The document summarizes the findings of network monitoring conducted at DEF CON 22. Some key points: - Passwords and credentials were captured in plaintext for many protocols like POP3, IMAP, SMTP, FTP due to lack of encryption. - HTTP requests were also intercepted containing usernames, passwords and API keys in the URL query string or HTTP Authorization header. - Mobile app traffic was analyzed revealing personal user information like location data. - Email contents were read, including unencrypted attachments containing sensitive personal information. - With access to email, an attacker could potentially impersonate someone in a financial transaction. The document warns that failing to use encryption leaves sensitive data vulnerable when on untrusted

1. I See You
What not to do when someone is monitoring your network traffic
Andrew Beard
Brian Wohlwinder

2. In honor of Brian
• Lift with your legs, not your
back
• Engage your core, keep your
abs pulled in
• Avoid twisting your trunk

3. DEFCON 22

4. Our Setup
• COTS network visibility appliance for capture and analysis
• Common data tap from Packet Hacking Village
• General purpose rules and some written specifically for Wall of Sheep
to generate alerts and capture content for specific sessions
• Metadata capture for the duration of the event
• About 500M of compressed metadata between August 8 and 10,
2014
• A little over 6M transactions

5. Rules of Engagement
• Completely passive listener
• Ignore SSL/TLS content (metadata only)
• All credentials partially redacted

6. Overall Protocol Mix
HTTP
TLS/SSL
FTP
Other
XMPP
WebSocket
BitTorrent
IRC

7. Where’s the VPN traffic?
• Good question…
• Very few encrypted tunnels from what
we could tell. A few sessions, but
nowhere near what we expected.
• More Teredo IPv6 tunnels than real VPN
traffic
• Best guess, most aren’t using the WiFi

8. It’s all about the passwords

9. Plain Text Credentials
• POP3, IMAP, SMTP
• FTP
• IRC
• Telnet
• Occasional HTTP (mostly via URL or POST content)

10. POP3
+OK <21066.1407692429@************************>
CAPA
-ERR authorization first
USER lodgetreasurer@***************
+OK
PASS 2Q********
+OK
STAT
+OK 8 107321

11. IMAP
* OK IMAP4 Service Ready
1 LOGIN yihui.xu@******** N*****
1 OK LOGIN completed

12. FTP
220------- Welcome to Pure-FTPd [privsep] [TLS] -------
220-You are user number 129 of 200 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 3 minutes of inactivity.
USER dpi03@******
331 User dpi03@****** OK. Password required
PASS **********
230 OK. Current restricted directory is /

13. HTTP – In URL
/login?username=jacky&password=******
/login.php?username=revelation&password=******
/perfils/autenticar/5512899033.json?passwordKey=******&telefono=
**********&dispositivo=IPH&password=******&SO=iOS
7.1.2&deviceId=iPhone

14. When it comes to plaintext fail, mail is king
POP3
IMAP
SMTP
FTP
TELNET
IRC
HTTP

15. A problem of their own making
• For mail protocols, vast majority iPhones
based on outgoing MIME headers and IMAP ID
responses
• From what we can tell, most providers
supported SSL
• If your provider doesn’t support SSL, find a
provider that isn’t crap

16. • None of the major email service
providers represented
• Built-in profiles, SSL automatically
enabled

17. HTTP Basic Access Authentication
GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
image/webp,*/*;q= 0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125
Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750;
__utma=1768596 43.984037758.1407700117.1407700117.1407700117.1;
__utmb=176859643.3.10.140770011 7; __utmc=176859643;
__utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir
ect)|utmcmd=(none)

18. HTTP Basic Access Authentication
GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
image/webp,*/*;q= 0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125
Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750;
__utma=1768596 43.984037758.1407700117.1407700117.1407700117.1;
__utmb=176859643.3.10.140770011 7; __utmc=176859643;
__utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir
ect)|utmcmd=(none)

19. HTTP Basic Access Authentication
That looks a lot like base64…
localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo
natas0:nattas0
Username and password encoding. OK if the transport layer is
providing confidentiality, but not for straight HTTP.
curl http://natas0:nattas0@*************

20. Basic Auth and API Keys
GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F
categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1
HTTP/1.1
Host: *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Authorization: Basic
YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
Referer: http://**************************/Las-Vegas
Nevada-printer-ink-toner-cartridge-leader/
Origin: http://**************************
Connection: keep-alive

21. Basic Auth and API Keys
GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F
categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1
HTTP/1.1
Host: *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Authorization: Basic
YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
Referer: http://**************************/Las-Vegas
Nevada-printer-ink-toner-cartridge-leader/
Origin: http://**************************
Connection: keep-alive

22. Basic Auth and API Keys
localhost$ echo
"YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" |
base64 -D; echo
api:41665abccbeb09b1cd650077b9ebdec4
Session key for the current user. Anyone interested in buying a couple
tons of toner on their account?

23. Then we started getting bored…
A bunch of bored guys looking at your network traffic probably isn’t a good thing

24. Fun With Mobile Apps
GET
/gw/mtop.taobao.wireless.homepage.ac.loadPageContent
/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=orig
inaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4Jg
Ni4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%2
2%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%
22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.
050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%2
2%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition
%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D
HTTP/1.1
Host: api.m.taobao.com

25. Fun With Mobile Apps
GET
/gw/mtop.taobao.wireless.homepage.ac.loadPageContent
/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=orig
inaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4Jg
Ni4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%2
2%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%
22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.
050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%2
2%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition
%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D
HTTP/1.1
Host: api.m.taobao.com

26. User’s Default Location
{
"utdid": "U0gUZGIZnIwDAFX4JgNi4RRk”,
"userId": ”*********",
"ua": "iPhone",
"cityCode": "330100",
"nick": ”******",
"longitude": "120.050453",
"cityName": "杭州",
"latitude": "30.286152",
"isPosition": false,
"platformVersion": "7.1”
}

27. What’s the worst that could
happen?
It can’t be that bad…

28. “Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>

29. “Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4

30. “Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4
One attachment, “2014 W4.pdf”

31. Nothing to worry about here

32. Dear God WHY!?
• Data confidentiality in transit vs at rest
• PGP
• S/MIME certificates cheap/free. Supported by most major mail client
(including mobile devices)
• Encrypted zip files or document-based encryption better than nothing

33. DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB
You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and
pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday
morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious
and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape
known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's
Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.

34. More fun with misconfigured mail clients
To: *****@theorb.com
From: Bill Quinn
Subject: ***** pick up amount Rio 8/9
Hey *****,
Please pick up the balance of $6,500 for tonights performance in
Vegas.
Let me know if you have any questions.
Thanks,
Bill Quinn
Madison House, Inc.

35. Imagine for a moment…
• You know someone is going to
be picking up a check for $6500
• You have detailed knowledge of
the transaction
• You have unrestricted access to
the intended recipient’s email
account

36. Imagine for a moment…
• You know someone is going to
be picking up a check for $6500
• You have detailed knowledge of
the transaction
• You have unrestricted access to
the intended recipient’s email
account

37. Quick Recap
• Through misconfiguration or a lack of controls it’s pretty easy for
potentially sensitive or harmful info to make it’s way over a network
• Consider defense in depth. Use multiple layers of encryption in
transit, just in case.
• Don’t trust your email password as the only thing keeping you from
financial or other loss.
• Treat every network as untrusted (especially the ones that warn you
ahead of time)