So a little bit about Pink, the speaker: former Black Badge winner through Capture the Packet, and he's going to talk about, you know, something, something hard-to-reach places. It's bound to be a good one. Without much further ado, Silas Cutler, Pink.

Hey. So, formally this was "Sniffing the Hard to Reach Places." However, we changed it slightly to "Burning the Lookout." So, I don't just go by Pink; my name is Silas Cutler. I'm a senior security researcher for CrowdStrike. I also run two projects that folks know me for. One of which is MalShare, which is a site similar to VirusTotal; we offer free malware samples. And an internet scanning project called 25499. Depending on if you're a vendor and you ask who I am, or what level I'm at, I'm an intern, because, yeah. Contact information: feel free to reach out afterwards if I don't, or am unable to, answer any questions you have.

So, in this talk we're going to talk a little bit about lawful intercept. Just out of a quick show of hands, how many people are familiar with what lawful intercept entails? So, a lot of fresh faces. So, what we're going to talk about is very commonly known as wiretapping, and this is how they do it at the ISP and carrier level. So, I'm going to let you know very upfront, I am not an expert in lawful intercept. I'm a security researcher; I follow breadcrumbs from one place to another. Through that, I've learned about lawful intercept while researching this system.

So, lawful intercept, in a very formal definition, provides law enforcement the tools and access they need in order to conduct investigations. So, if they have a suspect, they can work with an ISP, who will provide them the ability to capture the things they need for their case. There are two really important laws and standards that are the sort of framework for how this works. The first is CALEA, which is the Communications Assistance for Law Enforcement Act.
I've also seen it called the Computer Assistance for Law Enforcement Act, and then the other is ETSI, which is the European Telecommunications Standards Institute. And they sort of define here's what the protocols are that hardware needs to speak and what data should be collected. Cisco has some amazing documentation for their routers and switches on doing this. And so, basically, ISPs will provide through their infrastructure the ability for law enforcement to place taps on people. With that, it's also access to things like subscriber information, so they don't have to say, "this IP address, I want to tap"; it's "I want to tap Silas Cutler's phone," like that's the name, and their system will look up my subscriber information and any IP address or phone number I'm calling from, and they'll be able to tap it without a problem.

So, these systems are usually comprised of three different components: the intercept access point, usually the switch or wherever my traffic is passing through; the mediation device, which is something we're going to talk a little about in a few minutes; and what's called the Lawful Intercept Administration, which controls subscriber information and verifies that they can place taps when they need to.

So, this whole story started a few years ago on what is probably my favorite site on the internet, Pastebin. I've been scraping Pastebin now with a 99.99% capture rate for about eight years. I have keywords set up, so if you post something with any of the sort of keywords I'm watching for, I'll get an email alert. And it's really important, because in the days when Anonymous was heavily active, they were sharing configuration scripts, and so I was able to watch all of those. In 2015, I was doing some work for an Iranian and Middle Eastern cyber group, so I had a keyword set up for "cyber army," which triggered on this really unusual paste. This paste was somebody who had claimed to have hacked the Brazilian army after they had done a capture the flag event.
I know what you might be thinking, which is, how does this relate to lawful intercept? But we're going to get there in a second. So in this paste, they had included three addresses that they claimed to have hacked. And it was a very tongue-in-cheek post saying, you guys like to play hackers, but we're going to show you our skills. So I was curious and decided to check out what one of those sites looked like, which I assume you're all curious about as well. So I fired up a Tor browser and was presented with this: an invalid SSL certificate, because it had expired. But what it then took me to was this, which is the login panel for one of these mediation devices, for something called Vigia, the Vigia Interception Achievement Suite. And so this is one of those systems that law enforcement uses to log in and place taps or view the records from somebody they've tapped. And this made me really uncomfortable, as it should all of you, because I was able to publicly access this system, which it shouldn't be. Since its release, they've actually done their updates. But again, they haven't updated their SSL certificates, which are expired.

