CSI - Poor Man's Guide To Espionage Gear

Presentation from CSI - Computer Security Institute Conference

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,227
On SlideShare
0
From Embeds
0
Number of Embeds
28
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

CSI - Poor Mans Guide To Espionage Gear

  1. Poor Man's Guide To Network Espionage Gear: Return of the Beast
     Shawn Merdinger, Independent Security Researcher & Consultant
     SEC-5, Computer Security Institute 33rd Annual, 2006.11.7

  2. About the speaker
     ● Shawn Merdinger
       – Independent security researcher & consultant
       – Current projects
         ● VoIP device security
         ● Emergency communications system security
       – Former positions
         ● TippingPoint
         ● Cisco Systems (Security Technologies Assessment Team)

  3. British Spy Rock

  4. First-Generation Spy Rock?

  5. Warnings and Stuff
     ● This is academic research...the “how”, not the “why”
     ● This is “dangerous information”...however
       – You have the right/need to know
       – I have the right/need to talk
     ● Oh yeah...and remember
       – Devices (in context) may be illegal...don't use
       – Activities (in context) may be illegal...don't do

  6. Objectives
     ● Academic information exchange
     ● My favorite cheap 'n mean gear (network focused)
     ● Attacks & countermeasures
     ● “The nasty”
     ● Resources

  7. Agenda
     ● Objectives
     ● Attacks
     ● Network Espionage Devices (NEDs)
     ● Gettin' Spooky with IT
     ● Countermeasures
  8. “Waiter, my mushroom soup tastes funny”
     Never underestimate the devastation of a “simple” attack

  9. Attacker Goals
     ● Attacker wants to accomplish...
       – Gain network access via a device at victim's location
       – Attack internal/external hosts via TCP/IP
       – Attack phone/PDA/PC via Bluetooth
       – Passively gather information via sniffing
       – Establish other internal and external access
       – Impersonate services (web server, database)
       – Target a user (VIP VoIP connection)

  10. Attack Tools
     ● Typical open-source methods and tools
       – Scanning & probing
       – Sniffing
       – Exploiting
       – Covert communications, reverse crypto connections
     ● Multiple protocols and entry points
       – Wired LAN
       – 802.11b/g wireless
       – Bluetooth
       – RFID

  11. NEDs
     ● My favorites
       – Linksys WRT54G
       – Linksys NSLU2
       – Nokia 770
       – Gumstix
       – PicoTux
     ● Plenty of others!
       – Access points, PDAs, game platforms, etc.

  12. Agenda
     ● Objectives
     ● Attacks
     ● Network Espionage Devices (NEDs)
     ● Gettin' Spooky with IT
     ● Countermeasures

  13. NED Characteristics
     ● Small, unobtrusive, ubiquitous, cute
     ● Low-cost, almost disposable
     ● Minimal power requirements
       – Power over Ethernet, battery, solar potential
     ● Multiple attack vector capability
       – Wired, wireless, Bluetooth, RFID
     ● Traditional forensics very difficult
       – Ephemeral filesystems running in RAM
       – Try that, EnCase!

  14. NED Characteristics
     ● Outbound reverse connections back to attacker
       – Crypto tunnels bypass firewalls, IDS/IPS
       – “Under the radar” common protocols: DNS requests, ICMP, HTTP/S are typically allowed through firewalls
       – Proxies, anonymizers, bouncing through multiple boxes
     ● Ported attack tools and exploits
       – ARM processor-based (the WRT54G is MIPS; either way, tools must be cross-compiled for the target)
       – Hardware/software limitations and trade-offs
       – Dependent libraries, GUIs, etc.
       – Don't expect a Nessus GUI on Linksys routers
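
The “under the radar” channel on slide 14 is the one a defender can actually look for: a reverse connection tunneled over DNS shows up on the resolver as a stream of long, high-entropy, never-repeating subdomains under a single domain, usually as TXT or NULL queries. The Python below is an added example, not part of the talk, that runs that check over constructed BIND-style query-log lines. The log format, the two-label approximation of the registered domain and the thresholds are assumptions to tune against your own resolver's baseline.

```python
"""Spot DNS-tunnel-style query patterns in resolver logs.

Added example (not from the talk). The log format is BIND query-log style,
the sample lines below are constructed, and the thresholds are assumptions
to be tuned against a baseline of your own resolver's traffic.
"""
import math
import re
from collections import defaultdict

# Constructed sample: a normal workstation (10.1.5.23) and a planted device
# (10.1.5.200) pushing hex-encoded data out in TXT queries to a domain it
# controls. The ".invalid" TLD is used so the names cannot resolve by accident.
SAMPLE_LOG = """\
07-Nov-2006 14:02:11.101 client 10.1.5.23#51234: query: www.cisco.com IN A + (10.1.1.1)
07-Nov-2006 14:02:11.340 client 10.1.5.23#51235: query: mail.cisco.com IN MX + (10.1.1.1)
07-Nov-2006 14:02:12.002 client 10.1.5.23#51236: query: www.cisco.com IN A + (10.1.1.1)
07-Nov-2006 14:02:12.777 client 10.1.5.23#51237: query: tools.cisco.com IN A + (10.1.1.1)
07-Nov-2006 14:02:12.901 client 10.1.5.23#51238: query: update.example.org IN A + (10.1.1.1)
07-Nov-2006 14:02:13.010 client 10.1.5.200#40001: query: 4a6f686e20446f65.9f1c.zz-tunnel.invalid IN TXT + (10.1.1.1)
07-Nov-2006 14:02:13.412 client 10.1.5.200#40002: query: 70617373776f72643d.9f1d.zz-tunnel.invalid IN TXT + (10.1.1.1)
07-Nov-2006 14:02:13.899 client 10.1.5.200#40003: query: 68756e74657232.9f1e.zz-tunnel.invalid IN TXT + (10.1.1.1)
07-Nov-2006 14:02:14.233 client 10.1.5.200#40004: query: 3b3b3b3b2e2e2e.9f1f.zz-tunnel.invalid IN TXT + (10.1.1.1)
07-Nov-2006 14:02:14.650 client 10.1.5.200#40005: query: 0a0d0a0d414243.9f20.zz-tunnel.invalid IN TXT + (10.1.1.1)
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)")

# Record types that carry the most payload per answer; the usual downstream
# channel for a tunnel.
BULK_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (base domain, subdomain part). The base is approximated as the
    last two labels; a public-suffix list is the production choice (assumption)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_queries(log_text):
    """Yield (client ip, queried name, query type) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")


def score_clients(log_text, min_queries=4, uniq_ratio_min=0.9,
                  avg_sub_len_min=12, entropy_min=3.0):
    """Aggregate per (client, base domain) and flag tunnel-like behaviour:
    nearly every query carries a new, long, high-entropy subdomain."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "sub_chars": 0, "bulk": 0})
    for ip, name, qtype in parse_queries(log_text):
        base, sub = split_name(name)
        st = stats[(ip, base)]
        st["n"] += 1
        st["subs"].add(sub)
        st["sub_chars"] += len(sub.replace(".", ""))
        if qtype in BULK_TYPES:
            st["bulk"] += 1
    findings = []
    for (ip, base), st in stats.items():
        if st["n"] < min_queries:
            continue
        uniq_ratio = len(st["subs"]) / st["n"]
        avg_len = st["sub_chars"] / st["n"]
        entropy = shannon_entropy("".join(s.replace(".", "") for s in st["subs"]))
        if uniq_ratio >= uniq_ratio_min and avg_len >= avg_sub_len_min and entropy >= entropy_min:
            findings.append({
                "client": ip, "domain": base, "queries": st["n"],
                "unique_ratio": round(uniq_ratio, 2), "avg_sub_len": round(avg_len, 1),
                "entropy": round(entropy, 2), "bulk_ratio": round(st["bulk"] / st["n"], 2),
            })
    return findings


if __name__ == "__main__":
    for finding in score_clients(SAMPLE_LOG):
        print(finding)
```

CDNs and some reputation-lookup services also generate many unique subdomains, so the unique-subdomain ratio on its own is noisy; the length and entropy conditions, plus the TXT/NULL share reported as bulk_ratio, are what separate a tunnel from that background. Run it over a day of real logs before trusting the thresholds.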
  15. NED Characteristics
     ● Stripped-down Linux
     ● BusyBox shell
     ● SSH, HTTP/S management
     ● Features like VPN tunnels, mesh networking
     ● On-the-fly software install as “packages”
       – DNS, Apache, Asterisk
       – Attack tools and exploits
       – Powerful scripting languages: Python, Ruby

  16. Linksys WRT54G
     ● Cheap, cute, heavily “hacked” and tweaked
     ● Secure with default Linksys firmware?
       – Ubiquitous = the “new Windows”
       – Very likely unpublished exploits in the wild
     ● Open-source alternatives to Linksys firmware
       – OpenWrt: package system
       – Sveasoft: mesh networking
     ● Unleashing the WRT54G....

  17. FairuzaUS for Linksys
     ● FairuzaUS: www.hackerpimps.com
     ● Command line interface over SSH
     Treo 650 → SSH into FairuzaUS → into compromised Windows box

  18. Upcoming Linksys
     ● EVDO & WiFi = WOW!
     ● Linux-based
     ● This will become popular
     ● Potential for abuse is big

  19. Nokia 770
     ● Basics
       – Debian-based Linux PDA
       – Slow CPU, low RAM
       – 802.11b & Bluetooth
       – Touchscreen keyboard
     ● Software & commercial attack platform development
       – Immunity SILICA (Dave Aitel): http://immunitysec.com/products-silica.shtml
       – HD Moore doing work on this platform (Metasploit)
       – Maemo project and security tools packaged
         ● tcpdump, Nmap, dsniff, Kismet, Bluetooth audit

  20. Linksys NSLU2
     ● “Slug”, US $75
     ● Heavy open-source support
       – Unslung, OpenSlug, DebianSlug
     ● USB storage
     ● Bluetooth dongles
     ● Asterisk, webcam, MP3 stream
     ● Try it if you're looking for a weekend geek project
     ● I'm looking into this as a testing platform

  21. Gumstix
     ● Ultra-small computers ($120+)
     ● Expandable “snap-in” boards
       – CF storage and 802.11b wireless
       – Single and dual Ethernet with PoE
         ● MITM hardware device with dual Ethernet
       – Bluetooth
       – USB, serial, PS/2 connectors
       – Used in BlueSniper, UltraSwarm
       – Developer CDs and environment

  22. PicoTux
     ● Picotux 100 and 112 (US $100+)
       – World's smallest Linux computer
       – 35mm×19mm×19mm (size of an RJ45 connector)
       – Power over Ethernet
       – Telnet and HTTP server
       – Developer CDs and environment
     ● Attacks
       – Plenum off a Cisco CAT switch
       – “Serial to Ethernet connector”
  23. Other Gear
     ● KeyKatcher
       – PS/2 and new USB version
     ● New “U3” USB key technology
       – Auto-run apps, installs, pull SAM on-the-fly, etc.
     ● EVDO USB key
     ● “Executive gift USB” - Swiss Army USB/knife
     ● Infected RFID tags
       – Infects reader, which then infects other tags and DB
       – http://www.rfidvirus.org/papers/press_release.pdf

  24. Other Gear
     ● Linux phones
       – Customizable
       – Bluetooth, WiFi, cameras, etc.
     ● Qtopia
       – Security people “discussing ideas”
       – Prediction: top “hacker” phone
     ● BlackDog
       – Linux box on USB
       – Biometric auth

  25. Agenda
     ● Objectives
     ● Attacks
     ● Network Espionage Devices (NEDs)
     ● Gettin' Spooky with IT
     ● Countermeasures

  26. Spooky: Device Enclosures
     ● Free water cooler offer ;)
       – Potential for power source
       – Legitimate reason for physical presence...and returning
     ● Office décor
       – Flower safe with X-mas tree & lights...plug 'n play
     ● Exit sign, fire extinguisher
       – Dangerous to mess with emergency gear
     ● But what if extra gear shows up?
       – Wow, we have even more security now!

  27. Spooky: 0wn3d Mesh Network
     ● Municipal networks beware!
     ● Build it
       – EVDO gateway for Internet
       – Drive-by/walk-by AP 0wn4g3
       – Senao AP w/ Yagi = sweeper
     ● Run it
       – Karma (answer every probe request, then DHCP for everybody)
       – Shared crypto keys, cron jobs, remote sshfs mounts
     ● 0wn it
       – Attack everything, browser exploits on portal
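
“Karma = DHCP for everybody” works because Karma answers a probe request for any SSID with a probe response claiming that SSID, so a client's preferred-network list drags it onto the attacker's AP. The cheapest check for such an AP is to probe for an SSID that cannot exist and see who answers. The Python below is an added example, not from the talk. It works on already-captured (probe SSID, BSSID, response SSID) records, which is an assumption about how you collect them (a monitor-mode interface with Kismet or tcpdump); the sample records and BSSIDs are constructed.

```python
"""Detect a Karma-style access point that answers probes for any SSID.

Added example, not from the talk. Operates on captured
(probe SSID, responding BSSID, SSID in the probe response) records so it
runs offline; collecting them live needs a monitor-mode interface and a
sniffer (assumption).
"""
import secrets
from collections import defaultdict


def make_canary_ssid(nbytes=6):
    """Random SSID nobody legitimately serves. Any AP that answers a probe
    for it is fabricating networks on demand, which is what Karma does for
    every SSID a victim's preferred-network list leaks."""
    return "canary-" + secrets.token_hex(nbytes)


def find_karma_aps(records, canaries, claim_threshold=3):
    """Return {bssid: [reasons]} for APs that behave like Karma.

    records: iterable of (probe_ssid, bssid, response_ssid).
    canaries: SSIDs the auditor invented and probed for.
    claim_threshold: distinct SSIDs one BSSID may answer for before it is
    suspicious. Legitimate multi-SSID APs exist, so the canary hit is the
    stronger signal; the count is a supporting one.
    """
    claimed = defaultdict(set)
    canary_hits = defaultdict(set)
    for probe_ssid, bssid, response_ssid in records:
        if response_ssid != probe_ssid:
            # A response to a broadcast probe, or one carrying a different
            # SSID than we asked for, is ordinary AP behaviour: skip it.
            continue
        claimed[bssid].add(response_ssid)
        if probe_ssid in canaries:
            canary_hits[bssid].add(probe_ssid)
    findings = {}
    for bssid, ssids in claimed.items():
        reasons = []
        if canary_hits[bssid]:
            reasons.append("answered canary probe: " + ", ".join(sorted(canary_hits[bssid])))
        if len(ssids) >= claim_threshold:
            reasons.append("claims %d distinct SSIDs: %s" % (len(ssids), ", ".join(sorted(ssids))))
        if reasons:
            findings[bssid] = reasons
    return findings


# Constructed capture: a legitimate guest AP and a Karma box that answers
# every probe, including the auditor's canary. BSSIDs are made up.
CANARY = "canary-3f9a1c07b2e4"
SAMPLE_RECORDS = [
    ("corp-guest", "00:0c:41:aa:bb:01", "corp-guest"),
    ("corp-guest", "00:14:bf:de:ad:01", "corp-guest"),
    ("linksys",    "00:14:bf:de:ad:01", "linksys"),
    ("tmobile",    "00:14:bf:de:ad:01", "tmobile"),
    (CANARY,       "00:14:bf:de:ad:01", CANARY),
    ("",           "00:0c:41:aa:bb:01", "corp-guest"),  # broadcast probe answered: normal
]

if __name__ == "__main__":
    for bssid, reasons in find_karma_aps(SAMPLE_RECORDS, {CANARY}).items():
        print(bssid, "->", "; ".join(reasons))
```

Probe for a fresh canary on every sweep; a canary reused across days can end up in a real preferred-network list and lose its meaning.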
  28. Spooky: In-Transit “Marketing”
     ● Airports, train stations, bus stations, subways, etc.
       – Bluetooth spamming with “scary” message content
       – 0wn3d WiFi networks & Windows Messaging
     ● Multiplier effect
       – Simultaneous at multiple hubs in US
       – “Scary message”
     ● Huge productivity costs
       – Wrong message
     ● Used as diversion, secondary attack, etc.
     ● Virus/worm-type attack like this is possible

  29. Of Course...
     ● Why not hack the marketing guy's gear instead?
       “CBS today said it is planning a marketing initiative that will allow mobile users with Bluetooth-enabled phones to download promotional clips from its new fall TV shows directly to their handsets at billboard locations in New York. The billboards in Grand Central station....”
     ● Digging a little deeper
       – kameleon-media.com
       – “Remote data loading via a GPRS or Ethernet modem that connects directly the MobiPoint® to our server.”

  30. Spooky: Long-distance, the next best thing to being there
     ● Home-built Bluetooth/WiFi “sniper” setups
       – Bluetooth targets up to one mile
       – 802.11b targets up to...?

  31. How far?
     802.11b over 125 miles

  32. Maxing Out Current Gear
     ● Janus Scanner - DefCon 14
     ● 8 Senao hi-power cards (the 125-mile WiFi-record card)
     ● Amplifier, 1 watt to “keep it legal”
     ● Linux, Kismet, etc.
     ● Pelican case
     ● Data encrypted
     ● 1-button operation
     ● Also “BlueBag”
       – Targets Bluetooth

  33. Terrorism & RFID Passports
     ● US passports will have RFID tags
       – Each US state's driver's licenses probably next
     ● RFID security weaknesses already found
     ● Reading tags at a distance is a documented threat
     ● The “Nightmare Scenario”
       – Discussed in media already
       – NED (or cell) RFID scan for passports
         ● Connected to explosive device
         ● Detonate when X number are in range

  34. Countermeasures
     ● Know the risks and threats
     ● Know your network devices and traffic
     ● User education, buy-in, ownership of the problem
     ● Policy and “best practices”
     ● Planned response vs. “Uh oh...”
       – Calling the cavalry (specialists, Johnny Law)
     ● Proactive measures
       – Honeypots, honeynets, Bluetooth honeypot
       – Yet to see an RFID honeypot (sell to Wal-Mart?)
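
“Know your network devices and traffic” is the countermeasure that catches most of the gear on slides 11 to 24: a planted WRT54G or PicoTux has to get a switch port and, usually, a DHCP lease. The Python below is an added example (not from the talk) that cross-checks a Cisco-style MAC address table and an ISC dhcpd.leases excerpt against a device inventory. The table, leases, inventory and the two-entry OUI list are all constructed for the example; in practice the OUI lookup would come from the IEEE registry and the inventory from your CMDB.

```python
"""Cross-check a switch MAC table and DHCP leases against a device inventory.

Added example, not from the talk. The sample table, leases, inventory and
the tiny OUI list are constructed (the OUI list stands in for the IEEE
registry you would load in practice). Anything unknown, anything on an
unexpected port, and any unknown MAC sharing a port with a known host
(a box chained in front of it) gets reported.
"""
import re
from collections import defaultdict

# Constructed inventory: MAC -> (owner, switch port it should be on).
INVENTORY = {
    "00:0c:f1:11:22:33": ("jsmith-pc", "Fa0/12"),
    "00:11:43:44:55:66": ("print-3f", "Fa0/21"),
}

# Constructed OUI notes; illustrative entries only, not a registry.
OUI_NOTES = {
    "00:14:bf": "Cisco-Linksys",
    "00:12:17": "Cisco-Linksys",
}

# Constructed 'show mac address-table' output (Cisco IOS style).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000c.f111.2233    DYNAMIC     Fa0/12
   1    0014.bf12.3456    DYNAMIC     Fa0/12
   1    0011.4344.5566    DYNAMIC     Fa0/20
   1    0015.e9ab.cdef    DYNAMIC     Fa0/23
"""

# Constructed ISC dhcpd.leases excerpt.
LEASES = """\
lease 10.1.5.23 {
  starts 2 2006/11/07 13:55:01;
  hardware ethernet 00:0c:f1:11:22:33;
  client-hostname "jsmith-pc";
}
lease 10.1.5.200 {
  starts 2 2006/11/07 14:01:40;
  hardware ethernet 00:14:bf:12:34:56;
  client-hostname "WRT54G";
}
"""

MAC_ROW_RE = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I | re.M)
LEASE_RE = re.compile(r"lease\s+([\d.]+)\s*\{(.*?)\}", re.S)


def cisco_to_colon(mac):
    """'0014.bf12.3456' -> '00:14:bf:12:34:56'."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return {mac: port} from IOS 'show mac address-table' output."""
    return {cisco_to_colon(m): port for m, port in MAC_ROW_RE.findall(text)}


def parse_leases(text):
    """Return {mac: (ip, hostname or '')} from dhcpd.leases text."""
    out = {}
    for ip, body in LEASE_RE.findall(text):
        hw = re.search(r"hardware ethernet ([0-9a-f:]{17});", body, re.I)
        host = re.search(r'client-hostname "([^"]*)"', body)
        if hw:
            out[hw.group(1).lower()] = (ip, host.group(1) if host else "")
    return out


def audit(mac_table, leases, inventory, oui_notes):
    """Return {mac: [reasons]} for MACs that need a human to look at them."""
    seen = parse_mac_table(mac_table)
    dhcp = parse_leases(leases)
    by_port = defaultdict(set)
    for mac, port in seen.items():
        by_port[port].add(mac)
    findings = defaultdict(list)
    for mac, port in seen.items():
        if mac in inventory:
            owner, expected = inventory[mac]
            if port != expected:
                findings[mac].append("%s expected on %s, seen on %s" % (owner, expected, port))
            continue
        findings[mac].append("not in inventory (port %s)" % port)
        vendor = oui_notes.get(mac[:8])
        if vendor:
            findings[mac].append("OUI %s = %s" % (mac[:8], vendor))
        if mac in dhcp:
            ip, host = dhcp[mac]
            findings[mac].append("DHCP lease %s hostname %r" % (ip, host))
        for known in sorted(m for m in by_port[port] if m in inventory):
            findings[mac].append("shares %s with %s: possible inline device" % (port, inventory[known][0]))
    for mac, (owner, expected) in inventory.items():
        if mac not in seen:
            findings[mac].append("%s not seen on any port" % owner)
    return dict(findings)


if __name__ == "__main__":
    for mac, reasons in sorted(audit(MAC_TABLE, LEASES, INVENTORY, OUI_NOTES).items()):
        print(mac, "->", "; ".join(reasons))
```

A dual-Ethernet bridge in line with a desktop (the Gumstix MITM build on slide 21) is invisible at layer 2 until it sources its own frames; when it does, the “shares port” finding is what you see. Pair the audit with 802.1X or port security where you can, since it only runs as often as you pull the tables.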
  35. Looking Forward & Other Stuff
     ● More devices with network access
       – “Why is my refrigerator scanning my network?”
     ● Mobile devices will be targeted
     ● VoIP and the new-style phone-tapping agenda
       – VoIP phones as room taps
       – Capture VoIP traffic
     ● Same old story
       – New technology, adoption, poor security, etc.

  36. Thanks!
     ● Questions?
     ● Feel free to contact me at shawnmer@io.com
