Give Me Your Data!

Give Me Your Data!

Pilfering Data without Breaking In

Dave ChronisterCISSP, MCSE, C|HFIFounder / Managing Technical PartnerParameter Security

About Me

• Security Practitioner

• Ethical Hacker

• Forensic Investigator• (MO PI Lic#2012039253)

• Instructor

• Founder Parameter Security

• We Find, Not Fix Issues

Data is not Secured

Could I Obtain Sensitive Data?

Without Breaching Any Access Controls?

Determine Sources of Data

Purchase Old Hardware

Social Media Sites

FTP Sites

WARNING

This is a demonstration, not an instruction manual for criminal behavior.

Obfuscation of sensitive data was done by me.

When possible, the data owner was notified of insecure information.

The identity of the owners have been hidden to protect the Security Impaired.

Old Hardware

1. Create Forensic Image

2. Data Carve Files

3. Profit??

Old Hardware

EBay – 2 IPhone / 9 Hard Drives

Targeted Individuals Selling Equipment(IT Employees Offloading Equipment)

2 Rounds of Purchases

2nd Round Included Hardware Resellers

Total Cost - $50 IPhone, $120 Hard Drives

Results:

IPhones Forensically Clean

Drives Re-Partitioned w/ Artifacts

5 – “Floor Models” (Only OS)

Hard Drives Zero’d Out

University of ######## Drive Term Papers, Porn, and Mal-ware

Office Equipment Service company in PAService Logs, Time Off Request

2

1

7

Drive 9

Drive 9Purchased from Re-Seller

Drive 9

Drive 9

• Purchased from Re-Seller

• Drive was not Formatted

• Partitions were not Deleted

• Drive belonged to Re-Seller Owner

Conclusion – Promising but could be Expensive

How do you handle EoL Media??

Photo Sharing Sites

Photobucket

Recent Uploads

Photo Sharing SitesRecent Uploads – Open Buckets

App allows phones to upload pics automatically

Photo Sharing Sites

Before you ask, yes I found that

Photo Sharing Sites

Before you start browsing…warning

Photo Sharing Sites

Before you ask, yes I found that

Photo Sharing Sites

But I Also Found…

Photo Sharing Sites

Credit Cards

Photo Sharing Sites

Address Information

Photo Sharing Sites

International Cards

Photo Sharing Sites

Vendor’s Notes

Photo Sharing Sites

Checks

Photo Sharing Sites

Lots of Checks

Photo Sharing Sites

Identity

Photo Sharing SitesFamily Relationships

Photo Sharing Sites

With Their Info

Photo Sharing Sites

My Favorite

Photo Sharing SitesTarget #1

Photo Sharing SitesTarget #2

Results:

Credit Card Numbers

Login Information

Social Security Numbers

Also, Personal Info and Business Trade Secrets

Conclusion – Very Easy, No Cost, No way to Automate…. Yet….

10

15

30

Total Time Spent – Approx. 8 hours

How could you control “pix leakage?”

FTP Sites

Used Metasploit Framework – FTP Anon Scanner

Could also use Nmap

FTP Servers

Typical Finding

FTP ServersTypical Finding

FTP ServersStarted Getting Good

FTP ServersWTF?!?

FTP ServersTrends Forming

Anonymous READ (220 Welcome to ASUS RT-AC66U FTP Service.)

Default config creates external FTP Site

FTP ServersTrends Forming

FTP ServersWhat Did We Find?

• Financial Information

• Unencrypted Backups

• Medical Records (PHI)

• Intellectual Property

• Passwords Galore (Include System Passwords to Global

Companies)

• Voter Information/ Political Parties Info

In a Nutshell - Everything!

FTP ServersASUS Is Not Alone

• At least 3 more vendors have same issue

• Currently contacting vendors

• Will release when patched or after 3 months

FTP ServersAnything Else Interesting?

READ/Write Access

PCI / Safe Harbor Violations

FTP Servers

Results:

• IPs Scanned – ½ Class A

• Anonymous FTP Servers – 3000+

• “Legitimate” Servers - >100

Conclusion – THE Path of Least Resistance

Questions?

www.ShowMeCon.com

Dave<dot>Chronister<at>ParameterSecurity<dot>com

@Bagomojo

Give Me Your Data!

Technology

Transcript of Give Me Your Data!