presentation is called "Guests N' Goblins: Exposing Wi-Fi Exfiltration and Mitigation Techniques." With me are Pete and Naveed. We work for a company called TELUS. We are a telecommunications company and we are based out of Canada. Again, my name is Josh and I have been working on my book and I enjoy watching movies that nobody should watch in their right mind whatsoever. On to Pete.
>> I'm Pete. I live in a cave. I don't get out that much. I don't know how to talk, that's why I have these two guys with me. Thanks, guys. By day, I'm a security analyst and by night, I like to break things, and my hobby is breaking more things. I always end up with more screws. Damned screws. And here is Naveed.
>> My name is Naveed and I work with the security department. My job is to work on the outside of the network. I keep an eye on the customer perimeter and I collect intelligence and analyze what is happening on the inside. Keeping an eye on all of the IPs that are coming in is part of my job. A little bit of background. A lot of people know about Tor and Hula. They are gaining popularity. They hide your IP address. The question is, what is a fingerprint? If you are not on a network, your fingerprint is going to be the Tor network, and adding complexity, we are going to talk about Wi-Fi. Anyone here heard of proxy M? Anyone heard of them? We all know that security is a big concern, and if you are an enterprise deploying a Wi-Fi network and you try to isolate it and employ the latest encryption, however, is it really secure? And helping you in the future. One of the features of deploying all of the Wi-Fi networks is convenience, and for the public space. I'm going to switch to Josh.
>> So, just a quick question for everybody. How many people here use Wi-Fi? Hands up. All right. How many people trust Wi-Fi? But we all use it. It is a little weird when you think about it.
Anyway, as our presentation is titled, one of the problems is people getting into your Wi-Fi and doing that stuff. TELUS has open Wi-Fi for people to get on, and also secure Wi-Fi. Maybe you can wiggle around. With exfiltration, not a lot of people are monitoring outside traffic. People are monitoring people coming in, and not a lot of people are monitoring outside going in. Let's create a quick scenario. TELUS has Wi-Fi and a major competitor up in Canada is Rogers. What happens if someone jumped on our network and launched a form of attack from our network to Rogers? The smear campaign would read that Rogers was implicated in a massive attack against TELUS, and even though they have not done a major attack, it is in the news and people are going to lose faith in TELUS. We were quite concerned about that.
>> Branding, in general, is something that a lot of companies and corporations spend millions and millions of dollars on. Besides the whole TELUS thing, it could be anybody. It takes one small incident, having it out there, and you are done.
>> And on to Naveed.
>> A person supplies an email address and you have to basically trust them. You have to send a verification code to the email, and how can you check it if your customer can't access the email address? So, we provide an email address that we trust and let the guest join the network, and there we go. That's a big problem. And SSL is a problem. You cannot provide monitoring of what is going out from your guest network. On top of it, the MAC addresses: if you have allowed someone, you can have someone spoofing your MAC address, taking the identity. Introduction to our concept.
>> Our concept: we have developed a system that has two servers and dedicated IPs, and they scan for Wi-Fi and if there is anything that a guest needs a page to log on to. For the sake of this, it is straight open.
It tags the location and learns about the network, collects the public fingerprints and syncs with the central server. There is a list of stuff that we have spent many weekends banging our heads against the wall on. And Josh has gone through the tools. The analytics and the Android phones. The toolkit or suite is broken up into two pieces. Garble is data connectivity and data connection, and the repo is the results of all of the collecting.
>> So, back to me. This is my part. What is it in a nutshell? It is basically a Wi-Fi scanner with spilled radon built into it. It gathers core information and the encryption it uses, and anything that it can't find, it will store. First, scan for the access points and then the values, like your ESSID etc. And flexible values, so your location and signal strength. I'm going to come back to that later, just to explain why that is the way it is. And three, we enhance the location data and compare it to the existing data, and through the process, we select it. Let's go to the flexible data information. When you first connect to an access point, it is going to tell you how strong that signal is. We are going to take it one step further, and while you are walking, it is going to take samples, and as it is going along and as the signal increases, it is going to find the access point and where it actually exists, and then it is going to dip into that location. There are (Indiscernible) with this technique that I will cover at the end of the presentation. It actually is working pretty darn good by just using bits. How do we select the candidate? First, do we have any results whatsoever? If the answer is yeah, we go to the access point. If the answer is yes, we pass it off to Pete's scripts, and if it is weakened, maybe we can pass it to Pete's scripts and stuff can happen.
We may store the information for later usage, and you may have the strong access points and you are only going to be able to connect to one because, let's face it, Android phones don't have networks bouncing off of the side of it. Usually, just one. Here's a screen of the app itself. This is something that we picked up last night. If you would like a live demo of this later on, come and find me. I'm going to be hanging around, and if it is on my phone, it is in limited capacity to make sure that it is not doing anything iffy. And now, to Garble.
