Good afternoon, everyone. Welcome to day two and a half, or whatever day we're on at DEF CON. I've kind of lost track. I'm Null. Crash went to get more beer for us, so I think that's a good thing. Round of applause for Crash when he gets back in. Over to my right here, we have I Like Sheep. On my left, we have RSnake, and Hacks Are the Matrix. And last but not least, we have the Hoff, who will be doing a special interpretive dance for us today on keyboards. It's actually been established very early. Thank you for admitting it in public, though. I really like Sheep. You do, and this is what happens when you don't show up for the prep meeting. Thank you, Crash. So you should know that this isn't going to be the most serious talk, so take it for what you will.

So I've been asked to read this by Chris. Thanks to a certain journalist who didn't interview me correctly and reported inaccurately what I said at Black Hat, I'm not speaking today because I enjoy making my mortgage payments. And his voice is in fact totally fucked. So he could be lying by the pool at Caesar's enjoying some naked girls. That's cool. So instead, Chris and I were talking a couple of weeks ago, and on his blog he often posts poetry. And he claims that he can do it live, and most of his posts come up in about 15 minutes or so. But today, Chris isn't going to talk at all. Instead, well, he's going to heckle the rest of us via text. We're calling it the DEF CON poetry jam. And the theme today is failure. There's been a lot of talk about protecting data, keeping it protected. And really, we came to a conclusion as we were talking on the phone a few weeks ago, that failure really isn't an option in this industry. In fact, it's actually inevitable. So the theme today is pretty much: get over it. You're going to get fucked, whether you're a researcher, whether you're a commercial, you know, corporate security person, whether you're a manufacturer of security software.
So the best plan is to plan for failure and move on from there. So I was going to talk about some other stuff today, but really, earlier today, for those of you who haven't heard, the Massachusetts Bay Transportation Authority sued some speakers who were supposed to be speaking tomorrow, because they felt that their research was a violation of assorted federal codes, including the Computer Fraud and Abuse Act. So they got their restraining order, and the speakers have pulled their talk. Yet the MBTA missed a couple of key points, like the 7,000 CDs that have been handed to all of the attendees here with the speakers' slides on them. Hey, does anybody remember Ciscogate? Does anybody remember Ciscogate? Yeah. So, you know, the one lesson I think people should have taken away from that is that once you turn your presentation over to someone else, you can't really reel it back in, no matter how many pages you tear out of a book or how many CDs you have shredded. It's out there. Yes. So, actually, I'll get back to that in a second. As part of the paperwork that the MBTA filed with the courts in Massachusetts, they included several exhibits that are actually publicly accessible and publicly available to anyone who wants them. You can see where this is going. Two of the exhibits they included were, one, the presentation. So it's now in the public domain. And two, an academic-style white paper that describes, in more detail than the slides did, the nature of the research and the attacks they did. So, if you know someone who has access to online legal documents, just have a little chat with them. And you can see the slides if you lost your CD, or you want the white paper. It's out there. It's in the public domain and it's freely accessible. So all I can say to the MBTA is, there are about 7,000 to 8,000 people here, and you've now convinced three people they're not allowed to talk about it. But, well, the rest of us are.
I'm not going to go into a lot of details because we have a lot of other stuff going on. But the rest of us can talk about it. Take a look at the slides. And meanwhile, well, MBTA, you're today full of fail. Next, we have RSnake to talk about his stuff. Thank you.

Hey, everybody. So I wanted to talk a little bit about just kind of how we're trying to solve problems that are kind of bleeding edge. They're really interesting. We're all really excited about them. But we really haven't fixed anything. If you all noticed, everything's still broken. People are still getting owned all over the place, the wireless networks. I mean, it happened like two, three times at this conference, not including the wall of shame and everything else. Wall of Sheep, brother. So I'm going to talk a little bit about authentication on the web and how it's totally broken, and how there's a whole bunch of vendors out there selling stuff that doesn't work. And I'm going to tell you why you're going to pay for it anyway, which is pretty lame. So let's get on with it. So second-factor auth: how many people have one in their pocket right now? One of these? Four? This is a security conference? Really? Okay. Really? Oh, okay. Is it because you just didn't bring them? Yeah. Okay, all right. So this is my favorite way to get around it. Please mail us your username, password and token. There are users out there right now who will fall for this. I've actually met them. You go to an eBay Live conference. You meet some average human beings. You know, they're not like us. They'll do pretty much anything you ask them to do. In fact, I like this picture. I know it's the back. Why am I showing a picture of the back? Because if you say "enter the token number," that's the number they're going to type in. They don't know to flip it around and look at the other side. That one's the one that's changing. That's too hard. So banks won't federate. They say, like, we're not going to work with one another.
We're not going to work with the industry. And without banks, no one wants to do the whole federation concept. And the reason why that's kind of a big deal is, you know, people are going to have to carry around multiple tokens, and why am I going to have like five tokens to do all of my banking? The banks won't even talk to one another. And the reason for that is they're worried that, you know, one central repository is going to get compromised, which it may or may not. But I think, you know, we've done a fairly good job of securing like CAs and stuff. So I think we could get around that. But it's sort of a least common denominator, like whichever one's the least secure is the one that they're going to go after. So if you want to hack some kind of lame little porn site that happens to use federated tokens, they can also let you get into the bank. Well, that turns out to be a problem. So people lose them. They type them in wrong. They put them in backwards, like I said. It just hurts the ability for consumers to interact quickly with websites. And consumers don't really understand the value of the tokens themselves. They'll give people their key chains and walk away from them and just all kinds of stuff. Event-based tokens, if you've seen them, they have little buttons on them. Kids love to press those things. They get out of sync pretty quick. You have them in your purse, your wallet. They get pressed just kind of sitting around. So they don't work; it's just kind of a pain in the butt. So really terrible for consumers. Time-critical functions. And I ran into one guy from the U.S. Mint. And I was talking to him about this exact topic. And he said he carries 13 around at the same time. 13. Can anyone beat that? Is there anybody who has more than that? Right. Okay. Good. We have a record. So if anyone beats that, I'd be curious to hear it. It's just ridiculous, right? I mean, how do you carry that around at the same time?
You know, of course, he's got a bag full of key chains to log in, right? So other ones, like bank TLDs. I've talked a little bit about it on my blog, but I really just, I'm super annoyed at this whole concept. Why have an entire TLD just for, you know, people are going to say, oh, well, if it's not a bank TLD, I know it's a phishing site. Well, the problem is, if you tell people that you need to go, like, log into this bank, you know, it turns out that people actually have to read the URL bar for that to work. And phishers don't even use domains a lot of the time. They use IP addresses. And consumers fall for it all the time. So I don't see why that's going to change anything. But I could be wrong. Not to mention you're going to have to hit this huge migration plan to move everything over. Everyone's going to say, well, I'm not a bank, but I want to be secure, too. I do transactions. I'm a real, you know, some gigantic real, what am I trying to say? You know what I'm talking about. Real estate, no. That's not right. Retailer, thank you. So mom and pops are going to thank you. A little hungover. It was a late night. You guys hear about pdp? No one heard about that? Go read Full Disclosure. It's pretty interesting. It kept me up until 1:30 just reading that. No one knows it? So pdp got compromised a couple of days ago. Made it onto Full Disclosure. They put up his personal docs, pictures of his wife. It's pretty nasty. So we don't know how it happened. It was Gmail. It may or may not be an exploit in Gmail. They're looking into it. So basically we're just building, like, another version of EV certs. Another version of SSL. Another version of all the same crappy authentication that really never told a user where they were to begin with. People are going to fall for it in the same way they fell for everything else. So we haven't even slightly solved the phishing problem by using bank TLDs. I think it's just a terrible idea. It'll never get implemented properly.
We have a huge migration plan. It's just a bad, bad idea. People are going to do it anyway, even though I tell them not to, but I'll just let you know ahead of time. So speaking of EV certs, phishers don't use SSL. So it turns out that if they don't use EV certs, it works pretty much the same way. They just don't implement it. And if it's magically, it doesn't do that. It's prohibitively expensive for the small customers. There are little guys out there who want the same authentication. So one thing is green. That's a huge pain. And I'll look for the lock messaging, which I'll show a little bit later.

