2016 BSidesLV - Breaking Ground - Day One
Show transcript [en]
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e e
okay good afternoon ladies and gentlemen welcome to breaking ground before we get started I just want to do a shout out to our sponsors really quick uh thanks to the folks at ver Sprite tenable Amazon protiv and source of knowledge for putting uh helping us put all this on uh for the the couple days I do want to introduce our uh speakers today we have uh near and Patrick both from the NCR Corporation near is the uh head of application security uh at NCR and Patrick's a application security architect uh with NCR and they will be talking to us today about uh breaking the payment points of interaction so gentlemen over to you thank you welcome
everybody I know it's a tough hour after lunch but uh I can assure you that we're going to make it really interesting for you because uh today we're talking about breaking payment points of interaction and the main thing that we're going to do is um break few things that you think they may be secure so we have a bunch of demos uh we'll steal credit cards in live environment here so we really hope that uh that you're enjoying so um would like to make a quick introduction the main challenge that we have with this introduction is that we want to talk a lot about about ourselves but we can't do that we have really limited time so we made an XML file that
explains who we are I don't know if you'll be able to read it um but we just uh shorten it for you so um as I mentioned like my name is near and um I'm heading the application security um my motto is the if you think that security is expensive just try to ignore it spoke at several conferences and um I'm an open source contributor now I'm Patrick Watson I'm a application security architect with NCR and I am a firsttime speaker so for bsides and heray for me so thank you thank you very much you're a gracious audience uh and I've contributed to a few uh open source projects op SSL C curl but not that much mostly
proprietary close Source stuff you know business things uh I'm sort of the engineer the software developer guy so I like to brag about that a little bit I develop a bit better than near but let's let's move on see what we're going to be talking about our research so part of our jobs at NCR is not only to make sure that our software is secure but to make sure that the software in the ecosystem is secure so we take a look at other people's software and the devices running at stores or Banks or wherever as well part of that is sometimes we have to actually disable some of the security alter our code so that we can figure out
if our stuff is protecting everybody or if it's the protection built into say pin pads so that's sort of what we did in this case and lo and behold a whole bunch of stuff came out that we really didn't want to know about but now we do so we kind of have to deal with it now let's talk about the industry a little bit NCR serves a bunch of stuff but you don't really care about that it's we've got different aspects of the payment ecosystem and they all do kind of the same things but you've got retail doing it one way Hospitality that's uh uh hotels uh restaurants that sort of place and petroleum convenience stores all
doing things slightly different now couple years ago you may have heard of a few very high-profile breaches in the retail industry uh almost everybody in the US was affected in one way or another and because of that retail has started paying a lot more attention to security Now what would you guys say if I told you that the problems of security and Retail was were solved that people had figured it out and we're good now we can we can go home right well no not really that that just doesn't no okay so we have some background about the industries and one why we came here but before you get the information about how to hack some stuff I think that you
should understand the architecture that we're trying to break so there are several architecture types uh that that I want to cover especially three that if you go to any retail store or um you know Hospitality businesses you'll probably see the same architecture with minor changes so the first architecture is something called the segregated store architecture it's essentially uh an architecture that that um you have the point of sales in the store you have a store server and you have the pin pads so the pin pads the managed pin pads are the ones that can connect to Point of Sales using ethernet cable or just serial cables um in this specific architecture you may have firewalls in the store uh
which is great and you have your PIN pads in some cases you have the pin pads uh segregated to specific villain in the store or a specific villain for the whole chain whatever it is this is one attack Vector the other architecture that we're exploring is the all-in-one solution AR the all-in-one store architecture which means that you have the pin PAD as I mentioned can be connected using serial cables so when you see the malware attacks on pin pads or on point of sales in most cases you see it in this architecture meaning if you have any memory scraper that tries to get the credit card number from the memory that's pretty much the architecture
because you have the credit card number that is U received from the serial Port so this is one thing about this architecture the other thing that's worth mentioning is that when you have these memory scrapers on this point of sale eventually you will figure this out you will see that you have a malware there the reason for that is because there is a weak Hardware on most point of sales and memor scraping just takes CPU so you will eventually see that so when you scan an item you won't hear the bip immediately after that you will just probably hear it a little bit uh um you know a little bit after that and the last architecture that I want to cover
