The document summarizes the findings of network monitoring conducted at DEF CON 22. Some key points:
- Passwords and credentials were captured in plaintext for many protocols like POP3, IMAP, SMTP, FTP due to lack of encryption.
- HTTP requests were also intercepted containing usernames, passwords and API keys in the URL query string or HTTP Authorization header.
- Mobile app traffic was analyzed revealing personal user information like location data.
- Email contents were read, including unencrypted attachments containing sensitive personal information.
- With access to email, an attacker could potentially impersonate someone in a financial transaction.
The document warns that failing to use encryption leaves sensitive data vulnerable when on untrusted
4. Our Setup
• COTS network visibility appliance for capture and analysis
• Common data tap from Packet Hacking Village
• General purpose rules and some written specifically for Wall of Sheep to generate alerts and capture content for specific sessions
• Metadata capture for the duration of the event
• About 500M of compressed metadata between August 8 and 10, 2014
• A little over 6M transactions
5. Rules of Engagement
• Completely passive listener
• Ignore SSL/TLS content (metadata only)
• All credentials partially redacted
7. Where’s the VPN traffic?
• Good question…
• Very few encrypted tunnels from what we could tell. A few sessions, but nowhere near what we expected.
• More Teredo IPv6 tunnels than real VPN traffic
• Best guess, most aren’t using the WiFi
11. IMAP
* OK IMAP4 Service Ready
1 LOGIN yihui.xu@******** N*****
1 OK LOGIN completed
12. FTP
220------- Welcome to Pure-FTPd [privsep] [TLS] -------
220-You are user number 129 of 200 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 3 minutes of inactivity.
USER dpi03@******
331 User dpi03@****** OK. Password required
PASS **********
230 OK. Current restricted directory is /
13. HTTP – In URL
/login?username=jacky&password=******
/login.php?username=revelation&password=******
/perfils/autenticar/5512899033.json?passwordKey=******&telefono=**********&dispositivo=IPH&password=******&SO=iOS 7.1.2&deviceId=iPhone
14. When it comes to plaintext fail, mail is king
[Chart: plaintext credential captures by protocol, with labels POP3, IMAP, SMTP, FTP, TELNET, IRC, HTTP]
15. A problem of their own making
• For mail protocols, vast majority iPhones based on outgoing MIME headers and IMAP ID responses
• From what we can tell, most providers supported SSL
• If your provider doesn’t support SSL, find a provider that isn’t crap
16.
• None of the major email service providers represented
• Built-in profiles, SSL automatically enabled
17. HTTP Basic Access Authentication
GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=176859643.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.1407700117; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
19. HTTP Basic Access Authentication
That looks a lot like base64…
localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo
natas0:nattas0
Username and password encoding, not encryption. Acceptable if the transport layer is providing confidentiality (TLS), but not for straight HTTP. (`base64 -D` is the macOS flag; GNU coreutils uses `base64 -d`.)
curl http://natas0:nattas0@*************
22. Basic Auth and API Keys
localhost$ echo "YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | base64 -D; echo
api:41665abccbeb09b1cd650077b9ebdec4
Session key for the current user. Anyone interested in buying a couple tons of toner on their account?
23. Then we started getting bored…
A bunch of bored guys looking at your network traffic probably isn’t a good thing
24. Fun With Mobile Apps
GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=originaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4JgNi4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%22%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%22%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1
Host: api.m.taobao.com
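Slides 13, 19 and 24 show the same failure from three angles: a password in the query string, Basic auth that is merely base64, and an app that puts GPS coordinates in a URL. The Python below is an added example, not code from the deck or from its authors: it scans one raw HTTP request the way a Wall of Sheep style rule would, decodes the Basic header and the app's JSON `data` blob, and partially redacts passwords before reporting anything. The sample requests, hostnames and key lists are constructed stand-ins.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

# Query keys the deck shows leaking: credentials and location/identity fields.
SECRET_KEYS = {"password", "passwordkey"}
PII_KEYS = {"longitude", "latitude", "citycode", "cityname", "userid", "nick"}

# Constructed requests modelled on slides 17 and 24 (hosts are fake stand-ins).
BASIC_REQ = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
             "Authorization: Basic bmF0YXMwOm5hdHRhczA=\r\n\r\n")
APP_REQ = ("GET /gw/loadPageContent/3.0/?type=originaljson&data=%7B%22longitude"
           "%22%3A%22120.050453%22%2C%22latitude%22%3A%2230.286152%22%2C%22"
           "isPosition%22%3Afalse%7D HTTP/1.1\r\nHost: api.example.test\r\n\r\n")


def redact(value):
    """Partially redact as the Wall of Sheep does: keep only the first character."""
    return value[:1] + "*" * max(len(value) - 1, 1)


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def scan(raw):
    """Return (kind, name, value) findings for one plaintext HTTP request."""
    findings = []
    _, target, headers = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base64 of user:password, i.e. encoded, not encrypted.
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        findings.append(("basic-auth", user, redact(pw)))
    for key, values in parse_qs(urlsplit(target).query).items():
        if key.lower() in SECRET_KEYS:
            findings.append(("query-secret", key, redact(values[0])))
        elif key == "data":
            # The shopping app wraps a JSON blob with GPS fields in the query.
            for k, v in json.loads(values[0]).items():
                if k.lower() in PII_KEYS:
                    findings.append(("query-pii", k, str(v)))
    return findings
```

Running `scan` over a capture of HTTP requests (one request per call) reproduces the deck's findings without ever storing a full password.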
28. “Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
29. “Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4
30. “Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4
One attachment, “2014 W4.pdf”
32. Dear God WHY!?
• Data confidentiality in transit vs at rest
• PGP
• S/MIME certificates cheap/free. Supported by most major mail clients (including mobile devices)
• Encrypted zip files or document-based encryption better than nothing
33. DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB
You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and
pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday
morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious
and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape
known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's
Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.
34. More fun with misconfigured mail clients
To: *****@theorb.com
From: Bill Quinn
Subject: ***** pick up amount Rio 8/9
Hey *****,
Please pick up the balance of $6,500 for tonight's performance in Vegas.
Let me know if you have any questions.
Thanks,
Bill Quinn
Madison House, Inc.
35. Imagine for a moment…
• You know someone is going to be picking up a check for $6500
• You have detailed knowledge of the transaction
• You have unrestricted access to the intended recipient’s email account
37. Quick Recap
• Through misconfiguration or a lack of controls it’s pretty easy for potentially sensitive or harmful info to make its way over a network
• Consider defense in depth. Use multiple layers of encryption in transit, just in case.
• Don’t trust your email password as the only thing keeping you from financial or other loss.
• Treat every network as untrusted (especially the ones that warn you ahead of time)
Editor's notes
Brian couldn't be here today
Recovering from severe back issues
In honor of Brian, wanted to say a few words about protecting your back
Picking something up or just bending over
Avoid long and painful recovery, and bailing on your co-presenter
Setup last year
Couple very basic (and very stupid) ways to pass credentials in the clear
Weird things we found
Wall of Sheep at DEFCON 22, August 2014
Fidelis sponsor
Fun to park a couple guys on a network tap and see what we could find
Mostly OpenVPN
Keep it on cellular
Paranoid enough to use VPN, paranoid enough not to use shared network
So that’s where we started
Fish in a barrel
Metadata collection. Plug Bro, Critical Stack, Liam Randall
Other HTTP, HTTP POST + keyword
Very different from the protocol mix above, in other category less than 10%
75% here
Why? Beaconing. Almost all other protocols are active, and transactional. You have to do something.
Mail, especially on mobile devices, a given. Repeated logins. Easy to misconfigure something in the background.
One class of credentials on the wire, straight plaintext.
Another class, encoded
Don't like obfuscated, because it's a poor job
HTTP client header
Content aware, Bro
Liam Randall, Critical Stack awesome Bro training
Rule looking for any interesting documents. Found a lot, mostly from defcon file share. Large percentage of FTP traffic.
So a woman walks over, sits down at our setup, and says “teach me something”. Show her setup, how things work, starts playing around.
About 5 minutes later she says “Is this important?”
All data in transit.
Consider implication though. Even if they hadn’t been actively looking at the file anyone could have logged.