So this is grid mark. This is literally the worst-looking authentication flow I've ever seen in my life. I see a lot of really bad implementations of authentication, but this one is particularly bad. So what you have to have is a password and a direction. So upper right, upper left, lower right, lower left. You just pick a direction and a password. So if I were to pick, if my password was the letter, in this case six, I can hardly see it. So you, and then you type in six, and therefore if someone was in the man in the middle, they wouldn't be able to tell what your password was. Wait, wait, wait, wait. This is real? Yeah, yeah. I didn't make this up. No, no, no. This is absolutely real. This exists. No, no, no. I didn't make this up. So it gets worse. So here's a different implementation, same product, using a two-digit series. It looks kind of secure, right? You're like, wow, I wouldn't know what to do with that thing. It's awful. And consumers, I tried, it took me 15 minutes to log in the first time. I'm like, what am I doing? So this is... That's just because you're waiting for the numbers to change. Yeah, no kidding. So what is it, CAPTCHA? What do I type? So this is my password. It looks pretty secure, right? Some random string of digits. You can't tell what it is. So I'm going to show you how to break it by hand. No, nothing up my sleeve, no calculators.
You're going to do it by hand. You just take them apart piece by piece. And you say, okay, where's 0, 1? Well, that gave me two pieces of information. It gave me the direction, and it also gave me the first letter of my password, which is... How can you not see the letter that it's on? Come on, guys. Oh, you guys can't see it. I'm sorry. I apologize to this side of the audience. You're still idiots over here. You put the wrong side on. It's the letter I. Come on, you got it? It's the letter I. There's a big purple circle over there. That big purple circle, that's I. You're going to get the next one. I promise. Now it's... Thank you. It also turns out that the second letter of my password is... Thank you. So the next one's more complicated. It actually falls all over the place. For some reason this... I screwed it up now. What's that? I totally, totally blame Rich Mogull for this. Anyway, it falls all over the place, but it turns out that there's only one place that matches that direction, and that's right there. So my password is... ISSA. So you can do it by hand, and it turns out that the longer your password is, the more secure you want to be, the easier this is to break, because you just find that there are more places, so literally you can do this by hand. I suggest you try it if you ever get stuck in the man in the middle, and you're like, oh my god, I don't know what I'm doing. I'll just try to do it by hand. So that's total snake oil, and I see this kind of stuff all the time.

So SiteKey, which is actually semi-implemented into grid mark, by the way, is also a terrible security mechanism. So there's an MIT study, for those of you who don't know about it, so people didn't even notice when they uploaded or whatever. When it wasn't a picture of a puppy, they still didn't notice. When you just kind of got rid of it, they still didn't notice. In fact, consumers were more confused by it than they were actually helped by it, it turns out. So it's just total snake oil.
It doesn't do anything for security at all. And it's also pretty vulnerable to man in the middle attacks, because if I know your username, which you gave me before, that's why I know how to deliver you. And I'm totally hungover. I'm sorry. Ask him how long he spends on his hair every day. What's that? What's that? Oh, well, that kept me up all night. What are you talking about? So ultimately, phishers can just say, "I lost my password." I like Goatse. I really hate this panel. I don't like any of these guys at all. The hair thing really threw him. He doesn't know how to recover. Yeah, exactly. I got a message while I was sitting here. Hey, you want to come over to this other speech? I think I'll stay at this one. Thanks. We appreciate that. Yeah, exactly. Are you reconsidering that decision now? No, I'm reconsidering. I really am. But anyway, all the sites are still vulnerable to all this other crap. So it doesn't really matter. You have this great authentication system that's super amazing, and you paid millions of dollars to implement it across your huge enterprise, and it doesn't matter. You're still vulnerable to everything else. I mean, we do a lot of audits, and I really rarely find a site that's actually locked down. I mean, I'm sure they exist. I just, no one's asked me to look at it. I mean, this is Symantec's website. They've got a crossdomain.xml file that's open. That's just sad. So, like Paris Hilton, who can't spell, this is pretty useless. Yeah, that's not how you spell "your." So most enterprises, they don't use any sort of email encryption. They encrypt their faxes. All their phones are all open. So physical security issues are just wide, wide, wide open. For the clients, when they're sending off, you log into this site or do this or whatever, all that stuff's wide open and in the clear. I'm sure you guys all know this stuff, but we've never fixed any of this stuff. It's not done.
There's a very, very select few people out there who are doing this stuff, but not enough to actually make a difference. This is one of the sciences of the authentication world. Not a lot of people talk about it, but there are like four different ways to do brute force, and maybe one of them is usually covered by sites who actually care about this stuff, and that's vertical password checking. So it's like username, password; the same username, different password; same username, different password, and so on. But it also works if you switch that up and say username, password; different username, same password. You can do horizontal or diagonal, and then three-dimensional with different IP addresses and so on. You can mix it up. There's also credential-based brute forcing, which really no one ever talks about. We actually do find it in the wild fairly regularly. It's really bad. No one's fixed any of this stuff. There are very, very few sites who are dealing with this stuff appropriately, and ultimately it's a really hard problem. They don't force strong passwords. There's no auto logout. Everything is broken. They store the credential in the database. They never wipe it out. It's a mess. And we have downloads over HTTP still. People are downloading executables all the time. So you're going to end up using all this stuff anyway, even though I just told you not to. And there's a reason for it. So there's this kind of bear-run thing. You need to run faster than the guy standing next to you. You don't need to outrun the bear. You don't need to outrun the guy thing. You know? Which... You see, here's how Sunday guys have the steak. So I actually really hate this analogy because it implies that that actually does anything for your security. It really doesn't change anything. So if you're running faster than the guy next to you, just use the same analogy. And he eventually gets eaten. Who's the bear going to go after next? And it's just a matter of time. If you have...
Let's say there are two banks in the world, just to make this simple. And one bank is using this new cutting-edge piece of security, and the other bank isn't. So the new cutting-edge piece of security, that actually isn't security at all but it looks nice and fancy, is starting to reduce the amount of attacks over time because the bad guys just realize it's easier. I'm just getting a norm. And it's going to look, their fraud ratios are going to drop off. The other guys are going to get worse. And they're going to say, hey, look, you've got case studies to prove that this is working. Fraud is dropping off. This other one is going up. It's perfect. The other guy implements it. The same thing happens. This guy's fraud goes up over time because the bad guys move over, and so on. So everyone thinks, hey, this is a great security product. It worked. And we have metrics to prove it. But in the end, the bad guys are just shifting around and just trying new exploits and just working differently on different pages. How are you doing, Hoff? Good. Oh, there we go. See? Someone does love me. Oh, yeah. So basically, just plan to fail, because you're probably already doing it. I don't mean to hurt anyone's feelings, but there's a lot of crap out there and I have to deal with it. And cheers. I think it still works really, really well.

And for the next part, Larry and I are going to talk a bit about some stuff that's, you know, basically taking attacks we've known about for years. It's going to be some wireless stuff. We have a demo and all sorts of things going along with it. And to be honest, I don't care if you've got the biggest 0-day in the world. I don't need it. There are just so many other more effective, easily effective things that get the job done. So for this next section, we're going to go talk about building access points and evil twins, and just because we combined a bunch of our work stuff. It is distracting. Oh, it's the shirt. The plane. Is he Jewish? Well, anyway.
Hey, don't you just want to grab Rich and make him tell you where the pot of gold is? On that note, I'm going to switch over to Larry for a bit, as he's going to talk about doing all sorts of wacky shit with access points and, well, let's just say they're internally motivated. Wait, before he starts, I have to make an announcement. I actually stopped drinking, and one of my co-presenters just gave me a beer. So the first person who can answer a funny question Rich is going to ask in a minute can have this beer. How many people think Dave Maynor sleeps with goats? Your hand was up first. You get the beer. Enjoy it. I'm going to put a few bits per minute. And I do believe his answer was "who wouldn't." Sir, what you do on your own time is your own business. It takes all kinds.

