ECSA Cyber Security Conference 2011 Hands-On Threat Demos
•
4 likes•715 views
The document describes an upcoming cyber security conference presentation on hands-on threat demonstrations. The agenda includes demonstrations of malware installation via a malicious USB drive, capturing usernames and passwords on a rogue open wireless network, hacking into a wireless network protected with WPA2-PSK, and social engineering executives on social media using a fake profile. The speaker is introduced as an experienced cybercrime investigator and security advisor who will demonstrate these attack scenarios live. Attendees are encouraged to learn techniques to defend against these types of attacks.
Recommended
Recommended
More Related Content
Similar to ECSA Cyber Security Conference 2011 Hands-On Threat Demos
Similar to ECSA Cyber Security Conference 2011 Hands-On Threat Demos (20)
More from Filip Maertens
More from Filip Maertens (18)
Recently uploaded
Recently uploaded (20)
ECSA Cyber Security Conference 2011 Hands-On Threat Demos
- 1. ECSA Cyber Security Conference 2011 Some hands-‐on threat demonstra.ons Cyber Security 2011 (13-‐Dec-‐2011) Filip Maertens Avydian Cyber Defense Cyber Defense Group
- 2. Agenda ➤ Demo 1: The Curious Case of Benjamin BuGon ➤ Demo 2: Thanks for the free Wi-‐Fi ➤ Demo 3: Hm. Now, I need free Wi-‐Fi ➤ Demo 4: Social Engineering on social networks ➤ Demo 5: IntercepTng GSM networks Cyber Defense Group
- 3. About the speaker ➤ Cybercrime invesTgator and tacTcal cyber security advisor ➤ Head of Cyber-‐Security at European Corporate Security AssociaTon ➤ CISSP, CISM, CISA, CPO, CFE … and CCSP (“cer.fied common sense prac..oner”) ➤ MSc. InformaTon Risk and BSc. InformaTon OperaTons ➤ Mobile aficionado (building mobile channels for Fortune 500 banks) Cyber Defense Group
- 4. Demo 1 – The Curious Case of Benjamin BuBon (or how curiosity killed the cat) Cyber Defense Group
- 5. The ABack -‐ PreparaDon ➤ Prepare a USB with a maliciously cra[ed file and drop it somewhere. Then wait. ➤ ExploitaTon of human weakness ➤ ExploitaTon of system weakness Cyber Defense Group
- 6. The ABack – PreparaDon (2/2) ➤ Make a good payload: ➤ Obfuscated key-‐logger ➤ Adobe Acrobat Reader 10.x 0day exploit (PDF) ➤ Once the Acrobat is exploited, our key-‐logger is silently installed Cyber Defense Group
- 7. The ABack – ExecuDon (Step 1) Cyber Defense Group
- 8. The ABack – ExecuDon (Step 2) Live Demo: Silent install of key-‐logger Cyber Defense Group
- 9. Defending against the aBack ➤ Don’t take candy from a stranger: ➤ Always approach unknown storage hardware with great cauTon ➤ Do not open files (seriously) ➤ … and if you must, open it in an isolated test environment ➤ PracTce sound personal system security pracTces Cyber Defense Group
- 10. Demo 2 – Thanks for the free Wi-‐Fi! (or, if something looks to be good to be true… it usually is) Cyber Defense Group
- 11. The ABack -‐ PreparaDon ➤ Prepare a rogue access point: ➤ Deny access to exis.ng Access Point ➤ Set up your own Access Point (with sslstrip) ➤ Intercept all traffic going over the wire ➤ ExploitaTon of human weakness ➤ ExploitaTon of system weakness Cyber Defense Group
- 12. The ABack – ExecuDon Live Demo: Capture usernames + passwords of a user Cyber Defense Group
- 13. Defending against the aBack ➤ Never assume (“it makes an ass of u and me”): ➤ Always ask for the SSID of the Hotel or public area ➤ Be vigilant / aware of abnormal behavior: ➤ Someone in a parked car with a laptop ➤ Unusual slow Internet access ➤ Abnormal traceroute paths ➤ Abnormal SSL cerTficates presented (or broken cerTficates) ➤ Automated connects aren’t automated any more Cyber Defense Group
- 14. Demo 3 – Hm. Now, I need free Wi-‐Fi! (wireless hacking for fun and profit) Cyber Defense Group