>> And once that's done, it is passed on to me or my module and I look for open networks. I connect to that same network and find out your public gateway from the inside, and I make an inbound connection to determine which ports are open based on a range or port specified or configured. What I mean is ports allowed outside. Whatever is allowed outbound from policies, gateway, firewalls, etc. I store them in a database for the parsing and the plotting. And then, hand it off to Naveed. And then, it works with Python sockets and left crying. [ LAUGHTER ] This one here, I will get back to you, again, a little part of it. Basically, this is one section of some of the sets that we have collected, and just to go over quickly. We have collected the MAC addresses of the APs and the names of them. The SSIDs and the off mode, and in this particular app, there is WPA, ISM, and it also gets the latitude and longitude, and it is taken from the phone or the device itself. And then, the public gateway. Naveed is going to talk, but those are the longitudes and the latitudes of the gateway, which later, you will see why it is important.
>> My part is the utilization of the data. This is the basic idea of the device collection. There is a second part to it, which is the reversal scan engine. In addition to this (Indiscernible) latitude and longitude applying, and the server or the public side of the connection.
We have a server that responds to all of the ports that you ask for. The server scans and gets the scans of the open ports that are available. This is running a (Indiscernible), which responds to a range, which is configured into it. The basic plan was to have IP (Indiscernible), and let's give it a try with new technologies. It does let you have real-time on the front end. Longer (Indiscernible) is or noted, and feel free to try it out. This is basically what you plot. Once you have the IP and it is on the Internet and the location. If you are connected here to the monitoring people who are monitoring your traffic, you are going to appear here. This scan is for the reversal, and I will tell you that if you are using this open Wi-Fi connection, you are allowed to go out on 1,000 to 1500 to 72, as an example. This is a fixed range. It goes to any port that you want. Now, to a demo. Right? How much time do we have? [ Laughs ] Okay, the tool is a Meteor instance of a real-time web. I'm going to start it here. Is the screen big enough?
>> No.
>> Yep. Hold on a second. [ LAUGHTER ]
>> This is what happens when you use a Mac, I guess. [ LAUGHTER ] [ Yay ] [ APPLAUSE ]
>> Once we have Meteor running and the website up, and then (Indiscernible) okay. So, what Pete gives us: it collects that data from Josh and attaches the coordinates, and once the data is compiled in the file, it creates the file. You can upload it to the system. The system is going to keep an eye on the folder. Once the system is detected, it is going to compile it. There is also another way, and that's manual, and I'm going to show you right now. This is what we scanned before coming here. The file has been uploaded. You can see it is reading the port information from this scan. Once it is done, I'm going to refresh the page. It is the same from the previous slide and this guest network, and you are appearing here, basically, in the GTA from Richmond Hill.
A better example, however: Josh was taking a ride on B Rail, and I'm going to open this camera, and once it's processed. Yep. I'm going to refresh the page here. And you can see, real-time, in Union Station, Toronto.
>> Basically, I was on a trip and I decided to poke around and see where we are actually exiting. While I was waiting for the train to move, my exit point for the free Wi-Fi on the train was saying I was in Ottawa, and we also get Amtrak. Where does that exit? Does it exit in the States? I have not tried it as much as I should, I guess. But thinking about multinational companies, where do their access points actually exit? Do they set it up local? In some cases, yes. Do they set it up remotely and tunnel across the network? Quite possibly. If you want to have an entry point from one country to another, this is why we are concerned about this thing, to keep an eye on this.
>> Just to add, once it is imported, we refresh it.
>> This is what happens when you have to make data manually at the last minute.
>> Thanks, Pete. Exit points in different points in the world. That's part of the server side. For the client side, the one that detects the port on the traffic, I'm going to show you here. This is the Python script that talks to the server. If you run it, the server responding on the other side is telling us that this port is allowed, and we are making a list and the mapping based on the script here. The interesting side of the story: you don't need Python or any other server-side script. The whole scan can be done on the client side using WebSockets. I think that I have written code here that I can show you. I have an older instance that is running locally. It is not listening to all of the ports on this machine, but you will get the idea. If I run the command in the browser, local IP and the port range, it is going to tell me all of the port sockets that are blocked and the ones that are allowed. So, let me turn this on.
I'm going to turn it on, on one port only, and read my scan. You can see that the client detected 1337 as an open port. You can map this (Indiscernible). Okay. Off to Josh.
