Csi Netsec 2006 Poor Mans Guide Merdinger
"Poor Mans Guide To Network Espionage Gear" - Computer Security Institute NETSEC 2006
Transcript of "Csi Netsec 2006 Poor Mans Guide Merdinger"

  1. Poor Man's Guide To Network Espionage Gear
     Shawn Merdinger, Independent Security Researcher, CRT-9
     Computer Security Institute NetSec 2006, 2006.06.14

  2. British Spy Rock

  3. First-Gen Spy Rock?

  4. Obligatory Speaker Slide
     • Shawn Merdinger
       • Independent security researcher & corporate irritant
       • Current indy projects
         • VoIP device & Emergency communications systems
       • Former positions
         • TippingPoint
         • Cisco Systems
           • STAT (Security Technologies Assessment Team)
       • Web: www.io.com/~shawnmer

  5. Warnings and Stuff
     • This is academic research...the “how” not the “why”
     • This is “dangerous information”...however
       • You have the right/need to know
       • I have the right/need to talk
     • Oh yeah...and remember
       • Devices (in context) may be illegal...don't use
       • Activities (in context) may be illegal...don't do
       • I'm not a lawyer...

  6. Objectives
     • Academic information exchange
     • My favorite cheap and mean gear
     • Attacks & countermeasures
     • Resources

  7. Agenda
     • Objectives
     • Attackers
     • Network Espionage Devices (NEDs)
     • Gettin' Spooky with IT
     • Countermeasures
     • Looking forward

  8. Got bad soup?
     • Devastating yet “simple” attack

  9. Attacker Goals
     • Attacker wants to accomplish...
       • Gain internal access via a device at victim location
       • Attack internal/external hosts via TCP/IP
       • Attack phone/PDA/PC via Bluetooth
       • Passively gather information via sniffing
       • Establish other internal and external access
       • Impersonate services: webserver, database
       • Target a user's service: VIP VoIP connection

  10. Attack Tools
     • Typical open-source methods and tools
       • Scanning & probing
       • Sniffing
       • Exploiting
       • Covert communications
     • Multiple protocols and entry points
       • Wired LAN
       • 802.11b/g wireless
       • Bluetooth

  11. NEDs
     • My favorites
       • Linksys WRT54G
       • Nokia 770
       • Gumstix
       • PicoTux
     • Plenty of others!
       • Access points
       • PDAs
       • Game platforms

  12. NED Characteristics
     • Small, unobtrusive, ubiquitous, “cute”
     • Low-cost, disposable at victim's location
     • Minimal power requirements
       • Power over Ethernet, battery, solar potential
     • Multiple attack vector capability
       • Wired, wireless, Bluetooth, RFID
     • Traditional forensics very difficult
       • Ephemeral filesystems running in RAM & device access
       • Try that with EnCase!

  13. NED Characteristics
     • Outbound reverse connections back to attacker
       • Crypto tunnels bypass firewalls, IDS
       • “Under the radar” common protocols like DNS requests, ICMP, HTTP/S
       • Proxies, anonymizers, etc.
     • Ported attack tools and exploits
       • ARM processor-based
       • Some hardware and software limitations and trade-offs
         • Dependent libraries, GUIs, etc.
           • E.g. don't expect a full Nessus client/server on Linksys routers

  14. NED OS & Software
     • Stripped-down Linux
     • BusyBox shell
     • SSH, HTTP/S management
     • Features like VPN tunnels, mesh networking
     • On-the-fly software install as “packages”
       • DNS, Apache, Asterisk
       • Attack tools and exploits
       • Powerful scripting languages: Python, Ruby
       • Customizable

  15. Linksys WRT54G
     • Cheap, cute
     • Secure with default Linksys firmware?
       • Ubiquitous = the “new Windows”
       • Very likely unpublished exploits in the wild
     • Open-source alternatives to Linksys firmware
       • OpenWRT
         • Package system
       • Sveasoft
         • Mesh networking
     • Un-leashing the WRT54G....

  16. FairuzaUS for Linksys
     • FairuzaUS: www.hackerpimps.com
     (Slide images: Treo 650 SSH into FairuzaUS into compromised Windows box; command line interface over SSH)

  17. Nokia 770
     • Basics
       • US $300
       • Slow CPU, low RAM
       • 802.11b & Bluetooth
       • Virtual touchscreen keyboard
       • Debian Linux PDA
       • Software
         • Lots of development via Maemo project
         • Many security tool packages by independent folks
           • Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit

  18. Gumstix
     • Ultra-small computers ($120 +)
     • Expandable “snap in” boards
       • CF storage and 802.11b wireless
       • Single and dual Ethernet with PoE
         • MITM hardware device with dual Ethernet
       • Bluetooth
       • USB, serial, PS/2 connectors
       • Used in BlueSniper, UltraSwarm
       • Developer CDs and environment

  19. PicoTux
     • Picotux 100 and 112 (US $100 +)
       • World's smallest Linux computer
       • 35mm×19mm×19mm (size of an RJ45 connector)
       • Power over Ethernet
       • Telnet and HTTP server
       • Developer CDs and environment
     • Attacks
       • One of these in the plenum off a Cisco CAT switch
       • “Serial to Ethernet connector”

  20. Spooky: Device Enclosures
     • Free water cooler offer ;)
       • Potential for power source
       • Legitimate reason for physical presence...and returning
     • Office décor
       • Flower safe with X-mas tree & lights...plug 'n play
     • Exit sign, fire extinguisher
       • *Dangerous to mess with emergency gear

  21. Spooky: 0wn3d Mesh Network
     • Municipal networks beware!
     • Build it
       • EVDO gateway for Internet
       • Drive-by/walk-by AP 0wn4g3
       • Senao AP w/ Yagi = sweeper
     • Run it
       • Karma = DHCP for everybody
       • Shared crypto keys, cron jobs, remote ssh-fs mounts
     • Own it
       • Attack everything, browser exploits on captive portal

  22. Spooky: In-Transit “Marketing”
     • Airports, train stations, bus stations, subways, etc.
       • Bluetooth spamming with “scary” message content
       • 0wn3d wifi networks & Windows Messaging
     • Multiplier effect
       • Simultaneous at multiple hubs in the US
       • “Scary message”
         • Huge productivity costs
       • Wrong message
         • Used as diversion, secondary attack, etc.

  23. Spooky: Long-distance, the next best thing to being there
     • Home-built Bluetooth/Wifi “sniper” setups
       • Bluetooth targets up to one mile
       • 802.11b targets up to...?

  24. How far? 802.11b over 125 miles

  25. Countermeasures
     • Know the risks and threats
     • Know your network devices and traffic
     • User education, buy-in, ownership of the problem
     • Policy and “best practices”
     • Planned response
     • Other measures
       • Honeypots, honeynets, Bluetooth honeypot
       • Calling the cavalry (private specialists, Johnny Law)
       • Hack-backs
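Slides 13 and 25 together make the defender's point: a planted device phones home over "under the radar" protocols such as DNS, so the countermeasure is knowing which devices are on the network and what their traffic looks like. The following is an added example, not code from the talk: it runs two such checks over constructed DHCP lease and DNS query log lines (dnsmasq-style `expiry MAC IP hostname` leases and `epoch src_ip qname` queries are assumed formats), flagging DHCP clients missing from a known-asset list and hosts whose queries to one domain are periodic and carry long high-entropy labels, the signature of a DNS tunnel.

```python
"""Added example: inventory and DNS covert-channel checks over constructed logs."""
import math
import statistics
from collections import defaultdict

KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}  # constructed asset inventory

# Constructed dnsmasq-style lease lines: expiry MAC IP hostname
DHCP_LEASES = """\
1150000100 00:11:22:33:44:01 10.0.0.10 ws-finance-01
1150000160 00:11:22:33:44:02 10.0.0.11 ws-finance-02
1150000220 00:aa:bb:cc:dd:ee 10.0.0.99 *
"""

# Constructed DNS query log: epoch src_ip qname
DNS_LOG = """\
1150000000 10.0.0.10 www.example.com
1150000005 10.0.0.99 a9f3k2q8z1x7c4v6.tunnel.example.net
1150000065 10.0.0.99 b7d2m4p9w3e8r1t5.tunnel.example.net
1150000125 10.0.0.99 c1x8n3j5l0k2h4g6.tunnel.example.net
1150000185 10.0.0.99 d4s7f2a1q9w3e6r8.tunnel.example.net
1150000190 10.0.0.10 mail.example.com
"""

def unknown_devices(leases=DHCP_LEASES):
    """Return (mac, ip) for every DHCP client whose MAC is not in the inventory."""
    out = []
    for line in leases.splitlines():
        _expiry, mac, ip, _host = line.split()
        if mac.lower() not in KNOWN_MACS:
            out.append((mac, ip))
    return out

def entropy(label):
    """Shannon entropy (bits/char) of one DNS label; random data scores high."""
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def dns_beacons(log=DNS_LOG, min_queries=4, max_jitter=0.2, min_entropy=3.5):
    """Return {(src_ip, parent_domain): mean_period_s} for query streams that are
    both regularly timed (low jitter) and carry high-entropy leftmost labels."""
    streams = defaultdict(list)
    for line in log.splitlines():
        ts, src, qname = line.split()
        labels = qname.split(".")
        streams[(src, ".".join(labels[-3:]))].append((int(ts), labels[0]))
    hits = {}
    for key, qs in streams.items():
        if len(qs) < min_queries:
            continue
        gaps = [b[0] - a[0] for a, b in zip(qs, qs[1:])]
        period = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / period if period else 1.0
        if jitter <= max_jitter and statistics.mean(entropy(l) for _, l in qs) >= min_entropy:
            hits[key] = period
    return hits
```

On the constructed data the unregistered device at 10.0.0.99 is the same host querying a random-looking subdomain every 60 seconds; in practice the thresholds are tuned against a baseline of the site's normal DNS traffic.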
  26. Looking Forward
     • More devices with network access
       • It's only going to get worse....
         • “Why is my refrigerator scanning my network?”
         • Same old issues: poor QA and security, outsourced, lack of ownership, fixes/patching, etc.
     • Tied into critical applications
       • Tele-medicine, mobile data
       • Emergency communications infrastructure
         • Vonage over Linksys box was NO lifeline post-Katrina
         • Plenty of others...stay tuned!

  27. Questions?
     • Thanks!
     • Contact: shawnmer @ gmail.com