Yeah, so hi guys. Thanks for sticking around until the last talk of the day. I know everybody's probably pretty tired. This is a little bit less high-tech than Olivier's, so hopefully easy to follow along with, and if we go through it a little bit quicker than half an hour, don't hold me accountable.

This is a subject that I've been thinking about quite a bit since, more kind of with the army, about two years ago, taking a look at domain names in the public infrastructure. I've been quite curious about what's possible with a low-hanging-fruit style of attack. Probably a lot of you, especially if you're more technical, are familiar with the internet and the way it works: DNS, not a mystery, full of vulnerabilities. In the army we talk about something called an asymmetrical attack, so the cost of putting a roadside bomb, for example, is a fraction of the cost of defending against that attack. I think there's a similar thing in cyberspace that's worth considering. That's something that's been around for a long time and we'll dig into that a little bit.

Yeah, so, introduction. Currently SOC analyst at Commissionaires du Québec; big thanks to JP and the rest of the team for encouraging me to come up here today and give my first talk at a security conference. It's a hell of a place to do it too, so it's exciting. Also cyber protection team lead with 34 Signal Regiment in Westmount; we're a reserve unit in the army. Previously spent many years working as a home automation integrator, smart home guy, a lot of custom AV, home theaters, lighting control, HVAC, that kind of thing. Also software product manager for a mobile app, where I spent a lot of time dealing specifically with user behavior and user issues. So there's a lot of overlap there, too.
I think this talk is a bit of a culmination of a lot of my experience. So what's on the agenda? I want to talk quickly about human fallacy and the role it plays in some attacks. I want to talk about DNS specifically, some of the challenges there, and email security challenges. We're gonna take a closer look at cybersquatting, maybe a refresher for some of you, maybe some new angles to think about, and then I want to bring you sort of on the inside of a little evil experiment that I conducted over the last 45 days. Then obviously we'll talk about protecting ourselves and our organizations, and then some closing thoughts. Maybe we can talk about more in the panel.

So, it's a cartoon that resonates with me pretty well. On one side we've got data security and firewalls and everything that goes along with that; on the other side we have Dave, who's the walking epitome of human error. Because the point is that you put a lot of technical controls in place, but it's really hard to account for some of the human factors involved. Now we see that firsthand. A recent report, probably y'all saw this in the news, was released by Bellingcat: a bunch of US soldiers were using flashcards to study overseas and were leaking top nuclear secrets. Some of the most top-secret information in the United States was revealed. 100% human error, OPSEC issue there. More recently, City of Ottawa. We saw humans involved in a scam, a social engineering experiment where somebody was pretending to be a partner on behalf of the Salvation Army requesting the City of Ottawa change the bank account that they transfer money to. They made away with $558,000 in city funds. 100% human driven. Probably my favorite example: if anybody should be secure, it's the President of the United States. OPSEC fail, even surrounded by the best people in the world in cybersecurity, arguably. Still using a password like maga2020 was the first example, if I remember correctly; the second one was yourefired. Happened twice. His account was guessed by security researchers from, I think it was, Denmark.

So why does all of this matter? You know, according to an Egress report, 94% of organizations have experienced a data breach in the last year, with human error being the leading cause of serious incidents. On the other hand, only 21% of technology leaders surveyed said that human error was their biggest concern. Mid-pandemic, this issue has only grown. Accidental and improper sharing of data by employees has grown to become probably one of the most critical threats facing or concerning security leaders. And then finally, in the last five years and even up to today, we see a growing concern with the introduction of things like GDPR, privacy protection laws, CCPA in California, closer to home Bill 64 in Quebec and other such privacy regimes, where the penalties imposed on organizations and the costs incurred are much, much higher and it's now a regulated issue. It's no longer "should we care about security?" It's "you better care about security or it's gonna cost a lot of money to the organization," and in some cases even criminal liability.

So let's back up a little bit. Let's talk about what DNS is. I'm not gonna read the slide; I'm not gonna take you through how DNS works. You can do that research on your own, but essentially DNS is a system that is designed to point users to IP addresses, and software applications to IP addresses, because humans have a hard time remembering IP addresses. Names are a lot easier to remember. DNS has a long history. It started all the way back with ARPANET: in 1972 the concept of a host, or an ARPANET host name, was introduced, and then Dr. Paul Mockapetris, pioneer of DNS, publishes RFCs 882 and 883, with some evolutions by 1986 into RFC 973, and finally, you know, the ISC is founded, DNS systems that we still use today like BIND are introduced, and by 1987 with RFCs 1034 and 1035 we basically have the DNS that we still have today. That's a 30-year-old technology that hasn't really evolved in 30 years, from long before a time when people were thinking about cybersecurity and what the security implications of the way DNS works are. For those of you who study internet history, you'll know that the internet was not designed to be secure. It was designed to be robust. So a decentralized naming system was designed to stop a bomb from destroying our infrastructure; it was to route packets and be resilient, but not necessarily concerned about data security or privacy. So, important considerations, putting on the black hat for a second: the important consideration is DNS was not built with security in mind. We didn't talk about it, but you probably all know that it's very trivial to register a domain name. You can do it anonymously: go buy a prepaid credit card at Shell, throw it into your registrar of choice and register a domain name. It's very inexpensive. And finally, humans often make mistakes, and the component that DNS relies on is human input more than anything. It's built for humans. So those are the things we want to keep in mind.

Step aside for a second and look at email. Let's look at email. You know, again, the first thing we'll notice as we look at the diagram is that the very first step in composing an email is choosing a recipient, and how do you designate a recipient? You put in a name at a domain, and right away email is dependent on the domain name system. And if we take, forgetting the details of email, if we take this concept that DNS is inherently insecure, if email is dependent on it,
Well, then email is also insecure. History of email: very similar timeline. I'm not going to go through it completely, but roughly the same timeline. We're looking at email that by and large hasn't changed, and I know some of you are probably thinking, oh, what about DNSSEC and what about encryption and what about all of these other protocol extensions that have come to pass since then? Well, you know, let's do an exercise, show of hands: who sent an encrypted email in the last month? Okay, I see about 5% of the room has done that. Now show of hands, who sent a sensitive document by email in the last month? Okay, so different people, different priorities. It's maybe not the effect I was looking for there, but the point is that email is, you know, basically unchanged since the last 30 years, with some minor caveats. Important considerations: we know email's not built with security or privacy in mind, really. It's trivial to send or receive emails anonymously. It's actually quite easy to stand up and operate an inexpensive email server or email infrastructure. And once again, humans make mistakes, and they make them quite often.

Let's move into cybersquatting. So I'm sure you all know what cybersquatting is, but basically it's a practice of registering a domain name with the intention of infringing upon the intended destination of the user. So I could register self-sec; that might be a form of domain squatting, trying to leverage the trademark of NorthSec, just one shitty example. Many different types of cybersquatting. If you break them down into categories, we can look at typosquatting, which is quite common. So in this example we have something like gnail, or Facebook with an extra o, a simple typo mistake put in by the user. We have bitsquatting, which is really interesting. It's when, you know, cosmic radiation from outer space comes and interferes with whatever is stored in your memory and flips a bit in the character, and all of a sudden you typed in microsoft but you ended up with "mic post off" dot com in memory in the computer, and that's what gets processed by, in this case, DNS. Combosquatting: so taking a brand name, putting a dash and some other trust word or something like that. It's not owned by FedEx, but it's made to look like it is. Homograph squatting, which is an interesting example: hotmail, to a human, looks exactly the same as hotmail, to a human, but in this case it's a different character. It's not the same character that's registered in DNS. Finally, paypal. This one is a shout-out to the francophones out there: paiepal.ca. And then level squatting is another interesting technique that we see a lot, especially with mobile, given limited screen size. Sometimes what happens is the domain name is truncated to the left-hand side and everything on the right-hand side is ignored, so, you know, the user is not actually paying attention to the real domain or TLD.

So, cybersquatting: not a mystery. We see it all the time. It's very common in phishing campaigns, you know, as a way to bait people into clicking links that seem trustworthy. It's also a very common technique in spam and marketing. One thing that's maybe a little less common, but still out there, is, you know, watering hole attacks, man-in-the-middle attacks, and finally the thing I want to focus on today is intelligence collection and using this as a tool to gather information against a target.

So let's get to the fun part, time for the experiment. I want to put a disclaimer out here. So when I started this thing, I didn't know what I was going to find. I was kind of hoping, like, maybe somebody's going to send me an email and it'll be interesting. It turns out I actually collected an enormous amount of personal, private, sensitive information. None of it's going to be shared. It's all going to be anonymized. I'm going to give you the meta-analysis, and everything that I've captured is basically analyzed and deleted on the spot.
I'm not storing; I'm not interested in anybody's private data, but I am interested in showing what's possible with this kind of attack. So I had a few hypotheses going into this thing. My first one was that some small, but, you know, given a large enough scale, not insignificant number of users will mistype the domain name of a popular, you know, email address when they're typing in their recipient. I'm going to mistype the domain. We should be able to register some of those typosquatted variants. They shouldn't be that expensive, and we should, you know, be able to do that easily. And then finally, the hypothesis is if I put a catch-all email address on the end of that typosquatted domain, I should start receiving emails intended for other people, but they're coming to me.

So some of the key questions I had: what kind of data can we capture this way? Is it possible to remain passive and anonymous in doing so? And can we employ similar techniques? Or sorry, can we detect other actors employing similar techniques? Can we hypothesize who might be out there doing a similar approach? And finally, how can we defend ourselves against such an attack?

So remember the email diagram from before. So this is a shitty edit I've made to it to sort of convey the idea. So Alice means to send an email to Bob at b.org, but he mistypes and he types in Bob at c.org. Well, the email server has no problem with that. The email application accepts it, sends it for a DNS lookup, and there's an MX record at c.org and it says, yeah, sure, I'll take an email. Yeah, we've got a catch-all email address. I'm happy to receive an email for Bob at c.org. And the email gets processed and delivered right into, in this case, the attacker's or the malicious listener's email inbox.

So just a little bit of info to set you up for, you know, how the experiment is set up. We have 12 different domain names that were registered, and I want to give a thanks, a shout-out, to a colleague of mine at Commissionaires, [inaudible] today, Simone, who'd also done some similar work here and was able to help me get the setup. We set them up on a shared webmail inbox with a catch-all email address on every single one of those domains, and we let it collect data for 45 days.

Okay, so results: 123,000 emails. I was hoping to get, like, five. Okay, 2,700 emails per day. That's, you know, like one a minute or something ridiculous. You can watch them come in in real time. It's really interesting. You might be wondering what kind of emails we received. Well, a lot of this, there's a lot of spam, which was the first challenge that I came across: how am I gonna eat all of this? There's like a ton of spam to deal with. It's ridiculous. So the vast majority of it is spam, frankly not unexpected when you stop and think about it. Maybe for the next iteration of this talk we'll talk about who the top spammers are, and there's probably a lot of work that could be done just around analyzing that, but that wasn't the focus of the talk, so I didn't spend too much time on it.

So emails of interest. Here's where things get really interesting. I received, at last count, 204 Interac e-Transfers with a total value of tens of thousands of dollars. A lot of package tracking links, and not the spam variant that you're all used to receiving; these were legitimate. Personal banking notifications, so whether those are like, you know, you spent money (some of you probably get those: we use your debit or credit card, you spent money here, you spent money there), there's a problem with your account, your account balance is running low. Those types of emails we collected and classified as personal banking. Sales receipts, lots of sales receipts coming in. You know, I'm sure any one of you shopping downtown, you've probably been asked if you want to receive an email receipt. Well, maybe the girl mistyped your email and I got it. Account verification, this one is dangerous.
So a lot of account verification and activation links. You know, this, we can talk a little bit more about types of attacks we can pull off with this. Appointment confirmations: dental appointments, doctor's appointments, sales meetings, all kinds of appointments. Personal resumes and employment applications. Think about the amount of data that's on your personal resume, sensitive data. There's, you know, even over 45 days, this is almost, yeah, almost one a day. Password reset links, loan applications and service contracts, tenant notifications, personal medical information, x-rays, all kinds of information, you know, people's private health data, lease documents. I got a completed security clearance application form complete with passport photo and 10 years of personal history. And finally, the most impressive one I received was, I don't want to reveal too much, but it's one of the largest labor unions in the country. They were in the middle of a draft negotiation with the government and I got an early version, an early look at the contract before anybody else, basically, except for the lawyers. So some idea of what can be accomplished and collected, and again, just 45 days, just 12 domains.

So let's talk about the exploit opportunities here. They're basically endless. Identity theft comes to mind, extortion, social engineering. I can gather personal information that people may not be, you know, aware is out and available to others. Doxing. I can do account and credential theft, financial theft. I didn't claim any e-transfers. I don't know if that would work. I'm not interested in trying. Impersonation, you know, once I know enough about a target, I can pretend to be them. And finally, I'm in the army. I've personally seen people send things over a Gmail account; I've seen them send things over Hotmail accounts. Is there a national security threat here? Maybe.

So how common is it? I was curious to look around. I only registered 12 domains, but there's a lot of squatted variants of these things. So I looked at three examples. It's, you know, not anywhere near exhaustive, but as some examples, if you look at gmail.com and you start looking at typosquatted variants, you'll find that there's 155 adjacent domains registered and about 70 of them have active MX records on the domain. Outlook.com, similar stats. Yahoo, I guess it's been around longer, is highly targeted. That's a lot of potential for theft right there. And we don't know who's behind these domains, and I can tell you when I looked at them, many of them share the same IP address. So one has to wonder who's listening, who's receiving those emails.

One thing that's interesting about this, and this is an example of what you can do against a public email service, but what about against an enterprise? You know, what about against a company domain or an enterprise domain? Can we do the same type of attack? And part of what inspired me on this talk was one that I saw at the RSA conference, where they use this as a red teaming technique, and one of the researchers said, hey, you know what, for 12 bucks let's register the domain and just see what we get. And they got the keys to the kingdom by like day six of the engagement. They received a mistyped password reset for their most sensitive database. They were able to change the password and log in with admin rights to the thing that the company most wanted to protect. If you want to see the talk, I highly recommend it. I'll share the slides afterwards, I guess through NorthSec.
I can probably do that. This link will take you right to the interesting part of the talk.

Okay, so how can we defend against this? The first thing I want to talk about, I alluded to it earlier, is encryption. I wouldn't have really learned anything, or at least not anything meaningful, if these emails were encrypted. They were all in clear text and I could read them. There were no S/MIME certificates in use. I didn't detect a single encrypted email in what I gathered. Awareness training is a really big one. So I was digging for stats, because I started to ask myself, well, what about digital literacy? Do people understand that this is possible? For me it's shocking, but what about for other people? The most recent stats I could pull were from 2018, where they were looking at student digital literacy ratings. So in this case, 15-year-old students only. Canada-wide, I think, 38%; in Quebec, actually the lowest in the country, 30% of students reported being taught how to identify phishing or spam emails. You know, that's a pretty big problem. I think awareness training across the board, maybe in school all the way up into the enterprise, is really important. And then finally, DNS solutions, I think, solve a lot of these problems. So monitor your DNS; take a look at what requests are happening. There's DNS firewalls, DNS filtering out there. Passive DNS is another interesting tool to detect things like newly registered domain names. There's a lot of research out there that shows if a domain name is new enough, it's probably malicious with a high degree of confidence. So don't resolve new domains. There's a lot of tools for this: Farsight Security, DomainTools. There's a few vendors here today; Flare Systems was there, they have a really neat platform that looks at a lot of this kind of thing. And then finally, if you talk to Dr. Paul Vixie, the guy who wrote BIND and maintained BIND for many, many years, or the father of the DNS, they'll tell you to run your own DNS resolver. It's really easy to set up. I know it's really easy to go and say, hey, you know what, get your IP addresses for your domains from 8.8.8.8, or, you know what, Cloudflare, wherever you want to resolve your DNS, but take control back. It's actually quite easy. You can throw it up on a Raspberry Pi, play with it, and you can use things that are called DNS response policy zones. So if you detect domains that are targeting your enterprise domain, you can set up a response policy zone that says, hey, if somebody asks for gnail.com, well, send them to gmail.com, give them the result for that instead. You can set that up, and you can do it in response to the things that you're seeing on your network, maybe specific to your domain or the types of traffic that's happening on your network. So DNS, big one.

And then finally, some food for thought. You know, the questions this brought up for me, it was quite shocking. The first one was: is email an essential service or critical infrastructure? You know, for the importance that it has in our lives, is it considered critical infrastructure? And if so, who's responsible for protecting it? Does this fall on the public email service providers? Does it fall on us as individuals, or maybe the root certificate, root authorities, in the domain name system? The second question I had is, can I automate the analysis? You know, I started getting a little bit uncomfortable looking at some of this data and tried to remove myself from it as much as possible. So can we do this kind of research in a more automated way that generates meaningful threat intelligence but also respects privacy? And finally, can we use similar approaches, exploiting typosquatting, against other services? There's really interesting research done regarding NTP bit flips. Some of you may have seen that research. The researcher basically realized that every, I think it's every day, every 24 hours, a Windows machine checks in with time.microsoft.com, and he knew that bit flips were a thing and they're theorized, but he wanted to measure the rate that they happened at, and he registered time dot some bit-flipped version of microsoft.com, and he got millions of NTP requests to his server in a very short amount of time. And then finally, man-in-the-middle, excuse me, monster-in-the-middle, we'll make that a standard, or, you know, reverse proxying against web pages and popular web portals. You know, that could be another abuse that's interesting to look at. Thank you.
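As an added example (not code from the talk or the speaker), here is a defender-side script for two things the talk describes: the "how common is it" check (which typo variants of a domain you rely on currently answer with MX records, i.e. are ready to receive misdirected mail) and the response policy zone rewrite ("ask for gnail.com, get gmail.com") for your own resolver. The keyboard map and the MX table are constructed, and `lookup_mx` is an injected callable so the script runs offline; in production you would plug in a real resolver such as dnspython.

```python
"""Find live typosquats of a domain you care about and emit RPZ rules for them."""
from typing import Callable, Dict, Iterable, List

# Constructed QWERTY neighbour map: enough to show the technique, not exhaustive.
ADJACENT = {
    "a": "qwsz", "e": "wrds", "g": "fthb", "i": "ujko", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "s": "adwx", "u": "yhji",
}


def typo_variants(domain: str) -> List[str]:
    """Single-keystroke typos of the label left of the TLD (the talk's typosquatting class)."""
    label, _, tld = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # omission:      gmail -> gmal
        out.add(label[:i] + ch + label[i:])                 # doubled letter: gmail -> gmaail
        if i + 1 < len(label):                              # transposition: gmail -> gmial
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for near in ADJACENT.get(ch, ""):                   # adjacent key:  gmail -> gnail
            out.add(label[:i] + near + label[i + 1:])
    out.discard(label)
    return sorted(v + "." + tld for v in out if v)


def live_squats(domain: str, lookup_mx: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map each variant that has MX records to those MX hosts; these can receive mistyped mail."""
    live: Dict[str, List[str]] = {}
    for name in typo_variants(domain):
        mx = lookup_mx(name)
        if mx:
            live[name] = sorted(mx)
    return live


def rpz_records(live: Iterable[str], canonical: str, nxdomain: bool = False) -> str:
    """Emit BIND RPZ rule lines for the live squats.

    Default is the rewrite the talk describes: a local-data CNAME to the real domain.
    With nxdomain=True the special target "." makes the resolver answer NXDOMAIN, so a
    mail server behind it bounces the message instead of delivering it anywhere.
    """
    target = "." if nxdomain else canonical.rstrip(".") + "."
    return "\n".join(f"{name} IN CNAME {target}" for name in sorted(live))


# Constructed MX table standing in for live DNS answers (hypothetical hosts).
FAKE_MX = {
    "gnail.com": ["mx1.catchall.example"],
    "gmial.com": ["mx1.catchall.example"],
}


def fake_lookup_mx(name: str) -> List[str]:
    """Offline stand-in for an MX query; replace with a real resolver in production."""
    return FAKE_MX.get(name, [])


if __name__ == "__main__":
    found = live_squats("gmail.com", fake_lookup_mx)
    for name, hosts in found.items():
        print(f"{name}: MX -> {', '.join(hosts)}")
    print(rpz_records(found, "gmail.com"))
```

Run it periodically against your own enterprise domain and feed the output into your resolver's RPZ zone; the shared-MX pattern the talk mentions shows up directly in the hosts column.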