>> Morning, Alex Chapman, this is Paul Stone and this is our talk: Toxic Proxies [cough] - Bypassing HTTPS and VPNs to Pwn Your Online Identity. [cough] So first off, thank you for coming here on a Sunday afternoon. Uh, really good to see so many people turning out for this, so... uh, [thump] thank you very much and we'll get started. [mic contact] So, okay, first we're gonna start with a demo, in the video streaming this works. [cough] So, this is what we're, uh, this is an example of this thing we're gonna be talking to, about today. And this is actually being, about being able to extract information from HTTPS streams on a local network, uhm, you'll see some of the information there so, instead of just a boring slide it's really just a quick demo of the sort of thing that we're gonna be showing you. [background noise] So as I said my name's Alex and my colleague Paul Stone. We both work for Context Information Security in the UK, uh, I'm on... Ooops! On Twitter and [vibration noise] PPJ Stone standing next to me. Uhm, I'll explain that demo in a little bit more detail as we go through. [thumping] >> So, this is our talk, the exciting introduction which you just saw, I hope everyone else found it as exciting as I did. [laughter] Uhm, we're gonna start with some history.
This is the 101 track, [cough] we're gonna talk a little bit about the problems faced, what's been going on, uh, how we got to where we are today. [laughter] And, how are, the attack that we're gonna describe kinda fits into all of that. We're going to explain the attack, we're gonna show how you can, uh, sniff data from HTTPS streams, we're gonna steal that data, we're gonna actually do something with it and then we're gonna show [cough] how it can ultimately be used to kind of steal your, your online accounts. Uh, we're then gonna talk a little bit about VPNs and how we're against this or not against this. Uh, and then put in place some real mitigations about what we should be doing on, uh, on these systems [background noise] to, to help make them more secure. And then we'll talk, uh, a little bit about the, the fixes that have been put in place by various vendors around these issues. [pause] So... [sigh] Where are we starting? This is a, uhm, this is a kind of attack that we're looking at from a rogue access point perspective. So rogue access points [cough] have reasonably, uh, privileged access to a network anyway. You, you control the DNS, DHCP and all the rest of it so you can, you already in a system where you can kinda monitor and insert data. Uh, it's... so, good? Uh, so, back in 1993, no, no encryption, right?
So, we're, we're here on a Mosaic browser, browsing away, everyone can see everything that's going on. And then somebody came and thought "Well, what if I want to do something sensitive over this?" [cough] So... [typing] we headed off to encryption. We're talking SSL here, so Netscape, uhm, to shift with SSL in 1995, [background noise] so again, a good 20 years ago. Uhm, users were somewhat safe from passive sniffing attacks, we obviously know nowadays that the SSL back then was awful [laughter] and terribly terribly broken, but, at the time it was what we needed it to be. [coughing] But, SSL wasn't perfect so a lot of websites can't seem to, over both HTTPS and, uh, sorry and HTTP and HTTPS and, uhm, people connect of HTTP first - cause who, who writes in the "S" when putting their URLs? Who even puts in the screener? [laughter] Uh, and evil, uh, men and invented such to prevent users from reaching HTS, HTTPS sites and having to fall back to the unencrypted sites. [thump] [cough] So, it wasn't great and Moxie Marlinspike, uh, demonstrated this in 2009 [microphone noise] with SSLstrip, great, for, for the time... For man meddling, uhm, these connections damn better than the multiple HTTP and these was the sort of padlock in the corner of the screen wasn't there. [laughing] Uh, and again a lot of users wouldn't be checking that anyway. [thump] Uhm, script sample of...
that's SSLstrip for those, uh, who haven't seen it before - browse to an HTTP site, uh, what it's supposed to do is redirect to the HTTPS through to the redirect, uhm, that's SSLstrip in the middle of that. We'll actually stop the redirect from happening. [thump] So, if SSLstrip broke HT, uh, HTTPS connections by simply ignoring them and straighten them out with the string. Uh, and browser vendors obviously had to do something about this to make those connections, and, uh, uh to match various websites with more secure. So this is where we introduced, uh, introduced HTTP Strict Transport Security. Uhm and this is somewhere around 2010, so again, a good 6 years ago. That, that picks up by a lot of major websites, uh, big news article came out; Google dot com going full, going HTTPS, uhm, so it's taking a while but it, but it is getting there. Uhm, and, HTTPS essentially prevents browsers from requesting the plain text HTTP resource in the first place. So, we don't have the option of doing the SSLstrip. That's [thump]... kind of where we are in the present day. HTTPS is doing a pretty good job. So nearly all traffic to sites we use on a daily basis, uhm, is encrypted with HT, HTTPS and HSTS protected so theoretically we're now, we're in a coffee shop, in the pub, on our laptops we should be fine. Right?
[laughter] We need a new style of attacks and this is something we came across about 6 months ago now and show the attack too... show you how it can be used and, uh, the work that we've been able to do with it. So hand over to Paul to, uh, share some information. >> Okay! Uh, hello. So, uhm, Alex has given you a bit of history, uhm, and I'm gonna give you a little, a little bit more history. So bear with us until we get to the fun, new stuff. Uhm, so just to introduce PAC files [coughing] for people who haven't heard about them before. Uhm, so, a, uh, PAC files exist because, uh, large companies have very complex internal networks; lots of different proxies, and they need some way to be able to figure out which proxy to connect to depending on the site you, you want to visit. Uhm, so a PAC file is simply a small bit of JavaScript, uhm, that the browser asks the JavaScript "Look, I wanna visit this URL" and the JavaScript figures out which proxy to visit, uh, which proxy to use and then returns a proxy as a string. [sniff] [background noise] Uhm, and this was invented in 1996, uh, by, by Netscape so it's, it's their fault. [laughter] Uhm, so, the, the, the other piece of the puzzle, uh, that kinda complements PAC is WPAD, so WPAD is, uhm, essentially, uhm, if your browser doesn't have a PAC file, uh, then WPAD tells it which PAC file to use or where to go and get the PAC file.
