DAVID KENNEDY: How's it going DEF CON?

(Applause)

DAVID KENNEDY: I'm Nick and I appreciate you coming out and hearing us talk. This talk is called The Dirty South, Getting Justified with Technology. We will be getting into that in just a minute here. Appreciate you coming out and always honor the speaker year after year again. Just a quick introduction, I am the author of The Social-Engineer Toolkit. I'm also founder of TrustedSec. It is a consulting company. And co-author of Metasploit, The Penetration Tester's Guide. And also I have been presenting at Black Hat and DEF CON for a number of years. One of the co-founders of DerbyCon. Appreciate again coming up on stage again and talking.

NICK HITCHCOCK: I'm Nick and I can see that the slide has been modified slightly. Thank you, Dave. I also work for TrustedSec, security consultant with Dave. It has been awesome working with him. Pen tester, breaker of things. And, yes, I am wearing one right now. DerbyCon co-organizer, head of security there. I am also a team member of social-engineer.org. We are doing the SETF down in Palma.
Come down and visit at some point. Not now because you're here. And I haven't written a book but I've read some.

DAVID KENNEDY: The intro to this talk is literally, you know, if you look at kind of the evolution of security and where we are at today and why we're all here today, it has changed a lot. What we are going to do is kind of go through the evolution of security and where we're at today. And from there we will break some stuff and get a whole bunch of shells and do other stuff. We will do three major demos. I have a big surprise here. I am full of surprises. When you come to my talk, you should expect something new. Nick and I will be going through the evolution of security and where we are at today. If you look at where we are at today, we continue to get new and new technology that's trying to strengthen and protect against hackers, right? So advanced persistent threat and all these other things that we hear out there to try to protect against which is funny, right?
But this technology, you know, is becoming more and more complex and introducing more and more complexity and we are spending millions and millions of dollars on this type of stuff to try to protect us. Today we will try to break it all. Sound good?

Yeah!

DAVID KENNEDY: So the way that we structured this was an AA meeting. So, first, we need to realize we all have a problem, right? So, hi, I'm Dave.

NICK HITCHCOCK: Hi, I'm Nick.

DAVID KENNEDY: Welcome. We have been sober from technology, from buying technology for about two years now but we get tempted every time. You see this blinky box that does cool stuff that we have no idea what but we want to buy it and spend a million dollars on it. Trust me. The way we structured this is try to break you down into a reality that what this stuff really does, what it really stops us against and then really start to build us up and really what we need to do to fix all this stuff. I see security going this way or going this way. Either way is going to be interesting and fun and exciting.
But we need to break you down first to realize where we're kind of at. If anybody is drinking a beer, please drink one right now because it is not AA, it is for technology. Anyways ... Just a warning, we will try to walk through every single technology that we know of that most corporations implement, all right? Before we do that, we are going to get into the history of security and why we're kind of in this vicious cycle of continually investing in different types of technology. And then from there we will start to actually go and attack them all. Sound good? All right. Awesome. Nick?

NICK HITCHCOCK: All right. So basically history of security in brief. So we have had technology for about a century. So some type of technology. First the question is: Why? Why do we need security for this? You break into something, oh, I see why we need security. And then they say here you go, this will fix it. And then it breaks again five minutes, five years, whatever, breaks. Oh, wait. My bad. I can fix that. No problem. Rinse, repeat.
It is an endless loop, endless cycle really. So I thought there was a really interesting story about this, the inventor Marconi. In 1903 his so-called wireless telegraph system was being tested. And it was touted as the most secure communication at the time. So a magician by the name of Nevil Maskelyne said I will prove him wrong. He hijacked the presentation and sent his own little message through. If you know Morse code, that's actually lulls in Morse code.

(Making noises)

NICK HITCHCOCK: So he proves his point that this is not a secure technology. So then we get to the age of an actual programmable computer. Now, this is the Zuse Z3 where you can actually start to store some information on this. But what was really needed to secure that at that point? Well, you got next slide.

DAVID KENNEDY: Oh, sorry.

NICK HITCHCOCK: You got to lock that crap up.

DAVID KENNEDY: I forgot I had this.

NICK HITCHCOCK: Can I have that?

DAVID KENNEDY: Yeah, here we go. Sorry.

NICK HITCHCOCK: Sorry. You got to lock it up. Easy enough, right?
Locks on the doors. But then

DAVID KENNEDY: Did you hit the right button?

NICK HITCHCOCK: I don't know. Technology is hard.

(laughter)

NICK HITCHCOCK: Then it happened. Al Gore came along. He invented the Internet.

DAVID KENNEDY: Isn't it amazing. Can we get a round of applause for Al Gore, please?

(applause)

NICK HITCHCOCK: Thank you.

DAVID KENNEDY: We are all here today because of him.

NICK HITCHCOCK: So now we have the tubes. The tubes are here. They are invented. This opens us up for a whole mess of different things, anything from your standard virus malwares. We have phishing, normal malicious stuff that's out there. You need some security. All right, here's some security. This will protect you. Everything under the sun, AV, everything to protect clients, organizations. Then they start to realize, we need some type of protection on the perimeter. Let's put up the firewall. Let's deny all these ports. Let's allow only what we need through.
But something is not working with the state of technology.

