CSI - Poor Mans Guide To Espionage Gear
Presentation from the CSI (Computer Security Institute) Conference
Transcript

  • 1. Poor Man's Guide To Network Espionage Gear: Return of the Beast
      Shawn Merdinger, Independent Security Researcher & Consultant
      SEC-5, Computer Security Institute 33rd Annual, 2006.11.7
  • 2. About the speaker
      ● Independent security researcher & consultant
        – Current projects
          ● VoIP device security
          ● Emergency communications system security
      ● Former positions
        – TippingPoint
        – Cisco Systems (Security Technologies Assessment Team)
  • 3. British Spy Rock
  • 4. First-Generation Spy Rock?
  • 5. Warnings and Stuff
      ● This is academic research...the "how", not the "why"
      ● This is "dangerous information"...however
        – You have the right/need to know
        – I have the right/need to talk
      ● Oh yeah...and remember
        – Devices (in context) may be illegal...don't use
        – Activities (in context) may be illegal...don't do
  • 6. Objectives
      ● Academic information exchange
      ● My favorite cheap 'n mean gear (network focused)
      ● Attacks & countermeasures
      ● "The nasty"
      ● Resources
  • 7. Agenda
      ● Objectives
      ● Attacks
      ● Network Espionage Devices (NEDs)
      ● Gettin' Spooky with IT
      ● Countermeasures
  • 8. "Waiter, my mushroom soup tastes funny"
      Never underestimate the devastation of a "simple" attack
  • 9. Attacker Goals
      ● Attacker wants to accomplish...
        – Gain network access via a device at the victim's location
        – Attack internal/external hosts via TCP/IP
        – Attack phone/PDA/PC via Bluetooth
        – Passively gather information via sniffing
        – Establish other internal and external access
        – Impersonate services: webserver, database
        – Target a user: VIP VoIP connection
  • 10. Attack Tools
      ● Typical open-source methods and tools
        – Scanning & probing
        – Sniffing
        – Exploiting
        – Covert communications, reverse crypto connections
      ● Multiple protocols and entry points
        – Wired LAN
        – 802.11b/g wireless
        – Bluetooth
        – RFID
  • 11. NEDs
      ● My favorites
        – Linksys WRT54G
        – Linksys NSLU2
        – Nokia 770
        – Gumstix
        – PicoTux
      ● Plenty of others!
        – Access points, PDAs, game platforms, etc.
  • 12. Agenda
      ● Objectives
      ● Attacks
      ● Network Espionage Devices (NEDs)
      ● Gettin' Spooky with IT
      ● Countermeasures
  • 13. NED Characteristics
      ● Small, unobtrusive, ubiquitous, cute
      ● Low-cost, almost disposable
      ● Minimal power requirements
        – Power over Ethernet, battery, solar potential
      ● Multiple attack vector capability
        – Wired, wireless, Bluetooth, RFID
      ● Traditional forensics very difficult
        – Ephemeral filesystems running in RAM
        – Try that, EnCase!
  • 14. NED Characteristics
      ● Outbound reverse connections back to the attacker
        – Crypto tunnels bypass firewalls, IDS/IPS
        – "Under the radar" common protocols: DNS requests, ICMP, HTTP/S are typically allowed through firewalls
        – Proxies, anonymizers, bouncing through multiple boxes
      ● Ported attack tools and exploits
        – ARM processor-based
        – Hardware/software limitations and trade-offs
          ● Dependent libraries, GUIs, etc.
          ● Don't expect the Nessus GUI on Linksys routers
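The two "under the radar" channels slide 14 names, DNS queries and timed reverse connections over an allowed port, both leave a measurable shape in logs that a defender can score. The block below is an added example and is not code from the talk: it applies two heuristics to constructed log lines, a DNS-tunnel score (many unique, long, high-entropy leading labels under one zone) and a beaconing score (outbound flows whose spacing is nearly constant). The log formats, hosts, thresholds and the hypothetical zone `t.example.net` are all assumptions made for the example.

```python
"""Score ordinary DNS and connection logs for the covert channels a planted
device relies on. Added example, not from the original talk; all log lines
are constructed and the thresholds are starting points, not tuned values."""
import math
import statistics
from collections import defaultdict

# Constructed DNS query log: "<epoch> <client-ip> <qname>".
# 10.0.0.57 plays the planted device pushing data out in long hex labels;
# 10.0.0.12 plays a normal workstation.
DNS_LOG = """\
1000 10.0.0.12 www.example.com
1005 10.0.0.12 mail.example.com
1010 10.0.0.57 a3f9c2e17b44d0e89f1c6a2b7d5e03f1.t.example.net
1011 10.0.0.57 7c1e0b9aa45d3f28e6c0d1b2a9f8e7c6.t.example.net
1012 10.0.0.57 0d4b8e2f6a1c9d3e7b5f0a2c4e6d8b1a.t.example.net
1013 10.0.0.57 f2e4d6c8b0a19385746352a1b0c9d8e7.t.example.net
1014 10.0.0.57 5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.t.example.net
1015 10.0.0.57 e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4.t.example.net
1016 10.0.0.57 13579bdf02468ace13579bdf02468ace.t.example.net
1017 10.0.0.57 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.example.net
"""

# Constructed outbound connection log: "<epoch> <src-ip> <dst-ip> <dst-port>".
# 10.0.0.57 calls home on port 443 roughly every 300 s; 10.0.0.12 browses.
CONN_LOG = """\
1000 10.0.0.57 203.0.113.9 443
1301 10.0.0.57 203.0.113.9 443
1599 10.0.0.57 203.0.113.9 443
1900 10.0.0.57 203.0.113.9 443
2202 10.0.0.57 203.0.113.9 443
2499 10.0.0.57 203.0.113.9 443
1000 10.0.0.12 198.51.100.20 443
1007 10.0.0.12 198.51.100.20 443
1180 10.0.0.12 198.51.100.20 443
1181 10.0.0.12 198.51.100.20 443
1900 10.0.0.12 198.51.100.20 443
2450 10.0.0.12 198.51.100.20 443
"""


def shannon_entropy(s):
    """Bits per character of the string; random-looking labels score near 4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Return (epoch, client, qname) tuples from the constructed log format."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            out.append((int(ts), client, qname.lower().rstrip(".")))
    return out


def parse_conn_log(text):
    """Return (epoch, src, dst, port) tuples from the constructed log format."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            out.append((int(ts), src, dst, int(port)))
    return out


def dns_tunnel_suspects(records, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Group by (client, zone) where zone is the last two labels; flag groups
    with many distinct leading labels that are long and high-entropy."""
    leading = defaultdict(set)
    for _, client, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        leading[(client, ".".join(labels[-2:]))].add(labels[0])
    suspects = {}
    for key, labels in leading.items():
        if len(labels) < min_unique:
            continue
        mean_len = statistics.fmean([len(l) for l in labels])
        mean_ent = statistics.fmean([shannon_entropy(l) for l in labels])
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            suspects[key] = {"unique_labels": len(labels),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return suspects


def beacon_suspects(records, min_connections=5, max_cv=0.1):
    """Flag (src, dst, port) flows whose inter-connection gaps have a low
    coefficient of variation: a timer, not a human, is driving them."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    suspects = {}
    for key, times in flows.items():
        times.sort()
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            suspects[key] = {"connections": len(times),
                             "period_s": round(mean_gap), "cv": round(cv, 3)}
    return suspects


if __name__ == "__main__":
    for k, v in dns_tunnel_suspects(parse_dns_log(DNS_LOG)).items():
        print("DNS tunnel suspect", k, v)
    for k, v in beacon_suspects(parse_conn_log(CONN_LOG)).items():
        print("beacon suspect", k, v)
```

On real logs the thresholds need tuning per environment (CDNs and some security products also generate long DNS labels, and NTP or update checks also beacon), so treat a hit as a lead to pull the device's port and MAC, not as a verdict.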
  • 15. NED Characteristics
      ● Stripped-down Linux
      ● BusyBox shell
      ● SSH, HTTP/S management
      ● Features like VPN tunnels, mesh networking
      ● On-the-fly software install as "packages"
        – DNS, Apache, Asterisk
        – Attack tools and exploits
        – Powerful scripting languages: Python, Ruby
  • 16. Linksys WRT54G
      ● Cheap, cute, heavily "hacked" and tweaked
      ● Secure with default Linksys firmware?
        – Ubiquitous = the "new Windows"
        – Very likely unpublished exploits in the wild
      ● Open-source alternatives to Linksys firmware
        – OpenWrt: package system
        – Sveasoft: mesh networking
      ● Unleashing the WRT54G....
  • 17. FairuzaUS for Linksys
      ● FairuzaUS: www.hackerpimps.com
      ● Command line interface over SSH
      (Screenshot: Treo 650 SSH into FairuzaUS, then into a compromised Windows box)
  • 18. Upcoming Linksys
      ● EVDO & WiFi = WOW!
      ● Linux-based
      ● This will become popular
      ● Potential for abuse is big
  • 19. Nokia 770
      ● Basics
        – Debian Linux PDA
        – Slow CPU, low RAM
        – 802.11b & Bluetooth
        – Touchscreen keyboard
      ● Software & commercial attack platform development
        – Immunity SILICA (Dave Aitel): http://immunitysec.com/products-silica.shtml
        – HD Moore doing work on this platform (Metasploit)
      ● Maemo project and security tools packaged
        – tcpdump, Nmap, dsniff, Kismet, Bluetooth audit
  • 20. Linksys NSLU2 "Slug"
      ● US $75
      ● Heavy open-source support
        – Unslung, OpenSlug, DebianSlug
      ● USB storage
      ● Bluetooth dongles
      ● Asterisk, webcam, MP3 stream
      ● Try it if you're looking for a weekend geek project
      ● I'm looking into this as a testing platform
  • 21. Gumstix
      ● Ultra-small computers ($120+)
      ● Expandable "snap-in" boards
        – CF storage and 802.11b wireless
        – Single and dual Ethernet with PoE
          ● MITM hardware device with dual Ethernet
        – Bluetooth
        – USB, serial, PS/2 connectors
      ● Used in BlueSniper, UltraSwarm
      ● Developer CDs and environment
  • 22. PicoTux
      ● Picotux 100 and 112 (US $100+)
        – World's smallest Linux computer
        – 35 mm × 19 mm × 19 mm (the size of an RJ45 connector)
        – Power over Ethernet
        – Telnet and HTTP server
        – Developer CDs and environment
      ● Attacks
        – Plenum off a Cisco CAT switch
        – "Serial to Ethernet connector"
  • 23. Other Gear
      ● KeyKatcher
        – PS/2 and new USB version
      ● New "U3" USB key technology
        – Auto-run apps, installs, pull SAM on-the-fly, etc.
      ● EVDO USB key
      ● "Executive Gift USB": Swiss Army USB/knife
      ● Infected RFID tags
        – Infects reader, which then infects other tags and the DB
        – http://www.rfidvirus.org/papers/press_release.pdf
  • 24. Other Gear
      ● Linux phones
        – Customizable
        – Bluetooth, WiFi, cameras, etc.
        – Qtopia
      ● Security people "discussing ideas"
        – Prediction: top "hacker" phone
      ● BlackDog
        – Linux box on USB
        – Biometric auth
  • 25. Agenda
      ● Objectives
      ● Attacks
      ● Network Espionage Devices (NEDs)
      ● Gettin' Spooky with IT
      ● Countermeasures
  • 26. Spooky: Device Enclosures
      ● Free water cooler offer ;)
        – Potential for power source
        – Legitimate reason for physical presence...and returning
      ● Office décor
        – Flower safe with X-mas tree & lights...plug 'n play
      ● Exit sign, fire extinguisher
        – Dangerous to mess with emergency gear
        – But what if extra gear shows up?
          ● Wow, we have even more security now!
  • 27. Spooky: 0wn3d Mesh Network
      ● Municipal networks beware!
      ● Build it
        – EVDO gateway for Internet
        – Drive-by/walk-by AP 0wn4g3
        – Senao AP w/ Yagi = sweeper
      ● Run it
        – Karma = DHCP for everybody
        – Shared crypto keys, cron jobs, remote SSH-FS mounts
      ● 0wn it
        – Attack everything, browser exploits on the portal
  • 28. Spooky: In-Transit "Marketing"
      ● Airports, train stations, bus stations, subways, etc.
        – Bluetooth spamming with "scary" message content
        – 0wn3d WiFi networks & Windows Messaging
      ● Multiplier effect
        – Simultaneous at multiple hubs in the US
        – "Scary message": huge productivity costs
        – Wrong message
      ● Used as diversion, secondary attack, etc.
      ● Virus/worm-type attack like this is possible
  • 29. Of Course...
      ● Why not hack the marketing guy's gear instead?
      ● "CBS today said it is planning a marketing initiative that will allow mobile users with Bluetooth-enabled phones to download promotional clips from its new fall TV shows directly to their handsets at billboard locations in New York. The billboards in Grand Central station...."
      ● Digging a little deeper
        – kameleon-media.com
          ● "Remote data loading via a GPRS or Ethernet modem that connects directly the MobiPoint® to our server."
  • 30. Spooky: Long-distance, the next best thing to being there
      ● Home-built Bluetooth/WiFi "sniper" setups
        – Bluetooth targets up to one mile
        – 802.11b targets up to...?
  • 31. How far?
      802.11b over 125 miles
  • 32. Maxing Out Current Gear
      ● Janus Scanner (DefCon 14)
        – 8 Senao hi-power cards (the 125-mile WiFi-record card)
        – 1-watt amplifier to "keep it legal"
        – Linux, Kismet, etc.
        – Pelican case
        – Data encrypted
        – 1-button operation
      ● Also "BlueBag"
        – Target: Bluetooth
  • 33. Terrorism & RFID Passports
      ● US passports will have RFID tags
        – Each US state's driver's licenses probably next
      ● RFID security weaknesses already found
      ● Reading tags at a distance is a documented threat
      ● The "nightmare scenario"
        – Discussed in the media already
        – NED (or cell) RFID scan for passports
          ● Connected to explosive device
          ● Detonate when X number in range
  • 34. Countermeasures
      ● Know the risks and threats
      ● Know your network devices and traffic
      ● User education, buy-in, ownership of the problem
      ● Policy and "best practices"
      ● Planned response vs. "Uh oh..."
        – Calling the cavalry (specialists, Johnny Law)
      ● Proactive measures
        – Honeypots, honeynets, Bluetooth honeypot
        – Yet to see an RFID honeypot (sell to Wal-Mart?)
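"Know your network devices" on slide 34 is the countermeasure that most directly answers a planted WRT54G, Slug or Gumstix: a device that was never in the asset inventory shows up in the ARP or MAC table, often on a port that is supposed to carry one known host. The block below is an added example, not code from the talk. It diffs a constructed switch snapshot against a constructed inventory, flags unknown MACs (with an illustrative OUI hint table that must be checked against the IEEE registry), marks locally administered MACs as possibly spoofed, and reports ports carrying more MACs than an access port should. All addresses, port names and inventory entries are made up for the example.

```python
"""Inventory diff for rogue-device hunting. Added example, not from the
original talk; every MAC, IP, port and inventory entry is constructed."""
from collections import defaultdict

# Constructed snapshot in a "show ip arp"-like shape: "<ip> <mac> <switch-port>".
ARP_SNAPSHOT = """\
10.0.0.12 00:1e:c2:11:22:33 Gi1/0/3
10.0.0.20 00:1f:a0:44:55:66 Gi1/0/4
10.0.0.57 00:14:bf:de:ad:01 Gi1/0/3
10.0.0.58 06:11:22:33:44:55 Gi1/0/9
"""

# Constructed asset inventory: MAC -> description.
INVENTORY = {
    "00:1e:c2:11:22:33": "workstation, finance-07",
    "00:1f:a0:44:55:66": "printer, 3rd floor",
}

# Illustrative OUI hints (first three octets -> vendor). Assumed for the
# example; confirm prefixes against the IEEE OUI registry before relying on them.
OUI_HINTS = {
    "00:14:bf": "Cisco-Linksys",
}


def parse_arp_snapshot(text):
    """Return one dict per line of the constructed snapshot format."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, port = line.split()
        rows.append({"ip": ip, "mac": mac.lower(), "port": port})
    return rows


def locally_administered(mac):
    """True when the U/L bit of the first octet is set: the MAC was not
    assigned by a vendor, so it is either virtual, randomized or spoofed."""
    return int(mac[:2], 16) & 0x02 != 0


def rogue_candidates(rows, inventory, oui_hints):
    """Every observed MAC missing from the inventory, annotated with whatever
    the OUI and the U/L bit suggest about it."""
    found = []
    for row in rows:
        if row["mac"] in inventory:
            continue
        notes = []
        hint = oui_hints.get(row["mac"][:8])
        if hint:
            notes.append(f"OUI matches {hint}")
        if locally_administered(row["mac"]):
            notes.append("locally administered MAC (possibly spoofed or randomized)")
        found.append({**row, "notes": notes})
    return found


def crowded_ports(rows, max_macs=1):
    """Ports carrying more than max_macs MACs. On an access port that is a
    hub, an AP, or a box with two Ethernet jacks sitting inline."""
    by_port = defaultdict(list)
    for row in rows:
        by_port[row["port"]].append(row["mac"])
    return {port: macs for port, macs in by_port.items() if len(macs) > max_macs}


if __name__ == "__main__":
    rows = parse_arp_snapshot(ARP_SNAPSHOT)
    for c in rogue_candidates(rows, INVENTORY, OUI_HINTS):
        print(f"unknown device {c['mac']} at {c['ip']} on {c['port']}: {'; '.join(c['notes']) or 'no hints'}")
    for port, macs in crowded_ports(rows).items():
        print(f"port {port} carries {len(macs)} MACs: {', '.join(macs)}")
```

The inventory is the hard part in practice: the diff is only as good as the list of what is supposed to be there, and a bridged device with two Ethernet ports (the Gumstix MITM case on slide 21) adds no MAC of its own and is only caught by the port-count check if it also originates traffic.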
  • 35. Looking Forward & Other Stuff
      ● More devices with network access
        – "Why is my refrigerator scanning my network?"
      ● Mobile devices will be targeted
      ● VoIP and the new-style phone-tapping agenda
        – VoIP phones as room taps
        – Capture VoIP traffic
      ● Same old story
        – New technology, adoption, poor security, etc.
  • 36. Thanks! Questions?
      ● Feel free to contact me at shawnmer@io.com