Post on 07-Nov-2014
CYBER SECURITY VIA TECHNOLOGY FAILS
Jeremy Conway
Introductions
• Founder and Managing Partner @ SudoSecure
• Credentials:
– 16+ Years in Information Security
– NASA, DoD, US Army
– MS, Information Security
– BS, Computer Science and Math
– 20+ Industry Certifications
The true sign of intelligence is not knowledge but imagination.
Albert Einstein
Demo 1: This is not the Attack you're Looking for!
IDS/IPS and Correlation Engines
• Evading an IDS/IPS requires understanding the signature (matching pattern)
– In most cases it is TRIVIAL at BEST to evade!
• Correlation Engines tend to use simple logic
– Evading these complex and expensive devices is EASY when they rely on Insecure Protocols!
• Getting it RIGHT!
– Understand the limitations of Signature Detection Engines
– Decompose complex rule engines and correlation logic to identify possible evasion techniques
– Consider adding a "TRUSTED" metric value when designing a Secured Architecture
Demo 2: Can you spot the Imposter?
SSL MiTM
• "YES" SSL can be MiTM'ed
• Encryption does not imply "No Worries"!
• Getting it right!
– Never use self-signed Certificates
– Never allow an Exemption
– Be OVERLY Paranoid!
Demo 3: Outsourced Trust, the Domino Effect
Outsourced Trust
• The Web and your Browser are GREAT at CACHING
– Even when it is Maliciously Injected Badness
• Two-Factor Authentication doesn't solve EVERYTHING!
• Getting it Right!
– Never include content you don't control on a Secure Site!
Demo 4: Begging to be Hi-Jacked
WiFi Hi-Jacking
• By DEFAULT most Wireless Devices Probe and Connect to Preferred Networks
• Getting it Right
– Disable Automatic Connections to Preferred Network List
– Disable WiFi when NOT in Use
Demo 5: Passwords – Are you doing it wrong?
LM Passwords
• Used to support the legacy LAN Manager protocol
• Disabled by default on Windows starting with Vista
• Still found enabled everywhere though!
• Weaknesses:
– Password truncated at 14 Chars
– Split into 2 halves of 7 Char passwords
– Password is converted to UPPERCASE
• PROTIPS:
– Crack LM hashes then use Cracked password to attack NTLM password
– Free Rainbow Tables (freerainbowtables.com) will crack about 99% of LM hashes using rcracki_mt
– John the Ripper use: --loopback --format=nt --rules=NT
– Hashcat use -a to toggle case of LM cracked hashes
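As an added example (not from the talk), here is a small Python audit that reproduces the LM key preparation those three weaknesses describe and classifies dumped LM hashes so accounts that still store an LM hash can be found and the setting disabled. The dump lines and their first halves are constructed; the only real value is the well-known LM hash of an all-NUL half.

```python
# Added example, not from the talk: reproduce the LM key preparation the slide lists
# (uppercase, truncate to 14, split 7/7) and audit dumped LM hashes for it. No DES needed:
# the audit only compares against the well-known hash of an all-NUL half.
LM_EMPTY_HALF = "AAD3B435B51404EE"  # LM hash of 7 NUL bytes; empty password = this twice

def lm_halves(password):
    """Return the two 7-byte DES key inputs LM derives from a password.

    Simplification: OEM code-page conversion is replaced by ASCII with '?' substitution.
    """
    prepared = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return prepared[:7], prepared[7:14]

def lm_collides(a, b):
    """True when two different passwords yield identical LM hashes (same DES inputs)."""
    return a != b and lm_halves(a) == lm_halves(b)

def lm_weaknesses(password):
    """List which of the slide's three LM weaknesses a given password is exposed to."""
    issues = []
    if len(password) > 14:
        issues.append("truncated")      # characters beyond 14 are ignored entirely
    if password != password.upper():
        issues.append("case-folded")    # mixed case collapses to one candidate
    _, second = lm_halves(password)
    if second == b"\0" * 7:
        issues.append("single-half")    # <= 7 chars: second half is the public constant
    return issues

def audit_lm_hash(lm_hex):
    """Classify one 32-hex-char LM hash from a credential dump (defender audit use)."""
    h = lm_hex.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("LM hash must be 32 hex characters")
    first, second = h[:16], h[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "no-lm"   # LM storage disabled (or empty password): only the NT hash exists
    if second == LM_EMPTY_HALF:
        return "short"   # password is 7 chars or fewer: one 7-char half protects the account
    return "long"        # 8-14 effective chars: still two independent 7-char halves

if __name__ == "__main__":
    # Constructed sample dump lines (user:LM-hash); the first halves are made-up hex values.
    sample_dump = [
        "svc_backup:AAD3B435B51404EEAAD3B435B51404EE",
        "jdoe:0123456789ABCDEFAAD3B435B51404EE",
        "admin:0123456789ABCDEFFEDCBA9876543210",
    ]
    for line in sample_dump:
        user, lm_hash = line.split(":")
        print(f"{user}: {audit_lm_hash(lm_hash)}")
    print(lm_weaknesses("Correct Horse Battery Staple"))
```

Any account the audit reports as anything other than "no-lm" is still storing the weak hash and is the one to fix first by disabling LM storage and rotating the password.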
Albert Einstein
Something to consider!
Questions?
Jeremy Conway jeremy@sudosecure.com
twitter: cj3r3my
Thank You!
References
• THC-Hydra: http://www.thc.org/thc-hydra/
• Mitmproxy: http://mitmproxy.org/
• Burp Suite: http://portswigger.net/burp/
• HTTPS Cache Injection Attack (Bad Memories): http://elie.im/talks/bad-memories
• Wifi Pineapple (Karma Attack): https://wifipineapple.com/
• LM Hash: http://en.wikipedia.org/wiki/LM_hash