CSI - Poor Mans Guide To Espionage Gear


Published on October 30, 2008

Author: shawn_merdinger

Source: slideshare.net

Description

Presentation from the CSI (Computer Security Institute) conference

Poor Man's Guide To Network Espionage Gear: Return of the Beast
Shawn Merdinger, Independent Security Researcher & Consultant
SEC-5, Computer Security Institute 33rd Annual, 2006.11.7

About the speaker
● Shawn Merdinger
  – Independent security researcher & consultant
  – Current projects
    ● VoIP device security
    ● Emergency communications system security
  – Former positions
    ● TippingPoint
    ● Cisco Systems (Security Technologies Assessment Team)

British Spy Rock

First-Generation Spy Rock?

Warnings and Stuff
● This is academic research...the “how” not the “why”
● This is “dangerous information”...however
  – You have the right/need to know
  – I have the right/need to talk
● Oh yeah...and remember
  – Devices (in context) may be illegal...don't use
  – Activities (in context) may be illegal...don't do

Objectives
● Academic information exchange
● My favorite cheap 'n mean gear (network focused)
● Attacks & countermeasures
● “The nasty”
● Resources

Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures

“Waiter, my mushroom soup tastes funny”
Never underestimate the devastation of a “simple” attack

Attacker Goals
● Attacker wants to accomplish...
  – Gain network access via a device at victim's location
  – Attack internal/external hosts via TCP/IP
  – Attack phone/PDA/PC via Bluetooth
  – Passively gather information via sniffing
  – Establish other internal and external access
  – Impersonate services
    ● Webserver, Database
  – Target a user
    ● VIP VoIP connection

Attack Tools
● Typical opensource methods and tools
  – Scanning & Probing
  – Sniffing
  – Exploiting
  – Covert communications, reverse crypto connections
● Multiple protocols and entry points
  – Wired LAN
  – 802.11b/g wireless
  – Bluetooth
  – RFID

NEDs
● My favorites
  – Linksys WRT54G
  – Linksys NSLU2
  – Nokia 770
  – Gumstix
  – PicoTux
● Plenty of others!
  – Access Points, PDAs, Game platforms, etc.

Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures

NED Characteristics
● Small, unobtrusive, ubiquitous, cute
● Low-cost, almost disposable
● Minimal power requirements
  – Power over ethernet, battery, solar potential
● Multiple attack vector capability
  – Wired, Wireless, Bluetooth, RFID
● Traditional forensics very difficult
  – Ephemeral filesystems running in RAM
    ● Try that Encase!
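The point about ephemeral RAM filesystems has a practical consequence for responders: on a device like this, anything an intruder dropped into a tmpfs mount disappears the moment power is cut, so the mount table decides what has to be captured live and what can wait for a flash image. The script below is an added example written for this page, not material from the talk: it triages a /proc/mounts snapshot into RAM-only, kernel pseudo, and persistent mounts. The mount table and the filesystem-type lists are constructed for illustration and are assumptions, not a capture from a real router.

```python
"""Triage a /proc/mounts snapshot from an embedded Linux device: decide which
mount points hold RAM-only state that must be captured live, before power-off.

Constructed example; the mount table below is a plausible WRT54G-class
layout written for illustration, not captured from a real device."""

# Filesystem types whose contents exist only in RAM (assumed list; extend it
# for the kernels you actually meet)
VOLATILE_FS = {"tmpfs", "ramfs", "devtmpfs"}
# Kernel pseudo-filesystems: not storage, but the process and network state
# read from them is lost with power too
PSEUDO_FS = {"proc", "sysfs", "devpts", "debugfs"}
# Flash/disk filesystems that survive power-off and can be imaged later
PERSISTENT_FS = {"squashfs", "jffs2", "ext2", "ext3", "ext4", "vfat"}

# Constructed sample /proc/mounts (device mountpoint fstype options dump pass)
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev tmpfs rw 0 0
devpts /dev/pts devpts rw 0 0
/dev/mtdblock4 /jffs jffs2 rw 0 0
"""


def parse_proc_mounts(text):
    """Return one dict per mount line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        entries.append({"device": device, "mountpoint": mountpoint,
                        "fstype": fstype, "options": options.split(",")})
    return entries


def classify(entry):
    """Map a mount to volatile / pseudo / persistent / review (unknown type)."""
    fs = entry["fstype"]
    if fs in VOLATILE_FS:
        return "volatile"
    if fs in PSEUDO_FS:
        return "pseudo"
    if fs in PERSISTENT_FS:
        return "persistent"
    return "review"  # e.g. rootfs/overlay: check where the upper layer lives


def triage_mounts(text):
    """Group mount points by class; order within each class follows the table."""
    plan = {"volatile": [], "pseudo": [], "persistent": [], "review": []}
    for entry in parse_proc_mounts(text):
        plan[classify(entry)].append(entry["mountpoint"])
    return plan


def writable_volatile(text):
    """RAM-backed, writable mounts: where dropped tools, logs and state live."""
    return [e["mountpoint"] for e in parse_proc_mounts(text)
            if classify(e) == "volatile" and "rw" in e["options"]]


def acquisition_order(text):
    """Capture order: RAM-only first, kernel state next, flash last."""
    plan = triage_mounts(text)
    return plan["volatile"] + plan["pseudo"] + plan["persistent"] + plan["review"]


if __name__ == "__main__":
    for mountpoint in acquisition_order(SAMPLE_PROC_MOUNTS):
        print(mountpoint)
```

On the constructed table, /tmp and /dev are the writable RAM mounts and therefore the first thing to copy off over the live SSH session the deck mentions; the squashfs root and the jffs2 partition can be imaged from the flash chip afterwards. Unknown types land in "review" rather than being guessed, since an overlay may be backed by either RAM or flash.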

NED Characteristics
● Outbound reverse connections back to attacker
  – Crypto tunnels bypass firewalls, IDS/IPS
  – “Under the radar” common protocols: DNS requests, ICMP, HTTP/S are typically allowed through firewalls
  – Proxies, anonymizers, bouncing through multiple boxes
● Ported attack tools and exploits
  – ARM processor-based
  – Hardware/software limitations and trade-offs
    ● Dependent libraries, GUIs, etc.
    ● Don't expect Nessus GUI on Linksys routers
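Because a planted device phones home over protocols the firewall already permits, the defender's leverage is in the traffic pattern rather than the port. The following is an added example for this page (not code from the talk) showing the kind of heuristic a resolver-log review can apply to spot DNS used as a covert channel: one source issuing many never-repeating, long, high-entropy subdomains under a single domain, often with TXT-type queries. The log format, hosts, thresholds and the sample queries are all constructed assumptions; the two-label "base domain" split is a simplification that a real deployment would replace with a public-suffix lookup.

```python
"""Flag DNS-tunnel-like query patterns in resolver logs (constructed example).

Per (source, base domain) we track the number of distinct subdomains, the
mean length and mean Shannon entropy of the leftmost label, and the share of
TXT/NULL/CNAME answers; a tunnel needs many unique, data-carrying labels."""
import hashlib
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> qname=<name> qtype=<type>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for a single repeated char)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split 'a.b.example.com' into base 'example.com' and subdomain 'a.b'.

    Simplification: the base is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None  # nothing below the registered domain to carry data
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dns_tunnel_indicators(lines, min_unique=8, min_len=12, min_entropy=3.0):
    """Return one finding per (src, domain) whose pattern looks like tunnelling."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        base, sub = split_qname(m.group("qname"))
        if base is None:
            continue
        st = stats[(m.group("src"), base)]
        first = sub.split(".")[0]  # the label an encoder usually fills with data
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(first)
        st["ent"] += shannon_entropy(first)
        if m.group("qtype") in ("TXT", "NULL", "CNAME"):
            st["txt"] += 1
    findings = []
    for (src, base), st in stats.items():
        mean_len = st["len"] / st["n"]
        mean_ent = st["ent"] / st["n"]
        if len(st["subs"]) >= min_unique and (mean_len >= min_len or mean_ent >= min_entropy):
            findings.append({"src": src, "domain": base, "queries": st["n"],
                             "unique_subdomains": len(st["subs"]),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "txt_ratio": round(st["txt"] / st["n"], 2)})
    return sorted(findings, key=lambda f: f["src"])


def _constructed_sample():
    """Build sample log lines: one ordinary host and one tunnelling host."""
    lines = []
    for name in ("www.example.com", "mail.example.com", "www.example.com", "cdn.example.com"):
        lines.append(f"2006-11-07T10:00:00 src=10.0.0.7 qname={name} qtype=A")
    for i in range(12):  # long, non-repeating hex labels under one domain, TXT type
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:24]
        lines.append(f"2006-11-07T10:00:{i:02d} src=10.0.0.42 qname={label}.t.example.net qtype=TXT")
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for finding in dns_tunnel_indicators(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately conservative defaults: CDN and anti-spam lookups also produce long labels, so in practice the unique-subdomain count over a window is the discriminator that keeps false positives down, and the same per-source aggregation applies to ICMP payload sizes or HTTPS session counts for the other "allowed" protocols the slide lists.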

NED Characteristics
● Stripped-down Linux
● BusyBox shell
● SSH, HTTP/S management
● Features like VPN tunnels, mesh networking
● On-the-fly software install as “packages”
  – DNS, Apache, Asterisk
  – Attack tools and exploits
  – Powerful scripting languages: Python, Ruby

Linksys WRT54G
● Cheap, cute, heavily “hacked” and tweaked
● Secure with default Linksys firmware?
  – Ubiquitous = the “new Windows”
  – Very likely unpublished exploits in the wild
● Opensource alternatives to Linksys firmware
  – OpenWRT
    ● Package system
  – Sveasoft
    ● Mesh networking
● Unleashing the WRT54G....

FairuzaUS for Linksys
● FairuzaUS: www.hackerpimps.com
● Command line interface over SSH
(Screenshot: Treo 650 SSH into FairuzaUS into compromised Windows box)

Upcoming Linksys
● EVDO & Wifi = WOW!
● Linux-based
● This will become popular
● Potential for abuse is big

Nokia 770
● Basics
  – Debian Linux PDA
  – Slow CPU, low RAM
  – 802.11b & Bluetooth
  – Touchscreen keyboard
● Software & Commercial Attack Platform Development
  – Immunity SILICA (Dave Aitel)
    ● http://immunitysec.com/products-silica.shtml
  – HD Moore doing work on this platform (MetaSploit)
  – Maemo project and security tools packaged
    ● Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit

Linksys NSLU2 “Slug”
● US $75
● Heavy OpenSource support
  – Unslung, Openslug, DebianSlug
● USB storage
● Bluetooth dongles
● Asterisk, WebCam, MP3 stream
● Try if you're looking for a weekend geek project
● I'm looking into this as a testing platform

Gumstix
● Ultra-small computers ($120 +)
● Expandable “snap in” boards
  – CF storage and 802.11b wireless
  – Single and dual Ethernet with POE
    ● MITM hardware device with dual ethernet
  – Bluetooth
  – USB, serial, PS/2 connectors
● Used in BlueSniper, UltraSwarm
● Developer CDs and environment

PicoTux
● Picotux 100 and 112 (US $100 +)
  – World's smallest Linux computer
  – 35mm×19mm×19mm (size of RJ45 connector)
  – Power over ethernet
  – Telnet and HTTP server
  – Developer CDs and environment
● Attacks
  – Plenum off a Cisco CAT switch
  – “Serial to ethernet connector”

Other Gear
● KeyKatcher
  – PS/2 and new USB version
● New “U3” USB key technology
  – Auto-run apps, installs, pull SAM on-the-fly, etc.
● EVDO USB Key
● “Executive Gift USB” - Swiss Army USB/Knife
● Infected RFID tags
  – Infects reader, which then infects other tags and DB
  – http://www.rfidvirus.org/papers/press_release.pdf

Other Gear
● Linux Phones
  – Customizable
  – Bluetooth, Wifi, cameras, etc.
● Qtopia
  – Security people “discussing ideas”
  – Prediction: top “hacker” phone
● BlackDog
  – Linux box on USB
  – Biometric auth

Agenda
● Objectives
● Attacks
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures

Spooky: Device Enclosures
● Free water cooler offer ;)
  – Potential for power source
  – Legitimate reason for physical presence...and returning
● Office décor
  – Flower safe with X-mas tree & lights...plug 'n play
● Exit Sign, fire extinguisher
  – Dangerous to mess with emerg. gear
  – But what if extra gear shows up?
    ● Wow, we have even more security now!

Spooky: 0wn3d Mesh Network
● Municipal networks beware!
● Build It
  – EVDO gateway for Internet
  – Drive-by/Walk-by AP 0wn4g3
  – Senao AP w/ YAGI = Sweeper
● Run It
  – Karma = DHCP for everybody
  – Shared crypto keys, cron jobs, remote ssh-fs mounts
● 0wn it
  – Attack everything, browser exploits on portal
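The "Karma" behaviour this slide relies on (an access point that says yes to whatever network a client probes for) is also its tell from the monitoring side: a single BSSID answering probe responses for many unrelated SSIDs, or serving your own SSID from a radio you never deployed. The block below is an added example for this page, not the talk's material, and shows the two checks over a wireless-IDS style frame log. The frame format, BSSIDs, SSIDs and the authorised-radio table are constructed assumptions; a real feed would come from a monitor-mode sensor such as the Kismet setup the deck mentions.

```python
"""Spot Karma-style and evil-twin access points in a management-frame log
(constructed example; frame format and addresses are assumptions)."""
import re
from collections import defaultdict

# Assumed log format: "type=<beacon|probe-resp> bssid=<mac> ssid=<name>"
FRAME_RE = re.compile(r"type=(?P<type>\S+)\s+bssid=(?P<bssid>\S+)\s+ssid=(?P<ssid>\S+)")

# Constructed sample of observed frames (not a real capture)
SAMPLE_FRAMES = [
    "type=beacon bssid=00:11:22:aa:aa:01 ssid=CorpNet",
    "type=probe-resp bssid=00:11:22:aa:aa:01 ssid=CorpNet",
    "type=probe-resp bssid=00:11:22:bb:bb:02 ssid=CorpNet",
    "type=probe-resp bssid=00:11:22:bb:bb:02 ssid=linksys",
    "type=probe-resp bssid=00:11:22:bb:bb:02 ssid=attwifi",
    "type=probe-resp bssid=00:11:22:bb:bb:02 ssid=HomeWifi",
    "type=probe-resp bssid=00:11:22:bb:bb:02 ssid=CoffeeShop",
    "type=beacon bssid=00:11:22:cc:cc:03 ssid=GuestNet",
]

# Constructed authorised mapping: SSID -> set of BSSIDs allowed to serve it
AUTHORIZED = {
    "CorpNet": {"00:11:22:aa:aa:01"},
    "GuestNet": {"00:11:22:cc:cc:03"},
}


def audit_wifi(frames, authorized=AUTHORIZED, max_ssids=3):
    """Return findings for radios that impersonate a known SSID or answer
    probes for more than max_ssids distinct networks (Karma behaviour)."""
    ssids_by_bssid = defaultdict(set)
    findings = set()
    for line in frames:
        m = FRAME_RE.search(line)
        if not m:
            continue
        bssid = m.group("bssid").lower()
        ssid = m.group("ssid")
        if m.group("type") == "probe-resp":
            ssids_by_bssid[bssid].add(ssid)
        # Evil twin: a managed SSID advertised by a radio not on the allow list
        if ssid in authorized and bssid not in authorized[ssid]:
            findings.add((bssid, f"unauthorised BSSID serving {ssid}"))
    # Karma: one radio answering probes for many unrelated networks
    for bssid, ssids in ssids_by_bssid.items():
        if len(ssids) > max_ssids:
            findings.add((bssid, f"answers probes for {len(ssids)} distinct SSIDs (Karma-style)"))
    return [{"bssid": b, "issue": i} for b, i in sorted(findings)]


if __name__ == "__main__":
    for finding in audit_wifi(SAMPLE_FRAMES):
        print(finding)
```

The probe-response count is keyed on BSSID rather than SSID on purpose: a legitimate multi-SSID controller beacons a small fixed set, whereas a Karma radio's set grows with every client that walks past, which is why a threshold over a window works in the field.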

Spooky: In-Transit “Marketing”
● Airports, train stations, bus stations, subways, etc.
  – Bluetooth spamming with “scary” message content
  – 0wn3d wifi networks & Windows Messaging
● Multiplier-effect
  – Simultaneous at multiple hubs in US
  – “Scary message”
● Huge productivity costs
  – Wrong message
● Used as diversion, secondary attack, etc.
● Virus/worm type attack like this is possible

Of Course...
● Why not hack the marketing guy's gear instead?
  “CBS today said it is planning a marketing initiative that will allow mobile users with Bluetooth-enabled phones to download promotional clips from its new fall TV shows directly to their handsets at billboard locations in New York. The billboards in Grand Central station....”
● Digging a little deeper
  – kameleon-media.com
    ● “Remote data loading via a GPRS or Ethernet modem that connects directly the MobiPoint® to our server.”

Spooky: Long-distance, the next best thing to being there
● Home-built Bluetooth/Wifi “Sniper” setups
  – Bluetooth targets up to one mile
  – 802.11b targets up to...?

How far?
● 802.11b over 125 miles

Maxing Out Current Gear
● Janus Scanner – DefCon 14
  – 8 Senao hi-power cards (125 mile wifi-record card)
  – Amplifier 1-watt to “keep it legal”
  – Linux, Kismet, etc.
  – Pelican case
  – Data encrypted
  – 1 button operation
● Also “BlueBag”
  – Target Bluetooth

Terrorism & RFID Passports
● US Passports will have RFID tags
  – Each US State's Drivers' licenses probably next
● RFID security weaknesses already found
● Reading tags at a distance is a documented threat
● The “Nightmare Scenario”
  – Discussed in media already
  – NED (or cell) RFID scan for passports
  – Connected to explosive device
    ● Detonate X number in range

Countermeasures
● Know the risks and threats
● Know your network devices and traffic
● User education, buy-in, ownership of the problem
● Policy and “best practices”
● Planned response vs. “Uh oh...”
  – Calling the cavalry (specialists, Johnny Law)
● Proactive measures
  – Honeypots, Honeynets, Bluetooth-honeypot
  – Yet to see a RFID honeypot (sell to Wal-Mart?)
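"Know your network devices" is the countermeasure that directly catches the gear in this deck, because a WRT54G or Slug plugged in behind a water cooler still has to take a DHCP lease or show up in an ARP table. The block below is an added example for this page (not from the talk): it diffs a dnsmasq-style lease snapshot against an asset register and raises the severity when the MAC's OUI or the default hostname points at consumer embedded Linux gear. The lease lines, the inventory and the hostname hints are constructed; the single OUI in the watchlist is an assumed entry and the list should be populated from the IEEE OUI registry in practice.

```python
"""Audit a DHCP lease snapshot against an asset inventory and flag unregistered
devices, especially ones that look like consumer embedded Linux gear.
Constructed example: leases, inventory and watchlist are illustrative only."""

# Constructed dnsmasq-style lease lines: expiry MAC IP hostname client-id
SAMPLE_LEASES = """\
1162900000 00:0c:29:11:22:33 10.0.0.21 ws-finance-03 01:00:0c:29:11:22:33
1162900100 00:14:bf:aa:bb:cc 10.0.0.77 OpenWrt *
1162900200 00:1b:63:44:55:66 10.0.0.31 printer-2f *
1162900300 00:1e:c2:77:88:99 10.0.0.90 * *
"""

# Constructed asset register: MAC -> owner/description
INVENTORY = {
    "00:0c:29:11:22:33": "finance workstation 03",
    "00:1b:63:44:55:66": "2F laser printer",
}

# Assumed watchlist entry; load the real mapping from the IEEE OUI registry
OUI_WATCHLIST = {
    "00:14:bf": "Cisco-Linksys (WRT54G-class consumer router)",
}

# Default hostnames that stock or open-source firmware tends to announce
EMBEDDED_HOSTNAME_HINTS = ("openwrt", "linksys", "nslu2", "slug", "picotux", "gumstix", "nokia")


def parse_leases(text):
    """Return one dict per lease; '*' means the field was not supplied."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        devices.append({"mac": mac.lower(), "ip": ip,
                        "hostname": None if hostname == "*" else hostname})
    return devices


def oui(mac):
    """First three octets of a colon-separated MAC, lower case."""
    return mac.lower()[:8]


def audit_leases(text, inventory=INVENTORY, watchlist=OUI_WATCHLIST):
    """Flag leases that are unregistered or look like embedded attack gear."""
    findings = []
    for dev in parse_leases(text):
        reasons = []
        if dev["mac"] not in inventory:
            reasons.append("not in asset inventory")
        vendor = watchlist.get(oui(dev["mac"]))
        if vendor:
            reasons.append(f"OUI on watchlist: {vendor}")
        host = (dev["hostname"] or "").lower()
        if any(hint in host for hint in EMBEDDED_HOSTNAME_HINTS):
            reasons.append(f"hostname suggests embedded Linux device: {dev['hostname']}")
        if reasons:
            findings.append({"mac": dev["mac"], "ip": dev["ip"], "reasons": reasons,
                             "severity": "high" if len(reasons) > 1 else "medium"})
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES):
        print(finding)
```

An unregistered MAC alone is "medium" because guests and replacements happen; the combination of unknown MAC, consumer-router OUI and a stock firmware hostname is what should page someone to go and look behind the water cooler. Static-IP devices never take a lease, so the same audit should also be run over the switch's ARP or MAC address table.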

Looking Forward & Other Stuff
● More devices with network access
  – “Why is my refrigerator scanning my network?”
● Mobile devices will be targeted
● VoIP and the new-style phone tapping agenda
  – VoIP phones as room taps
  – Capture VoIP traffic
● Same old story
  – New technology, adoption, poor security, etc.

Thanks! Questions?
● Feel free to contact me at shawnmer@io.com