is fuel stations when is the last time that you saw any fuel station getting hacked well probably you didn't hear a lot of it so with fuel station architecture it's even less secure than what you know or what you hear now with fuel architecture you actually have the fuel pump which has a pin pad and the fuel pump is connected to kind of a layer two adapter the layer two adapter gets kind of a two cables connected to it it's a propri protocol and the layer 2 adapter which in most cases nothing is authenticated to that then it speaks with a payment application so that's pretty much was the the architecture but let's talk for a moment
about the payment flow because that's what we're going to exploit in this talk so a typical payment flow let's say that you're getting into a store and U you're starting to scan the items you scan the items and eventually you need to check out so the cashier press on the pay uh on the pay button the pay button eventually brings you to the payment application the payment application um as I mentioned can be a d it can be a server that gets this request and um and eventually the payment application controls the pin pad the point of interaction it says the point of interaction what to do and what to get from the consumer so the first thing
that the payment application will ask will be the credit card data which may be a track one two data for those who don't know what track one2 means that's the uh the the data that is written on the magnetic stripe of your card it can be that or EMV tags in case using a chip and pin technology so once you get it if you're using a chip and pin technology or generally you need to to enter a pin then again the point of inter the payment application request from the point of interaction to get the pin receives it back and um in online scenarios it will just submit the request to the to the host in order to
process the the payment in other cases if the host is not available it will just store that transaction in most cases in encrypted manner in the payment application eventually the transaction ends when you get the authorization code and you're checking out so let's start talking about the interesting stuff because now I just thought that you know after lunch that's a good time to give you the background you can get asleep now that's the time to get awake so um with the authentication to point of inactions the first thing that I want to show you is um the layer 2 adapter somehow we managed to get a photo of it believe me we have access to some stuff
and um and this is an L2 adapter and the cable called um a current Loop So eventually if you're able to tap that you will be able to see all requests in clear text and do pretty much whatever you want including sending your own requests to the L2 adapter because there is no authentication there having said that there is a compensated control because these cables are just under concrete in the fuel stations so you won't be able to see these adapters unless someone just um made a bug a small mistake in the design so our scenario is focuses mainly on something that called sham software the main idea is to put a man in the
middle between the payment application and the point of interaction we don't care about the point of sell we don't care how much secure the point of sell is all we care about is how to tap the connection between these two components so by tapping the the connection between these components we can do it by um you know wi shark with TCP IP we can do it with serial Port monitoring that we can just check what is going on um back and forth and obviously we can just um use it as a binary so when I mention binary it's not a malware binary means that you take the payment application dll make your own changes to this dll and just replace it
so essentially it's not a malware and it will not be identified anywhere it will not affect the performance because no one reads the damn memory no one cares about it we just care about getting the credit card number from the same DL that handles that handles it so take it away Pat yes so the first thing we're going to tell you about is just sort of what we've got up here because you guys can't see it you especially those of you in the back we've got my laptop this is running a point of s simulator and one of our payment applications the like I mentioned early or that payment application has has been modified so
some of its own proprietary security stuff is disabled that way we concentrate on the security of the pin pad pause simulator is just something we use internally to so that we don't have to Lug a giant point of sail around got a switch we've got a Raspberry Pi 3 here which is running our attack code the man in the middle part the Raspberry Pi 3 frankly is a little bit of overkill for this but it's fun to have Hardware so you know apparently having a little bit of technical difficulty with the display that'll be fine finally we've got a pin pad here the hello audience we've got a what we call a shroud of secrecy over the pin pad
because we didn't want to specifically call out this vendor there's a lot of pin pad vendors out there a lot of different models and this isn't a vulnerability in a single pin pad it's sort of a problem in the way the system works so now let's go to the demo and I believe with this one we're just swiping a card and seeing if we can see the track to see what that looks like while Patrick does it uh it's important to mention that we're running a production image on this pin pad so it's not that we disabled some functionality on the pin pad itself it just that's the way it works in production when you pay yeah
you could probably go and find this in a real store somewhere today uh they probably would have prettied up the graphics on the pin pad screen a little bit but that's the only difference so let's start a transaction uh this time let's just put a deli item on there and if you note it says please swipe your card so I'm going to go ahead and do what's called a swipe ahead transaction uh little tricky to get the card in there with the Privacy Screen in place what does swipe ahead me so swipe ahead is where you swipe the card before the transaction is complete the reason I'm doing that this time is is because when you're doing a swipe ahead
