Welcome to the annual DEF CON convention. This meeting was held at exciting Las Vegas, Nevada from July 9th through the 11th, 1999. This is video tape number 41. No applause. Hands up who was drinking late last night? Don't applaud. Hands up who was drinking late last night? Who was drinking come sunup? Sorry, the perils of appearing on a Hacker Jeopardy team, even a losing one. So, in case you're wondering why we're in the sunspecs, it's not really because I want to look cool. It's more because, well, it's a bit bright in here. That's the right way of putting it. Well, and also welcome to this talk, which I have come to term the cursed talk recently. And it's struck again, this time with the projection system. Hands up who can see what's on the screen on the palmtop on the desk in front here? Thank you. What palmtop is the best answer I can come up with at this point? It's a Toshiba Libretto. It doesn't seem to be willing to project. It doesn't even do it under Windows, let alone Linux, which the presentation is under. So, I'm going to probably have to deliver this without doing the projection. I suspected this might be the case. What was that again? Ask around. Pass it around. Would I get it back afterwards? Don't worry about it. I'll make sure a full copy of the overheads is available. I'll give you a web address where I'll post them in the coming week, so you can download a copy of the overheads. So, I'll do it verbally and you can download them then. Is that okay, everyone? Okay, we'll move on with that. Actually, I should be able to give you a better set than what I've got here, because this is an interesting story. I found out I was speaking at DEF CON after I came to the United States on vacation. That's why I've only got my palmtop with me. I just brought it along for web access. All I had on it was Windows 95 and Linux. The only presentation program I had was StarOffice under Linux.
That's what the presentation here is in, but the main presentation, which I submitted, was actually in PowerPoint, and it was left back in Britain. I'm saying this is a cursed talk because when I wrote this up on the laptop, when I wrote it up on the laptop for you all, I did it in Vegas and the heavens opened. It rained here. I think I might be to blame for it. In Britain, when I did the original one in PowerPoint, I did it a couple of days earlier, and after that I was in a road smash and had to be cut out of the vehicle, about three weeks ago. I'm here with cracked ribs, but still operational. I'm viewing this as a minor setback, not being able to display this on the other projection, and just thanking the lucky stars the ceiling hasn't fallen in. Yeah, definitely. It's the best way on this. So what's the talk about? Well, literally the talk is about simple methods which can be used to damage a company's website, or damage a company's web presence or internet presence, without necessarily hacking the site itself. There's all sorts of techniques, and as I've been asked to do this for the newbie channel, I've picked some of the simpler ones to outline later on which can be done, with a particularly strong emphasis on the defence against them. If you've not read the sheet, I'm a lecturer in computer networking and also in computer security and information security. So it's aimed more towards protection than attack, but naturally, to defend you've got to know how the attack occurs. So I'm going to be describing that to you. Basic terms, and if you're expecting some radical new hacking exploits, you're in the wrong talk. But it's an alternative way of thinking about things which many people in security tend not to look at. And hopefully I'll open a few eyes out there to what security should be, rather than what quite a few of the vendors are selling. Right. Do you mind if I look at the palmtop rather than point it out at the crowd?
I mean, who can actually see the actual screen display? Hands up. So in other words, about five yards is all that. Do you mind if I look at it so I can see what the sections are? Thanks. The problem with the Libretto, if anyone ever gets one, the Toshiba Libretto, is that the screen resolution is 640 by 480, which, believe it or not, a lot of projection screens will not display. In addition, the fact is it's a very, very high frequency on production. And that's what it seems a lot of the presentation devices won't do. It is turned on in the BIOS, if anyone's asking, to actually project out on the other projector. So that's the reason why it's not displaying. And unless someone here wants to come up and reconfigure X Windows, so I can't see it, but knock down the screen display to actually get it up on the thing. They're welcome to have a go if they can do it in two minutes flat. Anyone here can do that? It won't work. The reason is because the resolution is set; I'd have to set it for the screen display as well as the driver. You'd have to knock down the hertz rate of the system with the standard VGA function. You'd have to knock down the speed and resolution and lose the screen display, but knock it down to something which that can handle to put out on the screen. So that won't work, I'm afraid. Tried it. Okay, right. Let's get underway. Extra-border hacking: why defences are required beyond your site's boundary. I'm the only one who can see this overhead while I'm clicking through it. Well, first of all, everyone here should be aware of the conventional model of connecting to the Internet for a small to medium-sized company. You have a site. You're connected to the Internet via one single link. Your logical model of Internet connectivity: you to the Internet, Internet to you. Now, I assume most people here would not connect a company via any leased-line technology without putting in a firewall. I think it's a given thing that everyone here would actually connect through a firewall. Anyone who wouldn't?
You wouldn't connect through a firewall? Why is that? Ah, okay. You'd put some kind of method between you and the actual Internet at large, wouldn't you? Or more importantly, between your company and the attendees of DEF CON, I would imagine. It's realistic, isn't it? And so you'd actually have that in between you and the Internet. There's a great deal of computer security vendors out there who are selling firewalls as the be-all and end-all of security. I hope people, by listening to some of the talks at DEF CON, have started to realise, if they had that conception beforehand, that that's not necessarily the case. Firewalls are good. Firewalls will help you. They won't do everything. You have been attending the other talks, haven't you? A trust, yes? Right, okay. I'm just asking at this point here, you know, in previous times when I've been to DEF CON, and I've turned up before, a lot of people have just gone on drinking sprees up to Sunday, then turned up because the bags have been kicked out of the hotel, and therefore hang around the presentations for a while before going back. Have you ever noticed that this morning? No? Or the luggage in the corridor? The thing is, firewalls enforce a kind of fortress model. The traditional Orange Book-based approach to computer security. For those who didn't know, the Orange Book is the security standard for actually securing sites; it's based on hardening sites against attack. You form a fortress and defend against it. The old traditional model of computer security. There's also another model, time-based, pioneered by [unclear] and talked about a lot by Winn Schwartau. If you haven't been hit by one of these books, they've been thrown into the audience on the subject. If you were there last night, you probably were hit by one. But literally, both of these are based on a kind of fortress model. It's interesting that computer security is often analogous to real life and old things which happened in history.
So really, a firewall is nothing more than a castle. It helps protect your site. And what people forget is that castles have problems. There's a whole series of things in history where castles have actually been detrimental to the defenders. Has anyone heard of a certain battle which occurred with Julius Caesar in France, famous for what's called the tactical doughnut? Any military people here? Alesia. Alesia, that's the one. Yes, I was leading on to that one. So you're a Fed? Thank you. Quiet. Interesting. So I won't note it down for later. You walked into that one. The key thing to note is it's taught at all the military colleges. It's worth noting the fact it's very famous for the tactical doughnut. The inner defenders were trying to get out to attack Julius Caesar while the outer ones were trying to get in to attack him on the outside. So it's a very unusual battle scenario. But the inner defenders just could not get their troops out; like gates, in sufficient numbers they could only attack one small part. And that was in part what led to his victory. There's a whole series of cases where fortresses have been negative. The job of a fortress is to buy time against an attacker. It's to deter an attacker and also to make the defenders feel safe. Whether they are or not, there's a placebo effect. I'm sure there's many computer consultants in the audience here today, and I bet many of them have sold firewalls, perhaps knowingly, where the firewall isn't perhaps the best product, or in some cases where the customer didn't actually need a firewall. And, how should I put it this way, the fact is that they sold them to them because the customer felt they needed one to make them feel safer. It's a visible symbol of authority and security, and it's a demarcation line. And it does force anyone attacking to invest more effort in trying to break in. Great fear if you're a divisive as a problem.
Historically, and you should look at history because we always repeat history's mistakes in the current day, very few fortresses were ever stormed by force. Look at your military history. It's littered with cases of attacks on fortresses. In most of these, the fortress was not stormed by force, or if it was, only at the final end stage. And that end stage was the end of a siege. Most fell due to being starved into submission. The defenders would surrender. And there's various methods of forcing this to be done. In particular, cutting off key services that defenders rely upon. It's very unlikely anyone can build a fortress which doesn't need some external services. Think about a company's internet link. Does that need any external services? Chopper? And I'd argue you'd have to have some advice. Why on earth did you connect to the internet in the first place? So literally, you've got that flaw. And there's been a whole series of these throughout history. And to move into modern history and give a military example: the fall of Singapore in World War II, where the Japanese effectively cut off the water supply and therefore forced the British forces to surrender. You can go through hundreds of cases where the fact is this has happened. You cut off something essential, something people didn't think about, and it forces you to capitulate. And this is worrying, because many sites connected by internet links but protected by firewalls have key services which are important to them running on the outside of the firewall, or elsewhere on the internet where they may be vulnerable. I'm sure we've all perhaps seen the situation where you have web servers outside firewalls on the internet, when perhaps you would really want to protect the actual web server more than the people running Windows 95 at the desktop. But that's where the firewall ends up going in. So let's look at the attacks. Let's see what we can go on. And the first one is your internet service provider.
Everything you do goes via them. Simple really. Everyone here knows that from their access at home, if not from their companies. Who trusts their internet service provider? Hands up. Put your hand down if you are your internet service provider. Right. Okay. So in other words, none of you seem to trust them. Why? Unknown quantity. They're a company out there. They see all your traffic. They know what you do on the internet. They know what sites you visit. And so does anyone who breaks into their systems as well. If someone breaks into their service provider, they can alter stuff which normally would be viewed as being secure. And internet service providers often, I use that as a vague word there, often aren't the most secure systems out there. Okay, some are. Some are very, very secure indeed. But others aren't. They all tend to have vulnerabilities. They're often concerned with getting the product out. But you'd hope that they'd be more technically oriented than the people, for example, at Joe Bloggs and Co's crisps factory. But you'd be surprised sometimes at the vulnerabilities which stick out there. I've gone to quite a few web hosting companies and just found straight-out-of-the-box installs of Red Hat Linux 4.1 with no bug patches out there, running several hundred websites off the thing. I'm sure you probably all know of similar cases, or Windows NT straight installations with no bug patches being placed on them. So in other words, they have vulnerabilities, and just ask Dark Tangent about defcon.org and via this hosting company, if you want to. Has anyone here seen the defcon.org website? Anyone see it on Friday? Yeah? Who saw it on Friday? Most people here haven't. Didn't see it. They were already here. So they didn't have any internet access, right? Well, in case anyone wants to know, the defcon.org site got altered, didn't it? Yeah. So I mean it happens to them via their hosting company. Again, it was held by an external hosting company.
Someone broke into the next-door hosting company's computers and altered things. And this is worrying, particularly if people do a variety of attacks. Now, assuming you've got your web server at your site, so we'll assume a medium-sized company. Leased-line connectivity. Website running on their site rather than an external host. And they're connected via an internet service provider. Right? Well, if you break into an internet service provider, what damage can be done? Well, they can do the following. First of all, sniffing. I'm sure you all know what sniffing is. Am I right? No, not that. I don't think I'm good if I'm right. Okay. Right, okay. Did you win any of the tickets to Palomino? No, obviously not, right, okay. Well, sniffing, in case anyone didn't know the computing term, is monitoring and recording your traffic. Anyone at the internet service provider could do it. There's tons of programs out there to do this. I won't go through them all, or any of them in fact. But the key thing is they can just record your traffic, see what's going past on the wire and record it down. If you're logging into machines unencrypted, which some of those people tend to do unfortunately, you're about to actually give away the ID and password. But one of the most serious things is actually just seeing what sites your company visits. Particularly for blackmail purposes for certain staff, but in addition for industrial espionage. Because your email goes out, and I'm going to put money on here that most people in this room do not use encrypted email when talking to commercial clients. Very few companies, when emailing other commercial clients, tend to encrypt their email. So if someone breaks into an internet service provider, they could spy on the actual email traffic, record it going out to the company, find out who your company's clients are or providers, how much you're perhaps charging them, and maybe undercut you or be able to work out your financial position.
It happens, particularly from France, allegedly. The key thing to note is that's one thing. The other thing is DNS analysis. The DNS system of an internet service provider could be monitored to see which sites you visit and so on. It would be nice if your rivals were able to post that X-Corp makes perhaps 25% of its accesses to porn sites and pass it off to a newspaper. I'm sure that would go down well with your managing director. The CEO. Oh, yes, and this is what this next slide is. And you can see this. You're sat in the front, very handy for this. Yes, it can be changed. I'm sure you've probably seen some of the other talks on poisoning DNS caches, but what about hitting the primary and secondary DNS servers? Most mid-sized companies tend not to bother hosting their own DNS servers on site, even if they've got a web server. They get their internet service provider to host it for them. This means that any DNS look-ups or questions about their domain get answered by their internet service provider to whoever asked, and then they talk via the internet service provider to the company. So if you're on AOL, any AOL users here? No one wants to admit being on AOL, hmm, strange. So obviously not many security professionals in the audience. They don't tend to have compromised an AOL account, so I've noticed. They do. It's true. It's just they don't. Go on, let me ask the question again. Honestly, who has an AOL account? Or a compromised one? None. Right, okay then. I don't believe it. Some of you will. Okay, who had an AOL account and dropped it? Thank you. We've got some people to answer. Now the thing about it is that these internet service providers, they go via them. They get their DNS information off your ISP's server hosting the website. They get that, then use the IP number to talk through to the site. TCP/IP basics talk. I'm not going to go into it anymore.
But what happens if someone breaks into that service provider and changes that DNS information? They can redirect where the website's going to. So instead of going to your company's website, people can be redirected to another one. So people going to yourcompany.com suddenly go to www.insertyourfavouritesiteofchoice.com. Okay, redirect all the emails as well. Yeah, particularly to the rivals or something completely inappropriate. That's right. And in addition, of course, there's another nasty attack where you hack someone else's DNS, which is a completely different site, and redirect their email to your target. And that means that they get all the spurious emails which they wouldn't normally expect. Could be embarrassing for certain kinds of sites. Again, to clog it up. There's all sorts of tricks which can be done with this DNS redirection. It's not... No, it's a hacking attack. It's not that tricky to pull off. Okay, let's leave DNS for the time being. I'm going to get through a few more services, in particular denial of service attacks, which you've all heard of, I'm sure. Particularly the old-fashioned hosing attack. And this actually operates... Hang on. Does anyone... No, not hosing this. This was just sending people so much traffic that their pipe can't handle it. My pipe's bigger than yours, so I can transmit more data than you can handle, so you cannot access the internet. So I've got a T1. You've got a 56K modem. I broadcast at 256 kilobits a second to you. You're not going to be able to do any web browsing or anything on the internet whilst I'm transmitting. That's what hosing is. And again, that's an interesting one, because firewalls at sites often make hosing attacks more possible. They slow down connections. Anyone here who's worked in a company who's got a firewall connected via an ISDN line or a full speed connection, then suddenly upgraded the speed of the link and tried to use the same firewall on the higher speed link?
And suddenly found you've got no improvement in actual connection speed? Anyone who's had that situation? Ah, a few professionals out there. Because of that, the firewall wasn't able to handle the extra traffic. It was a limitation on traffic. And this is very annoying, because a lot of systems have this, and a lot of military fortresses in the past have had this. And as a famous case, everyone's heard of Horatius at the bridge, from military history, from Roman history. Yeah. Where one person essentially stood at the bridge. Everyone had to cross one at a time. The attacking army... he was able to face the entire army one on one. And essentially saved the city by defeating the army. He died himself, I believe, but was able to defeat the attack. So, this is the sort of thing again which applies. And firewalls do constrict your access speed. So, it makes you more vulnerable to these sorts of attacks. And we all know that denial of service attacks don't need much knowledge to carry out. Any script person can actually get stuff off certain sites on the internet. These are the more technical external attacks. But there's some incredibly insidious, very basic levels of attacks which can be carried out by people with no technical knowledge whatsoever. And I mean, including here in technical knowledge, being able to visit a certain website, get a script and press go and type in an IP number. There are some even more basic level skills that can be used to attack this. And this is based around actual information, and poisoning information out on the internet about companies. I assume there's a good number of people, looking at this crowd, from the age group which is here. Most younger people probably aren't up yet, I assume. A good number of you work for companies. How many of your companies have a policy of monitoring what is said about your company on the internet? Hands up. That's most not, but a good number are, good.
Because most companies tend not to check what's been said about them on the internet. And that is dangerous. Information is power. Poisoned information about a company can be damaging. Say the fact that you are going to post a loss in the coming quarter gets out to the people trading your stock on NASDAQ. What's going to happen? Yeah, we all know what's happened. We've seen some cases of some people trying to talk up stock as well recently using false information. And the problem is people accept what they are told across the internet without really checking the sources. And the problem is people can do these attacks, particularly on things like newsgroups. Now, most people here have probably accessed newsgroups at one time: alt.sex.whatever or other topics. I know you have. There's always one in the audience; you can always get one. The thing is, they always have people access these kinds of sites, and ones like comp.os.linux and so on like that. And hopefully comp.os.libretto and stuff like that. I was trying to get it to look at these other projection systems and say, well, I'm going to have to visit that one. The thing is, fake press releases could easily be published on a newsgroup in the hope of causing you problems. And it can be done virtually anonymously. Forget what people say about how you can always track people across cyberspace and so on. Any person can go and get an AOL account, one of these trial accounts. You find them, well, who hasn't got one coming through the door? Just go and get a magazine, pick one up. Enter in some kind of financial information for the registration. Connect on via a hotel room registered in someone else's name, paid for in cash. And you can post anonymously. Any other ISPs so inspired are probably similar. CompuServe, and you name which one you want to do. I'm just picking on AOL because I have an AOL account. I know, I got it when I came to America in the hope of getting internet access.
Yeah, there is actually my name on it. Why don't you have a look? Ah, all right. It's not actually my name but it's close to it. So I'm not really slagging off AOL, don't worry about that. It did work. I've been able to get internet access. The key thing to know is the fact that these companies which distribute things widely do make this vulnerable. It is possible to do it, and if people publish via things like Deja News in addition, it helps muddy the waters. They can almost certainly get away with such a posting. So it's not exactly news, not exactly difficult. Defences: if you're going to defend yourself, you have to check newsgroups for comments out there about yourself. Use a search engine for newsgroups such as Deja News; search for your company's name, see what's there. And publish quick counter-statements if any occur about your company. You're going to have to be on the ball on this. It's worth noting that many companies use search companies to search for news articles on themselves. Press clipping agencies, which tend to return once a week. And a number of these actually do this on the internet as well. And it might be worth paying for such a company to actually search for your press clippings and information, to see if anyone's doing this about yourself. And it can affect small companies as well as large ones. Imagine if you're a small burger joint and someone posted news to a local newsgroup that you had a food poisoning outbreak; it gets into the local press: problem. People could also email poisoned information pretending to come from you. There's plenty of guides out there on how to hide your email and disguise where it's coming from. Use the trick I told you earlier, and it just starts to connect on using port 25 and enter in the information. There's tons of script information out there. And they just send it there and it appears to come from you. Okay. If you did a check you'd find out it wouldn't have come from the person.
Who thinks newspapers are able, or take the effort, to check up on all the releases sent to them, to check the header information to confirm everything's correct? Okay, major ones do it. What about the local newspaper? You know, you've got to watch out for that. That can happen. Particularly also to clients as well. I mean, people do it all the time, like cancelling hotel rooms of some speakers coming to DEF CON. It does actually happen. So what happens at this point? Well, how do you defend it? Well, you should use digital signatures on emails. Who does that with their email? Go on. A good number of people here do that. Digital signatures just really take the contents of the email and produce a hash function out of it, so you can tell the email message is actually from who it says it came from and the contents haven't been altered. You can do that with your emails and do that on the newsgroups, but it's not perfect, because how many people here think everyone who you send digital signatures to bothers checking their authenticity? How many people here have had a download off the internet of some popular application, shareware application, and it's had a file of digital signatures generated with PGP, and you've checked the digital signatures to check your binary was not altered? Who's actually done that? About 20% of this audience. Who reckons that the general population at large bothers? Not likely. Most don't do it. So there's no really easy answer to actually defend some emails. Okay, that one there. Good grief, moved ahead. So let's have a look at some other little simple ones, and the most obvious one of all is the domain name registration trick. I assume everyone's registered a domain name. In fact, I think most people in this audience probably have tons of them, or registered those investment opportunities. Some companies did leave themselves open, and quite recently a couple of major companies never bothered to register their domain names and they got taken over.
You've probably heard of that, and it was quite a bit in the press. I won't mention their names and won't embarrass them, but I'm sure you'll find plenty about it. But there's various things you can do. You need to make sure of these domain names, make sure you get them. Also make sure you get the .NET and .ORG as well as the .COM. Don't leave yourself open as some conferences on hacking have done in the past. Particularly one which was called Beyond Hope, which very nearly had BeyondHope.com registered when they were using Hope.NET as their domain name system. Because people have a tendency to go just typing names to try and find out sites, make sure your domain name matches, and also get logical alternatives to your site to protect your name. This is important: make sure if you've got an O in your name, you register the digit zero, the zero in place of the O in your name. Microsoft, for example, with a zero instead of an O. Because people will use that, and they might be able to convince people that their site is a genuine one. Ones instead of I's: simple users, and for example AOL users, have discovered you can't tell the difference between O and zero, and one and I, in the actual software. People can also do other versions of your domain name. Make sure that you get them. Just like quite a few of the T-shirts which have been wandering around at DEF CON. Make sure to do that if you wish to protect yourself. Just because the InterNIC is no longer enforcing their own regulation. Correct. But there's all sorts of ways of even getting round that point. Say for example you have Federal Universal Credit Cards; I mean they won't allow the domain name, but you know you could actually do that, and you get your initials, just the K C at the end becomes a K, and I'll leave it up to you to work that one out. There's ways of doing that. You could legitimately form a quick corporation very quickly with that and then potentially have a reason to have that domain name.
And trademarks are a major issue, because they're not international, they're national, and dot-coms are international sections, so we'll set muddy waters on that in that area. But you're correct. There's no enforcement at the top level; people aren't able to do this. And some countries have enforced such stringent regulation on their bodies, particularly in other countries. The .LTD.UK in the United Kingdom is an example of that, which is only available to registered limited companies under their registered limited company name. The .CO.UK is open, but for .LTD.UK you must be a registered company to get that particular name. So people can easily construct a site with a similar domain name, and they could even design it to look like your site. I'm going to use AOL here. Anyone heard of aolbilling.com, which knocked around until it was wiped out recently? So a site for AOL users, where people are emailing AOL users and saying, oh, we've lost your billing information, please go to www.aolbilling.com and type in your ID, password, your credit card information, your mother's maiden name and your national insurance number so we can actually ensure that you get a faster service. These things happen, you know; I receive such emails going to that. It doesn't exist anymore. The key thing is this: people could create sites and maybe even convince people it's the legitimate site. It could be an accurate copy for a while before it got changed, yes. It could be an accurate copy before it even got changed. And this could be combined with newsgroup postings, and people could think the site is genuine, then you could change it, and you can do this for zilch. There's literally internet hosting companies out there who are willing to just take company orders from people: one month free web hosting. They go to that particular company, say hello company, one month free web hosting please, I am target company name please. Here's the information, you'll bill me in one month if I like your service.
Please register this domain name, here's the information, and all the difference is the email address where the registration document goes to. They go and register it like that. It appears to be the site; it looks, if anyone does a whois search on the internet, like there is a legitimate site. They publish sites, put something up which looks genuine. They could just change it before the month's up to actually get the site appearing to change things, and that could have an effect, and the press could easily fall for such a thing. It's a way of hacking without actually hacking the site, and you could get the publicity. So that's it there. So what do you do? Make sure all related domain names you control. If you have a domain name, use it. Don't use web space offered by a provider without your domain name; this is free web space with a long address, because if people are accessing using such a long address, if someone creates an account and, say, just one number different, it would be very difficult to tell the difference. And if you find out about such a site, get it deregistered. Do what AOL did, which, well, I assume they did because since they vanished, go and actually get the thing removed. They will do it in these cases quite quickly and quite easily. Just keep an eye on what's going on out there, so if you suddenly get new domain names appearing under your name, go and search them out and get them removed. So that's one thing we can do. There's other ones as well: search engines, oh, they're lovely. Who uses web search engines here? Okay, who doesn't use web search engines here? Everybody uses them. We all go typing in keywords looking for websites; you're looking for particular words, often defined by meta tags in the page elements, in order to get the site you're looking for, and almost certainly it's probably not the site you're looking for. Except that gentleman at the back, who obviously normally gets those kinds of sites. But the key thing to note is the fact that if you go looking for a company's name, will you
get your company's site or will you get your rivals how many people here running consultancies to get people in the top 10 on search engines hands up no one you are normally you find that a lot of people are doing this now and ordering out on web pages and they will actually get them in the top 10 of the search engines but a rival could do the similar sort of thing to jump ahead of you in the queue and also the fact this fake site could also jump ahead of the legitimate site as a good number of people don't go around remembering domain names they just rely upon the likes of you who and other such systems to actually locate the sites for them and just type the company names in there and get the information coming back so in other words what I'm saying is keep an eye what's out there make sure you register with search engines make sure you're well positioned use that gentleman's company services if need be I have no financial association with you whatsoever or similar people to make sure that you're well positioned in the search engines and check regularly for what your company name pulls up on the web there could be some embarrassing stuff it could be your rivals well positioned that's the key thing about this keep your eyes open I could go on about loads of extra things here and I could go to the more technical ones as well if it was required but this is supposed to be a newbie thing and the key thing I did for this talk is I wanted to wake people up into thinking about beyond the firewalls beyond fortress models beyond time based models and just think about the whole setup of your systems on the internet and regard the internet as your back yard which you also have to defend keep an eye on what's being said out there don't just pull down the blinds and ignore what's not going on in the street because what goes on out there could cause you far more damage than what goes in here and you've got to be in mind that this is going to take quite a bit in particular anyone 
here go to beyond hope conference anyone to hip in Holland a few of us went to hip in hip someone claimed to hack some of the hip sites and the old days wasn't really a hack it was a site altered locally in America and just chased and looked like it so these sort of things are done and we realised that things weren't really the hack that actually happened but after that it's too late that the embarrassment has occurred ok then right well I'm going to take questions now I think it's a good time to take a few questions and I have a few things to pass out to the audience if anyone's interested from a British conference called DNS Plug 14th of August you won't get an airfare over there now because the clip's the sun is three days beforehand so it's probably why I'm plugging it but I have a few candy bars from it I have to throw them out in the audience but I think I'll injure you all so I'll be willing to kind of like throw them down the corridor in the next few minutes after questions if anyone's interested ok questions you mean about allowing DNS through you know particularly port 53 we all know about it it works great for yeah it can be done to that way it's very much a technical attack but yeah a lot of firewalls essentially up on a filter based mechanism and we allow stuff for certain people's ones like a dress translation blow that one out of the water yes do you want to do a short I want to say something quickly about going to network solutions and changing somebody else's registration ooh the changing someone else's registration network solutions oh that's a good one yeah you can do that people when you get domain names they have to be able to be transferred and changed particularly from providers to providers changing who's hosting the particular IP the primary and secondary domain service so network solutions accept requests to change things and they have several methods of doing it the most common used one is email address only you can have PGP signature you 
can have signatures but hardly anybody does it and what happens is you go to the site put a request to change information even change ownership and they email the email address listed in their document with a confirmation number and the person then gets the email with a confirmation number to get the thing changed if you can insert that email and reply with it you can change it a good example of the internet source is broken internet source by the sniffing because then you can get that going past and reply brilliant question you get a candy bar see what I mean about these being dangerous catch one they make good cudgels as well they've got a shelf life of about 300 years so I mean it's just a pure sugar mint flavour what would hackers rock all the way through and the best thing to point out about them is that watch your teeth when you're trying to eat one that's all I'm going to say this gentleman in the black shit which is not very identifiable hold on a second there's a choice it's number one straight in the film yes I believe you're correct on that I've always done my changes using the web interface and doing the confirmation back yeah yes whether that was wise to tell this audience I'm not too sure about that's all I'm going to say at that point I don't yeah okay well you can generally assume that virtually everybody who's involved in computer security most of them have actually ensured that their main names are registered with a key you know it's a simple thing you will not be able to get DEF CON reassigned you won't be able to get DNS CON reassigned you won't be able to get 2600 reassigned but you would be able to get Joe Block butchers reassigned or whatever of a company it happened to be any more questions? 
you can do the same thing with round up oh yes of course you can oh yeah brilliant denial of service stat yeah the old trick if you want to do the denial of service you don't do it from your machine you get other people to the denial of service you're targeted by doing that yeah that's a great one another thing about firewalls is that you can run PPPs through a port that's open yes of course the old thing about most firewalls letting things through the DNS request back on if it's being put over that port it's an old trick it's a very common being done on that and it's amazing the number of modern installations which just allow that to happen really is it's sad but it's true the gentleman in the glasses on this side please ooh you mean the fact that most people leave their mail servers globally accessible so what I can do is externally my fake email coming from your company I actually get your email server to send it straight out I've just said that yeah literally whenever you use a tool such as like your Dora you enter in which mail server you're going to be doing your posting from and I've used my a lot of spam emails they use other people's email servers to bounce the email off you don't have to use your own your presence is set up it's changing the spam email industry has forced people to check on this but I could have sent up my Udora account but essentially send the email from your mail server it would be or more or less that it came from your side at that point it's still not complete because I still have the sending address so you can pick that one up but it would have muddied the waters a bit more you've had your hand up but it's easy enough it's not a problem just go and pull your record up on the internet by default it won't show it up on the who is wherever you've done that just put a request in to change it so you have a key if it turns out that you have a key and you didn't know you have a key you're in trouble you've got to do it by the old snail mail 
method to confirm who you are that's another good one as well actually I shouldn't have mentioned that should I you can request that out but you know I know what you mean at this point from the average company yes it will work the old letters the good one as well oh facts there's no one ever checked so the number the facts came from we all know that trick these are all basic tricks I'm sure you'll notice I don't want to deal too much on network solutions if I can have a couple of questions which isn't from network solutions that's the final question so we need to get off to the next set of speakers where are the next set of speakers okay okay do you want to run in the white shirt final question oh yes adding routes static routes sorry I'm English so it's a bit different systems like saying oh I'm a major system the entire internet is down this modern line which happened recently but yeah you can do some attacks based upon that I'm just wondering whether I don't think with the time left I'm going to have necessarily time to really explain that because there's some really sneaky tactics you can pull off with that I notice you're smiling there at that point yeah I'm just, it probably wouldn't be wise and I don't really have the time to go into that but let's just say the fact if you go and look that up on the web and have enough time to look at that on TCPRP basics and the way routes work you can cause essentially traffic to go around in the circle and all sorts of nasty tricks to pull off and all sorts of things I did say that gentlemen sorry okay I said that was one of the nasty things but I said that was the last question but I'll just take yours and I mean this is the final question okay alright so if everyone who didn't quite hear that I need to, I think it was very softly spoken I mean to point out it essentially worked in the very into what was discussed earlier essentially if they've got financial trading system which is in real time they've only got one hop 
between these targets and if you go to the route so it goes up to 32 you can do triple simple it's all these attacks are generally basically very simple attacks but they can cause a hell of a lot of problems and that's the thing you need to watch out for and I hope I haven't offended anyone for any companies anyone work for you in the audience I might expect my account to vanish now I might expect my account to vanish now I might expect my account to vanish now thank you okay okay that's a very good one I'll make sure it's off the DNS con website probably because it's more likely to remain up I think www.dnscon.org and I'll put it on forward slash def con in lower case okay so I'll make sorry www.dnscon.org forward slash def con okay I'll put it up on that side unless someone wants to tell me another side I'll put that up remember the fact is my main slides are in England so you're going to have to wait for me to get back it's going to be about two weeks until I get back to the United Kingdom if anyone wants to email me I'll put an email address up on the same page I guess it'll be about a week or so unless someone wants to actually see me now to get my email address okay right well I'm just going to throw a few things out in the audience if anyone's interested anyone want anything oh go grief I'm going to this so everyone wants to get in that corner ready catch the final one okay right there well thank you for listening and I hope you've enjoyed the talk
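As an added illustration of the talk's advice to keep an eye out for new domain names appearing under your company's name (for example a look-alike that is "just one number different", or a brand name embedded in a longer name like the AOL billing site), the Python below generates the look-alike variants of a company's domain and flags observed registrations that match them, so they can be registered defensively, monitored, or reported for removal. This is example code written for this page, not anything the speaker presented; the domain example.com, the list of "observed" registrations, and the set of TLDs checked are constructed sample data.

```python
"""Flag registered domain names that look like a company's own domain.

Added example (not from the talk).  The company domain, the observed
registrations and the TLD list are constructed sample data.
"""

# Digit look-alikes for letters: "examp1e" vs "example".
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
# Registries to watch (constructed; a real list would be far longer).
TLDS = ["com", "net", "org", "co.uk"]


def split_domain(domain):
    """'example.co.uk' -> ('example', 'co.uk'); knows the multi-label TLDs above."""
    for tld in sorted(TLDS, key=len, reverse=True):
        if domain.endswith("." + tld):
            return domain[: -len(tld) - 1], tld
    label, _, tld = domain.rpartition(".")
    return label, tld


def label_variants(label):
    """Variants of the second-level label: omitted, doubled or transposed
    characters, digit look-alikes, and an inserted hyphen."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                    # omit a character
        out.add(label[:i] + label[i] * 2 + label[i + 1:])     # double a character
        if i < len(label) - 1:                                 # swap neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                             # letter -> digit
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
        if i > 0:                                              # insert a hyphen
            out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    out.discard("")
    return out


def lookalike_variants(domain):
    """All look-alike names for `domain`: the same label under the other
    watched TLDs, plus every label variant under every watched TLD."""
    label, _ = split_domain(domain)
    variants = set()
    for tld in TLDS:
        variants.add(f"{label}.{tld}")
        for v in label_variants(label):
            variants.add(f"{v}.{tld}")
    variants.discard(domain)
    return variants


def levenshtein(a, b):
    """Edit distance, used as a catch-all for variants the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(domain, observed, max_distance=1):
    """Return the observed names (e.g. from a whois/zone watch) that are
    look-alikes of `domain`: generated variants, names within
    `max_distance` edits of our label, or names that embed our label."""
    domain = domain.lower()
    my_label, _ = split_domain(domain)
    variants = lookalike_variants(domain)
    hits = []
    for name in sorted(set(observed)):
        name = name.lower().strip(".")
        if name == domain:
            continue
        label, tld = split_domain(name)
        close = tld in TLDS and levenshtein(label, my_label) <= max_distance
        embeds = len(my_label) >= 3 and label != my_label and my_label in label
        if name in variants or close or embeds:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample: what a periodic registration watch might have seen.
    observed = ["example.com", "exmaple.com", "examp1e.com", "unrelated.org",
                "example-billing.net", "example.co.uk", "exampel.org"]
    for hit in flag_lookalikes("example.com", observed):
        print("look-alike registration:", hit)
```

Run it periodically against whatever list of newly registered names you can obtain, and treat each hit as a name to either register yourself or send to the registry for removal, as the talk suggests. The generator deliberately covers only the simple single-character tricks the talk mentions; the edit-distance check catches the ones it does not enumerate.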