  Internet  access   ➤  Abnormal  traceroute  paths   ➤  Abnormal  SSL  cerTficates  presented  (or  broken  cerTficates)   ➤  Automated  connects  aren’t  automated  any  more   Cyber  Defense  Group  
  • 14. Demo  3  –  Hm.  Now,  I  need  free  Wi-­‐Fi!     (wireless  hacking  for  fun  and  profit)   Cyber  Defense  Group  
  • 15. The  ABack  -­‐  PreparaDon  ➤  Set  up  a  Linux  machine  with  a  wireless  card  ➤  Put  network  card  in  promiscuous  mode,  so  it   starts  to  listen  to  all  wireless  traffic  around  you  ➤  Capture  all  traffic  and  do  this  unTl  you  have   capture  a  WPA  Handshake  session.  ➤  Decode  the  passphrase  (PSK)  by  doing  offline   cracking.   Cyber  Defense  Group  
  • 16. The  ABack  –  ExecuDon  Live  Demo:  Hack  an  Access  Point  (WPA2-­‐PSK)   Cyber  Defense  Group  
  • 17. Defending  against  the  aBack  ➤  Don’t  use  Pre-­‐Shared  Key  protecTon:   ➤  But  if  you  have  no  choice,  make  it  extremely  long  (  >  35  chars)   ➤  Change  the  PSK  every  month  or  quarter   ➤  Change  the  SSID  to  a  non-­‐default  SSID   ➤  Don’t  use  WPA2-­‐TKIP,  but  WPA2-­‐AES  ➤  Monitor  your  Internet  usage  to  check  for  excessive   bandwidth  usage.  ➤  Have  a  firewall  between  the  AP  and  your  network.   Cyber  Defense  Group  
  • 18. Demo  4  –  Social  Engineering  on  Social  Networks     (trying  to  score  a  date  with  Sophie  Draufster)   Cyber  Defense  Group  
  • 19. The  ABack  -­‐  PreparaDon  ➤  Back  in  2010:  Sophie  Draufster  was  born  on   Facebook  and  LinkedIn  ➤  Reason  for  existence:  Social  engineering  of   execuTves  of  large  consulTng  firms  ➤  Results:   ➤  Facebook  Friends:  105   ➤  LinkedIn  Requests:  133   ➤  Divulging  of  confidenTal  informaTon:  73   ➤  Explicit  date  requests:  33   Cyber  Defense  Group  
  • 20. The  ABack  -­‐  Results   Cyber  Defense  Group  
  • 21. Defending  against  the  aBack  ➤  Be  vigilant  and  know  who  you  are  talking  to:   ➤  Why  would  a  (gorgeous  looking)  stranger  befriend  you  ?   ➤  Never  post  /  talk  /  tweet  /  …  classified  business   ➤  Be  trained  to  detect  social  engineering  aGacks  (paranoia   can’t  hurt)  ➤  Claim  your  own  idenTty  (before  someone  else  does)  ➤  Social  networks  only  for  offline  trusted  friends   Cyber  Defense  Group  
  • 22. Demo  5  –  IntercepDng  GSM  networks    (build  your  own  tacTcal  intercepTon  device)   Cyber  Defense  Group  
  • 23. The  ABack  -­‐  PreparaDon   Trixie  ➤  Become  your  own  operator:   R/TFX900   Priceless   175  USD   ➤  Universal  So[ware  Radio  Peripheral   ➤  GNUradio  Project   ➤  OpenBTS  /  OpenBSC  /  SMSqueue   USRP   800  USD   ➤  OsmocomBB   ➤  Asterisk   52  Mhz  ➤  Under  1,500  USD  you  cover  up  to   37  USD   300  m  of  GSM  signal  (indoor)  +  2   channels  (850/900/1800/1900).   Cyber  Defense  Group  
  • 24. The  ABack  -­‐  Background  (1/2)  ➤  GSMA  is  not  too  worried,  though  :   “  …  intercept  approach  has  underesDmated  its  pracTcal  complexity   A  hacker  would  need  a  radio  receiver  system  and  the  signal  processing     so]ware  necessary  to  process  the  raw  radio  data.  CSMA,  Aug  2009   ✓  UnderesDmated  complexity:  Ability  to  decrypt  A5  family  in  (near)  real  Tme  (2009)   ✓  UnderesDmated  complexity:  IMSI  catching,  bypass  A3/A8,  …  (2010)   ✓  Radio  receiver  system:  USRP  /  USRP2  +  GNUradio  +  OpenBTS  (you  know,  the  so]ware)   Cyber  Defense  Group  
  • 25. The  ABack  -­‐  Background  (2/2)   If  it  looks  like  a  duck   ,  walks  like  a  duck   ,  talks  like  a  duck   =   it’s  a  duck  !   ?  MCC=206,  MNC=020   Handset  registers  to  who  ?   This  is  where  you  do  “Hello”   Cyber  Defense  Group  
  • 26. The  ABack  –  ExecuDon  Disclaimer  –  Only  used  for  test  and  protocol  analysis  purposes.  No  real  operator  MMC  or  MNC  data,  frequencies  and  spectrum  used.  No  operator  BTS,  BSC  or  HLR  infrastructure  is  (ab)used.    Live  Demo:  IntercepDon  of  SMS  Live  Demo:  IntercepDon  of  Voice  Call   Cyber  Defense  Group  
  • 27. The  ABack  –  Summary   OTP  over  SMS   Insecure     Making  calls   Insecure     Cyber  Defense  Group  
  • 28. Defending  against  the  aBack  ➤  Sudden  and/or  repeated  network  signal  loss  ➤  Sudden  3G  data  loss  (where  it  is  abnormal)  ➤  Cryptographic  voice  streaming  over  3G  (A5.3)  ➤  Sudden  downgrade  from  A5.1  to  A5.0/A5.2  ➤  …  but  passive  intercepTon  =>  undetectable  from  handheld   Cyber  Defense  Group  
  • 29. Taking  it  to  an  non-­‐defendable  level   Cyber  Defense  Group  
  • 30. ECSA  Cyber  Security  Conference  2011  Some  hands-­‐on  threat  demonstra.ons    Cyber  Security  2011  (13-­‐Dec-­‐2011)        Filip  Maertens  filip.maertens@avydian.com   Cyber  Defense  Group