Jim Libersky: Cyber Security - Super Bowl 50
1. Cyber threats are now front and center at the largest events in the world
2. Set the Stage
• 9 days
• Ranked #1 technically advanced in N. America
• 75,000 fans into 1 stadium + operations, vendors and media
• 1 million+ new visitors into San Francisco
• 100+ million watching
• 150+ countries
• 70 cameras filming
• 360 instant freeze and replay cameras
• 36 Red Zone cameras with 360 degree visibility and virtual playback
• Superimposed yard lines
• Apps offering fans an interactive experience
• 400 miles of data cable/fiber
• 12,000 network interfaces
• Distributed antenna system (DAS) to boost the cellular signals
3. Mobile Enabled
• 1,300 Wi-Fi access points
• 1,200 Bluetooth beacons
• 40 Gb/s of available bandwidth
• 10 Terabytes of data
• 1 AP per 100 seats
• Cellular enhanced
4. Now Social Media
• Brand engagements
• 50% of the ads had a special hashtag
• Enhanced user experience apps
• For directions
• To order food
• NFL emoji keyboard
• Fantasy Football
• Interactive games that let fans catch virtual passes
6. Preparation
• Understand the network topology
• Set layered inspection and decide which sensors
• Understand the role and placement of sensors
• Baseline the traffic
• Understand the chain of command
7. Monitor Other Uses of the Stadium
• Local events
• WrestleMania
• Concerts
• Foster Farms College Bowl
8. Concerns Before Game Day
• 14 fiber cuts through 2015
• New traffic showing up
• Outbound traffic to Ireland and other countries
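Slides 6 through 8 describe the defensive workflow in outline: baseline the stadium's traffic during other events, then watch on game day for "new traffic showing up" and for outbound connections to countries never seen before. The following script is an added illustration of that baseline-versus-game-day check; it is not code from the presentation or from any product named in it. The flow records, host names and TEST-NET addresses are constructed sample data, and the 3x volume threshold is an assumed tuning value.

```python
# Added example (not from the presentation): baseline-vs-game-day egress check.
# Build a per-host baseline (destination countries seen, and the largest per-event
# byte count sent to each country) from earlier stadium events, then flag game-day
# flows that go to a country the host never talked to, or that exceed the
# baseline volume by a configurable factor. All records below are constructed.
from collections import defaultdict

# Constructed flow records: (event, src_host, dst_ip, dst_country, bytes_out)
BASELINE_FLOWS = [
    ("concert", "pos-12", "203.0.113.10", "US", 4_000),
    ("concert", "jumbotron-1", "198.51.100.7", "US", 900_000),
    ("concert", "media-3", "203.0.113.44", "CA", 120_000),
    ("wrestlemania", "pos-12", "203.0.113.10", "US", 5_500),
    ("wrestlemania", "media-3", "203.0.113.45", "CA", 140_000),
    ("bowl", "jumbotron-1", "198.51.100.9", "US", 1_100_000),
]

GAME_DAY_FLOWS = [
    ("sb50", "pos-12", "203.0.113.10", "US", 6_000),
    ("sb50", "media-3", "203.0.113.44", "CA", 150_000),
    ("sb50", "jumbotron-1", "192.0.2.77", "IE", 2_500_000),   # country never seen before
    ("sb50", "pos-12", "198.51.100.7", "US", 800_000),        # POS host far above its baseline
]


def build_baseline(flows):
    """Return (countries, max_bytes):
    countries[src]        -> set of destination countries seen for that host
    max_bytes[src][cc]    -> largest total bytes that host sent to cc in one event
    """
    countries = defaultdict(set)
    per_event = defaultdict(int)
    for event, src, _dst_ip, country, nbytes in flows:
        countries[src].add(country)
        per_event[(event, src, country)] += nbytes
    max_bytes = defaultdict(lambda: defaultdict(int))
    for (_event, src, country), total in per_event.items():
        max_bytes[src][country] = max(max_bytes[src][country], total)
    return countries, max_bytes


def detect_anomalies(baseline, game_flows, volume_factor=3.0):
    """Aggregate game-day flows per (host, country) and compare to the baseline.
    volume_factor is an assumed threshold: alert when a host sends more than
    volume_factor times its largest baseline volume to a known country."""
    countries, max_bytes = baseline
    totals = defaultdict(int)
    for _event, src, _dst_ip, country, nbytes in game_flows:
        totals[(src, country)] += nbytes
    alerts = []
    for (src, country), total in totals.items():
        if country not in countries.get(src, set()):
            alerts.append((src, country, "new destination country"))
        elif total > volume_factor * max_bytes[src][country]:
            alerts.append((src, country, "volume above baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), GAME_DAY_FLOWS):
        print(alert)
```

Run as-is, the script reports the point-of-sale host for sending far more than its historical volume and the JumboTron host for a first-ever destination in Ireland; in practice the baseline would be built from flow exports of the earlier events the deck names (concerts, WrestleMania, the college bowl) rather than from hand-written records.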
10. Concerns
• Horizontal movement between servers
• JumboTron
• IP harvesting
• POS
• Fake tickets
• Fake emails as part of campaigns to confirm orders
• APTs
• Electric power going dark
14. What Were the Fans Doing?
• 19.8% Video
• 19.6% Web browsing
• 17.6% Social media sharing
• 15.9% Cloud
• 2.3% Music
• 1.4% Messaging
• 1.4% Email
• 1% Navigation
• 21% Other (e.g. Twitter feeds on cell carriers)
15. MetLife SB 48
• 1.1 TB of Wi-Fi data
Univ. of Phoenix SB 49
• 6.2 TB of Wi-Fi data
• 25,936 unique Wi-Fi users
• 17,322 peak concurrent users
• 7 TB approx. data via wireless carrier
Levi's Stadium SF 50
• 10.1 TB of Wi-Fi data (+63%)
• 1st to transfer 10 TB of data over Wi-Fi
• Sunday 6 am to 11 pm: fans used 9.3 TB and the media used 453 GB
• 27,315 unique Wi-Fi users
• 20,300 peak concurrent users
• 3.0 Gbps continuous Wi-Fi bandwidth for 4+ hrs. on Sunday
• 15.9 TB of data via wireless carrier
• 15.1 – 23 Mbps download throughout the game (3 x SB 49)
• Live streaming consumed 315 million total min. @ 1.4 M users
16. Comparison
• Average 49ers game generates 2.0 TB
• WrestleMania last March: 4.5 TB
• 76,976 fans
• 4.5 TB
• Peak 14,800 concurrent fans
• 1.61 Gbps continuous data
• 2.474 Gbps
• Taylor Swift: 7.1 TB (with ½ of the stadium closed off)
17. What Did We Learn?
Game Stats
• 24 million cyber events
• 19.6 million events from the wired network
• 3.8 million from the wireless Wi-Fi network
• Barrier1 AARE Engine: 568,502 (2.3%) cyber events never before seen anywhere; no signatures, definitions or prior knowledge
• Game day 6 am – 11 pm
• Fans used 9.3 TB
• Media used 453 GB
Severity of the Cyber Events
• Severity 1: 336,035 (1.4%)
• Severity 2: 801,122 (3.3%)
• Severity 3: 23,364,179 (95.4%)
18. What Did We Uncover
Command and control, anonymizers and P2P:
• CnC / C2
• TOR
• P2P: BitTorrent, Vuze, BtWeb client, eDonkey, eMule, Gnutella, Kazaa, ThunderNetwork
• RAT client
• Heartbleed
Viruses
• User agents
• Windows executable in text file
• Anubis
• PushDo
• Netwire
• DNS poison
• Trojan DNS
• Overtoolbar.net backdoor
Most Bizarre
• Clear text password
• Inappropriate websites
• Sexting
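Two of the findings on this slide, a Windows executable hiding in a "text" file and passwords crossing the network in clear text, are the kind of thing a content-inspection sensor in the layered-inspection setup from slide 6 is placed to catch. The script below is an added illustration of both checks and is not code from the presentation or any product it names. The transfer records, host addresses and the hand-built PE stub are constructed sample data; the credential regex is a deliberately narrow assumption covering common form-field names.

```python
# Added example (not from the presentation): content checks for two findings the
# deck lists, a Windows PE executable stored under a .txt name and credentials
# sent over plain HTTP. All transfer records below are constructed.
import re
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. the file is a Windows executable
    regardless of what its name or declared content type says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Assumed (narrow) pattern for credential fields in URL-encoded form bodies.
CRED_PATTERN = re.compile(rb"(?:^|[&?\s])(?:pass(?:word|wd)?|pwd)=[^&\s]+", re.IGNORECASE)


def fake_pe(size: int = 128) -> bytes:
    """Constructed minimal PE-shaped blob for the sample data: MZ stub, e_lfanew
    pointing at offset 0x40, and a PE signature there. It is not a runnable binary."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed transfers: (src_ip, dst_ip, protocol, file name or URL path, payload)
TRANSFERS = [
    ("10.0.5.21", "198.51.100.3", "http", "notes.txt", b"Game day checklist\n1. Check DAS\n"),
    ("10.0.5.22", "198.51.100.3", "http", "readme.txt", fake_pe()),
    ("10.0.7.9", "198.51.100.8", "http", "login", b"user=vendor42&password=hunter2"),
    ("10.0.7.10", "198.51.100.8", "http", "search", b"q=parking+lot+c"),
]


def scan(transfers):
    """Return (src, dst, finding) tuples for transfers that trip either check."""
    findings = []
    for src, dst, proto, name, payload in transfers:
        if name.lower().endswith(".txt") and looks_like_pe(payload):
            findings.append((src, dst, "windows executable in text file"))
        if proto == "http" and CRED_PATTERN.search(payload):
            findings.append((src, dst, "clear-text password"))
    return findings


if __name__ == "__main__":
    for finding in scan(TRANSFERS):
        print(finding)
```

The executable check deliberately ignores the file name except as the trigger for suspicion: the name says text, the bytes say PE, and the mismatch is the finding. The credential check only makes sense on unencrypted transport, which is why it is gated on the protocol field; on TLS the sensor would not see the body at all.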
21. What Did We Learn
• Speeds will be faster
• Greater emphasis on fan experience
• More apps
• Cyber attacks will be more complex
• There will be more attack surfaces
• More automation
23. Worries
• Phishing Attacks
• Ransomware
• Soft Targets – before and during the game
• Web Site compromise
• IP Harvesting
• Fake Tickets
• Fake Emails as part of campaigns to confirm orders
24. What Were They Doing?
• 19.8% Video
• 19.62% Web browsing
• 15.9% Cloud
• 2.29% Music
• 1.44% Messaging
• 1.3% Email
• 0.97% Navigation
• 20.8% The rest
• Planned for 2 Gbps
• Ordered food
• Watched replays
• Communicating with their friends that were not at the game
• Fantasy Football
• Stadium apps that show directions and locations of vendors & services
• Selfies
• 6,000 hrs. of HD video
25. What Got Through
• Network Capture
• Wired 19,609,972 (normal business, Web, Mail, printing)
• Wireless 3,719,231
• AARE Engine 56,442
• Types of traffic
26. Continued
• Main viruses
• User-Agent
• Flow Point 220
• Windows executable in text file
• Anubis
• PushDo
• Netwire RD
• Overtoolbar.net backdoor
• DNS poison
• Trojan DNS
27. Continued What were they doing?
• Live Streams consumed 315 Million total minutes of Game
• Average audience was 1.4 million
• Event driven traffic
28. Stadium Technology
• Distributed antenna system (DAS) to boost the cellular signals
• Thousands of monitors in every section of the stadium, so no one will miss a beat
• One large master control room to power those monitors with game action, graphics and replays
• Interactive games that let fans catch virtual passes
• 20,000 square feet of solar panels and a LEED Gold Certification for its environmental friendliness
• An app designed specifically to enhance the in-game experience