Give Me Your Data!

Post on 12-May-2015


Give Me Your Data!

Pilfering Data without Breaking In

Dave Chronister, CISSP, MCSE, C|HFI

Founder / Managing Technical Partner, Parameter Security

About Me

• Security Practitioner

• Ethical Hacker

• Forensic Investigator (MO PI Lic# 2012039253)

• Instructor

• Founder Parameter Security

• We Find, Not Fix Issues

Data is not Secured

Could I Obtain Sensitive Data?

Without Breaching Any Access Controls?

Determine Sources of Data

Purchase Old Hardware

Social Media Sites

FTP Sites

WARNING

This is a demonstration, not an instruction manual for criminal behavior.

Obfuscation of sensitive data was done by me.

When possible, the data owner was notified of insecure information.

The identity of the owners have been hidden to protect the Security Impaired.

Old Hardware

1. Create Forensic Image

2. Data Carve Files

3. Profit??
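Steps 1 and 2 in miniature, as an added example that is not from the talk: a signature-based carver for JPEG files run over a constructed disk image, plus a check for an all-zero wipe. It walks the raw bytes and ignores partition tables and filesystem metadata, which is exactly why a re-partitioned (but not wiped) drive still gives up its files; only the layout of the sample image is assumed.

```python
# Added example, not from the talk. Minimal header/footer carver for JPEGs:
# a JPEG begins with FF D8 FF and ends with FF D9. The carver walks raw
# bytes, so files on deleted partitions are recovered unless overwritten.
from typing import List, Tuple

JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for every JPEG found by signature in the image."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1 or end - start > max_size:
            # Header with no plausible footer: skip it and keep scanning.
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        found.append((start, image[start:end]))
        pos = end
    return found


def is_zeroed(image: bytes) -> bool:
    """True when every byte is zero, i.e. the drive really was wiped."""
    return image.count(0) == len(image)


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'drive': zeroed partition table at the front, two
    tiny JPEG-like blobs left in unallocated space, zero padding elsewhere."""
    img = bytearray(4096)
    blob1 = JPEG_HEADER + b"\xe0" + b"JFIF-sample-one" + JPEG_FOOTER
    blob2 = JPEG_HEADER + b"\xe1" + b"Exif-sample-two" + JPEG_FOOTER
    img[1024:1024 + len(blob1)] = blob1
    img[3000:3000 + len(blob2)] = blob2
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("zeroed:", is_zeroed(img))  # False: re-partitioning is not wiping
    for off, data in carve_jpegs(img):
        print(f"JPEG at offset {off}, {len(data)} bytes")
```

Point the same functions at a real image (`open(path, "rb").read()`) to verify a decommissioned drive before it leaves the building: `is_zeroed` should be True, and the carver should find nothing.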

Old Hardware

eBay – 2 iPhones / 9 Hard Drives

Targeted Individuals Selling Equipment (IT Employees Offloading Equipment)

2 Rounds of Purchases

2nd Round Included Hardware Resellers

Total Cost – $50 iPhones, $120 Hard Drives

Results:

iPhones Forensically Clean

Drives Re-Partitioned w/ Artifacts

5 – “Floor Models” (Only OS)

Hard Drives Zeroed Out

University of ######## Drive: Term Papers, Porn, and Malware

Office Equipment Service Company in PA: Service Logs, Time Off Requests


Drive 9

• Purchased from Re-Seller

• Drive was not Formatted

• Partitions were not Deleted

• Drive belonged to Re-Seller Owner

Conclusion – Promising but could be Expensive

How do you handle EoL Media??

Photo Sharing Sites

Photobucket

Recent Uploads

Photo Sharing Sites – Recent Uploads – Open Buckets

App allows phones to upload pics automatically

Photo Sharing Sites

Before you ask, yes I found that

Photo Sharing Sites

Before you start browsing…warning

Photo Sharing Sites – But I Also Found…

• Credit Cards

• Address Information

• International Cards

• Vendor’s Notes

• Checks

• Lots of Checks

• Identity

• Family Relationships

• With Their Info

• My Favorite

• Target #1

• Target #2

Results:

Credit Card Numbers

Login Information

Social Security Numbers

Also, Personal Info and Business Trade Secrets

Conclusion – Very Easy, No Cost, No Way to Automate… Yet…

Total Time Spent – Approx. 8 hours

How could you control “pix leakage?”

FTP Sites

Used Metasploit Framework – FTP Anon Scanner

Could also use Nmap

FTP Servers – Typical Finding

FTP Servers – Started Getting Good

FTP Servers – WTF?!?

FTP Servers – Trends Forming

Anonymous READ (220 Welcome to ASUS RT-AC66U FTP Service.)

Default config creates external FTP Site

FTP Servers – What Did We Find?

• Financial Information

• Unencrypted Backups

• Medical Records (PHI)

• Intellectual Property

• Passwords Galore (Including System Passwords to Global Companies)

• Voter Information/ Political Parties Info

In a Nutshell - Everything!

FTP Servers – ASUS Is Not Alone

• At least 3 more vendors have same issue

• Currently contacting vendors

• Will release when patched or after 3 months

FTP Servers – Anything Else Interesting?

Read/Write Access

PCI / Safe Harbor Violations

FTP Servers

Results:

• IPs Scanned – ½ Class A

• Anonymous FTP Servers – 3000+

• “Legitimate” Servers – >100

Conclusion – THE Path of Least Resistance

Questions?

www.ShowMeCon.com

Dave<dot>Chronister<at>ParameterSecurity<dot>com

@Bagomojo