Thank you for collaborating with your local hackers

Slide 1: Thank you for collaborating with your local h4¢k3r$ !
  C:>format C: Y/N _
  Christian “Check your Wifi” Frenette
  Michel “You’ve been H4x0r3d!” Cusin
  CSE Conference – Mont-Tremblant, October 16, 2009
  © Bell Canada, 2009. All rights reserved

Slide 2: Start to think out of the box…
  … and realize what hackers know that you don't… !
  Because they WILL use it to their advantage, against you or your customers !

Slide 3: Let’s try to think out of the box…
  • How can we make 4 triangles with 6 matches… ?

Slide 4: (image only: two question marks)

Slide 5: You have to think out of the box, just like the hackers do…
  (figure: the four triangles, labelled 1 to 4)
  You know what we’re getting at… Right ?

Slide 6: Overview of the presentation
  • Public information gathering
  • The WiFi Landscape
  • Social Networks / Social hacking / Engineering
  • Spamming, phishing & Cross-site Scripting
  • The infamous Botnets
Slide 7: Public information gathering
  • Whois, nslookup / dig, ARIN, RF monitoring, etc…
  • Google (Maps / Earth, Groups, Blogs, Images, etc…)
  • Wigle.net, Wireless Geographic Logging Engine
  • Enterprise Register
  • Specialized tools (Maltego, Lazy Champ, Kismet, etc…)
  • Social Networking Sites
  • Did you know you were leaking that much..?

Slide 8: The WiFi Landscape
  • Uses radio frequencies
  • Electromagnetic shared medium, think hub !
  • Physical environment dependencies
  • Users can move, physical environment can change
  • CSMA/CA instead of CSMA/CD, or “transmit and pray”
  • Indoor / outdoor
  • Antenna pattern
  • New security considerations

Slide 9: New vector to protect from….
  • Protect the network from unauthorized users
    – Rogue AP, session hijacking, eavesdropping
  • Protect users from unauthorized networks
    – Fake AP
  (diagram: fake AP between the network and its users)

Slide 10: Don’t
  • Disclose personal information in the SSID name of your network
  • Relying on masking your SSID is useless:
    – Provides a false sense of security
    – Users don’t know it and reach for another network
    – The stations broadcast the SSID they’re trying to reach anyway (probe requests)
  • Filtering MAC addresses is useless
    – Always transmitted in clear text
    – Easy to spoof
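Slide 10 states the two facts that make SSID hiding and MAC filtering weak: a station names the network it wants in its probe request, and the source MAC is a cleartext, unauthenticated field. The decoder below is an added example written for this page (Python, not from the deck or its authors); it parses a constructed 802.11 probe request frame, the same thing a wireless IDS sensor sees on the air, and shows both fields in the clear. The frame bytes, the MAC 00:11:22:aa:bb:cc and the SSID "HiddenHomeNet" are constructed for the example.

```python
"""Decode an IEEE 802.11 probe request (added example; sample frame constructed).

A station that was configured for a "hidden" SSID puts that SSID in its probe
requests, and the transmitter address it uses is whatever the radio driver
was told to send. Decoding one frame makes both points concrete and shows
what a wireless IDS actually has to work with.
"""

MGMT_PROBE_REQ = 0x40  # frame-control byte 0: type 0 (management), subtype 4


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes) -> dict:
    """Return transmitter MAC, probed SSID and supported rates of one frame.

    Raises ValueError when the frame is not a probe request.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0 = frame[0]
    if fc0 & 0xFC != MGMT_PROBE_REQ:  # mask off the 2 protocol-version bits
        raise ValueError(f"not a probe request (frame control 0x{fc0:02x})")
    # Management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
    addr2 = frame[10:16]  # transmitter address = the probing station
    body = frame[24:]
    elements = {}
    pos = 0
    while pos + 2 <= len(body):  # tagged parameters: id(1) len(1) value
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + elen]
        if len(value) < elen:
            break  # truncated element, stop parsing
        elements[eid] = value
        pos += 2 + elen
    ssid_raw = elements.get(0, b"")  # element id 0 = SSID
    rates_raw = elements.get(1, b"")  # element id 1 = supported rates
    return {
        "source_mac": mac_str(addr2),
        "ssid": ssid_raw.decode("utf-8", "replace"),
        "wildcard": len(ssid_raw) == 0,  # empty SSID = "any network"
        "rates_mbps": [(b & 0x7F) / 2 for b in rates_raw],
    }


# Constructed sample frames (not captured traffic).
_HDR = "4000 0000 ffffffffffff 001122aabbcc ffffffffffff 0000"
SAMPLE = bytes.fromhex(_HDR + " 000d") + b"HiddenHomeNet" + bytes.fromhex("010482848b96")
WILDCARD_SAMPLE = bytes.fromhex(_HDR + " 0000 010482848b96")

if __name__ == "__main__":
    print(parse_probe_request(SAMPLE))
    print(parse_probe_request(WILDCARD_SAMPLE))
```

The directed probe (SAMPLE) shows the "hidden" network name leaving the laptop on every scan, which is why the deck calls masking a false sense of security; the defender's answer is the control set in slide 26 (strong authentication and encryption, monitoring) rather than obscurity.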
Slides 11 to 13: (image only)
Slide 14: DoS attacks require expensive equipment
  • Microwave “fork” attack
    – Usually 2.450 GHz, just between channels 8 and 9 in the ISM band, and 500 to 1000 watts !!! vs. 4 watts for an AP
  • WiFi jammer

Slide 15: We are protected…
  • We have a firewall
    – Facing the Internet ! (dude!!!)
    – We provide a corporate LAN access jack
      • in the parking lot (WiFi)
  • We don’t have any wireless… nor any policies !
    – Nor any wireless detection ;-(
    – Laptop with WiFi card (ad-hoc mode)
  (diagram: Internet)

Slide 16: Authentication & encryption
  • We use encryption
    – WEP-RC4 or TKIP-RC4, AES-CCMP
  • We use authentication
    – PSK or Enterprise (e.g. RADIUS)
    – SSID, 802.1X, EAP-TLS, PEAP, etc. (password, certificate)
    – EAP, sitting on WEP/TKIP, AES ?
    – Always use a strong password policy (LEAP / ASLEAP)
Slide 17: Working @ home
  • “I use WEP, WPA-PSK”
    – You are acting like a rogue AP if your home network is not protected
  • “Anyway, I use a VPN to connect to the office”
    – You’re lucky if it never drops when you’re not in front of your PC
    – Enforce layer 2 security even if you use a VPN
  • “All PCs at home are safe”
    – Kids’ PCs, PlayStation, lots of threats from the inside

Slide 18: Rogue threats
  • Good guys, friendly/unaware
    – Implemented by users to facilitate network access, always against organization policy (when one exists…)
  • Malicious
    – To provide a network backdoor
  • Unintended
    – Authorized but misconfigured equipment

Slide 19: Ad-Hoc mode
  • Ad-hoc mode is insecure
    – All stations control the communication, no APs
    – Unencrypted or WEP
      • Looks the same, or very close
      • With aircrack-ng you get the WEP key and import it in Wireshark to decrypt on the fly
    – Users may use the Windows bridging utility to give access to the wired LAN from the ad-hoc segment

Slide 20: Free WiFi access – Wonderful hot spot
  • The hot spot controller only identifies authorized users by MAC+IP address
  • At login, a popup logoff window is opened, normally blocked by the popup blocker
  • Sessions stay active until the inactivity timeout
  • Excellent recipe for session hijacking
    – Script to monitor inactivity
    – Spoof MAC and IP address (Pickupline)
Slide 21: Hot spot (cont.)
  • Hotspots are identified only by SSID
  • Stations reach for the highest signal
  • A high-power soft-AP may be used to capture clients
  (diagram: hotspot AP)

Slide 22: Hot spot… Sidejacking
  • Common for popular sites to do authentication over HTTPS (Gmail)
    – and revert to HTTP after authentication
  • Reason: they can support HTTPS for all users
    – HTTPS is an option you have to select
  • The attack consists of retrieving the session cookie, no need for your credentials
    – Attacker can impersonate the user
    – Doesn’t affect the active session
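The sidejacking weakness in slide 22 comes down to one cookie attribute: a session cookie set at HTTPS login is replayed on every later plain-HTTP request unless it carries the Secure flag. The checker below is an added example for this page (Python, not the deck's or Bell Canada's code) that audits the Set-Cookie headers of a login response and flags session-looking cookies missing Secure or HttpOnly. The header values, cookie names and the domain .mail.example are constructed for the example.

```python
"""Audit Set-Cookie headers for the sidejacking weakness (added example).

A site that authenticates over HTTPS and then falls back to HTTP leaks its
session cookie on every plain-HTTP request unless the cookie is marked
Secure; that cookie is exactly what a sidejacker at the hotspot collects.
The sample headers below are constructed, not captured.
"""

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    # Heuristic on the cookie name; tune the hint list for the site under review.
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> list:
    """Return findings for one Set-Cookie header (empty list = acceptable)."""
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    if not looks_like_session_cookie(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, sent on plain-HTTP requests (sidejackable)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by script injected into a page")
    return findings


def audit_response(set_cookie_headers: list) -> list:
    """Audit every Set-Cookie header of one HTTP response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_set_cookie(header))
    return findings


# Constructed samples: a login response whose session cookie will travel over
# HTTP afterwards (weak), and the same cookies with the attributes a defender wants.
WEAK_RESPONSE = [
    "SID=9f1c3e2b7a; Domain=.mail.example; Path=/; Expires=Fri, 16 Oct 2009 23:59:59 GMT",
    "PREF=lang%3Den; Domain=.mail.example; Path=/",
]
FIXED_RESPONSE = [
    "SID=9f1c3e2b7a; Domain=.mail.example; Path=/; Secure; HttpOnly",
    "PREF=lang%3Den; Domain=.mail.example; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_response(headers) or "no findings")
```

Secure keeps the cookie off plain-HTTP requests and HttpOnly keeps it away from injected script, but both only help if the site stays on HTTPS after login; the slide's point is that the sites of the day reverted to HTTP, which is why the hotspot recommendations that follow fall back to a VPN tunnel on the client side.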
Slide 23: Hot spot injection (Airpwn)
  Airpwn configuration:
    begin page_html
    match ^(GET|POST)
    ignore ^GET [^ ?]+.(jpg|jpeg|gif|png|tif|tiff)
    response content/page_html
  Injected response (content/page_html):
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    <html><head><title>HELLO CSE!</title>
    </head><body>
    <blink><font size=+5 color=red>
    Hello CSE! I'm watching you !
    </font>
    </blink>
    <p>
  (diagram: client HTTP request sniffed on the air, injected HTTP response, real request on its way to the Internet)
Slide 24: Hot spot recommendations
  • Lack of layer 2 security requires stronger upper-layer defences
  • Personal firewall, HIPS, AV are a must, and
    – Patch, patch, patch
  • Restrict permitted SSIDs
  • Use VPN-tunnelled traffic at hotspots
  • Security awareness for hot spot use

Slide 25: BlackBerry
  • They are secure, but users are not always
  • Social engineering vulnerability
    – Malware download: turn the BB into a remote camera or microphone, or redirect mail

Slide 26: 6 things to consider
  • Security policy
  • Strong authentication
  • Strong encryption
  • Monitoring
  • Auditing
  • Security awareness

Slide 27: Social Engineering
  What is social engineering?
  Are there any social engineers in the room ?
Slide 28: Social Networks and Social Engineering (image only)

Slide 29: Social Engineering + Social Networks =
  • Some people post their life
    – (Kids, vacations, etc.)
  • Security relies on a username/password
    – Could be easy to get in
  • ID spoofing
    – Could ask money from the victim’s known contacts
  • Koobface
    – Worm
    – Infected 2.9M machines in the US alone (social engineering)
      • Installs a web server and fake antivirus, sends fake messages
      • Foils CAPTCHA, steals data
      • Hijacks web sessions, changes Domain Name System (DNS) settings

Slide 30: Social Networks and Social Engineering
  • Microblog (max 140 characters -> SMS)
  • Security relies on a username/password
    – Could be easy to get in
  • ID spoofing
    – Could ask money from the victim’s known contacts
  • New way of spamming
  • Used to control botnets
  • All kinds of information can be posted on it (same as forums, BBs)
    – Corporate
    – Sensitive
    – Etc.

Slide 31: Spam
  • What is it ?
    Did you know that 86.4% of all e-mail in Sep 09 was spam ?
  • Who ?
  • Why ?
  • When ?
  • How ?

Slide 32: Phishing
  • What is it ?
    Did you know that 1 in 437 e-mails comprised a phishing attack?
  • Who ?
  • Why ?
  • When ?
  • How ?
  • Here are some examples…
Slides 33 and 34: Example of Phishing (image only)

Slides 35 and 36: XSS example
  (diagram: User, Web Site (very popular), Web Site (vulnerable to XSS))
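The XSS slides survive only as a diagram (user, popular site, vulnerable site), so the mechanism they illustrate is shown here in code as an added example for this page (Python, not the deck's own material): a search page that reflects the q parameter straight into HTML, beside the hardened version that encodes the value for the HTML context and adds defence-in-depth headers. The URL vulnerable.example and the payload are constructed for the example.

```python
"""Reflected XSS: vulnerable page builder beside its hardened form (added example).

A page that echoes a query parameter unencoded lets attacker-supplied markup
run in the victim's browser under the vulnerable site's origin; encoding the
value for the HTML text context turns it back into inert text. Everything
below (URL, payload, headers) is constructed for this example.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed: the kind of link a spam or phishing message would carry.
CONSTRUCTED_URL = "http://vulnerable.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url: str, name: str = "q") -> str:
    """Extract one query parameter, percent-decoded, as the server sees it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(query: str) -> str:
    # Untrusted input dropped straight into the markup: reflected XSS.
    return f"<h1>Results for {query}</h1>"


def render_search_hardened(query: str) -> str:
    # Output encoding for the HTML text context: < > & " ' become entities.
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def hardened_response(query: str) -> dict:
    """Body plus the defence-in-depth headers a hardened page should carry."""
    return {
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            # Blocks inline script even if an encoding mistake slips through.
            "Content-Security-Policy": "default-src 'self'",
        },
        "body": render_search_hardened(query),
    }


def reflects_script(rendered: str, user_input: str) -> bool:
    """Detection check: did the raw input survive into the page as a live <script> tag?"""
    return user_input in rendered and "<script" in rendered.lower()


if __name__ == "__main__":
    q = query_param(CONSTRUCTED_URL)
    print("vulnerable:", render_search_vulnerable(q))
    print("hardened:  ", render_search_hardened(q))
```

The same reflects_script check, run over a site's responses to a harmless marker string, is how a scanner or a code review confirms whether a parameter is reflected unencoded; the fix is always the encoding at the output point, with CSP as the backstop.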
Slide 37: Another example: Metasploit (image only)

Slide 38: Spamming + phishing = Lo$$ & Profit$
  (diagram: Spamming, Phishing, Lo$$ & Profit$)

Slide 39: The infamous botnet
  (diagram: IRC servers (Internet Relay Chat); relays in Japan, Russia and China; IRC client in Cuba)

Slide 40: Methods of propagation (image only)

Slide 41: (image only: X / OK)
Slide 42: (image only)

Slide 43: Peer to peer botnet (image only)

Slide 44: Fast flux botnet (image only)

Slide 45: Botnet controlled via Twitter (image only)

Slide 46: Botnet controlled via Google Groups (image only)

Slide 47: Security in surface…
  (diagram: Intrusion Detection, Antivirus, Firewall)

Slide 48: Security in depth
  (diagram: Intrusion Detection, Antivirus and Firewall at the centre, surrounded by the 10 domains of security of ISO 17799:)
  • Security Policy
  • Organizational Security
  • Information Classification
  • Personnel Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Systems Development and Maintenance
  • Business Continuity Management
  • Compliance
  * 10 domains of security - ISO 17799

Slide 49: Information security sometimes requires solutions that may not be in “a box”…

Slide 50: Questions ?