All right, so Rich is going to be talking about hiding some evil twin sort of wireless access points. I've got some creative ideas on where to hide these things and how we can get back access to some of the data. So I had a little bit of inspiration from the folks for this stuff, and it was RenderMan. He's probably up in the wireless village right now. So RenderMan's first hack appeared at ShmooCon 2005 and was known as Teddy Net. He walked around with a teddy bear on his back, which is rather unusual, or maybe not at a hacker convention. Well, not if you're a Japanese schoolgirl. Not if you're a Japanese schoolgirl? No. I'll start drinking again, Dave, because it wouldn't help. So no one seemed to notice that... So this panel is also epically failing right now. Okay, so they're taking my slides away. Okay, so I can keep talking anyway. So no one seemed to notice that RenderMan was walking around with this teddy bear, and every once in a while an SSID would pop up called Teddy Net. Fantastic. Did you know that before Rich worked for Gartner, he was actually the Teddy Ruxpin model as well? You can sit right there. Thank you very much. All right.
So I thought about this and I said, well, that's pretty neat. Hide an access point in something that seems rather innocuous. So he initially built this to give to one of his friends who had just had a little baby girl, and that was the joke. You're going to provide her an access point teddy bear for her to carry around. Well, so that's what he did. And he took it to ShmooCon to test. But I thought, well, I'm not going to find too many teddy bears in an office when I'm doing a penetration test or trying to own some companies. So he actually ended up coming up with this, known as Evil Bastard. It's a broken APC UPS that he removed the batteries from, added some wiring, put an access point in it, reused the existing Ethernet ports so that he can now plug this into the network. Looks like it's supposed to be there, until the power goes out, because now your PC shuts down because there are no batteries left. But it works. Works well. So I thought about this and I said, all right, so what can I do with this? But using a WRT54G is kind of large. So let's pick something a little smaller. I've used the La Fonera, the Fon, the original one with OpenWrt installed. Here it is out of its case. I am definitely not Jewish. Okay. When you take this out of the case and remove the antenna, it's about the size of my wallet. So it's actually pretty small, and we can actually fit this in some good stuff. However, we do have a problem. Part of my wanting to be able to hide these things is to keep the host device functional. So whatever we put this in, I want to make it continue to work. So it looks like it's supposed to be there, and we're not having people call the help desk saying, oh, my X doesn't work. Can you come fix it? I want to avoid that. So part of the problem with the La Fonera was that we only have one Ethernet port. So again, help desk calls. My device isn't functioning. So, the long and short of it, we need another couple of ports.
So we're going to take a Netgear EN104 out of the case. I've got some lines drawn on this for those of you that can see it. Take the Dremel to it. Remove a bunch of traces. Put them back on with jumper wire. Take all the Ethernet ports off, and off we go. So we've got a couple more challenges with hiding some of these rogues. We want to make sure that, again, the host device is functional. Some of these things, we're not going to have a lot of size to deal with, a lot of room to put these in. Okay. Is it something I said? Okay. Potentially, if we're in a more robust environment, we're going to have to deal with network access control. But maybe not, because some of these devices that we'll be inserting access points into don't necessarily support the client. So they're on an open segment that doesn't have NAC. We also need to find a sacrificial device. And depending on what it is, it may be rather expensive on your budget, so you'd better be billing for time and materials. And we've got a few other things too. So we do end up needing to do some creative soldering in order to make some of these devices small. We can actually remove all the Ethernet ports, and I actually found out that I can't. So, fail. We can lay down the capacitors where we need, trim the boards, jumper the bits we remove. And we can do both of this for the La Fonera and the host as well. How much have you spent so far? A couple hundred bucks. You could do this with an iPhone. Yeah. But that's not nearly as much fun. The problem is that the iPhone does not have an Ethernet port. So I'm plugging into an Ethernet jack somewhere, adding a rogue access point and grabbing data off of their network. You could do it in the Eee PC. Very true. Still much larger. And you'll see why. So from my experience with this, one of the most difficult parts was the Ethernet ports. I figured when I started this, great, I'll just desolder the Ethernet port from the board, solder the wires directly to the board, and off I go.
Well, what I failed to remember was that Ethernet ports are designed to be electrically isolated from the actual device, so that if there's a stray voltage spike coming down the wire, it doesn't fry either your switch or the device. Yeah, and I wanted to retain that because I want to keep some of this stuff. So the problem that I run into is now I'm taking apart the devices, soldering directly to the pins on the Ethernet jack, and as my wife says, I end up looking like a dork because I spent a couple of hours wearing one of these. Wait, that's what made you look like a dork? Well, that too. Okay. So one of the other problems is finding power. So... Yes, so technically you can do this on an iPhone when you leave it in a cab. So one of the other things that's a challenge also is powering these access points and/or the switch hub if we need it. We need 5 volts DC to power both of these. And again, I want it to go undiscovered for quite some time. So I don't want to have someone walk up to a printer, for example, and see that 110 mains power plugged into the printer and also a wall wart, because that's kind of unusual. And someone who's a little bit more sophisticated, if a tech is walking by, they'll note that, well, that's kind of strange. That shouldn't be in that configuration, and take a look at it, hopefully. So let's find power internally, tap from it, and deal with it. Now we're not going to find matching voltage all the time, so we're going to have to build a small circuit, and we're off. So once we've hidden it, Rich will get into some more about being able to retrieve some of your data. In my instance, I'm doing it via Ethernet, I'm deploying it in a customer's network, or I'm deploying it in some organization that I don't want to find it. I'm probably never going to see this device again, because you think it was a rush hiding this device. Yeah, now return to the scene of the crime and go get it.
So I had a thought about getting the data back, and because I'm installing OpenWrt on these devices, it's all Linux-based. So now I can take a cron job, run the cron job at, say, 3 AM to change my wireless settings so that it sets up a wireless access point that I know about, and I can park out in front of the building, connect to it, pull my data off, and shut it back down after 10 minutes. Now ask your guys that monitor your wireless intrusion detection systems and your rogue access point detection to find that at 3 AM for 10 minutes. They're not going to be happy, and you'll see why. So are you saying wireless IDS vendors like AirTight would not provide you any benefit here? I did not say that. Could you say that? You're just going to drive your admins nuts because they're going to get it for 10 minutes every day. So yeah, it will pick it up. It's going to give them some pretty darn good ideas as to where it's going to be, but you're going to see why they're going to go nuts when you see where I'm hiding them. Are you hiding it in their desk? What's that? Are you hiding it in my ass? We'll get to that. Don't give away the punchline. Yes. There you go. Randomize the cron job too. But then again, I need to know when it's going to be there so that I can go back and collect the data, so I need to know what the randomization is. Now, I could have it email me. But now I'm sending traffic from a device that shouldn't be emailing anyone outbound from the customer's network. They may pick up on that, and now they know what to look for, because it's coming from the IP address and they can locate it via switch port. If I had an iPhone and didn't leave it in a cab, I could deal with that. Guys, we'll get to that. Yeah, so we'll get there. So now we have our requirements. I'll see you later. Here's my room key. So what can we find in an office environment where we can start hiding our rogue access points in? And it's now time to get more evil and more bastard.
But remember, every time you hide a rogue, Homer eats a kitten. So printers. One of the most ubiquitous pieces of tech in most office buildings. I've seen a facility where they had a printer overrun. They had three printers for every person in the building. Don't ask, I don't know. All right, so let's start at the beginning. The HP MIO. Okay, so, yeah, looks pretty big. Looks like we should be able to fit both the devices in there. There's one slight problem with this, because where do you find these printers that support HP MIO? No, Quentin, you don't find it in that kind of storage. You find it in dead printer storage. So I found these printers at a customer site in storage. So unless you work for somebody that doesn't have a lot of money, maybe a community college, you probably have a bad time finding these devices. So we're going to fail on that one. That is the theme of this presentation, after all. So let's upgrade to the EIO. Great. Looks good. It's a little bit smaller. We're going to have to get really creative with trimming and soldering and all that good stuff. The problem is that EIO, the best I can tell, is based on PCI-30, which only delivers 3.3 volts, and we need 5. So now we have to, you know, build a circuit to increase 3.3 volts to 5 volts, and we don't have that much space. So no luck there. Yeah, you want to hold this for me? Are your hands clean? So what about external print servers? Yeah, with these places, these are, you know, we can find these, but will it fit? Yeah, looks like we've got some pretty good luck. Well, I heard someone laughing, so I have to look. I'm nervous. But you may be asking me, oh Larry, these things are really old technology. Well, I took this picture six months ago. It prints multi-part medical forms. Think about the type of stuff, if we had a rogue access point in line in a hub, that we could get off of this. Can you say identity theft? Paris Hilton's medical records? Paris Hilton? We already know what she's got.
