Hyper Island - 2012
The slides presented at Hyper Island on October 18, 2012 for the DDS13 class regarding malicious data mining.
FOR FUN AND PROFIT!
EVIL DATA MINING
Contents
● Web Scraping
● Quick and Dirty SQL Injections
● iPhones, WiFi and Evil Twins
● Hacking Neighbours
● Port scanning on Steroids
Introduction
● Fredrik Nordberg Almroth (@Almroot)
○ Head application engineer and co-founder @ detectify.com
○ IT-security guy
○ Hacked Google. Twice.
● Johan Edholm (@norrskal)
○ Server administrator and co-founder @ detectify.com
○ Worked with IT security analytics and anti-scraping
○ Studied system and network management in Linux
What is Detectify?
Detectify is an automated vulnerability scanner.
● You sign up using beta code.
● You press start!
● Detectify emulates a hacking attack.
● You get a report regarding your vulnerabilities.
● Detectify is currently in closed beta!
● You may try it for free using the beta code: HyperMine
● http://detectify.com/
● We love feedback! :)
What is data mining?
● Data mining is mostly associated with statistics and machine learning.
● ...or discovery of patterns (intelligence) in large datasets...
● No fancy algorithms! Just real life examples.
Web scraping
● Grab content from websites
● Host somewhere else
● Study the data
● Sell the data
Web scraping
● Manual copy-paste
Web scraping
Web scraping
● Googlebot
Web scraping
● Bad scrapers
○ Downloadable or online tools
○ Homemade scripts
○ HTTP rewriters
Web scraping
● Homemade scripts
○ Made for one site/purpose
○ No hacking
○ May be against ToS
○ Probably legal
Web scraping
● Sosseblaskan.se
○ Copy of aftonbladet (rewrite)
○ A joke
○ Not ads for aftonbladet
○ Not phishing
○ Illegal
SQL
● Structured Query Language
● Used to talk to databases: MySQL, PostgreSQL, etc.
How it's used
● Websites use databases to maintain data.
● The SQL queries often contain user data.
● You search on a website for a few keywords.
● The odds that the search is done through some SQL dialect are huge.
What could possibly go wrong?
● User supplied data may alter the SQL query.
● Example:
SELECT title FROM blog WHERE title = '$search_keywords';
● If the searched data contains a quote, the SQL query will break.
● Attackers may gain other data than just the "blog title".
● Usernames, passwords, emails, credit-cards...
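The query on the slide, worked through end to end. This is an added example, not code from the slides or from Detectify: it builds a constructed "blog" table in an in-memory SQLite database, runs the slide's string-pasted query beside a parameterized one, and shows the two failure modes the slide names (a quote breaks the query; crafted input changes what the query returns, leaking an unpublished draft). The `published` column and the sample titles are assumptions added so that there is something to leak.

```python
import sqlite3

# Constructed sample rows standing in for the slide's "blog" table.
# The third column is an assumption: 1 = public post, 0 = unpublished draft.
SAMPLE_POSTS = [
    ("Public launch notes", 1),
    ("Internal roadmap (draft)", 0),
    ("Beta code giveaway", 1),
]


def make_db():
    """In-memory SQLite database loaded with the constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO blog VALUES (?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn, search_keywords):
    """The slide's pattern: user input pasted straight into the SQL text.

    Whatever the user typed becomes part of the query grammar, so a quote
    terminates the string literal and the rest is parsed as SQL.
    """
    query = ("SELECT title FROM blog WHERE title = '%s' AND published = 1"
             % search_keywords)
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, search_keywords):
    """Parameterized form: the input is bound as a value, never parsed as SQL."""
    query = "SELECT title FROM blog WHERE title = ? AND published = 1"
    return [row[0] for row in conn.execute(query, (search_keywords,))]


def demo():
    """Run both variants on a normal term, a term with a quote, and a crafted term."""
    conn = make_db()
    results = {}

    # 1. Ordinary search: both variants agree.
    results["normal"] = (search_vulnerable(conn, "Beta code giveaway"),
                         search_safe(conn, "Beta code giveaway"))

    # 2. A quote in the input: the pasted query is no longer valid SQL.
    try:
        search_vulnerable(conn, "O'Reilly")
        results["quote_vulnerable"] = "no error"
    except sqlite3.Error:
        results["quote_vulnerable"] = "syntax error"
    results["quote_safe"] = search_safe(conn, "O'Reilly")

    # 3. Crafted input: closes the literal, adds an always-true condition and
    #    comments out the published filter, so the draft row comes back too.
    crafted = "' OR 1=1 -- "
    results["injected_vulnerable"] = search_vulnerable(conn, crafted)
    results["injected_safe"] = search_safe(conn, crafted)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

The parameterized version returns an empty list for both the quoted and the crafted input, because the whole string is compared against `title` as data. Fixing this is a matter of changing how the query is built, not of filtering characters: an allow-list on the search box would not help once the same pattern shows up in a login form or an order lookup.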
SQL Injections
● Devastating attack.
● Worst part: it's really common.
● Remember Sony last year?
● Victims 2012:
○ eHarmony
○ last.fm
○ Yahoo!
○ Android Forums
○ Billabong
○ Formspring
○ nVidia
○ Gamigo
○ ...List goes on...
● Thousands of sites attacked daily.
● Incredibly easy to get going.
● Loads of guides and tools on the internet.
● Devastating for the vulnerable organizations.
(This is the time we'll stand here and struggle with the equipment.)
LIVE DEMO!
Fun with WLAN
● Create an evil twin
● Jasager
Evil twin
● You connect to e.g. "espresso house free"
● iPhone will save and remember that network
● When you come back it will automatically connect
Evil twin
● Someone creates a network called "espresso house free"
● Your phone will automatically connect
What if the attacker doesn't know which networks you've been connected to?
Jasager
Fun with WLAN
● Works on everything
○ Windows, Linux, Mac, Android, iPhone etc.
● Can be monitored
○ See which networks you are looking for and in which order
Fun with WLAN
WiGLE.net
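The two observations on the preceding slides, in code: clients announce the networks they remember, in order, and an evil twin is simply an access point beaconing a name you trust from a radio you do not own. This is an added example, not part of the slides or any project: the frame log format (one constructed line per probe request or beacon), the MAC addresses, the SSIDs and the `TRUSTED_APS` allow-list are all assumptions made up for the demonstration. `rogue_access_points` is the defender's side of the evil-twin story: given the BSSIDs you actually operate, any beacon carrying your SSID from another BSSID is worth an alert.

```python
import re

# Constructed frame log. The format is invented for this example and is not
# the output of any real capture tool.
SAMPLE_FRAMES = [
    "probe-req client=aa:bb:cc:00:00:01 ssid='espresso house free'",
    "probe-req client=aa:bb:cc:00:00:01 ssid='Home-WiFi'",
    "probe-req client=aa:bb:cc:00:00:01 ssid=''",          # broadcast probe, names nothing
    "probe-req client=aa:bb:cc:00:00:02 ssid='Corp-WLAN'",
    "probe-req client=aa:bb:cc:00:00:01 ssid='espresso house free'",  # repeat
    "beacon bssid=00:11:22:33:44:55 ssid='Corp-WLAN'",      # our own access point
    "beacon bssid=de:ad:be:ef:00:01 ssid='Corp-WLAN'",      # same name, unknown radio
    "beacon bssid=de:ad:be:ef:00:02 ssid='espresso house free'",
]

# Assumed allow-list: SSIDs we operate and the BSSIDs allowed to advertise them.
TRUSTED_APS = {"Corp-WLAN": {"00:11:22:33:44:55"}}

FRAME_RE = re.compile(
    r"^(?P<kind>probe-req|beacon)\s+"
    r"(?P<addr_key>client|bssid)=(?P<addr>[0-9a-f:]{17})\s+"
    r"ssid='(?P<ssid>[^']*)'$"
)


def parse_frame(line):
    """Turn one constructed log line into a dict with kind, addr and ssid."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised frame line: %r" % line)
    return {"kind": m.group("kind"), "addr": m.group("addr"), "ssid": m.group("ssid")}


def probed_networks(lines):
    """Per client MAC, the SSIDs it asked for, in first-seen order.

    This is the list a phone leaks while hunting for a remembered network;
    broadcast probes (empty SSID) name nothing and are skipped.
    """
    seen = {}
    for line in lines:
        f = parse_frame(line)
        if f["kind"] != "probe-req" or not f["ssid"]:
            continue
        ssids = seen.setdefault(f["addr"], [])
        if f["ssid"] not in ssids:
            ssids.append(f["ssid"])
    return seen


def rogue_access_points(lines, trusted=TRUSTED_APS):
    """Beacons advertising one of our SSIDs from a BSSID we do not own."""
    rogues = []
    for line in lines:
        f = parse_frame(line)
        if f["kind"] != "beacon" or f["ssid"] not in trusted:
            continue
        if f["addr"] not in trusted[f["ssid"]]:
            pair = (f["ssid"], f["addr"])
            if pair not in rogues:
                rogues.append(pair)
    return rogues


if __name__ == "__main__":
    for client, ssids in probed_networks(SAMPLE_FRAMES).items():
        print("%s probes for: %s" % (client, ", ".join(ssids)))
    for ssid, bssid in rogue_access_points(SAMPLE_FRAMES):
        print("ALERT: %r beaconed by unknown BSSID %s" % (ssid, bssid))
```

The café network in the sample is not flagged because it is not on the allow-list: the check only covers names you own, which is the one case where you can say with certainty that the other radio is not yours.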
IT-Security @ Home
● Devices on local networks:
○ Routers
○ Printers
○ Heat Pumps
○ Laptops
○ PCs
○ Tablets
○ Cellphones
○ Xboxes
○ ...etc...
Telecom operator ComHem provides "Tre-hål-i-väggen"
● Routers may act as switches
● IP Forwarding
● You can see your neighbours' devices
● Portscan!
● A port scanner finds open services on IP-addresses.
● nmap
● Find a vulnerability, or
● Weak (default) password, or
● No password!
Protip: http://www.routerpasswords.com/
GAME OVER
Conclusion
You can with ease gain access to your neighbours' data.
Speaking of portscanning...
● Spring 2010, the "spoon" project.
● Got interested in packet crafting.
● 3000 packets/second
● Sweden has 25.000.000 allocated IPv4 addresses.
● ...Results in a timeframe of 2 hours and 20 min to scan.
● Resolve all servers on a given port in Sweden.
● Could of course be applied to any country.
● Early 2011, "spoon2".
● 30000 packets/second. Ten times as fast!
● From 2½ hours to approximately 15 minutes.
● Same result.
● Imagine a company. Like ACME Corp.
● 10 servers running "spoon2".
● Get a fresh map of Sweden every 90 seconds.
● 100 servers, every 9th second.
● ACME Corp has the potential to become a global "pingdom".
● Results in large scale data mining.
● Would require loads of clever algorithms and infrastructure to maintain it all, though.
shodanhq.com
● The firm shodanhq already crawls countries for open services.
● Identified ~438.000 web servers in Sweden alone.
● Mostly devices found on local networks (routers / printers).
● No security. Loads of vulnerable devices.
● Eavesdrop your neighbour? No problem.
● Why bother?
● Can be applied to a whole country.
Summary
● Web Scraping
● Quick and Dirty SQL Injections
● iPhones, WiFi and Evil Twins
● Hacking Neighbours
● Port scanning on Steroids
Q & A
http://detectify.com/
Hack the planet!
References
● http://www.theta44.org/karma/aawns.pdf
● http://timtux.net/posts/10-Vad-delar-du-ut-IT-skerhet-i-hemmet
● http://krebsonsecurity.com/2010/06/wi-fi-street-smarts-iphone-edition/
● http://nmap.org/6/
● http://www.ietf.org/rfc/rfc793.txt
● http://www.ietf.org/rfc/rfc791.txt
● http://www.ietf.org/rfc/rfc1323.txt
● http://www.zdnet.com/sql-injection-attacks-up-69-7000001742/