(laughter)

Verizon, they did this nine year study. Over a nine year period, they found around 2500 data disclosures and 1.1 billion compromised records. So what happens is there's some confusion. We are putting all this money and things to protect ourselves but 1.1 billion personal records are being breached, are being taken. So why? So, you know, we continue to see this, a whole new industry is born, an industry where products can solve the problems of people. And so, you know, you look at these different products that are out there and the different things that are happening. This technology that is specifically designed and made to social engineer us basically into trying to solve a specific problem. So the first one I will pick on most specifically is next generation firewalls, okay? So next generation firewalls are being touted as the way to prevent APTs. If you go to any of their websites, it is all over there. That's a giggle. You look at what they are trying to do. They are trying to consolidate so you have spam filtering and whitelisting and content filtering and to move everything towards the perimeter.
You are seeing this and companies are buying this so they can try to stop against the latest and greatest attacks of today, all right? So the first demo we are going to do, it will be a new tool release that will be included in the Social-Engineer Toolkit, we call it Silent But Deadly. Thank you, Valerie. I'm definitely not silent but I'm definitely deadly when it comes to that stuff as my roommate can tell you. So what is this going to do? I'm going to show you a demonstration using the Social-Engineer Toolkit. We will not take advantage of a social exploit yet.

(laughter)

Whew!

(applause)

DAVID KENNEDY: That's right. That's right. By the way, the chicken has no relevancy at all to this talk. We just wanted to put something random in here and put in a popup box. That's all we need here, right? So I'm going to use the Social-Engineer Toolkit. I'll show you an example. I will release the code hopefully either today or tomorrow. This is the new version, version 5.3. I haven't released the payload.
We will clone a Web site and lure somebody into clicking on something via social engineering. No screen?

DAVID KENNEDY: What happened to the screen?

(laughter)

Hey, I can see the screen. Can everybody see the screen now? No.

DAVID KENNEDY: Whew. All right. I will not be able to do full screen for this for some reason. That's cool. We'll deal with it. Hang on. I got to minimize this one, too. Everybody see this? The logo.

DAVID KENNEDY: It is not mirrored. That would be why. What we are going to discuss today is how to mirror displays on OSX.

NICK HITCHCOCK: Look at the chicken, everyone. Nothing to see here.

DAVID KENNEDY: Can you see that? Yeah!

(applause)

NICK HITCHCOCK: I want to thank you for coming. Bye.

DAVID KENNEDY: All right. So I'm going to launch the Social-Engineer Toolkit. I will clone a Web site real quick. This is a new payload I developed.
I don't know if you know this, a lot of the new next gen firewalls are doing behavioral analysis on the network side. They can see protocols going back and forth. They can flag on things that aren't necessarily protocol specific, okay? So me, loving Metasploit and Meterpreter and everything else, I wanted to figure out a way to develop something that would never, ever, ever in any way, shape or form be detected again. That's usually what I go for. So grab my I.P. address here real quick to clone it. I'm going to change it real quick. All right. There we go. I'm just going to clone TrustedSec so I don't get in trouble anywhere. That's not supposed to happen. We are connected. We're connected. Don't you worry. Don't you worry. Sorry. Stop it. There we go. We're good. That's right. Even hits the best of us, man. All right. So we are going to clone trustedsec.com. I will import my own payload. This is the code that will be released.
The code will be public but it is basically Python and wrapped in an executable, okay? All right. Importing my own exe. You see it here. See that? All right. We're ready to go. Now what I need to do is create a quick listener. Go to DEF CON. Now, what this is going to do is we are going to do a social engineering kit. This is anybody from a post exploitation standpoint. We will hack a company and you will see that live here in a minute. It will come back to us and what's going to happen is we're going to assume Meterpreter in an interpreter in an encrypted bubble and wrap that around SSH and create a polymorphic tunnel over HTTP. RFC compliant HTTP. Right now it is waiting. Launch the Web site. This is just the Java attack that's built in. So we go ahead and hit run. By the way, please don't report that I have a valid certificate. That's verified publisher. I forgot about that. So we should see here in a second, we got a response back, if everything went properly.
There it goes. Notice encrypted tunnel identified. Sending challenge to verify. Making sure it is the right session. What it is going to do, it is going to create a SSH tunnel over HTTP for us. It is going to then send a Meterpreter shell via second stage over our local host over to the victim machine and then we have a full shell running over the network over native HTTP. Yeah.

(applause)

Let's pop a box. Now, notice here it is telling over local host. It is actually running through a local host environment over SSH, over HTTP. And then what it does is it actually chunks it up every single time it gets a post request. So it is a little slow but it chunks it up different every time and changes the behavior and patterns every time. Every packet you send will be completely different over HTTP. I figured I would stop it. Nick?

NICK HITCHCOCK: I think I'm up now, good, good. So, type some next gens. Welcome to the era of Marty McFly. We are dealing with static signatures and anomaly detections and antivirus on a different level.
DAVID KENNEDY: We started doing analysis on next gen firewalls. The analysis dealt with minor modification or changes done based on what is the payload. For example, a lot of the next gen firewalls will flag on a second stage Meterpreter but if you change that, modify it in any way, shape or form, just a tiny bit, it allows you to get around it and exfiltrate out around the protocols whether it is HTTP or something else. It is basically static based signature again. We are going back to the mid '80s, '90s on the behavioral side of the house. One of the claims is stop HTTP. That's ridiculous. Move to the perimeter. This is kind of crazy. So security, we started to really do a little bit of a decent job when we started having firewalls, DMZs, network segmentation and we had layers of defense. Instead we are moving to the cloud and mobile devices and laptops and just everything is completely decentralized and no longer at the perimeter. So it is all the way out and about. That actually creates a large exposure for something and something these things won't come close to touching. Now, next demo.