So now you may be noticing in that picture that there's a little sign up there, and yeah, it's the warning because it's in an area that's protected by FM-200, which is fire suppression, because it's behind locked doors. Well, I've also seen these types of things in unsecured areas that print checks. Thank you. Okay, so what next? See anything interesting here that I might want to hide an access point in? The cocaine. The cocaine? I'm sorry, that's ink toner. All right, so what about multifunction devices? Sure, they've got Ethernet. It's about the same as an EIO form factor. Unfortunately, this printer is directly across the hall from my office, and I would have had an office full of mad people if I decided to take this out and start soldering stuff to it. So you're saying that you weren't making the sacrifice for this presentation? I can only sacrifice so much. Start with a goat. Okay, what's that? Start with a goat. Dave, can I borrow your goat? Yes. You're not getting them back. Wash it out first. Never mind. Okay. Now... So now, after we talked about grabbing print jobs from printers being in line with a hub, now we can also grab print jobs, copies sent over the network, scanned documents over the network, faxes. Think about when you go to your office every day, the types of stuff you scan, fax, and print. That might be very useful to an attacker, or me. What do you see here that we might want to hide an access point in? Pretty close. Not the clock, but that's a good opportunity, because some of the clocks that I've encountered are actually controlled centrally by a time server, but not via Ethernet, so that would be interesting. I'd like to find those. You can buy an NTP clock? Pretty close. So yes, this sign has a little box that converts serial to Ethernet. This one's really small, but the same manufacturer makes ones that are about the same size as an HP EIO. That's probably a pretty good idea. So, how about here? Fire alarm panel.
Yes, some of these fire alarm panels are Ethernet enabled. Not to mention that these switches are also fire rated, powered by multiple sources of power: battery, generator, multiple lines for backup power. So, my access point is going to stay up when there's a fire in the building. I like that. So, I have to make a warning of advice. I don't condone this type of... That's going to be a distraction. You're going to start a fire. Either start a fire doing this or, again, messing with this fire type system puts people's lives in danger. I'm not about that, but it's possible, so don't do this. What about here? Besides the IBM servers? Liebert, potentially? Climate control system. How's that? You say, Larry, it has a lock on it. Go talk to the guys in the lockpick village. They'll make Swiss cheese out of it in about 30 seconds. What about here? The doctor. We'll get to that. Yeah, time clock. Excellent. I took these photos off of eBay. The one on the right is a Kronos 4500 time clock branded with ADP, the world's largest payroll processing company. What are the chances you're going to find this somewhere? Pretty good. We've got plenty of room to hide stuff. The 4500 actually even has the optional module to have battery backup. Great. Now we know where we can get power from. The online available documentation also instructs us on how to clone these, so if you need to replace one in the field, you take it off the wall, you clone the configuration to your new device, and it's back. Thanks. Made my job easy. I also go to a lot of these. What do you see here besides maybe the Ethernet ports on the desk or the table? The lamp. I'm not listening to Dave anymore. How about the projector? This particular Sony model actually already has Wi-Fi built in. So maybe a wire or a signal coming from this particular conference room might go unnoticed and be expected to be here. What about here? In the Furby. This looks promising. What about here? Yeah, how about voice over IP telephone?
Think about what you might want to record or listen to over that. Let's take a look at the inside. Oh, great. The phone that was sitting on my desk in that first slide. Two Ethernet ports. We have one to subvert. We also have power, but it doesn't have a power brick. It gets power via power over Ethernet. So now you're going to ask, what, Larry? Power over Ethernet, based on 802.3af, requires special signaling. Now you have to build a device that plugs in, handles all that signaling to tell you what power you need and all that type of stuff. No. Let the phone do it. Grab it downstream. So we have another device that I'll be getting to in a second that actually does that. So we have it do all the power conversion, does all the 802.3af negotiation, and then we grab 48 volts off the center diode and then we split it off the center diode for itself. So now the next question is, Larry, those phones are in a secure area. They're obviously in your office. You're there or you lock your door when you leave. Well, what about keeping your guests happy? They show up to the facility. They walk in the front door. They meet the receptionist. They sit down. Yeah, and guess what? There's a phone sitting right there on the table. What would it take for me to walk in and swap out that phone I noticed? Now, here's my favorite. Even this 3Com net jack can turn into this. Standard size wall mount jack, a wall mount box with the La Fonera stuffed inside and it put back in front. So that power over Ethernet, pulling the power, is actually this device that we pulled power from, and I have this working at home. It's powered via power over Ethernet with an access point in a wall jack. Dave, this is why you're going to drive your admins nuts, because they're expecting that device to be there with stuff plugged into it and it not being an access point and it's stuffed in the wall. Ouch.
So we've covered a bunch of office technology hardwired stuff that may be a little unusual, but how about putting an access point? Oh my god, that's as bad as tunneling DNS over DNS. Is Dan Kaminsky in here? Okay, so just a few that I encountered. The Lucent/Proxim Orinoco AP-1000 and 2000s; actually saw these in a law school a couple months ago still in use. So we probably get enough room to hide one in there. We also get external power, good voltages. Linksys WRT54G. We're probably only going to find these in smaller businesses and those types of things, but smaller businesses have types of data that we may want. I also looked at the Trapeze thin AP. It belongs to my employer. Has security screws, and someone borrowed my security bit set and didn't return it. So I wasn't about to take this into the shop and get the drill press out. Again, sorry Dave, I can only sacrifice so much. Let me ask you a question. How much of this presentation has your employer seen? All of it. So they were totally okay with you taking your office phone apart? No comment. They didn't know about it until much later. Oh well. All right, so conclusion, yeah, we've got plenty of stuff in an office we can hide things in. Good places for APs. And how many folks, how many admins monitoring wireless intrusion detection and rogue access point detection and potentially evil twin detection are going to find this type of stuff in a timely fashion? So let's think about this a little different. Just for fun, again sort of along that evil twin type of attack. So let's use OpenWrt, the open-source Linux distribution for the La Fonera, and create WDS or WET so we're bridging wireless to another wireless network. We can extend the distance, so now we can gain access to different stuff from a different area, or do Karma, some other things we'll get to, and don't know what to do then, and then we can profit from it.
So now we don't need Ethernet, we just need power. Now we have endless possibilities. Like an iPhone? Yeah, like an iPhone. And if nothing else, we can always power it via battery and stick it in the plant. Okay, so now we've got a couple just for fun. And Dave, you're going to like this, because I told you we were going to get to this. So we're going to bridge wireless, we're going to rebroadcast it for ourselves, take a small battery in some cases, and we turn it into a Goatse AP. I told you La Fonera was small, and well, now you're not hiding it on a person. You're hiding it in a person. Told you, Dave. So how many have heard about the 1960s CIA project called Acoustic Kitty? Acoustic Kitty? Wow, this is going to be fun. Alright, so in the 1960s the CIA had a project called Acoustic Kitty, and I have a quote from Victor Marchetti, which I'll read for those guys who can't read it over there. They slit the cat open, they put batteries in it and wired them up. The tail was used as an antenna. They made a monstrosity. They tested them and tested them. They found he would walk off the job when he got hungry. So they put in another wire to override that. Finally, they're ready. They took it out to a park bench and said, listen to those two guys. Those two guys being Russian nationals at the Russian Consulate in Washington D.C., just down the street from the Wardman Park Marriott. They take it out to the park bench, listen to those guys, don't listen to anything else. Listen to the dog. Just those two guys. So they have a wireless transmitter in the cat. Cool. They push the cat out of the van and it is promptly run over by a taxi. Your tax dollars hard at work. It cost the CIA millions of dollars in the 1960s to come up with this project. So I thought, self, if the CIA can do it, so can I. So we have some early field trials of Wi-Fi Kitty. No animals were harmed during the course of this experiment. Was it monitored by PETA? What's that? Were your experiments monitored by PETA? No.