Uh, so, uh, so, yea, WPAD was, uh, invented in 1999 and Microsoft's name is on this, uhm, uh, IET, IETF draft so it's kinda their fault... [laughter] Uhm, so there's a few ways to do WPAD, you've had, you can do it via HTTP, uhm, you can kind of, uh, uh, the gateway can push it to the or the browser, uh, [cough] after it fetches an IP. Uhm, and there are various other things as well so, uh, DNS, uhm, lookups with, uh, will lose the, uh, uh, DNS suffix and look the like WPAD dot internal dot company or whatever. Uh, and there's also, uhm, NetBIOS, LLMNR and all of that as well. So there are lots of ways that WPAD can work. [cough] So the WPAD attacks are very well known, uhm, they're, uh, a whole bunch of tools that will make it very simple to inject, [cough] uh, or spoof WPAD responses, [cough] uhm, and if you can do that you can then target, uh, one machine or a whole bunch of machines and hijack all that traffic and route, route their traffic, uh, their web traffic through their malicious proxy. So that means that all plaintext, uh, non-HTTPS traffic can be modified or viewed by the attacker. Uhm, so, this is a bit, a bit, we quite enjoy reading the WPADs it can be set minimally, it can be set at the WPAD protocol does not create any new executing weaknesses - kind of famous last words there. [sniff] Uhm, did you want to...? >> Oh, yea, yes.
[background noise] >> So, yea, just really quick, uhm, overview of how this thing get, uh, pushed out, so, a laptop or network ask router for, uh, DHCP options through to the, can correspond to the option 252, uhm, which is the URL to, uh, a PAC file which the system then go download and use as its PAC file chooses the proxies to get to the internet. Alternatively the, uh, if, if it doesn't receive, a, a PAC file through that it'll do a DNS lookup for WPAD dot search domain - so the search domain that was, uhm, either preconfigured or was pushed out of the DHCP. If the router, uh, responds to that it can then respond with the IP of the mal, [cough] of the host which can serve, uhm, a PAC file and in this case will also be serving malicious PAC files. Uhm, the last method is from uh a network with a malicious activist on the network not actually on the router. So if the system still hasn't got a, uhm, a PAC file it'll send out a Link Local Multicast Name Resolution request for WPAD. So if you ever washed up [cough] on a Windows network you'll see loads of requests for things like WPAD, uhm, just being broadcast to other systems on network. If any other system on that network responds that system, sorry, the the user's system will use that response, uhm, uh, to go and grab the, uh, PAC file from from the IP address given there. I think that got to...
[mumbling] So, uhm, Windows has had WPAD turned on by default, uhm, and this is even in Home edition so this is a very, kind of, corporate thing. There's no reason to have this on your home network but it's still in Windows 10 enabled by default. [coughing] Uhm, local network attackers can, can exploit this and there are tools that Paul shared a link to earlier. But, fortunately again, with these HTTP, HTTPS and HSTS traffic there's theoretically at this point nothing the attacker could be able to do our connections to, uh, kind of [cough] get our data. And that's what we're gonna, gonna show you next. So, throughout this research, uhm, [cough] we also follow the trend of naming our vulnerabilities and we, we've got a few, kind of projected titles and this was one of my favourites: "breaking WPAD". Uhm, Paul actually did the, uhm, did the posters and I think probably spent more time on that than his actual talk... [laughter] But, uhm... [laughter] Hang back... [background noise] >> Okay, uh, a little bit of theory before we get to the really fun stuff. Uhm, so what does a PAC attack look like? So a typical PAC script might look like this... So the idea is that there's three different proxies and depending on, uhm, uh, what your, the host name ends in or routes, uh, the browser to one of the proxies.
So every PAC script has to define this function, this exact name called "FindProxyForURL" and it takes two parameters, uh, the full URL and the host name. So most, uh, most PAC scripts will look at a host and make a decision based on, on a suffix and say use this, use this proxy or this proxy. Very simple. [pause] So, like I said, there's this one function called "FindProxyForURL" and, and according to the spec it takes full URL and the host name as parameters and returns the string. And in this case it returns "DIRECT" which means don't use any proxy. [cough] Uhm, so... [pause] It's the full URL that gets passed into this, uh, PAC script which is potentially a malicious PAC script. Can anyone see the problem yet? So the full HTTPS URL is now known by this attack- uh attacker's piece of code and it's potentially malic- malicious. Uh, so what can we do with that and why is that kind of bad? So JavaScript in the PAC file isn't like JavaScript in the website, you don't have the full range of functions to uh put stuff on the screen and talk to the DOM and all that kind of stuff.
These are the functions uh this is essentially the API uh that PAC scripts have access to and the two that really stand out to us is dnsResolve and isResolvable so dnsResolve as you might expect takes the host name and returns an IP address and isResolvable takes a host name and returns true or false so these are interesting because they let the PAC scripts talk to the outside world so we have sensitive data going in and we now have a way to communicate with the outside world. So putting it all together here is our very simple malicious PAC script uh and what it does is it takes the uh takes the URL checks if it's uh HTTPS and therefore potentially sensitive um it then uh uh appends dot leak onto the end so in this case dot leak is uh a domain that's controlled by the attacker and then it replaces all the special characters with this uh dot. Uh so uh for example we have a sensitive URL there with a with a nice authtoken in and this the script will uh convert it into the string and then um uh do a DNS look up and the attacker receives this uh sensitive token but to the um back to their DNS server so that's the attack. Uh and of course um if you can't fit it in a tweet then it's not a real vulnerability and it fits uh very nicely into a tweet there.
Uh so going back to the uh variable attack the malicious gateway so um as we said before uh malicious gateway can uh can intercept any plain text HTTP traffic easy but if we're talking HTTPS then uh this hacker can't intercept that HTTPS traffic. But if we now are leaking every single HTTPS URL uh so the uh malicious gateway uh tells your laptop to use a malicious PAC script and now it's leaking at all the HTTPS URLs um and then the HTTPS traffic is going to the server so you can sniff HTTPS URLs and modify the plain sec- plain text HTTPS traffic. So just to kind of uh sum this up in a nutshell. Um PAC files allow attacker controlled JavaScript to see every single HTTPS URL before it gets requested by the browser the PAC file can then leak that data to an attacker by DNS so the whole point of HTTPS is to protect uh sensitive data on untrusted networks but with a WPAD and PAC uh an attacker essentially can do an end-run around HTTPS. Uh this is the second title we have but this is my favorite one APACalypse now uh I'm quite pleased with that one. Okay so demo time.
