Thank you all for coming. I'm Andrew Brandt. I'm the Director of Threat Research at Blue Coat Systems, which as of Monday is Symantec. I run a malware research lab in which we detonate a few million samples a week and observe the behavior on both the endpoints and over the network. This specific lab that I work in does deep research into APTs, Internet of Things, mobile devices, kind of a broad spectrum of bad stuff and broken stuff.

So today I wanted to talk about the SSL Visibility Appliance, which is one of the pieces of kit that I have in my lab, and it's also one of the products that the company sells. Now, this isn't a product pitch. There are a few marketing-delivered slides sprinkled throughout, and the only reason they're in there is to put speeds and feeds and some other stuff in there; you'll be able to tell the difference really well, plus I'm not going to make a sales pitch for this stuff. I'm just talking about how I use it in the lab and why people use it, and, maybe I should just go to the first slide, also why businesses use it and why they're interested in it, how it works, and what it can and can't do.

So Blue Coat has a bunch of lines of business (I'm going to assume Blue Coat is a separate company for the moment). It started out as a company that sold proxies, and then they bought a company called CacheFlow, which does bandwidth management, and they did that for ten years. Everybody who knows about Blue Coat basically thinks of them as that company that sells proxies to companies that want to do filtering and stuff on the Internet, and as a side business of that, the research division for Blue Coat does a lot of work on URL categorization. Some really smart people who are experts in linguistics and all kinds of weird math theories as well, and we do all this analysis, some of it automated, some of it manual, to classify URLs as good or bad, and when they're good, into a host of other subcategories, so that you can basically decide on the proxy what you want people to be able to get to while they're on your network.

In 2013 they bought a bunch of security companies and kind of rebranded themselves into the security space a little bit more. I was from one of those companies: I was the director of research at Solera Networks. Solera made a product called DeepSee, which is now called Blue Coat Security Analytics. They also bought Norman Shark, which made the Norman Sandbox and Norman Malware Analyzer and is now called just Malware Analysis, and then they bought some technology from a company called Netronome. They had some custom silicon that they patented which is specifically for crunching the math involved in doing SSL decryption, and some of that technology is now in the product that's called SSL Visibility.

A lot of our customers are some of the biggest companies in the world in a whole host of industries, and almost certainly, if you bought a coffee today or filled up your gas tank or went to the store in the last week, one of those businesses is probably using some of our stuff to protect their own internal networks, and we like to think that that's a good thing.

So I want to talk a little bit about SSL Visibility, but I need to give you some context, because the way I'm going to show you the decrypted SSL is through the lens of Security Analytics. The SSL Visibility product doesn't actually do anything except decrypt the stuff and then spit it out onto another sort of SPAN port. So even though it gives you some logs and stuff, it doesn't really give you a whole lot of context as to what's going on.

So most of what I'm going to be showing you is Security Analytics. What it is is a full-fidelity, high-speed packet capture system that, as the packets are all sprayed out onto disk, passes them through a DPI engine, which then extracts several hundred metadata attributes about the packets, indexes all of those attributes, and then allows you to do things like search for traffic that is interesting to you in a very free-form way. When you've found something of interest, it will reconstruct some of the types of artifacts, like HTTP and SMTP and a whole bunch of stuff. And yeah, this is what I talked about basically, and the gist of it is that SA is a retrospective analysis tool. It isn't focused on any one thing; it basically allows you to search for whatever you want, and it can't block anything because it's an out-of-band network tap. As such, everything that you see in Security Analytics is what happened from one second ago going back in time, as far back as you have storage to store all of the network data.

So this is just a screen grab of the UI on a monitor that was not 1024 by 768. It shows that there are different little reportlets shown on this dashboard; they are the different metadata attributes, and it shows some flow counts for each of those during the time slice that's indicated in the upper right-hand corner. The big rectangular bar is the metaphorical equivalent of the browser address bar, in that it allows you to narrow your searches, and that's where you would search for different metadata attributes in the product.

And this was my favorite quote of the year. Back in February at USENIX, the guy who's the head of NSA's TAO was giving a talk, and he gave this great quote, which is basically that out-of-band network capture, where people are actually paying attention and looking at the stuff, is their worst nightmare, because it's the kind of security solution that even nation-state hackers cannot detect is present on the network, and it will reveal their activities. Best sales pitch ever for us.

So what's SSL Visibility? It's this box that is a standalone SSL man-in-the-middle box. It has this UI for creating, maintaining, and managing certs. It is an inline device, meaning that it has one port for inbound ingress traffic, one port for egress traffic, and then a bunch of other ports that are basically where you would put your tap-out, your feed-out ports. It doesn't do a whole lot else. In fact, it pretty much only does the decryption and has a bunch of logs that you can look at to see what's happening on the box, but it doesn't show you any of that traffic per se.
So this is the main reason why people are interested in SSL decryption in a corporate, big-enterprise environment: a lot of CSOs understand that, even if it's not a large part of their threat traffic (in our estimation 10 to 15% of malware is using SSL in one way or another, either for command and control, to pull down payloads, or to exfiltrate data), the stuff that's using it is the worst stuff that's out there. So these guys know that there's a visibility gap in these really bad pieces of malware, and they want to be able to answer the question when the boss calls them up and says there's been a breach, what did we lose? They don't want to have to say, we don't know. So that's why they are interested in this stuff.

So this is what the box actually looks like. It's a half-width 1U server. This particular one is the smallest one, called the SV800, but there are bigger ones that are 1U and 2U and 4U, and they're all capable of different performance levels on SSL decrypt. But basically what you need is the box that does the decryption and something to take that feed, store the packets, and let you search through them, and that's what we use SA for. And as I said, it plays well with others: it can feed out to tons of other products, whether it's an IDS, an IPS, a next-gen firewall, an anti-malware tool, whatever it is, it doesn't matter, we play well with everybody.

All right, so here's the user interface walkthrough, and this is the really boring part. I'm going to go through it fast because it's the really boring part and I want to show you the cool stuff that we're able to find with the tool. But this is the important part of the talk, because it's the part that I think there's the most misunderstanding and apprehension about, and it's important to understand it.

So the first thing: when you set the box up in your network for the first time, it has its own self-signed cert, because everything is done through an HTTPS browser-based UI. So the first thing you're going to see (well, it just went by itself, sorry, something popped up in front of this window, go back) is the self-signed cert alert, and you have to bypass it by hitting the acknowledge thing and just allow it to talk. Once you've done that, you have a default username and password that you log in with, and it prompts you to change that. By the way, I just want to show what the self-signed cert looks like, if you're curious to know what it is. It's just a cert that's on the box, generated at the time the install happens, and you can see it's a self-signed cert. This is an older box, so the validity expired on this one, but basically it's self-signed for two years after you first turn the box on.

Yeah, you could, but until Monday we didn't work for Symantec, so that association is brand new, and it's possible that that will happen in the future. But there are a lot of appliances, and when you buy them off the shelf they have their own self-signed cert that's just installed, and that's pretty standard.

So this is the UI that pops up when you first see it, and this is about as pretty as it gets. It's got this little diagram that shows you what the front of the box looks like and the status lights on all of the network ports that are on the front of the box. The segment status thing just underneath the picture tells you that the box is in the most commonly used mode, which is called active inline fail-to-network. What that means is that it is a bump in the wire between the inside and outside of your network, and if there's any kind of a failure on the network, there's literally a six-inch-long Ethernet cable plugged in to interfaces five and six that just loops back, so that if the box fails for whatever reason, it'll just pass the traffic through, but it won't be doing any decrypting because it will have failed. In this one it says that the copy interfaces are three and four. The numbers of the ports are one on the left to eight on the right, so three and four is the second pair, where my copy interfaces are plugged in, and I have one that goes to one Security Analytics box and one that goes to an ESX server that's running a different set of tools as well.

So this is the SSL session log. Up in the upper left corner where it says Monitor, those are menus, and the first thing in the menu is this thing that just says SSL session log. This is pretty much all of the data that you're going to see in the UI of the SSLV about what is happening on the box. What this is is a list in reverse chronological order, so it's oldest at the bottom, newest at the top, and it just constantly feeds down. It's got the IP address of the machine that's making the outbound connection and the IP address of the server, as well as the domain name of the server, the cipher suite that's in use (which is actually kind of interesting), and whether or not the certificate is valid on the server side. So if you're using this for checking outbound data, you'll see a couple, like there's one right in the middle there that says invalid issuer; it's actually whispersystems.org had a bad cert on their server, and it will alert you to that. It'll also alert you when there are commercial entities that are using self-signed certs and other bad certs for their own business stuff, and it will throw that error. It shows you the cipher suite, and the Action column is whether or not the decryption happened. What I'm going to show you next is how you set up the rules for whether things are decrypted or not, and they're very fine rules that allow you to decide what is appropriate in your circumstances to be decrypting and what you want to just allow to go through the box because you don't care about it. In my case, because I work at Blue Coat, all the Blue Coat-related stuff I just let pass through, because I don't actually want to inspect the operation of the boxes themselves. But if you wanted to, and you could install the certs on anything that you've got, you can literally inspect everything. Then the Status column just says whether or not the decryption worked, and most of them say success, although some of them say alert, because occasionally, if you catch an SSL session midstream and you don't get the beginning of it, you don't do the cert resign. You'll get little alerts and errors where we didn't get to do the cert resigning because we were in the middle of the session; you have to get it from the beginning.

So this is the UI for creating the certificate. In this PKI menu, which is one of the menus on the top, you would go to Resigning Certificate Authorities, and then you would click the little icon that looks like a rose, which is the generate certificate icon. That's basically how you make the cert. You then go into the next page, there's a little pop-up, and you can create a cert that has all of the basic information that you would have in an SSL cert. It's going to have the org name and street address, but you can put whatever you want. So I made one specially for the talk called "this is my DEF CON CA cert". Then these are the drop-downs that are in this little pop-up box, and I kind of exploded them out so you could see all of the options that are available to you. We do varying levels of expiration, different cipher suites, and different bit lengths on the keys. Then it just generates it, and it's like boom, you're done, and basically these are the details of the cert.

So there are two choices: you can either generate the cert itself, which you then have to distribute to all the boxes that you want to do decryption on, or you can generate a certificate signing request, and you can then take that to a VeriSign-type company and go and get that signed, if you need to have that signed, and you can use that as well. So these are the options, though what's at the end is what you get: it shows you the details, or it shows you the signing request PEM file. Then the next thing you do is go back to this Certificate Authorities window, and you can see here's mine, I called this my DEF CON CA certificate. You can just select it and hit the Export Certificate button, and it saves it as a PEM file with the naming convention you see here, and then you can just use OpenSSL if you need to convert it to CER or CRT or any of the various versions of certificate styles. So that's how you make the cert.

Now, once you have the cert, in order to do decrypting, everybody who's in the network whose traffic you want to monitor has to have that cert installed. So at that point, if you're an IT administrator, you set up Group Policy, or walk around to every machine and install that cert into the certificate store on every machine that you would want to have in your monitoring pool. Any machine that does not have this certificate installed, you can monitor their stuff, but for every single flow within an HTTPS session, the browser or whatever is going to pop an error message saying there's a certificate mismatch and you're likely being monitored and you shouldn't go to the site. You get all kinds of browser errors; some services won't work at all, and some will just throw up error
messages that you can click through repeatedly and really obnoxiously for a very long time before you can actually get through to things. So you do need to actually put those certs on there to make it work in a comfortable way for the end user.

Yeah, question. So the question is, are there a lot of corporate users who are used to clicking through that? I don't know what the answer is to that. I guess some people might be; it depends. There are people who will just click OK on any dialog box you present to them just to get it out of their way, but this is so obnoxious and so persistent that it's going to attract attention, or at the very least you're going to notice. And the whole point here is that nobody who's being monitored using any tool like this should be doing so without proper notification, without proper awareness of the fact that they're being monitored, which is why this kind of stuff is only sold into corporate environments, where, as a characteristic of your working there, you usually have to sign an agreement that says while you're on the corporate network, IT is going to be monitoring what you do. It's pretty standard.

Yes, that. So the question is, have I ever asked users if they know they're being monitored and if they understand it? The answer is no, I have never asked users, because I'm not user-facing; I work internally. And the laws differ in different countries. In places like Germany there are very strict privacy laws that prohibit the use of certain kinds of technologies whether or not notification has been given, and it's really just jurisdictionally dependent. But no, I've never asked those questions, and honestly the reality is that if you ask the typical user what that means, they don't really know. So yes, it's a valid point, that's true. But they're using other technology; they're doing it for other purposes. And honestly, the comment that the person made was that there are companies like Akamai that might be doing certificate resigning and dropping the security level on certain sessions or URLs or flows and sending that stuff from different places, and presumably that's true. I'm only talking about what we do, but that's a valid point.

Well, you can't generate the certificate until you've installed the device, but you wouldn't necessarily start decrypting until you've deployed the certificates. So you can have this box and have all the traffic just pass through it undecrypted until you're ready to flip the switch and turn on the decryption. That's where we're getting to, and I'm glad you mentioned that, because that's what this next step is. So once you've got these certs out there and everything is ready to go... oh sorry, go ahead. Correct, so if you already have certs installed on your network, we can just take that cert and stick it in here. Right, exactly, a resigner, whatever.

So next you're going to set up your policies, because this is going to be how you define what you do and do not decrypt. You have to create all these lists of things that you use to set up these rules, and you can set up lists of IP addresses or domain names or certain cipher suites. WebPulse is the categorization service that's internal to Blue Coat; you can set it up for certain categories of websites that you do or do not want to decrypt. So this is what the UI looks like for that. You create these rule sets based on these lists, and in my case I have a bunch of sites that are excluded from decryption. There are IP addresses internally whose traffic I don't want to decrypt at all; there are IP addresses externally or domain names externally that I don't want to decrypt, or the decryption of which would screw things up, like my TV streams Netflix, and I can't install my cert on my TV, so if I have this thing on the same network where I'm doing the SSL inspection, it's going to cause Netflix to not work. So things like that, and then the last thing in the step is just decrypt.

So this is one of the things I wanted to show, and again this is one of the marketing slides, so I'm not going to talk about it too much, but the idea is that you can use web categorization to decide the categories of sites that you do or do not want to decrypt. Typically what happens is, because there is a computational cost in terms of what you choose to decrypt, companies who do this will pick sites or categories of sites they do want to decrypt, and everything else passes through. So stuff like Facebook and Twitter will pass through, but there are categories in WebPulse for suspicious, malicious outbound, malicious sources, spam, fraud, pornography, and they will want to decrypt some or all of those and just let the rest go through, to conserve bandwidth and conserve resources.

Now, this is just some of the UI that defines how the decryption is basically being done, the decode rules. It's got these pretty little pictures that show you how you wire it up; that's all that is. There are different modes that you can use, and for each one there's a different pretty little picture that shows you how to wire it up and make things work, and you can do it in a number of different ways.

Then there are failure mode settings. So, for example, the Twitter app that you use on a mobile device uses certificate pinning, so it has its own built-in cert in the app itself and doesn't use the host cert store that's on your mobile device. Even if you have a cert installed on a phone, for example, the Twitter app on a network in which the surveillance is enabled will just fail to connect to Twitter because of that certificate pin. So that's one failure mode, and in my case I've got it set up deliberately to fail, because I want to see which apps and which devices have certificate pinning installed. That's the fourth one down in the column under decryptable actions, where it says client certificate reject. So that's going to cause my connections to fail, but if I wanted to, I could just allow it to pass through and work unimpeded and just not be decrypted. But again, I'm trying to see what is pinned and what isn't, so I actually wanted to throw those error messages on the device when I'm doing that.

Yes, that's a really great question; they probably will have a harder time decrypting stuff.

Yeah, so this is where it gets used. The idea is you can put this inline in your internal network. Say you've got a big enterprise network, you've got all these people at workstations, and you want to be able to do monitoring and make sure that nobody's getting infected with something and beaconing out. So you put it inside the network and you inspect all the sessions that start from the inside and go out. Another use case is to put it on the outside of a web server that you're using to host some service, to monitor the inbound connections and see what people are doing and how people are trying to break your service in innumerable ways. It can also be used to detect and thwart things like Heartbleed, although of course we all have patched our servers by now, but for the one or two machines that haven't been patched, it's basically a Heartbleed filter. So all of that kind of stuff, like weird sessions and oddball sessions, will get thrown out and the rest of it will pass through, and you can inspect and monitor your own service to make sure that it's working properly and people are not abusing it. And this is just a pretty marketing picture showing you a map of a network diagram. Next page.

Speeds and feeds, just so you know. At the highest end, this thing that's called the SV3800B can handle 800,000 concurrent SSL flows. It seems like a lot, but in a big corporate environment that could be every image on an HTTPS page. (You guys are leaving before the good stuff.)

This is where SSL Visibility doesn't get used. It does not get used on large public networks; even at our highest level we don't have the performance capability to do SSL inspection on a whole ISP, even on a small ISP. And the other thing where we don't do it: by the way, everybody who works at Blue Coat, every single year, has to go through export control training, so that we all very thoroughly understand what the Office of Foreign Assets Control export control list is and who is on it, and those people cannot have our stuff, ever.

Again, and I've mentioned this a bunch of times, I'll just say it again, being redundant: the certificate has to be installed on every device, and on certain devices it has to be installed in multiple certificate stores, otherwise it throws lots of errors and it's very obnoxious. And even with the certificates installed properly, there are a lot of devices that display the notification that you're being monitored anyway. It has to have this stuff on it; it doesn't work without it. So this is an example from Android: when you install the certs on an Android device, it is going to have this particular persistent notification in the notification bar that tells you there's a certificate installed, that this device can be monitored, and that while it's on a network you might be being monitored. If you click through it, it shows you this bigger dialog box that then leads you to the certificate page and allows you to remove those certs. So there's nothing that's going to be invisible to you.

And the other thing about this is that we're not downgrading the crypto. So if Akamai is doing this kind of stuff and downgrading the crypto, they're clearly not using this
tech because we don't do that everything that is using a certificate a certain crypto suite or certain crypto level when we resigned the stuff it's using that same suite and that same level when it goes between our box and the client box so that there is protection at least between your knock and the endpoint I don't know that's a really good question and I don't know why you would want to I mean it's possible I but that's a that would be a great question for us as he unfortunately I just use the tool I don't actually know all about its internals so there's a there's a really cool blog post on our site right now that talks about some of the SSL malware stuff that we've been seeing and as I mentioned 10 to 15 percent of malware using SSL or TLS in some way to either infiltrate or exfiltrate and the stuff that we're seeing that's doing it is the the baddest of the bad stuff alright so we've got some halfway done are there any other questions and then we're going to just go into demoing yeah the speeds and feeds let me go back to that oh sorry that's a that's one of those questions that I have no idea did it go there go back just it just doesn't want to go back boop boop oh crap I did go the wrong way I'm so sorry driving people away this projector is goofy too because it actually has the top of the screen is at the bottom of the projector screen there it is okay there speeds and feeds did get your screen shots now that's all of our stuff okay so did does that answer your question who was the person to ask that question sorry it doesn't okay I'm I'm sorry okay boom boom boom bad stuff draws pretty graph you can tell the stuff that was made by marketing because I don't do that animation crap alright but here's so here's the real use uh real use cases so at um at b-sides I did a really interesting talk that I thought it was pretty interesting the people were there thought it was pretty interesting about augmented reality gaming and the talk was about primarily ingress 
which was the game that Niantic released four years ago and that and basically is the sort of predecessor to and progenitor of uh pokemon go um so this is the link to the video of the talk and it's it that video is the whole days worth of talk so go to the last hour to see the talk itself but the gist is is that there's this game called ingress and it runs on your phone and it uses geolocation on your phone to uh place you in the world and you have to interact with the the game at physical locations and what I did was I used SSLV to intercept the traffic um between the mobile device and their cloud services um as a way of sort of starting my research project and so this is the uh this is the log from the SSL Visibility UI that just shows the uh like this is the cipher suites that they're using and some of the servers that they were using um the appspot.com domain that they're using they're using a sub domain off that is their cloud service right but then they have all these other API uh these analytics APIs that they're using right so one of the things that it does is it um it's tied in with Google OAuth and and what a lot of people don't realize is Niantic is a spin off of Google they were at the time that creating ingress was created it was an internal Google project and um so it's using a lot of Google services including OAuth to basically log you into the game so this is the session data that was decrypted showing the Google OAuth keys and the and the fact that it was the Niantic um ingress app that was making the request right and then um uh Google will respond with an OAuth key and basically say okay you're good to go um also the game communications all of the game communications uh while the transport layer is encrypted once you've removed the TLS everything is just plain text JSON and um there's an enormous amount of personal and and geological or geolocation data that's transmitted with every in-game action and broadcast out to every player of the game so 
the the reason that I got into this this talk is because there there was an there is an epidemic and kind of a an arms race of cheaters trying to game the system for their own advantage within uh uh ingress and then there are other players who are exploiting open APIs and the ability to decrypt the SSL to do huge amounts of data scraping of ingress uh to track the cheating players and then report them to Niantic and that as a result of the fact that there are these enormous databases that profile and lock onto and locate players within the game some mentally unstable players have been using that information to actually physically stalk and harass other players in the game so like I said it's a really interesting talk so go check it out but basically this is showing some of the decrypted stuff that that's in the game which includes all of the text messaging all of the game event messaging and and tied to that all of the unique player IDs unique location IDs and the the um uh Latin long for every event that takes place within the game so everything is geolocated and there are these amazing heat maps that show um where things happened or where players frequent within the game uh that they were able to get from the scraping um the other thing that they were able to get what that we were able to get is some of the API calls to these analytics services right so so upside API is what Niantic is using for their in app purchasing um and to sort of get a baseline for the device they have this enormous amount of data that they pull down about the device and again this is all transported over TLS but once you've decrypted it it's all in plain text right this is just the the this is the actual file that was sent from one of the test devices that I was using and you can see it's showing you know not just them the make and model but how it's connected where it's located um uh just a ton of information about the phone and the user and its state um and in addition to that they're 
using a different analytics tool to monitor how people are using the app. That analytics tool is called Crittercism, and that is also collecting a lot of the same information that the Upsight API is collecting, but it also includes things like the country code of the phone number of the device as well, because again most people are playing it on their phones or on a mobile-network-connected tablet. It's a way for them to monitor who's cheating, because they're looking specifically at combinations of metadata about the phones themselves that would indicate whether or not the phone has a propensity to be doing bad stuff. They're still working on that; I think that's a hard problem for them.

All right, so here's another interesting one. In April we stumbled upon an exploit kit that was delivering ransomware to Android devices. So this is something that I would typically do: I do manual browsing around sites that have a propensity to do bad stuff, and I allow those sites to infect the machines, and then we allow the infection to just progress and run for an extended period of time. Typically with Android devices we generally see there's sort of two ways that Android malware will get onto a device, and it usually involves some form or some degree of user interaction. Either they get redirected to a page on Google Play for some crappy battery saver app or something, and then they have to click install and go through the regular install process where they download it and see the permissions and have to accept them, or sometimes you see these malvertising sites will redirect to an APK that's been hosted on some server somewhere that's not Google Play. They basically push the APK down and assume that you have third-party sources turned on in Android, and then the install just starts happening and you have no idea why; you just see

the pop-up dialog box again that says what permissions the app is asking for, and because a lot of people will just click anything regardless, most of the time these things work. So here's the device that we use: a Galaxy Tab 2, stock browser, running CyanogenMod, so it was running Android 4.2.2, and this is just one of our test beds that we use all the time. There's these feeds of bad URLs that come to us daily through our system. This one's called Popular Site Monitor, and what it does is it shows what are the top ten sites who are referring to the most malicious sites. So, pretty interesting stuff, but you can see the first one on the list is a porn site and the next one on the list is an ad site, and we still see that, generally speaking, porn and advertising are the referrers to most bad stuff. So this one day I was using the Android device and I was walking through the list of the pages that are in that email, and I just browsed to them, and the first thing that happened was this weird pop-up appeared that says "Update now. Please read: do not turn off or reboot your phone during update. Please try again later." Interesting, because it's running CyanogenMod and it doesn't get over-the-air updates unless you go and ask for them, and there hasn't been one for this particular version of Android, at least in the release channel, for a couple of years, which is why it's still running 4.2.2. So, interesting stuff. So I just kind of hit the back button and this screen went away, but then a minute later this thing popped up and filled the screen, and it was this weird Android ransomware. And you can thank me later, but I've blocked out the piece that shows the person and a dog doing something really nasty, which is why we called the malware Dogspectus. So what it says is "Your device has been locked for reasons indicated below," with a timer, and then there's
actually some metadata here that has the Google account name, the IP address, the public-facing part of the IP address that I was on; you can see that it says device OS Samsung, it actually had the model and stuff, and then device OS 4.2.2 at the bottom here. And then apparently there were some activities that had been undertaken on my device that it found to be illegal, and it was all valid, because Jeh Johnson, the head of Homeland Security, signed it himself; this is his personal note that you've been doing bad. So what it was doing was asking me for 200 bucks. But what was interesting about this attack was that it all happened with no user interaction whatsoever. I never at one point saw that dialog box that was asking me to install something and grant permissions. Awesome. Go into Security Analytics, and the first thing you get is the exploit, which looks like this bunch of JavaScript, and I did not know what it was, I had no idea how it worked, but I knew that it was referencing something called XSL transform, and I did know that there were certain characteristics of it that looked really familiar. So when I started doing my research on this I contacted a really smart researcher named Josh Drake, who works for a company called Zimperium, and I asked him for some help, because I don't know what this is. And he came back to me, and subsequently another guy who works in our company came back to me, and they both said yeah, we're pretty sure that this was the leaked Hacking Team exploit against XSL transform. So as far as we were aware, this is the first time that we had seen the Hacking Team exploits being used in an exploit kit to deliver malware. So it was pretty exciting to see that, you know, from a researcher's perspective; really bad for mobile device users. What this thing did was it sent this exploit, the exploit delivered an ELF file, an

Android executable, directly into the operating system, installed as root on the device, and that app was another interesting tool called Towelroot, which is basically an open-source root tool that people use to root their Android devices. So we see they were using Hacking Team to install Towelroot, and then they used Towelroot to install this. So it came down from this weird website, directbalancejs.com, as an HTTP POST: it sent up a sort query with that string in it, and what came down was basically a POST data response that contained the APK in it. So it delivered the APK right there; it says net.prospectus. And then it was kind of cool, because when it's finished installing the app it then contacts and it says "final," and as part of the final configuration on this particular piece of malware there's no command-and-control URL that's embedded in the APK; it actually writes the string directly into the APK, to a memory location where it knows it's installed, which I thought was really cool. So whenever they install this particular piece of malware, after it's installed, they then hard-code the command-and-control address into it, but they can do that after it's installed. I had never seen that before; that was really neat. So here's the slice out of Security Analytics that showed the flow of the malicious traffic that was involved in this exploit kit. And so what happened was, the original site that was visited is called zipporn.mobi, and there were two parallel advertising calls that happened at the same time, and the one that follows the red line is the flow of stuff that was happening that led to the malware, but there was a separate set of ad calls that were benign that went to regular advertising sites. So we had these IOCs that we were able to get out of it; most of this stuff was all through SSL, but we were able to figure it out, we
knew what the servers were, so then we plugged it into our tools. The ad network, going back one stage, so the second link in the thing is terraclicks.com; we plug this into our internal research tool and it's kind of in the center there. terraclicks.com has a few IPs associated with it, and the things that have the little nuclear symbol are known malware hashes, and when it's an arrow pointing towards something it means the malware is communicating with that server. So there's a couple of malware that was communicating with either terraclicks.com or the IP address that it was hosted on, and that was kind of cool, but then the longer we let this run, we started to see that there was this elaborate network of malware that was all communicating with the servers that were connected to these ad networks and that were hosting these ads. And just to show you, that one that's in the red box there, that's terraclicks.com, that was the one we started with, and you can see how much it branched off into this really bad network of a bunch of different malware that was all talking to the same stuff.

The other thing we looked at was the end of that infection. So directbalancejs is right here, and another URL that was part of the attack, image Tums JS, is right here, and they're tied to another really bad set of IPs. If we showed all of the stuff that was here it would fill the whole wall with all these bubbles of different relationship connections between these things, but the main thing is that these guys at the center are at the hub of a really bad network of a lot of malware, and it was really cool to discover that. And by looking at just these few domains we were able to discover a whole lot of newer IOCs that we weren't aware of, that weren't really part of the initial attack, but when we started looking at them we found that they were connected. And then one of the things that was notable was that off to the bottom here and off to the left was this one domain registration whose whois email address was Daniel M. Cano at mail dot com, and it's fake, and all the whois information is fake, but it was the one domain that wasn't private whois in the whole attack, and it was connected off to the side to this thing, ad astra dot pro, and I thought that was kind of cool, that that's their site that they were using to sell their services from.

So we're at eleven forty-five, and I can show you some more examples of bad stuff if you guys want to see a little; I can drill into some Security Analytics. Are you interested in that? We got more time, so I can show you more stuff, or you can just take off early. It's up to you. What do you think, show fans want to see more stuff? Yes? What was that? Well, feel free to jump in, so if you have any questions or comments, please. Okay, I'm sorry, what was the thing that... I don't know what... okay, I'm sorry, it's just your accent and I'm having a hard time hearing you. You mean... right now I talked about key pinning? Key pinning, yeah, no, that's true, I didn't talk
about it in the context of the web. So the comment was, it seems like some of these features of the security products are designed to subvert, or to reduce the amount of security of, other security features. So it's an interesting discussion, and yes, I use the product, but I don't build it, and I'm not a crypto expert, so I'm apologizing that I don't know how all of these things work. I would love to, if you have examples of websites and want to come up afterwards, we can actually walk through visiting a few of these websites and doing some inspection on what works and what doesn't. Okay, do you want the mic so you can be heard? Yes, please.

ProxySG, by the way, is the proxy communicating with the outside, right? So we use the tools to not only choose what we want to resign and decrypt, and then we use the VA to feed into the various other tools, because IPSes are great, but they don't work on encrypted products, and if you've got an internal customer that's using a client-side certificate or a private cert, we've just lost the ability to see into it. So we will actively block it; they'll come to us and say hey, this is broken, I can't do it, and we then have to go through a risk assessment to find out what is it that you're trying to do. Now for a home user, you want the private pinning, because I don't want Akamai and the handful of other bastards that sit in the middle and subvert my traffic to see what I'm doing; that's why I've got the private pin. But from a large entity perspective that's a dangerous tool, and it goes back to what you said; somebody had mentioned, if you're on an enterprise machine you have to click okay, and you're dumb if you're on your work computer and you believe that you're not being monitored. We watch everything.

Right, and we're not reducing the security for people who are using this at home or who are not on a corporate network, where they know that the corporation is feeding the network to

them and could be surveilling it. But again, we're not reducing the security level on the certs. But it's a valid point that there are certain things that this will reveal in the course of you doing stuff, but it's a trade-off, because there's enough of the really bad stuff that's using SSL. I mean, again, and I'm not saying that it's... it's a philosophical discussion: do we allow the bad guys to use our own privacy tools against us to steal stuff and take it places and do bad things? Is that okay? Okay, so yeah. And then, yes, that's true; that goes back to the discussion of whether or not a product will cover it. But if you want to allow users to have certain private interactions, like you want them to use Gmail and stuff, you can just exclude it, and again, it comes down to a risk assessment on an organization-by-organization basis. It's not the purest security. Let me tell you something else: the SSL Visibility product does not decrypt Tor. So if you really want to use Tor to make sure that you're entirely private, you can try to do that, and on a policy level the proxy can block Tor, and again, you then have to go to the guy and explain why you're trying to use Tor at work. But the point is that there are solutions that will basically either not allow you to communicate in an insecure way or that will protect your communication. So, again, that's why I said it's not a magic decoder ring; it's not going to work in a hundred percent of cases. Go ahead. Well, it's all tied to the projector, yeah, just come on up.

I saw your talk on TLS... I was at your talk on TLS
1.3 and I saw that they liked it.

Yeah, okay, thanks. So you're saying that you're expecting this to be used in a corporate network where the users are aware of it? Well, first of all, I had users contacting me about weird stuff, and it turned out this was used and they had no idea what was going on there. So that's why I earlier asked if you have ever tried to assess whether that's really true, that the users are aware of this.

Yeah, and I'm sorry, you're saying that some of your users...

Not my users, like people contacting me because they know I know about this stuff.

But it was a Blue Coat product?

I mean, I don't know that, but like corporate networks...

So in addition to us there's other proxies, including open-source projects, that do SSL inspection; we just do it with custom silicon, that's why ours is fast.

But you said you don't know whether your users know that.

I don't speak to users, but we do when we sell the product, and I'll answer that question. So when we sell the product we make it really clear; everybody who's aware of what this inspection does understands what the law is. In the United States, at least in North America, you have to provide some kind of notification where you're doing inspection or where you're doing surveillance on an internal network. And so I don't know whether they understand it, but I mean, I've spent the last 15 years doing user education and people still don't understand that they shouldn't open zip attachments that they get from some random person that contain an executable, either. So you could keep coming up with hypotheticals, but to me it all comes across as kind of red herrings. I mean, we try as hard as we can to tell the users, to tell the public, to tell the customers to tell their users, and a lot of them will notify every time they log in, but if the user... I mean, you can walk around with blinders on and still miss a whole lot of stuff too. People play Pokémon Go and walk into posts and fall off cliffs. At a

certain point user education just goes so far; if they're not aware, they're not aware.

That was just a minor point. I mean, I think there are a lot of points to this debate, and last year at CCC Camp I did a whole talk on this issue where I kind of try to make the point that I think these products are by design misguided. So yeah, and I'm happy to have this discussion afterwards; I think I'll leave it with that.

Yeah, and that's a fair point. I mean, you're welcome to your opinion, but I've seen enough really bad malware that's using SSL, so Trojan Dyre, for the last 18 months (it's pretty much died out at this point), but basically everything they were doing was trying to circumvent security by using the strongest security possible to encrypt its traffic, and then they also tried using experimental stuff like I2P, which is kind of like a different type of Tor over UDP. And so I know that there are... well, there are realities, and the reality is that the really, really bad guys are using it too, and we gotta know what they're doing, because they're stealing stuff and it's a free-for-all. Yeah, go ahead.

So a couple things on that. One is governance, so like PCI or HIPAA: you need to notify your employees and probably have them sign off that they are being monitored anyway, right? The other thing is, what you didn't address at all in this is DLP. Does your product have any DLP add-ons or no?

So again, the SSL Visibility, all it does is feed to other devices, so if there's a DLP tool that you use, you can plug the DLP tool into the feed and it can see whether to, you know, let it go or not.

Well, my problem with DLP right at the moment is that we have four of them, and sorry, I ain't saying who I am, but right now we haven't just set the log, but it captures all kinds of crap that it thinks is a credit card, and it's like, this is useless info. You can't show me one afterwards, and there has to be a lot of processing done because of the way the packaging and
fuzzing goes on. It's a huge deal; you need statisticians and people that really know how to munch the data to have true DLP done. I have yet to see anybody do it.

All right, so, question back here. The SSL inspection... clearly most of us are concerned about privacy also. I mean, it gets back to a segregation of network: if you're in a black riser, you set it up right. I mean, turning off SSL inspection for Blue Coat categorized sites works with Blue Coat categorized sites, but there's always an oversight. Just block all those sites on your network: you can't go to Facebook, you can't go to social media, and set up a segregated personal browsing network, because users aren't going to know they're being monitored; they'll definitely not know anything, including all of us, nobody reads the terms of service. So what we had done was we had set up a personal network. It's not an elegant solution: there's a separate network for your personal browsing, you use separate systems, and then you have your business network, which is heavily filtered so you can't even go to those. So if the Blue Coat SSL, or whatever SSL I've been employing, they just can't do it. Levels of control, levels of segregation. It also protects the international companies with the data privacy issues for Europeans, because if you've got those people coming over to America, what happens? I mean, I don't know if that's entirely clear, so on one side we're not looking at you but then over here we are; like, that's not cool. Just from that, which you should be doing anyway, right?

Right, and I would just make the point that I don't think... there's a false dichotomy that's set up, that you have to lose privacy to gain security. I don't believe that that's true. I think it's a configuration issue, and it takes being smart about the way you set things up so that you can have both, and I really believe that. I don't think that you have to lose privacy to have security. So, I'm sorry, you had a question or comment? Yeah, so I

mean, I think everyone in this room would fundamentally agree with what you said about privacy and so on, but I think your perspective, and I think my perspective, working for very, very large Fortune 100 companies, is that we're on a very corporate-style network where there is no expectation. So the other thing, about the ICAP: you guys already have a solution for that, so the ProxySGs using the ICAP protocol will communicate with other DLP solutions, so that's already solved. Can you please divorce from ICAP, pretty please?

I can hand your suggestions off to product management, but I don't make those decisions. Again, all I do is I run malware and break machines all day long, that's all I do, and use our tools to look at what happens when the pieces fall. So now we're a little over time, so I just want to thank you very much for your comments and your interest, and thank you for providing the contrasting opinion; I really appreciate it. And thanks for coming.
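The infrastructure pivoting the talk walks through (start from one ad-network domain, follow its IP resolutions, the malware samples calling back to those hosts, and the one non-private whois registrant, and discover indicators that were not part of the initial attack) as an added example in Python. This is not the speaker's or Blue Coat's internal research tool; the relation types, the .example domains, TEST-NET IPs, hash placeholders and registrant email are all constructed sample data.

```python
"""Pivoting outward from one malicious domain over an indicator graph.

Added example, not the tool shown in the talk. Edges model the three
relationships the talk describes: a domain resolving to an IP, a malware
sample contacting a host, and a domain sharing a whois registrant.
"""
import re
from collections import defaultdict, deque

# Constructed relationship records: (relation, source, target). None are real.
EDGES = [
    ("resolves_to", "ads-seed.example", "198.51.100.10"),
    ("resolves_to", "ads-seed.example", "198.51.100.11"),
    ("contacts", "sha256:SAMPLE-A", "ads-seed.example"),
    ("contacts", "sha256:SAMPLE-B", "198.51.100.10"),
    ("contacts", "sha256:SAMPLE-B", "payload-host.example"),
    ("resolves_to", "payload-host.example", "203.0.113.5"),
    ("contacts", "sha256:SAMPLE-C", "203.0.113.5"),
    ("registrant_email", "payload-host.example", "registrant@mail.example"),
    ("registrant_email", "seller-site.example", "registrant@mail.example"),
    # The parallel, benign ad call: connected to nothing malicious.
    ("resolves_to", "benign-ads.example", "192.0.2.77"),
]


def classify(ioc):
    """Bucket an indicator by its syntactic type."""
    if ioc.startswith("sha256:"):
        return "hash"
    if "@" in ioc:
        return "email"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
        return "ip"
    return "domain"


def adjacency(edges):
    """Undirected neighbour map: pivoting ignores which side is the source."""
    graph = defaultdict(set)
    for _, src, dst in edges:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def pivot(seed, edges, max_hops):
    """Breadth-first walk from seed. Returns {indicator: (hops, reached_via)}
    so an analyst can see why each new indicator was linked in."""
    graph = adjacency(edges)
    reached = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hops = reached[node][0]
        if hops >= max_hops:
            continue
        for nxt in sorted(graph[node]):
            if nxt not in reached:
                reached[nxt] = (hops + 1, node)
                queue.append(nxt)
    return reached


def new_iocs(seed, known, edges, max_hops=5):
    """Indicators connected to seed that were not already known, by type."""
    found = defaultdict(list)
    for ioc in pivot(seed, edges, max_hops):
        if ioc not in known:
            found[classify(ioc)].append(ioc)
    return {kind: sorted(iocs) for kind, iocs in found.items()}


def hubs(edges, min_degree):
    """Indicators with at least min_degree neighbours: the nodes 'at the centre'."""
    graph = adjacency(edges)
    return sorted(node for node, nbrs in graph.items() if len(nbrs) >= min_degree)


if __name__ == "__main__":
    known = {"ads-seed.example"}  # the initial attack's only known indicator
    for kind, iocs in new_iocs("ads-seed.example", known, EDGES).items():
        print(kind, iocs)
    print("hubs:", hubs(EDGES, 3))
```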