Hello, My Name Is Host Name (Endgrain, Rad, Kaminsky)

DEFCON 2009 presentation by Endgrain, Tiffany Rad, Dan Kaminsky


Speaker notes
  • While the research is specific to USM, we discovered similar setups at other universities. The presentation is not meant to target any specific person or organization.
  • Dorm configuration adds a “dorm” subdomain, giving away another piece of information to anyone who wants to get it. IT staff configuration shows that even for their own employees – USM either doesn't realize that they're exposing personal information or they just don't think that it's an issue. Websites, emails, file sharing, IRC... anything where communication exposes your IP.
  • maine.edu is unavoidable. The USM sub-domain is also rather needed. Dorm vs. wireless sub-domains give relative physical location, and prior knowledge or a little research can give a more accurate physical location. Split campus – dorms in Gorham and most classes (wireless) are in Portland. FULL NAME – Why is it necessary? Laziness or ease of administration? Bottom line: mention other universities.
  • Wanted to know how people were granted access on the network. How to keep out the public and allow easy use by students? Still don't know the details about how the DHCP server interfaces with the DB or whether it's built into the DHCP server.
  • Using MAC addresses as a unique identifier is OK, but it's not OK to assume that MAC addresses cannot be changed. Why aren't users' identities shielded by edge devices such as routers? Is there a reason that each user has their own external IP? MAC addresses aren't locked to one physical port on the network switches. Users can roam with their devices, even when using the Ethernet network. Students and faculty are constantly moving from network to network with their devices.
  • It didn't take much to realize how this access control model could be circumvented. Can easily assume the identity of another user and perform otherwise suspicious or illegal activities.
  • Are universities rolling their own software that generates user host names from full names, or is there a piece of software that comes with the feature? Is it a coincidence that many universities around the country are using similar naming conventions, or have they been suggested to do so? Is there some acceptable reason for every user to have an Internet-routable IP address?

Slide 1: Hello, My Name is Host Name
  Endgrain, Dan Kaminsky, Tiffany Rad

Slide 2: Presenters
  • Endgrain
      - Computer science student, University of Southern Maine, Portland, Maine.
  • Dan Kaminsky
      - Director of Pen Testing, IOActive
  • Tiffany Strauchs Rad
      - President, ELCnetworks, LLC
      - Part-time Adjunct Professor, University of Southern Maine, Portland, Maine.

Slide 3: Discovery
  • First connected to the USM network in spring 2008 via the wireless network on campus
      - Connected to IRC
          - Magically, people began to address me with my full name
          - Quickly discovered that...
              - the DHCP server leases Internet-routable IP addresses
              - domain names take the form firstname-lastname.wireless.usm.maine.edu

Slide 4
  • Confirmed the same network configuration from the dormitory (fall 2008) and a similar configuration for IT staff (summer 2009)
      - end-grain.dorm.usm.maine.edu
      - jcdoe.acs.usm.maine.edu
  • What does this mean?
      - Sensitive information is now unnecessarily public
          - Can be obtained with a simple reverse DNS lookup

Slide 5: What information does a domain name divulge?
  • The user is attending a Maine university
  • The user is attending the University of Southern Maine specifically
  • How the user is connected to the network
      - Wireless
      - Wired (from dorms)
  • Approximate physical location
  • The user's FULL NAME!
  • Bottom line: the domain name configuration used by USM reveals the user's physical location and full name, and is clearly a huge violation of the user's implicit right to privacy.
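What a reverse lookup of a host name in the form quoted on slides 3 to 5 actually gives away, and the check a survey like the one on slide 18 needs, as an added Python example (this is not the presenters' code): the PTR answers are constructed to match the three patterns shown on the slides, the meaning attached to each network label is an assumption drawn from the speaker notes, and `live_resolver` is the only part that would touch real DNS.

```python
"""Added example: what a PTR name of the kind described on slides 3-5 reveals,
plus a heuristic that flags host names shaped like firstname-lastname.
All PTR answers below are constructed (RFC 5737 documentation addresses);
nothing touches the network unless you pass live_resolver explicitly."""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed PTR answers modelled on the three patterns quoted in the talk.
SAMPLE_PTRS: Dict[str, str] = {
    "198.51.100.10": "jane-doe.wireless.usm.maine.edu",
    "198.51.100.11": "end-grain.dorm.usm.maine.edu",
    "198.51.100.12": "jcdoe.acs.usm.maine.edu",
    "198.51.100.13": "dhcp-100-13.wireless.usm.maine.edu",  # generic lease name
}

# Assumed meaning of the network label. The Gorham (dorms) / Portland (classes)
# split comes from the speaker notes; "acs" is only known to be the IT staff net.
SUBDOMAIN_HINTS = {
    "wireless": ("wireless", "Portland campus (classes)"),
    "dorm": ("wired, dormitory", "Gorham campus (dorms)"),
    "acs": ("IT staff network", "unknown"),
}

# firstname-lastname shape: two alphabetic labels joined by one hyphen, no digits.
# Generic lease names (dhcp-100-13) and initials-style names (jcdoe) do not match.
# A two-word handle such as end-grain matches too; the heuristic cannot tell a
# handle from a name, so a survey built on it still needs manual sampling.
NAME_LABEL = re.compile(r"^([a-z]{2,})-([a-z]{2,})$")


@dataclass
class HostnameLeak:
    hostname: str
    institution: str        # zone the host sits in, e.g. usm.maine.edu
    access: str             # how the user is connected
    location: str           # approximate physical location implied by the label
    full_name: Optional[str]  # None when the first label is not name-shaped


def parse_hostname(hostname: str) -> HostnameLeak:
    """Split a PTR name into the facts slide 5 lists: institution, access method,
    approximate location and, when the first label is name-shaped, the user's name."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError(f"expected user.network.zone, got {hostname!r}")
    user_label, net_label = labels[0], labels[1]
    institution = ".".join(labels[2:])
    access, location = SUBDOMAIN_HINTS.get(net_label, (net_label, "unknown"))
    m = NAME_LABEL.match(user_label)
    full_name = f"{m.group(1).title()} {m.group(2).title()}" if m else None
    return HostnameLeak(hostname, institution, access, location, full_name)


def looks_like_real_name(hostname: str) -> bool:
    return parse_hostname(hostname).full_name is not None


def live_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (network access required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_lookup(ip: str,
                   resolver: Callable[[str], Optional[str]] = SAMPLE_PTRS.get) -> Optional[str]:
    """Resolve an address to its PTR name; defaults to the constructed table."""
    return resolver(ip)


def real_name_ratio(ips: Iterable[str],
                    resolver: Callable[[str], Optional[str]] = SAMPLE_PTRS.get) -> float:
    """Fraction of resolvable addresses whose PTR looks like firstname-lastname:
    the per-institution measurement a survey like slide 18's would need."""
    names = [n for n in (reverse_lookup(ip, resolver) for ip in ips) if n]
    if not names:
        return 0.0
    return sum(looks_like_real_name(n) for n in names) / len(names)


if __name__ == "__main__":
    for ip in SAMPLE_PTRS:
        leak = parse_hostname(reverse_lookup(ip))
        print(f"{ip:>14} -> {leak.hostname}")
        print(f"{'':>14}    {leak.access}; {leak.location}; "
              f"name: {leak.full_name or '(not exposed)'}")
    print(f"real-name ratio in sample: {real_name_ratio(SAMPLE_PTRS):.0%}")
```

The constructed sample already shows the heuristic's limit: `end-grain` is a handle, yet it is flagged exactly like `jane-doe`, while `jcdoe` (initials plus surname, the IT staff pattern from slide 4) is not flagged at all even though it still identifies a person. A real survey should therefore treat the ratio as an upper bound on name-shaped labels and hand-check a sample of hits and misses.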
Slide 6: The Vulnerability
  • Decided to research USM network security and privacy further as an educational project for Tiffany's computer ethics class (spring 2009).
  • Access control
      - First-time use: authentication
          - Log in with USM account
          - MAC address of the connecting device is paired with the account in a database
              - Also paired with a semi-static PUBLIC IP address
      - Subsequent access to the network with the same device does not require authentication
  • Network-wide “device registration” database that interfaces with the DHCP server

Slide 7: Weaknesses
  • Complete trust is placed in MAC addresses as a unique identifier
      - Can be spoofed! (old news, right?)
      - Part of the protocols, can't really be fixed
  • Global IP addresses
      - Why???
      - Puts users at unnecessary risk
  • No port-based security on the switched LAN
      - Impossible at a college due to the mobile nature of most devices

Slide 8: What if...
  • Potential for abuse
      - Impersonation by spoofing a MAC address
          - View questionable web content
          - File sharing
          - Any other suspicious network activity, all under the cover of another user
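The access-control model of slides 6 to 8 and the impersonation it allows, as an added Python example that is not the university's or the presenters' code: the registration table, the addresses and the DHCP log lines are constructed, the `via=` field standing in for whatever relay or access-point identifier a real DHCP server logs is an assumption, and the five-minute window is a tuning choice rather than anything from the talk.

```python
"""Added example (not the university's or the presenters' code). Models the
scheme slides 6-8 describe: a registration database keyed by MAC address that
the DHCP server consults, so a cloned MAC inherits the victim's account,
name-bearing hostname and public IP without any authentication. It then runs
the one detection the scheme still permits over constructed lease log lines:
the same MAC served from two different attachment points within minutes.
Registrations, IPs (RFC 5737 range), zone and log lines are all constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed registration table, as paired at first login: MAC -> (account, semi-static public IP).
REGISTRATIONS: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("jane.doe", "198.51.100.10"),
    "66:77:88:99:aa:bb": ("end.grain", "198.51.100.11"),
}
ZONE = "wireless.usm.maine.edu"  # assumed zone, matching the pattern quoted on slide 3


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dhcp_decision(mac: str, registrations: Dict[str, Tuple[str, str]] = REGISTRATIONS) -> dict:
    """The vulnerable model: the MAC is the only credential. Whoever presents a
    registered MAC gets that account's lease and its name-bearing hostname."""
    mac = normalize_mac(mac)
    if mac not in registrations:
        return {"action": "captive_portal", "mac": mac}  # first-time use: log in, pair MAC
    account, ip = registrations[mac]
    return {"action": "lease", "mac": mac, "account": account, "ip": ip,
            "hostname": f"{account.replace('.', '-')}.{ZONE}"}


# Constructed lease log: time, client MAC, relay/AP the request came through.
SAMPLE_LEASE_LOG = [
    "2009-04-12T10:00:01 DHCPACK mac=00:11:22:33:44:55 via=ap-gorham-dorm-3",
    "2009-04-12T10:00:40 DHCPACK mac=66:77:88:99:aa:bb via=ap-portland-lib-1",
    "2009-04-12T10:02:15 DHCPACK mac=00:11:22:33:44:55 via=ap-portland-sci-2",  # clone
    "2009-04-12T11:30:00 DHCPACK mac=66:77:88:99:aa:bb via=ap-portland-lib-2",  # roaming
    "2009-04-12T11:31:00 not a lease line",
]
LOG_RE = re.compile(r"^(\S+) DHCPACK mac=(\S+) via=(\S+)$")


def find_mac_clones(log_lines: List[str],
                    window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag a MAC ACKed from two different attachment points within `window`.
    A roaming user produces the same pair of events slowly; a clone produces it
    while the real device is still online, so a short window separates the two.
    This is detection after the fact: the scheme itself offers no prevention."""
    last_seen: Dict[str, Tuple[datetime, str]] = {}
    alerts: List[dict] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m.group(1))
        mac, via = normalize_mac(m.group(2)), m.group(3)
        prev = last_seen.get(mac)
        if prev and prev[1] != via and ts - prev[0] <= window:
            account = REGISTRATIONS.get(mac, ("unregistered", ""))[0]
            alerts.append({"mac": mac, "account": account, "first": prev[1],
                           "second": via,
                           "gap_seconds": int((ts - prev[0]).total_seconds())})
        last_seen[mac] = (ts, via)
    return alerts


if __name__ == "__main__":
    # An attacker presents Jane's MAC in a different notation and is served as Jane.
    print(dhcp_decision("00-11-22-33-44-55"))
    print(dhcp_decision("de:ad:be:ef:00:01"))
    for alert in find_mac_clones(SAMPLE_LEASE_LOG):
        print("possible MAC clone:", alert)
```

Two things worth noticing: `normalize_mac` is there because a registration check that compares raw strings can be bypassed by formatting alone, and the clone detector keys on the attachment point rather than the IP, since in this model the cloned device is handed the victim's IP and looks identical at layer 3. Detection of this kind is all the model leaves a defender; preventing the impersonation means authenticating something other than the MAC (per-user credentials on the port or SSID), which slide 7 argues is impractical for a campus full of roaming devices.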
Slide 9: Unanswered questions
  • How do the DHCP servers build user domain names?
      - Is the full-name-as-host-name feature part of a DHCP package, or did the university create the system themselves?
          - Pulling information from the student database
  • Why is each device on the network given an Internet-routable IP address?
  • Most importantly: why does my host name contain my full name?

Slide 10: Network Analysis Tool
  • Logs MAC addresses and domain names
  • ARP-scans the network and lists offline hosts
  • http://endgrain.ath.cx/

Slide 11: How Host Names are Used at Many Universities
  • Some schools offer a procedure to change the host name by filling out a FERPA privacy form
  • More than 60 higher educational institutions use Real Name = Host Name

Slide 12: Legal Issues: Privacy, Personal and Online Security
  • Big question: Why do some educational institutions use real names as host names?
      - Not a good idea, given the privacy and security concerns
  • Secondary question: Why would they want to use real names as host names?

Slide 13: Pressure from Anti-Piracy Counter-measures?
  • Facilitates DMCA take-down notices and RIAA cease-and-desist legal threats
  • Do patterns of RIAA lawsuits surround college campuses because of this built-in ability to easily retrieve legal names?

Slide 14: Privacy and Personal Safety Concerns
  • Privacy
  • Broadcasting real names on IRC and other online forums creates privacy and personal safety issues.
  • What rights you have to protect your Internet searches—differences between society at large and on college campuses.
  • When students use IRC, visit websites or search the web: privacy FAIL

Slide 15: DMCA and RIAA Influences?
  • RIAA
      - Has driven a lot of the demand for ease of identifying users
      - Attempted to pass legislation in 2007 requiring educational institutions to install filters on their networks if the RIAA deemed that school to have many infringers.

Slide 16: Digital Millennium Copyright Act
  • DMCA
      - Take-down notices under Section 512
          - Requires ISPs or college networks to take down allegedly infringing materials or lose their “safe harbor” protections
          - Strict wording in the statute and steep penalties for loss of safe harbor protections discourage scrutiny of take-down notices, resulting in little or no analysis of the legitimacy of claims.
          - Vitiates fair use

Slide 17: Privacy of Personally Identifying Information
  • FERPA protects student information
      - If a school has a form to change the host name that is connected with a FERPA form, it has knowledge that its current IT practice of assigning host names may violate FERPA
      - Why isn't it opt-in instead of opt-out, if it's PII?

Slide 18: Have the RIAA Legal Threats Encouraged These Security and Privacy Vulnerabilities?
  • Statistical analysis
      - Found 60 schools through Westlaw and news article searches and put together a list of the schools (students) most targeted by the RIAA
      - Dan's team did reverse DNS look-ups on those schools to determine if real name = host name
      - Correlation?

Slide 19: Contact
  • [email_address]
  • [email_address]
  • [email_address]