(laughter) (applause) (Music)
DAVID KENNEDY: That's awesome.

(Clapping)

DAVID KENNEDY: All right. All right. Yes. Thank you, sir. Thank you, sir. We ran into a customer recently where there were basically, I don't know how you manage this. But basically they were doing whitelisting of only Web sites that they legitimately allowed. A lot of them use social media and allowed exceptions. Regardless, this is just anything that you can use that allows you to put information to something that's whitelisted. Now, what we are going to be releasing is a new tool that allows a framework for that, that allows you to insert a Web site that may be whitelisted that's public, that's used all the time. And then you can use it as an intermediary for encrypted protocol traffic over HTTP as a thing in the middle. So what we are going to do here just to show you an example that's not an example. We're going to run this listener. I will launch a payload on my Windows machine.
It will connect to Facebook and allow and direct intermediary over HTTP encrypted traffic to allow us to do a command and control all through Facebook. Again, it is not a Facebook issue, anything you have public access to. It will inject into there. We get our shell. Now, it is really quick. It is fast because we are continuously monitoring any major modifications based on the notification system which is nice. It takes a second when I type something in because I have to post it, read it back in, execute the command, post it back up with the data so it is a little bit of a lag. It usually takes about four seconds. I gave it eight just in case, especially for demo purposes. And then we are able to use Facebook as essentially a man in the middle to communicate. It can be any Web site, any Web site you have the ability to put any type of information on. That's the new one we will be releasing for our framework. All right. So the next one is my favorite. This is the best demo. This is kind of the pinnacle, okay?
So we are going to go through a bunch of different technologies, everything we use for corporations. And then from there we will kind of expand on it and see what we can actually do, okay?

NICK HITCHCOCK: So behavior analysis. The best, say we can liken this to the FBI and their behavioral analysis unit. They base their profiles on behavior. And that's exactly what behavior analysis does. But the problem is people can change their behavior and so can the attacks, the malware, everything that the attack is actually based on can change. So we estimate about 30 seconds for this to be bypassed and we're going to demo how that's going to be done.

DAVID KENNEDY: Application whitelisting. Really a pain in the butt to manage, especially in large corporations. But a lot of companies are moving towards that because you get to more of a trusted model where you only allow whitelisted applications. That's all fine and dandy but all the whitelisted applications you use we use as an exploit playfield. So it doesn't do you much good. We don't really need a slide on that but I put it in there.

NICK HITCHCOCK: Filler.
DAVID KENNEDY: Just like do anything and it's good. So here we go. Monitoring and detection, could be a good concept because we want to detect these attacks. Most companies outsource them to MSSPs, right, who have no idea what their network is and what their data is and they are looking for port scans. Sounds good. That's their monitor and detection.

NICK HITCHCOCK: Content filtering works awesome. No, it does not. It does not work at all. Because why? We can change the content.

DAVID KENNEDY: Exactly.

NICK HITCHCOCK: That's all I got to say about that.

DAVID KENNEDY: Is everybody ready for one of the most epic demos ever?

(applause)

This is one of the most epic demos ever.

(laughter)

NICK HITCHCOCK: You don't hear that a lot in talks. Bring out your chicken.

(Clapping)

