Now we have the next talk, Introduction to Network Security by nomaster. nomaster is part of the Chaosdorf here, and is also an active member of the Freifunk community, and he likes to take a practical approach to things. So I think we will have a very practical introduction to network security now. nomaster.

Well, thank you. This is my very first talk at the Congress. I'm so excited. I hope I'm not dissolving myself somewhere in the middle. Also, I'm glad you're all here. I've been asked to give some introduction that is probably more for the beginners, so I hope that you can enjoy what I'm speaking about, and that it's neither the problem that you don't get what I'm talking about, nor that you have all heard of that before. So let's see where we can take this, yeah?

So my idea was, like, practical, as you said. How can I give you some idea about what the actual issue with network security is? At the NOC, we get asked a lot: is this network really secure to connect to? And the usual answer is: the network is in itself not secure. It's your system, your laptop, that should be secure. But what is actually a realistic thing that can happen here? That's what I want to show you. I have brought you three examples for that. I hope that gives you some insight.

So first, before we start, we need some mindset for that. The network stack we have, here's a totally oversimplified version of it. It relies on different layers, as you may have heard. So every computer has some medium access control address. That's the MAC address. It's not about Apple computers. We have the internet protocol address, which is additional to that. And on top of these, we have the application that uses some TCP or UDP socket and the protocol defined for that. You know that, huh? OK, so what really matters to us is the two layers here, because this is the network that you're using. These are the protocols that are involved with that.
The other stuff is on the systems, the client and the server. And this is where the data goes. Of course, what we want to accomplish here is that no one can look into the application other than the client and the server. So your privacy is compromised when third parties have access to that. You probably see the S here at the end. We will talk about that later.

So first, so that we know what we're talking about, the easy examples here. IP address: you have seen that, IPv4, which is typically your home router's address, maybe. And IPv6; I have brought you a very simple example of that, which is just a longer version, usually written down in hexadecimal. So that's the IP address. And then we have the MAC address. This is a very unique address that every computer has on the network. So this is usually burned in on your device. You just start it up, it has the MAC address, and it uses that MAC address to communicate on the network, for example, to get an IP address. And this is where the bad things can happen then.

So my first example is ARP spoofing. Who has heard of ARP spoofing? So, no point in explaining that. But I guess the rows in the back didn't raise their hands, so I'll get to you then. I usually like using whiteboards. I don't have one here, so I used my computer last night to make some whiteboard notes. I hope you can read that. My handwriting is really bad. So what we use here for the resolution of ARP addresses, of MAC addresses to IP addresses, is the ARP protocol. As you know, as I told you, the MAC address is burned in on your device. And the IP address, which your computer uses to communicate on the internet, is then assigned to the computer. We need this address to be able to route a packet through to your computer. It probably needs to travel all over the world and reach its destination. So this is why we have two totally different address spaces. One just gives your computer a unique address, which is always used, which is the MAC address.
And the other one, the IP address, is always individual to the location you are at. Smart people know that the IPv4 address I showed you is not really unique, but we are simplifying things here. So on the local network, your router has to give the network packet to your client, to your computer. And to be able to do that, each one of these needs to know the MAC address of the computer that has the IP address for which the packet is destined. In this case here, the client asks for the IP address of the router. It sends a broadcast frame to the network, which is an ARP frame, and asks who has the IP address. And the router answers: the IP address is at my MAC address. So what happens here, if you look closely, is that the router sends a packet. It says the IP address is at this MAC address. You get an idea?

So what happens if someone tries to steal your traffic? They can send a reply saying: someone asked for the MAC address of the router, and the MAC address is that address. And what they do is they send a false MAC address, which is their address and not really the router's, into the network, so that your client learns the address and says: OK, well, then the router has the MAC address this and that, and it sends its packets to you, to the attacker. You're looking at this from the attacker's perspective. So then the problem is, for the client, you don't see anything happening on the client other than the usual data flow commencing. The client sends the traffic to the attacker, which just forwards the packets to the router and back. So it is then able, if it has also compromised the address of the client, to observe any traffic that happens on the network, transparently, by just piping it through and looking at it. And I wrote observing, but of course, if you get hold of the packet, you can also modify it. So this is a very old-school type of network attack. And you now get the impression of how that works.
Hopefully, you then also get an idea of how to prevent that. What we have on the networks nowadays is switches that have security features. But you must be aware that on a usual network, this is not always the case. So every network you encounter is probably vulnerable to that kind of attack.

So the next thing would then be DNS hijacking. This attack is on a somewhat different layer of the protocol. It uses the DNS system. The DNS system is, of course, for the resolution of a host name to an IP address. So we have another layer here. It's not the IP address to the MAC address, but the host name to the IP address. That enables us to do a similar attack, but not only on our local network, but also on every host on the internet. What we then do is we try to get hold of the IP address of the DNS server. Usually, the client asks the DNS server for the address of the real server it tries to connect to, in this case an A record, which is the IP address. And the DNS server returns the IP address of the server in question. Then the client connects to the server and gets an answer back. Obviously, if we can somehow get hold of the DNS server's address, we can then do the same thing as before. We can't return our MAC address, because we're not on the same network, but we can return our IP address, which the client connects to. It can be on any host on the internet. So we return our own IP address instead, and the client sends the traffic to us. And we then, again, transparently forward that traffic to the server. And we see every request happening there. In that case, we don't observe the traffic coming back from the server to the client. We would also have to attack the server for that. But always keep in mind that the payload of the traffic is maybe not very interesting for an attacker. They just want to know which address you're really requesting. So very many of the privacy issues come from the metadata of the packets.
Not with the metadata, exactly. In that case, it's the additional data. So, which host name are we requesting? You can imagine some host names are worse than others to disclose. So those would be two examples on the usual networks.

What we also have at the Congress, what we get questions about, is the access points. That is a more complicated thing here. Of course, when we connect a computer to a switch, we see that we just took a cable and plugged it into a switch. So the computer is connected to that switch. The wireless system works very similarly. The engineers designed wireless traffic, the Wi-Fi system, to work as a wireless Ethernet. So it works as if I would plug my computer into a switch, but instead it connects to the access point. So what I have on my computer is a system that chooses the access point to connect to and does that automatically. So it works just as if I had an assistant who, when I move my computer, takes the cable from one switch and plugs it into another, so that I don't have to care about that. It just makes sure that the connection stays up. When we think about it like that, we can see that there are issues. What we need to know first is that the network is identified by an SSID. This just means that I know which group of switches I want to connect to. At this conference, it's the 35C3 network. At home, you have probably chosen your own cool network name for that, but you may not have thought about the fact that at home you have one access point, whereas here we have hundreds of them, and your computer changes the connection to the access point all the time. So, to prevent your neighbors from connecting to your network, we have these encryption protocols. In the past there was WEP, which is just broken and obsolete. So we now have the WPA protocol. And for that we use a pre-shared key, the Wi-Fi password.
So the usual thing is, you go to your neighbor, to your friends, to a cafe, and you ask them what the Wi-Fi password is, and you just use that. One issue here is that it's only for preventing other parties from using your network. Everyone who has hold of the pre-shared key is able to connect not only to your network, but is potentially able to decrypt all the traffic that is running through it. Then another problem is that I can, say, place another access point which has the same SSID as the currently existing network, but it's not an official access point, but my own. What then happens is that the client just connects to that access point, for example because the reception of the signal is just stronger; you can move it towards the attacked computer, and it then just sends the same beacon with the same SSID as the attacked network to the client. The client connects to the access point and sends its traffic through to it, and of course the way back. You could do that on the network here, but we strongly ask you not to do that. Just one reason is that we don't want too many access points running around here with too many channels in use. The other thing is, of course, you shouldn't attack other people's computers. I'm just explaining here how that works so that you get an idea of how to prevent that.

At this Congress, we have a system that is used in enterprise environments to prevent you from doing that, which uses another layer of encryption. It works like this: the access point needs a certificate to make sure that it is an official access point you connect to. What happens then is that in the beacon there is some encryption stuff, and your computer can check whether the access point is really valid. When you set up your wireless connection here with the Android app (there is some Android app in the Play Store), this one generates a configuration in which a certificate is written down. Only the official access points here hold the key for the connections then.
So your computer, which in that case is your smartphone, can make sure that the access point is official. On your laptop, you have to configure it by hand. I would like you to try that out. Go forward and look into the wiki. There are details on how to configure that. There are some handshake protocols, some encryption tunnel, there's a domain name, a fingerprint for the certificate, and you can say: please make sure that the certificate is valid. Only then does this attack not work anymore. At your home, you probably don't have this enterprise authentication system, which needs another server, which needs to be configured and running, and usual home networks don't have that. In the future, with WPA3, there comes an extension which introduces that kind of protection.

So, what can you do about that? I would recommend that you make sure you have a basic knowledge of the protocol definitions and the standards. Just look at the internet. There are RFCs, the Requests for Comments, protocol documents you can read about how that stuff really works. And you see, when you read how it really works and you get your understanding of it, you also get an imagination of everything that can go wrong there. So, also approaching that from the other side, read through the internet. There is plenty of documentation, not only explaining more precisely and more clearly what I explained to you here, but also all kinds of different other attacks. And also, these give you a broader imagination of how stuff works. This also gives you an insight into how to really protect yourself. And I mean, if you only want to do that, as I said, use HTTPS, which is a secure protocol for the application. So the application client makes sure it connects to a valid server and encrypts all the traffic between them. So most of your traffic is not observable, even if these attacks are in place. And that is very important.
We have, fortunately, had a big increase in encrypted HTTP traffic in the past, thanks to the Let's Encrypt organization, and we're always very grateful for that. Yeah, and if you want, you can try that out. Build your own WPA-EAP, Enterprise Authentication Protocol system. But that is, of course, also only limited. What you can do that's even more practical is, just with your laptop on your Congress network, look at the traffic: type sudo tcpdump, this and that, and you just see the packets flowing in and out of your computer. You can check out the route packets actually take with the traceroute software, the simple traceroute protocol, or the more sophisticated program MTR helps with that. And you can learn a lot by using a program like Scapy. I can recommend that to you. It's a simple Python shell that enables you to forge packets. You can say, like: I want a packet that has this source address, this destination address, and looks like that. Please always be respectful to others. Be excellent to each other. Use these tools to learn for yourself and to learn how traffic between your system and maybe your other system or your friend's system is working. Maybe you can pair with another person here with their computer and try that out. Yeah, so I hope I could spark your interest. And I guess my time's over now. So no real Q and A, I'm sorry. Thank you.

Thank you for this really good introduction. And you were exactly on time, but sorry, no time left for Q and A. But I'm sure they can all find you and ask questions.

Yeah, I'll be over there at Chaosdorf if you want.

OK, so let's have a nice warm thank you. Thank you, applause for nomaster again.
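The ARP spoofing the talk walks through can be spotted passively from the defender's side. The following is an added example, not code from the talk or from nomaster: a small Python monitor that reads ARP replies as (sender IP, sender MAC) pairs (the frames below are constructed sample data, not captured traffic) and flags an IP whose MAC changes, as well as one MAC that claims several IPs.

```python
"""Passive ARP-spoofing detector: watches ARP replies ("IP X is at MAC Y")
and flags the two symptoms the talk describes: a known IP (e.g. the router)
suddenly answering from a different MAC, and one MAC claiming several IPs
(the attacker relaying for both router and client). Heuristic only: a host
that legitimately owns several IPs will also trigger the second alert."""
from collections import defaultdict

class ArpMonitor:
    def __init__(self, known=None):
        # ip -> mac learned so far; may be seeded with trusted pairs (the gateway)
        self.table = {ip: mac.lower() for ip, mac in (known or {}).items()}
        # mac -> set of ips that mac has claimed in ARP replies
        self.claims = defaultdict(set)

    def observe(self, ip, mac):
        """Record one ARP reply; return the alerts it raises (empty if consistent)."""
        mac = mac.lower()
        alerts = []
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip} moved from {prev} to {mac}: possible ARP spoofing")
        self.table[ip] = mac
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(self.claims[mac])}: possible MITM relay")
        return alerts

def scan(replies, known=None):
    """Run a sequence of (sender_ip, sender_mac) ARP replies through the monitor."""
    mon = ArpMonitor(known)
    alerts = []
    for ip, mac in replies:
        alerts.extend(mon.observe(ip, mac))
    return alerts

# Constructed sample data (not captured traffic): the router answers from
# ...:01 and a client from ...:02, then a third station claims both addresses.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "AA:BB:CC:00:00:01"),   # same MAC, different case: consistent
    ("192.168.1.20", "aa:bb:cc:00:00:02"),
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # router now "at" a new MAC
    ("192.168.1.20", "aa:bb:cc:00:00:99"),  # the same MAC grabs the client too
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```

Seeding `known` with the gateway's real MAC catches a spoofed router reply on the very first frame instead of after the first legitimate one.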