You've Been Hacked

Throughout the Black Hat conference hall, laptops babbled incessantly about their users. Errata Security's Robert Graham and David Maynor just sat back and sipped from the data firehose. Except, that is, when they jumped to hide an attendee's user name and password for whatever wireless service happened to appear in the flow of information that was scrolling down the overhead projection of Graham's laptop screen.

It was part of a demonstration the duo gave on Thursday of the 1.0 code-only version of a new tool called Ferret that prints data to a command line. That data includes everything that seeps out of your wireless device: Wi-Fi access points cached on your PC, the last IP address you used (requested by DHCP), your NetBIOS name, your log-in ID, and a list of servers (via a NetBIOS request) you want connections to.

"Think about what happens when you start up your laptop," CEO Graham said. "The programs set to autostart look for resources like the intranet homepage and shared drives, e-mail clients and IM clients."

With wireless devices looking for resources by name, it's child's play for a hacker to determine his or her target's corporate server name, for example.

"People name their Exchange server 'Exchange' or 'Exchange 5,'" Graham said. "When we see [people's laptops] looking for ... queries for trying to start Exchange, that tells me you're running Exchange and trying to run an e-mail client.

"And if you have Outlook trying to talk to Yahoo, it will try to disclose your log-in name," he continued. "Clients are very chatty about what information they try to provide. So now I know your name, and the name of everybody in your little circle.
Suddenly I'm building a picture of who you are, just by you turning on your computer."

This list of "data seepage" is indicative of the data that "people willingly broadcast to the world," Graham said, as opposed to data leakage, which is data people are trying to hide.

"Even if you then establish a VPN connection to hide everything else, you've already broadcasted this information to everyone on the local network," Graham told the audience.

In fact, the list of information Errata was displaying was that which wireless devices broadcast simply when they're powered on—an example of how much data we expose to hackers.

The Ferret tool was rushed out for Black Hat, Graham said, and as such is "feature-poor, buggy, and probably has a remote vulnerability in it." Ferret is just in the proof-of-concept stage at this point, he said, and simply prints the data to the command line. In the works is a "viewer" utility that correlates the data, although "it's fairly straightforward to parse the command-line output and do your own correlation," he said.

In an interview with eWEEK before the Black Hat demonstration, Graham said companies don't realize how much damage a hacker can do with this apparently benign information. They don't realize, he said, how much of a complete picture a hacker can get of a person from the wireless network.

"Say an executive is in an airport lounge," he said. "The tool will extract everything the executive broadcasts in the lounge: user names, account names, his MySpace account, even his corporate [e-mail] account name. I can find out where he's been by looking at the access points he's trying to connect to. I can map his corporate network, because in the lounge he attempts to connect to the corporate network.

"Within moments I can build up a complete picture of who this person is by monitoring the wireless network."

All the data exported is public on the Web, he pointed out. From reading a MySpace page, a hacker can read up on the subject's friends.
Employees or former employees often post their resumes on MySpace or elsewhere online, and they have their corporate contacts listed on their IM accounts—all information that can be grabbed.

Another example of the damage that can be done with data seepage: Say a hacker finds that a person is going to Redmond pretty frequently. Say the hacker has pieced together benign pieces of information to find out that the person works at a wireless startup—a company that rumors have it is soon to be acquired by Microsoft. With data seepage, the hacker learns that the person's wireless device access points are wireless points at Microsoft. The hacker can then buy stock in a company knowing it's going to be acquired.

There's no silver-bullet fix for stopping data seepage, Graham told eWEEK, since wireless lock-down is a tradeoff between usability and security. At least, with the promise that the Ferret prototype shows, a company can know what information its users are handing out.
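
As an added illustration (not Ferret's code and not part of the original article), the following Python example decodes two of the seepage sources named above, the DHCP requested-address and hostname options and a NetBIOS name query, so a company can check what its own laptops announce at power-on. The function names, the packet bytes and the host name JDOE-LAPTOP are constructed for the example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
# DHCP options that name the client or the network it was last on
LEAKY_OPTIONS = {12: "hostname", 50: "requested_ip", 60: "vendor_class"}

def parse_dhcp_seepage(payload: bytes) -> dict:
    """Extract identifying options from a BOOTP/DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    found, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                   # truncated before length byte
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) < length:
            break                                   # truncated option value
        if code == 50 and length == 4:
            found["requested_ip"] = ".".join(str(b) for b in value)
        elif code in (12, 60):
            found[LEAKY_OPTIONS[code]] = value.decode("ascii", "replace")
        i += 2 + length
    return found

def parse_nbns_query_name(payload: bytes) -> tuple:
    """Decode the first question name of a NetBIOS Name Service query."""
    if len(payload) < 46 or payload[12] != 0x20:
        raise ValueError("not an NBNS question")
    enc = payload[13:45]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("bad first-level encoding")
    # Each name byte was split into two nibbles, each sent as 'A' + nibble
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

# Constructed sample packets (not captured traffic)
SAMPLE_DHCP = (bytes(236) + DHCP_MAGIC + b"\x35\x01\x03"
               + b"\x32\x04\xc0\xa8\x01\x2a" + b"\x0c\x0bJDOE-LAPTOP" + b"\xff")
SAMPLE_NBNS = (struct.pack(">6H", 0x1234, 0x0110, 1, 0, 0, 0) + b"\x20"
               + b"EFFIEDEIEBEOEHEF" + b"CA" * 8 + b"\x00" + struct.pack(">2H", 0x20, 1))

if __name__ == "__main__":
    print(parse_dhcp_seepage(SAMPLE_DHCP))
    print(parse_nbns_query_name(SAMPLE_NBNS))
```

Both messages are sent as broadcasts before any VPN comes up, which is why the fields they carry are visible to everyone on the local network.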