black ops 2006
play

Black Ops 2006 pattern recognition Dan Kaminsky DoxPara Research - PowerPoint PPT Presentation

Sep 16, 2022 •584 likes •1.17k views

Black Ops 2006 pattern recognition Dan Kaminsky DoxPara Research Who Am I? Coauthor of several book series Hack Proofing Your Network Stealing The Network Formerly of Cisco and Avaya Presently partnering with IOActive

  1. Black Ops 2006 pattern recognition Dan Kaminsky DoxPara Research

  2. Who Am I? • Coauthor of several book series – Hack Proofing Your Network – Stealing The Network • Formerly of Cisco and Avaya – Presently partnering with IOActive – One of the “Blue Hat Hackers” that has been auditing Windows Vista • Sixth Year Speaking At Black Hat! – TCP/IP, DNS, MD5, SSH, etc.

  3. What Are We Here To Do Today? • Enforce Network Neutrality • Gaze Horrified Upon 2.4 Million SSL Servers • Fix Online Banking (just a little) • Fix the security hole I put in OpenSSH • Make entropy recognizable – Useful for cryptosystems (like SSH) – Really useful for fuzzing • Pretty, pretty pictures. – New for this year: USEFUL pretty, pretty pictures • Even if they’re +100Mpix

  4. Making Use of 100+ Megapixels: Visual Bindiff

  5. Enforce Network Neutrality? • Telecom Companies have essentially stated – they wish to spy upon and selectively censor traffic, so as to maximize revenue from those who will pay the most to see their traffic pass unhindered. • This devolves down to a common refrain in Crypto: “Alice and Bob are in prison, and are attempting to communicate without the Warden interfering” – Don’t believe the premise?

  6. Internet Isolationism: $1140 A Year To Check Your Email • “To accommodate the needs of our customers who do choose to operate VPN, Comcast offers the Comcast @Home Professional product. @Home Pro is designed to meet the needs of the ever growing population of small office/home office customers and telecommuters that need to take advantage of protocols such as VPN. This product will cost $95 per month, and afford you with standards which differ from the standard residential product.” – What, you didn’t actually think the war against Network Neutrality had anything to do with video, did you?

  7. What It’s Really About • It’s all about $1100+ a year per telecommuter – 40M telecommuters in 2004 * $1140 a year = $45.6B – How many telecommuters if the US has to cut back on oil consumption, by saying every Friday is a telecommute-to-work day? • As people realize what’s coming, the question will stop being, “Should the network be neutral”, and will become, “Is it possible to detect non-neutral networks?” – The answer is yes. Yes it is.

  8. TCP Bandwidth Estimation: An Elegant Weapon, For A More Civilized Age • TCP automatically determines the amount of available bandwidth between any two points – Multiple TCP streams sharing the same communication channel do not send packets to one another – All communication happens implicitly, via dropped packets – Dropped packets are a source of information about the amount of bandwidth available on a given channel • If more packets show up, then a particular line is willing to route, then some will be dropped, and TCP will quickly notice. – Can we figure out who’s causing our packets to drop?

  9. Active Network Probing, or how TTLs just never go out of style • Suppose you can only send data to someone at 5k/sec, and you’re curious, why so slow? – What this means is – you get dropped packets whenever you try to send faster than 5k/sec. • Experiment: Send more data alongside the session, but TTL limit the transmissions until you figure out which hop causes packet drops in the primary. – Too much data…one hop…no effect on 5k/sec stream. – Too much data…two hops…no effect on 5k/sec stream. – Too much data…three hops…5k/sec stream stops. Third hop is your limiting node. – Demo

  10. What Can You Detect? • Source Preference – Spoof the source IP for your extra packets. If Viacom can send extra data, but random_blackhole_ip can’t, then you know Viacom has preference. • Possible to detect this even if full TCP sessions are required, by controlling the client (Google Desktop) and having it send the requisite series of fake SYNs and ACKs, TTL limited to prevent the real site from responding. Ask me later if you want more details. • Content Preference – Spoof particular payloads for your extra packets. If encrypted traffic causes TCP to detect dropped packets, but unencrypted traffic gets through just fine, you get signal.