DAVID KENNEDY: All right. So what we're going to do here and this could go horribly wrong or go horribly right, okay?
450 00:21:22,209 --> 00:21:23,999 I actually have got a customer who said that 451 00:21:23,999 --> 00:21:26,999 he would let us social engineer somebody on stage realtime 452 00:21:26,999 --> 00:21:28,999 and I can't think of anybody else better 453 00:21:28,999 --> 00:21:31,417 to do it than one of my good friends Kevin Mitnick 454 00:21:31,417 --> 00:21:32,918 up here. 455 00:21:34,417 --> 00:21:42,751 (applause). 456 00:21:42,751 --> 00:21:43,375 So what I'm going to do first is give Sam a call 457 00:21:43,375 --> 00:21:46,417 to make sure he's still good and hasn't chickened out yet. 458 00:21:46,918 --> 00:21:51,250 We will give Sam a call and make sure he's good with it. 459 00:21:51,959 --> 00:21:54,083 We have five numbers. 460 00:21:54,083 --> 00:21:56,709 This could go horribly wrong where we don't get anybody or go horribly right 461 00:21:56,709 --> 00:21:58,792 and be fucking awesome. 462 00:21:58,876 --> 00:22:00,626 Either way, we will figure it out. 463 00:22:09,417 --> 00:22:12,083 Hopefully you don't see this right now so that's fine. 464 00:22:17,667 --> 00:22:20,292 Let's see what you are seeing on the screen right now. 465 00:22:20,292 --> 00:22:21,292 Just blank? 466 00:22:21,292 --> 00:22:22,292 Cool. 467 00:22:22,834 --> 00:22:25,125 I don't want to give the phone numbers out. 468 00:22:26,083 --> 00:22:28,709 Because you guys are crazy sons of bitches. 469 00:22:28,999 --> 00:22:30,334 (laughter). 470 00:22:30,751 --> 00:22:32,292 Not going to lie. 471 00:22:32,292 --> 00:22:42,250 (Music) Give us one second to set this up. 472 00:22:42,250 --> 00:22:43,250 (laughter). 473 00:22:43,250 --> 00:22:44,501 (Theme to "Jeopardy" ). 474 00:22:47,459 --> 00:23:01,709 All right, you ready? 475 00:23:01,709 --> 00:23:05,709 (applause). 476 00:23:05,918 --> 00:23:07,292 All right. 477 00:23:07,292 --> 00:23:08,626 Mirror display. 478 00:23:17,417 --> 00:23:20,083 Yes, I have live show windows up. 479 00:23:21,751 --> 00:23:23,250 All right. 
480 00:23:23,250 --> 00:23:24,334 Let's give him a call. 481 00:23:27,459 --> 00:23:29,999 Can everybody see the screen with the shells up? 482 00:23:29,999 --> 00:23:30,999 Good. 483 00:23:30,999 --> 00:23:31,999 Let's do this. 484 00:23:42,959 --> 00:23:44,167 (laughter). 485 00:23:55,292 --> 00:23:57,459 That sounded like it hurt. 486 00:23:58,751 --> 00:24:00,542 That's how you roll a teacher. 487 00:24:00,834 --> 00:24:03,999 You got to put a rock inside of it. 488 00:24:04,334 --> 00:24:05,792 (laughter). 489 00:24:06,083 --> 00:24:07,751 The Browns are recruiting. 490 00:24:07,876 --> 00:24:19,709 We still have them? 491 00:24:20,292 --> 00:24:22,626 (Phone ringing.) SAM: Hello, this is Sam. 492 00:24:22,626 --> 00:24:24,918 DAVID KENNEDY: Sam, it is David Kennedy. 493 00:24:24,918 --> 00:24:25,918 How are you? 494 00:24:25,918 --> 00:24:26,918 SAM: I'm good. 495 00:24:26,918 --> 00:24:27,918 How are you? 496 00:24:27,918 --> 00:24:28,125 DAVID KENNEDY: I wanted to verify that we're still good 497 00:24:28,125 --> 00:24:29,999 to do that thing we agreed on. 498 00:24:29,999 --> 00:24:32,459 You are talking in front of everybody at DEF CON. 499 00:24:32,999 --> 00:24:34,584 Are you cool with that? 500 00:24:34,584 --> 00:24:35,834 SAM: That's perfect. 501 00:24:35,834 --> 00:24:36,834 (applause). 502 00:24:36,834 --> 00:24:40,834 DAVID KENNEDY: All right. 503 00:24:40,834 --> 00:24:43,999 Listen, we are going to try to keep the company confidential. 504 00:24:44,834 --> 00:24:47,083 And we will not start tweeting about the company. 505 00:24:47,501 --> 00:24:51,083 If they see their name on the phone is that good with everybody? 506 00:24:51,083 --> 00:24:53,250 SAM: That's perfect. 507 00:24:53,250 --> 00:24:54,792 DAVID KENNEDY: All right. 508 00:24:54,792 --> 00:24:56,542 Just a couple questions real quick. 509 00:24:56,542 --> 00:24:58,999 Again, we are not going to use this for our attack. 
510 00:24:58,999 --> 00:25:01,999 We want to see what type of technologies you have in place. 511 00:25:01,999 --> 00:25:03,083 First of all, are you using some sort of next gen firewall that's one 512 00:25:03,083 --> 00:25:05,209 of the top providers out there? 513 00:25:05,209 --> 00:25:06,876 SAM: Yes. 514 00:25:06,999 --> 00:25:08,999 DAVID KENNEDY: All right. 515 00:25:08,999 --> 00:25:11,709 Are you using any type of whitelisting technology? 516 00:25:11,709 --> 00:25:12,792 SAM: Yes, we are. 517 00:25:12,792 --> 00:25:14,999 DAVID KENNEDY: Do you do egress filtering? 518 00:25:14,999 --> 00:25:16,250 SAM: Yes. 519 00:25:16,250 --> 00:25:18,167 DAVID KENNEDY: All right. 520 00:25:18,167 --> 00:25:20,083 And then as far as anything else, do you have any type 521 00:25:20,083 --> 00:25:24,083 of virtualization sandboxy technology at your SMTP gateways? 