transaction you can actually easily see track one and two both of them versus with this an EMV enabled pin pad when you complete the transaction it goes into EMV mode and then you can really only see track two I'll show you a little bit about that later but this in the slot
let's just do a sale it's a live demo so you'll need to understand that uh so this we're swiping real data here this is the EMV screen I was talking about
earlier there we go all right so now it's swiped and if you look over there at the Raspberry Pi we've captured the entire track data let's complete out the sale sign things there we go and near if you could bring up wire shark for me so let's adjust this near where's the uh thingy well we need to enlarge it again ah all right so here you can see that the pin pad makes a request to the man in the middle man in Middle requests to the pause simulator so it's passing the data through so let's scroll over here to the right and here is that same track data in plain text that you saw appear on the
Raspberry Pi so from the track data perspective pretty darn easy to capture this stuff okay that was easy except the swiping stuff yeah um the thing is that you saw in our case that it's not encrypted in fact in most cases it's not encrypted the reason for that or at least in you know in in network communications is first of all the point of cells running Legacy operating system sometimes Windows XP um and sometimes the pin pads are pretty old but that's not an excuse this do Effect one time I remember that we requested um you know to enable TLS 1.2 on one of the pin pads and they said like why we can give you SSL 3 is that good
enough so that's the business justification eventually you know we want them to secure it but eventually hackers have also their own justifications so that was talking about ethernet man in the middle a passive man in the middle which you know everybody knows how to capture packets and wire shark o whoop-de-doo right so you might think to yourself well what about those pin pads connected via serial ports they're probably a little more secure right because it's not an ethernet cable you can't intercept those things right well no not really and because it's a pain to carry around a bunch of pin pads and you definitely can't switch them in the middle of a presentation we've got a
video here capturing us swiping the data while it's connected via uh serial Port this is some software from Elma software called serial Port monitor that's very useful for this sort of thing and you might not be able to see it on the screen there so we've got another slide here that's blown up and if you recognize it this would have been the exact same packet that you saw if we had done the swipe head however you get the same stuff when you do the EMV transaction as well point is you can see track one up there starting with the B and track two further down so not only Can you capture serial Port data and if serial Port monitor can
do it malware or a replace dll can do it too so that was swiping how many of you are really swiping today let's talk about EMV that's probably secure it's a good one so let's talk about what EMV does first EMV does prevent a duplication of the card because it has the chip on the card so this is one thing the other thing is in case you want to use a stalling card it prevents you to use it when you use the chip and pin like you don't know the pin so you shouldn't be able using it that's all let's talk about what he does not do let's say that someone stole my track data from the
card so first of all or let's say even someone stole my card that's it first of all he can use this card on pin pads that are not chip and pin enabled so if one if someone steals my chip and pin card he can use it in other places on e-commerce on like old pin pads or even in manual card entry how many times it happens to you that you scan the card and you just can't read it well it just happened here but um but eventually that that's a real scenario the other scenario is actually um the fact that you can take the track two data from the pin pad and you will need
to change only one number in this track in order to make it uh non chable or swipe card the thing is that um when you swipe the card the the pin pad knows to identify if it's a cheap and pin card it's not that it reads the card it's not it reads the chip it just sees the number that says this this is one moment this is the the type of the card and the last thing is um even if you steal the card or steal the track data you can come with a card with an image of a chip or broken chip it doesn't matter when you come to the cashier and you try to stick your chip
and pin card to the pin pad and you know sometimes it just doesn't work so the cashier can manually fall back to swipe that's the idea so EMV it's quite old standard should we be able to bypass it if it's like really old standard probably so we have three man in- the middle scenarios in this talk the first man in the middle scenario is kind of a passive man in the middle the passive man in the middle is relatively simple the main idea is to get the EMV data and see if we can see the track data and actually create a credit card from EMV transaction so the main idea is first of all injecting your man in the middle uh
stuff it can be you know the dll or just intercepting the communication so we have the adversary on the left side and we have the rest as we already had in the regular payment process so the main idea is that you're doing your selling activities obviously you finish then you ask from the payment application to pay the payment application will get a credit card number or request the credit card number from the pin pad which eventually will go to the adversary and from there to the uh to the pin pad and then once the consumer sticks the data sticks the card we will actually be able to see the full track data demo in a moment once we see