  11. Of Course They’d Block Crypto • 1) Precedent – Comcast already tried to knock out IPsec • 2) Proxy Avoidance – “The Open Internet” is still out there – you just need to route to it, via SSH, SSL, IPsec, DNS… • Bouncing through proxies is a standard passtime in some lands – Encryption keeps them from being able to see that you’re not stealing service, therefore Encryption = Theft of Service • 3) Profit Capture – Who uses encryption? • Workplaces that make money from their employees at home • E-Commerce sites that make money from consumers at home • Money made = increased ability to pay • As security professionals, it’s hard enough deploying secure solutions without wondering if/when the telco’s going to block traffic for it being encrypted.

  12. On Deploying SSL • SSL/TLS: Standard Internet protocol for certificate-based authentication of otherwise unknown parties – Has a couple of basic rules for deployment: • Do not put anything secret into an SSL cert; there’s a reason they’re called public keys • Do not put the same key on two different boxes. SSL lacks Perfect Forward Secrecy, so not only will Alice be able to impersonate Bob, but Alice will be able to passively monitor all of Bob’s traffic. • I have a high speed scanning node called Deluvian, with which I found 2.4M SSL hosts (specifically, HTTPS) – Weirdest results of any scan I’ve ever done – enough that I’m not going to discuss all my results, they’re too weird

  13. Total Mysterious Statement • IF YOU ARE THE SORT OF SITE THAT DOES NOT WANT PEOPLE KNOWING ALL YOUR INTERNAL DNS NAMES, BE VERY CAREFUL WHAT SSL CERTS YOU LET THE PUBLIC SCAN FOR – Side note: You might not want to put this on your honeypot: – '/C=JP/ST=TOKYO/O=XXXXXX/OU=IT Division/CN=honeypot.xxxxxx.com/emailAddres s=nw-admin@xxxxxx.com'

  14. What Appears To Be The Case • What DID the numbers say? – Good: 90% of keys on only one box – Bad: 10% of keys were everywhere , enough that only one out of three boxes found had a unique key. • Theory: No two devices are supposed to have the same key – Reality: A depressing number of VPN concentrators and embedded devices had SSL keys pre-burned into them at ship. – Depressing Reality: It vaguely appears like a group that really should know better has deployed tens of thousands of machines with the same cert • Caveat: Absolute numbers are really sketchy. Only half of IP addresses that respond to TCP/443 actually had anything there, and a fair number of those addresses actually changed what key they were hosting when tested. – Someone in the audience probably knows WTF  – In the mean time, there is a very obvious SSL flaw…

  15. “Why Is This Secure” The World’s Most Depressing Google Search • Everything here is delivered over HTTP. So an attacker can just replace https with http and hijack your login. • 26% of the Top 50 banks operate insecurely; all but one use a picture of a lock to assure users the link is safe – .

  16. We’re Going To Need A Bigger Boat • People have been complaining about this for quite some time – believe me, I’m not the first to notice • Choices seem to be: – 1) Force everyone at the home page to go to SSL • Too expensive to send everyone to SSL, so that’s out – 2) Force everyone at the home page to click through to a login page • Confuses users = still too expensive. Users might call up instead, and who wants to talk to users? – 3) Allow people to log in directly through the home page • *crickets* • Is it possible for users on online applications to use a home page login screen securely?

  17. Another Option • Web pages aren’t static – they can recode themselves in response to user input • <IFRAME> is a mechanism for putting a “mini- window” of another site in a page. – Known: IFRAMEs are useful for precaching entire web pages – Not Known: IFRAMEs can contain https links • Solution: When the user first interacts with the Username field, document.write an IFRAME to your SSL site. This initializes SSL, and starts precaching site content. When they shift focus into the password field, immediately redirect the window to the https site. – Demo

  18. Example(HTML) • Create a username and password field, plus a SPAN to inject an IFRAME into <td>Username: <input name="login" id="username" type="text" onKeyUp="precache();"</td> Password: <input name="password" id="username" type="text" onFocus="window.location.href='https://l ogin.yahoo.com';"></td> <hr> <span id="TextDisplay"></span>

  19. Example(JS) • Add an iframe, once, if precache is called. • <script> var changed=0; function precache() { if(changed) {return 0;} changed=1; var divel=document.getElementById("TextDisplay"); divel.innerHTML='<iframe height=400 width=400 SECURITY="restricted“ src="https://login.yahoo.com"></iframe>'; } </script>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Black-hole dynamics Sean A. Hayward Paris, 22nd November 2006 1. Classical theory of black holes

