
ECSA Cyber Security Conference 2011


A session of Live Hacking demonstrations at the ECSA Cyber Security Conference 2011 (Belgium) to law enforcement and private community.


ECSA Cyber Security Conference 2011

  1. ECSA Cyber Security Conference 2011 – Some hands-on threat demonstrations. Cyber Security 2011 (13-Dec-2011). Filip Maertens, Avydian Cyber Defense. Cyber Defense Group
  2. Agenda ➤ Demo 1: The Curious Case of Benjamin Button ➤ Demo 2: Thanks for the free Wi-Fi ➤ Demo 3: Hm. Now, I need free Wi-Fi ➤ Demo 4: Social Engineering on social networks ➤ Demo 5: Intercepting GSM networks
  3. About the speaker ➤ Cybercrime investigator and tactical cyber security advisor ➤ Head of Cyber-Security at European Corporate Security Association ➤ CISSP, CISM, CISA, CPO, CFE … and CCSP (“certified common sense practitioner”) ➤ MSc. Information Risk and BSc. Information Operations ➤ Mobile aficionado (building mobile channels for Fortune 500 banks)
  4. Demo 1 – The Curious Case of Benjamin Button (or how curiosity killed the cat)
  5. The Attack – Preparation ➤ Prepare a USB with a maliciously crafted file and drop it somewhere. Then wait. ➤ Exploitation of human weakness ➤ Exploitation of system weakness
  6. The Attack – Preparation (2/2) ➤ Make a good payload: ➤ Obfuscated key-logger ➤ Adobe Acrobat Reader 10.x 0day exploit (PDF) ➤ Once Acrobat is exploited, our key-logger is silently installed
  7. The Attack – Execution (Step 1)
  8. The Attack – Execution (Step 2) – Live Demo: Silent install of key-logger
  9. Defending against the attack ➤ Don’t take candy from a stranger: ➤ Always approach unknown storage hardware with great caution ➤ Do not open files (seriously) ➤ … and if you must, open it in an isolated test environment ➤ Practice sound personal system security practices
  10. Demo 2 – Thanks for the free Wi-Fi! (or, if something looks too good to be true… it usually is)
  11. The Attack – Preparation ➤ Prepare a rogue access point: ➤ Deny access to the Access Point ➤ Set up your own Access Point (with sslstrip) ➤ Intercept all traffic going over the wire ➤ Exploitation of human weakness ➤ Exploitation of system weakness
  12. The Attack – Execution – Live Demo: Capture usernames + passwords of a user
  13. Defending against the attack ➤ Never assume (“it makes an ass of u and me”): ➤ Always ask for the SSID of the hotel or public area ➤ Be vigilant / aware of abnormal behavior: ➤ Someone in a parked car with a laptop ➤ Unusually slow Internet access ➤ Abnormal traceroute paths ➤ Abnormal SSL certificates presented (or broken certificates) ➤ Automated connects aren’t automated any more
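Two of the symptoms on the slide above (a login page that arrives over plain HTTP after an sslstrip-style rogue access point, and an abnormal certificate being presented) can be checked mechanically from the client side. The following is an added example written for this page, not code from the talk or from the sslstrip project: it flags HTTP-downgrade indicators in a fetched login page and compares a presented certificate against a fingerprint recorded earlier. The hostnames, headers, HTML and the "pinned" fingerprint are constructed placeholders; in real use the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` and the pin from the genuine site.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed: SHA-256 fingerprints an organisation recorded for its own sites'
# certificates. The bytes here are placeholders, not a real certificate.
PINNED_CERT_SHA256 = {
    "mail.example.com": hashlib.sha256(b"placeholder-genuine-cert-der").hexdigest(),
}


def check_certificate(host, cert_der):
    """Compare a presented certificate (DER bytes) with the recorded pin.

    Returns 'ok', 'MISMATCH' (a different certificate than expected, one of the
    slide's warning signs), or 'unpinned' (nothing recorded for this host).
    """
    expected = PINNED_CERT_SHA256.get(host)
    if expected is None:
        return "unpinned"
    return "ok" if hashlib.sha256(cert_der).hexdigest() == expected else "MISMATCH"


FORM_ACTION_RE = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']([^"\']*)["\']', re.I)
PASSWORD_FIELD_RE = re.compile(r'type\s*=\s*["\']password["\']', re.I)


def downgrade_indicators(url, headers, body):
    """Return the signs that a login page has been stripped down to plain HTTP."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    lowered = {k.lower(): v for k, v in headers.items()}
    if scheme != "https":
        findings.append("page delivered over plain HTTP")
    elif "strict-transport-security" not in lowered:
        # HSTS is what lets the browser refuse the downgrade next time.
        findings.append("HTTPS page without Strict-Transport-Security header")
    for action in FORM_ACTION_RE.findall(body):
        if action.lower().startswith("http://"):
            findings.append(f"form posts credentials to plain HTTP: {action}")
    if PASSWORD_FIELD_RE.search(body) and scheme != "https":
        findings.append("password field on a non-HTTPS page")
    return findings


# Constructed samples: the same login page seen through a genuine connection
# and through a stripping proxy that rewrote https:// links to http://.
GENUINE = (
    "https://mail.example.com/login",
    {"Strict-Transport-Security": "max-age=31536000"},
    '<form action="https://mail.example.com/auth"><input type="password" name="p"></form>',
)
STRIPPED = (
    "http://mail.example.com/login",
    {"Content-Type": "text/html"},
    '<form action="http://mail.example.com/auth"><input type="password" name="p"></form>',
)

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("stripped", STRIPPED)):
        print(label, downgrade_indicators(*sample))
    print(check_certificate("mail.example.com", b"placeholder-genuine-cert-der"))
    print(check_certificate("mail.example.com", b"some-other-certificate"))
```

The genuine sample produces no findings; the stripped sample produces three (plain HTTP page, form posting to HTTP, password field without TLS). The certificate check is deliberately a plain fingerprint comparison, which is what a user can do by hand against a fingerprint noted down on a trusted network.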
  14. Demo 3 – Hm. Now, I need free Wi-Fi! (wireless hacking for fun and profit)
  15. The Attack – Preparation ➤ Set up a Linux machine with a wireless card ➤ Put the network card in promiscuous mode, so it starts to listen to all wireless traffic around you ➤ Capture all traffic and keep doing this until you have captured a WPA handshake session. ➤ Decode the passphrase (PSK) by offline cracking.
  16. The Attack – Execution – Live Demo: Hack an Access Point (WPA2-PSK)
  17. Defending against the attack ➤ Don’t use Pre-Shared Key protection: ➤ But if you have no choice, make it extremely long (> 35 chars) ➤ Change the PSK every month or quarter ➤ Change the SSID to a non-default SSID ➤ Don’t use WPA2-TKIP, but WPA2-AES ➤ Monitor your Internet usage to check for excessive bandwidth usage. ➤ Have a firewall between the AP and your network.
  18. Demo 4 – Social Engineering on Social Networks (trying to score a date with Sophie Draufster)
  19. The Attack – Preparation ➤ Back in 2010: Sophie Draufster was born on Facebook and LinkedIn ➤ Reason for existence: Social engineering of executives of large consulting firms ➤ Results: ➤ Facebook Friends: 105 ➤ LinkedIn Requests: 133 ➤ Divulging of confidential information: 73 ➤ Explicit date requests: 33
  20. The Attack – Results
  21. Defending against the attack ➤ Be vigilant and know who you are talking to: ➤ Why would a (gorgeous looking) stranger befriend you? ➤ Never post / talk / tweet / … classified business ➤ Be trained to detect social engineering attacks (paranoia can’t hurt) ➤ Claim your own identity (before someone else does) ➤ Social networks only for offline trusted friends
  22. Demo 5 – Intercepting GSM networks (build your own tactical interception device)
  23. The Attack – Preparation ➤ Become your own operator: ➤ Universal Software Radio Peripheral ➤ GNUradio Project ➤ OpenBTS / OpenBSC / SMSqueue ➤ OsmocomBB ➤ Asterisk ➤ Under 1,500 USD you cover up to 300 m of GSM signal (indoor) + 2 channels (850/900/1800/1900). [Slide callouts with component prices: Trixie; R/TFX900 – 175 USD; Priceless; USRP – 800 USD; 52 MHz – 37 USD]
  24. The Attack – Background (1/2) ➤ GSMA is not too worried, though: “… intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data.” (GSMA, Aug 2009) ✓ Underestimated complexity: Ability to decrypt the A5 family in (near) real time (2009) ✓ Underestimated complexity: IMSI catching, bypass A3/A8, … (2010) ✓ Radio receiver system: USRP / USRP2 + GNUradio + OpenBTS (you know, the software)
  25. The Attack – Background (2/2) – If it looks like a duck, walks like a duck, talks like a duck = it’s a duck! ? MCC=206, MNC=020 – Handset registers to whom? This is where you do “Hello”
  26. The Attack – Execution – Disclaimer – Only used for test and protocol analysis purposes. No real operator MCC or MNC data, frequencies and spectrum used. No operator BTS, BSC or HLR infrastructure is (ab)used. Live Demo: Interception of SMS. Live Demo: Interception of Voice Call
  27. The Attack – Summary – OTP over SMS: Insecure. Making calls: Insecure.
  28. Defending against the attack ➤ Sudden and/or repeated network signal loss ➤ Sudden 3G data loss (where it is abnormal) ➤ Cryptographic voice streaming over 3G (A5.3) ➤ Sudden downgrade from A5.1 to A5.0/A5.2 ➤ … but passive interception => undetectable from handheld
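The handset-side warning signs listed on the slide above (repeated signal loss, 3G data loss, and a downgrade from A5/1 to A5/0 or A5/2, written A5.1 and A5.0/A5.2 on the slide) can be turned into a simple detector. The following is an added example for this page, not code from the talk or from any of the projects it names: it parses a constructed, hypothetical log of radio events as a handset or a baseband-monitoring tool might record them, flags a cipher downgrade, counts signal losses inside a sliding window, and reports 3G data loss. The log format, field names and thresholds are assumptions. As the slide notes, this only catches the symptoms of an active attack; passive interception leaves no such trace.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log of handset radio events (hypothetical format, not real
# network data). Timestamps are ISO 8601; each line carries one event.
SAMPLE_LOG = """\
2011-12-13T10:00:01 event=cipher mode=A5/1
2011-12-13T10:00:05 event=signal state=ok
2011-12-13T10:01:10 event=signal state=lost
2011-12-13T10:01:15 event=signal state=ok
2011-12-13T10:01:40 event=signal state=lost
2011-12-13T10:01:44 event=signal state=ok
2011-12-13T10:01:50 event=data state=3g_lost
2011-12-13T10:02:00 event=cipher mode=A5/0
2011-12-13T10:05:00 event=cipher mode=A5/1
"""

# Relative strength of the GSM ciphers named on the slide: A5/0 is no encryption,
# A5/2 is the weakened export cipher, A5/1 the standard one, A5/3 the 3G-era one.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}

LINE_RE = re.compile(r"^(\S+) event=(\w+) (\w+)=(\S+)$")


def parse_events(text):
    """Parse the constructed log into (timestamp, kind, key, value) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, kind, key, value = m.groups()
        events.append((datetime.fromisoformat(ts), kind, key, value))
    return events


def detect_anomalies(events, loss_threshold=2, window=timedelta(minutes=2)):
    """Return alert strings for the symptoms the slide lists."""
    alerts = []
    current_cipher = None
    loss_times = []
    for ts, kind, key, value in events:
        if kind == "cipher":
            # A move to a lower-ranked cipher is the downgrade symptom.
            if current_cipher is not None and \
                    CIPHER_RANK.get(value, 0) < CIPHER_RANK.get(current_cipher, 0):
                alerts.append(f"{ts.isoformat()} cipher downgrade {current_cipher} -> {value}")
            current_cipher = value
        elif kind == "signal" and value == "lost":
            # Keep only losses inside the sliding window, then test the threshold.
            loss_times.append(ts)
            loss_times = [t for t in loss_times if ts - t <= window]
            if len(loss_times) >= loss_threshold:
                alerts.append(f"{ts.isoformat()} repeated signal loss "
                              f"({len(loss_times)} within {window})")
                loss_times = []  # reset so one burst yields one alert
        elif kind == "data" and value == "3g_lost":
            alerts.append(f"{ts.isoformat()} 3G data lost")
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log the detector raises three alerts: the second signal loss within the two-minute window, the 3G data loss, and the A5/1 to A5/0 downgrade; the later return to A5/1 is not reported, since only downgrades matter here.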
  29. Taking it to a non-defendable level
  30. ECSA Cyber Security Conference 2011 – Some hands-on threat demonstrations. Cyber Security 2011 (13-Dec-2011). Filip Maertens