So I dug a little more. And I found that Vigia is actually developed by a company out of Buenos Aires, Suntech. This is their interface, and they have a lot of information on their site about how, with their product, they can assist law enforcement in fulfilling all of the needs they have for an investigation. Now, I'm not here to sway one way or another on things like surveillance and lawful intercept, but I was concerned because all three of these systems were Vigia mediation devices, which shouldn't be publicly accessible. So I started digging further to try and find out how many of these are out there. Where are they? How many other places could I find one of these mediation devices? So I'm a huge fan of Censys. The guys at the University of Michigan have done amazing work, and it's a really awesome tool.
So I started from those three sites, trying to collect any sort of static elements that I could find. So looking at things like the SSL certificate, I noticed the common name was vigia.vivo.com.br. And Vivo is a pretty important telecom provider, which they very directly identify as part of their DNS name also, and that resolves to that intercept point. So through SSL information, through DNS information, I was able to start searching and hunting for more of these. As I was looking, I found things like passive DNS, which indicated all of these systems started having common things. So the DNS names were vigia.something. The SSL information had either Suntech or Vigia to identify what it was. And so this started to become a pattern, where there was a pretty easy way to spot these. And then this was all for naught, because the civil police of the state of Santa Catarina actually listed three of the systems in their bookmarks tab for everyone. So these were very directly being used by law enforcement. I've actually redacted part of the session ID, which they left in the shortcut. Come on, guys.

So, I mapped it all out. With the six that I had conclusively found, I was really hoping to see them all over the world, but instead there's a really nice little cluster. And my geography of South America is a little rough, so I had to zoom in. And it was very clear that all six of these were in Brazil. And I was able to map them to some of their largest telecom providers. So each of these providers is providing law enforcement wiretap ability through these Vigia systems. So police in these areas, hopefully police, can go in and place taps, view wiretap logs, and collect information on suspects. Hopefully law enforcement.

So, why this matters. How many of you are familiar with the Olympics in Greece from 2004-2005?
I know it's not really a specific thing, but it was a few years ago, because what ended up happening was there was a pretty severe diplomatic and international incident, because someone had broken into the Ericsson switches used by Vodafone in Greece and placed taps on state officials. I think the prime minister was also included, where their phones were tapped during the Olympics. So a pretty important time politically and culturally, where some third party had been listening to all their calls and reporting all their data. The actual perpetrators behind this aren't known. It was suspected to be a country that we all are maybe standing in. And actually, the switches themselves, the Ericsson switches, originally didn't have the lawful intercept feature installed, so someone actually installed it, because it doesn't always come by default with switches and things. It was also called the Greek Watergate incident.

So right now, these systems are out there. They are poorly set up, so they are being targeted by people, because the post from Pastebin was from a hacktivist group that said that this was a target of theirs and they had broken into it already. So there's hacktivists targeting these. There's governments targeting these. And there's also the very significant potential for cyber criminals to target these, because if you can control someone's traffic, you can collect a lot of really sensitive information, which can be exploited for financial gain through online banking, online shopping. So there's a significant risk that is being placed on the people where these systems are deployed. And one of the other points to make as well is that this is likely not the only setup like this out there. There's likely other vendors that have weak and vulnerable lawful intercept mediation devices that could be attacked by third parties.
And as a community, I think we need to hold the vendors and the developers of these to a higher standard, where things like two-factor authentication, valid certificates, and not being publicly accessible are a requirement and not just a hope or want. And as a final point as well: as of last night at about 11 p.m., that's the population of Brazil. So all of those people are technically at risk of having their traffic and their communications intercepted, because these devices are vulnerable. So I like the 20-minute talks because they're very quick and to the point. So, questions? Anything I could explain more?

Yes. Any type of this access, excuse me? Domestically. Domestically. I have not. But CALEA was written for the U.S.; there are telecom standards in the U.S. that require these same systems. And there's actually been some phenomenal research from, I think it was FX of Phenoelit and Tom, I want to say Cross, from IBM X-Force in 2010, where they talk about some of these systems, at least as deployed in the U.S. and in Europe, but more at the intercept gateway or the intercept access point, where the actual switch has the ability to receive tap information and to send that information. So they are here in the U.S. as well for law enforcement. However, the deployment of the mediation devices I'm not sure about. Anything else?

Awesome. Well, thank you. If you have any questions, please feel free to email me and/or contact me on Twitter.