>> Right you might have to bear with us on this we uh we didn't realize we wouldn't have any ethernet connection up here so we're actually trying to do these demos live through uh the wifi on my phone, we'll see if it works >> If it works there will be a miracle okay so the set up we have is on the right we have a a VM which is the the victim and on the left we have our, uh, attacker with a, a fancy, uh, control panel. So I'm gonna open up Chrome. So at this point the malicious gateway has already sent the message PAC file and you can see at the bottom here we're already getting tons of URLs being leaked, uh, by, by Chrome. So, uh, I am now going to search for something. So, uh, everything you do on Google goes to direct GPS as you can see, as I was, as I was type, as I was searching, as I was typing it's being leaked to the attacker and appearing on their side. Uhm, and now I can browse to Wikipedia which is HTTPS, uhm, I can just browse around Wikipedia. [coughing] And, uh, the, tire's load, you get so much, so much traffic here at the bottom with all the URLs being leaked, uh, and at the top they're kind of pulling out the interesting stuff. Not the pages that you are actually visiting. [coughing] That's that... I can search for something else. [typing noise] So again, DefCon site is HTTPS, uhm, yea. So... there we go, yea.
So that's what we can do, literally just be leaking, a, leaking everything. [applause] And... Thank you! [applause] Uhm, so, yeah, most websites these days are HTTPS and, uh, we can see that stuff now with this attack which is quite nice. Right, I'mmm now gonna hand over toooo, uh, no! Not yet. >> You can keep going. [chuckle] >> Okay, so, passively, uh, seeing this data as the user browses is quite nice, but, we're impatient. As an attacker they may be connected to our malicious hotspot only for a short amount of time. So, the challenge we set ourselves was to actively steal as much data as possible. Using only URLs. Now remember, this attack doesn't let us completely vacate the GPS, we can't see everything, uhm, [coughing] we can only see the URLs including the path and query string. We don't get any, uh, post data, we don't get any cookies, any headers, we don't get the responses, uh, uh, response bodies. Uhm, so we have this, uh, kind of superpower but it's a really limited super power. Uhm, but, yea... limitation is good, let's just be creative. Uh, and, one of the key things is that because there is not a 100 percent HTTPS yet, uh, the malicious gateway can still inject stuff into, into the HTTP pages. So we can, we can get the user to visit our malicious web page and then start messing with our browser.
Uh, for example, captive portal pages which I'm sure everyone has encountered, uhm, since they've been in Vegas. [audience noise] Okay, so, we came up with a few basic techniques, uhm, that let us do pretty much everything that you've seen in the demo so far and in the demos that we're gonna show you. So one of the simplest ones that works really really well is taking advantage of redirects. So, uhm, the idea is that we make the user's browser visit a known URL, uhm, that's not sensitive and that URL redirects to a sensitive URL with sensitive information that we can then steal. So, for example, if you are logged into Google and you go to this URL, uh, so plus dot Google dot com slash me slash posts. If you're logged in it redirects to a u, a, a URL with your user ID in it. So, now we know who you are on Google, uh, the same goes for Reddit - we can get your Reddit username if you're logged in there. And, uh, very simple way to do this, uhm, is literally just to, uh, put let's say, an image tag, uh, on a page, and uh, won't be visible and it's not even an image but the browser doesn't care or go and request that URL and then we can leak that via, uh, via DNS. So, for example, uhm, that would be sent to the attacker would get the username for Facebook. [deep breath] So that's the first technique.
The second technique, uh, we're gonna use, uhm, which you'll see in a demo, uh, soon, is dealing with kind of, one time auth tokens, so perhaps we, you know, do this, uh, redirect, [background noise] uh, so the user's browser redirects to a URL we can leak the token but the problem is the attacker wants to use that token [coughing] and if the user's browser gets that first then that token's no good to us anymore, if it's a one time token. So the attacker wants to use it, they want to stop the us, the victim browser from requesting it. So the PAC scripts, [cough] uhm, as well as just leaking the data we can say actually if the URL matches this, uh, uh, exact pattern, uhm, then return a proxy that doesn't exist, the user's browser won't be able to, uhm, resolve the proxy, that URL won't get fetched but we can still leak it to the attacker to use that data. [pause] Now the third trick we came up with, uhm, which was, was which quite fun, is um essentially what we want to do is get, uh, load a page that the user is logged into and that page will have loads of, uh, stuff on it we want to get. And it will be loading lots of URLs that we want to, we want to leak. But we don't want the user to know that this is happening, uhm, so...
Uh, in the past things like iframes should be really good for this, we could quote a, a tiny invisible iframe, load the URL in there and we'd get all this, this stuff loaded. Uhm, but iframes tend not to work these days because most sites use the X-Frame-Options which says "Don't allow this site to be framed" so we came across, uh, something called "pre-render". So pre-render is something that Chrome, uh, uhm, invented first, uh, and is now in Edge as well. Uhm and essentially what it does, uh, assist HTML type here and what it says is "Uh, completely load this page in a kinda hidden, in a hidden window, uhm, offscreen. Uhm, load it so it's ready so when the user actually clicks that link it'll all be pre-rendered and ready to go and it'll appear really quickly." So, uhm, like Google uses this, uses this, so the first often the first hit on a Google search results will be pre-rendered so when you click it it looks like it just magically appears really quickly. Uhm, so what this, what this lets us do is, uh, load a known URL, uhm, that fetches other sensitive stuff. So for example, if I load, uhm, your Facebook photo album or your Google Photos page, uhm, it'll go and request, uhm, all the thumbnails of all your photos, uhm...
Now these, uh, these URLs, uhm, are always on CDNs so they're over HTTPS but they're not authenticated at all so they have these long, random-looking URLs which are impossible to guess. Uhm, but if we take that URL and, uhm, load it in another browser, uhm, you don't even need cookies, you don't need to be logged in... you can see, you can, you can get that data. Uhm, so pre-render's good for that and you will see, uh, some demos of that in a sec. Right, over to you... >> Good, so let's see if we can, uh, we can, uh, see this in practice. So, find RDM again, so in this case we have the, uhm, same as before - the user's there but, we've, uh, we've managed to force them to a, a webpage we control and are able to inject content into. We've chosen a [coughing] particularly complicated, secure, uh, captive portal so we'll be on there for a little while. On the attacker's side we can, uhm, we can start the attack so hopefully if I click this button here we'll start to see, uh, information coming back from that user's browser session so we've already been able to grab their, uhm, Google ID, Facebook ID and name from Google. >> Hope it's working... >> This is where we cross our fingers and hope the next bit works. [coughing] >> Yup. Yea... come on. You can do it! >> Fine! So it looks like, uhm, pulling the Google images hasn't worked this time. >> Show the video...
