Testing. Howdy. How are you all doing? I am David Maynor and we are here to talk about bringing sexy back. However, if you're expecting to see Justin Timberlake, I am sorely disappointing you. You'll just have to see me topless, which I think will be just as good. So, if you don't know me, my name is David Maynor and I'm with a small company out of Atlanta called Errata Security. And this gentleman to my right is Robert Graham, he's the CEO. And Rob's famous for a lot of things, like inventing IPS. That's pretty much about it. But what we're going to be talking about today is: we as a company do a lot of pen testing, and we don't do traditional pen testing because that's kind of boring. Everybody runs your vulnerability scanner; that gets kind of old and repetitive, and there's actually no real return on investment there. So we actually always seem to end up with clients that want weird custom things done. We're going to talk about two of the custom things we've done. But before that, I have a question. Has anybody had sex with a hooker today? Has anybody been rejected by a hooker today? You know, we got more hands for that one. That's kind of good. So without further ado, I'm going to turn this over to Rob and I'm going to heckle him. If you can help me heckle Rob, that would be great.

So what this talk is about is getting creative with pen tests. First of all, I want to mention the fact that pen tests in general are supposed to be boring. So Dave and I used to work for Internet Security Systems before they were bought out by IBM, and ISS did a lot of pen tests. That's a nasty rumor, by the way. There's no actual proof we ever worked for Internet Security Systems. So ISS also had the X-Force group, which is well known for finding zero-day vulnerabilities. So everyone assumed that ISS would use their 0-days on pen tests. But the reality is that ISS never did.
Because the point of a pen test is not to see if I can pop you with 0-days, which in most cases everyone sort of accepts is true. The point of a pen test is to say, are my defenses adequate for the sort of attacks I'm likely to get? So for most corporations, their likely attacks are from script kiddies, or from this well-honed industry of phishing and script kiddies and crawlers coming against their sites. So the tests that most pen testers do are very simple. You port scan it, you run a vuln scanner against it, you do some password cracking, you try some cross-site scripting attacks with automated tools, you run your automated tools looking for SQL injection. And that's the height of the threats that most corporations are going to be affected with.

Now one of the interesting things we've noticed is that anytime you do a pen test... you know, the first time you want to figure out anything, you just put it in the Google, right? Googling your client should be part of a pen test, but I have yet to see any reports that actually include it. Finding out everything that Google has indexed from your client is a lot easier than trying to find everything manually. As you've seen from Johnny Long's talks and things like that, you can actually find a lot of interesting things just from Google. So that's the kind of stuff we're going to be talking about, weird and interesting things.

So the next question is when creativity is good. And that is for the small subset of customers that realize that they're not just under attack from your standard script kiddies, but they've actually got serious people that are motivated to get them. And really they fall into two primary categories. One is financial firms, Wall Street firms. They've got a lot of money; hackers are trying to get it. The other is government agencies.
Everyone in the world outside the United States, and actually inside the United States too, when they go to bed at night dreaming about who am I going to attack tomorrow, they're dreaming about the Department of Defense. I dream about Cindy Margolis. So that's when creativity is good: the more fearful organizations that have got reason to fear, that fear a well-funded, determined adversary.

So one thing we've looked at for a lot of our customers over the years is, if you want to have a guaranteed return on investment, imagine that you're a venture capital firm, but you're not funding venture capital startups in Silicon Valley, you're funding Russian crime bosses to go after an American financial firm to hack. So how much would it cost for a Russian crime boss to hack an American corporation? We estimate that would probably be about a million dollars. They would hire a few hackers, they would spend a year scanning the site, reverse engineering their applications and doing lots of strange things. And over that year they would gradually work their way into the network and then find things like, if we grab a million dollars or a hundred million dollars from this company, how do we avoid tripping financial controls? A good example of this is a French firm recently, in the last six months: one of their traders was previously involved in setting up their financial controls to detect when massive amounts of money are being transferred illegally. Since he worked on that system, when he became a financial trader himself, he nearly bankrupted the company, losing billions of dollars trading things that he wasn't supposed to. Now he wasn't trying to steal the money; as it turns out he had just made some bad trades and then kept doing more trades to try to recover and get back to his original position. We are all here in Vegas, so we know how that is. We lose ten bucks.
Well, if I keep playing, maybe I'll win that ten dollars back, and go twenty down, a hundred down, a thousand down, ten thousand down, and now I have to walk home instead of driving. So this guy had bypassed the internal controls. So that's the sort of thing you need to start thinking about for creative attacks: if I'm a well-funded adversary, and I'm trying to emulate a well-funded adversary against a corporation, I need to start thinking creatively. As a disclaimer for this slide, we're not singling out Russian crime lords. It's also the Brazilian crime lords, Japanese crime lords, Indonesian crime lords, if there is such a thing.

So one of our ideas that we came up with that we've used is iPhone in a Box. And that was sort of the impetus for the title of the talk. What's the title of the talk? Getting Sexy Back? Unfortunately, Dave Maynor here is the Justin Timberlake fan, and so I'm not really as up on Justin Timberlake as Dave is. But Justin Timberlake did a sketch for Saturday Night Live, I think last year or Christmas two years ago, which sounds like iPhone in a Box. So the idea is simple. You get a box, you put your iPhone in the box, and you mail the box. In case you were wondering, this idea literally came from a drunken night while watching that Justin Timberlake video.

So step one, you have to get a box. We use the original iPhone box because if you're shipping an iPhone in an iPhone box, that doesn't really look all that suspicious. So it's the perfect size for everything, because under the little plastic tray that the iPhone comes in, there's all this space, and you know what would fit perfectly in that space is a battery. So this is all the material we used. That's the iPhone box, that's the iPhone itself, and that is the APC battery, and we have one actually right here on stage.
Unfortunately, due to a mishap, we don't have ours, but we were able to borrow Rich Mogull's, so we're going to have to do something bad to it before we give it back to him. So Dave did a lot of work to get his iPhone, actually my iPhone, packaged up. And before he took the flight here, we FedExed it to the hotel here. It arrived fine, was carried up to his room, then he showed it to a bunch of reporters. And then this morning Dave wants to bring the box here. He wants to bring the box here for the presentation, which was the whole point, and he leaves it in the cab. So somewhere somebody's enjoying a... You know, I should get the pony for epic fail, I know, I know, I know. And the sad part about that is it's my iPhone, not his. This is his iPhone.

So let's talk about some interesting things. That APC battery that we're talking about, on a standard iPhone, not the 3G, because the 3G sucks battery life like crazy, but on a standard iPhone we found out, with it fully charged and with the battery fully charged, you put it in the box and send it somewhere, it can stay on for about five days, which means you have about five days to scan and do basically whatever you want from the iPhone. Which is enough to FedEx it overnight somewhere, let it sit in somebody's receiving facility, let them figure out that there's no one there named Jack Mehoff, then have them send it back. So, so far we've always returned... gotten the iPhone back, and it's still running. An iPhone? Yeah, ours is lost in the cab, so. And it's in the original... was it UPS or FedEx? So actually what we're worried about now is somebody's going to look at that and see there's an iPhone with a battery and think it's a bomb. So if you guys see a bomb scare tonight, don't tell anyone it was us. Let's just keep it between us. And one of the things we haven't done yet, I'm kind of disappointed Dave lost the box, because I wanted to see what it looks like through an X-ray machine.
So my first thought was, okay, I'm going to carry it through the X-ray machine and take a picture of the X-ray as it goes through to see if it looks like a bomb. Then I thought the better of it, thinking that Dave should do that. So as a little back history, last year we were at a conference and Rob was reading a paper in Seattle, and he said that you have to get tased now in the state of Washington to buy a taser. He goes, you know what we should do? We should have a poll on our website to see which one of us gets tased. Knowing full well I was going to lose, so I ended up getting tased. So basically when it comes to Errata and things where you can almost get arrested, or more than likely, I seem to end up getting the short end of the stick.

So by the way, just as an aside, this APC battery pack, I've never really heard much news about it, but it's very light and it really lasts actually a fairly long time. We're being sponsored by APC. No, we're not. So this is actually really cool. If you're thinking about using mobile devices to hack with, this is actually a fairly useful device to have with you. It's great because it charges via USB, and you know the other end of the iPhone is just USB, so you plug in and you're ready to go. No soldering, no hacking required. This could be almost script kiddie hardware hacking. So it's just got USB in and USB out and it rocks.

So since we don't have the box to show you, here's the original picture of the box, and as you can see it's got a nice little slot to hold up the iPhone, and underneath it it's got a great place to put the iPhone. It needs a little bit of cardboard hacking to actually cut a hole in it so that you can fit all the cables in. So here's pictures of Dave taking his box and cardboard hacking, and here you can see the little...
We actually had to end up cutting a slit right there so the battery and the cables and everything would fit, but when you put the top of the box back on it looks just like a regular box. And that's it running. So one of the things you have to do is, when the phone goes into auto-lock mode, a lot of the interactive stuff you have running on it will stop running. So we recommend that you turn off auto-lock and make sure it doesn't automatically power off. And fortunately the iPhone is shipped to you as a mobile device, so Apple is very concerned about powering off as often as it can to avoid sucking down all the battery, but we want to use it as a FreeBSD machine, and so we had to actually turn off all these wonderful nice user features that Apple has just to make the FreeBSD stuff work.

So this is the gayest picture of me ever taken. This is my thinker pose. If you actually look at some ads for some gay bars here in Las Vegas you'll find that this is not the gayest picture of David ever taken. This was my audition photo for Thunder Down Under. So after you do this, and if you work for Apple or their law firm please cover your ears, the first thing you have to do is jailbreak the iPhone. I assume everybody here has a jailbroken iPhone. So after that you install the SSH and BSD subsystems, and I've gotten a lot of flak, like this week already, from Mac zealots; they're like, oh my god, why are you doing this with an iPhone, you can do this with any phone. Well, it's actually really hard to do with a Windows Mobile phone, because Windows Mobile doesn't have a Unix-like interface right underneath it. So I suppose you could do it with a Symbian, but if you've ever tried to use that SDK it'd be better just to do it with the iPhone. So for disclaimer purposes, you can pretty much do this with any device that has both a network connection to something like AT&T and a Wi-Fi connection. It's just a lot easier with the iPhone.
Dave's notebook, like this notebook right here, has an HSDPA connection built into it, so in theory you can do the same thing with this notebook and ship it to a customer. Because I don't trust the Wi-Fi network here, and I hope you don't either. But it's a lot heavier, it costs a lot more to ship, and it's not quite as sexy.

So there's a bunch of stuff you have to do. For example, we use the AP logger to keep the Wi-Fi interface going, otherwise the Apple software wants to turn it off. So we want to have tcpdump running, capturing all the packets, all the Wi-Fi raw packets. We also have to do a little bit more custom stuff. One of the problems we have is the SSH daemon: you can't actually SSH to an iPhone across the Internet, because AT&T's network has firewalls that block all incoming connections. We also have the problem of not knowing exactly what the IP address of the iPhone is. And there's also issues: it's not always actually on. When it's flying in the airplane, going from the FedEx facility to the hotel or something, the Internet connectivity is not on. Now we'd like to point out that our device is not on while a plane is flying, because that would be illegal according to the FAA. So we have an application that uses the accelerometer to detect when it's going faster. Just for FAA purposes. So we just set up a cron job, and we just have a cron to a little reflecting app we've got that simply takes an incoming TCP connection and reflects it on back, so that we have SSH into the reflector. You can use Netcat probably for this. We do actually. I assumed you wrote something, okay. So you SSH into the reflector. You can tell when someone gets into management; they're like, you know, I just assume we do this and I just assume we do that. So you SSH... you basically wait an hour for the connection to come back in, and then you've got a nice little SSH prompt that you start running your utilities from. Now there's two things that we like to do.
That's Ferret and Metasploit. Ferret is the tool that I wrote last year and I've given presentations on at Black Hat and stuff. It pulls down all sorts of information that notebooks are leaking. So if you sniff right now on the Wi-Fi coming here, you'll find out lots of information about people they're broadcasting about themselves, such as their names. So there's lots of people here that think that they're hackers evading the FBI or something, they're coming incognito, but then their Apple MacBook is broadcasting out saying that this is John Smith's computer. So the FBI just listens on the Wi-Fi and they know everyone is here. And the last access point they connected to was John's secret lair. So in our Ferret tool we found out that all sorts of corporate machines are leaking the same information. So that's a great tool to run on the iPhone, because you're sniffing the raw packets from the Wi-Fi. So imagine a corporation that's done the right thing for pen testing and they have no access points that we can access. We can still listen in on these notebook broadcasts and find out a lot about the corporation. One of the biggest things we found is that most computers go through a list of all the previous access points that they've gone to. So you can map out, for example, where the sales guys have gone. If the CEO has gone to, like, Microsoft and logged on to their Microsoft internal corporate network access points, then you know they've been to Microsoft, and why is the CEO going to Microsoft? Maybe they're getting bought out. Or if the CEO has gone to DEF CON. So that's one tool that we find is great for doing a site survey, finding out a lot about the internal corporation even before we start thinking about hacking access points. Of course, now the main thing we want to send the iPhone for is to find out: does the company have open access points?
And if they do, we're going to log on to them and then we're going to start hacking with other tools. One tool, for example, that we like a lot is Metasploit. Metasploit's awesome. One of the cool things, Dave's added lots of code like Wi-Fi fuzzing to Metasploit. One of the things we found: we tried to do this with the latest 3G iPhone, but it sucks battery, so it actually doesn't work as well. So it'll go from running for 5 days to about a day and a half, which means by the time FedEx delivers it it's bad.

So as a side note, one of the interesting things we've noticed about this, and we've tried this with DHL, with UPS and with FedEx: internally all these companies seem to have a lot of access points that are not locked down. So as your package is traversing this carrier company, you could do really bad things to a carrier company. Yeah, it's sort of the inadvertent pen testing. Yes, we wouldn't actually do that because that would be unethical. But one thing we found is that... We shy away from unethical. When you grab the latest iPhone stuff, the latest jailbreak stuff and all the little tools and stuff, you can actually download a Metasploit package for it. I don't know, did you try it and see if it ran? Yeah, no, it runs. You get the little moo banner. That's my favorite Metasploit startup banner. Now let's hear what your own favorite Metasploit startup banner is. No? No one? Alright, well...

So once again we're back to gay pictures of me. So actually, wait... So strangely, if you're ever in Atlanta that's a really good Thai restaurant, nah. So as you can see in this picture, the picture on the side is the finished version. And as you can tell, if you were looking at it, it doesn't look any different than if you had just bought an iPhone. In fact, we told everybody at all the stores where we FedExed them, or... So you can't FedEx from a UPS store, but we told everybody we were shipping them from that somebody had won an eBay auction and we were sending them an iPhone.
You know, we didn't need to tell them that. It just felt like, you know, people were staring at you, you feel weird and you want to tell them why you're doing this. And "we're hacking your network" didn't seem like a good idea. So I don't know if you've noticed this. I've actually lost a lot of weight. 250 pounds and now I'm down to 205. That tells you how long we've been doing this. Although I'm wearing almost the exact same outfit. I washed my clothes, I swear.

So another thing we've been working with is... There's some more stuff. So the thing that we found out about this is when it gets to a receiving facility somewhere it will just sit there for a while. So people will accept... I don't know if you've ever worked in a mail room or seen how a mail room works or anything like that, but generally when UPS, FedEx or DHL comes to the company you'll get a whole lot of packages. You'll sign for them all, and then somebody will sit and sort through them all. And then they'll be like, hey, there's nobody here named Jack Mehoff. We've got to send this back. You know, return to sender. There's no one that's ever worked here. While that package is sitting there in their mail room, which generally has an access point, generally for nothing more than the Symbol Technologies meters, for inventory control systems and things like that, you can then connect to the iPhone and use the Wi-Fi interface to start scanning for different types of packets. You can associate to the access point, or you can just basically start collecting data you can use to crack passwords with tools like Cain and Abel and things like that. So that's basically the gist of the entire thing that we were doing here. This is a way to get past all the firewalls and crap that people were buying, because, I mean, who here has ever implemented a DLP system? Right, so something like this would completely bypass your DLP system and allow us to grab credit cards while it's sitting in your mail room.
There's a point-of-sale terminal close to your mail room. So the other thing that this really comes in handy with, and I don't know if anyone here has ever done it, but if you ever talk to a SCADA guy or somebody who runs SCADA systems, they get very uppity about security. Like, we have guys with guns. We can get near our wireless access points. We'll have them shot. It's like, does a FedEx guy come in? Oh yeah, he comes in every day at 10 a.m. Well, that's that then.

I was talking to a reporter about one of the benefits of this, which is that you don't have to sit outside in your car typing on your laptop, which is very suspicious. And the reporter said, yeah, he actually has been detained by the police before, because when he writes stories he often sits outside in a car typing on a laptop in a place where the police come by and say, that guy doing that, it's suspicious, let's detain him. So doing this means that you don't have to get arrested for being physically close to your target. Another thing is, from a pen testing point of view, it's much cheaper. Pen testers, as part of a pen test engagement, they'll negotiate with us and say, hey, we want you to come by five different sites in the United States and do a site audit, a pen test. I don't mean a wireless pen test. Well, it costs us a day of travel time from there and back that we have to bill the customer, plus a couple hours on site, which kind of sucks. So doing this... Especially when you're going to a place like Wisconsin. I don't mean to offend anybody, if anybody here is from Wisconsin. You see what I mean? And so, of course, when we do that, that's the sort of boring part of the pen test, so that's the job I delegate to David. I'm a bitch. He doesn't want to do that, so he figures out he doesn't have to go. But thinking about it from a point of view of hacking, if the site gets this and they figure out, hey, this is actually probably something hostile. Maybe they X-ray it and think it looks like a bomb.
They pull it open and say, why do we have a running iPhone? So one of the questions we have is anonymity. Maybe they want to track back who sent them this hostile device. And well, since you've already jailbroken the iPhone, it means you can put in pretty much any SIM you want, which means you can go to Czechoslovakia, get a prepaid phone there, pull out the SIM, stick it in your iPhone, and it'll be perfectly anonymous, so that you sent an iPhone to a site and there's no clear backtracking to the person who sent it. Unless, of course, you get a picture taken at the FedEx or Kinko's location you sent it to, in which case you should smile.

So the software for this is going to be released open source. We're trying to set up a repository right now where you can just hit one button and have your iPhone good to go. But if you check our website next week the software should be up. It would be up right now if we had the iPhone, but some cabby right now, I'm sure, has the power to take down the CIA. You know what's funny is I was thinking about that: we should actually just set up a listener and wait for it. Unfortunately our listeners are back at home while we're here at DEF CON. Like I said, epic fail. Epic fail. We also think, unfortunately, we didn't have the email client set up, so we can't email, like, naked pictures promising the cabby things if he brings the phone back to us. We do have a young new bio intern that we were offering up in exchange for the iPhone. So the original iPhone doesn't have very good GPS. It's got that cell tower locational crappy stuff where you can find it within 400 meters. If you walk out on the street and look around 400 meters, how many cabs are there? Hey, you in the cab, stop.
So the second thing we did is we came across a client, and it was like, hey, you know, we've had people do these penetration tests before, we never get anything out of it, and we've done some studies: 80% of the malware that we get in our network comes from secretaries. And I'm not being derogatory. Secretaries clicking on things. So they wanted to see how you could test phishing without actually, you know, being phished. So basically what we did was set up a VMware image, you know, Linux, you know, basically a LAMP setup with a fake website on it. And do you know how easy it is to get certificates to make your fake website look authentic? Rob, how easy is it? So that's a couple slides from here. Oh, I'm sorry, I'm getting ahead of ourselves.

So one thing is that, well, I was talking to a reporter and he was saying, you know, like with this Dan Kaminsky thing that one of the things... Can we get a hand for Dan Kaminsky and the DNS thing? That was pretty awesome, wasn't it? Wait, did anybody use that to do anything bad or malicious? For good things. So Dan's stuff, the reporter was saying how, and one of the things that Dan mentioned is that this yet again shows some of the weaknesses with SSL, because of course when you're spoofing these websites you're sending things back through to the wrong website and SSL really doesn't help you all that much. And that was one of the points he made about our talk too, that this yet again shows some of the weaknesses of SSL; it doesn't quite work as well as we thought. The way that SSL works is that a certificate authority like VeriSign verifies that you are who you say you are. So we've got certificates from Errata Security, and so VeriSign verifies that we are actually Errata Security. And the way they do that is they go and do a Dun & Bradstreet report. When you are a company, Dun & Bradstreet verifies that you're actually a legitimate company, and you have to pay them some money to prove that you're actually a company.
So it's kind of like Equifax for companies. And it's really kind of simple: if you can afford the $395, you're probably legitimate and not living out of your grandmother's basement. Like Chris Glass. So to create a legitimate company, you go down, $29 to the local county's office, and say that you're now a bad company; you spend a little bit of money, usually you can even do it for free; you get a domain name; you go to Dun & Bradstreet, give them $400; and then you get your SSL certificate from VeriSign or somebody for $700. We're also sponsored by VeriSign. Or another, like, Thawte or something. So now you're a legitimate company, so that when people go to Errata Security with their SSL, they'll have a nice little padlock icon that says this connection is now trusted, and people will tend to trust that. Your ActiveX control is signed.

And so you apply it to spear phishing. Spear phishing is the idea of you target somebody like an internal corporation. So instead of broadcasting out to everyone in the world, you get a mailing list of, let's say, every public email address for a corporation. Or you can send an iPhone to their shipping department and then enumerate all the user names on the Windows domain. So that's spear phishing. But when you do a phishing attack, you'll often send them back to a website that is fundamentally untrustworthy. And the SSL will tell you, this site you can't trust, do you want to continue? Now phishing works because enough people will continue that you get to break in. This is a true story. Everybody in here has ever heard a story like this, where some guy is very indignant and they're like, I would never download malware. Like, really? Would your secretary? And then they go, oh. I mean, that happens to us generally on a daily basis. Now, having been an executive at a security company, we quickly realized that the secretaries are not security knowledgeable.
You think that for an average security company, imagine a five-man consulting company, they've got a secretary and she still does not know anything about security. So SSL gives you a warning, but people ignore the warning. But imagine that you train people to pay attention to that warning. If you go through this process, you'll get no warning and people will trust you.

So one question about this, I put a larger number here for creating a real company, is that it comes back to you, so you'll get caught if you're actually doing this maliciously. That's why you date a lawyer and have her do it. Or him, depending on who you are. Dave dates a lawyer. I won't divulge whether it's a him or a her. So one thing you do for a company is you can anonymize it. You hire a lawyer who will then act as the officer of the corporation, your one-man corporation, and you'll have a nice full board of directors of other lawyers in the law firm, and they now are the public face of your company, and people can't really easily penetrate that. Now law enforcement can; law enforcement can get a warrant. But actually, for the average private investigator or normal investigator, they can't penetrate the corporation and find out who you are within your one-man corporation. So a lot of people actually do this. For example, I own a home, but my home is not owned by Robert Graham, it's owned by my corporation. A corporation that exists solely just to own the home. And I do that for privacy reasons, so people can't look up in the county assessor's office and look at my social security number; they see what's the tax ID of the corporation. Doesn't due diligence just sound dirty? So you might want to anonymize the company so people can't find out who you actually are. So between one and two thousand dollars you enter the system of trust, the circle of trust. We've all seen that movie Meet the Parents, where the ex-CIA agent is, like, you know, grilling his new son-in-law, or soon-to-be son-in-law, in the circle of trust.
And you're Ben Stiller. So for about two thousand dollars... for two thousand dollars, you now enter the circle of trust. You now become the man, and all the other of the men trust you as the man. And now you're on the inside, and now all your SSL is good, all your ActiveX is good. So basically you know the secret handshake and you have a key to the executive washroom.

Now there are some ways to do it cheaper. If you don't want to spend seven hundred dollars for an ActiveX control signing key, you can actually steal someone else's ActiveX control. There have been a number of ActiveX controls in the last couple years that you can actually serve from your own website. You can serve a Flash ActiveX, you can serve other stuff from your website that people will then run on their computers. And it's vulnerable; it's signed by a well-known corporation, but it's vulnerable and you can hack into it. A lot of ActiveX controls we've bought... we actually make a tool, and we make it available for free, called ActSpan, that looks for bad ActiveX controls we know about, and a lot of the bad ActiveX controls we've tested don't check to see where they're instantiated from. So you could literally host it on your own site. A good example is a recent one, about three months ago I think, the HP Info Center ActiveX control, and it was part of HP laptops, so if you have an HP laptop you had this ActiveX control. Don't worry, Dell, Toshiba and Sony all have similar issues. Luckily Apple doesn't, though; they don't have security issues. I've been told that by lawyers. So it exported a couple of good things, like you can write arbitrary registry values, and that's enough to break in, but also this LaunchApp method that it exports, so with a little JavaScript programming you say LaunchApp and you can launch any arbitrary app you want, like CMD, download some hostile code via FTP, and then CMD runs that hostile code and then you own the box with a botnet.
And it's signed by Hewlett Packard Corporation, which everyone trusts. Hewlett Packard is good. So now imagine a more advanced spear phishing attack. First of all you get an email address list, which you can Google; you get a large list, you can also do other stuff, and then you've got your email addresses. Now you spoof an email address from HR at whatever corp that you're hacking, and then you have a message saying we've now changed 401K providers, now you need to go to this new website and log in with your corporate credentials, and you'd better do it before the next paycheck cycle, otherwise you won't get your deduction done correctly and you won't get your matching 401K money. Also be very careful to follow IT security guidelines; we remind you again that you should check the padlock to make sure that you've got a secure SSL connection and that no one's been spoofing you, man. And then if you're the man, though, you have a trusted SSL connection, you have a nice little padlock, and they'll come to your website and it looks like a nice corporate IT website, a nice outsourced IT website, and then they log on with their corporate credentials. A nice touch is, on your fake website, you set up under the news section, write an article about how whatever corporation you're targeting has just partnered with this company to provide their 401K services. That always looks legitimate. Now I've worked with companies now for a long time that send out these emails that look just like this. I used to get them at ISS, we used to get them at ISS. ISS changed their 401K provider and they told us to go out and log on to this website, basically the email they have right here. How many people have received emails like this saying go to an outsourced provider for HR stuff and log on with your credentials? Well, that's more people than have sex with a prostitute in Vegas this time, so that's a fair number of people here that their own corporations have essentially phished them. Now it was a legitimate thing to do, I mean they send out saying go to this website and give your credentials, but that's indistinguishable from phishing.

So the second thing we then add, once we've got their corporate credentials, is add the ActiveX control to it and say okay, now to actually change your 401K you need to run this ActiveX control. What's funny is the ActiveX control is presented as a security feature to enhance the security. So what we'll actually find out is people will say yes, install the ActiveX control, then they'll get to the part where they have to put in their credentials and they're like ha ha, fuck off, phisher, and you're like it doesn't really matter, you even install the ActiveX control, at that point you're owned, so we'll just take your credentials, it doesn't matter.

So the upside is that phishing attacks are actually pretty darn lame. I mean I follow phishing attacks, so I don't have an account at B of A, so I'll gladly click on a link to a B of A website to enter in some credentials because I know it's not B of A, but I know they're not my credentials. That's actually how I end up with most of my identity fraud, is Rob puts in my credentials, so you wake up in the morning, find out someone spent $2,800 in Guatemala, you're like what the hell, I've never been to Guatemala, and what's polio? So but when I go to those sites I can tell that they're not secure. I mean they're going through a botnet that's got spamming, all those IP addresses everywhere, SSL does not work, and they're pretty well done visually, they look like B of A or whatever, and they look very good. Server-side includes are your friends for this kind of stuff. But when it says bankofamerica.foo.tk or something, you know it's not really, .defcon.org, you know it's not actually Bank of America. But with this, we were going to, like, you know, in our example we told them go to erraticorp because erraticorp is now, we're outsourcing our 401K to it, so they see erraticorp.com and according to SSL it's actually the certificate, it's actually the name of the email, you know, it all looks legitimate. The most important part of this entire process, aside from the press release, is you have to come up with a catchy slogan for the fake company, like erraticorp: we're watching your money. And then you can laugh every time you own somebody, because you really are watching their money. But it's also one of those things, if you go to these outsourced HR, human resources websites, they always have a bunch of, you know, very well looking, good looking people in suits shaking hands with each other. Nobody from this room. Stock file photography. Yeah, so it's stock photography, and it's amazing how when you see two people wearing suits, it's kind of like the SSL analogy, when you see people wearing suits you automatically trust them. If you see people wearing Che Guevara t-shirts you tend not to want to give them your money. So that's the logical equivalent of what we're doing here, is for a certain amount of money you now have the cyber equivalent of a suit and people trust you. So, continuing Rob's point, you can actually Google stock photography, you can buy all that stuff to make your site look legitimate for like a buck, if you're missing on the iPhone in the box.

We've also done some other stuff. It's actually pretty boring, but we find it interesting. One financial firm used an ActiveX control to provide security to their site, so we reverse engineered the ActiveX control and we found out that they had secrets embedded that they assumed no one would be able to reverse engineer, that we were then able to use to help get into their site. Reverse engineer? Who does that? Only illegal hacker kind of people. There was another customer, they had a software application that would update itself via FTP, and we just put a sniffer on the wire to watch the software application, and it would just FTP to an FTP site, it would give a secret password that only they knew, in clear text of course, and it would then look for a newer version of the software just by the date, doing the FTP date on the directory listing. That's a security application. And it was a security application, by the way. So getting the password from sniffing, we then logged on to the FTP server and found that that directory was read-writeable. Anybody want to own a security company? Now you guys have all laughed because you've immediately made the connection: I write a new version of the software, it's my hostile software, and every one of those client applications downloads and updates themselves with my software. It took you a millisecond to figure that out for yourself. This company, it actually took a while for us to really prove that yes, this could happen this way. Are you sure it's bad? I mean it's FTP, it's pretty safe. The results of that were kind of fun, but using sniffers is pretty basic and it's pretty common. Best quote ever out of that story is, do you know what the best thing to do to resolve this is? Let's just not tell anybody. What are you, Apple? Ooh, I hit an Apple joke somewhere. Steve Jobs is plotting to take your money. So thank you very much.

So the conclusion is that pen testing today is pretty boring. I know, how many people here have done pen tests or worked on pen tests? But they're pretty boring because the customer fundamentally doesn't want you to do exciting things. So one thing that Dave and I get to do is we get to find the customers that want us to actually stretch our wings a little bit and actually have fun with the pen test, so we actually enjoy pen tests quite a lot. So do we have any questions, comments, suggestions? Does anybody here have an iPhone in a box that they recently found in a cab? It's not eBay. Thank you very much, thank you for attending our boring talk.
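The FTP self-updater in the talk trusted whatever the newest file in a writable directory was. As an added example, not code from the talk or from the speakers' company, here is the shape of a verified update check in Go: the client pins the vendor's Ed25519 public key, rejects a manifest whose signature does not verify, rejects a payload whose SHA-256 does not match the signed manifest, and rejects any version that does not strictly increase, so write access to the download directory no longer decides what the client runs. The manifest format, function names and sample payload are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical manifest format (an assumption, not the talk's): the two lines
// "version=<n>" and "sha256=<hex of payload>", signed as a whole by the vendor.
const manifestFormat = "version=%d\nsha256=%s"

// SignManifest is the vendor side: hash the payload, write the manifest, sign it.
func SignManifest(priv ed25519.PrivateKey, version int, payload []byte) (manifest, sig []byte) {
	h := sha256.Sum256(payload)
	manifest = []byte(fmt.Sprintf(manifestFormat, version, hex.EncodeToString(h[:])))
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side. Unlike an updater that takes the newest file
// in a writable directory, it accepts an update only if the signature verifies
// against the pinned key, the payload hash matches, and the version increases.
func VerifyUpdate(pub ed25519.PublicKey, current int, manifest, sig, payload []byte) (int, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return 0, errors.New("manifest signature invalid")
	}
	var version int
	var want string
	if n, err := fmt.Sscanf(string(manifest), manifestFormat, &version, &want); err != nil || n != 2 {
		return 0, errors.New("malformed manifest")
	}
	if h := sha256.Sum256(payload); hex.EncodeToString(h[:]) != want {
		return 0, errors.New("payload hash does not match signed manifest")
	}
	if version <= current {
		return 0, fmt.Errorf("version %d is not newer than installed %d (rollback refused)", version, current)
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // pinned in a real client, generated here for the demo
	payload := []byte("constructed sample update payload") // constructed, not real software
	manifest, sig := SignManifest(priv, 2, payload)
	v, err := VerifyUpdate(pub, 1, manifest, sig, payload)
	fmt.Println(v, err)
}
```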