Thank you for collaborating with your local hackers

Thank you for collaborating
with your local h4¢k3r$ !
h4¢
C:
C:>format C:Y/N _
Christian “Check your Wifi” Frenette
Michel “You’ve been H4x0r3d!” Cusin
CSE Conference – Mont-Tremblant
October 16, 2009 © Bell Canada, 2009. Tous droits réservés

Start to think out of the box…

… and realize what hackers know that you
don't… !

Because they WILL use it to their advantage,
against you or your customers !

© Bell Canada, 2009. Tous droits réservés

Let’s try to think out of the box…

• How can we make 4 triangles,
with 6 matches… ?


?
?

You have to think out of the
box, just like the hackers do…
3

1 2
4

3

You know we’re getting at… Right ?


Overview of the presentation

• Public information gathering
• The WiFi Landscape
• Social Networks / Social hacking / Engineering
• Spamming, phishing & Cross-site Scripting
• The infamous Botnets


Public information gathering
• Whois, nslookup / dig, ARIN, RF monitoring, etc…
• Google (Maps / Earth, Groups, Blogs, Images, etc…)
• Wigle.net, Wireless Geographic Loggin Engine
• Enterprise Register
• Specialized tools (Maltego, Lazy Champ, Kismet, etc…)
• Social Networking Sites

• Did you know you were leaking that much..?


The WiFi Landscape

• Use Radio frequencies
• Electromagnetic shared medium, think hub !
• Physical environment dependencies
• Users can move, Phy environment can change
• CSMA/CA instead CSMA/CD, or transmit and
pray
• Indoor / outdoor
• Antenna pattern
• New security considerations


New vector to protect from….
• Protect network from unauthorized users
• Rogue AP, session hijacking, eavesdropping
• Protect users from unauthorized networks
– Fake AP

Network Users


Don’t
• Disclose personal information in the SSID name
of your network
• Relying on masking your SSID is useless:
– Provide a false sense of security
– User don’t know and reach for other
– The stations are broadcasting the SSID they’re trying
to reach anyway (Probe requests)
• Filtering MAC addresses is useless
– Always transmit in clear text
– Easy to spoof


DOS attack require expensive equipements
• Micro-wave fork attack
• WiFi jammer

Gighz,
Usually 2.450 Gighz,
just between Ch 8-9, in
the ISM band and 500-
500-
1000 watts !!! Vs AP 4
watts


We are protected…
• We have firewall
– Facing Internet ! (dude!!!)
– We provide a corporate Lan access jack
• in the parking lot (WiFi)
• We don’t have any wireless… neither policies !
– Neither wireless detection, ;-(
– Laptop with WiFi card (ad-hoc mode)

Internet


Authentication & encryption

• We use encryption
– WEP-RC4 or TKIP-RC4, AES-CCMP
• We use authentication
– PSK or Enterprise (Eg: Radius)
– SSID, 802.1x, EAP-TLS, PEAP, etc, (PWD,
Certificat)
– EAP, Sitting on WEP/TKIP, AES ?
– Always use strong password policy (LEAP—
ASLEAP)


Working @ home

• I use WEP, WPA-PSK
– you are acting like a rogue AP, if your home network
is not protect
• Anayway, I use VPN to connect to the office
– Your lucky, if it never drop when your not in front of
your PC
– Enforce layer 2 security even if you use VPN
• All PCs at home are safe
– Kids PCs, Playstation, lots of treath from the inside


Rogue threats

• Good guys friendly/unaware
– Implement by users to facilitate network
access, always against organization policy
(when they exist…)
• Malicious
– To provide network backdoor
• Unintended
– Authorized but misconfigured equipment


Ad-Hoc mode
• Ad-hoc mode are insecure
– All stations control the communication no APs
– Unencrypted or WEP
• Look the same or very close
• With aircrack-ng you get the WEP key and import it in Wireshark
to decrypt on the fly.
– User may use windows bridging utility to give access to
wire Lan from the ad-hoc segment


Free WiFi acces
Wonderfull Hot spot

• Hot spot controller only identifies
authorized user by MAC+IP add
• At login, a popup logoff window is opened,
normally block by popup-bloker
• Sessions stay active until inactivity timeout
• Excellent receipt for session Hijacking
– Script to monitor inactivity
– Spoof MAC and IP address (Pickupline)


Hot spot cont….