the data you can continue with the whole process including getting the Chip And you finish so I think that the best thing to show you is just hand it over to Patrick Yeah so near if you would please set up the camera for us uh so we're like near said we're going to run a regular EMV transaction this time just to see if we can capture the the EMV data and see what it looks like so let's start start a transaction put a deli item on here just cuz we like delies start a sale it should prompt for us to insert our card we got a standard UL test card here insert it into the
slot it's going to prompt me to accept the transaction amount and if you look over there near it should have the track data on the Raspberry Pi at this point you can take a photo of it but you can't use it it's a test card it's a test card okay so I don't know that all of you taking photos of it it won't work yeah and that explanation took long enough that the pin pad timed out now now so that you guys can get a good view of this let's start that over again in the transaction start it back up Deli item sale give it a minute insert accept the transaction amount now type in our pin which is
4315 by the way never tell anybody your pen but since it's a test card that's okay press enter and I must have mistyped it it's a love demo five there we go typed it right that time so approved remove the card and the transaction should process there we go all right so now near if you please could you switch the next slide for
us all right so just so that we don't have to uh go through wire shark every time and find the packets and all that we pre- captured this for you this is what the EMV response packet looks like to the request to get track data essentially so you can see some stuff over there on the right and I'm just going to tell you that where it says American Express that's called a Aid that's the application identifier which type of card it is below that it says eips blah blah blah that's the card holder name in this case because it's a test card it's kind of weird looking now does anybody in here see track data in
there near does cuz I made a deck yeah so we know where it is good we' got one person yep now anybody else nope not yet so in most payment applications uh it often is transferred via asy so you actually see asky card numbers like you know the standard 1 two 3 4 blah blah blah but EMV actually sticks it over in kind of a weird format where they take the the actual text representation CH change the binary bytes into that representation so it shows up that way in when you're looking at looking at it in HEX now that means that we've got the whole track there available for us from an EMV transaction now if you looked at down
here at the bottom of the screen you can see that we've got it in a couple different colors the red is obviously the card number the purple next to it the 1903 is the expiration date then in kind of a orange that doesn't display all that great is 2011 and I'll get to that what that is in a second and then a whole bunch of discretionary data that depends on what type of card it is that 201 is called a service code and the two is a VAR very important part of that code because that is what lets you know if it's a swipe card or a chip card so when you just swipe it that too tells the pin pad this
is a chip card don't allow the swipe so in the tax scenarios near was talking about earlier if you're offline and not being verified by a host you can switch that two to a one and your PIN pad will accept the transaction so that's great you know we found a way to get the credit card data great but we're still me we're still missing some data we still want to get more data to be able purchasing online for instance so when you purchase online what do you really need to enter exactly exactly so cvv2 is exactly what you need to enter the CB2 is um you know it's something that came with one of one of the brands but basically it's
the three or four digit number that you have in the back of your card or with MX you have the four digits in the front of your card that allows you to perform card not present transactions meaning online transactions and um and we want to check if we will be able to get the cvv2 here with this flow so we found a way surprising let's talk about the active man midal attacks so the first active Man midle attack is the one that compromises the CVV data we have the same flow again doing the payments asking for the the card holder data the the EMV tags are sent back to the adversary which we already know that we can get
the data from there and then the the most important part here is to understand the timing so we the adversary gets the EMV tags back the adversary will not send the EMV tags back to the payment application until he gets more data because eventually we want to make sure that we uh successfully finish the transaction from that reason the ver sends another API call to the pin pad the API call will just request the CVV data that it's it's a builtin functionality within the pin pads so we don't need to exploit anything we just need to have additional API call it's nothing essentially we're not exploiting anything we're just playing with the flows so let's take a look let's take a look
at it cameraman if you will so once near gets that set up we'll go ahead and start the transaction but while he sets it up an important thing to know about cvv2 and the equivalence from other Merchant or card Brands is in theory the CVV helps protect online transactions because it's never encoded anywhere in the actual data on like the mag stripe or the chip so that's why it's on the back of the card so let's start a transaction let's put two Deli items on there this time we'll we'll feel daring start the sale should prompt for entry there it goes insert the chip card and at this point we've already got the track data over there at the