522 00:25:24,083 --> 00:25:25,709 SAM: Absolutely we do. 523 00:25:25,709 --> 00:25:27,167 DAVID KENNEDY: Thanks, Sam. 524 00:25:27,167 --> 00:25:29,375 I will give you a call back after this done. 525 00:25:29,375 --> 00:25:30,999 I will let you know how it goes. 526 00:25:30,999 --> 00:25:32,209 SAM: I look forward to it. 527 00:25:32,209 --> 00:25:33,209 Thank you. 528 00:25:33,209 --> 00:25:34,918 DAVID KENNEDY: Thanks, bye. 529 00:25:34,918 --> 00:25:35,999 Let's see how it goes. 530 00:25:36,542 --> 00:25:38,375 Hold on. 531 00:25:46,250 --> 00:25:54,667 I got to enter my password in here really quick here. 532 00:25:56,709 --> 00:27:03,083 (laughter) (Phone ringing.) Hi, you've reached (laughter) DAVID 533 00:27:03,083 --> 00:27:35,999 KENNEDY: We got three more to go. 534 00:27:35,999 --> 00:27:39,417 We are going to keep trying until we get it. 535 00:27:39,834 --> 00:27:44,083 NICK HITCHCOCK: Dance, chicken, dance. 536 00:27:46,417 --> 00:27:47,999 What are we paying you for? 537 00:27:59,542 --> 00:28:02,999 (Phone ringing.) Can I help you? 
538 00:28:14,542 --> 00:28:17,999 KEVIN: Yes, can I speak to James, please? 539 00:28:19,250 --> 00:28:20,667 Hello? 540 00:28:21,959 --> 00:28:22,999 Hello? 541 00:28:22,999 --> 00:28:24,792 (Busy signal.) Leave a message. 542 00:28:24,792 --> 00:28:25,792 (Phone ringing). 543 00:28:25,792 --> 00:28:35,751 This is (inaudible) can I help you? 544 00:29:01,667 --> 00:29:04,999 Yeah, James? 545 00:29:05,334 --> 00:29:07,501 (inaudible). 546 00:29:07,876 --> 00:29:09,542 Hello, James? 547 00:29:09,667 --> 00:29:11,250 Hello? 548 00:29:11,375 --> 00:29:13,083 James, can you hear me? 549 00:29:13,083 --> 00:29:14,667 Yes. 550 00:29:14,667 --> 00:29:16,292 Oh, great, great. 551 00:29:16,292 --> 00:29:18,083 This is Tom Bodett over with the HR department, 552 00:29:18,083 --> 00:29:20,375 specifically benefits. 553 00:29:20,375 --> 00:29:21,459 How's it going today? 554 00:29:26,083 --> 00:29:27,542 Hello? 555 00:29:32,626 --> 00:29:34,959 Can you hear me? 556 00:29:34,999 --> 00:29:36,501 Yes. 557 00:29:36,584 --> 00:29:37,584 I'm sorry. 558 00:29:37,584 --> 00:29:39,083 I'm having issues with my phone. 559 00:29:39,083 --> 00:29:40,083 Is this James? 560 00:29:40,083 --> 00:29:41,751 Yes. 561 00:29:41,792 --> 00:29:43,626 Oh, great, great, great. 562 00:29:43,626 --> 00:29:44,626 This is Tom Bodett. 563 00:29:44,626 --> 00:29:45,751 I'm over with HR. 564 00:29:45,999 --> 00:29:48,501 I work specifically in benefits. 565 00:29:48,999 --> 00:29:53,209 And I sent you we sent you over a form about a week ago 566 00:29:53,209 --> 00:29:56,459 on our benefits privacy form. 567 00:29:56,459 --> 00:29:57,999 Did you actually receive it? 568 00:29:57,999 --> 00:30:00,999 I don't remember seeing it. 569 00:30:01,083 --> 00:30:02,792 You don't. 570 00:30:02,792 --> 00:30:06,083 Well, unfortunately I'm calling several people. 571 00:30:06,083 --> 00:30:08,584 You're the eighth person I'm talking to today. 572 00:30:08,584 --> 00:30:10,751 We must have had an issue getting them out. 
573 00:30:10,751 --> 00:30:12,542 And we have to send you this form because legal 574 00:30:12,542 --> 00:30:16,083 is requiring that you accept a new policy. 575 00:30:16,083 --> 00:30:18,375 It's part of our legal requirement to continue receiving benefits, so it 576 00:30:18,375 --> 00:30:21,959 is kind of important and we need to get this done today. 577 00:30:21,959 --> 00:30:22,959 It's Friday. 578 00:30:22,959 --> 00:30:25,626 And do you have a moment? 579 00:30:25,626 --> 00:30:29,417 Do you have a fax machine or do you have a computer handy? 580 00:30:29,918 --> 00:30:31,667 Better yet, are you near your PC? 581 00:30:34,250 --> 00:30:36,667 I'm at my computer. 582 00:30:36,667 --> 00:30:37,834 Do you have a moment? 583 00:30:37,834 --> 00:30:38,999 Sure. 584 00:30:39,083 --> 00:30:41,000 Okay, okay, great. 585 00:30:41,000 --> 00:30:43,334 If you could if you could open up a browser 586 00:30:43,334 --> 00:30:47,042 like use Internet Explorer or Firefox? 587 00:30:50,042 --> 00:30:51,999 We have Internet Explorer. 588 00:30:51,999 --> 00:30:53,999 If you can go ahead and open it up for me. 589 00:30:53,999 --> 00:30:54,999 Okay. 590 00:30:54,999 --> 00:30:56,918 And what we're going to do I'm just going 591 00:30:56,918 --> 00:31:00,792 to have you accept the new policy over your computer so you don't have 592 00:31:00,792 --> 00:31:03,292 to go ahead and fax it to us. 593 00:31:03,292 --> 00:31:07,125 It makes it easier and quick so you don't have to fill out a form. 594 00:31:07,501 --> 00:31:09,626 Okay. 595 00:31:09,999 --> 00:31:10,999 Okay. 596 00:31:10,999 --> 00:31:12,167 Tell me when you're ready. 597 00:31:12,167 --> 00:31:13,167 I'm ready. 598 00:31:13,584 --> 00:31:15,125 Okay. 599 00:31:15,125 --> 00:31:23,375 If you can go to www.healthbenefits and this 600 00:31:23,375 --> 00:31:32,209 is all one word, no spaces portal.com. 601 00:31:32,709 --> 00:31:34,834 That's www.healthbenefitsportal.com. 