Black-hole dynamics Sean A. Hayward Paris, 22nd November 2006 1. Classical theory of black holes

Black-hole dynamics Sean A. Hayward Paris, 22nd November 2006 1. Classical theory of black holes 2. Dynamical black holes: trapping horizons 3. Basic laws: trapping, signature, area, topology 4. Conservation of energy 5. Conservation of

495 views • 12 slides
Black collective territories Historical presence of black population Colombias main rivers

Black collective territories Historical presence of black population Colombias main rivers

Black collective territories Historical presence of black population Colombias main rivers The lower Mira River Oil palm landscape, 2006 View of palm oil processing plant, Palmas de Tumaco 2006 Lidoro Hurtado, Lower Mira River community

277 views • 10 slides
United States Court of Appeals for the Federal Circuit 2006-1523 STEVEN E. BYRNE,

United States Court of Appeals for the Federal Circuit 2006-1523 STEVEN E. BYRNE,

NOTE: This disposition is nonprecedential. United States Court of Appeals for the Federal Circuit 2006-1523 STEVEN E. BYRNE, Plaintiff-Appellant, v. THE BLACK &amp; DECKER CORPORATION, BLACK &amp; DECKER, INC., and BLACK &amp; DECKER (U.S.),

125 views • 10 slides
Black Hole Production N. Okada T. Matsuo (Taiwan Normal) T. Matsuo JHEP 0612 (2006) Alig (Bonn)

Black Hole Production N. Okada T. Matsuo (Taiwan Normal) T. Matsuo JHEP 0612 (2006) Alig (Bonn)

Black Hole Production N. Okada T. Matsuo (Taiwan Normal) T. Matsuo JHEP 0612 (2006) Alig (Bonn) C. Alig Drees and C. M. Drees M. PRD 66 [ph/0111298] N. Okada (KEK) and also Black Hole Production PRD 67 [th/0212108]; 71 (2005); 73 (2006) S.

682 views • 39 slides
Reflected entropy for an evaporating black hole Yang Zhou ( ) Based on arXiv:2006.10846

Reflected entropy for an evaporating black hole Yang Zhou ( ) Based on arXiv:2006.10846

Reflected entropy for an evaporating black hole Yang Zhou ( ) Based on arXiv:2006.10846 with Tianyi Li and Jinwei Chu Introduction Quantum gravity is the key to understand the origin of our universe A simpler object involving

344 views • 32 slides
GRAVITATIONAL RECOIL OF BINARY BLACK HOLES Luc Blanchet Gravitation et Cosmologie ( G R C O )

GRAVITATIONAL RECOIL OF BINARY BLACK HOLES Luc Blanchet Gravitation et Cosmologie ( G R C O )

GRAVITATIONAL RECOIL OF BINARY BLACK HOLES Luc Blanchet Gravitation et Cosmologie ( G R C O ) CNRS / Institut dAstrophysique de Paris 23 novembre 2006 Based on Gravitational recoil of inspiralling black-hole binaries to

362 views • 19 slides
Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II. The First Law of Black Hole Mechanics and Black Hole Entropy III. Dynamic and Thermodynamic Stability of Black Holes IV. Quantum Aspects of Black

1.74k views • 116 slides
Aaron Smith, Michael Frow, Joe Quddus,

Aaron Smith, Michael Frow, Joe Quddus,

Aaron Smith, Michael Frow, Joe Quddus, Donovan Howell, Thomas Reed, Clark Landrum, Brian Clifton May 2, 2006 The Big Black Box The Crude B Demand Big Crude A Black Crude C Profit

1.44k views • 142 slides
Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Introduction : black hole issues and entropy counting The fuzzball proposal Constructing three-charge supersymmetric solutions Non-BPS extremal black holes Conclusion and perspectives Constructing black holes and black hole microstates String

1.37k views • 95 slides
Neural Decoding of Cursor Motion using Kalman Filter W. Wu, M. J. Black, Y. Gao, E. Bienenstock,

Neural Decoding of Cursor Motion using Kalman Filter W. Wu, M. J. Black, Y. Gao, E. Bienenstock,

Neural Decoding of Cursor Motion using Kalman Filter W. Wu, M. J. Black, Y. Gao, E. Bienenstock, M. Serruya, A. Shaikhouni, J. P. Donoghue NIPS 15, 2003 CSE 599E: Brain-Computer Interfaces Presented by: Jean Wu 19 April 2006 Overview [

