I See You

I See You: What not to do when someone is monitoring your network traffic. Andrew Beard, Brian Wohlwinder

Transcript of I See You

Page 1: I See You

I See You

What not to do when someone is monitoring your network traffic

Andrew Beard, Brian Wohlwinder

Page 2: I See You

In honor of Brian

• Lift with your legs, not your back

• Engage your core, keep your abs pulled in

• Avoid twisting your trunk

Page 3: I See You

DEFCON 22

Page 4: I See You

Our Setup

• COTS network visibility appliance for capture and analysis

• Common data tap from Packet Hacking Village

• General purpose rules and some written specifically for Wall of Sheep to generate alerts and capture content for specific sessions

• Metadata capture for the duration of the event

• About 500M of compressed metadata between August 8 and 10, 2014

• A little over 6M transactions

Page 5: I See You

Rules of Engagement

• Completely passive listener

• Ignore SSL/TLS content (metadata only)

• All credentials partially redacted

Page 6: I See You

Overall Protocol Mix

[Chart: overall protocol mix by session count, with series HTTP, TLS/SSL, FTP, Other, XMPP, WebSocket, BitTorrent, IRC]

Page 7: I See You

Where’s the VPN traffic?

• Good question…

• Very few encrypted tunnels from what we could tell. A few sessions, but nowhere near what we expected.

• More Teredo IPv6 tunnels than real VPN traffic

• Best guess, most aren’t using the WiFi

Page 8: I See You

It’s all about the passwords

Page 9: I See You

Plain Text Credentials

• POP3, IMAP, SMTP

• FTP

• IRC

• Telnet

• Occasional HTTP (mostly via URL or POST content)

Page 10: I See You

POP3

+OK <21066.1407692429@************************>
CAPA
-ERR authorization first
USER lodgetreasurer@***************
+OK
PASS 2Q********
+OK
STAT
+OK 8 107321

Page 11: I See You

IMAP

* OK IMAP4 Service Ready
1 LOGIN yihui.xu@******** N*****
1 OK LOGIN completed

Page 12: I See You

FTP

220------- Welcome to Pure-FTPd [privsep] [TLS] -------
220-You are user number 129 of 200 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 3 minutes of inactivity.
USER dpi03@******
331 User dpi03@****** OK. Password required
PASS **********
230 OK. Current restricted directory is /

Page 13: I See You

HTTP – In URL

/login?username=jacky&password=******

/login.php?username=revelation&password=******

/perfils/autenticar/5512899033.json?passwordKey=******&telefono=**********&dispositivo=IPH&password=******&SO=iOS 7.1.2&deviceId=iPhone
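
The POP3, IMAP, FTP and HTTP captures above are the kind of sessions a Wall of Sheep style rule matches. The following is an added example, not code from the talk or its capture appliance: a small Python detector that walks reconstructed session text, picks out the cleartext credential exchange for each protocol, and redacts the password before reporting it, the way the slides do. The sample sessions are constructed for this example (accounts and passwords are made up); the IMAP matcher only handles unquoted LOGIN arguments, and the HTTP matcher only looks at the request line's query string, which are simplifications.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample sessions, shaped like the redacted captures on the slides.
# Accounts and passwords are made up for this example.
SAMPLE_SESSIONS = {
    "pop3": (
        "+OK <21066.1407692429@mail.example.org>\r\n"
        "CAPA\r\n"
        "-ERR authorization first\r\n"
        "USER treasurer@example.org\r\n"
        "+OK\r\n"
        "PASS 2Qsecretpw\r\n"
        "+OK\r\n"
        "STAT\r\n"
        "+OK 8 107321\r\n"
    ),
    "imap": (
        "* OK IMAP4 Service Ready\r\n"
        "1 LOGIN alice@example.org Nhunter2\r\n"
        "1 OK LOGIN completed\r\n"
    ),
    "ftp": (
        "220 Welcome to example FTP\r\n"
        "USER dpi03@example.net\r\n"
        "331 User dpi03@example.net OK. Password required\r\n"
        "PASS ftppass123\r\n"
        "230 OK. Current restricted directory is /\r\n"
    ),
    "http": (
        "GET /login.php?username=revelation&password=letmein HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "\r\n"
    ),
}

USER_PASS_RE = re.compile(r"^(USER|PASS)\s+(\S+)\s*$", re.IGNORECASE)          # POP3 and FTP
IMAP_LOGIN_RE = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)  # unquoted args only
HTTP_REQUEST_RE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\s*$")
PASSWORD_PARAMS = {"password", "pass", "passwd", "pwd", "passwordkey"}
USERNAME_PARAMS = ("username", "user", "login", "email")


def redact(secret):
    """Keep a two-character prefix and mask the rest, as the slides do."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_cleartext_credentials(protocol, session_text):
    """Return {protocol, user, password} findings for one session; the password
    is redacted before it leaves this function."""
    findings = []
    pending_user = None
    for raw in session_text.splitlines():
        line = raw.strip()
        if protocol in ("pop3", "ftp"):
            # Both protocols send USER <name> and then PASS <secret> in the clear.
            m = USER_PASS_RE.match(line)
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                pending_user = arg
            elif verb == "PASS" and pending_user is not None:
                findings.append({"protocol": protocol, "user": pending_user, "password": redact(arg)})
                pending_user = None
        elif protocol == "imap":
            # IMAP: <tag> LOGIN <user> <password>; the tagged OK reply does not match.
            m = IMAP_LOGIN_RE.match(line)
            if m:
                findings.append({"protocol": protocol, "user": m.group(1), "password": redact(m.group(2))})
        elif protocol == "http":
            # HTTP: credentials carried as query parameters on the request line.
            m = HTTP_REQUEST_RE.match(line)
            if not m:
                continue
            params = parse_qs(urlsplit(m.group(2)).query)
            user = next((params[k][0] for k in USERNAME_PARAMS if k in params), None)
            for key, values in params.items():
                if key.lower() in PASSWORD_PARAMS:
                    findings.append({"protocol": protocol, "user": user, "password": redact(values[0])})
    return findings


def scan_sessions(sessions=SAMPLE_SESSIONS):
    """Run the detector over every sample session and flatten the findings."""
    results = []
    for protocol, text in sessions.items():
        results.extend(find_cleartext_credentials(protocol, text))
    return results


if __name__ == "__main__":
    for f in scan_sessions():
        print(f"{f['protocol'].upper():5} {f['user']} / {f['password']}")
```

Running the block prints one redacted line per session (for example `POP3  treasurer@example.org / 2Q********`). Redacting at the point of detection, rather than in the report layer, is deliberate: a monitoring tool should never hold the full secret longer than it takes to recognise it.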

Page 14: I See You

When it comes to plaintext fail, mail is king

[Chart: plaintext credential count by protocol, with series POP3, IMAP, SMTP, FTP, TELNET, IRC, HTTP]

Page 15: I See You

A problem of their own making

• For mail protocols, the vast majority were iPhones, based on outgoing MIME headers and IMAP ID responses

• From what we can tell, most providers supported SSL

• If your provider doesn’t support SSL, find a provider that isn’t crap

Page 16: I See You

• None of the major email service providers represented

• Built-in profiles, SSL automatically enabled

Page 17: I See You

HTTP Basic Access Authentication

GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=176859643.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.1407700117; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Page 19: I See You

HTTP Basic Access Authentication

That looks a lot like base64…

localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo
natas0:nattas0

It is just an encoding of username:password, not encryption. OK if the transport layer is providing confidentiality, but not for straight HTTP.

curl http://natas0:nattas0@*************

Page 20: I See You

Basic Auth and API Keys

GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2Fcategorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1
Host: *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/
Origin: http://**************************
Connection: keep-alive

Page 22: I See You

Basic Auth and API Keys

localhost$ echo "YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | base64 -D; echo
api:41665abccbeb09b1cd650077b9ebdec4

Session key for the current user. Anyone interested in buying a couple tons of toner on their account?
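
The two Basic-auth slides above make one point: the Authorization header is reversible base64, so whether it is exposed depends entirely on the transport it was observed on. The block below is an added example, not code from the talk: it parses a captured request, decodes the Basic credential with strict validation (rejecting other schemes and malformed tokens), redacts the secret, and flags it as exposed only when the capture came over plain HTTP. It also notes when the "password" is a 32-character hex blob, the shape of the `api:` key on the slide. The first sample request reuses the header value shown on the slide; the second is constructed here with a made-up key.

```python
import base64
import re

# Sample 1: the Authorization value shown on the slide (decodes to natas0:nattas0).
SAMPLE_SITE_LOGIN = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: keep-alive\r\n"
    "Authorization: Basic bmF0YXMwOm5hdHRhczA=\r\n"
    "\r\n"
)

# Sample 2: constructed request with a made-up 32-hex API key as the password.
SAMPLE_API_CALL = (
    "GET /api/v2/categories.json?limit=250 HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"api:0123456789abcdef0123456789abcdef").decode("ascii")
    + "\r\n\r\n"
)

API_KEY_RE = re.compile(r"^[0-9a-f]{32}$")  # hex blob like the api:... key on the slide


def redact(secret):
    """Keep a two-character prefix and mask the rest, as the slides do."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def parse_basic_auth(header_value):
    """Decode an Authorization header value. Returns (user, password) for a
    well-formed Basic credential, None for any other scheme or malformed data."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # both binascii.Error and UnicodeDecodeError are ValueError subclasses.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit_request(raw_request, transport):
    """Inspect one captured request. `transport` is the layer it was observed
    on: 'http' (cleartext) or 'https'. Returns a small report dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    report = {"request": request_line, "basic": False, "exposed": False}
    creds = parse_basic_auth(headers.get("authorization", ""))
    if creds is None:
        return report
    user, password = creds
    report.update({
        "basic": True,
        "exposed": transport == "http",   # base64 is reversible; only TLS hides it
        "user": user,
        "password": redact(password),
        "looks_like_api_key": bool(API_KEY_RE.match(password)),
    })
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_SITE_LOGIN, SAMPLE_API_CALL):
        print(audit_request(sample, "http"))
```

The `transport` argument is the important input: the same request audited as `"https"` is reported as not exposed, which is exactly the slide's caveat that Basic auth is fine when the transport layer provides confidentiality.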

Page 23: I See You

Then we started getting bored…

A bunch of bored guys looking at your network traffic probably isn’t a good thing

Page 24: I See You

Fun With Mobile Apps

GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=originaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4JgNi4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%22%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%22%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1
Host: api.m.taobao.com

Page 26: I See You

User’s Default Location

{
  "utdid": "U0gUZGIZnIwDAFX4JgNi4RRk",
  "userId": "*********",
  "ua": "iPhone",
  "cityCode": "330100",
  "nick": "******",
  "longitude": "120.050453",
  "cityName": "杭州",
  "latitude": "30.286152",
  "isPosition": false,
  "platformVersion": "7.1"
}
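
The mobile-app request above hides a JSON object inside one percent-encoded query parameter, so a reviewer scanning for sensitive fields has to decode twice: the query string, then the JSON. The following is an added example, not code from the talk: it rebuilds a request URL in the same shape (userId and nick are made-up stand-ins for the values the slide redacts), then walks every query parameter, JSON-decodes the ones carrying an object, and groups the keys by category. The key names come from the request on the slide; the category labels, and the reading of `isPosition: false` as "stored default rather than live fix", are this example's own assumptions, consistent with the slide title.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Key names are taken from the request on the slide; the categories are this
# example's own choice of what a reviewer would want flagged.
SENSITIVE_KEYS = {
    "userId": "identity", "nick": "identity", "utdid": "device-id",
    "latitude": "location", "longitude": "location",
    "cityCode": "location", "cityName": "location",
}


def build_sample_url():
    """Constructed request URL in the shape of the slide's capture. userId and
    nick are made-up stand-ins for the values the slide redacts."""
    payload = {
        "utdid": "U0gUZGIZnIwDAFX4JgNi4RRk", "userId": "123456789", "ua": "iPhone",
        "cityCode": "330100", "nick": "someone", "longitude": "120.050453",
        "cityName": "杭州", "latitude": "30.286152", "isPosition": False,
        "platformVersion": "7.1",
    }
    query = urlencode({
        "rnd": "4C28D4EB4622CA84826DDB0E8D95B2EC",
        "type": "originaljson",
        # Compact JSON, non-ASCII kept so urlencode percent-encodes the UTF-8 bytes
        "data": json.dumps(payload, separators=(",", ":"), ensure_ascii=False),
    })
    return ("http://api.m.taobao.com/gw/mtop.taobao.wireless.homepage.ac."
            "loadPageContent/3.0/?" + query)


def inspect_url(url):
    """Decode every query parameter, JSON-decode those carrying an object, and
    group sensitive keys by category. isPosition is reported separately because
    false here is taken to mean the coordinates are a stored default, not a live fix."""
    report = {"identity": [], "device-id": [], "location": [], "isPosition": None}
    for param, values in parse_qs(urlsplit(url).query).items():
        if param in SENSITIVE_KEYS:
            report[SENSITIVE_KEYS[param]].append(param)
        for value in values:
            if not value.startswith("{"):
                continue
            try:
                obj = json.loads(value)
            except ValueError:
                continue  # not JSON after all; nothing more to unpack here
            for key in obj:
                if key in SENSITIVE_KEYS:
                    report[SENSITIVE_KEYS[key]].append(f"{param}.{key}")
            if "isPosition" in obj:
                report["isPosition"] = obj["isPosition"]
    return report


if __name__ == "__main__":
    for category, keys in inspect_url(build_sample_url()).items():
        print(f"{category}: {keys}")
```

The point the block makes in code is that a URL-level filter keyed on parameter names would see only `rnd`, `type` and `data` and miss everything; the identity and location fields only appear once the nested JSON is decoded.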

Page 27: I See You

What’s the worst that could happen?

It can’t be that bad…

Page 28: I See You

“Is this important?”

From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>

Page 29: I See You

“Is this important?”

From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4

Page 30: I See You

“Is this important?”

From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4

One attachment, “2014 W4.pdf”

Page 31: I See You

Nothing to worry about here

Page 32: I See You

Dear God WHY!?

• Data confidentiality in transit vs at rest

• PGP

• S/MIME certificates cheap/free. Supported by most major mail clients (including mobile devices)

• Encrypted zip files or document-based encryption better than nothing

Page 33: I See You

DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB

You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.

Page 34: I See You

More fun with misconfigured mail clients

To: *****@theorb.com
From: Bill Quinn
Subject: ***** pick up amount Rio 8/9

Hey *****,

Please pick up the balance of $6,500 for tonight's performance in Vegas. Let me know if you have any questions.

Thanks,
Bill Quinn
Madison House, Inc.

Page 35: I See You

Imagine for a moment…

• You know someone is going to be picking up a check for $6500

• You have detailed knowledge of the transaction

• You have unrestricted access to the intended recipient’s email account

Page 37: I See You

Quick Recap

• Through misconfiguration or a lack of controls it’s pretty easy for potentially sensitive or harmful info to make its way over a network

• Consider defense in depth. Use multiple layers of encryption in transit, just in case.

• Don’t trust your email password as the only thing keeping you from financial or other loss.

• Treat every network as untrusted (especially the ones that warn you ahead of time)