602 00:31:34,999 --> 00:31:36,918 www.healthbenefitsportal.com. 603 00:31:36,918 --> 00:31:37,918 Correct. 604 00:31:43,918 --> 00:31:46,459 When you get there, you should see a popup. 605 00:31:47,751 --> 00:31:52,459 When the site loads, you see a popup come up. 606 00:31:52,459 --> 00:31:55,999 (inaudible). 607 00:31:55,999 --> 00:31:56,999 Repeat that. 608 00:31:56,999 --> 00:32:00,542 I saw the popup. 609 00:32:00,542 --> 00:32:01,542 I just click okay? 610 00:32:01,542 --> 00:32:02,999 Click okay, that's right. 611 00:32:03,083 --> 00:32:04,125 Okay. 612 00:32:04,292 --> 00:32:07,125 Now, since you clicked okay on the popup, we went ahead 613 00:32:07,125 --> 00:32:10,792 and just automatically accepted the policy, so if you receive 614 00:32:10,792 --> 00:32:14,999 if you find that email or you find that in spam that we sent you earlier, 615 00:32:14,999 --> 00:32:19,083 just go ahead and ignore it because everything is fine. 616 00:32:19,459 --> 00:32:21,959 Oh, that's it? 617 00:32:21,959 --> 00:32:24,542 Well, unfortunately I have to call six more people that didn't fill 618 00:32:24,542 --> 00:32:26,542 out the form either. 619 00:32:26,542 --> 00:32:29,501 It is kind of my Friday work. 620 00:32:30,959 --> 00:32:32,959 All right. 621 00:32:32,959 --> 00:32:33,959 All right. 622 00:32:33,959 --> 00:32:39,375 Have a great weekend and talk to you soon. 623 00:32:39,375 --> 00:32:40,375 All right. 624 00:32:40,375 --> 00:32:41,375 Take care. 625 00:32:45,999 --> 00:33:07,501 Bye bye. 626 00:33:15,584 --> 00:33:16,709 (applause). 627 00:33:16,709 --> 00:33:17,999 DAVID KENNEDY: Oh, snap. 628 00:33:17,999 --> 00:33:28,083 (applause) Oh, my nerves are like holy shit. 629 00:33:28,083 --> 00:33:29,083 (laughter). 630 00:33:29,626 --> 00:33:31,375 Can we just stop there? 631 00:33:32,876 --> 00:33:36,083 So you might be wondering why I got multiple shells. 632 00:33:36,083 --> 00:33:42,959 The way this attack works is I love that Windows is end of XP. 
633 00:33:42,959 --> 00:33:46,417 That is the best thing that could have ever happened to us since ever. 634 00:33:46,501 --> 00:33:47,999 Because with Windows Vista and above we get 635 00:33:47,999 --> 00:33:50,584 a thing called PowerShell, right? 636 00:33:50,584 --> 00:33:51,999 (laughter). 637 00:33:52,083 --> 00:33:54,792 And PowerShell is whitelisted, right? 638 00:33:55,334 --> 00:33:57,999 So what we can do with PowerShell is Matthew Graeber came 639 00:33:57,999 --> 00:34:00,918 out with an awesome attack that allows you to basically inject 640 00:34:00,918 --> 00:34:03,375 shellcode straight into memory. 641 00:34:04,709 --> 00:34:08,709 I did a talk a couple years Baghdad with Josh Kelly and myself 642 00:34:08,709 --> 00:34:12,709 and we presented on how to basically take your malicious code, 643 00:34:12,709 --> 00:34:15,334 Unicode, Base64 encode it and you can get 644 00:34:15,334 --> 00:34:18,876 around execution restriction policies. 645 00:34:19,209 --> 00:34:21,999 That still is the same case. 646 00:34:22,334 --> 00:34:24,584 Windows 7 and Windows 8, et cetera, we have the ability 647 00:34:24,584 --> 00:34:27,083 to directly access memory without ever touching disk 648 00:34:27,083 --> 00:34:28,999 on a whitelist. 649 00:34:29,334 --> 00:34:30,334 Sounds awesome. 650 00:34:31,999 --> 00:34:36,167 I recently released a native x86 which allows if you are 651 00:34:36,167 --> 00:34:41,751 on a 64 bit platform or x86 platform, it doesn't matter, it downgrades 652 00:34:41,751 --> 00:34:45,999 to an x86 process to allow you to inject 32 bit shellcode 653 00:34:45,999 --> 00:34:49,542 into memory to actually execute. 654 00:34:49,876 --> 00:34:51,667 Basically we have full execution on all systems 655 00:34:51,667 --> 00:34:54,334 through PowerShell no matter what. 
656 00:34:54,542 --> 00:34:56,459 And as you saw here, whew, again, we were able 657 00:34:56,459 --> 00:34:59,125 to basically circumvent a lot of the different types 658 00:34:59,125 --> 00:35:01,459 of technology out there. 659 00:35:01,501 --> 00:35:05,918 This one was special custom shellcode that basically encrypts the first stage, 660 00:35:05,918 --> 00:35:08,459 puts it back and then uses shikata to do 661 00:35:08,459 --> 00:35:12,999 the second stage that's polymorphic so it worked out well. 662 00:35:12,999 --> 00:35:15,292 It is all default set right now. 663 00:35:15,876 --> 00:35:24,709 You can use this right now in SET. 664 00:35:24,709 --> 00:35:26,999 (applause) So the truth is, since hacking is a people problem, 665 00:35:26,999 --> 00:35:31,209 it's people coming up with new ways to get into organizations. 