306 views • 12 slides
Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black

Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black

Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black Tree Properties Red-black tree properties Every node has a color, red or black. The root is black. The leaves are black. nil nil nil nil nil

392 views • 36 slides
BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY

BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY

BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY HIGHLIGHTED OF BLACK ACHIEVEMENTS The creative contributions in all fields throughout the world. With this background, both Black students

635 views • 46 slides
Example of Black Body Spectra for different temperatures What is the best known example of a black

Example of Black Body Spectra for different temperatures What is the best known example of a black

Example of Black Body Spectra for different temperatures What is the best known example of a black body source? What is the best known example of a black body source? Hint Temperature = 2.7 K Planck Radiation Law Cosmic Microwave

504 views • 32 slides
Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow

Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow

Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow Source: Office for National Statistics, Regional Accounts, 2017 2 3 3 Business stock in the Black Country is at its highest since 2004 Black

532 views • 19 slides
Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK

Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK

Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK PRE-LAW CONFERENCE VALENCIA SCOTT | PRESIDENT SHONDREYA LANDRUM | INTERNAL AFFAIRS VICE PRESIDENT Our Organization Purpose - Goals The Black

589 views • 16 slides
5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node

5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node

Red Black Tree 5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node Is BLACK sometimes referred to as a &quot;Null Leaf&quot; Red Black Tree Properties - B 3. Every RED Node Has Two Black Child

1.14k views • 100 slides
Adventures in Load Balancing at Scale: Successes, Fizzles, and Next Steps Rusty Lusk Mathematics

Adventures in Load Balancing at Scale: Successes, Fizzles, and Next Steps Rusty Lusk Mathematics

Adventures in Load Balancing at Scale: Successes, Fizzles, and Next Steps Rusty Lusk Mathematics and Computer Science Division Argonne National Laboratory Outline Introduction Two abstract programming models Load balancing and

538 views • 28 slides
A B rie f In tro d u c tio n to th e H is to ry o f C o m p u tin g - 5 W

A B rie f In tro d u c tio n to th e H is to ry o f C o m p u tin g - 5 W

In tro to h isto ry o f co m p u tin g 4 .5 A B rie f In tro d u c tio n to th e H is to ry o f C o m p u tin g - 5 W hat computers were used for, who made them: Operating system s, applications and

254 views • 6 slides
A High Assurance Smart Meter Using Protected Module Architectures Jan Tobias Mhlberg

A High Assurance Smart Meter Using Protected Module Architectures Jan Tobias Mhlberg

empty An Implementation of A High Assurance Smart Meter Using Protected Module Architectures Jan Tobias Mhlberg jantobias.muehlberg@cs.kuleuven.be iMinds-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium WISTP @ Heraklion,

915 views • 44 slides
Mississippi Board of Nursing Request for Proposal No. 3733 License Management System RFP 3733

Mississippi Board of Nursing Request for Proposal No. 3733 License Management System RFP 3733

Mississippi Board of Nursing Request for Proposal No. 3733 License Management System RFP 3733 The Mississippi Board of Nursing (MBON) is seeking a web-based COTS License Management System for a field- proven product based on current

285 views • 13 slides
Smart metering architecture to enable and simulate novel services in smart grids Edoardo Patti

Smart metering architecture to enable and simulate novel services in smart grids Edoardo Patti

IEEE International Conference on Innovative Smart Grid Technologies Smart metering architecture to enable and simulate novel services in smart grids Edoardo Patti Francesco Arrigo Dept. Of Control and Computer Dept. of Energy Engineering,

1.33k views • 114 slides
Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David

Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David

Background Userland Simulator Implementation Challenges/Futures Summary Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David S. Miller Red Hat Inc. Linux on Sun LDOMs Background Userland

515 views • 36 slides
AOS Linux Tutorial Remote Access and Transferring Files Michael Havas Dept. of Atmospheric and

AOS Linux Tutorial Remote Access and Transferring Files Michael Havas Dept. of Atmospheric and

AOS Linux Tutorial Remote Access and Transferring Files Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University September 28, 2010 Outline 1 Remote Access SSH From Linux or OS X SSH from Windows Transferring Files SSH

394 views • 20 slides
Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi Synopsis New remote timing attack vulnerability in OpenSSLs implementation of Montgomerys

487 views • 25 slides

More recommend