>> Uhm, I might rerun it. [chuckle] But we can also, you can also get their Twitter ID, uh, LinkedIn ID and their, uh, employment from LinkedIn, GitHub ID. This, I mean this, I mean this is just a really small subset of, of services we were querying here. Uhm, but, there's a lot lot more we can do with that. I'll just try rerunning it - see if we, see if we can get anything else or not. But essentially that allows any [cough] captive portal to completely denom, deanonymize the user. Here we go! The images as well... Deanonymize the user that's connected, connected to their gateway and get all sorts of what we would call, I guess, public but sensitive information about that user. Uh, and you can see we can also get onto these images. Uh... [background noise] [pause] Oops, we can achieve a full-sized image just cause, cause it's served on a, from a CDN, they're all there. And we can, we just grab those files, and, and, kind of get all that offline data from them. So... number two! [applause] We, we've done well so far! [applause] So, just, just to summarise that... so, uhm, if you force the user to, uh, request a webpage or URL we can get identifying information from it, we can then use that, uh, those IDs and usernames to kind of get further information. So, further public information but information that we wouldn't otherwise [thump] have.
So in order to do this we need to create a bit of a C2 00:24:12.785,00:24:17.256 infrastructure between the user's browser, the PAC 00:24:17.256,00:24:20.326 javascript that's running on their system, uhm, the DNS 00:24:20.326,00:24:23.862 server we're using for leaking information and the, uh, 00:24:23.862,00:24:25.964 malicious... and the [cough] web server that we're using to kind 00:24:25.964,00:24:28.767 of control all of this. So the first thing you have to consider 00:24:28.767,00:24:33.005 is DNS, so leaking data over DNS. Uhm, DNS searching has a 00:24:33.005,00:24:36.241 kind of limited character search so we can't just throw in any, 00:24:36.241,00:24:38.610 any data we want. [cough] It's gotta be within the, kind of, 00:24:38.610,00:24:41.347 ASCII, 0 to 9, underscore and hyphen range, I believe, I don't 00:24:41.347,00:24:45.984 see periods. Uhm, you can have a maximum of 63 characters per 00:24:45.984,00:24:49.855 sub-domain and on a DNS lookup, and a max, a total maximum of 00:24:49.855,00:24:54.193 253 characters. And, that's just, that's just through the 00:24:54.193,00:24:59.798 way the DNS is, uhm, has been, has been setup. So, what we end 00:24:59.798,00:25:03.335 up doing was base 36 encoding all the data, not the most, the 00:25:03.335,00:25:07.005 most efficient but very easy to do. Uh, split long data into 00:25:07.005,00:25:09.375 multiple host names, so multiple, multiple subdomains 00:25:09.375,00:25:13.245 and host names. And then performing those lookups or more than one 00:25:13.245,00:25:18.384 lookup, uhm, for each leaked URL if the, uhm, resulting DNS query 00:25:18.384,00:25:22.654 was more than 253 characters. Uh, and then this is decoded, and 00:25:22.654,00:25:25.491 uhm, reassembled on the attacker's DNS server. 
00:25:25.491,00:25:28.594 [coughing] Uhm, so that's, that's how we get the 00:25:28.594,00:25:32.364 information out, uhm, we, implemented an API interface 00:25:32.364,00:25:37.102 between the attack, sorry, between the victim's web browser 00:25:37.102,00:25:41.807 and the PAC script running on their system. So, uh, the PAC 00:25:41.807,00:25:46.412 script, uh, decodes and javascript evals any domains 00:25:46.412,00:25:52.651 that end in the "dot etld". Uhm, it will encode the eval results 00:25:52.651,00:25:58.223 of "dot r" tld host names and send that back to the server and 00:25:58.223,00:26:01.627 leak all URLs by default. We added a small number of 00:26:01.627,00:26:03.829 functions just, [cough] just to help out what we were doing 00:26:03.829,00:26:08.033 here. So, adblock URL so tell the PAC script to block all 00:26:08.033,00:26:13.305 requests of a specific regex URL as a leak URL. So, if it the 00:26:13.305,00:26:15.741 URL, if the URL matches the regex there it will leak it 00:26:15.741,00:26:18.777 to our server and the clear everything just in case we need 00:26:18.777,00:26:22.548 to clear everything down and return, the, the PAC to a known 00:26:22.548,00:26:26.051 good state. And this is kinda how all of that looks, so the 00:26:26.051,00:26:29.788 top two, uhm, portions on the user's system so the injected 00:26:29.788,00:26:33.225 javascript running in their browser is communicating to the 00:26:33.225,00:26:37.296 PAC script running on their system by DNS lookups, uh, the, 00:26:37.296,00:26:42.334 the PAC file leaks encoded data to our DNS server and the DNS 00:26:42.334,00:26:46.905 server passes that data back. So, our controlled web server 00:26:46.905,00:26:51.243 and we can serve, uhm, commands to the, to the browser from our 00:26:51.243,00:26:53.378 controlled web server. So it's a bit of a, bit of a cycle going 00:26:53.378,00:26:56.515 on there but that's kinda the overview of, of how everything 00:26:56.515,00:27:02.154 works. 