666 00:35:31,209 --> 00:35:34,709 It is people that are sitting there attacking our infrastructure. 667 00:35:34,709 --> 00:35:37,501 It is people that are continuously trying to attack us. 668 00:35:37,501 --> 00:35:40,083 It cannot be solved solely by the use of technology. 669 00:35:40,292 --> 00:35:42,125 That's not going to fix the security. 670 00:35:42,125 --> 00:35:45,792 Technology itself isn't going to fix the problems that we face, okay? 671 00:35:46,083 --> 00:35:49,999 And so NICK HITCHCOCK: And defense in depth, air quotes, 672 00:35:49,999 --> 00:35:52,709 taken way out of context. 673 00:35:52,709 --> 00:35:56,083 It doesn't mean using multiple technology layers. 674 00:35:56,083 --> 00:35:59,417 It means using multiple layers in general. 675 00:35:59,584 --> 00:36:01,792 This is why these things do not work. 676 00:36:01,792 --> 00:36:03,626 They're not implemented correctly. 677 00:36:03,999 --> 00:36:04,999 Why? 678 00:36:04,999 --> 00:36:06,501 DAVID KENNEDY: The main reason why we have the problems today 679 00:36:06,501 --> 00:36:08,375 is because we are lazy. 680 00:36:08,375 --> 00:36:09,709 Anybody agree with that? 
681 00:36:09,709 --> 00:36:10,709 Yeah. 682 00:36:10,709 --> 00:36:11,959 DAVID KENNEDY: Yeah. 683 00:36:11,959 --> 00:36:13,584 We are lazy bastards, seriously. 684 00:36:13,709 --> 00:36:16,959 We expect we don't have enough staffing. 685 00:36:16,959 --> 00:36:18,334 We don't have enough funding. 686 00:36:18,334 --> 00:36:19,584 We don't have enough. 687 00:36:19,584 --> 00:36:21,876 So we will buy a piece of technology, right? 688 00:36:21,876 --> 00:36:22,959 We will implement it. 689 00:36:22,959 --> 00:36:23,542 We don't have enough people and resources to support any 690 00:36:23,542 --> 00:36:26,999 of the other technology we have, so those go to waste. 691 00:36:26,999 --> 00:36:27,999 We focus our six months to a year roadmap cycle 692 00:36:27,999 --> 00:36:30,083 on implementing this into our company while the rest 693 00:36:30,083 --> 00:36:31,999 of it goes to crap. 694 00:36:31,999 --> 00:36:33,250 And then we implement something else and then we do something else 695 00:36:33,250 --> 00:36:34,999 and we buy more and more. 696 00:36:35,584 --> 00:36:38,292 What I will introduce to you is revolutionary, I know. 697 00:36:38,292 --> 00:36:39,459 It is a 12 step program. 698 00:36:39,501 --> 00:36:40,667 (laughter). 699 00:36:40,876 --> 00:36:41,999 I came up with this, okay? 700 00:36:41,999 --> 00:36:46,250 So this is a 12 step program of actually fixing security. 701 00:36:46,250 --> 00:36:48,250 It is not going to cost you a penny. 702 00:36:48,667 --> 00:36:51,292 Big advocate of being able to do things that don't cost you a ton 703 00:36:51,292 --> 00:36:53,751 of money that you really can fix. 704 00:36:54,083 --> 00:36:56,334 So the first thing is get your hands dirty. 705 00:36:56,334 --> 00:36:58,626 We actually have to talk to people. 706 00:36:58,999 --> 00:37:00,626 Trust me, I know. 
707 00:37:00,626 --> 00:37:02,375 We actually have to talk to people and interact with them and figure 708 00:37:02,375 --> 00:37:04,250 out our business and how they actually make money 709 00:37:04,250 --> 00:37:07,999 and how we actually have assets and how do we protect those assets. 710 00:37:07,999 --> 00:37:09,459 That's important, right? 711 00:37:09,459 --> 00:37:12,459 But that requires us to actually do some work ahead of time. 712 00:37:12,999 --> 00:37:17,292 Step 2 was Bill and Ted in the '80s or '90s? 713 00:37:18,459 --> 00:37:19,999 Thank you, sir. 714 00:37:21,542 --> 00:37:25,083 Getting back to the '90s, I remember sitting there and saying this 715 00:37:25,083 --> 00:37:28,083 is how you do egress filtering and network segmentation 716 00:37:28,083 --> 00:37:30,209 and build a firewall. 717 00:37:30,209 --> 00:37:32,375 Those are the elements we don't do today. 718 00:37:35,417 --> 00:37:38,918 Once I compromise one machine, I'm into the rest of them. 719 00:37:39,125 --> 00:37:40,999 Isolating people to only access what they need, 720 00:37:40,999 --> 00:37:44,083 data that they need, systems that they need. 721 00:37:44,459 --> 00:37:48,334 Segmenting accounting and finance, those are concepts we built in the '90s. 722 00:37:52,709 --> 00:37:55,667 NICK HITCHCOCK: And this works. 723 00:37:55,667 --> 00:37:59,876 A recent engagement, fairly small, what we just did would not work. 724 00:37:59,999 --> 00:38:02,125 They didn't have anything revolutionary. 725 00:38:02,125 --> 00:38:05,709 They are using exactly what Dave just said, proper firewall rule sets. 726 00:38:05,709 --> 00:38:06,834 Segmented networks. 727 00:38:06,834 --> 00:38:09,999 We have a customizable executable that we used a week 728 00:38:09,999 --> 00:38:12,999 before at a large organization. 729 00:38:12,999 --> 00:38:14,709 I think the phish well, it was about a thousand shells 730 00:38:14,709 --> 00:38:16,918 or something like that. 
