DEFCON 14 - PowerPoint PPT Presentation

About This Presentation
Title:

DEFCON 14

Description:

Ever tried to get a passport for British Honduras, Zanzibar, New Granada or Rhodesia? ... Used for SPAM, botnets, open proxies, DDOS ... – PowerPoint PPT presentation

Slides: 28
Provided by: phoeni1

Transcript and Presenter's Notes


1
DEFCON 14
  • Kristy Westphal
  • Chief Information Security Officer
  • DES
  • 602-254-2779, 7301

2
What is DEFCON
  • Been around for 14 years
  • http://www.defcon.org
  • The largest underground hacking event in the
    world
  • Info sharing of the latest and greatest
  • Why was I there??

3
Prevalent themes for 2006
  • Privacy
  • Organized crime on the Internet
  • Privacy
  • New hacks
  • Privacy
  • Did I say privacy?

4
Organized Crime
  • Thomas X. Grasso of the FBI
  • Talked about organized efforts to combat
    cybercrime
  • But also showed how scary the organized crime is
    getting
  • Cyber crime cost the United States alone more
    than $67 billion last year. That means online
    criminal gangs like Carderplanet are carting off
    about $183 million worth of stolen U.S. goods,
    services and identities each day, or about $7.5
    million every hour.

5
New hacks (and eye openers)
  • Blackberry by x30n
  • Always on, always connected
  • We usually worry about the data
  • But what about a back door??
  • Enter BBProxy
  • Use of Metasploit
  • And a Blackberry trojan
  • It's a trifecta!

7
Pocket PCs
  • Collin Mulliner does advanced attacks
  • Uses Multimedia Messaging Service (MMS)
  • Also known as Picture Messaging
  • Audio, video, pictures
  • Store and forward manner
  • Exploit of the user agent

8
Two things that are interesting
  • First mobile phone remote code execution exploit
  • Exploits the return address and stack size
  • Easily sent by a message
  • Notification attack
  • Thousands of WAP Push messages
  • Slows down device
  • Eats up memory
  • Tool available

9
Phishing
  • We've tried to condition users to pay attention
    to security
  • Yet Financial Institutions are telling folks to
    ignore security certificates, but describe how
    safe their sites are
  • Who validates certs?
  • Users are under pressure to get things done
  • Little information available to make good
    decisions

11
More on phishing
  • A usability test of IE6 SP2 security warning
    strip found that not one user noticed its
    presence
  • In another test, no one noticed a flashing
    message saying "There is a $50 bill taped to the
    bottom of the chair. Take it!"
  • Don't sweat the small stuff
  • Padlocks, security ribbons, other indicators

12
Legal Precedents
  • First Wi-Fi stealing crime: David Kauchak
    remotely accessed another computer system without
    the owner's approval.
  • Charge: $250 and one year of court supervision
  • Davidoff vs. Davidoff, 2006 N.Y.
  • Interesting case of jurisdiction

13
Google what?
  • Ever considered what footprints are left on a
    computer when you Google?
  • Quiz: what is a Zeitgeist?
  • What if all that info can lead back to you?
  • To avoid this: use anonymous browsing, go
    directly to the website you want, encrypt
    content, use cookie rewriters

16
SAMAEL
  • Blackbox gateway that creates a secure,
    anonymizing transparent firewall, protecting its
    users from public disclosure
  • Also have Anonym.OS, an OpenBSD Live CD
  • SAMAEL extends to the network using Tor

17
Census Bureau
  • What does the census gather?
  • Lots!
  • What do they use it for?
  • Some questionable uses
  • 2004 use by DHS to identify where Arabic citizens
    lived
  • More paranoia?
  • Don't not do it, you'll be fined!

18
Mainframe Security
  • Mainframes still not going away
  • They are vulnerable too!
  • Exploiting the DLSw protocol
  • Exploit router using this in promiscuous mode
  • Creates a tunnel into your network
  • Need MAC address of the mainframe to work
  • Sniff SNA packets
  • Ensure even your mainframe transports are
    encrypted!

19
The Alternate Identity
  • Big debate over what info is needed to steal an
    identity
  • Unfortunately, not much
  • SSN, DL, BC, Diplomas, Passport
  • Multiple websites that can provide these
  • Ever tried to get a passport for British
    Honduras, Zanzibar, New Granada or Rhodesia?

24
How much of the Internet is already hacked?
  • How do we really know if our computers have been
    compromised?
  • Used for spam, botnets, open proxies, DDoS
  • By analyzing traffic over 30 days, could tell who
    was compromised
  • BIG company names seen
  • Account and email address info captured
  • This helps increase economic value, therefore
    keeps the bad stuff happening
  • Average rate of 267,489 infections per day

27
The point?
  • There is always a lot to think about
  • Stay vigilant
  • Question your security and your privacy
  • Be cautious where it makes sense
  • Complacency is dangerous