But you'll just have to take my word for it. Because if I did anything to this cat, my wife would have killed me and I would not be here. Can you produce the cat today to prove that? Yes, I can. Do you have it with you? Not with me, but I can show you pictures. Wait a minute. I shouldn't say that, should I? But she's going to put the cat on the phone? Yeah, she'll put the cat on the phone. And no, not like that. Alright, so let's bring this full circle for fun. So you remember Render Man's Teddy Net? Teddy bear with the access point, intended to be given to his friend's young girl? Yes. It was a PETA joke. So the teddy bear did finally make it to the little girl. She now is in possession of it. So I thought, sorry, Render, if you can do it, I can do it better. So we take one baby. This is my daughter, who's now 10 months. She's three months old at the time. We could take a diaper, an access point, and power. We add the baby. Priceless. Was this waterproof? Yes, she's wearing another diaper. No real babies were harmed during the course of this experiment. So now I tend to find that I think about seeing access points all over the place, and I gave this talk really quick at ShmooCon. And Mr. Hoff and a good friend, Jack Daniel, were across the street at the Irish pub and took this picture. I am not a rogue access point, Larry. All right. So now I'm going to turn it over to Rich to talk about his evil twins. So if you think about what Larry's doing, he's hiding rogue access points, plugging them into the local Ethernet to be able to capture that data and then sending it out so he can grab it by driving by or whatever else. Well, there's some other kinds of interesting things we can do with wireless access points. And the biggest one, or the one that I like the best, is the evil twin attack. This is basically, if you think about, oh, come on.
How many people have ever taken their iPhone and connected it to an access point called Linksys, Tsunami, Default, Clearwire, any of those common things? Once you do that, unless it's an encrypted network, it's in memory. Anytime your iPhone gets near any of those again, it's going to go ahead and connect to those again. Or the other thing you can do is, hey, I'm just going to go into a Starbucks and I'm going to set up my evil twin access point. So if I walk in and I see something that's going to be more powerful than whatever crappy thing that Starbucks has put in, and I say this is AT&T or T-Mobile, depending on which Starbucks you're going to go into, the odds are people are going to go ahead and connect to me. They've got no idea. They don't think about these kinds of things. And once they connect to me, I have the ultimate man in the middle. I basically have hijacked their entire network connection. I don't have to sniff anything locally or anything else like that. Now, if they're already connected, to make them forced to connect to me, they're going to have to go ahead and reconnect to you. So what I tried to do is take evil twin and do it a little bit on steroids. Instead of, lots of times people do this with their laptops. You throw in one or two wireless cards. You can even bridge the local wireless network or EVDO or something along those lines. Instead, I wanted something I could just kind of make and leave some place for as long as I needed it to, and would maybe go ahead and send me everybody's information back to my house. What I tried to do is go ahead and create something that was self-contained, high powered. Drop it and leave it. I don't just want to sniff their traffic. I'd kind of like to exploit them any time they connect into that system. And I can do all sorts of weird exploit stuff. I can go ahead and I can nail them with their browser with any browser vulnerabilities that are there.
I can sniff, do man in the middle traffic. You can run Ettercap on these things. You can do almost anything that you need to. Maybe even inject HTML, drop images, imagine Airpwn for a wired network. Oh, I get worried when he goes, ah, got it. So, I'm going to go ahead, I'm going to do my best attempt to do a demo. Remember, I'm a former Gartner analyst, so the odds of this succeeding are pretty much fucking slim to none. Let me go ahead and get out of PowerPoint here. What I'm going to do is I have a vulnerable virtual machine. Now, this is all wireless, but it's not currently running as wireless right now. I've got it running as wired because Dave and Rob threatened to screw me up with some fuzzing, wireless fuzzing, so I wouldn't be able to do this. It's a blatant lie unless you were to do documentation to support that claim. Yeah. So, I've got running over here. I have one virtual machine that is, you know what? Let me just switch my display options here. That'll be a little bit easier. Do-do-do. That's Richard's boat, everybody, by the way. Is that the one that Beaker hacked? Yeah. Alright, does anybody remember where you click the, there we go, mirror displays. Alright, so what I've got here is one virtual machine. I'm running Core Impact on this one. You can do it with Metasploit. I actually set this up to run both a Metasploit exploit and a Core Impact exploit on the splash screen, but just to make sure the demo is slightly more reliable I'm skipping the Metasploit part. This is my unpatched virtual machine. Now, the biggest problem I had with this is this thing is so unpatched even like half the exploits crashed it completely. Go ahead, run Internet Explorer. So what I've done here is this is the wired connection. It's as if I've already gone ahead and hijacked that wireless connection. I'll show you how I've done that. This is all going to that access point.
That access point is set to go ahead and call back to whatever computer I'm running, which could be remote or could be attached into that local network. I'm doing it all locally and wired right now, again just for demo's sake. Alright, so I have my Evil Squirrel Enterprises public wireless access point splash page, because if I switch over into Core Impact, which is this one, you'll see that I now have an agent on this system, and again you can do this with Metasploit or whatever, and I can go ahead and browse the files and everything else. What I did in this case is the actual splash page itself had those exploits, so I own that system as soon as they connect to that access point and think they're flowing through. Now, I said Evil Squirrel Enterprises; this could of course be anything, like, I don't know, AT&T's page or T-Mobile's page, and make it look exactly the same. So the next series of exploits that run, because I don't like to just do just one little thing, I want to make sure that, suppose the browser has been patched, there's other interesting stuff I can do. So these next sections are courtesy of our snake.
He found all sorts of very interesting URLs and such over on Google and Yahoo and other places that, when you connect to them, not only are you going to be able to sniff cookie credentials and such, but you can get things like my entire Google address book, which is what's showing here, my entire Yahoo address book, which is showing here. And these are the links that are actually embedded in the redirect page. So I hit the splash page, I hit continue, it goes to another redirect page. Right now it's on hackers.org, but you could actually run it locally; we just had a little bit of a timing issue on that page. It kicks these off as if they were in iframes. You use them as image tags right in the back end. The user never sees this is happening, and it's making all of these connections to all their sites, and in the process it's pulling in all of that information. Here's one from maps.yahoo. If you have any saved location in maps, yeah, that's my old address where I grew up. Over here we've got, what's this one? I don't even remember what this one about to come up is. It's another Google one. Oh, here's a Google address book, so these are my Google contacts: dmaynor at goats.com, hoff at pimps.net, our snakeydevilbaster.com, those kinds of things. So I can take control of anything. Why can I do this? Because they all have their cookies set on their system already, and once they have those cookies and they're logged in, they're maintaining those sessions. I sniff all of that information in the background. Now, the way this is set up on the access point, what I've done, and I'll switch back over to the presentation here, and yes, all of that was running live right now, those weren't cached or anything else. Whoops, wrong one. Does anybody else love that techno music? Sweet, sweet satisfaction. Alright, let me get over here so I can hit play again to go through the rest of this. So the sequence for the connection is I have the splash page with the exploits. If I don't get them with the exploits, I get the redirect
page where I get all of their credentials. If I don't get all their credentials, then I'm capturing all of their traffic, because on that access point I'm running tcpdump, and every 30 minutes it writes it all down to local storage, and then every 30 minutes it FTPs that back to my server at home, so I don't have to be anywhere. I can take this, and of course, as Larry showed, there's lots of easy ways to hide things. This one's in those couple of fake books that are sitting on the desk right now, the kinds of things you see in any, say, you know, like internet cafe or whatever, where they have the nice lamps and the comfy leather chairs and those kinds of things. Take a lamp, put it on the top, run the cord in the middle, run the cord into the wall; nobody's going to think about it. Now, what's inside of this to make it the ultimate evil twin is a couple of things. It's a hacked WRT router, which is the big white-ish box on the bottom. Coming out of that is the CradlePoint router, which is connected up to my EVDO card. The reason I want the EVDO is I want this self-contained. I don't want it to screw with the local wireless, I don't want it to screw with an Ethernet cable going into the wall. I just want this entire thing to be able to go ahead and run on its own. And connected to that is a 500 mW boosted power. The average access point, Larry, it's what, it's about 29 to 50 mW, I think, something like that. Many of them max out at no more than 250. This is at 500, and it's got a 7 dBi antenna. I didn't even put a more powerful antenna on, but I ran out of space. Underneath it is power, so everything's contained when you go ahead and plug it into the wall. And then you can also make it portable. That's a 5V battery I'll pull out of here in a second. You just connect that up to a car charger and you just plug everything in, stick it in your backpack, and you're good to go. This is the one that's been running on here as we've been going along. I knew something was happening. You don't read books, especially books that big.