[thump] So kind of getting the information about 00:27:02.154,00:27:04.723 who somebody is is good and we, we were chuffed with that. We 00:27:04.723,00:27:07.626 thought "Right, we're really on to something!" But we can do 00:27:07.626,00:27:12.498 better. [laughing] And so we kinda... doing this research 00:27:12.498,00:27:15.968 over a period of months and kinda just, these things, ideas 00:27:15.968,00:27:19.571 are coming up so as, as we're going through. And one of the 00:27:19.571,00:27:23.242 things we were quite interested to look at is, is OAuth. So, 00:27:23.242,00:27:26.845 uhm, OAuth for those who don't know, is a, a way of allowing a 00:27:26.845,00:27:29.781 third party to authenticate users to your website. So 00:27:29.781,00:27:33.185 there's some, some really big OAuth providers, Facebook seems to be 00:27:33.185,00:27:35.721 one of the biggest, uh, Twitter, LinkedIn, Google, Yahoo, 00:27:35.721,00:27:40.959 Microsoft, and these services allow websites to hand off the 00:27:40.959,00:27:43.729 authentication to these central authorities. So, you, 00:27:43.729,00:27:46.198 you would all have seen it "Sign-in to this site... Sign-in 00:27:46.198,00:27:48.500 with Facebook, sign-in with Google". Uh, you just click 00:27:48.500,00:27:50.736 those buttons, if you're logged into Facebook or Google 00:27:50.736,00:27:53.205 automatically you're logged into that site without having to type 00:27:53.205,00:27:56.341 in your username and password. This is, this is great from a, 00:27:56.341,00:27:58.944 from a usability perspective you don't need to remember another 00:27:58.944,00:28:03.148 set of credentials - it just all works. Theoretically anyway... 00:28:03.148,00:28:08.020 Uhm, OAuth has a number of ways of passing tickets and, and 00:28:08.020,00:28:11.356 tokens between the, the, I guess the client application and the 00:28:11.356,00:28:15.160 central OAuth server. 
Uh, but one of the more, uhm, common 00:28:15.160,00:28:19.364 implementations is, uh, using URL parameters via, through 3 0 2 00:28:19.364,00:28:26.071 redirect over HTTPS. So, we thought can we force this, uh, 00:28:26.071,00:28:29.474 users to attempt to OAuth authenticate to a large range of 00:28:29.474,00:28:34.246 services, intercept the, uhm, [cough] the final authentication 00:28:34.246,00:28:38.984 token and replay that ourselves. And that's something we're also 00:28:38.984,00:28:42.487 gonna attempt to demonstrate. So, again, users still here, 00:28:42.487,00:28:46.124 trying to fill out their, uhm, [coughing] Uhm, their form 00:28:46.124,00:28:50.796 password overtake. They're gonna be there awhile, uhm, so we, we 00:28:50.796,00:28:53.231 kicked off the next attack and you can see this one's 00:28:53.231,00:28:55.767 particularly quick. It's a roamer using 3 0 2 redirect, 00:28:55.767,00:28:58.170 we're not trying to do the pre-render pages which we have 00:28:58.170,00:29:01.306 to do in serial, so, only one at a time. This, this is going 00:29:01.306,00:29:03.542 quick - lightning fast! [cough] Uhm, from the, from the 00:29:03.542,00:29:06.311 attacker's console we have now got all of these potential, uhm, 00:29:06.311,00:29:10.649 OAuth sessions, so if I for example open codepen and then an 00:29:10.649,00:29:14.987 incognito window, theoretically... good, that bit 00:29:14.987,00:29:18.323 worked. Yip! Brilliant! I'm now, now logged into, to codepen as a 00:29:18.323,00:29:23.328 user with that, uhm, bin, bin on there... [applause] Keep going, 00:29:30.535,00:29:32.938 we've got loads of other services, so for example 00:29:32.938,00:29:36.508 developed on Mozilla, got that account, someone's interested, 00:29:36.508,00:29:40.278 dunno if anyone's used 4shared before but, it's a, uhm, cloud 00:29:40.278,00:29:43.515 storage platform so we can grab that and then start grabbing 00:29:43.515,00:29:45.884 their files from, from that platform. 
And we've got full 00:29:45.884,00:29:49.454 control of these accounts at this point. So, uhm, we're just 00:29:49.454,00:29:52.958 logged in as if we were those users. Those are going well 00:29:52.958,00:29:57.963 now... >> Yea. >> Alright! S... So back to the slides. So this 00:30:00.032,00:30:02.501 is, this could be done passively, we could wait for the 00:30:02.501,00:30:06.171 user to log in but, as Paul mentioned, [cough] we're kind of 00:30:06.171,00:30:10.509 impatient. So we can force this and you. if you're using the 3 0 00:30:10.509,00:30:13.812 2 lookups you can actually force, uhm, a large number of, 00:30:13.812,00:30:16.515 uh, authentication attempts against a large number of 00:30:16.515,00:30:19.084 services very, very quickly. [background noise] Uhm, the user 00:30:19.084,00:30:22.254 won't say anything necessarily when they, uhm, go to log back 00:30:22.254,00:30:26.491 into that service. Uh, they, in our experience they haven't, 00:30:26.491,00:30:29.661 they won't see "Failed login attempt" to this or anything 00:30:29.661,00:30:33.365 else. So, it, it's pretty blind from the user's side of things. 00:30:33.365,00:30:37.202 And it does allow attackers to gain full control over the 00:30:37.202,00:30:41.073 victim's account. [pause] >> Okay, so, uh, we've shown you a 00:30:41.073,00:30:45.243 few demos, which we were quite pleased with but we wanna go 00:30:45.243,00:30:49.781 even further, so, uhm, we wanna, so we've to learn some of the, 00:30:49.781,00:30:53.218 uh, kind of, uh, accounts the Facebooks doesn't care about, I 00:30:53.218,00:30:56.054 mean, they tend to use OAuth for things that you just can't be 00:30:56.054,00:30:57.889 bothered to create an account. [cough] But we wanna go after 00:30:57.889,00:31:00.592 the, uh, the good stuff. So when they attempt to get into your 00:31:00.592,00:31:05.297 Google account now. 
