It's Sunday morning at 10 a.m. at DEF CON. Be amazed: I'm alive. I didn't say not hungover, I said alive. So, everyone, I'm Dan. If you're expecting some, you know, second Dan Kaminsky talk, that's not at all what this is about. A couple of months ago Tiffany and endgrain came to me asking for some data; for some reason they thought I had DNS information. And I asked, you know, what for, and they actually explained it to me. I'm not going to steal endgrain's thunder, but it was one of those really classic things: hacking is not about, you know, some crazy stunt you pull. Sometimes it's just about noticing something so painfully obvious you're amazed it's never come up in discussion before. I was really impressed. I thought it was something that really should be at DEF CON, and I think we really do need to have more speakers, more mentorship in our community. So I said, dude, come out to DEF CON, present your data, we'll all like it and we'll all come and listen to you talk. So that's what we're here for, and I will give the mic over to endgrain.

How's everyone doing? Yeah, thanks. This is my first time at DEF CON and presenting, so thank you. Thank you. Hi. Endgrain, drink? No, thanks. No, thanks. I'm also, I am endgrain, but my real name is Elliott Bradbury. Here we go. Well, first of all, I just want to say that while the information in my section of the presentation is specific to USM, we actually found that it applies to a lot of other universities. So I don't want to give the impression that we're targeting the University of Southern Maine, because that's not what we're trying to do here.

Okay, so, discovery. Well, I first connected to the USM network in the spring of 2008, and it was on the wireless network on our campus. I just want to start by saying our campus is split between two cities, so it's kind of weird: one of the cities has all the dorms, and then there are some classrooms there, and then the other campus has all classrooms.
So when I say wireless network, I'm usually talking about the campus that's all classrooms, that's in Portland. So I first connected to that network in the spring of 2008, and naturally one of the first things I did was connect to IRC, you know, just as usual. Thanks. So I was just hanging out, joined the normal servers that I do, and all of a sudden I realized that people were addressing me with my full name. And I thought, okay, either I got hacked or someone's just playing a joke on me. I just dug around a little bit; it really only took a simple whois on myself, and I discovered that, first of all, the DHCP server that's used on the wireless network leases internet-routable, completely public IP addresses, and that, more importantly, the domain names take the form firstname-lastname.wireless.usm.maine.edu. And I was just, yeah, awesome. Thank you for that.

So later, in the fall of 2008, I moved on campus, you know, so now to the other city, Gorham, and discovered that the dorms have a similar configuration. In the dorms you generally use the wired Ethernet LAN there, so that network has a similar configuration: your domain name is firstname-lastname.dorm.usm.maine.edu. And actually, earlier this summer I had to go into the IT office on campus to get some help with a separate issue. I don't know if anyone uses Horde, the webmail client, but it logs where you last logged in from, the IP address or the domain name. And so when I went into the office, the person that helped me let me log into my email account from there, so that kind of exposed that they're using a similar configuration even for their own IT staff. Their domain names take the form [first initial][middle initial][last name].acs.usm.maine.edu. So even from within the IT network, they have a similar configuration. So what does this mean?
Exactly. With these unnecessarily verbose domain names, it means that sensitive information is now unnecessarily public. It's out there for anyone; you know, it just takes a simple reverse DNS lookup and you have all this information. So what information exactly does the domain name that is assigned to you when you connect to these different networks contain? Well, the most general thing, and pretty much unavoidable, is that the user is attending a Maine university. You really can't avoid that piece of information. More specifically, that the user is attending the University of Southern Maine, and how the user is connected to the network. Well, there are basically two ways that you connect: there's the wireless network, or there's the wired LAN in the dorms. And especially with prior knowledge of how the campus is set up, the split campus, it's easy to get an approximate physical location from your domain name just from looking at it, because there's either the wireless subdomain or the dorm subdomain. Lastly, and most importantly, the user's full name is in there for everyone to see. So the bottom line is that it's just an unacceptable policy. Why on earth are they using these naming conventions when you access the network, when you log in? Why is it like this?

So, at about the time that I realized that this was a really bad thing, I wanted to do more research, so I decided to turn it into a class project for Tiffany. This is when I started looking into how access is controlled on the network. The wireless network is not open to the public, so there are some forms of access control. I remember when I first connected, I think I was using my laptop, you're required to log in with your university account. This is probably very common; probably, you know, any other college students could confirm that their universities do a similar thing. So basically, the first time you connect a device,
you're redirected to a web page that asks you to enter your university account information. And at USM, actually, when you go to the page it tells you, this is your MAC address, so enter your password. So it was pretty obvious that what they were doing for an access control system was pairing your MAC address with your university account. So if you successfully authenticate, then that MAC address is permanently paired with your account, and it's also paired with a semi-static public IP address. I say semi-static because it's reserved for you, but they still use DHCP. And I want to stress public IP address, meaning that it's internet-routable. You're not shielded by any edge devices; there aren't any routers in your way. Everyone's just right out there, completely public IP addresses. So after you go through this authentication process for the first time, subsequent access to the network is just automatic. You don't have to log in every time you want to use the network, and that's because you've already registered that device, you've already registered that MAC address. So there's this network-wide device registration database, and it somehow interfaces with the DHCP server so that it leases the correct IP address to you.

Okay, so, weaknesses in this access control system. Well, complete trust is placed in the MAC address as a unique identifier, which isn't a bad thing, but it shouldn't be trusted as something that can never be changed. Everyone knows that you can spoof MAC addresses. Okay, so that's probably the biggest weakness here. The second one is, why are they using global IP addresses?
It just puts the user at unnecessary risk, and I don't, maybe someone can tell me, but I don't know why they use a configuration like that. It just doesn't make sense to me. Then the third weakness is that there's no port-based security on the LAN in the dorms, meaning that MAC addresses are not locked to physical ports on the switch. And it's pretty much impossible to do that on campus, because, you know, pretty much everyone has a laptop. They register it in their room, run next door to their friend's room, plug it in there, go to another dorm, whatever. You just can't lock down the network like that; it's just too mobile.

So, potential for abuse here. What if you spoof your MAC address to someone else's that's already registered on the network? You would effectively impersonate that user and be able to do whatever you want, basically, under their identity. You could view questionable web content, you could do file sharing, whatever you want to do. And how could that be done? Well, basically, what it would involve would be logging what users are on the network. And that's very simple; you can basically sit there and passively sniff any kind of traffic and log who has access to the network. Basically what you're doing is recreating the database that the university uses to see if a user is allowed on the network. So you're basically making your own copy: okay, these MAC addresses are valid. And because of the domain name that gets assigned to you when you access the network, you actually have a list of full names and the MAC addresses that go with those accounts. So you can basically pick and choose, if you wanted to, if someone wanted to do this, you could pick by name. Okay, I want to screw Tiffany over, so I'm going to take her identity and, I don't know, do some bad things, hacking at some university servers or something. That's possible. Not that you would want to do that.
That's a terrible idea. I'm just saying it's possible, I guess.

Okay, so, kind of some unanswered questions here. The DHCP servers build these domain names and dole them out to the users along with their IP address and all the other usual information that DHCP does. But how exactly is the DHCP server giving you your subdomain? Like, how is it adding your full name in there? How does it know what your full name is? So is this feature part of a DHCP package, or is it something that the university has created themselves? Are they possibly pulling that information from their HR database, or something along those lines? That's not clear, the back end, how they're getting your full name. I mean, obviously they have it, but is this a feature that's built into a DHCP server already? Why is each device on the network given an internet-routable IP address? And most importantly, why does my host name contain my full name?

Okay, so I created this proof-of-concept tool. It's just a network analysis tool, very simple. You could actually kind of recreate it with other tools grouped together, but it basically logs the MAC addresses and domain names, which contain full names, of anyone that accesses the network. And then, once you build up this database, you can, at a later date, scan the network, compare the two lists, see what hosts are online, which ones are offline, and that kind of gives you an idea of where you could go from there.
And I'm still working on it; it's a work in progress, but I will make it available at that URL. And that's pretty much my part.

Hi, my name is Tiffany Rad, and I'm an adjunct professor at the University of Southern Maine. I teach in the computer science department, and I teach a class where we analyze technical aspects of computer programs, hacking, networks, and then we look at the legal aspects of it. I'm also a licensed attorney in the state of Maine. We found that having an ethics class required for all computer science undergraduates is pretty important, because we do look at network analysis tools, for instance. There's one part that doesn't work. Yes, Elliott's works fantastically, but then we look at other aspects of it, such as when Elliott came to me with this. This was his final project for my class. We were looking through the code, and I found out that it did something very interesting with reverse DNS. So who do I call but Dan Kaminsky. I was talking to Dan, and we talked a little bit about what the tool did, and then we started thinking, well, the tool does this; what kind of legal consequences or relation can we make to how USM, the University of Southern Maine, is handling this and how other schools are doing it? I've got to say about Elliott Bradbury, and this is fantastic, he's one of the best students I've had in the computer science department. I come from Carnegie Mellon University, where I got my BS, and, yeah, great. Thank you. And I'm very impressed with Elliott in this class. He is the result of a high school program that goes on in Maine, I don't know if it still exists, but it did when he was in high school, called a tiger team. It's where they teach high school students how to hack, and they learn how to break stuff, they learn how to fix it.
They learn the vulnerabilities, and teaching kids on that level encouraged him to go into computer science in college, and now he's, if he's going to, I already know he's going to be a fantastic security, infosec researcher someday. So I'm just saying he's a fantastic product of a high school program that he took through into the college program.

All right, so how these host names, host name equals real name, are used at many universities. The University of Southern Maine is only one of about 65 that we found. One of the things that we started talking about is, okay, real names equal host names: there are some privacy concerns. What are those, and what types of federal law and privacy law affect those, and why? One of the questions we had is why the universities, some of them, do this, and so many do this. We were quite surprised when Dan was running some lookups how many we did find. So the University of Southern Maine is in no way the only school doing this; there are quite a few.

The first thing we thought about was FERPA. FERPA is federal legislation under which the government requires universities to protect students' personally identifying information. That means that there's information about students, such as in a directory; by default most schools have it, that if you sign up for school you go into, for instance, a directory of who's at that school. You can sign forms to opt out of that, but often that means your name won't get listed on the dean's list, for instance. So FERPA is something that we looked at with this, and a lot of schools need to consider that, because when people's real names are, say, with the host names, if you think you're sending email anonymously, like from an account that you've set up with some other username, you're probably not. It is something that, if you're doing Google searches, it is possible for people to find out who you are if they look. So this information is coming outside of the university, the way that it is set up, and we thought, okay, what other issues
can there be with FERPA? One of the things is, if it's considered to be directory information that the school is releasing and the student hasn't signed an opt-out form, that's not a violation of FERPA. But with this, there is personally identifying information; it's possible for people to find out a lot more about students than just this is their name and they're on the internet.

Some of the legal issues we talked about is why do schools have this set up? One of my specialties, in addition to computer law, is intellectual property, and there are certain types of legislation; I'm going to talk briefly about the Digital Millennium Copyright Act and just privacy law. Some of them use the, we believe the Digital Millennium Copyright Act is one of the reasons why some schools do release this information. When IT departments get takedown notices, for instance, very quickly they have a short window when they need to address who did this and send them a legal notice that this information must come down. So I think that IT departments do set this up in relation to how to deal with some of this copyright law. This is something that is one of the most interesting pieces that I found about this project when I read Elliott's final project: what can be done with this information?
If you're at a law school, if you have a university at which you're studying and there is a law school there, there's something called attorney-client confidentiality, and in the clinic setting in the law school, the lawyers, or professors who are licensed practitioners, take clients into the program and you do real cases. You go to court, you make filings. Privacy is really important if you're one of these universities, the 65 that we found; we're not releasing those names, but it's not very difficult to do, as Dan's going to talk about, some reverse lookups to find who is doing this. But if you have confidentiality that needs to be preserved, it's difficult to do that. For instance, a hypothetical would be in a law school clinic: if, for instance, they're filing patents, it's very important, with the patent system being first to file, that you don't release any information about what the technology is if you're helping someone write the patent. If you're in a clinic setting and one of the attorneys working on the case has real name equals host name, and this is kind of going out to the internet, someone could watch and potentially find out what you're looking at and kind of piece together the technologies that make up the patent.

All right, one of the other issues we talked about is, did they do this to combat piracy? We were looking at some cases with the help, I was working with a little bit of information from Ray Beckerman. He's done a lot of defense for students and has a great database about RIAA cases. The question we had is, is it possible for someone to determine a person's full name, who is searching for music, downloading music or movies, where they're living, and is it possible that you could get around the warrants required or court orders for,
for instance, the RIAA or any organization like that, to figure out who's doing what without having to go through the traditional warrant requirement and serve or get a court order and talk to the IT department at the university about that? What I will tell you is we did not find a way that we could technically prove that. So when I say that there might be a correlation, and is it possible that the RIAA could determine what's coming out of universities, find out people's real names, who's downloading what, and then get the legal threat notices? Yes, it is possible. That's something that was one of the most interesting issues we had. Do we know they do it? No, we do not. Dan and I were saying the only way that we could really figure that out is if one of us goes, you know, for instance, it would probably be me, because I have an account at the university, goes downloading, like, nine thousand songs, gets on the RIAA's radar, and then determines, did they follow proper warrant procedures to find out my real name? And neither of us wanted to do that. Yeah, pretty risky, especially with the way that the fines people are getting for this are pretty severe now. It's illegal. I wasn't going to do that. So we cannot find... You're not going to get sued by the RIAA for DEF CON? I thought you were hardcore. Hey, Dan, you know, I think Elliott might be able to set up an account for you. Why don't we give it a try? Yeah, I think he's okay. I am too. So we technically could not prove that. The RIAA cases that I looked through, probably a hundred cases, in the RIAA ones that were universities, got legal threats for students, not necessarily takedown notices, and all I can say is there are quite a few that have this set up. One thing that's kind of funny is, if the RIAA wasn't doing this before, well, here we're telling you right now.
It's possible to do, and whether you like the RIAA or not, this is information that we wanted to talk about. For instance, this also applies to law enforcement. It is possible to get information about what people are doing on the network. This is public information that's going out there; this isn't your private... The question is, is there an expectation of privacy if your name is just going out saying I am searching for medicinal use of marijuana, or something like that? Um, if there is someone under investigation, this possibly is a way that you can get around getting a search warrant: just look at what's already being put out there. There is a privacy concern, and Dan's going to talk a little bit more about that. When you're in, like, IRC chat rooms, your real name, your host, I mean your host, it comes right up; do a reverse DNS lookup and there's your name. Xbox Live, he was mentioning, does this too. So if you think you're at a nice university and your searches are private, they probably are not. And we found that this applies to both students and faculty members. I did a little bit of research; some faculty members' information is also being broadcast out.

All right, are there influences under the Digital Millennium Copyright Act with the RIAA? Like I said, we can't prove that technically from what we've looked into, but it would be disappointing to find that intellectual property law is affecting privacy in infosec. I've got to say I believe it probably is, and it's disappointing to see that some universities may have set up under pressure, I'd say, where privacy isn't a concern because of copyright law and vigilant enforcement of that. Lastly, I was about the DMCA. I mentioned already that there's a takedown notice requirement. IT departments are under a ton of pressure: you've got to take this down.
You've got to find out who this is, or you lose your safe harbor provision. I'm working on a case right now where an ISP has lost a safe harbor provision, which means that they are going to be held civilly liable for whatever it is that the defendant in the case is. So ISPs are under a great deal of stress under the takedown notice requirements; you don't want to lose the safe harbor provision unless you're challenging the DMCA. We talked about FERPA, and one of the things that Dan is probably going to talk about is recommendations for what schools should do if you are concerned about this issue. Maybe students should be opt-in, you know; if you want your name to be your host name, let them opt into that instead of opt out. And if schools are going to have opt out, make the procedure very clear, so that all students understand exactly, technically, well, technically explain the privacy implications of this. We don't want to say that there is a correlation, but the RIAA could use this technology, especially since we're talking about it. And it's interesting, after the school we looked at, the University of Southern Maine, has been doing this for about ten years. And so if they haven't been doing it already, well, maybe they can now, and we're not supporting that; I'm just saying that it's possible with this information. And sorry, that's the last slide, but I'm going to have Dan talk about what he did with reverse DNS lookups and his results.
Thank you. All right, so, just in case anyone in the room is not actually familiar with the database being exposed, the data set being exposed: normal DNS traffic, you have a name, www.foo.com, you get an IP address, 1.2.3.4. In reverse DNS you have the exact opposite: you provide an IP address, 1.2.3.4, and you get back a name. Now, usually this name is like the name of a computer and doesn't mean anything. In this case, no, that's the guy sitting behind the terminal, which is actually a fairly amusing thing to populate inside of DNS. In terms of being someone who's trying to use or abuse this data, you pretty much have two different channels. The first channel is to just sweep the net, sweep IP ranges, and see who's where. So you take a particular university that uses the system, you take their IP range, you just sweep through reverse DNS and see what comes back. And what are you finding out? Well, there's this list of students, they're on this campus, maybe you know where they are, you know, north Maine, you know, this area of Maine or that area of Maine. It's interesting.
It's not as interesting as the second mode. The second mode is where you host some service on the internet. You host a web page, an ad network, you host or you're part of a peer-to-peer network, or you're playing Xbox Live, and in each of these situations the IP address of a university student is provided to individuals outside of the university, so that at that time the fact of what they are doing and who they are can actually be linked. I bring up Xbox 360 because it's the source of what I thought was probably the funniest change to internet security in the last few years. Some guys figured out how to monetize botnets, and the way they figured out how to monetize botnets was renting: you had 12-year-old kids renting botnets to each other so that that guy who was really pissing them off on Halo 3, well, they just go ahead and flood him off the internet for a few hours. I thought that was kind of amusing, and it gets even more amusing when you realize not only that, but you can kind of find out where the kid is, and can you go look him up and send him a horse's head or something? You shot me too many times.

So, you know, DEF CON is traditionally considered a security conference, and here we are talking about a lot of privacy implications. What's up with that? Well, this is really interesting. I mean, this has come up professionally in a fair number of audits that I've done. It turns out security work and privacy work, we kind of work together a lot. Consider something like a phone-home: you have a piece of software that is calling back to the mothership for something. On the one hand, well, this is a privacy implication. Did you ask the user, is it okay for you to go back?
On the other hand, it's an awesome attack surface, which is very often quite as vulnerable. So, you know, it is a relatively common instance during an audit where phone-homes are found. If you're doing it in a security context, you pop it over the fence to the privacy guys and say, hey, does this meet all the legal requirements? And that's one thing that's really different: there are legal requirements in privacy. In security, it's pretty much us geeks that think something needs to be done. You know, we're all rah-rah, we want to see secure code, we want to see quality; no one really knows what that means. Well, no one knows what privacy means either, but that doesn't stop a heck of a lot of law and a heck of a lot of activism around "I don't want anyone to know." It turns out, in security, there's a thinking there might be a hacker, and we should stop them if there were a hacker. In privacy, the assumption is always those bastard advertisers are selling my info. So it's a totally different presumption, it's a totally different burden of proof, and it does actually show up all over the place.

There's an interesting implication behind all of this. Nobody is saying that use of the internet at a university should be fully anonymous. In fact, the whole point of takedown provisions and other things is that you should actually, with some work, be able to get back to the individual that was behind the traffic. We seem to be wanting to have a system which can be summarized as: in order to extract someone's identity from the network, it should be difficult, but not impossible. Building systems where it's difficult, but not impossible, for your personal information to be exposed is starting to prove difficult, if not impossible, itself. Either you are fully anonymous and can't be tracked down at all, or there's a thousand different ways to get at your personal information. This particular path is a ridiculously easy way of
getting at your information, and that's kind of where the concerns come in.

There is a really interesting implication of the spoofing work. This is what I thought was really cool. Um, I don't know if you guys notice this: people really believe whatever the hell it is the computer tells them. You do a lookup, it gives them answers, "I have the answer, I'm going to go move on with my life." What endgrain found is that it's actually really easy to look around, figure out what other people's MAC addresses are, and then later on spoof those MAC addresses, so you can actually assume their identity on the network. Now, I think from his work, when he was looking at this, he found this specifically in terms of just looking at what was on your LAN and just saying, okay, well, whoever has the IP 1.2.3.4 has the MAC address of this; if I use the MAC address of this, I will now have their name. That's how the system works. Turns out that actually also works off-LAN as well. You issue a query with nbtstat, and one of the helpful things you get out of Samba, out of SMB, is, okay, well, here's the user, here's the shares, and by the way, here's this MAC address, which it turns out on this network lets you go ahead and assume their identity, to appear as them. It's bad enough having people think IP addresses are identities, but, you know, what happens if any kid can just go ahead and appear to grab a bunch of porn, or grab a bunch of problematic content, or do a bunch of attacks, and stick, you know, his buddy's, or not so much his buddy's, name all over it? That's going to be lawsuit bait; that's going to be really easy lawsuit bait. And at the end of the day, not only is it lawsuit bait,
it's lawsuit bait that wouldn't have been possible before. If you actually had a situation where it was difficult but not impossible to acquire the authenticating information, or the identifying information, there would be a human involved. There'd be an investigation, and there'd actually be enough resources applied to figure out the difference between "oh, this is just a trivial spoof" and "wait a second, there's something more interesting going on." The reality is a lot of people, when they're looking at computer systems, don't ask enough questions. This is DEF CON; we ask questions. So, you know, I think I've gone on kind of long enough about all the interesting implications of security and privacy here. As Tiffany said, like I said, you know, this is a small thing now. This could grow; this could be something that we turn around and lots of places are doing it just to stop the flood of requests: "you know what, we're getting a thousand takedown requests an hour, why don't we just publish all the information and now people don't need to ask for it?" That is a model it could come to; it would not actually be a good thing for the future of the internet. The reality is, and this is what all the privacy guys have figured out, perhaps long before the rest of us have: if you can't use the internet, if you can't use a resource without an implication that no one's watching over your shoulder, you just won't, and we won't end up with a particularly free society. So that's pretty much what I've got on this. I have one final thought to leave you with. How many of you guys are still in school? Cool. All of you, every last one of you, are going to have huge final projects to do, and you could do the normal thing, do something that's been done a thousand times before, get a pat on the back by a teacher who's done the same review over and over and over again. Or you could end up dragging your teacher out to DEF CON and showing off what you've done.
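Added example in Python, not code from the talk or from endgrain's tool: an audit that classifies constructed PTR records in the naming shapes the speakers describe (firstname-lastname on the wireless and dorm subdomains, initials plus surname on the acs subdomain), flagging which entries expose a person's name and which campus network they sit on, alongside an HMAC-keyed pseudonymous host name as one way a campus could get Dan's "difficult but not impossible" property. The zone entries, the secret key and the `net` subdomain are constructed for illustration; only the `wireless`, `dorm` and `acs` labels and the `usm.maine.edu` suffix come from the talk.

```python
"""Audit reverse-DNS names for name/location exposure, and build an opaque
per-device host name that IT can still map back through its own
registration table. Added example; all zone data below is constructed."""
import hashlib
import hmac

# Constructed PTR data in the shapes the talk describes (not real records).
SAMPLE_PTR_RECORDS = {
    "203.0.113.10": "jane-doe.wireless.usm.maine.edu.",
    "203.0.113.11": "john-q-public.dorm.usm.maine.edu.",
    "203.0.113.12": "jqpublic.acs.usm.maine.edu.",
    "203.0.113.13": "lab-pc-07.wireless.usm.maine.edu.",
    "203.0.113.14": "dhcp-113-14.dorm.usm.maine.edu.",
}

# What each subdomain reveals, per the talk's description of the split campus.
ROLE_BY_SUBDOMAIN = {
    "wireless": "wireless, Portland classroom campus",
    "dorm": "wired LAN, Gorham dorms",
    "acs": "IT staff network",
}


def _looks_like_person(host, subdomain):
    """Heuristic for the two naming conventions described in the talk:
    dash-joined alphabetic words (firstname-lastname), or an all-letter label
    on the staff subdomain (first initial + middle initial + last name).
    Labels containing digits, such as dhcp-113-14 or lab-pc-07, never match."""
    parts = host.split("-")
    if len(parts) >= 2 and all(p.isalpha() for p in parts):
        return True
    return subdomain == "acs" and host.isalpha() and len(host) >= 3


def classify_ptr(ip, ptr):
    """Describe what one PTR name leaks: a person's name, a campus location."""
    labels = ptr.rstrip(".").lower().split(".")
    host = labels[0]
    subdomain = labels[1] if len(labels) > 1 else ""
    role = ROLE_BY_SUBDOMAIN.get(subdomain)
    return {
        "ip": ip,
        "host": host,
        "role": role,
        "leaks_name": _looks_like_person(host, subdomain),
        "leaks_location": role is not None,
    }


def audit(records):
    """Return the entries (in zone order) whose PTR exposes a personal name."""
    return [r for r in (classify_ptr(ip, p) for ip, p in records.items())
            if r["leaks_name"]]


def pseudonymous_hostname(mac, secret, subdomain="net"):
    """Opaque per-device name: a truncated HMAC of the registered MAC under a
    key only IT holds. Outsiders learn nothing from the label; IT can still
    identify the device by recomputing the tag against its registration
    database. One shared subdomain also stops the label from encoding which
    campus the device is on. (Constructed scheme, not USM's configuration.)"""
    mac_norm = mac.lower().replace("-", ":")
    tag = hmac.new(secret, mac_norm.encode(), hashlib.sha256).hexdigest()[:12]
    return f"d{tag}.{subdomain}.usm.maine.edu"


if __name__ == "__main__":
    for entry in audit(SAMPLE_PTR_RECORDS):
        print(f"{entry['ip']}: name exposed in '{entry['host']}'"
              f" ({entry['role']})")
    print(pseudonymous_hostname("00:11:22:33:44:55", b"constructed-secret"))
```

Running the block against the constructed zone flags the three person-named entries and leaves the generic lab and DHCP names alone; the pseudonymous label would be classified as leaking neither a name nor a location.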