So something like this 5V battery here, you take, half hours, you take this, the stuff that's in there would actually get a little bit smaller, stick it in your backpack, you're good to go. Walk into your cafe. You don't even have to have your laptop connected to it or anything else. It's gonna sniff all that traffic. Everything it captures is either stored on the USB or sent back over to your home server. So there's some future projects. There's some things I wanted to do with this, but I ran out of time because Dan Kaminsky called me up about a week before July 8th and said, hey, I've got this bug on DNS, I need some help getting the word out, and really fucked up my schedule and time to build these. Things are fully capable of running Metasploit natively on them. I had a little bit of trouble getting the Ruby libraries and those kinds of things to work, so I just gave up on it. Core Impact actually has a Python agent, and maybe we can talk HD into coming up with a *nix-based agent or a Meterpreter that we can go ahead and link in. Fail. Yeah, so we can go ahead and run it. And what that gives you is, one of the things I found is that when you try and turn this into like a VPN server, you can connect to it remotely and do whatever I want, that a lot of that traffic actually gets blocked by Verizon. So if you go ahead and you set it up so it'll actually connect back to you at home and send the traffic across, you'll be able to go ahead and do that. You can do other stuff, man in the middle with Ettercap. You can, Karmetasploit is now working with, you don't need to use the MadWifi. No, no, they got it to work with the MadWifi. I can't remember, HD made some announcement a few days ago. Got it. And so what Karmetasploit will do is, Karmetasploit, where it will accept any SSID probe and anybody will connect into you, and then you can run all the Metasploit exploits automatically. So assuming we can get the wireless driver set, there's no reason that that can't be running on here, and then you don't
even have to fake to be AT&T. You can fake to be, well, it's just going to connect any connection to anything. The other thing that's not in that is the bridge to the internet itself, so the user doesn't realize they've been owned. Yeah, I'm next. Now, why does all this matter? Nothing new here. You guys have all seen this kind of stuff before. It's just combining a couple of simple attacks. It's combining the usual Metasploit stuff or Core Impact stuff with wireless sniffing in the background with some of the browser-based vulnerabilities that actually pass those credentials across, so you can capture all of those things and go, and then finally you can get whatever you want. So that's pretty much all I've got for this section, and turn it back over to Larry to go ahead and plow through the problems with metadata. And I'll turn the wireless on later, but I didn't want anybody fuzzing it while I was up here or, like, compromising my access point and fucking up my demo. So, but it's all in here. Pardon me while I whip this out. Oh my. Oh, sorry, I was busy. Alright, so you know it's going to be a good DEF CON presentation when it has a farting warthog. Or maybe it's just me. Alright, so I've been doing some looking at it. Now that Rich is gone, we will auction off his wireless gear starting at $20. Who has $20? Do I hear $20? $30, do I hear $30? Anyone want $30? $30, $40, $40, do I hear $40? $40, $50, $50, do I hear $50? Oh, okay, $50 is the very minimum we need to get into the strip club. So, ooh, it's not a nice strip club either. Alright, so I've been doing some research into how metadata in some common document types that we can find on web servers out there can lead to getting you owned. Ignore this slide. So what is this metadata stuff? It's some information hidden in files that is typically not revealed to the user. It's additional data for searches, filing, routing, even for potential file processing. Lawyers' offices are great for using this for doing content-based searches, those types of things. So if
you ever go to the fail blog, you'd know that secret nuclear bunker. This is something that should have been some metadata and hidden in the file; it's sitting on the sign. We can find some pretty interesting stuff in here. So let's take a look at some metadata that might get populated in a Word document, and my good friend Paul Asadoorian is sort of the butt of this joke. So this is the preferences, sorry, the options tab from Microsoft Word on my Mac, and we're filling in a bunch of stuff. My manager is allegedly Paul. It's some potential exploits, and we've got some tests of the emergency system, and we also have some page counts and word counts and all that good stuff. We can also add custom options. I've included my email and a fake telephone number. So now if we find this document out on a web server somewhere through Google, whichever, we can run that through strings, ooh lead, and find some concatenated output that includes, thank you sir, this is a test, this is a test metadata document, Paul is my manager. We also have the version of Word that created it. About halfway down it says Microsoft Word 12.0.1. So you used Office on OS X to do this? Did you find any differences between OS X and Windows? No difference. I did not find any. So one of the other things that can get revealed in some of this stuff is if you edit a document with track changes on and then turn track changes off and publish it, all those changes get stored in the metadata. So now you download the document, you've got all those changes, and Microsoft actually got bit by this a couple of times, and they had some stuff in there talking about some customers and how they evaluated and what they replaced and that type of stuff. So that may be some handy information for some attackers to know, because in one of these instances they said they evaluated both and they crossed out 126 Windows 2000 servers. Okay, might be helpful. How about Adobe Acrobat?
So again, here's the option screen for an Adobe Acrobat document. We've got some information filled in. We can do some more descriptions, my name, what shows up in PDF metadata. And again, we'll be real neat and do strings on testmetadata.pdf that I created and that may be out on a web server somewhere in your organization. So we get a bunch of stuff here as well. We get the distiller that created it, Acrobat Distiller, and we get the document OS, Windows. We get keywords, we get the author, and we get some dates as to when it was created and last modified. Now, why is that important? So if I find this document out on a web server somewhere, I know when it was created. I can likely determine when the last time this person updated. So if Rich were to post a PDF document out on his web server that was created two days ago, chances are he probably hasn't patched his machine. So if this version of Adobe Acrobat is vulnerable, I can deliver him a vulnerability for something that I know that he has on his system right now. Interesting. It's not vulnerable because I use a Mac. Mr.
Mogull has had a little bit too much to drink today, or not enough. Alright, so picture this. This picture was in an AP news story of a hacker named 0x80. Okay, so this was included in a story that he wanted to remain anonymous for. He admitted to potentially committing some felonies. When it was submitted to the AP, it had some metadata, EXIF and a bunch of other stuff, in it. It went syndicated. It got left. So if you do a strings on this particular image, which is still available via Wikipedia, we get some information that it was taken with a Canon EOS 20D, it was processed with Adobe Photoshop CS2 on the Mac by Sarah Vossen when it was done, and it has some location information. So for someone that wanted to remain anonymous, they gave up his location of Roland, Oklahoma. Is there anyone from Oklahoma here? I guess nobody. Oh, great. So that's apparently the reason why, because Roland, Oklahoma is a town of about 2,000 people. What would it take for someone to show up in Roland, Oklahoma and ask for a kid who's about 19 years old, smokes cigarettes and is into computers? Owned. So not so anonymous. So if we can do that, federal authorities can do that, especially when he cops to the crimes in a news article. So, talk about a couple of tools that I used to come up with some stuff other than strings, because all this stuff is manual download, manual search, and manual extract. First one I looked at was Goolag, which is a cool tool from the cDc. Takes all the Google Dorks scanning stuff, breaks Google's terms of service, it includes unicorn chasers. However, it wasn't the right tool for this application, because it wasn't actually looking at any of the metadata. So this one was a fail. So as this gentleman, the image is called malisha.jpg. I don't want him in my army. Oh dear god, there's a series. And why do you know this? All as I know, as I must possess them. Alright, so another tool that I discovered was MetaGoofil from Edge Security. It does automated Google queries for common document types: Word, PDF, JPEGs and so forth,
does automatic extraction and reporting, picks up user IDs, document paths, in some of the older versions of Word even MAC addresses. So now if you think about that, if you find a MAC address that's in your laptop, what kind of wireless drivers were shipped with the Dell laptop, Dave? Broadcom and Atheros. Mine currently has a Broadcom driver. How about Intel? Is that an option too? Yeah, but you have to pay more for that. Yeah, well, you never know. But so Intel wireless cards in laptops, Dave, are there any exploits for Intel drivers? There are. There's actually, the reason why I'm not on a network here, I'm just trying to pay for Broadcom and I'm not even trying to take that chance. Exactly. So now you know that there's a Dell machine that processed this particular document, through this MAC address, that potentially has drivers that are vulnerable to wireless attacks that don't even need to be connected to networks. Okay, that's some information gathering through Google. How about that? There's some problems with this on OS X; they're working on it. So here's an example of a report. I picked a document from Paul, and it shows that his user name is P. Asador. Cool. And one of the documents was created with Adobe Acrobat PDF Writer 5.0 for Windows NT. That's old. Alright, so let's take all the stuff that we've been talking about and put it together, because this is how you get pwned. It's also similar to something I think I may have seen at the hacker pimps party last night. Dance fail. So I came across this tool called Maltego. No, not a tasty malt beverage such as this. You may have heard H.D.