- 15. The ABack -‐ PreparaDon ➤ Set up a Linux machine with a wireless card ➤ Put network card in promiscuous mode, so it starts to listen to all wireless traffic around you ➤ Capture all traffic and do this unTl you have capture a WPA Handshake session. ➤ Decode the passphrase (PSK) by doing offline cracking. Cyber Defense Group
- 16. The ABack – ExecuDon Live Demo: Hack an Access Point (WPA2-‐PSK) Cyber Defense Group
- 17. Defending against the aBack ➤ Don’t use Pre-‐Shared Key protecTon: ➤ But if you have no choice, make it extremely long ( > 35 chars) ➤ Change the PSK every month or quarter ➤ Change the SSID to a non-‐default SSID ➤ Don’t use WPA2-‐TKIP, but WPA2-‐AES ➤ Monitor your Internet usage to check for excessive bandwidth usage. ➤ Have a firewall between the AP and your network. Cyber Defense Group
- 18. Demo 4 – Social Engineering on Social Networks (trying to score a date with Sophie Draufster) Cyber Defense Group
- 19. The ABack -‐ PreparaDon ➤ Back in 2010: Sophie Draufster was born on Facebook and LinkedIn ➤ Reason for existence: Social engineering of execuTves of large consulTng firms ➤ Results: ➤ Facebook Friends: 105 ➤ LinkedIn Requests: 133 ➤ Divulging of confidenTal informaTon: 73 ➤ Explicit date requests: 33 Cyber Defense Group
- 20. The ABack -‐ Results Cyber Defense Group
- 21. Defending against the aBack ➤ Be vigilant and know who you are talking to: ➤ Why would a (gorgeous looking) stranger befriend you ? ➤ Never post / talk / tweet / … classified business ➤ Be trained to detect social engineering aGacks (paranoia can’t hurt) ➤ Claim your own idenTty (before someone else does) ➤ Social networks only for offline trusted friends Cyber Defense Group
- 22. Demo 5 – IntercepDng GSM networks (build your own tacTcal intercepTon device) Cyber Defense Group
- 23. The ABack -‐ PreparaDon Trixie ➤ Become your own operator: R/TFX900 Priceless 175 USD ➤ Universal So[ware Radio Peripheral ➤ GNUradio Project ➤ OpenBTS / OpenBSC / SMSqueue USRP 800 USD ➤ OsmocomBB ➤ Asterisk 52 Mhz ➤ Under 1,500 USD you cover up to 37 USD 300 m of GSM signal (indoor) + 2 channels (850/900/1800/1900). Cyber Defense Group
- 24. The ABack -‐ Background (1/2) ➤ GSMA is not too worried, though : “ … intercept approach has underesDmated its pracTcal complexity A hacker would need a radio receiver system and the signal processing so]ware necessary to process the raw radio data. CSMA, Aug 2009 ✓ UnderesDmated complexity: Ability to decrypt A5 family in (near) real Tme (2009) ✓ UnderesDmated complexity: IMSI catching, bypass A3/A8, … (2010) ✓ Radio receiver system: USRP / USRP2 + GNUradio + OpenBTS (you know, the so]ware) Cyber Defense Group
- 25. The ABack -‐ Background (2/2) If it looks like a duck , walks like a duck , talks like a duck = it’s a duck ! ? MCC=206, MNC=020 Handset registers to who ? This is where you do “Hello” Cyber Defense Group
- 26. The ABack – ExecuDon Disclaimer – Only used for test and protocol analysis purposes. No real operator MMC or MNC data, frequencies and spectrum used. No operator BTS, BSC or HLR infrastructure is (ab)used. Live Demo: IntercepDon of SMS Live Demo: IntercepDon of Voice Call Cyber Defense Group
- 27. The ABack – Summary OTP over SMS Insecure Making calls Insecure Cyber Defense Group
- 28. Defending against the aBack ➤ Sudden and/or repeated network signal loss ➤ Sudden 3G data loss (where it is abnormal) ➤ Cryptographic voice streaming over 3G (A5.3) ➤ Sudden downgrade from A5.1 to A5.0/A5.2 ➤ … but passive intercepTon => undetectable from handheld Cyber Defense Group
- 29. Taking it to an non-‐defendable level Cyber Defense Group
- 30. ECSA Cyber Security Conference 2011 Some hands-‐on threat demonstra.ons Cyber Security 2011 (13-‐Dec-‐2011) Filip Maertens filip.maertens@avydian.com Cyber Defense Group