This document summarizes a presentation about low-cost devices that can be used for network espionage. It describes various small, inexpensive devices like wireless routers and PDAs that have been modified to perform attacks and surveillance through their networking capabilities. Examples like the Linksys WRT54G wireless router and Nokia 770 PDA are provided. The presentation outlines how these network espionage devices (NEDs) work, potential attacks they enable, and recommendations for security countermeasures.
Hardwear.io 2018 BLE Security Essentials workshop - Slawomir Jasek
Bluetooth Low Energy (Smart, 4) has recently been gaining more and more traction as one of the most common and rapidly growing IoT technologies. Unfortunately the prevalence of the technology does not come with security. Alarming vulnerabilities in BLE smart locks, medical devices and banking tokens are revealed day by day. And yet, the knowledge of how to comprehensively assess them seems very uncommon.
In this workshop you will get familiar with the basics of BLE security. We will work on a dedicated, readily available BLE hardware nRF devkit device. You will learn how to program and flash it yourself, using a special web interface and ready templates. Such an approach allows you to better understand how things work “under the hood”, experiment with different options, and then secure the hardware properly.
From attacker’s perspective, we will cover among others: sniffing, spoofing, MITM, replay and relay.
Having enough time, we will play with a collection of vulnerable smart locks, sex toys and other devices.
A 2018 practical guide to hacking RFID/NFC - Slawomir Jasek
Ever wanted to hack these proximity/contactless cards you use every day, but did not know where to start? This is the talk to attend! I will walk you through the fascinating world of RFID/NFC failures, snake oils and installation gaps - that despite facing well deserved hacks a long time ago, still remain unpatched in so many buildings. Besides legacy (but still widespread), more modern (but also broken), and supposedly non-breakable (yet to be tested) systems, I will also share the risks and possible attacks on the new emerging technology - replacing plastic cards with your NFC smartphone in access control systems. How to recognize the card type? What kinds of cards can be cloned? Can you clone a card having just a picture of it? How to build your own card cracking and cloning equipment for less than $10, and when is it worth investing in more powerful hardware? How to use a smartphone to crack keys, or emulate a plastic access control card? How to intercept data transmitted from a wall reader to the backend door controller? How to reverse a hotel system and understand the data encoded on cards? Expect highly practical information regarding these and many other topics. Multiple live demos and NFC hacking hardware sets to give away included. After the talk you are also welcome to practice the new skills yourself on our test access control installations onsite.
Living With Passwords: Personal Password Management - Nuno Loureiro
Living with passwords: how can you manage your passwords, and what are the alternatives? Password managers, two-factor authentication, OTPs, smart cards and NFC are some of the covered topics.
Security isn’t deploying some overbearing big brother of a hardware or software solution; it’s not running scanning software which tells you you’re safe; because in reality in these types of setups you’re not.
Security is akin to high availability: you deploy multiple redundancies to ensure you can still operate. The same can and should be applied to security: identify the potential areas of attack, reduce this attack surface and deploy multiple redundancies to secure your deployments.
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015 - CODE BLUE
We are in the IoT era. In this session, the functions of GNURadio will be introduced with a demonstration. GNURadio is an SDR (Software Defined Radio) tool that can be used to analyze wireless security, for example of Bluetooth LE. As an example of SDR usage, I will demonstrate a replay attack on the RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) mounted on an aircraft and a sniffer for wireless keyboards. Ideas for countermeasures will also be discussed.
Web application-security-and-why-you-should-review-yours - David Busby, CISSP
In this talk we will cover what an attack surface is and what you can do to limit it.
Acronym hell: what do all these acronyms associated with security products mean?
Vulnerability media naming: stupidity, or driving the message home?
Detection or Prevention: avoiding the boy who cried wolf.
Emerging technologies to keep an eye on, or even implement yourself, to help improve your security posture.
2014 -> 2017: what's been going on, and why have there been so many compromises?
Feasibility of Security in Micro-Controllers - ardiri
Is it possible to secure micro-controllers used within IoT?
With the introduction of micro controllers such as the Arduino, Raspberry Pi and BeagleBone – it has become easy to connect sensors to gather information and utilise network connections to build an IoT ecosystem. Strong encryption schemes like RSA/AES/SHA and elliptic curve cryptography (ECC) have been difficult to introduce due to the limited performance and memory capabilities of the micro controllers used, and using standard libraries just isn’t feasible – we find that designated and optimised software is the only feasible way forward.
Controlling USB Flash Drive Controllers: Expose of Hidden Features - xabean
Video here, thanks to archive.org:
https://archive.org/details/ShmooCon2014_Controlling_USB_Flash_Drive_Controllers
With stories of "BadBIOS" infecting PCs simply by connecting a malicious USB flash drive to a PC, it's time we learned about flash drives and their controllers. Consumer USB flash drives are cheap, growing in capacity and shrinking in physical size. There are only around 15 prominent controller chip manufacturers whom you have never heard of, but who OEM for all the popular and respected "name brands" on the market. These flash controllers have capabilities that aren't mentioned on product packaging, and can be enabled with programming you will learn during this presentation. These flash controllers can be *reprogrammed entirely* via software to do whatever you want.
Turn an old flash drive into an emulated CDROM or a CDROM + flash drive. Update the controller's firmware, disassemble it, etc. This talk will touch on the various controller manufacturers, features, and show you how to leverage them for yourself. Why spend $100 on an old SanDisk[tm] U3 Cruiser when you can spend $4 for the same features?
Richard Harman is an incident responder at SRA International's internal Security Operations Center, where he slings Perl code supporting incident response and performs analysis & reverse engineering of targeted attack malware samples. He writes and releases scripts in support of his work on github at http://github.com/warewolf. Outside of his day job, he can be found hacking on projects at the Reston, VA hackerspace Nova Labs http://www.nova-labs.org.
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb... - grecsl
Wanna teach your kid to be a hacker but don’t know where to start? Security is a fairly complex topic but games offer the best way for kids to learn the basics. This presentation not only reviews a sample of existing games that teach security fundamentals to a younger audience but also discusses a new crowdsourced project to catalog similar fun and entertaining ways to teach kids security. This project could help spur interest in later university and other programs and potentially a career … or at least make our children more security-conscious adults in whatever field they choose.
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem... - grecsl
Wanna teach your kid to be a hacker but don’t know where to start? Security is a fairly complex topic but games offer the best way for kids to learn the basics. This presentation not only reviews a sample of existing games that teach security fundamentals to a younger audience but also discusses a new crowdsourced project to catalog similar fun and entertaining ways to teach kids security. This project could help spur interest in later university and other programs and potentially a career … or at least make our children more security-conscious adults in whatever field they choose.
Project KidHack – Teaching the Next Next Generation Security through Gaming a... - grecsl
Wanna teach your kid to be a hacker but don’t know where to start? Security is a fairly complex topic but games offer the best way for kids to learn the basics. This presentation not only reviews a sample of existing games that teach security fundamentals to a younger audience but also discusses a new crowdsourced project to catalog similar fun and entertaining ways to teach kids security. This project could help spur interest in later university and other programs and potentially a career … or at least make our children more security-conscious adults in whatever field they choose.
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr... - grecsl
Wanna teach your kid to be a hacker but don't know where to start? Security is a fairly complex topic but games offer the best way for kids to learn the basics. This presentation not only reviews a sample of existing games that teach security fundamentals to a younger audience but also discusses a new crowdsourced project to catalog similar fun and entertaining ways to teach kids security. This project could help spur interest in later university and other programs and potentially a career ... or at least make our children more security-conscious adults in whatever field they choose.
Software geeks fear hardware. It's a fact of life: code is easy to write and easy to change, but hardware catches on fire if you put it together wrong. But this is changing! Hardware is becoming cheaper and easier to work with every day and can often be managed with the same tools you use to deploy code to the cloud. Join self-described software guy and hardware-phobe Ronald McCollam for a guided trip from the safe world of web development to the scary lands of hardware and back again. We'll see how easy it can be to make the leap from managed code to microprocessors!
D1 T1 - T. Yunusov, K. Nesterov - Bootkit via SMS - qqlan
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM cards and install a malicious Java applet there; we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS, and even to get access to the internal technological network of a carrier.
Further attack evolution helped us understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that this modem is connected to.
How to hack a telecom and stay alive
Speaker: Sergey Gordeychik
Penetration testing of telecommunication companies' networks is one of the most complicated and interesting tasks of this kind. Millions of IPs, thousands of nodes, hundreds of web servers and only one spare month. What challenges are waiting for an auditor during telecom network testing? What to pay attention to? How to use the working time more effectively? Why is the subscriber more dangerous than a hacker? Why is a contractor more dangerous than a subscriber? How to connect a vulnerability with financial losses? Sergey Gordeychik will talk about this and about the most significant and funny cases from penetration testing of telecommunication networks in his report.
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014) - Olga Kochetova
At all times there have been bad guys who tried to steal money. ATM machines containing vast amounts of money have always been attractive targets. Until recently, criminals were only using physical weaknesses. Skimmers and shimmers for stealing magstripe track data, fake PIN pads and cameras for stealing PIN codes, and even fake ATMs were created.
Time passed and ATM software started to unify. Where there is unification, there are viruses: Trojan.Skimmer.*, Ploutus and other named or unnamed trojans.
And what did we see on the public scene? Vendors started discussing the skimmer problem only after skimmers were detected in the wild. As you remember, Barnaby Jack presented "Jackpotting Automated Teller Machines" at Black Hat USA 2010. He used some vulnerabilities in ATM software. He showed that malware was injected into the OS of the ATM via a bootable flash drive or via a remote management TCP port.
Barnaby Jack's work was based on the assumptions that most vulnerabilities were concentrated in the host machine and that we can and should reuse software made by ATM vendors. And that's quite true, but... antiviruses, locked firmware upgrades, blocked USB connectors, and encrypted hard drives can mitigate such risks. But what about connecting not to the host machine, but to the devices themselves? What countermeasures exist when we try to impersonate the ATM host? Hacking ATMs with a small computer like a Raspberry Pi should be impossible, but it isn't.
The point of our presentation is to draw attention to a problem which has existed for quite a long time: the use of common interfaces (like RS232 or USB) and communication protocols from the host machine to devices such as card readers, PIN pads and/or dispenser units.
One of the most important factors supporting the protection of critical network infrastructure is the reaction time of the security incident response team (Incident Response Team).
The sooner, the better. Solutions that support early attack detection based on passive analysis of DNS queries, Netflow data sets or PCAPs are worth supplementing with honeynet-type infrastructure, which is increasingly appreciated and used in production. Sensible placement of honeypot probes in different network segments allows an attack to be detected already in the early reconnaissance and enumeration phases. Thanks to honeypots we will also often obtain detailed information about a new attack technique, an attempt to exploit a 0-day bug, or a very specific use of tools that have been known for years.
"Know your enemy" is the motto we should follow when developing the defensive skills of security teams, and a honeypot network definitely has great value here.
During the talk I will try to present ways of using open source honeypot solutions and the capabilities they offer. We will talk about individual projects imitating real services (DNS, SMB, SSH, SCP/SFTP, FTP, telnet, HTTP, TFTP, MySQL/MSSQL, RDP and many others), injecting honeypot content into web applications through a reverse proxy, attacking the attackers ;), and finally dedicated platforms with a built-in ELK stack.
Web application security and why you should review yours is a whole-stack look, a skydive without a parachute. Let's try not to die as we explore what an attack surface is, acronym hell, vulnerability naming, detection or prevention (is there a place for both, or for neither?), emerging OSS technologies which can help you, a firehose review of compromises 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or, as often happens, the backup video.
IoT offers a plethora of new protocols and frequencies over which communication travels. Protocols and services such as SSDP, P25, Zigbee, Z-Wave, WiFi and more provide countless ways to exfiltrate data or infiltrate the network. Through real-world examples, sample code and demos, presenters will bring to light these threats and new methods for detecting aberrant behavior emanating to/from these devices.
Learning Objectives:
1: Gain a better understanding of the many IoT protocols, frequencies and services.
2: Learn how IoT communications can be exploited to exfiltrate data from your network.
3: Obtain a list of techniques for detecting these aberrant IoT behaviors.
(Source: RSA Conference USA 2018)
5. Warnings and Stuff
- This is academic research... the “how” not the “why”
- This is “dangerous information”... however
  - You have the right/need to know
  - I have the right/need to talk
- Oh yeah... and remember
  - Devices (in context) may be illegal... don't use
  - Activities (in context) may be illegal... don't do
6. Objectives
- Academic information exchange
- My favorite cheap 'n mean gear (network focused)
- Attacks & countermeasures
- “The nasty”
- Resources
7. Agenda
- Objectives
- Attacks
- Network Espionage Devices (NEDs)
- Gettin' Spooky with IT
- Countermeasures
8. “Waiter, my mushroom soup tastes funny”
Never underestimate the devastation of a “simple” attack
9. Attacker Goals
- Attacker wants to accomplish...
  - Gain network access via a device at victim's location
  - Attack internal/external hosts via TCP/IP
  - Attack phone/PDA/PC via Bluetooth
  - Passively gather information via sniffing
  - Establish other internal and external access
  - Impersonate services – Webserver, Database
  - Target a user – VIP VoIP connection
10. Attack Tools
- Typical opensource methods and tools
  - Scanning & Probing
  - Sniffing
  - Exploiting
  - Covert communications, reverse crypto connections
- Multiple protocols and entry points
  - Wired LAN
  - 802.11b/g wireless
  - Bluetooth
  - RFID
11. NEDs
- My favorites
  - Linksys WRT54G
  - Linksys NSLU2
  - Nokia 770
  - Gumstix
  - PicoTux
- Plenty of others!
  - Access Points, PDAs, Game platforms, etc.
12. Agenda
- Objectives
- Attacks
- Network Espionage Devices (NEDs)
- Gettin' Spooky with IT
- Countermeasures
13. NED Characteristics
- Small, unobtrusive, ubiquitous, cute
- Low-cost, almost disposable
- Minimal power requirements
  - Power over ethernet, battery, solar potential
- Multiple attack vector capability
  - Wired, Wireless, Bluetooth, RFID
- Traditional forensics very difficult
  - Ephemeral filesystems running in RAM
- Try that Encase!
14. NED Characteristics
- Outbound reverse connections back to attacker
  - Crypto tunnels bypass firewalls, IDS/IPS
  - “Under the radar” common protocols: DNS requests, ICMP, HTTP/S are typically allowed through firewalls
  - Proxies, anonymizers, bouncing through multiple boxes
- Ported attack tools and exploits
  - ARM processor-based
  - Hardware/software limitations and trade-offs
- Dependent libraries, GUIs, etc.
- Don't expect Nessus GUI on Linksys routers
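The slide above says a NED phones home over protocols the firewall already lets out, DNS being the classic one. The defender's side of that is to look at what the allowed protocol is actually carrying. The following is an added example, not code from the original deck: a heuristic scorer for DNS query logs that flags base domains showing the signature of a DNS tunnel (long encoded labels, high-entropy subdomains, many distinct subdomains, a high share of TXT/NULL queries). The log lines, the `ned-c2.example` domain, the log format and the thresholds are all constructed for the example; the "last two labels" base-domain rule is a simplification that a real deployment would replace with the public suffix list.

```python
"""Heuristic detection of DNS-based covert channels.

Added example for this page; it is not code from the original deck.
It scores DNS query logs for signals typical of DNS tunnels: long
subdomain labels, high-entropy subdomains, many distinct subdomains
under one base domain, and a high share of TXT/NULL queries. The log
lines, domain names and thresholds are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qtype> <qname>".
# The .example queries mimic a NED pushing data out one hex chunk per label.
SAMPLE_LOG = """\
1700000000 10.0.0.12 A www.example.com
1700000001 10.0.0.12 A mail.example.com
1700000002 10.0.0.12 AAAA www.example.com
1700000003 10.0.0.12 A cdn.example.com
1700000004 10.0.0.44 TXT 3f9a1c7e2b8d4f6a0c5e.t.ned-c2.example
1700000005 10.0.0.44 TXT 9e2d7b1f4c8a6e0b3d5f.t.ned-c2.example
1700000006 10.0.0.44 TXT 0c4b8e2a6f1d9c3e7a5b.t.ned-c2.example
1700000007 10.0.0.44 TXT 7a1e5c9b3f8d2a6e0c4b.t.ned-c2.example
1700000008 10.0.0.44 TXT 2b6f0a4e8c1d5b9f3e7a.t.ned-c2.example
1700000009 10.0.0.44 TXT 5d9c3a7e1b4f8d2c6e0a.t.ned-c2.example
"""

# Thresholds are assumptions tuned to the sample, not measured values.
LONG_LABEL = 16         # encoded payload chunks tend to be long labels
HIGH_ENTROPY = 3.0      # bits per character; "www", "mail", "cdn" stay well below
RARE_QTYPES = {"TXT", "NULL"}
RARE_RATIO = 0.5
MANY_SUBDOMAINS = 5
MIN_SIGNALS = 2         # flag a base domain when at least two signals fire


def shannon_entropy(text):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed space-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qtype, qname = parts
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def split_domain(qname):
    """Return (subdomain, base_domain).

    Assumption: the base domain is the last two labels. Real deployments
    should use the public suffix list so that names like example.co.uk
    are handled correctly."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(records):
    """Aggregate queries per base domain and evaluate the tunnel signals."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                      "max_label": 0, "rare": 0, "total": 0})
    for rec in records:
        sub, base = split_domain(rec["qname"])
        d = per_domain[base]
        d["total"] += 1
        d["subdomains"].add(sub)
        d["entropies"].append(shannon_entropy(sub.replace(".", "")))
        if sub:
            d["max_label"] = max(d["max_label"], max(len(lab) for lab in sub.split(".")))
        if rec["qtype"] in RARE_QTYPES:
            d["rare"] += 1

    report = {}
    for base, d in per_domain.items():
        mean_entropy = sum(d["entropies"]) / d["total"]
        signals = {
            "long_labels": d["max_label"] >= LONG_LABEL,
            "high_entropy": mean_entropy >= HIGH_ENTROPY,
            "rare_qtypes": d["rare"] / d["total"] >= RARE_RATIO,
            "many_subdomains": len(d["subdomains"]) >= MANY_SUBDOMAINS,
        }
        report[base] = {
            "queries": d["total"],
            "distinct_subdomains": len(d["subdomains"]),
            "max_label_len": d["max_label"],
            "mean_entropy": round(mean_entropy, 2),
            "signals": signals,
            "suspicious": sum(signals.values()) >= MIN_SIGNALS,
        }
    return report


def suspicious_domains(text):
    """Convenience wrapper: sorted base domains flagged in a log text."""
    return sorted(b for b, r in score_domains(parse_log(text)).items() if r["suspicious"])


if __name__ == "__main__":
    for base, r in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{base:20} {'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['signals']}")
```

Requiring two independent signals keeps CDNs and cloud APIs, which legitimately use many distinct subdomains, from tripping the detector on that signal alone; what a NED cannot avoid is putting high-entropy payload into the labels, so the entropy and label-length signals do most of the work.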
15. NED Characteristics
- Stripped-down Linux
- BusyBox shell
- SSH, HTTP/S management
- Features like VPN tunnels, mesh networking
- On-the-fly software install as “packages”
  - DNS, Apache, Asterisk
  - Attack tools and exploits
  - Powerful scripting languages: Python, Ruby
16. Linksys WRT54G
- Cheap, cute, heavily “hacked” and tweaked
- Secure with default Linksys firmware?
  - Ubiquitous = the “new Windows”
  - Very likely unpublished exploits in the wild
- Opensource alternatives to Linksys firmware
  - OpenWRT
    - Package system
  - Sveasoft
    - Mesh networking
- Un-leashing the WRT54G....
17. FairuzaUS for Linksys
- FairuzaUS: www.hackerpimps.com
- Command line interface over SSH
[Screenshot: Treo 650 SSH into FairuzaUS into compromised Windows box]
18. Upcoming Linksys
- EVDO & Wifi = WOW!
- Linux-based
- This will become popular
- Potential for abuse is big
19. Nokia 770
- Basics
  - Debian Linux PDA
  - Slow CPU, low RAM
  - 802.11b & Bluetooth
  - Touchscreen keyboard
- Software & Commercial Attack Platform Development
  - Immunity SILICA (Dave Aitel): http://immunitysec.com/products-silica.shtml
  - HD Moore doing work on this platform (MetaSploit)
  - Maemo project and security tools packaged
    - Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit
20. Linksys NSLU2 “Slug”
- US $75
- Heavy OpenSource support
  - Unslung, Openslug, DebianSlug
- USB storage
- Bluetooth dongles
- Asterisk, WebCam, MP3 stream
- Try if you're looking for a weekend geek project
- I'm looking into this as a testing platform
21. Gumstix
- Ultra-small computers ($120 +)
- Expandable “snap in” boards
  - CF storage and 802.11b wireless
  - Single and dual Ethernet with POE
  - MITM hardware device with dual ethernet
  - Bluetooth
  - USB, serial, PS/2 connectors
  - Used in BlueSniper, UltraSwarm
- Developer CDs and environment
22. PicoTux
- Picotux 100 and 112 (US $100 +)
  - World's smallest Linux computer
  - 35mm×19mm×19mm (size of RJ45 connector)
  - Power over ethernet
  - Telnet and HTTP server
  - Developer CDs and environment
- Attacks
  - Plenum off a Cisco CAT switch
  - “Serial to ethernet connector”
23. Other Gear
- KeyKatcher
  - PS/2 and new USB version
- New “U3” USB key technology
  - Auto-run apps, installs, pull SAM on-the-fly, etc.
- EVDO USB Key
- “Executive Gift USB” - Swiss Army USB/Knife
- Infected RFID tags
  - Infects reader, which then infects other tags and DB
  - http://www.rfidvirus.org/papers/press_release.pdf
24. Other Gear
- Linux Phones
  - Customizable
  - Bluetooth, Wifi, cameras, etc.
- Qtopia
  - Security people “discussing ideas”
  - Prediction: top “hacker” phone
- BlackDog
  - Linux box on USB
  - Biometric auth
25. Agenda
- Objectives
- Attacks
- Network Espionage Devices (NEDs)
- Gettin' Spooky with IT
- Countermeasures
26. Spooky: Device Enclosures
- Free water cooler offer ;)
  - Potential for power source
  - Legitimate reason for physical presence... and returning
- Office décor
  - Flower safe with X-mas tree & lights... plug 'n play
- Exit Sign, fire extinguisher
  - Dangerous to mess with emerg. gear
- But what if extra gear shows up?
  - Wow, we have even more security now!
27. Spooky: 0wn3d Mesh Network
- Municipal networks beware!
- Build It
  - EVDO gateway for Internet
  - Drive-by/Walk-by AP 0wn4g3
  - Senao AP w/ YAGI = Sweeper
- Run It
  - Karma = DHCP for everybody
  - Shared crypto keys, cron jobs, remote ssh-fs mounts
- 0wn it
  - Attack everything, browser exploits on portal
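"Karma = DHCP for everybody" works because a Karma access point answers every probe request with a probe response for whatever SSID the client asked for, so clients that remember an open network join the rogue AP and get handed an address. That behaviour is also what gives it away: one BSSID answering for many unrelated SSIDs, including an SSID that exists nowhere. The following is an added example, not code from the original deck, that applies those two checks to probe-response records. The records are constructed as if pulled from a monitor-mode capture; the canary SSID name and the per-BSSID threshold are assumptions for the example.

```python
"""Spotting a Karma-style rogue AP from probe responses.

Added example for this page; it is not code from the original deck.
A Karma access point answers every probe request with a probe
response for whatever SSID the client asked for, so a single BSSID
appears to serve many unrelated SSIDs and will even answer for a
canary SSID that exists nowhere. The frame records below are
constructed; the canary name and threshold are assumptions.
"""
from collections import defaultdict

# Constructed probe-response records: (bssid, ssid, client_mac).
# The first three come from two legitimate APs; the rest come from one
# BSSID that answers every client with whatever it asked for.
PROBE_RESPONSES = [
    ("aa:bb:cc:00:00:01", "CorpWiFi", "de:ad:be:ef:00:01"),
    ("aa:bb:cc:00:00:01", "CorpWiFi", "de:ad:be:ef:00:02"),
    ("aa:bb:cc:00:00:02", "GuestNet", "de:ad:be:ef:00:03"),
    ("02:13:37:00:00:09", "CorpWiFi", "de:ad:be:ef:00:01"),
    ("02:13:37:00:00:09", "linksys", "de:ad:be:ef:00:02"),
    ("02:13:37:00:00:09", "attwifi", "de:ad:be:ef:00:03"),
    ("02:13:37:00:00:09", "Home-2.4G", "de:ad:be:ef:00:04"),
    ("02:13:37:00:00:09", "zz-canary-9f3a", "de:ad:be:ef:00:ff"),
]

# Assumed: a test client probes for this SSID on purpose; nobody runs it,
# so any probe response carrying it comes from something answering blindly.
CANARY_SSID = "zz-canary-9f3a"
# Assumed threshold: a real AP advertises a handful of SSIDs at most.
MAX_SSIDS_PER_BSSID = 3


def ssids_per_bssid(records):
    """Map each BSSID to the set of SSIDs it has sent probe responses for."""
    seen = defaultdict(set)
    for bssid, ssid, _client in records:
        seen[bssid.lower()].add(ssid)
    return seen


def find_karma_aps(records, canary=CANARY_SSID, max_ssids=MAX_SSIDS_PER_BSSID):
    """Return {bssid: {"ssids": [...], "reasons": [...]}} for BSSIDs that look like Karma."""
    flagged = {}
    for bssid, ssids in ssids_per_bssid(records).items():
        reasons = []
        if canary in ssids:
            reasons.append("answered canary SSID")
        if len(ssids) > max_ssids:
            reasons.append(f"answers for {len(ssids)} distinct SSIDs")
        if reasons:
            flagged[bssid] = {"ssids": sorted(ssids), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for bssid, info in find_karma_aps(PROBE_RESPONSES).items():
        print(bssid, "|", "; ".join(info["reasons"]), "|", ", ".join(info["ssids"]))
```

The canary check is the decisive one: a count threshold can be tuned down by an attacker who only answers for popular SSIDs, but an AP that responds to a name you invented a minute ago is answering blindly. On the client side the matching countermeasure is to stop devices auto-joining remembered open networks, which is the preferred-network-list leak Karma feeds on.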
28. Spooky: In-Transit “Marketing”
- Airports, train stations, bus stations, subways, etc.
  - Bluetooth spamming with “scary” message content
  - 0wn3d wifi networks & Windows Messaging
- Multiplier-effect
  - Simultaneous at multiple hubs in US
  - “Scary message”
- Huge productivity costs
  - Wrong message
- Used as diversion, secondary attack, etc.
- Virus/worm type attack like this is possible
29. Of Course...
- Why not hack the marketing guy's gear instead?
  “CBS today said it is planning a marketing initiative that will allow mobile users with Bluetooth-enabled phones to download promotional clips from its new fall TV shows directly to their handsets at billboard locations in New York. The billboards in Grand Central station....”
- Digging a little deeper
  - kameleon-media.com
  - “Remote data loading via a GPRS or Ethernet modem that connects directly the MobiPoint® to our server.”
30. Spooky: Long-distance, the next best thing to being there
- Home-built Bluetooth/Wifi “Sniper” setups
- Bluetooth targets up to one mile; 802.11b targets up to...?
32. Maxing Out Current Gear
- Janus Scanner – DefCon 14
- 8 Senao hi-power cards (125 mile wifi-record card)
- Amplifier 1-watt to “keep it legal”
- Linux, Kismet, etc.
- Pelican case
- Data encrypted
- 1 button operation
- Also “BlueBag”
  - Target Bluetooth
33. Terrorism & RFID Passports
- US Passports will have RFID tags
  - Each US State's Drivers' licenses probably next
- RFID security weaknesses already found
- Reading tags at a distance is a documented threat
- The “Nightmare Scenario”
  - Discussed in media already
  - NED (or cell) RFID scan for passports
- Connected to explosive device
- Detonate X number in range
34. Countermeasures
- Know the risks and threats
- Know your network devices and traffic
- User education, buy-in, ownership of the problem
- Policy and “best practices”
- Planned response vs. “Uh oh...”
  - Calling the cavalry (specialists, Johnny Law)
- Proactive measures
  - Honeypots, Honeynets, Bluetooth-honeypot
  - Yet to see a RFID honeypot (sell to Wal-Mart?)
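"Know your network devices" is the countermeasure that catches the hardware in this deck: a WRT54G behind the water cooler or a dual-Ethernet Gumstix inline on a drop has to answer ARP, so it shows up as a MAC you have no record of, and if it is impersonating the gateway it shows up as a second MAC claiming the gateway's IP. The following is an added example, not code from the original deck, that audits a list of ARP-reply observations against a device inventory and reports unknown MACs, IP conflicts and one MAC claiming many addresses. The observations, the inventory and the OUI-to-vendor table are all constructed for the example (the OUI prefixes are not real assignments; a real deployment would use the IEEE OUI registry).

```python
"""Inventory check for unexpected devices from ARP reply records.

Added example for this page; it is not code from the original deck.
It replays arpwatch-style "is-at" observations against a known-device
inventory and reports (1) MACs not in the inventory, (2) IPs claimed
by more than one MAC, which is what gateway impersonation by an inline
MITM box looks like, and (3) one MAC claiming many IPs. Observations,
inventory and OUI table are constructed; the OUI prefixes are not
real IEEE assignments.
"""
from collections import defaultdict

# Constructed observations: (epoch, ip, mac) as seen in ARP replies on the LAN.
ARP_OBSERVATIONS = [
    (1700000000, "10.0.0.1",  "00:11:22:aa:00:01"),  # the real gateway
    (1700000001, "10.0.0.12", "00:11:22:aa:00:12"),
    (1700000002, "10.0.0.44", "00:11:22:aa:00:44"),
    (1700000003, "10.0.0.77", "00:dd:ee:13:37:01"),  # not in inventory
    (1700000004, "10.0.0.1",  "00:dd:ee:13:37:01"),  # same MAC now claims the gateway IP
    (1700000005, "10.0.0.78", "00:dd:ee:13:37:01"),  # ...and keeps collecting addresses
    (1700000006, "10.0.0.79", "00:dd:ee:13:37:01"),
]

# Constructed inventory: MAC -> hostname.
INVENTORY = {
    "00:11:22:aa:00:01": "gw-core",
    "00:11:22:aa:00:12": "ws-alice",
    "00:11:22:aa:00:44": "ws-bob",
}

# Constructed OUI table (first three octets -> vendor). Not real assignments;
# use the IEEE OUI registry in practice.
OUI_TABLE = {
    "00:11:22": "ExampleCorp NICs",
    "00:dd:ee": "TinyBoard SBC (assumed embedded-Linux vendor)",
}

MAX_IPS_PER_MAC = 2  # assumed threshold; a host with a couple of aliases is normal


def vendor_of(mac, oui_table=OUI_TABLE):
    """Look up the vendor prefix of a MAC address."""
    return oui_table.get(mac.lower()[:8], "unknown vendor")


def audit_arp(observations, inventory=INVENTORY, max_ips=MAX_IPS_PER_MAC):
    """Cross-check ARP observations against the inventory.

    Returns a dict with three findings:
      unknown_macs: {mac: vendor} for MACs absent from the inventory
      ip_conflicts: {ip: [macs]} for IPs claimed by more than one MAC
      greedy_macs:  {mac: [ips]} for MACs claiming more than max_ips addresses
    """
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for _ts, ip, mac in observations:
        mac = mac.lower()
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)

    unknown = {mac: vendor_of(mac) for mac in ips_by_mac if mac not in inventory}
    ip_conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}
    greedy = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > max_ips}
    return {"unknown_macs": unknown, "ip_conflicts": ip_conflicts, "greedy_macs": greedy}


if __name__ == "__main__":
    result = audit_arp(ARP_OBSERVATIONS)
    for mac, vendor in result["unknown_macs"].items():
        print(f"unknown device {mac} ({vendor})")
    for ip, macs in result["ip_conflicts"].items():
        print(f"IP conflict on {ip}: {', '.join(macs)}")
    for mac, ips in result["greedy_macs"].items():
        print(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

An IP conflict on the gateway address is the finding to page someone for; an unknown MAC on its own is often a printer or a visitor's laptop, which is exactly why the inventory has to be kept current for this check to mean anything.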
35. Looking Forward & Other Stuff
- More devices with network access
  - “Why is my refrigerator scanning my network?”
- Mobile devices will be targeted
- VoIP and the new-style phone tapping agenda
  - VoIP phones as room taps
  - Capture VoIP traffic
- Same old story
  - New technology, adoption, poor security, etc.
36. Thanks!
- Questions?
- Feel free to contact me at shawnmer@io.com