731 00:38:16,918 --> 00:38:18,667 It was one that just kept popping up. 732 00:38:18,667 --> 00:38:21,083 It was really cool to watch. 733 00:38:21,083 --> 00:38:23,083 It is completely true in the real world. 734 00:38:23,083 --> 00:38:25,501 DAVID KENNEDY: Now, education awareness. 735 00:38:25,876 --> 00:38:26,999 Interesting concept. 736 00:38:26,999 --> 00:38:30,083 New, revolutionary, we haven't been talking about this a lot. 737 00:38:30,542 --> 00:38:33,501 Education awareness, really trying to touch our people. 738 00:38:33,501 --> 00:38:35,999 NICK HITCHCOCK: Whoa, whoa, whoa. 739 00:38:35,999 --> 00:38:37,459 DAVID KENNEDY: Never mind. 740 00:38:37,459 --> 00:38:39,250 We are not going to go there right now. 741 00:38:39,250 --> 00:38:40,250 Bruce Schneier. 742 00:38:40,250 --> 00:38:44,334 Anyways, education awareness is the concept to really focus on people. 743 00:38:44,334 --> 00:38:47,125 Making sure they understand key concepts, right? 744 00:38:47,125 --> 00:38:48,125 We all know that. 745 00:38:48,125 --> 00:38:50,292 Making security your friend. 746 00:38:50,375 --> 00:38:53,501 You know, they want people want hugs. 747 00:38:53,501 --> 00:38:55,334 There is no question about it except Andrew from Maltego, 748 00:38:55,334 --> 00:38:58,292 he only gives one every year on his birthday. 749 00:38:59,667 --> 00:39:01,667 But making friends of security. 750 00:39:01,667 --> 00:39:04,083 Making sure we are an inhibitor of the business. 751 00:39:05,999 --> 00:39:07,918 The one year challenge. 752 00:39:07,918 --> 00:39:11,999 Don't buy a damn thing for an entire year, not one thing for a year. 753 00:39:12,083 --> 00:39:13,083 Stay away from something and focus 754 00:39:13,083 --> 00:39:14,999 on what you already have and start focusing 755 00:39:14,999 --> 00:39:17,501 on that defensive strategy around security because at the end 756 00:39:17,501 --> 00:39:21,584 of the day, that's what's going to make it or break it for your company. 
757 00:39:22,292 --> 00:39:25,999 This is my thing in security right here. 758 00:39:26,292 --> 00:39:27,999 If it introduces complexity, it doesn't need to be 759 00:39:27,999 --> 00:39:29,999 in your environment. 760 00:39:30,125 --> 00:39:32,125 If it's simple for you to understand, then you should put it 761 00:39:32,125 --> 00:39:33,999 in your environment. 762 00:39:34,751 --> 00:39:37,626 Something that will take you four years to implement, 763 00:39:37,626 --> 00:39:39,292 dude, really? 764 00:39:39,834 --> 00:39:40,834 Seriously? 765 00:39:40,834 --> 00:39:42,334 That's where we're at right now? 766 00:39:42,876 --> 00:39:44,334 You need to focus on the basics. 767 00:39:44,334 --> 00:39:45,999 Getting back to the easy things. 768 00:39:45,999 --> 00:39:47,918 That's ultimately what will stop us. 769 00:39:47,999 --> 00:39:50,083 Penetration testing, I'm biased. 770 00:39:51,999 --> 00:39:54,999 Understanding where your risks are and simulating that and getting people 771 00:39:54,999 --> 00:39:57,999 that can actually help you out on that side. 772 00:39:57,999 --> 00:39:58,999 Step 9? 773 00:39:58,999 --> 00:39:59,999 Was it step 9? 774 00:39:59,999 --> 00:40:00,999 8? 775 00:40:00,999 --> 00:40:02,125 Take a one week hiatus. 776 00:40:02,334 --> 00:40:04,083 Go get your chi, grab a beer, sit for a week and actually think 777 00:40:04,083 --> 00:40:07,459 about what you are going to do and how you are going to do it. 778 00:40:07,459 --> 00:40:10,167 We come in where we are firefighting every single day. 779 00:40:10,876 --> 00:40:15,334 We firefight, firefight, sit back, crack open a beer. 780 00:40:15,334 --> 00:40:18,834 I know this is an AA meeting, crack open a beer and you will be fine. 781 00:40:20,334 --> 00:40:24,584 Chris Nickerson had a book called "Rework." 782 00:40:24,999 --> 00:40:28,083 It is one of the most fantastic books. 783 00:40:28,083 --> 00:40:30,751 When you apply it to security, it actually works. 
784 00:40:33,709 --> 00:40:36,959 Step 10, removing complexity from your environment and going back 785 00:40:36,959 --> 00:40:38,584 to the basics. 786 00:40:38,999 --> 00:40:41,999 Step 11, actually just do it. 787 00:40:42,125 --> 00:40:44,626 Don't pontificate and talk about doing it. 788 00:40:44,709 --> 00:40:45,999 Actually go and do it. 789 00:40:45,999 --> 00:40:46,999 Change it. 790 00:40:47,209 --> 00:40:49,000 And, lastly, just rinse and repeat. 791 00:40:49,709 --> 00:40:51,999 Do the same thing over and over again. 792 00:40:51,999 --> 00:40:52,999 You will be fine. 793 00:40:53,000 --> 00:40:54,999 Thanks everybody for the talk. 794 00:40:54,999 --> 00:40:55,999 I appreciate it. 795 00:40:55,999 --> 00:40:57,999 NICK HITCHCOCK: Thank you very much.