WiFi Seepage and Web/2.0
Robert Graham – Founder & CEO
David Maynor – Founder & CTO
What is Data Seepage?
• Don’t Confuse it with Data Leakage
– Leakage of social-security number
– Leakage of credit-card
• Seepage
– Things you don’t mind disclosing
– Seepage of your name
– Seepage of your contact info
What is Data Seepage?
• Think about what your laptop does when it starts up.
– Programs set to autostart
– Looking for certain resources like intranet homepage and shared drives
– Email clients
– Instant messaging clients
Data seeps via the network…
• Wifi packets
• Wired broadcasts
• DHCP Broadcast
• NetBIOS/SMB Broadcast
• DNS/Bonjour Requests
DHCP ++
• You can offer up an address and pretend to be whatever server you are looking for.
• Look at the Karma project.
– Respond to WiFi “probe”
– Respond with DHCP address
– Respond to ARPs
– Respond to NetBIOS queries
– Respond to SMB/DCE-RPC connections
– Respond to DNS queries
– Respond to SMTP connections
NetBIOS/SMB Broadcast
• WKSSVC announcements
• AD activity
• Attempting to connect to shared drives
• Printers
Other Protocols
• Bonjour
– Very chatty about who you are
• Skype
– It always finds a way
• Security tools
– They are always update hungry
• OS
– They love the updates as well
• AIM will update you on all your buddies’ status.
– This tells an eavesdropper who is on your buddy list.
Referer
Cookie Unique ID
Example: WiFi probes
• A list of every place the person has been
• MSFTINET?
Example: e-mail
• Finding the 6 degrees of Kevin Bacon
This person lives in Portland
Sidejacking
What is Sidejacking
• Fundamental flaw with Web/2.0
• Encrypted passwords for logon
– Maybe even SSL
• …but data is unencrypted
– Set-Cookie sent back from logon with key
– Each HTTP request sends back the same cookie/key
– Sniff the cookie = grab the credentials
– Use that cookie yourself = hijack the connection
• THIS IS NOT MAN-IN-THE-MIDDLE
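The gap this slide describes (logon protected, but the session cookie still attached to plaintext requests) can be checked from the defender's side by reading the site's own Set-Cookie headers. This is an added example, not code from the slides or from Ferret; the host names, cookie names and function names are constructed, and Path matching is left out as a simplification.

```python
from urllib.parse import urlsplit

def parse_set_cookie(origin_host, header_value):
    """Parse one Set-Cookie value into the fields that decide cleartext exposure."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {"name": name.strip(),
            "secure": "secure" in attrs,          # Secure: never sent over http://
            "domain": domain or origin_host.lower(),
            "host_only": not domain}              # no Domain attribute: exact host only

def domain_matches(cookie, host):
    """Browser-style host match: exact host, or any subdomain when Domain was set."""
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def cleartext_exposure(responses, request_urls):
    """Return {url: [cookie names]} for http:// requests that would carry a cookie."""
    jar = [parse_set_cookie(host, h) for host, hdrs in responses for h in hdrs]
    exposed = {}
    for url in request_urls:
        u = urlsplit(url)
        if u.scheme != "http":
            continue  # TLS-protected requests are not readable by a passive sniffer
        names = sorted(c["name"] for c in jar
                       if not c["secure"] and domain_matches(c, u.hostname))
        if names:
            exposed[url] = names
    return exposed

# Constructed sample: logon response over HTTPS, then pages and images over HTTP.
RESPONSES = [("www.example.test", [
    "session_id=CONSTRUCTED; Domain=.example.test; Path=/",
    "csrf=CONSTRUCTED; Secure; HttpOnly; Path=/",
    "prefs=dark; Path=/",
])]
REQUESTS = ["https://www.example.test/inbox",
            "http://static.example.test/img/logo.png",
            "http://www.example.test/feed"]

if __name__ == "__main__":
    for url, names in cleartext_exposure(RESPONSES, REQUESTS).items():
        print(url, "->", names)
```

Any session cookie that shows up in the result needs the Secure attribute, and the pages that reference it need to be served over HTTPS.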
How to Side-Jack
[Diagram: Client sends cookie ID=j83Hkwq5Bne to Server; Hacker sniffs the cookie and sends the same ID=j83Hkwq5Bne through a proxy]
• proto="HTTP", op="GET", Host="farm1.static.flickr.com", URL="/190/495273334_ccb75752c1_m.jpg", cookie="cookie_epass=70fe73053a47f87eb22a6373325b0db3; cookie_accid=365488; cookie_session=365488%3A70fe73053a47f87eb22a6373325b0db3; use_master_until=1179009958"
“trac_session”
Undetected
• Wifi Sidejacking
– Behind the same NAT
– Share the same IP address
– Share the same time period
• Doesn’t log off
– With other software, like MSN, a new connection auto-logs-off the other one
– …but in Web/2.0, multiple connections from the same machine are normal
Sidejacking: the software
• What we are working on
– Adding proxy server to Ferret code
– Home page lists active sessions
• i.e. links to the webpage they are currently viewing
– Click on webpage, proxy fills in the Cookie
– Gains access to website