Over the weekend it was revealed that the NSA is slurping up everyone's email "address book" and chat "buddy lists". How does this work?
You can look at my open-source "ferret" utility for the answer. It parses a bunch of different email (SMTP, POP, IMAP) and chat protocols (MSN, Yahoo, and AOL). I wrote this code back in 2007. It's unlikely that any NSA engineer writing similar code since then wouldn't have seen my ferret program. Also, my code is very fast; it can reasonably be run on multi-gigabit links -- the sort you'd find in underwater taps of fiber-optic links.
Likewise, there's a good chance they saw my presentations on ferret and "data seepage", such as this one from Black Hat DC in 2007 where I explain how to grab a person's address book:
In my presentation, I called this "baconizing", referring to the "6 degrees of Kevin Bacon" theory. I was hoping it would catch on. It didn't.
Anyway, if you want to understand this issue more, I highly recommend either the above presentation or the ferret source code itself.
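To make the mechanism concrete, here is the SMTP half of that idea as an added example in Python. It is not Ferret's code: a small parser walks the client side of a sniffed SMTP session, pulls sender and recipients out of both the envelope and the message headers, and then answers the "baconizing" question with a breadth-first search over the resulting contact graph. The two sessions are constructed for the example, and the parser assumes the TCP stream has already been reassembled into lines.

```python
"""Harvest address-book relationships from sniffed SMTP and rank them by
degrees of separation.  Added example, not Ferret's code; the SMTP sessions
below are constructed, and the parser assumes the TCP stream has already been
reassembled into client-side lines."""
import re
from collections import deque

# Good-enough address matcher for traffic analysis (not an RFC 5322 validator).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_smtp_session(client_lines):
    """Return one (sender, sorted_recipients) tuple per message in the session.

    Recipients come from both the envelope (RCPT TO) and the message headers
    (To:/Cc:).  The envelope is the interesting part: Bcc: recipients never
    appear in the headers, but every one of them is an RCPT TO on the wire.
    """
    messages = []
    env_from, env_to, hdr_from, hdr_to = None, [], None, []
    in_data = in_headers = False
    for line in client_lines:
        if in_data:
            if line == ".":                       # end of message body
                sender = env_from or hdr_from
                recipients = set(env_to) | set(hdr_to)
                recipients.discard(sender)
                if sender:
                    messages.append((sender, sorted(recipients)))
                env_from, env_to, hdr_from, hdr_to = None, [], None, []
                in_data = False
            elif in_headers:
                if line == "":                    # blank line ends the header block
                    in_headers = False
                else:
                    name, _, value = line.partition(":")
                    name = name.lower()
                    if name == "from":
                        hit = ADDR_RE.search(value)
                        hdr_from = hit.group(0).lower() if hit else None
                    elif name in ("to", "cc"):
                        hdr_to.extend(a.lower() for a in ADDR_RE.findall(value))
            continue
        verb = line[:4].upper()
        if verb == "MAIL":
            hit = ADDR_RE.search(line)
            env_from = hit.group(0).lower() if hit else None
        elif verb == "RCPT":
            env_to.extend(a.lower() for a in ADDR_RE.findall(line))
        elif verb == "DATA":
            in_data = in_headers = True
        elif verb == "RSET":
            env_from, env_to = None, []
    return messages


def build_graph(messages):
    """Undirected contact graph: sender <-> each recipient."""
    graph = {}
    for sender, recipients in messages:
        for recipient in recipients:
            graph.setdefault(sender, set()).add(recipient)
            graph.setdefault(recipient, set()).add(sender)
    return graph


def degrees_of_separation(graph, a, b):
    """Shortest hop count between two addresses (BFS), or None if unconnected."""
    if a == b:
        return 0
    seen, queue = {a}, deque([(a, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt == b:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


# Constructed sample: two sessions sniffed from the same hotspot (not real traffic).
SESSION_1 = [
    "EHLO laptop.local",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.org>",
    "RCPT TO:<carol@example.net>",           # Bcc: visible only in the envelope
    "DATA",
    "From: Alice <alice@example.com>",
    "To: Bob <bob@example.org>",
    "Subject: lunch",
    "",
    "See you at noon.",
    ".",
    "QUIT",
]
SESSION_2 = [
    "MAIL FROM:<bob@example.org>",
    "RCPT TO:<dave@example.edu>",
    "DATA",
    "From: bob@example.org",
    "To: dave@example.edu",
    "",
    "Got the slides?",
    ".",
]


def contact_graph():
    """Merge both constructed sessions into one contact graph."""
    return build_graph(parse_smtp_session(SESSION_1) + parse_smtp_session(SESSION_2))


if __name__ == "__main__":
    g = contact_graph()
    for addr, peers in sorted(g.items()):
        print(addr, "->", ", ".join(sorted(peers)))
    print("alice -> dave:", degrees_of_separation(g, "alice@example.com", "dave@example.edu"))
```

Note that carol only ever shows up as an RCPT TO: she was Bcc'd, so no header mentions her, yet she is two hops from dave in the graph. That is the kind of leak the envelope gives away that the message itself does not.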
Tuesday, October 15, 2013
Saturday, August 03, 2013
DefCon network analysis vs. NSA
Despite the Snowden revelations, we still don't know the capabilities of the NSA. What can they really discover from their world-wide undersea fiber optic taps?
There's an answer to that: let's monitor the DefCon Internet connection. It's 100 Mbps sustained traffic throughout the day with the craziest stuff that goes across the Internet. DefCon protects this traffic, protecting people's privacy (except the public WiFi of course), but maybe they should open this up to researchers.
For example, consider these questions:
- What percentage of the websites attendees visit (like Facebook) are protected with 1024-bit SSL keys that can be easily broken by the NSA?
- How many use "forward security"?
- How many use VPNs in a manner that can easily be cracked, such as those using MS-CHAPv2?
- How many BitCoin transactions, and what's the total value transferred at DefCon?
- What is the percentage of HTTPS vs. HTTP?
- What is the percentage of mobile vs. desktop browsers? Mobile apps?
- How much is Tor? BitTorrent? YouTube streaming?
- How much is "hacker" traffic, such as nmap scans or tunneling non-DNS traffic on DNS port 53?
- What are some cool Maltego transforms that can link people together in 3 degrees of separation?
- How many unique SMTP email addresses were seen? unique login names? passwords? password hashes?
In short, assuming that the NSA is monitoring the DefCon traffic, what do they see?
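One of the questions above, "non-DNS traffic on DNS port 53", is easy to answer with a strict parser: anything on udp/53 that does not decode as a well-formed query is not DNS, and anything that does decode but carries a long, high-entropy, attacker-chosen subdomain is probably a tunnel. The Python below is an added example, not Ferret code. The payloads are constructed, the two-label zone cut and the length/entropy thresholds are assumptions chosen for illustration, and the classifier looks only at client-to-server queries.

```python
"""Sort UDP/53 payloads into real DNS queries, queries that look like a
covert tunnel, and bytes that are not DNS at all.  Added example, not Ferret
code; the payloads are constructed and the tunnel thresholds are assumptions
chosen for illustration."""
import math
import struct

QTYPE_A, QTYPE_NULL, QTYPE_TXT = 1, 10, 16
LABEL_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def parse_dns_query(payload: bytes):
    """Strictly parse a DNS query header and its single question.

    Returns (qname, qtype), or None when the bytes are not a well-formed
    query: the 'non-DNS traffic on port 53' case.  Responses (QR=1), names
    with compression pointers, and non-hostname bytes are rejected too, which
    is deliberate for a query-side classifier.
    """
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1 or ancount or nscount or arcount > 1:
        return None                      # arcount 1 leaves room for an EDNS OPT record
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):   # 0xC0.. pointers fail here too
            return None
        label = payload[pos:pos + length]
        if not LABEL_CHARS.issuperset(label):
            return None
        labels.append(label.decode("ascii"))
        pos += length
    if not labels or pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass not in (1, 255):           # IN or ANY
        return None
    qname = ".".join(labels)
    return (qname, qtype) if len(qname) <= 253 else None


def shannon_entropy(text: str) -> float:
    """Bits per character; random base32/base64 payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((text.count(c) / n) * math.log2(text.count(c) / n) for c in set(text))


def classify_port53(payload: bytes, max_subdomain=50, max_entropy=4.2) -> str:
    """Label one UDP payload captured on port 53."""
    parsed = parse_dns_query(payload)
    if parsed is None:
        return "non-dns"
    qname, qtype = parsed
    labels = qname.split(".")
    # Assumption: the last two labels are the zone the tunnel operator controls and
    # everything to the left is attacker-chosen data.  A real tool would consult the
    # public-suffix list instead of a fixed two-label cut.
    subdomain = "".join(labels[:-2])
    if len(subdomain) >= max_subdomain:
        return "dns-tunnel-suspect"
    if len(subdomain) >= 16 and shannon_entropy(subdomain) > max_entropy:
        return "dns-tunnel-suspect"
    if qtype in (QTYPE_NULL, QTYPE_TXT) and len(subdomain) >= 20:
        return "dns-tunnel-suspect"
    return "dns-query"


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a minimal recursive query; used only to construct the samples."""
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed samples (not real captures).
NORMAL_QUERY = build_query("www.example.com")
TUNNEL_QUERY = build_query(
    "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6.t.example.net", QTYPE_TXT)
NOT_DNS = b"SSH-2.0-OpenSSH_8.9\r\n"   # some other protocol shoved through port 53


if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_QUERY), ("tunnel", TUNNEL_QUERY), ("other", NOT_DNS)]:
        print(f"{name:7s} {classify_port53(pkt)}")
```

Counting the three labels over a day of traffic gives the percentage the question asks for without ever recording who sent what.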
All of this info is interesting without having to tie it back to individual identities. We can report the number of BitCoins transferred at DefCon without revealing who did them, for example.
Unfortunately, the privacy difficulties may be insurmountable. The number of researchers data mining this would have to be small, and they'd have to sign NDAs, but there is a good chance that even this isn't practical.
The sort of researcher you want is one making deep-packet-inspection tools, such as my Ferret tool. So consider me a typical researcher.
I never need to see the network traffic itself. I can update my tool to answer the above statistics using traffic from other sources. Thus, I can build a tool that generates the above information so that DefCon can show the updating statistics live on their website next year. But the results will be incomplete. To extract the best information, I need a copy of the real traffic to work from. I need to run it through my code, produce results, then go back and modify the code to produce better results.
I'm going to update my Ferret tool over the next year to produce such results live for next year. Hopefully, the conference organizers will find a way to do a live display of the results. But, the reason I'm posting this is to encourage The Dark Tangent to collect a large capture (e.g. 1-terabyte) of real data and let me play with it under an NDA.
Saturday, April 14, 2012
Ferret/3.0 (64-bit)
I haven't been maintaining my Ferret program because I've been working on a rewrite of the core engine that is super-duper. But then, my rewrite got too ambitious and it's in a state of perpetual incompleteness. Sigh.
So I've gone back and fixed the bugs with the original Ferret. In particular, 64-bit is the major issue. There is a bug preventing it from working on 64-bit. I've fixed the bug and now it seems to work just fine.
I've checked it into http://ferret.googlecode.com. If you are a developer, I can add you to the list of contributors.
Also, I've made it link to "libSegFault.so", which should print out more useful crash dumps. If it crashes, you can send that output to me (robert_david_graham@yahoo.com).
Tuesday, May 13, 2008
Call for Beta Testers
Errata is looking for Beta testers for the next release of the Ferret iPhone package. You will need an unlocked iPhone and the capability to install a binary on it.
Please contact me at marisa@erratasec.com if you are interested.
Monday, May 12, 2008
New Team Member at Errata Security
Hi Everyone,
I'm Marisa and I am the new product manager for Errata's ProtoDev line of products. If you have feature requests for Ferret/Hamster, LookingGlass, or AxBan you can contact me at marisa@erratasec.com.
I'll also be contributing to the blog from time to time about the latest ProtoDev news and updates. It's really great to be a part of the Errata team, and I look forward to hearing from you all!
-marisa
Saturday, October 27, 2007
Errata goes to the races...
Today I spent time in the pits of the NASCAR truck series. It was a fun day (there was a minor accident), but the most surprising thing was the wireless access.

There were open WiFi access points all over the pits. From DirecTV to access points used by reporters, it was ripe for credential theft, not to mention people still using unencrypted POP3. Below are some screenshots from my iPhone running stumbler. These were collected just walking up and down the track. Sometimes people need to remember that although people who do security for a living know about these types of problems, the general public doesn't.

We should have a hamster and ferret package for the iPhone available soon.
Labels:
events with wifi,
Ferret,
hamster,
NASCAR,
wifi
Sunday, August 05, 2007
SideJacking with Hamster
NOTE: you can download the program at http://www.erratasec.com/sidejacking.zip; make sure to read the instructions.
Others have done a better job blogging on my Hamster/SideJacking stuff than I could, so I'll just link to their sites: [DarkReading] [Brian Krebs] [tgdaily] [George Ou] (George has screenshots).
This isn't really "new" in theory. Man-in-the-middle attacks on public WiFi can do this sort of thing. Also, stealing cookies via XSS (Cross Site Scripting) can do this for the hacker. What makes this interesting is that it's point-and-click easy with a sniffer on WiFi hotspots.
I played around with the "Wall of Sheep" yesterday at DefCon. I was owning more accounts using my tools than everyone else using Dsniff and EtterCap. I spent most of my time hunting for people using HotMail or Yahoo! Mail - I could have gotten a lot more accounts if I focused just on Gmail instead (it's like 20-to-one the ratio of DefCon attendees using Gmail vs. other online e-mail accounts).
I gave out my tools to a bunch of people personally, I'll be officially posting the tools on Monday afternoon to our website. Also, you can do this manually by using a traditional packet-sniffer and a tool like the Edit Cookies add-on for Firefox.
While copying/replaying cookies sounds easy, there are some additional tricks to it that I've found in practice. One trick is that URLs also contain unique identifiers. In order to sidejack a HotMail or Yahoo! Mail connection, you have to know which URL to use. The other is that when starting in the middle of a session, you see the "Cookie:" commands the browser sends to the server, but not the "Set-Cookie:" commands the server sent in the opposite direction. Sometimes things don't work because when I clone cookies sent with the path /aaa/bbb, I won't know that I should also send them with the path /aaa/ccc. I've found that when you gain access to a site, but the access is flaky, if you start browsing around the site, you'll eventually get the correct "Set-Cookie:" from the server, then everything will work correctly.
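The "Cookie: but not Set-Cookie:" problem is worth seeing in code. The Python below is an added example, not Hamster's code: it clones cookies from a sniffed client request, gives each one a guessed scope using the RFC 6265 default-path rule (a cookie seen on /aaa/bbb is assumed good for /aaa/...), and upgrades that guess to the declared Path= the moment a server Set-Cookie: is observed. The request and response are constructed for the example.

```python
"""Cookie-clone bookkeeping for the sidejacking case above: what a sniffer sees
is the client's Cookie: header, not the server's Set-Cookie:, so the scope of
each cookie has to be inferred until a Set-Cookie: is finally observed.
Added example, not Hamster's code; the HTTP messages are constructed and the
scope rules follow RFC 6265 (default-path and path-match)."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    path: str            # declared by Set-Cookie, or inferred from where we saw it sent
    path_declared: bool  # True once the server side has been observed


def split_head(raw: str):
    """(start line, {lowercase header name: [values]}) for one HTTP message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def default_path(request_path: str) -> str:
    """RFC 6265 s5.1.4: the scope a cookie gets when Path= is absent."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-match: /aaa covers /aaa/bbb and /aaa/ccc, not /aaab."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class SideJar:
    def __init__(self):
        self.by_host = {}        # host -> {cookie name: Cookie}

    def observe_request(self, raw: str) -> str:
        """Clone cookies from a sniffed client request; returns the Host."""
        start, headers = split_head(raw)
        _method, req_path, _version = start.split(" ", 2)
        host = headers["host"][0].lower()
        jar = self.by_host.setdefault(host, {})
        for header in headers.get("cookie", []):
            for pair in header.split(";"):
                name, _, value = pair.strip().partition("=")
                if not name:
                    continue
                known = jar.get(name)
                if known is None:
                    # Only the Cookie: direction seen: scope is guessed from this request.
                    jar[name] = Cookie(name, value, default_path(req_path), False)
                else:
                    known.value = value       # freshest value, keep the scope we know
        return host

    def observe_response(self, host: str, raw: str) -> None:
        """Learn the authoritative scope when the server's Set-Cookie: is seen."""
        _status, headers = split_head(raw)
        jar = self.by_host.setdefault(host.lower(), {})
        for header in headers.get("set-cookie", []):
            parts = [p.strip() for p in header.split(";")]
            name, _, value = parts[0].partition("=")
            attrs = {}
            for part in parts[1:]:
                key, _, val = part.partition("=")
                attrs[key.strip().lower()] = val.strip()
            # HttpOnly stops script from reading the cookie; it does nothing against a sniffer.
            jar[name] = Cookie(name, value, attrs.get("path") or "/", True)

    def replay_header(self, host: str, req_path: str):
        """Cookie: value to replay for host/req_path, plus names whose scope is only a guess."""
        sent, guessed = [], []
        for cookie in self.by_host.get(host.lower(), {}).values():
            if path_matches(req_path, cookie.path):
                sent.append(f"{cookie.name}={cookie.value}")
                if not cookie.path_declared:
                    guessed.append(cookie.name)
        return "; ".join(sent), guessed


# Constructed sample exchange (not a real capture).
SNIFFED_REQUEST = ("GET /mail/inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
                   "Cookie: SID=abc123; PREF=lang%3Den\r\n\r\n")
SNIFFED_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                    "Set-Cookie: SID=abc123; Path=/; HttpOnly\r\n\r\n")


def walkthrough():
    """What gets replayed to a path outside /mail, before and after Set-Cookie: is seen."""
    jar = SideJar()
    host = jar.observe_request(SNIFFED_REQUEST)
    before = jar.replay_header(host, "/calendar/today")   # nothing: scope still a guess
    jar.observe_response(host, SNIFFED_RESPONSE)
    after = jar.replay_header(host, "/calendar/today")    # SID now known to be site-wide
    return before, after


if __name__ == "__main__":
    print(walkthrough())
```

This is the "flaky access" behaviour in miniature: until the server's Set-Cookie: goes by, the session cookie is only replayed under /mail, and a request to /calendar goes out with no cookie at all. Browsing around until the server re-issues the cookie is exactly what fills in the missing Path=.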
Labels:
cookies,
Ferret,
hamster,
sidejacking,
sniffer
Monday, May 14, 2007
Blogging Toorcon/Seattle
The San Diego cybersecurity convention Toorcon has branched northwards with a cool concept. This year, they had a small con (150 people) on the weekend after BlueHat (Microsoft's internal cybersecurity con). It was in a small bar, talks lasted 20 minutes, and it ended with an hour of 5-minute "lightning" talks. The format rocked, hard.
I want to apologize for my talk. My talk was later in the day, so in the time leading up to the talk I was sniffing the wireless. (I wasn't alone, MANY other people were also sniffing the wireless.) I started my talk by showing the sorts of things I could sniff about somebody, such as their AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth. The person I showed was somebody that had a diverse set of information, but not somebody who was doing anything embarrassing. I specifically chose NOT to 'out' the attendee who was surfing gay porn during the talks (although I probably should have, since virtually nobody who goes to cybersecurity cons would be embarrassed by surfing gay porn). However, even if nothing embarrassing is shown, it's still embarrassing feeling a bit exposed like that (although, I should repeat: a lot of people were sniffing the traffic as well, my talk just exposed it).
The moral of the story is: DON'T USE OPEN WIFI AT CYBERSECURITY CONVENTIONS. Seriously, any wifi is dangerous. The dangers are:
1. I can sniff more interesting bits out of your traffic than you realize
2. I can hijack (or "sidejack") the web accounts you log onto
3. I can grab control of your browser (download history, cached passwords, etc.)
4. I can probably break into your machine
5. This works on Internet Explorer and Firefox on Mac, Linux, and Windows
6. …all using well-known, unpatched (and often unpatchable) techniques
I've already released my Ferret tool that sniffs interesting info (like I showed at the start of my talk). I'm going to be releasing my "sidejacking" tool that sniffs Web/2.0 session IDs, allowing other people on the same wifi to gain access to your accounts even without man-in-the-middle attacks. I'm going to be releasing a "man-in-the-middle" tool that inserts JavaScript into your browser, essentially making every website you visit vulnerable to Cross Site Scripting (XSS) attacks against your browser.
There are two good alternatives to public wifi. The first is to set up a box at home and VPN to it, and harden the wifi adapter so that none of your normal system applications (e.g. NetBIOS) are bound to it.
The second alternative is mobile broadband like GPRS, EDGE, HSDPA, or EVDO. You can often access the Internet by "tethering" your mobile phone, or get one of the new notebooks with built-in adapters.
It's interesting to see that public wifi is still growing fast, with cities all across the United States creating municipal wifi networks. This means that more and more hackers will be attacking it. Now is a good time to start weaning yourself off of it.