Moore and Val Smith talk about this. These are the guys that really turned me on to this, and this thing is really cool. So you give it some place to start, a name, a web URL, an email address, and it will go take all of its search type of bits in the background, go through all sorts of social networking sites, indexes, you name it, it goes and finds it. It will also find documents to extract metadata. So when I'm going through these, I'm going to keep with the theme of this presentation, that failure is inevitable. I failed at this because I have information disclosure out there. We'll see. So I did a search on my good buddy Paul Asadoorian, and for those of you who can't see it on the far side of the room, I've got a bunch of email addresses, we've got a phone number that actually isn't his, we can see that he's associated with SANS, and that another person shows up, Roger Dingledine. So I asked Paul, Paul, why does Roger Dingledine show up? And he told me, well, a couple of years ago I met Roger in Boston and he signed my PGP key. So obviously Paul must trust Roger. So now we have someone whom we can potentially spoof email from. This sounds kinky. Alright, so now we know someone that Paul apparently trusts that we could potentially spoof email from to Paul and deliver an attack via the document that we know that may be vulnerable. Okay, I can't even read the slides. I don't even know why it's here. Good question. Alright, so some of the documents that turned up, we can now use MetaGoofil, sorry, we can use Maltego to pull the metadata out of these documents directly. Right click, there we go. A couple of them that Paul had revealed that his username was Piazzador. We also note that there is a document linked to Paul's website that has me involved and reveals some information about me, sexual orientation maybe, and the goat. So for that I give myself a fail. Oh, I'm sorry, let me cover that up for you. Oh no, wait a minute, this part. Alright, so what do we know about some of this stuff about Paul? Dave missed it. Do you want to
see it again, Dave? It's fairly silent, this. Alright, so what do we know? Paul uses Word, and even a possible version with certain time. See, I can look down here, he doesn't have to take it off the screen. Fail. So Paul uses Word, and a possible version, with a certain vulnerable version within a certain time frame. He creates PDFs with time frames, output DLL, so we know what types of attacks to deliver. We know his email addresses, we know some potential login IDs, we know what his website is, and we know some people that he trusts, so that we can spoof some contacts and send him over some documents. I'm sure we can find some exploits for those. And what is this called? Sexy ladies in leather. We can use, just through document metadata, as well as some Google searches, to conduct spear phishing attacks. Okay, so clean up your act. Limit your exposure. If it's on the internet, it's already too late, so fail. At least take care of the stuff that's new. Clean up your Office 2003 docs. Don't put the metadata in on documents you're publishing on the internet. If you want to use it internally, great, go ahead. Just configure Office not to do this to begin with, and you can also use the Microsoft Remove Hidden Data add-on; works pretty well. You can use some metadata extraction for some other stuff, info probes but she too the rev and hack or metadata. I haven't had a chance to play with a lot of these, but I'm told they work really well. There's a few available tools for PDFs too. This particular one is Advanced PDF Tools. I still need something better, because I think this one was a trial version. I'm not willing to pay for it just yet. JPEGs, great, ExifTool is free, runs on Unix, and it's real easy to remove all the stuff. Okay, why do we have no more slides? Okay, that's it. Thank you. Hey, before you go, could you give us some more information on that tool you're using, Montego? Before you go, could you give everybody some more information on the tool you're using, Montego, because I've never heard of it, so I assumed a lot of
people really so yeah quick google search for Maltego M-A-L-T-E-G-O you'll turn up the tool and of course I can't remember the name of the company that is doing it it's by Rolof Temming from South Africa Paterva it's on the backtrack 3 CD Rolof was kind enough to give a license to the backtrack folks to include that so check it out on there too before you go and download it it is a pay for tool now it's still for the type of powerful tool it is it's very inexpensive you heard it where is the demo podcasters meet up I'm from the south when we get on stage people in the south we always say howdy we were wearing cowboy boots but I'm not quite that gay not quite on my window of vista screen did we get my desk up awesome side show so I make a lot of jokes so yesterday I was heckling everybody because yesterday I actually gave a presentation and I have to rant a little bit before we start I have to rant a little bit before we start because I don't know if everybody might not know a couple of years ago I found some problems in Apple computers and the problem with finding anything in Apple computers is that Apple's outlets will then instantly try to tear everything apart so yesterday because I used an iPhone and the general principle was the same kind of stuff rich in what we were talking about you take an iPhone you put it in a box and we ship it somewhere while it's sitting there in somebody's mail room because you're supposed to send it to a non-existent person so it doesn't get delivered somebody opens the box and thinks it's a bomb so while it's sitting there in the mail room generally for pentests in the past we've had access to their internal network so using a connect back program on the iPhone we can actually connect to the iPhone then use the Wi-Fi interface on the iPhone to attack the network so I started getting all kinds of hate mail last night to start it off with the iPhone you just shift them and start using it you can just right there in the Guinness 
bottle the Guinness bottle use the bottle use the force so it always annoys me because half of the security problems that you've seen or talked about today in this panel are because people think that our experts who really aren't so if anyone asks me I'm not really an expert in anything but for some reason I get emails from assistants who are Mac fans telling me why my attack can't possibly work and that's kind of annoying so I'd like to call upon everybody today to start the cult of the non-Mac user if you see a Mac user who is professing to be an expert in anything please hit them with something preferably they're Mac it's that rich, rich is a good guy alright we'll have to add this thing over there no pig me, mutilations so I have a blog called eredice.blogspot.com and occasionally before I stop drinking would drink something then get an idea under my head that I could probably do something at one point I thought I might be able to be an Olympic athlete in drinking but a couple of months ago I was like I can be an artist I read XKCD, I can do that so the funny thing about this is this is my epic fail because apparently I don't do it very well but this is an actual conversation I've had with somebody they have a bunch of security tools they run the security tools and if it's not on their checklist it's not a problem so this is my attempt at humor because literally somebody had an open SMB share that had PeopleSoft payroll data so basically you could connect with no authentication grab the PeopleSoft data and see what everybody in the company was being paid they told the CSO this so he goes well our ISS scans don't show anything it's like well that doesn't matter it's right there he goes well according to compliance we're compliant so this is the kind of stuff that actually really keeps me up at night because these are the kind of people that are protecting you your enterprise even your consumer information no I didn't write ISS Chris Klaus wrote ISS I'm sorry you 
just get really sucked in up here with this so this is basically what's wrong with security everybody here has a web browser right I'm going to tell you a funny story personally I've been an identity theft victim twice the last time was in February I got a call from my bank on a Saturday morning at 6am excuse me sir where are you I was like I'm in bed and they were like no sir what country are you in at this point I'm irate because it's 6am and I had a hangover and I was like what country do you think I'm in you just called me so they started getting irate with me and they were like sir this is a fraud department I'm like oh crap what did I do last night I was like no sir we show you have activity on your credit card in Guatemala have you been to any chicken restaurants in Guatemala and I found this to be utterly hilarious because I didn't know there were specifically chicken restaurants in Guatemala like Polo Leoco or something like that so the long story made much sure that somebody spent $2,800 for my credit card in five hours on a Friday night in Guatemala and I can only think what the hell can you buy for $2,800 on a Friday night in Guatemala somebody must have had a hell of a good time so I was like I'm careful I don't really shop online that much I don't throw receipts away I shred everything I follow everything everybody tells me to and more to the point I do this for a living so I know what pitfalls to avoid how the hell did this happen to me it happened to me because many people don't know this I actually like guns a lot so I actually build custom long distance shooting rifles and stuff like this in a site I had bought a custom stock and had apparently been compromised Visa told me it was a point of convergence and if anybody know what that means that actually doesn't really mean anything that just means that some fishers were using it to verify whether the credit card data was real or not so I started getting an idea so I've worked for security companies 