• Hotspot are identified only by SSID
• Station reach for the highest signal
• High power soft-AP may be use to capture
clients

Hotspot AP


Hot spot…Sidejacking.

• Common for popular sites to do authentication
over HTTPS (Gmail)
– and reverts to HTTP after authentication
• Raison they can support HTTPS for all users
– HTTPS is an option you have to select
• The attack consist to retrieve the session cookie,
no need of your credentials
– Attacker can impersonate the user
– Doesn’t affect the active session


Hot spot injections Airpw

• begin page_html
• match ^(GET|POST)
• ignore ^GET [^ ?]+.(jpg|jpeg|gif|png|tif|tiff)
• response content/page_html
• -----------------------------------------------------------------

• HTTP/1.1 200 OK HTTP req
• Connection: close sniff
• Content-Type: text/html HTTP
response
• <html><head><title>HELLO CSE!</title>
• </head><body>
• <blink><font size=+5 color=red>
• Hello CSE! I'm watching you !
• </font>
• </blink>
• <p>

HTTP req
Internet


Hot spot recommendations

• Lack of layer 2 security require stronger
upper-layer defences
• Personal firewall, HIPS, AV is a must and
– Patch, patch, patch
• Restrict permitted SSID
• Use VPN tunnelled traffic at hotspots
• Security awareness for Hot spot utilisation


Black Berry

• They are secure, but users are not always
• Social engineering vulnerability
– Malware download, turn de BB into a remote
cam or microphone or redirect mail


6 things to consider

• Security policy
• Strong authentication
• Strong encryption
• Monitoring
• Auditing
• Security awareness


Social Engineering

What is social engineering?

Is there any social engineers in the room ?


Social Networks and Social Engineering


Social Engineering + Social Networks =

• Some people post their life
– (Kids, vacations, etc..)
• Security relies on a username/password
– Could be easy to get in
• ID spoofing
– Could ask money to the victim’s known contacts
• Koobface
– Worm – Infected 2.9M machines just in the US (Soc. Eng.)
• Install a Web Server and fake antivirus, send fake messages,
• Foils CAPTCHA, Steal Data,
• Hijack Web sessions, Change Domain Name System (DNS)


Social Networks and Social Engineering

• Microblog (Max 140 characters -> SMS)
• Security relies on a username/password
– Could be easy to get in
• ID spoofing
– Could ask money to the victim’s known contacts
• New way of spamming
• Are used to control Botnets
• All kind of information could be posted on it (same as forums, BB)
– Corporate
– Sensitive
– Etc..


Spam

• What is it ?
Did you know that 86.4% of all e-mail in Sep 09 was spam ?

• Who ?

• Why ?

• When ?

• How ?


Phishing

• What is it ?
Did you know that 1 in 437 e-mails comprised a phishing attack?

• Who ?

• Why ?

• When ?

• How ?

• Here’s some examples…

Example of Phishing


XSS example Web Site
(very popular)

User
Web Site
(vulnerable to XSS)

Another Example <Metasploit>


Spamming + phishing = Lo$$ & Profit$

Lo$$ & Profit$

ng
Ph

mi
is

am
hi
ng

Sp


The infamous botnet

Relay
Japan

Relay
Russia

IRC Servers
(Internet Relay Chat)

Relay
China

IRC client
Cuba


Methodes of propagation


X OK


Peer to peer botnet


Fast flux botnet


Botnet controled via Twitter


Botnet controled via Google Groups


Security in surface…

Intrusion Detection

Antivirus
Firewall


Security in depth

Intrusion Detection
Communications and
Communications and
Security Policy
Security Policy Operations Management
Operations Management
Antivirus
Firewall
Organizational Security
Organizational Security Access Control
Access Control

Information Classification
Information Classification Systems Development and
Systems Development and
Maintenance
Maintenance

Personnel Security
Personnel Security Business Continuity
Business Continuity
Management
Management

Physical and Environmental
Physical and Environmental Compliance
Compliance
Security
Security

* 10 domains of security - ISO 17799

Information security sometimes
require solutions, that may not be in
“a box”…


Questions ?


Thank you for collaborating with your local hackers

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (9)

Similar to Thank you for collaborating with your local hackers

Similar to Thank you for collaborating with your local hackers (20)

More from michelcusin

More from michelcusin (18)

Recently uploaded

Recently uploaded (20)

Thank you for collaborating with your local hackers