>> All right. So, like you can see, we are quite concerned about this. Full disclosure. This was not actually the first convention that we submitted this presentation to. This is the second one. The first one was SecTor, which is more for the people that we end up working with nine times out of ten. We presented this to them: you should watch the traffic that is leaving your network, and you could be implicated and bad things are happening and people are using it for weird things, and please let us tell our story, and we got a meh, which was disheartening really. It happens more often than not. If it is not shiny and flashy, people just are not interested. These are the things that we would like to present as an option to hold back this. Prior to the review of our traffic and firewall policies, both ways. A lot of people do it one way on a somewhat frequent basis. Egress is done when they install a device, and that's about it. For your applications, and with my work with SIEMs, I see a lot of logs, and the power is plugged in and it is doing something and that's it. That's really bad. We need to make sure that you are tuned in to looking at the right information and it is actually collecting accurate information. The third point: segment your infrastructure and isolate your access points entirely, and with the presentation, when we got the resounding meh from people, was listen to your minute I don't knows. We said we are concerned about this. People can get hurt. Please do something about it. Well, we hear, it is not in the budget. How severe is it? Well, it is bad. And secondly, know your clients and who is connected to your wireless network, and make sure that everything is properly segmented. If you don't know who is connected to you, how are you going to stop them from doing things they shouldn't be doing?
>> I blame POCs from vendors a lot of the time. It is exactly what Josh said. Vendors and great products and whatnot, and they go in to catch the corporation and they drop in said IPS and said firewall, and oh, it has caught everything. We are going to leave it the way it is. We are secure. You need to understand that port-wise and policies, there is more to a few things; for example, some protocols have suites and there are five plus ports that you can use. To talk about our points: okay, we are blocked from the other side coming in. But port 5900: I have a guest network and I can segment my stuff, and after doing my bad deeds, I can shovel that port outside or put it somewhere else and capture what I need. To drive the point home, where is your presentation? It is here. When I was talking about the ESSIDs, now think about what we just talked about and apply it to corporations. If it is a bank, a hospital, a gas company. These are common targets these days and what most of us are responsible for defending, and a lot of times when we print out those reports and you know what, MTP, you have outbound? No. DNS, if you have to go out, do you have at least a trusted or isolated policy? No. Look at how many DNS attacks there are. No one is taking into consideration that there are a lot of bad things happening, and it is big and damages things really, really big. It can take only one-half.
>> To give you a light at the end of the tunnel. We have roadmaps of the software that we have written, and that will help other people. First off, I want to do better triangulation algorithms and detecting where you are. It is based on a static value that some guy that was working on Android shoveled in, and all strengths are based off of that value. Like a real-time Wi-Fi map, and if you have two people walking around with this stuff, it can complement each other's stuff.
I'd like to absorb a lot of the scripts that Pete was showing from the Python straight into Java and the Android app itself. It turns out that a lot of the stuff that he is doing, you can do if you are a little creative with the default libraries that Android provides. Also, I would like to do easier integration points for any other tool to just use this information somehow.
>> For the other module and map scanning, it is done, and beautifully. We couldn't do it this time. I would like to make this section more modular, and instead of using the -- what do you call it? The cellular section, you can take pieces of it and put it in your network for mission-critical servers that need to talk to each other only, and it is amazing what goes through there without anyone else knowing. Maybe shoot an email and automate it and run it and send an email to your CFO's managers or whatnot, and keep track of any outstanding issues and your plans to fix things. The last one. The deployment, and trying to make Garble a little bit evil and kind of drive points home, and another step about to make it a little bit more aggressive. There is a framework that is done. It is in its infancy stages, and hopefully we come back with a more finished product.
>> For my part, I have a plan to integrate all of the new features that Naveed and Josh are going to have. A centralized system, and if you are trying to analyze a source output for your day-to-day analytics and know that this public fingerprint could mean that the sources could be anywhere, we should be able to identify them. That feature would be nice. A browser-based scanner would be a cool addition. I showed you it works flawlessly. Go to the website, and anyone that is trying to analyze your network from a security perspective. Lastly, I need to do securitization checks. When you parse the CSP files, it is subject to attacks. That work still has to be done.
The code that we are working on is going to be available on GitHub and anyone can have a copy of it. That's it. Open for questions.
>> (Indiscernible).
>> We talked to our lawyer.
>> Yeah, we have a legal team at TELUS. [ LAUGHTER ]
>> The scanning is not allowed. Legally, it shouldn't be done. This is a full implantation tester. You need to have the authorization from the network that you are trying to scan. But I think that hackers don't practice legal or laws, right? We have to be aware of them, right.
>> (Indiscernible).
>> Yeah.
>> We are hopefully looking to change the name of the product to something better. Thanks, guys, for your time, and we appreciate it. If you have any questions, let us know. [ APPLAUSE ]