All right, I'd like to thank everyone who showed up for the talk. The talk is Con Kung-Fu: Defending Yourself at DEF CON. My name is Rob. A little bit about myself: I've been in the IT industry for about 14 years and in security for about 10. I'm just a technical guy like you, so I try to give back to the community a little bit. I've been coming to DEF CON for about six years now and I've enjoyed every minute of it. I hope you find this talk interesting.

Some of the things I want to get across to you today: some things that I learned, some things that I think you can take away from this and put to use right away, and some ways that wireless networks are commonly subverted, not necessarily here at DEF CON. Some have been used effectively in the past. There are some methods in place now to prevent that, but there are still a lot of shenanigans that happen here at DEF CON, as usual. The other thing is to give away some T-shirts. The good people at Jinx donated a few T-shirts today, and they're going to be setting up shop tomorrow. Please go by and pick up some of their stuff; they've got great stuff. We've got three trivia questions throughout the presentation. We'll just throw those out there, and the first one to answer correctly will get a T-shirt. You can pick them up tomorrow from Jinx.

All right, so last year I was attending this conference and I was just like you: I was sitting in one of those chairs, surfing Slashdot and doing my thing. I go into a Linux shell, do some more stuff, screw around a little bit, and I see my scroll bar, my Firefox scroll bar, going up and down, up and down, right? Going to pages, going to websites that I'm not going to refer to right now, if you know what I mean. I didn't like it too much, so I shut down right away. Firefox was definitely possessed, it was taken over, and subsequently I took a closer look at things.
Back at the office there was a master boot record virus, a Trojan that called out for command and control. Trying to load a live CD only let me load from certain parameters, not all. Also milw0rm.lzm was slipstreamed into my boot sequence. You can do that with the live modules, at least in BackTrack, and some other distros too: you can slipstream right in on the fly, right while the OS is running. This happened every time: the sequence would get an IP address, milw0rm would automatically update, and then a command and control channel would be established through a back channel.

So one of the things that I determined was the cause of this was DNS redirection from a wireless interception on the wireless I was using here at DEF CON. There are a lot of ways to do this, but the end result was that most of my logs were wiped and most of my system binaries were compromised; they weren't the same ones. Typical stuff, right? We've seen it a lot before, but it happened to me and it didn't feel so good.

So air hijacking can be accomplished in a few ways. By the way, I'm talking kind of fast because I've put an hour's worth of stuff into 20 minutes and we've got the trivia stuff, so I'm going to move along pretty quickly here; sorry if I'm talking real fast. Ettercap has been around for a long time, real tried and true, a real good tool. Wireshark, the dsniff package, dnsspoof, some other real good tools, the Aircrack-ng suite, of course, and then the Karmetasploit package, which is just awesome: AP impersonation with Metasploit's automatic exploiting features. And then Airpwn. We're going to talk a little bit about Airpwn because that's really, really sweet. Airpwn doesn't even require you to be associated with the AP; it can rip packets out of the air and inject or substitute them. I was going to do a live demo, but I don't have time for that, so we're going to diagram it a little bit here.
So we've got your typical wireless client and your wireless router here. The wireless client is connecting to the wireless router and he's going to say, all right, I need to go to a web page. The web request is going to go up to the router, and the router needs to find out what the DNS record is. So he goes to DNS, asks what the IP address is, they tell him, and he goes out to the website. What I'm trying to get across to you here is that there's a lot going on before the web request even goes out to the internet.

While this is happening, we have a wireless attacker sitting in the stream of traffic saying, hey, I know what your request is, I can give you whatever I want. He's listened to this and he knows exactly what's requested. The web request is going to go through a multitude of different routers, especially if you have Comcast like I do and you get about eight different routers in there. So he's getting a JavaScript or some other kind of malicious code ready to insert into this traffic stream, and when the inherent latency of the internet is around 31 milliseconds and the local LAN latency for this wireless attacker is going to be much lower, less than a millisecond, he's always going to beat you to the punch. There's no way you're going to beat him. If he knows what your request is, he's always going to be able to feed it to you before you can get it back from the internet.

So he throws in something before you get your web request back, and he can do things such as URL redirection, he can subvert your traffic session to his own laptop running his own website, or he can throw some malicious JavaScript into the page that you requested. So you see Facebook or you see Hotmail or whatever, and behind the scenes you're getting malicious JavaScript code executed on your system. Now, that's not even a root compromise on the box, but you can already impair the box.
So this makes our attacker very happy. He can do whatever he wants, and that's what happened to me.

All right, so we've got trivia. If anybody knows what that is, good. The first trivia question is, and raise your hand or shout out or something, I'll try to catch whoever says it first, but forgive me if I don't: in the 1983 movie WarGames, what computer did the character David Lightman use to access WOPR? You with the baseball cap and the gray shirt? Yep, stand up. No, all the way back. Yes, come on up. Good, it was an IMSAI 8080, a nice computer there. And that's actually a picture of the original one that was used.

All right, so what you should have done before coming here: left your laptop at home, right? But nobody's going to do that. What fun is that? So the other things you could have done: a broadband wireless card. Now, I'm not saying any of this is going to protect you from getting owned, because as we're all going to see this week, there's a lot of stuff; you can subvert any technology. Updates and patches before you come here. A laptop with no important data on it, not your work laptop, something that you don't care about, that you can throw in the garbage on your way to the airport. Or use a VM. VMs are really good; you can just nuke them and start up a new VM from a snapshot or something. Comprehensive hardening: there's some good stuff here, security templates from Windows, they'll get you started anyway. Bastille Linux by Jay Beale, a great tool that he made several years ago, a real good cocoon for your Linux system. And host intrusion prevention systems, there are lots out there, OSSEC and some other stuff. You can lock down your BIOS and your master boot record. Now, some BIOSes don't allow this and there are some third-party tools to do it, but check out your BIOS settings; there's some good stuff in the new ones.
Configuration changes: you want to block all inbound connections. So use your host firewall on your Windows workstation, or your hosts.deny file with ALL, to block all incoming. Close all services you're not using. Obviously change your password; if you haven't done that, you shouldn't be bringing a laptop anywhere. Use your anti-virus and automatically update signatures before you come here. Use Conky; check out Conky, it's a great tool if you haven't used it in Linux before, to check what connections are inbound and outbound and any other processes running, depending on how you set it up. Hard-set your DNS servers.

Protect your logs, that's real important; there are some good tools out there to do that. One of the things that's easy to do is you can just tail your logs while you're working, just put them in the foreground: your auth log and syslog. Windows is a little bit harder to do that with; you have to have a stupid GUI open all the time. Run auditd, a great tool, really neat. All your logs should be owned and readable by root only. Check that; that's usually the default, but sometimes it gets switched. Logcheck, another good tool for keeping an eye on your logs, and swatch.

SSH proxying: this is probably the best bang for your buck you can do when you're at a coffee house or a DEF CON convention or anything else. You can set up a tunnel and tunnel Firefox over that tunnel. Now, there are some considerations here. You have to have an SSH proxy established before you get here, with loanstar.org or freeshell or something that gives you 443 forwarding. And you have to know that SSH key before you get here, because if you do it while you're here, you're not going to get the right key. You're going to get somebody else's key. You're going to be going to Romania.

All right, Firefox hardening: NoScript, awesome tool. Great tool for this, blocks JavaScript, it's always updated, really good. Use a known good proxy, oh, and the DNS setting in about:config in Firefox.
Turn that to true, because that will allow your proxy to resolve DNS instead of the local LAN. If the local LAN's resolving a URL, you've got a problem. If you're going to use IE8, there are some mild improvements. Don't use IE8.

Run Snort, okay, a great, awesome tool. I think everybody here knows that. It's a little bit cumbersome to initially set up, but there are some great signatures. You've got some great wireless shenanigans going on, and it gets you a little bit to a lot of stuff. Kismet will alert you on deauthentication and disassociation floods and attacks, and it's a really good Linux tool that's built into most everything. Run AirSnare for Windows, a tool I've been using for about two months now; a nice little GUI thing that shows you a lot of stuff on the network, blah, blah, blah.

Do not check email. Do not go to LinkedIn or Facebook, all right? If you want proof, go over to the Wall of Sheep, because you'll see it all up there, starting tomorrow; I don't know if it's up there already. One thing to know is, even if you go over SSL, a lot of the stuff is going to be unencrypted after the login page. Like you go to Hotmail, you go back to an HTTP page. Now, your messages are still going to be encrypted, but there's a lot of stuff, ads and so on, that isn't encrypted. So you can just slipstream something right in there, and you won't even get a warning.

Port scan detection: Fyodor's Nmap Network Scanning book, an awesome resource. The more you know about scanning, the more you know how to detect it and prevent it; pages 238 and 283, and this will all be in the slides. I'll be updating them too; they'll be updated on the website. scanlogd and PortSentry, two really great tools for Linux workstations, will automatically block some attacks, which could leave you susceptible to a DoS against yourself, but you can whitelist some sites that you never want to get blocked. So these are really cool tools, really easy to get up and running quick. ZoneAlarm for Windows, tried and true.
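As an added example that is not part of Rob's talk, the following POSIX shell script puts the SSH proxying advice into practice: it refuses to open the SOCKS tunnel unless the proxy host's key was already pinned in known_hosts before you left home, and it writes a Firefox user.js that sends both the traffic and the DNS lookups through the tunnel (network.proxy.socks_remote_dns is the about:config preference the talk is pointing at). The host name shell.example.org, the port numbers and the known_hosts path are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the talk. Opens an SSH SOCKS tunnel only if the proxy
# host's key was already pinned in known_hosts before the con, then writes the
# Firefox prefs that push both traffic and DNS lookups through that tunnel.
# PROXY_HOST, PROXY_PORT, SOCKS_PORT and KNOWN_HOSTS are assumptions; set them.

PROXY_HOST="${PROXY_HOST:-shell.example.org}"    # placeholder shell provider
PROXY_PORT="${PROXY_PORT:-443}"                   # 443 so hotel/con filters pass it
SOCKS_PORT="${SOCKS_PORT:-1080}"                  # local SOCKS5 listener for Firefox
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"

# key_is_pinned HOST PORT FILE: succeed only if FILE already holds a key for
# HOST on PORT. OpenSSH writes non-22 ports as "[host]:port" and port 22 as a
# bare host name. Hashed entries (HashKnownHosts yes) are not searched here.
key_is_pinned() {
    host="$1"; port="$2"; file="$3"
    [ -r "$file" ] || return 1
    if [ "$port" = "22" ]; then
        pattern="^$host[ ,]"
    else
        pattern="^\[$host\]:$port[ ,]"
    fi
    grep -Eq "$pattern" "$file"
}

# write_firefox_prefs PATH: Firefox user.js that uses the local SOCKS5 proxy and
# sets network.proxy.socks_remote_dns so the LAN never sees a DNS query.
write_firefox_prefs() {
    cat > "$1" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $SOCKS_PORT);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# open_tunnel: refuse to connect without a pinned key; StrictHostKeyChecking=yes
# then makes ssh abort, rather than prompt, if the key offered ever differs.
open_tunnel() {
    if ! key_is_pinned "$PROXY_HOST" "$PROXY_PORT" "$KNOWN_HOSTS"; then
        echo "refusing: no pinned key for $PROXY_HOST:$PROXY_PORT in $KNOWN_HOSTS" >&2
        return 1
    fi
    ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -N -D "127.0.0.1:$SOCKS_PORT" -p "$PROXY_PORT" "$PROXY_HOST"
}

# Usage: ./contunnel.sh run PROFILE_DIR   (writes user.js there, then tunnels)
if [ "${1:-}" = "run" ]; then
    write_firefox_prefs "$2/user.js"
    open_tunnel
fi
```

The point of the pinning check is the one the talk makes: the only key you can trust is the one you recorded at home, so the script never lets ssh learn a key on the con network. Drop user.js into the Firefox profile directory before starting the browser; the remote DNS preference is what keeps a poisoned local resolver out of the picture.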
And psad, an oldie but a goodie; it still works, check it out.

Okay, trivia. The trivia question is: what was depicted on the DEF CON 8 human badges? Let me give you a clue: the year was 2000 and it was just after The Matrix. Nothing, huh? All right, well, okay, go ahead. No, no, that's good, yes, out there. The answer is the red pill. But there's a backup question: who's the dopest DJ in the galaxy? Right behind the marker. Yep, you got it, DJ Jackalope. Come on up; she'll be spinning some tracks this weekend.

All right, so you want to check, you want to make sure, and you're not sure if you got owned; you want verification. So check your logs; we talked about tailing your logs. If you still got them, check them. High network utilization, funky processes, and yes, Goatse. Airpwn was introduced at DEF CON 12, here at DEF CON, and the originators ran it here and replaced all the images coming through people's web pages and browsers with Goatse. So they went to all their favorite web pages and saw Goatse. There was a lot of puking that day. Check your MD5 hashes: if you have some known good binaries, you can MD5 them and make sure they're the same ones you put on there originally. Forensic utilities on BackTrack and SystemRescueCd and so forth, good ones to have. Connection monitors: CurrPorts for Windows is really good; it allows you to disconnect a connection that you don't like. So I like that one if you run Windows. Mario Etsy Services and EtsyNet.com.

So strike back: it's the most hostile network in the world. Be part of it, jump in there. These are things that I don't recommend you doing, for a variety of reasons, but I'm going to mention a couple here. Do not DoS the wireless network, or these guys will come and get you. No matter how much you accomplish in life, you will never be as awesome as this: ninjas with guitars.
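The "MD5 your known good binaries" check, as an added example that is not from the talk: a small POSIX shell script that builds a hash manifest of a directory tree before the con and verifies it afterwards, naming every file that changed or disappeared. It uses md5sum because that is what the talk suggests; the HASH_TOOL variable, the script name and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk. Builds a hash manifest of your own known-good
# binaries before the con and verifies it afterwards, listing anything changed.
# Uses md5sum as the talk does; set HASH_TOOL=sha256sum for a stronger digest.
# Keep the manifest somewhere the laptop cannot write to (USB stick, e-mail to
# yourself), otherwise whoever owns the box can rewrite it along with the files.
HASH_TOOL="${HASH_TOOL:-md5sum}"

# build_manifest OUT DIR...: hash every regular file under DIRs into OUT.
# Sorted by path so two manifests of the same tree are byte-identical.
build_manifest() {
    out="$1"; shift
    find "$@" -type f -exec "$HASH_TOOL" {} + | sort -k2 > "$out"
}

# verify_manifest MANIFEST: 0 if every file still matches, 1 if anything
# changed or went missing. Output is discarded; use changed_files for names.
verify_manifest() {
    "$HASH_TOOL" -c "$1" >/dev/null 2>&1
}

# changed_files MANIFEST: print one path per line for files whose hash differs
# or that no longer exist ("FAILED open or read").
changed_files() {
    "$HASH_TOOL" -c "$1" 2>/dev/null | grep ': FAILED' | sed 's/: FAILED.*$//'
}

# Usage:  ./binhash.sh build known-good.md5 /bin /sbin /usr/bin   (before)
#         ./binhash.sh check known-good.md5                        (after)
case "${1:-}" in
    build) shift; build_manifest "$@" ;;
    check) if verify_manifest "$2"; then echo "all files match"; else
               echo "CHANGED OR MISSING:"; changed_files "$2"; exit 1; fi ;;
esac
```

Run the build step from a clean install and carry the manifest off the machine; after the con, the check step run from a live CD (so the compromised system's own md5sum and find are not the ones doing the checking) tells you which binaries are no longer the ones you put there.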
Do not screw with the APs or the general DNS, or this guy will come and get you. Now, this was as painful for me to put in this PowerPoint slide as it was for you to see. So don't let this guy come and get you.

You want to have tools ready to terminate access as soon as you see it and you think it's suspicious. Winden T and Ice Pick, some older tools but still useful. Again, use the Nmap Network Scanning book. scanlogd and PortSentry again: these will block offenses and block the ports until you open them up again.

We've got another trivia question. Since we're in Vegas, this might be a tough one: since we're in Vegas, what casino was used for the Vegas scene in the movie Swingers? No. There are two answers. Go ahead, Weichert. No, not the Flamingo. Was it? No, not Caesars Palace. Was it? Stardust, good one. Yes, this guy right here, Stardust. So it's not demolished, but they used it for the outside scene when they're walking by. Come on up.

All right. Conclusion. Am I doing all right for time? Anybody know? All right, cool. That's a fascinating thought. So have a blast here. This is the most fun I have all year. You guys are going to enjoy the heck out of it if you haven't been here before, and you're going to enjoy it again if you have been. But one consideration: if you have the inclination, put the laptop down for a while and try to meet some people. Because when you come back to a conference and you see old friends that you may have made before, it's even better than if you just sat at your laptop the whole time. So even if you can only talk about laptops, talk to somebody. If you go on the network, monitor everything you can, keep your pulse on everything that's going on, and assume that you're going to get owned. Assume that something's going to happen, and no matter what you think happened, nuke your laptop when you get home. Just totally wipe it, rebuild the master boot record, and consider it a trash laptop in all regards.
A couple of support shout-outs I'd like to throw out there. The EFF Summit is tonight; please go up there, they're defending our rights against government intrusion and corporate entities, so please go up there and support them. Hackers for Charity: Johnny Long's doing great stuff down in Africa, and BigFix is donating dollar for dollar right now, I think. So go and support that, but please, if you're going to donate, don't do it from here. Okay. Thanks very much. Any questions?

Yeah, go ahead in the back. So the question was, in what mode was I running when I was running my Linux distro? I was running as a normal user, I wasn't running as root, but a lot of that stuff is not going to matter once you get a web session owned. There are going to be a lot of privilege escalation attacks that can happen after the fact. Yeah, I thought we were going to get a CD like we have in the past, but I guess... did you get a CD? Oh, you did. Okay. So it should be on there. I've updated these some. So on the website, they're going to post all the updated slides; anything that's changed will be up on the website after the con. Oh, it's not on the CD. Look later. Okay, so it will be up on the website. Did somebody else? Okay, that's it. Thanks very much for attending. You guys have been awesome.