So, uh, the way that, uhm, Google works is 00:31:05.297,00:31:07.165 quite interesting and they've got lots of different domains. 00:31:07.165,00:31:10.302 And, you can't share cookies between top-level domains. So, 00:31:10.302,00:31:13.805 what happens is when you log into Google, uh, most of your 00:31:13.805,00:31:16.208 cookies, uh, go up to the main Google dot com domain and, uh, 00:31:16.208,00:31:18.944 when you go to another website, like YouTube or Blogger or one 00:31:18.944,00:31:22.748 of the regional Google search sites, uh, then, uh, there will 00:31:22.748,00:31:28.620 be a kind of first party SSO, so, uh, we use, uh, the say 00:31:28.620,00:31:31.823 Google dot co UK will ask the main site, uh, for an auth token 00:31:31.823,00:31:35.093 and it will use a 3 0 2, 3 0 2 redirect so we can steal that. 00:31:35.093,00:31:39.064 So, like this, uhm, so we'd go "accounts dot Google dot com; 00:31:39.064,00:31:40.432 please log me into Google dot co dot UK" and it'll say [cough] 00:31:40.432,00:31:41.767 "Okay, you, you're logged in, that's fine; here's a redirect, 00:31:41.767,00:31:43.101 here's auth token". And it will go and set the redirect on the, 00:31:43.101,00:31:44.436 the local site. [typing noise] [cough] So, uhm, and then you're 00:31:44.436,00:31:45.771 logged into Google dot, Google co UK. [typing] Kay, and... uh, 00:31:45.771,00:31:51.710 ah gee! Uh, the second thing, the second demo we're gonna see, 00:31:51.710,00:31:56.715 uh, is, uh, stealing stuff from Google Drive. So, again, when 00:32:05.023,00:32:07.459 you download stuff from Google Drive there's a few different 00:32:07.459,00:32:10.028 ways it worked depending on how you got the file, uhm, so we're 00:32:10.028,00:32:12.197 looking in this case at files which have been emailed to you 00:32:12.197,00:32:17.803 and that you, uhm, saved to your Google Drive. Uh, so, uh.... 00:32:17.803,00:32:19.905 What happens when you, uh, clicked download the document? 
00:32:19.905,00:32:22.774 Uh, as you start off from "Drive dot Google dot com" uhm, and 00:32:22.774,00:32:26.211 then it redirects to a redirect to "Google user content dot com" 00:32:26.211,00:32:29.714 which is, uhm, uh, unauthenticated but uses uses 00:32:29.714,00:32:33.018 and auth token. Uhm, and it kinda does this, uh, kind of 00:32:33.018,00:32:35.520 redirect back and forth between the two different sites. Uh, 00:32:35.520,00:32:37.455 eventually we can get the [cough] auth token essentially, 00:32:37.455,00:32:42.227 uhm, and download the documents. So, I'm gonna show you, uh, that 00:32:42.227,00:32:47.332 domain... [pause] Uhm, I should point out that none of these are 00:32:47.332,00:32:50.001 vulnerabilities in, like, google or any of those. So of all 00:32:50.001,00:32:55.006 sites, this is just, this is just because, uh, we can, uh, 00:32:55.006,00:32:59.711 steal the HTTPS URLs. [deep breath] Okay, so we will click 00:32:59.711,00:33:04.683 this button and we'll see... there we go! So, uhm, we can see 00:33:04.683,00:33:07.719 the URL here has got the [cough], uh, uh, the auth token 00:33:07.719,00:33:11.223 in it and all I'm gonna do is literally just open that URL in 00:33:11.223,00:33:17.495 a private browsing window... So, there we go, I'm now logged in 00:33:17.495,00:33:22.767 to Google dot co dot UK. So, like I said, this isn't your 00:33:22.767,00:33:25.003 main Google account, uhm, we haven't got, like, the crown 00:33:25.003,00:33:27.839 jewels but we can still do quite a lot of stuff. So if I search 00:33:27.839,00:33:33.612 for, like, uhm, my email... I can't type... Uhm, so we get a 00:33:33.612,00:33:36.114 summary of what's in your gmail inbox, I can't click on those 00:33:36.114,00:33:38.984 but, you know, I can still see, yea I see a summary, I can view 00:33:38.984,00:33:43.989 my photos... uh, I can do my home address, there we go. 00:33:46.658,00:33:50.328 [laughter] Uh, I can do my location... 
Uhm, my location 00:33:50.328,00:33:55.934 isn't working... Okay! Uh, but, another thing we can do, if you, 00:33:55.934,00:34:01.339 if you happen to have, uhm. Location history turned on on 00:34:01.339,00:34:04.242 your phone, uhm, then Google is basically tracking you 00:34:04.242,00:34:09.247 everywhere you go. And... because, uhm, google maps is, 00:34:11.383,00:34:13.385 kind of, again, regional - it's not the main Google dot com 00:34:13.385,00:34:18.390 site, you can get your timeline. Come on! Please start working. 00:34:28.767,00:34:31.770 So you can see everywhere we've been in Vegas. All the best 00:34:31.770,00:34:38.243 places we've been... Uhm, and so, uh, where did we go today, 00:34:38.243,00:34:43.248 ah, it's being a bit slow but anyway. Uh, we thought that was 00:34:45.951,00:34:50.689 quite nice. [applause] Thank you. [applause] Yea, right, 00:34:50.689,00:34:55.694 we've gotta get on. Okay, so I'll hand it back to ... >> You 00:34:59.030,00:35:03.969 want to do the Google drive demo quickly? >> Oh, Google drive, 00:35:06.071,00:35:12.010 yes! Thank you, right. Uh... okay [mumbling] So Google drive, 00:35:12.010,00:35:17.949 click the last button, and hopefully we some stuff popup. 00:35:17.949,00:35:22.954 Here we go, so you can see all the URLs going through the 00:35:25.690,00:35:31.596 bottom, uh, now the attacker's server is going to download 00:35:31.596,00:35:36.601 those, uh, to the server and then we can load some of these 00:35:39.337,00:35:44.676 things. [laughter] Did? How did you get... [chatter] Alright, 00:35:44.676,00:35:49.681 uh, so yea, so you know, if you've added some passwords to 00:35:51.816,00:35:57.155 your account, some pdf. Uh, that's someone else... 00:35:57.155,00:36:01.726 [laughter] Uhm, that's some passwords there. Right... >> 00:36:01.726,00:36:03.495 Great! [applause] So that last demo, that's, that was all 00:36:03.495,00:36:06.631 Paul's work. 
