Poor Man's Guide To Network Espionage Gear: Return of the Beast

Shawn Merdinger
Independent Security Researcher & Consultant

SEC-5
Computer Security Institute 33rd Annual
2006.11.7

About the speaker
● Shawn Merdinger
  – Independent security researcher & consultant
  – Current projects
    ● VoIP device security
    ● Emergency communications system security
  – Former positions
    ● TippingPoint
    ● Cisco Systems (Security Technologies Assessment Team)

British Spy Rock

First-Generation Spy Rock?

Warnings and Stuff
● This is academic research...the “how” not the “why”
● This is “dangerous information”...however
  – You have the right/need to know
  – I have the right/need to talk
● Oh yeah...and remember
  – Devices (in context) may be illegal...don't use
  – Activities (in context) may be illegal...don't do

Objectives
● Academic information exchange
● My favorite cheap 'n mean gear (network focused)
● Attacks & countermeasures
● “The nasty”
● Resources

Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures

“Waiter, my mushroom soup tastes funny”

Never underestimate the devastation of a “simple” attack

Attacker Goals
● Attacker wants to accomplish...
  – Gain network access via a device at victim's location
  – Attack internal/external hosts via TCP/IP
  – Attack phone/PDA/PC via Bluetooth
  – Passively gather information via sniffing
  – Establish other internal and external access
  – Impersonate services: Webserver, Database
  – Target a user: VIP VoIP connection

Attack Tools
● Typical opensource methods and tools
  – Scanning & probing
  – Sniffing
  – Exploiting
  – Covert communications, reverse crypto connections
● Multiple protocols and entry points
  – Wired LAN
  – 802.11b/g wireless
  – Bluetooth
  – RFID

NEDs
● My favorites
  – Linksys WRT54G
  – Linksys NSLU2
  – Nokia 770
  – Gumstix
  – PicoTux
● Plenty of others!
  – Access points, PDAs, game platforms, etc.

Agenda (repeated as section divider)

NED Characteristics
● Small, unobtrusive, ubiquitous, cute
● Low-cost, almost disposable
● Minimal power requirements
  – Power over Ethernet, battery, solar potential
● Multiple attack vector capability
  – Wired, wireless, Bluetooth, RFID
● Traditional forensics very difficult
  – Ephemeral filesystems running in RAM
    ● Try that, EnCase!

NED Characteristics
● Outbound reverse connections back to attacker
  – Crypto tunnels bypass firewalls, IDS/IPS
  – “Under the radar” common protocols: DNS requests, ICMP, HTTP/S are typically allowed through firewalls
  – Proxies, anonymizers, bouncing through multiple boxes
● Ported attack tools and exploits
  – ARM processor-based
  – Hardware/software limitations and trade-offs
    ● Dependent libraries, GUIs, etc.
    ● Don't expect the Nessus GUI on Linksys routers

NED Characteristics
● Stripped-down Linux
● BusyBox shell
● SSH, HTTP/S management
● Features like VPN tunnels, mesh networking
● On-the-fly software install as “packages”
  – DNS, Apache, Asterisk
  – Attack tools and exploits
  – Powerful scripting languages: Python, Ruby

Linksys WRT54G
● Cheap, cute, heavily “hacked” and tweaked
● Secure with default Linksys firmware?
  – Ubiquitous = the “new Windows”
  – Very likely unpublished exploits in the wild
● Opensource alternatives to Linksys firmware
  – OpenWRT
    ● Package system
  – Sveasoft
    ● Mesh networking
● Unleashing the WRT54G....

FairuzaUS for Linksys
● FairuzaUS: www.hackerpimps.com
● Command line interface over SSH
(Screenshot caption: Treo 650 SSH into FairuzaUS into compromised Windows box)

Upcoming Linksys
● EVDO & Wifi = WOW!
● Linux-based
● This will become popular
● Potential for abuse is big

Nokia 770
● Basics
  – Debian Linux PDA
  – Slow CPU, low RAM
  – 802.11b & Bluetooth
  – Touchscreen keyboard
  – Software & commercial attack platform development
    ● Immunity SILICA (Dave Aitel): http://immunitysec.com/products-silica.shtml
    ● HD Moore doing work on this platform (Metasploit)
    ● Maemo project and security tools packaged
      – Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit

Linksys NSLU2 “Slug”
● US $75
● Heavy OpenSource support
  – Unslung, OpenSlug, DebianSlug
● USB storage
● Bluetooth dongles
● Asterisk, WebCam, MP3 stream
● Try it if you're looking for a weekend geek project
● I'm looking into this as a testing platform

Gumstix
● Ultra-small computers ($120+)
● Expandable “snap in” boards
  – CF storage and 802.11b wireless
  – Single and dual Ethernet with PoE
● MITM hardware device with dual Ethernet
  – Bluetooth
  – USB, serial, PS/2 connectors
  – Used in BlueSniper, UltraSwarm
  – Developer CDs and environment

PicoTux
● Picotux 100 and 112 (US $100+)
  – World's smallest Linux computer
  – 35mm×19mm×19mm (size of an RJ45 connector)
  – Power over Ethernet
  – Telnet and HTTP server
  – Developer CDs and environment
● Attacks
  – Plenum off a Cisco CAT switch
  – “Serial to ethernet connector”

Other Gear
● KeyKatcher
  – PS/2 and new USB version
● New “U3” USB key technology
  – Auto-run apps, installs, pull SAM on-the-fly, etc.
● EVDO USB key
● “Executive Gift USB”: Swiss Army USB/knife
● Infected RFID tags
  – Infects reader, which then infects other tags and DB
    ● http://www.rfidvirus.org/papers/press_release.pdf

Other Gear
● Linux phones
  – Customizable
  – Bluetooth, Wifi, cameras, etc.
● Qtopia
  – Security people “discussing ideas”
  – Prediction: top “hacker” phone
● BlackDog
  – Linux box on USB
    ● Biometric auth

Agenda (repeated as section divider)

Spooky: Device Enclosures
● Free water cooler offer ;)
  – Potential for power source
  – Legitimate reason for physical presence...and returning
● Office décor
  – Flower safe with X-mas tree & lights...plug 'n play
● Exit sign, fire extinguisher
  – Dangerous to mess with emergency gear
    ● But what if extra gear shows up?
      – Wow, we have even more security now!

Spooky: 0wn3d Mesh Network
● Municipal networks beware!
● Build it
  – EVDO gateway for Internet
  – Drive-by/walk-by AP 0wn4g3
  – Senao AP w/ Yagi = sweeper
● Run it
  – Karma = DHCP for everybody
  – Shared crypto keys, cron jobs, remote ssh-fs mounts
● 0wn it
  – Attack everything, browser exploits on portal

Spooky: In-Transit “Marketing”
● Airports, train stations, bus stations, subways, etc.
  – Bluetooth spamming with “scary” message content
  – 0wn3d wifi networks & Windows Messaging
● Multiplier effect
  – Simultaneous at multiple hubs in US
  – “Scary message”
    ● Huge productivity costs
  – Wrong message
    ● Used as diversion, secondary attack, etc.
● Virus/worm-type attack like this is possible

Of Course...
● Why not hack the marketing guy's gear instead?
  – “CBS today said it is planning a marketing initiative that will allow mobile users with Bluetooth-enabled phones to download promotional clips from its new fall TV shows directly to their handsets at billboard locations in New York. The billboards in Grand Central station....”
● Digging a little deeper
  – kameleon-media.com
    ● “Remote data loading via a GPRS or Ethernet modem that connects directly the MobiPoint® to our server.”

Spooky: Long-distance, the next best thing to being there
● Home-built Bluetooth/Wifi “Sniper” setups
● Bluetooth targets up to one mile
● 802.11b targets up to...?

How far? 802.11b over 125 miles

Maxing Out Current Gear
● Janus Scanner – DefCon 14
● 8 Senao hi-power cards (125-mile wifi-record card)
● Amplifier 1 watt to “keep it legal”
● Linux, Kismet, etc.
● Pelican case
● Data encrypted
● 1-button operation
● Also “BlueBag”
  – Target: Bluetooth

Terrorism & RFID Passports
● US passports will have RFID tags
  – Each US state's drivers' licenses probably next
● RFID security weaknesses already found
● Reading tags at a distance is a documented threat
● The “Nightmare Scenario”
  – Discussed in media already
  – NED (or cell) RFID scan for passports
    ● Connected to explosive device
    ● Detonate X number in range

Countermeasures
● Know the risks and threats
● Know your network devices and traffic
● User education, buy-in, ownership of the problem
● Policy and “best practices”
● Planned response vs. “Uh oh...”
  – Calling the cavalry (specialists, Johnny Law)
● Proactive measures
  – Honeypots, honeynets, Bluetooth honeypot
  – Yet to see an RFID honeypot (sell to Wal-Mart?)

Looking Forward & Other Stuff
● More devices with network access
  – “Why is my refrigerator scanning my network?”
● Mobile devices will be targeted
● VoIP and the new-style phone-tapping agenda
  – VoIP phones as room taps
  – Capture VoIP traffic
● Same old story
  – New technology, adoption, poor security, etc.

Thanks!
● Questions?
● Feel free to contact me at shawnmer@io.com
Más contenido relacionado

La actualidad más candente

Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Akash Thakur
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...nooralmousa
 
Cybercon 2015 brandon kravitz
Cybercon 2015   brandon kravitzCybercon 2015   brandon kravitz
Cybercon 2015 brandon kravitzBrandon Kravitz
 
wifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slideswifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slidesguest1c1a9a
 
Web application-security-and-why-you-should-review-yours
Web application-security-and-why-you-should-review-yoursWeb application-security-and-why-you-should-review-yours
Web application-security-and-why-you-should-review-yoursDavid Busby, CISSP
 
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011shawn_merdinger
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllersardiri
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillageagmoneyy
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden FeaturesControlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden Featuresxabean
 
IoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT DevkitIoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT DevkitVasily Ryzhonkov
 
Redteaming HID attacks
Redteaming HID attacksRedteaming HID attacks
Redteaming HID attacksJuan Espin
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Crew
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...grecsl
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...grecsl
 
Whitewood entropy and random numbers - owasp - austin - jan 2017
Whitewood   entropy and random numbers - owasp - austin - jan 2017Whitewood   entropy and random numbers - owasp - austin - jan 2017
Whitewood entropy and random numbers - owasp - austin - jan 2017WhitewoodOWASP
 
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...grecsl
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...grecsl
 

La actualidad más candente (20)

Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
 
Cybercon 2015 brandon kravitz
Cybercon 2015   brandon kravitzCybercon 2015   brandon kravitz
Cybercon 2015 brandon kravitz
 
wifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slideswifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slides
 
Web application-security-and-why-you-should-review-yours
Web application-security-and-why-you-should-review-yoursWeb application-security-and-why-you-should-review-yours
Web application-security-and-why-you-should-review-yours
 
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllers
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillage
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden FeaturesControlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden Features
 
IoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT DevkitIoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT Devkit
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Redteaming HID attacks
Redteaming HID attacksRedteaming HID attacks
Redteaming HID attacks
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get Physical
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
Project KidHack - Teaching Kids Security through Gaming at BSidesTampa on Feb...
 
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...
 
Whitewood entropy and random numbers - owasp - austin - jan 2017
Whitewood   entropy and random numbers - owasp - austin - jan 2017Whitewood   entropy and random numbers - owasp - austin - jan 2017
Whitewood entropy and random numbers - owasp - austin - jan 2017
 
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...Project KidHack – Teaching the Next Next Generation Security through Gaming a...
Project KidHack – Teaching the Next Next Generation Security through Gaming a...
 
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...
 

Destacado

Wednesday’S Quilting
Wednesday’S QuiltingWednesday’S Quilting
Wednesday’S Quiltingguest083dd
 
Monday Quilting
Monday QuiltingMonday Quilting
Monday Quiltingguest083dd
 
Marketing Finance Autobiography
Marketing Finance AutobiographyMarketing Finance Autobiography
Marketing Finance AutobiographyType 2 Consulting
 
Brand Valuation Review of the 2014 League Tables
Brand Valuation   Review of the 2014 League TablesBrand Valuation   Review of the 2014 League Tables
Brand Valuation Review of the 2014 League TablesType 2 Consulting
 
Shodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San FranciscoShodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San Franciscoshawn_merdinger
 

Destacado (6)

Wednesday’S Quilting
Wednesday’S QuiltingWednesday’S Quilting
Wednesday’S Quilting
 
Quilting
QuiltingQuilting
Quilting
 
Monday Quilting
Monday QuiltingMonday Quilting
Monday Quilting
 
Marketing Finance Autobiography
Marketing Finance AutobiographyMarketing Finance Autobiography
Marketing Finance Autobiography
 
Brand Valuation Review of the 2014 League Tables
Brand Valuation   Review of the 2014 League TablesBrand Valuation   Review of the 2014 League Tables
Brand Valuation Review of the 2014 League Tables
 
Shodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San FranciscoShodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San Francisco
 

Similar a CSI - Poor Mans Guide To Espionage Gear

Csi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide MerdingerCsi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide Merdingershawn_merdinger
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Taking the hard out of hardware
Taking the hard out of hardwareTaking the hard out of hardware
Taking the hard out of hardwareRonald McCollam
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 
Open Moko And Ubiquitous Computing Presentation
Open Moko And Ubiquitous Computing PresentationOpen Moko And Ubiquitous Computing Presentation
Open Moko And Ubiquitous Computing Presentationridgeway137
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveDefconRussia
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
 
How to over-engineer things and have fun? Building a modern, distributed real...
How to over-engineer things and have fun? Building a modern, distributed real...How to over-engineer things and have fun? Building a modern, distributed real...
How to over-engineer things and have fun? Building a modern, distributed real...Oto Brglez
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemyPROIDEA
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?RIPE NCC
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busbyDavid Busby, CISSP
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.pptDetSersi
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toasterguest66dc5f
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoTPriyanka Aash
 
Unauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsUnauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsJohn Rhoton
 

Similar a CSI - Poor Mans Guide To Espionage Gear (20)

Csi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide MerdingerCsi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide Merdinger
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Taking the hard out of hardware
Taking the hard out of hardwareTaking the hard out of hardware
Taking the hard out of hardware
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Open Moko And Ubiquitous Computing Presentation
Open Moko And Ubiquitous Computing PresentationOpen Moko And Ubiquitous Computing Presentation
Open Moko And Ubiquitous Computing Presentation
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
How to over-engineer things and have fun? Building a modern, distributed real...
How to over-engineer things and have fun? Building a modern, distributed real...How to over-engineer things and have fun? Building a modern, distributed real...
How to over-engineer things and have fun? Building a modern, distributed real...
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toaster
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoT
 
Unauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsUnauthorized Wireless Network Connections
Unauthorized Wireless Network Connections
 

CSI - Poor Mans Guide To Espionage Gear

  • 1. Poor Man's Guide To Network Espionage Gear: Return of the Beast Shawn Merdinger Independent Security Researcher & Consultant SEC-5 Computer Security Institute 33rd Annual 2006.11.7
  • 2. About the speaker Shawn Merdinger ● Independent security researcher & consultant – Current projects – VoIP device security ● Emergency communications system security ● Former positions – TippingPoint ● Cisco Systems (Security Technologies Assessment Team) ●
  • 5. Warnings and Stuff This is academic research...the “how” not the “why” ● This is “dangerous information”...however ● You have the right/need to know – I have the right/need to talk – Oh yeah...and remember ● Devices (in context) may be illegal...don't use – Activities (in context) may be illegal...don't do –
  • 6. Objectives Academic information exchange ● My favorite cheap 'n mean gear (network focused) ● Attacks & countermeasures ● “The nasty” ● Resources ●
  • 7. Agenda Objectives ● Attacks ● Network Espionage Devices (NEDs) ● Gettin' Spooky with IT ● Countermeasures ●
  • 8. “Waiter, my mushroom soup tastes funny” Never underestimate the devastation of a “simple” attack
  • 9. Attacker Goals Attacker wants to accomplish... ● Gain network access via a device at victim's location – Attack internal/external hosts via TCP/IP – Attack phone/PDA/PC via Bluetooth – Passively gather information via sniffing – Establish other internal and external access – Impersonate services – Webserver, Database – Target a user – VIP VoIP connection –
  • 10. Attack Tools Typical opensource methods and tools ● Scanning & Probing – Sniffing – Exploiting – Covert communications, reverse crypto connections – Multiple protocols and entry points ● Wired LAN – 802.11b/g wireless – Bluetooth – RFID –
  • 11. NEDs My favorites ● Linksys WRT54G – Linksys NSLU2 – Nokia 770 – Gumstix – PicoTux – Plenty of others! ● Access Points, PDAs, Game platforms, etc. –
  • 12. Agenda Objectives ● Attacks ● Network Espionage Devices (NEDs) ● Gettin' Spooky with IT ● Countermeasures ●
  • 13. NED Characteristics Small, unobtrusive, ubiquitous, cute ● Low-cost, almost disposable ● Minimal power requirements ● Power over ethernet, battery, solar potential – Multiple attack vector capability ● Wired, Wireless, Bluetooth, RFID – Traditional forensics very difficult ● Ephemeral filesystems running in RAM – Try that Encase! ●
14. NED Characteristics
● Outbound reverse connections back to attacker
  – Crypto tunnels bypass firewalls, IDS/IPS
  – “Under the radar” common protocols: DNS requests, ICMP, HTTP/S are typically allowed through firewalls
  – Proxies, anonymizers, bouncing through multiple boxes
● Ported attack tools and exploits
  – ARM processor-based
  – Hardware/software limitations and trade-offs
    ● Dependent libraries, GUIs, etc.
    ● Don't expect the Nessus GUI on Linksys routers
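The flip side of slide 14's point that DNS is “under the radar” is that a reverse channel carried over DNS has a recognisable shape in resolver logs: one source host emits many distinct, long, high-entropy subdomains under a single registered domain. The following is an added example, not from the talk or its author, scoring each (source host, registered domain) pair on those three features. The log line format, sample log, host addresses, domain names and the thresholds are all constructed for the example; the “registered domain” split (last two labels) is a simplification a real deployment would replace with a public-suffix lookup.

```python
"""Heuristic spotting of DNS covert channels in resolver query logs (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed log line format: "<timestamp> <source_ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Z]+)\s+(\S+)$")

# Constructed sample log. 10.1.2.40 browses normally, 10.1.2.55 fetches from a
# CDN-style set of short hostnames, 10.1.2.77 shows tunnel-shaped traffic.
SAMPLE_LOG = """\
2006-11-07T09:00:01 10.1.2.40 A www.example.com
2006-11-07T09:00:02 10.1.2.40 A mail.example.com
2006-11-07T09:00:03 10.1.2.40 A www.example.org
2006-11-07T09:00:04 10.1.2.55 A img1.example.com
2006-11-07T09:00:04 10.1.2.55 A img2.example.com
2006-11-07T09:00:05 10.1.2.55 A img3.example.com
2006-11-07T09:00:05 10.1.2.55 A img4.example.com
2006-11-07T09:00:06 10.1.2.55 A img5.example.com
2006-11-07T09:00:06 10.1.2.55 A img6.example.com
2006-11-07T09:00:10 10.1.2.77 TXT 3f9a1c7e2b8d4f06a1e5c9b7d2f4a8e1.tun.example.net
2006-11-07T09:00:10 10.1.2.77 TXT 9c2e5a7b1d4f8e3c6a0b2d5f7e9c1a4b.tun.example.net
2006-11-07T09:00:11 10.1.2.77 TXT 7d1f4a8c2e6b9d3f5a0c8e2b4d6f1a9c.tun.example.net
2006-11-07T09:00:11 10.1.2.77 TXT e4b8d2f6a0c3e7b1d5f9a2c6e8b0d4f3.tun.example.net
2006-11-07T09:00:12 10.1.2.77 TXT 1a5c9e3b7d0f4a8c2e6b9d1f5a3c7e0b.tun.example.net
2006-11-07T09:00:12 10.1.2.77 TXT c8e2a6d0f4b9c3e7a1d5f8b2c6e0a4d9.tun.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above real hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain, registered_domain). Simplification: registered domain = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)  # bare domain, nothing tunnel-like to score
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text: str, min_unique: int = 5, min_len: int = 20, min_entropy: float = 3.0):
    """Flag (source, domain) pairs whose subdomains are numerous, long and high-entropy."""
    subs_by_pair = defaultdict(set)
    qtypes_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        _ts, src, qtype, qname = m.groups()
        sub, domain = split_name(qname)
        if sub is None:
            continue
        subs_by_pair[(src, domain)].add(sub)
        qtypes_by_pair[(src, domain)].add(qtype)

    findings = []
    for (src, domain), subs in sorted(subs_by_pair.items()):
        uniq = len(subs)
        mean_len = sum(len(s) for s in subs) / uniq
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / uniq
        if uniq >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            findings.append({
                "src": src,
                "domain": domain,
                "unique_subdomains": uniq,
                "mean_length": mean_len,
                "mean_entropy": mean_ent,
                "qtypes": sorted(qtypes_by_pair[(src, domain)]),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['src']} -> {f['domain']}: {f['unique_subdomains']} unique subdomains, "
              f"mean len {f['mean_length']:.0f}, mean entropy {f['mean_entropy']:.2f}, qtypes {f['qtypes']}")
```

All three criteria are required together on purpose: the CDN-style host in the sample has plenty of unique subdomains but short, low-entropy labels, and a mail client has long but few. Tune the thresholds against a baseline of your own resolver logs before alerting on them.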
15. NED Characteristics
● Stripped-down Linux
● BusyBox shell
● SSH, HTTP/S management
● Features like VPN tunnels, mesh networking
● On-the-fly software install as “packages”
  – DNS, Apache, Asterisk
  – Attack tools and exploits
  – Powerful scripting languages: Python, Ruby
16. Linksys WRT54G
● Cheap, cute, heavily “hacked” and tweaked
● Secure with default Linksys firmware?
  – Ubiquitous = the “new Windows”
  – Very likely unpublished exploits in the wild
● Opensource alternatives to Linksys firmware
  – OpenWRT
    ● Package system
  – Sveasoft
    ● Mesh networking
● Un-leashing the WRT54G....
17. FairuzaUS for Linksys
● FairuzaUS: www.hackerpimps.com
● Command line interface over SSH
[Screenshot: Treo 650 SSH into FairuzaUS into compromised Windows box]
18. Upcoming Linksys
● EVDO & Wifi = WOW!
● Linux-based
● This will become popular
● Potential for abuse is big
19. Nokia 770
● Basics
  – Debian Linux PDA
  – Slow CPU, low RAM
  – 802.11b & Bluetooth
  – Touchscreen keyboard
● Software & Commercial Attack Platform Development
  – Immunity SILICA (Dave Aitel): http://immunitysec.com/products-silica.shtml
  – HD Moore doing work on this platform (MetaSploit)
● Maemo project and security tools packaged
  – Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit
20. Linksys NSLU2 “Slug”
● US $75
● Heavy OpenSource support
  – Unslung, Openslug, DebianSlug
● USB storage
● Bluetooth dongles
● Asterisk, WebCam, MP3 stream
● Try it if you're looking for a weekend geek project
● I'm looking into this as a testing platform
21. Gumstix
● Ultra-small computers ($120 +)
● Expandable “snap in” boards
  – CF storage and 802.11b wireless
  – Single and dual Ethernet with POE
    ● MITM hardware device with dual ethernet
  – Bluetooth
  – USB, serial, PS/2 connectors
  – Used in BlueSniper, UltraSwarm
  – Developer CDs and environment
22. PicoTux
● Picotux 100 and 112 (US $100 +)
  – World's smallest Linux computer
  – 35mm×19mm×19mm (size of an RJ45 connector)
  – Power over ethernet
  – Telnet and HTTP server
  – Developer CDs and environment
● Attacks
  – Plenum off a Cisco CAT switch
  – “Serial to ethernet connector”
23. Other Gear
● KeyKatcher
  – PS/2 and new USB version
● New “U3” USB key technology
  – Auto-run apps, installs, pull SAM on-the-fly, etc.
● EVDO USB Key
● “Executive Gift USB” - Swiss Army USB/Knife
● Infected RFID tags
  – Infects reader, which then infects other tags and DB
  – http://www.rfidvirus.org/papers/press_release.pdf
24. Other Gear
● Linux Phones
  – Customizable
  – Bluetooth, Wifi, cameras, etc.
  – Qtopia
● Security people “discussing ideas”
  – Prediction: top “hacker” phone
● BlackDog
  – Linux box on USB
  – Biometric auth
25. Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures
26. Spooky: Device Enclosures
● Free water cooler offer ;)
  – Potential for power source
  – Legitimate reason for physical presence...and returning
● Office décor
  – Flower safe with X-mas tree & lights...plug 'n play
● Exit sign, fire extinguisher
  – Dangerous to mess with emerg. gear
  – But what if extra gear shows up?
    ● Wow, we have even more security now!
27. Spooky: 0wn3d Mesh Network
● Municipal networks beware!
● Build It
  – EVDO gateway for Internet
  – Drive-by/Walk-by AP 0wn4g3
  – Senao AP w/ YAGI = Sweeper
● Run It
  – Karma = DHCP for everybody
  – Shared crypto keys, cron jobs, remote ssh-fs mounts
● 0wn it
  – Attack everything, browser exploits on portal
28. Spooky: In-Transit “Marketing”
● Airports, train stations, bus stations, subways, etc.
  – Bluetooth spamming with “scary” message content
  – 0wn3d wifi networks & Windows Messaging
● Multiplier effect
  – Simultaneous at multiple hubs in US
  – “Scary message”
● Huge productivity costs
  – Wrong message
● Used as diversion, secondary attack, etc.
● Virus/worm type attack like this is possible
29. Of Course...
● Why not hack the marketing guy's gear instead?
  “CBS today said it is planning a marketing initiative that will allow mobile users with Bluetooth-enabled phones to download promotional clips from its new fall TV shows directly to their handsets at billboard locations in New York. The billboards in Grand Central station....”
● Digging a little deeper
  – kameleon-media.com
    ● “Remote data loading via a GPRS or Ethernet modem that connects directly the MobiPoint® to our server.”
30. Spooky: Long-distance, the next best thing to being there
● Home-built Bluetooth/Wifi “Sniper” setups
  – Bluetooth targets up to one mile
  – 802.11b targets up to...?
31. How far?
● 802.11b over 125 miles
32. Maxing Out Current Gear
● Janus Scanner – DefCon 14
  – 8 Senao hi-power cards (125 mile wifi-record card)
  – Amplifier 1-watt to “keep it legal”
  – Linux, Kismet, etc.
  – Pelican case
  – Data encrypted
  – 1 button operation
● Also “BlueBag”
  – Target Bluetooth
33. Terrorism & RFID Passports
● US Passports will have RFID tags
  – Each US State's Drivers' licenses probably next
● RFID security weaknesses already found
● Reading tags at a distance is a documented threat
● The “Nightmare Scenario”
  – Discussed in media already
  – NED (or cell) RFID scan for passports
    ● Connected to explosive device
    ● Detonate X number in range
34. Countermeasures
● Know the risks and threats
● Know your network devices and traffic
● User education, buy-in, ownership of the problem
● Policy and “best practices”
● Planned response vs. “Uh oh...”
  – Calling the cavalry (specialists, Johnny Law)
● Proactive measures
  – Honeypots, Honeynets, Bluetooth-honeypot
  – Yet to see an RFID honeypot (sell to Wal-Mart?)
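“Know your network devices” on slide 34 is the countermeasure that catches most of the gear in this deck, because a WRT54G or Slug plugged into a spare wall jack still has to show up in the ARP tables of the switches and gateways around it. The following is an added example, not from the talk or its author: it diffs a Linux `arp -n` style dump against an approved asset inventory, flags unknown MACs, hints at consumer embedded vendors from the OUI (first three octets), and reports approved MACs that appear at an unexpected or a second IP, which is what a dual-Ethernet man-in-the-middle box reusing a host's address would produce. All IPs, MACs and inventory entries are constructed (the inventory uses locally administered `02:` addresses so they are obviously not real hardware); the two OUI watchlist prefixes are assumed to be Cisco-Linksys and must be verified against the IEEE OUI registry before use.

```python
"""Rogue-device check: observed ARP table vs. approved asset inventory (added example)."""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

# Constructed inventory: mac -> (expected_ip, asset name).
APPROVED = {
    "02:00:5e:00:00:01": ("10.1.2.10", "fileserver"),
    "02:00:5e:00:00:02": ("10.1.2.11", "printer"),
    "02:00:5e:00:00:03": ("10.1.2.40", "ws-alice"),
}

# OUI watchlist, first three octets -> vendor hint. Assumed mapping; verify
# against the IEEE OUI registry before relying on it.
WATCHLIST_OUI = {
    "00:0f:66": "Cisco-Linksys (assumed)",
    "00:14:bf": "Cisco-Linksys (assumed)",
}

# Constructed `arp -n` style dump from a gateway on the segment.
ARP_DUMP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.2.10                ether   02:00:5e:00:00:01   C                     eth0
10.1.2.11                ether   02:00:5e:00:00:02   C                     eth0
10.1.2.40                ether   02:00:5e:00:00:03   C                     eth0
10.1.2.99                ether   00:0F:66:12:34:56   C                     eth0
10.1.2.120               ether   02:00:5e:00:00:03   C                     eth0
10.1.2.150               ether   02:00:5e:00:00:99   C                     eth0
10.1.2.200                       (incomplete)                              eth0
"""


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory lookups are exact."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def parse_arp(text: str):
    """Return [(ip, mac)] from `arp -n` output, skipping the header and unresolved rows."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Address":
            continue
        if "(incomplete)" in fields:
            continue  # no hardware address was ever learned for this IP
        entries.append((fields[0], normalize_mac(fields[2])))
    return entries


def audit(arp_text: str, approved=APPROVED, watchlist=WATCHLIST_OUI):
    """Compare observed (ip, mac) pairs with the inventory and return findings."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in parse_arp(arp_text):
        ips_by_mac[mac].append(ip)
        if mac not in approved:
            findings.append({"kind": "unknown_device", "ip": ip, "mac": mac,
                             "vendor_hint": watchlist.get(mac[:8])})
        elif approved[mac][0] != ip:
            findings.append({"kind": "ip_mismatch", "ip": ip, "mac": mac,
                             "expected_ip": approved[mac][0], "asset": approved[mac][1]})
    # One MAC answering for two IPs: address reuse, a bridging device, or a spoof.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append({"kind": "duplicate_mac", "mac": mac, "ips": sorted(ips),
                             "asset": approved.get(mac, (None, None))[1]})
    return findings


if __name__ == "__main__":
    for f in audit(ARP_DUMP):
        print(f)
```

The ARP view is only as wide as the segment you collect it from, so in practice the dump comes from each access switch or from DHCP lease tables, and the inventory is the authoritative asset list rather than a hand-typed dictionary. An unknown MAC with a consumer-router OUI in a wiring closet is exactly the kind of finding that justifies a walk to the rack.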
35. Looking Forward & Other Stuff
● More devices with network access
  – “Why is my refrigerator scanning my network?”
● Mobile devices will be targeted
● VoIP and the new-style phone tapping agenda
  – VoIP phones as room taps
  – Capture VoIP traffic
● Same old story
  – New technology, adoption, poor security, etc.
36. Thanks!
● Questions?
● Feel free to contact me at shawnmer@io.com