in the past I've evaluated almost every security tool and I'd like to take this moment to point out that Chris Hoff is the only person on this panel to wear sunglasses inside he is a David Caruso of this panel so if you don't know who David Caruso is that's freaking funny wasn't me so the point is I work for security companies that made every kind of security product you can imagine and there's one thing that we'd always get done and I don't know if anybody have ever seen a sales pitch from a security company if you haven't I highly recommend doing it at least once it's kind of like getting your penis pierced you'll do it once tell your friends about it and never ever want to do it again Rich told me that story how many times have you pierced your penis well me none because I'm a chicken Dave I can attest to that fact you know the problem with a panel like this is you throw out a joke like that thinking you're just going to go on and then you feel uncomfortable suddenly that's not what you said last night to Hoff some things are just better left unsaid so a typical sales pitch from a security company you know the sales guy would come in buy those sell high don't worry about it I got a polo shirt I'm trustworthy and he'll bring with him a sales engineer and a sales engineer is a guy that's going to answer all your sales questions so formally being an engineer an actual sales company I look at sales engineers as sales guys that have a sheet with answers on them now if you're a sales engineer and I'm offending you I'm sorry so you can hide your sheet of questions and answers before anybody sees them and we won't make fun of you hey howdy you're actually pretty cute how are you doing that's JJ whose shoes I had to carry around Vegas and body Hoff had to carry around Vegas the other night until we got her back in her room well wait I have to be honest this story sounds far more interesting than this talk wait a minute there's women at DEF CON when did this happen so the 
point is and I've had to do this before is they'll always bring in something that shows you why they're better than competitors that's why they're there they're there to explain to you the differences otherwise this could be just like the Amazon of security you'd be like I need some IPS Fortinet's got the lowest price I'm going to go with them you know so what they want to do is they want to explain to you why you're going to buy twice as much for a product that does half as much so what they'll always do is they'll bring demos with them and say hey look at this this is like the MS-03026 DCRPC exploit tipping point doesn't catch it but our product does so what they're not telling you is that someone at some point like me had went through and analyzed all the other competitors signatures and has come up with a demo that will evade everybody but our product so you know it's kind of disingenuous I have to be kind of honest about that but so the point is any security product with enough time can catch or fail at anything you know so I used to work for ISS and if you spend enough time you can almost any attack pass them same thing for tipping point tipping point is a little bit easier than ISS but it's still there you know all these things so one of the problems is most people like my mother is very unarmed when it comes to the internet this is are we telling mother jokes now wait oh I can't spell that's actually my dirty secret I never learned to read I can read Hex but once I translate to Hex and ask you I don't know what the hell it says so Rich how about you have a seat you know it's bad when the analyst is doing tech support so you know bringing this full circle to the story of how I got owned in somebody in Guatemala I had a hell of a night at my expense I was thinking why the hell isn't everyone armed I mean to be honest everybody uses a wild west metaphor for the internet anyway you know I'm sure if you google wild west internet you'll find 9 million stories 
written by cnet reporters about how the internet is a wild wild west and you should buy Kaspersky antivirus or something like that to keep you safe maybe even some by Gartner analysts yeah well I'm sure I do not work for Gartner anymore so on Monday of actually two days from today Arrest Security the company I work for we'll be releasing a tool it's basically a tool bar that runs in the internet's floor that will actually do a vulnerability scan on every site you serve and there's a reason for this we're not looking for deep inspection stuff like arsenic would look for we're looking for a low hanging fruit like you can do easy PHP includes or you're easily susceptible to SQL injection the reason we're releasing the tool to do this is it's really going to piss every security vendor in the world off because what's going to happen is once you start surfing all these sites all these security tools people bought are going to light up like Christmas trees because the signatures that are written aren't very good everybody that uses this tool and surfs to the site will look like an attacker suddenly Amazon will have nine million attackers well I'm not assuming nine million people will use the tool but it'll start looking like it so we're going to call it barrier because I'm actually a dork and I love ghosts in the show but this is the actual plan so the reason we're doing this is for some reason security companies don't think end users should have the ability to determine whether a site is good I mean even the Google stuff goes send it back to us we'll analyze it and then we'll tell you via toolbar whether it's good or not we like to put the power to do that into the user's hands now I know this sounds like a bad idea from people who are still trying to find the any key this might be a kind of giving kids AK-47s it's working on quality and poor it might work out here so that's what we're going to do we're going to run a demo because somebody here does have somebody here 
does have Broadcom Wireless O-Day and I'm not turning on my laptop no thank you no thank you oh no you can't do it over your video the interface is different so you have to just have the adapter but this is what it looks like this is what the interface looks like this is the so if you've ever run any of our tools before we have two other tools called Looking Glass and ActSpan and Looking Glass basically looks and see how compatible an application is with Microsoft's SDL and ActSpan will actually just go through and look for all the known bad active X controls so we always have this information screen and this down here will give you information from us it'll be a web page but basically this is the scan so you won't actually have to worry about this because this is going to be populated from your address field but basically when you run this tool you'll be running a vulnerability scan on every site you visit and like I said I attribute this or I kind of compare this to army everybody in the wild west because I really do believe neighbors with guns make good neighbors so somebody likes that idea not a lot of NRA members here huh I'm not going to plug anything you can do I look that crazy so Dave works with Rob Graham Sir and Fair at the side jacking tools and it took about how many nine months before you stopped using your Gmail when Rob was sitting across the table I have actually stopped using Wi-Fi all together it's kind of like heroin I went cold turkey I don't even use Wi-Fi in my home anymore I have a built in HSDPA card but for some reason Christopher Hoff killed my HSDPA card with those sunglasses so that's basically my portion of the presentation aside from the heckling is that on Monday if you want you'll be able to download a toolbar so to answer a question before anyone asks we decided to do it as a toolbar because we want to be able to evaluate SSL data as well after it gets rendered so we need access to the DOM and we didn't really want to do it in such 
a way that it's a proxy and right now it's it is just Internet Explorer only so if you're a Firefox fan you're probably safe anyway or Safari so without further ado I'll turn this back over to Mr. Mogul who I want to capture after this and make him tell me what a pot of gold is does anybody ever think Pokemon? Pikachu I'm a leprechaun dude come up with a good one short red hair look like I'm irish jewish but I married an irish chick so it works out you didn't tell us you were going to have clip art man okay we've got about 10 minutes left for Q&A look we've covered a lot of different things today honestly some of that was trying to figure out how the fuck we could put all this stuff together into one panel and have a little bit of fun and we probably utterly failed but I think the goal of this is a lot of things we show are simple you take this grid app thing that's supposed to be this incredibly hard convoluted mathematical impossibility and arsenate cracks it in like 2 minutes by hand on stage with the short password and when long passwords make it easier and really bad keynote skills and that's because arsenake is a pimp keynote skills we had to convert his stuff from powerpoint you know Larry learned how to hide things in his baby which we are worried about in most states that would get you arrested we've got a question right there shout it out so his question was because we're recording this doesn't the tool make you Dave look like a hacker whoever is using it to the site there's a method to this madness in reality before you leave home you check it to make sure it's locked you know if you walk up to a business and you know they're closed and you try to open the door to the door's locked you by default have interrogative techniques to know if the places you are safe for instance if you're going to a strip club and there's guys with guns outside it's probably not a strip club you want to go to I use a lot of strip clubs in my metaphors so the problem is that 
the internet has become a place where any activity to determine whether you're safe or not looks bad and this is because security companies are very lazy and they want to see in the search to cover a wide range of attacks so yes you will look like an attacker yes yes you would look like an attacker to your own bank the problem is is that as more people use tools like this the profile of what an attacker is has to change the three people who are going to use that tool my mom's going to use it yeah Dave Rob and Dave's mom we had all three my mom's been using it for quite some time she just doesn't know it alright any other questions this is a long one we feel we thank you for saying through it when we're drinking and leaving to go to the bathroom and you didn't what alright that's gone way too far thank you all for joining us today we're going to get the hell off this stage enjoy the rest of DEF CON