Uh, he spent ages doing that and I thought well I 00:36:06.631,00:36:10.769 can't let him have the best demo this talk. So, I spent a little 00:36:10.769,00:36:17.709 while looking around and thought I'll try Facebook. There's got 00:36:17.709,00:36:19.144 to be a way to get into somebody's Facebook account, 00:36:19.144,00:36:21.880 right? And... there was! And up until about three days ago this 00:36:21.880,00:36:25.650 worked. [laughter] It was only when I went to record a video of 00:36:25.650,00:36:28.653 showing stealing somebody's Facebook account using, uh, 00:36:28.653,00:36:32.524 OAuth that it all stopped working and Facebook broke it. 00:36:32.524,00:36:36.895 So, I don't have a demo of that I'm afraid, uhm, Facebook didn't 00:36:36.895,00:36:40.231 break it in the sense that they fixed it they just broke it. 00:36:42.300,00:36:45.203 [laughter] So, the attack was through the forgotten password 00:36:45.203,00:36:49.007 functionality, there's an implicit authorization between 00:36:49.007,00:36:52.877 Facebook and Microsoft's OAuth. So if you've signed up to 00:36:52.877,00:36:56.281 Facebook with a Microsoft account you can hit, uhm, 00:36:56.281,00:37:00.051 forgotten my password, type in your email address and as an 00:37:00.051,00:37:04.522 option to just... reset it via the OAuth authentication to 00:37:04.522,00:37:07.592 Microsoft. Uhm, but that now asks you to log back into your 00:37:07.592,00:37:10.962 Facebook account so it's a reset your password, you have to log 00:37:10.962,00:37:15.433 into your facebook account. Anyway, uhm, so I'll move on 00:37:15.433,00:37:20.371 from that. So one of the kind of key points we thought we were 00:37:20.371,00:37:23.274 gonna get from this is people turning around and saying "So 00:37:23.274,00:37:27.846 what I use a VPN?". VPNs allow us to kind of travel safely over 00:37:27.846,00:37:32.183 hostile networks and, uh, kind of should protect us in this and 00:37:32.183,00:37:38.156 this area. Right? 
So, just to go back to our previous examples, 00:37:38.156,00:37:43.728 so, let's just, uhm, gateway, uhm, with the user's connection 00:37:43.728,00:37:47.499 over a VPN user channels through to that VPN ser, server and then 00:37:47.499,00:37:51.002 all traffic gets out to the, to the, uh, intercept from that VPN 00:37:51.002,00:37:54.672 server. So the attacker can't sniff HTTPS URLs or they can't 00:37:54.672,00:37:58.877 intercept traffic. Using the PAC break, similar sort of thing, we 00:37:58.877,00:38:01.312 tell, we tell where the pack file is, they've got their 00:38:01.312,00:38:04.482 secure tunnel set up but the PAC is situated on the local 00:38:04.482,00:38:08.553 network. There's no route from the VPN server to, uh, to where 00:38:08.553,00:38:11.422 we're hosting the PAC file and then the user, because the user 00:38:11.422,00:38:14.425 browser can't find the PAC file it'll just ignore it and 00:38:14.425,00:38:18.763 disconnect directly off of the internet. [typing] So what if we 00:38:18.763,00:38:21.132 moved the, uh, web server hosting the PAC file to the 00:38:21.132,00:38:26.070 internet? [typing] So we, so we, tell the, uh, the client that 00:38:26.070,00:38:30.041 the PAC file is on an internet accessible, uhm, server, they 00:38:30.041,00:38:35.647 connect to that VPN server, they can now access that PAC file and 00:38:35.647,00:38:38.516 connect to the internet. [thump] So, at this point we are 00:38:38.516,00:38:42.620 sniffing the URLs as we were before but we can go one better 00:38:42.620,00:38:44.756 than this. What are PAC files supposed to do? They're supposed 00:38:44.756,00:38:48.660 to specify a proxy, so if we stick our proxy server on the 00:38:48.660,00:38:52.597 internet as well... 
we've now got the user's traffic coming 00:38:52.597,00:38:57.368 out of that VPN endpoint leaking the, uh, HTTPS URLs to our, to 00:38:57.368,00:39:01.272 our DNS server proxying all of their HTTP traffic before it's 00:39:01.272,00:39:06.010 even hit the intended, uhm, the intended target. This kinda blew 00:39:06.010,00:39:11.683 my mind, this is really quite cool! [typing] [laughter] Yea... 00:39:11.683,00:39:16.754 shouldn't work like that, should it? So, many VPN clients do not 00:39:16.754,00:39:18.723 actually clear the proxy settings obtained via their 00:39:18.723,00:39:23.895 WPAD. Uhm, we tried a few and I'll run through this, uhm, 00:39:23.895,00:39:28.266 shortly. Uh, the, the traffic's travelled all the way from the 00:39:28.266,00:39:31.569 VPN end-point through our proxy on the internet before it hits 00:39:31.569,00:39:35.373 the, uhm, the intended destination. [thump] So, the 00:39:35.373,00:39:39.877 effect itself on this... OpenVPN is affected. They are working on 00:39:39.877,00:39:44.716 a fix but to this point it has not been released... Uhm, and 00:39:44.716,00:39:46.851 this, so there's no way of mitigating this through an OpenVPN 00:39:46.851,00:39:49.954 server configuration. "Private Internet Access" I 00:39:49.954,00:39:52.624 dunno who uses Private Internet Access in this room for, uh, for 00:39:52.624,00:39:55.460 VPN configuration... Uh, we reported these issues to them as 00:39:55.460,00:39:58.630 well as OpenVPN, they have fixed it... so they are based, uh, uh, 00:39:58.630,00:40:01.466 their client's based on OpenVPN but they've implemented a 00:40:01.466,00:40:03.701 [cough] client-side fix to disable the really bad, to 00:40:03.701,00:40:07.405 kinda, to kinda fix this. 
