My name's Alec, I'm Ronnie, kind of, I guess that's obvious. I'm doing a talk on session donation. If that's the way you're here to see, you can leave. I won't be offended. Everybody hates me already. So we have a very short talk here, so I'm going to try and keep it quick. I've got time for questions and whatnot at the end. We'll figure out as we go. So I'm Alec and Ronnie, like I said before. I'm part of the Longhorn Lockpicking Club. Working in the Lockpicking Village upstairs. Gave a talk earlier. Introduction to Lockpicking. Great story behind that picture there. I'll get to it at the end if we have time. It's awesome. Go to the University of Texas at Austin, studying computer science, and I work for the Information Security Office there. So I guess that's why people might think they want to listen to me. Quick talk, not a lot of time. Everyone can hear me cool, right? Yeah, badass. Question, yeah, blah, blah, blah, blah, blah. Presenting an idea, pretty much. This is really just, it's a variation on a session ID attack. And I know most of you, if not all of you, are familiar with session hijacking. But I feel like there's at least one or two out there who aren't. So, quick review: session hijacking is stealing a session ID. Session ID is used for authentication for various things like web services. Session fixation, cross-site scripting are two of the really pertinent parts to this session donation attack. There are countermeasures for session hijacking, and I guess there are theoretical countermeasures for session donation, because session donation hasn't actually really been talked about before, as far as I know. These are common countermeasures, random session key, generating it as you go to a new page, encrypting, gibberish, and whatnot. Limiting by IP address, yeah, you guys can read, hopefully, if not, then you probably don't want to listen to me anyway or understand what I'm talking about. No one's really laughing either. 
God, you guys are a bunch of fucking douchebags, giggles, smile, or something. Make me feel better about myself. I already have self-esteem issues. So session donation, now that there's a quick dirty overview of session hijacking, session ID attacks, if there's any questions on any of that, we can get to it later. It's exactly what it sounds like. Instead of hijacking someone's session ID, you're donating yours. A lot of the attack is very similar to session fixation, which is used in session hijacking. I mean, if you fixate someone's session, then you can steal it, because you know what it is. However, with session donation, instead of fixating it to something just so you know what it is, and then you can steal their IDs after they authenticate, you're fixing their session ID to your session ID after you've authenticated with that session ID. And you would think since session fixation is used a lot with session hijacking, a lot of the countermeasures would be the same. However, because you're authenticating beforehand, and we'll get into this a little bit more later, it's a lot more difficult to prevent and predict. It's kind of cool, actually. I think it is, at least that's why I'm talking about it. People do too, because they can't even listen to me. So yeah, easier to give your identity to someone than stealing it. Common knowledge there and whatnot. Yeah, so am I insane, kind of. Why would I give my information away? I'm a DEF CON. I keep everything private and paranoid. I know the feeling, I fall in the same category. Here's an example scenario, though. Guys can read, but I'm going to read it anyway and insult you. Joe logs into a service, deletes stored information. Stored information, for example, he logs into a web page at work or something where he stores his bank account information for his payroll. It's all stored there, so they can just do an EFT to pay him and whatnot. 
And then after he deletes his stored information, it's all clear, donates his session to a second party. We're going to call him Jim Bob, so I'm going to have a better name. No, you guys are all dull. God. So then Joe, same with session hijacking. Somehow Joe gets Jim to go to the web page that he wants to attack. In this example, it's an EFT information storage page. And Jim goes there and sees, oh man, the page's blank, I better put all my stuff in. Joe told me there was an error earlier and that the database deleted my information. So I'm going to go store it so I can get paid on my payday. It's saved, but it's saved after Joe's donated his session ID to Jim. So he saves it, and it's saved as far as anything involved in the service is concerned. It's saved as Joe. So then Joe can log in at any point in time he wants because you're allowed to log in as yourself just because if you couldn't, that'd be ridiculous. And then he goes in and all Jim's information is stored there, and he successfully executed a session donation-esque attack. Since the information is stored there, he can log in, retrieve it, delete it after he's copied it down to a piece of paper or whatever and given it to the world or a hooker or something. There are issues with session donation, things that you would expect people to catch. But then again, you would also expect people to not log in to a fake web page, but they do it anyway and give away their information to anyone who asks. So PEBKAC happens all the time. You can't really deal with it unless you tell people they suck and they can't use their service, which would be fun. But unfortunately, it doesn't work that way. So user training, if you ever train a user who's dumb to not give away their shit so it doesn't get stolen, you're like, hey, don't log into a page. It's not the right one. You don't want to give it away. People will steal your username and password and try and authenticate as you, blah, blah, blah. 
They're all looking for, oh man, I better not put my information on this page. However, if a session has been donated to them, they're not gonna need to log in. It's already been authenticated as far as the service is concerned. They don't need any more. There's nothing else for them to authenticate. So I mean, if you get a single login set up, a lot of universities, some corporations, for example, the University of Texas, they have an EID login. Same login, you authenticate once and you're authenticated for all the services across campus. With something like that, people aren't gonna think, oh, I didn't have to log in, because they logged in earlier, so they're used to not having to log in. And then if you get someone who actually knows somewhat what they're doing and they are like, I'm gonna check before I put in my bank account information, check the SSL cert. The SSL cert's gonna be valid. There's no problem with the connection to the server. He's authenticated, connected to the server. There might be a problem, but it's not involved with this attack. So they check and they're like, oh, it's cool. It's all okay, but it's really not. And that's where the issue comes in here. So in order to take this attack live, Portrait Awards, anywho, you have to, as the attacker, be able to get a session ID. That's potentially a very large pool. I mean, if you can log in or if you're allowed to use it, then you can get a session ID whenever you want. So once you have that, then you just have to be able to give away your session identity. It's very hard to stop someone from giving that away. It's definitely doable. It's just at the moment, not a lot of people think to check for something like that. Cross-site cooking, session fixation, man in the middle, there's all sorts of ways you can switch someone else's session identity with yours. Yeah, like I said earlier, this is dangerous, kind of, because countermeasures that are implemented right now won't work effectively. 
The victim still has a valid session ID, so it's, you know, there's no problem there. It's been authenticated, it's been checked and everything, and you know, you can implement a common countermeasure for session hijacking, which is to switch the ID as you go to a new page. Well, if you get a valid ID and send it to them and then just wait for them to click on new pages and whatever, then they'll still have a valid ID the whole time going through and they'll be authenticated and then you wait until they're done and go and take whatever you want. So I mean, it really comes down to can you prevent someone from giving away what they need to have? And it's hard to do, and if you can't do that, can you prevent them from authenticating as themselves after they've given away their identity? Once again, very hard to do. And I mean, like this says here, session hijacking techniques might make it a lot easier to prevent a user who knows that they've, you know, they've been compromised to go in and, you know, delete the information that they accidentally stored in the wrong place. Once the attacker logs in, the old session ID would have been cleared out and they, you know, the victim can no longer log in and switch it with the, or, you know, delete the information they stored there. Man, you guys are really quiet. It's a big route. So like I said, it's definitely possible to prevent. There's little things. It's just the fact is the attacker isn't attacking, you know, trying to get the session ID. They're attacking the fact that it exists and that's what you use for authentication. And you can't really get around that because you need that there in order to authenticate people. If you don't have it, then you run into an issue that you need it. Just simple things, prevent cross-site scripting. Most people here know that, but a lot of people don't think to do it. It's the biggest vulnerability in the web as far as I know last, I don't remember where I read that, Wikipedia. 
Yeah, no, it's a great source. You're not allowed to use it ever in college. Just disappointing. So the best way I came up with, and I mean, this is all very recent, I haven't... Stop it. So I mean, the best countermeasure I came up with was at a very basic level, it's pretty much using the IP address of the sender or something of that nature when you generate the session ID. That way if someone gives away their session ID, unless they're giving it away to the same computer or whatever you're using in place of the IP address, it's no longer a valid session ID. So you take a hash of the IP address and use it as part of the session ID generation, and then for authentication, you don't just say, oh, is this a valid session ID, if yes, then whatever. You go through and you actually have to regenerate the session ID based on who's requesting information and then compare the two. It takes more time. It's not as fast, it's not as efficient, but security is always the least efficient way to do anything. Whoa. I thought there was another slide in there. Yeah, so that went a hell of a lot faster than I thought it would. I guess I'm kind of nervous because of that great story I have from the picture. So I'm gonna go ahead and tell it because we have a lot of time, and if you guys have questions or anything, or if you feel like yelling at me, I guess that's cool too. So, in case you forgot what this picture looked like, it's a giant fail trophy. I gave a speech earlier for introduction to lockpicking, DC 101, and long story short, TSA lost all my demo equipment and everything. I had to rewrite it Wednesday at 11 when I got in, and this guy said I gave possibly the worst talk at DEFCON ever. So I'm working on figuring out who it is. I think he's giving a safe cracking speech in the lockpicking village later. I'm gonna have a lot of fun with that. So anyone have any questions or wanna harass me? Yeah, yes. Once again, yeah, it's not a foolproof method. 
It's just, it would stop a little bit. There's no, I don't believe there's such thing as a, I'm sorry. Sorry about that. He said, you had mentioned something about protection earlier. Why can't you just spoof the IP and then that entire use a hash of the IP and generation of a server on the server's generation of the session ID, it becomes irrelevant at that point. That's true. Like I said, that's like the best I could come up with. It's very hard to prevent someone from giving away their identity to someone else with the intention of stealing their information. So yes, that is a very valid way to just bypass that too. Anyone else? Yeah. Yeah, no, that was the original idea I'd come up with. The problem I saw with that is, once again, people don't pay attention to things like that. A lot of web pages also already have that, it's small enough in the top right-hand corner saying, like, hello, I'm a douchebag. Welcome to our website. So I mean, you could make it a lot bigger, make it the title, make it so when they hit the submit button or whatever it says, you are submitting this information as, but people will get annoyed and be like, yeah, okay, whatever, hit okay. I mean, people don't even check, you know, if they had an invalid SSL cert, they're generally just gonna hit okay and be like, oh, well, I trust this site. I mean, I don't know, it must be a computer problem. I hate computers. Anyone else? If you have a question and I don't see your hand, just yell at me. Well, awkward. I'm sorry about that. I just, you know, it's hard to give a speech after you've heard you've given the worst speech at DEF CON ever. It's actually very hard. So, yeah, thanks for listening to me. If you guys wanna catch me at any point in time, I'll probably be up in the lockpicking village doing things of that nature. If you don't really wanna talk to me, you can go up there and I might not be there for the other half of the time. So, you have a question? I'm sorry? 
Right now, so I tried editing my website before I got here because I was gonna put up all sorts of nifty stuff and I was tired and then I got halfway through it and realized I didn't have my bag from TSA and stop. So, my website is down. It will be up by the end of tomorrow. And I say that tentatively because who knows, the way my life's been going, it's probably not going. It's obscenicize.com. Great, I'm gonna have to put that up here. Give me two seconds. Yeah, I know, right? Because I rushed through my speech and didn't really go over things like I wanted to. Yeah, so like I said, go to Lockpicking Village, it's cool, I have time to kill, so I'm just gonna keep talking and chatting until someone wants to yell at me or something. No one likes yelling at me to my face. It's kind of disappointing. I really kind of wish he had said I gave the worst speech at DEF CON ever to my face. I could have a lot of fun with that conversation. No, it's all secondhand, so I gotta find out who it is still. It was actually Thursday, so yesterday. Well, yeah, that was like half my speech. I had to kill three hours, I was like, I lost my shit. I'm gonna say another sentence, I'm gonna say I lost my stuff again because I got a lot of time to kill. Once again, I mean, more time killing, yeah. Fair enough, well, I actually feel like this one went a lot worse, so. Definitely possible that I topped my own worst DEF CON speech ever, all in the same CON. Wish I had a third speech, I'd try and top myself a third time. You really, you want me to? I mean, I can go through it really quick. Cool, yeah. Oh, cool, awesome. I feel like people wanna listen to me. So, yeah, session donation. That's me, TurboTrack, not a lot of time. Two minutes to go, session ID. You know what a session ID is? Cool, kosher, not gonna go through that. Session donation, exactly what it sounds like. Take the hijacking out and donate instead of taking. Why would you do that, are you insane? 
Yeah, if you haven't listened to my speech yet, then you'd probably know, oh, yeah, I lost my train of thought. Schizophrenia's a bitch. Example scenario, someone would know, we don't need that. Yeah, so why would you give it out? Because if you can get someone to authenticate as you go to a website, then save their bank account information, then you go in, log in to yourself, their bank account information is saved, and you can just take it. I'm sorry? There was actually a different, which Mahoos are PowerPoint on the CD. This will be on the website, I'm giving this to Nikita after the speech. So it'll be on the DEF CON website, it'll also be on, I think they put the speeches, the video recording of the speeches, so you gotta listen to me being embarrassed and freaking out too. Yeah, it'll be cool, so if you ever feel bad about yourself, you can go ahead and watch this video and you'll feel great. That said, I'm out of time, thank God. So go to Lockpicking Village is cool. Thanks for listening to me be a douchebag.
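The talk describes two things in prose: why per-page session ID rotation does not stop a donated session (the victim always holds a valid, already-authenticated ID), and the countermeasure of folding the requester's IP address into the session ID and regenerating it on every request before comparing. The following is an added, self-contained example that is not part of the talk or its slides; it simulates both a naive session store and an IP-bound one in plain Python. The class names, the server key, the IP addresses and the user name are all constructed for the example, and the "planting" of the token in the victim's browser is represented only as the token being presented from a different address.

```python
"""
Added example: session validation with and without client binding.
Shows that a naive validator accepts a transplanted ("donated") session
even across per-page ID rotation, while a validator that regenerates
an IP-bound session ID from the requester and compares it rejects it.
Every name, key, address and user below is constructed for this demo.
"""
import hashlib
import hmac
import secrets

# Server-side secret used for the binding MAC; constructed placeholder.
SERVER_KEY = b"example-server-key-not-for-production"


class NaiveSessionStore:
    """Session ID is a random token. Whoever presents it is treated as
    the user who created it, so a donated token is accepted."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, user, client_ip):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def rotate(self, token, client_ip):
        """Per-page ID rotation (a session-hijacking countermeasure).
        The holder keeps a valid, authenticated ID after each rotation."""
        user = self.sessions.pop(token, None)
        if user is None:
            return None
        new_token = secrets.token_hex(16)
        self.sessions[new_token] = user
        return new_token

    def whoami(self, token, client_ip):
        return self.sessions.get(token)


class BoundSessionStore(NaiveSessionStore):
    """Session ID = random part + HMAC(server key, random part | client IP).
    Validation regenerates the MAC from the requesting IP and compares it
    to the presented one, so the same token from another address fails."""

    def _mac(self, rand, client_ip):
        msg = rand.encode() + b"|" + client_ip.encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]

    def login(self, user, client_ip):
        rand = secrets.token_hex(16)
        token = rand + "." + self._mac(rand, client_ip)
        self.sessions[token] = user
        return token

    def rotate(self, token, client_ip):
        user = self.whoami(token, client_ip)
        if user is None:
            return None
        self.sessions.pop(token)
        return self.login(user, client_ip)

    def whoami(self, token, client_ip):
        rand, _, presented = token.partition(".")
        # Regenerate the binding from the requester and compare (constant time).
        if not hmac.compare_digest(presented, self._mac(rand, client_ip)):
            return None
        return self.sessions.get(token)


def donation_scenario(store_cls):
    """Identity under which the victim's later save would be recorded.
    'joe' means the donation succeeded; None means it was rejected."""
    store = store_cls()
    attacker_ip, victim_ip = "198.51.100.10", "203.0.113.7"  # constructed
    token = store.login("joe", attacker_ip)  # attacker authenticates as himself
    # The token is now presented from the victim's address; the victim
    # browses several pages, each of which rotates the session ID.
    for _ in range(3):
        token = store.rotate(token, victim_ip)
        if token is None:
            return None
    return store.whoami(token, victim_ip)


def legitimate_scenario(store_cls):
    """Same flow, but every request comes from the address that logged in."""
    store = store_cls()
    ip = "203.0.113.7"  # constructed
    token = store.login("joe", ip)
    for _ in range(3):
        token = store.rotate(token, ip)
    return store.whoami(token, ip)


if __name__ == "__main__":
    print("naive store, donated session seen as:", donation_scenario(NaiveSessionStore))
    print("bound store, donated session seen as:", donation_scenario(BoundSessionStore))
    print("bound store, legitimate use seen as:", legitimate_scenario(BoundSessionStore))
```

Running the script shows the naive store recording the victim's activity as `joe` after three rotations, while the bound store returns `None` for the donated token and `joe` for the legitimate one. As the audience question at the end of the talk points out, this binding is only as strong as the attribute it uses: a spoofed or shared address (NAT, proxies) satisfies the check, which is why the speaker calls it a partial measure rather than a foolproof one.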