Uh, and, uh, kinda more corporate, 00:40:07.405,00:40:10.308 uh, VPN solutions for example Cisco AnyConnect, actually 00:40:10.308,00:40:14.312 have an option to say push your own proxy or kind of completely 00:40:14.312,00:40:18.616 wipe all proxy settings before, before coming this way. 00:40:18.616,00:40:21.419 Uhm, the Windows built in VPN clients aren't vulnerable to 00:40:21.419,00:40:24.422 this, it actually looks like they've thought about this issue 00:40:24.422,00:40:29.060 and have disabled the WPAD by default on these. L2TP and PPTP, 00:40:29.060,00:40:35.533 uh, connections. Yea, oh, yea... [laughter] This picture is, uh, 00:40:35.533,00:40:38.136 Paul's third work of art there, the rejected vulnerability title 00:40:38.136,00:40:43.074 for, for this issue. Uh, so the next response "So what, I don't 00:40:43.074,00:40:47.845 use Windows?". Uh, yea, actually other operating systems do use 00:40:47.845,00:40:53.851 WPAD and PAC [cough] so... OSX does, iOS does, Android does. 00:40:53.851,00:40:58.089 Okay, not by default, so it's not quite as bad as on Windows 00:40:58.089,00:41:03.761 but you do need to be aware of it. [pause] [cough] Uhm, I think 00:41:03.761,00:41:08.199 that's pretty much everything I covered. [thump] Yea... So, to 00:41:08.199,00:41:11.336 mitigate this first thing you do on a Windows system is you turn 00:41:11.336,00:41:14.739 off the WPAD. Seriously, turn off WPAD... [laughter] Because, 00:41:14.739,00:41:17.308 there's no, there's no good reason to have it on. So if you 00:41:17.308,00:41:20.244 still need to use PAC, which a lot of organizations will, will 00:41:20.244,00:41:25.450 need to do. Turn off WPAD... [laughter] And configure an 00:41:25.450,00:41:28.853 explicit URL for your PAC script so you can do this securely over 00:41:28.853,00:41:33.257 HTTPS, uh, to an internal server or you can actually serve it from 00:41:33.257,00:41:36.094 a local file in Windows if you specify another registry key. 
So 00:41:36.094,00:41:39.597 we'll just put it from the, the, uh, from the disk. And those are 00:41:39.597,00:41:43.101 really the only two secure ways of, of doing, or distributing 00:41:43.101,00:41:48.039 PAC files. Uh... to mitigate the VPN turn off WPAD! Only so many 00:41:48.039,00:41:51.309 times you can say that... [laughter] Uhm, VPN is safe if 00:41:51.309,00:41:55.680 WPAD is enabled, uh, if the VPN environment requires a proxy 00:41:55.680,00:41:59.317 server to get out to the internet then it effectively 00:41:59.317,00:42:02.286 mitigates this issue. We can't chain proxies using, using PAC 00:42:02.286,00:42:05.990 as far as we're aware. Uhm, or if the VPN server pushes an 00:42:05.990,00:42:10.261 explicit proxy configuration then this, this won't be an issue and 00:42:10.261,00:42:16.934 that's certainly an option on enterprise-level VPN solutions. 00:42:16.934,00:42:20.872 So, the good news! We reported this issue to, uh, vendors back 00:42:20.872,00:42:25.042 in March, and, uhm, and a lot of them have fixed it so Apple came 00:42:25.042,00:42:29.313 out pretty quick, uh, releasing fixes, uh, for OSX and iOS, uh, 00:42:29.313,00:42:32.583 and Apple TV. Didn't know they still did that but... Uhm, 00:42:32.583,00:42:35.620 Google Chrome patched, just a few weeks ago. In fact I was 00:42:35.620,00:42:37.321 setting up these demos and I couldn't work out why they 00:42:37.321,00:42:40.625 weren't working the other day, it's cause my, uh, my Chrome had 00:42:40.625,00:42:44.595 automatically updated and I just had to downgrade it again. 00:42:44.595,00:42:48.766 [laughter] Uhm, Android patched, patched in July, uh, Firefox - 00:42:48.766,00:42:51.369 waiting on a patch for this issue but it's also not the 00:42:51.369,00:42:53.838 default configuration if, in Firefox. 
So, it has to be 00:42:53.838,00:42:57.241 explicitly enabled, uh, and Microsoft, uh, kind of a patch 00:42:57.241,00:43:00.144 pending, again slightly different on Microsoft, 00:43:00.144,00:43:03.147 certainly on, uhm, on Edge on Windows 10 it does some really 00:43:03.147,00:43:07.418 funky caching stuff so, it's really not quite as big as, as 00:43:07.418,00:43:12.356 big as it deal with that. How long we got? We'll run through 00:43:12.356,00:43:15.193 it - two minutes. So we were actually not the first people 00:43:15.193,00:43:18.329 to, to spot, to spot this issue, but we were the first to report 00:43:18.329,00:43:22.066 it. So, there was a talk at Black Hat this year, literally 00:43:22.066,00:43:25.369 last week on this exact same issue. Uh, the guys didn't 00:43:25.369,00:43:28.506 report it to any vendors, for some reason. Uhm, the, then 00:43:28.506,00:43:33.144 this, hope I'm pronouncing this right: Bas Venis, uhm, reported 00:43:33.144,00:43:36.314 this issue to, to Google and Firefox literally two weeks 00:43:36.314,00:43:40.785 after we did, uhm, so plenty of people looking in the same 00:43:40.785,00:43:45.389 place. Uhm, there was a master's thesis, uhm, from May this year 00:43:45.389,00:43:49.360 which outlined this issue, uh, there was a Russian blog post 00:43:49.360,00:43:54.799 from June last year outlining this issue, and there was a 00:43:54.799,00:43:57.935 StackOverflow question from May last year outlining this issue. 00:43:57.935,00:44:00.371 Lots of people have found this, nobody reported it to the 00:44:00.371,00:44:04.275 vendors... interesting. [background noise] Uhm, not sure 00:44:04.275,00:44:10.848 if we got time for that slide... So, to summarize network based 00:44:10.848,00:44:14.452 attackers can inject PAC scripts into browsers. [cough] PAC 00:44:14.452,00:44:18.222 scripts can leak all HTTPS URLs via DNS to an attacker, at least 00:44:18.222,00:44:21.826 on unpatched systems. 
We showed how to deanonymize users; steal 00:44:21.826,00:44:26.163 OAuth tokens; access photos, personal data and documents. VPN 00:44:26.163,00:44:30.034 wouldn't necessarily prevent you from a malicious proxy... Now go 00:44:30.034,00:44:35.039 turn off WPAD! [applause] >> Uhm, very quickly I just wanna say 00:44:43.247,00:44:45.816 we're gonna be releasing all the code for all the demos, uhm, 00:44:45.816,00:44:48.519 like, as soon as we get back home and have had some sleep, 00:44:48.519,00:44:51.255 uhm, so, it'll be on GitHub. Just watch our Twitter feeds and 00:44:51.255,00:44:52.657 we'll let you know when we've released it. If you're 00:44:52.657,00:44:53.057 interested.