Raspberry Pi now we'll accept the transaction amount it'll prompt me for my pin 4 3 1 5 and hopefully I typed it correctly looks like I did and look at this a new prompt that wasn't there before and this is since this is a test card it doesn't actually have a real cvv2 so I'm just going to make one up anybody got a suggestion need three or four 1 two 3 four type that in processes for a minute the Raspberry Pi picks it up and the pin pad approves payment application is none the
wiser okay so that was good enough to get online payments anyone needs a yacht something um but the thing is that we want to get more information what happened if we could get the pin well we can that's the idea so in this flow um we're actually doing pretty much the same thing but in this case we won't stop in the um in the EMV tags so let's assume that we finished together the EMV tags now the payment application requests for pin which by the way we avoided in the previous flow but we had it in the demo so you request the pin or the payment application requests the pin the encrypted pin from the point of
interaction the point of interaction responds with a pin to the adversary and then the adversary does it again before responding with the encrypted pin to the payment application it actually requests a numeric screen the numeric screen will eventually ask to reenter the pin when it will request to re-enter the pin it will be our screen something that we injected into this process and then we'll get the pin so let's get few pins yep and for time's sake I'm going to go ahead and start the transaction put a couple items on here and once near gets the camera ready so we've got the couple items on the screen click sale so it'll prompt for the card
entry if I can find the slot there it is now we've got the track data on the Raspberry Pi accept the transaction amount now here's the real pen entry screen like you've been seeing before 4315 push enter and here's a new screen this one's kind of important though now if I was at a place I'd know hey this I I shouldn't be prompted for this but it's a pin pad what if you're all Security Professionals maybe you'll catch it maybe you won't but check out the raspberry pot it's got the pin number now and Joe from the a farm down the street not to impin on Farmers but a a Layman isn't going to know the pin pad shouldn't be doing this
and in our informal testing even in the payments industry 90% of the people weren't even suspicious of it they just entered their pen anyway the ones that were suspicious still thought well maybe I mistyped it it's kind of weird that security guys are having me do this demo and whatever and they typed it in
anyway C number did you hear the question yes I prefer to keep the questions to the end because we have a few more things to cover okay and quickly running out of time yes we'll get to you though so let let's say that we've got the pin and we've got the CVV these were great demos but in fact um you know several uh Point poter interaction manufacturers they actually put some security uh uh measures in these pen in these pin pads so one of the security measures is do not allow any text except the text that I allowed in this long list guess what this long list includes please re-enter so when you have the screen of
enter PIN and then you re and then you request to re-enter it refers to the pin it's not reenter your address address which is quite difficult to enter your address there so that's pretty much what we're exploiting so let's say that we bypass the white list and uh and succeeded with that that's great but in some cases uh we can't bypass the white list because the white list is so strict so that's it we ended up with it not exactly several manufacturers actually allow you to inject a form or a screen to the software the reason for that is because as Patrick mentioned at the beginning of the talk in the re in the hospitality and petroleum petroleum
and convenience stores they have uh their their own flows and the pinent manufacturers cannot come up with all of the flows in retail it's pretty more pretty much standard but that's what we're we can do because it's just something available so in order to bypass the white list we can actually put a photo with please enter PIN that's it and obviously add the um the control to get the card number so I guess that in order to um for us to believe us we did it too so um so Patrick will demonstrate in a moment one thing that's worth mentioning is that several manufacturers actually have protection against it they request or require a signed form that is signed
by the vendor or by the by themselves so let's see how it works so normally when a attacker is injecting forms like this it would happen pretty quick so we're going to actually slow down a little bit so you can see what's happening a smart attacker would also do this part like at midnight or whenever sometime where the store is not actually open however with some pin pad models it is possible to do it mid transaction although it' be kind of crazy so I'm about to inject a form into the pin pad you should see a downloading screen and it'll pause there click okay give it a second there it goes now if you saw the progress bar go across
there really really fast once it reached the end that's when a normal pin pad would have went right back to the welcome screen the this obviously is paused here so you can see it but this is what would have flashed almost instantaneously in a real Attack now let's go back and start a transaction start transaction let's put a deli item and a grocery item this time click sale go prompt for card
entry accept the amount as usual we've got the track data over there enter the pen
4315 and now we've got our own Uh custom screen now obviously nobody's really going to enter their pen in this screen but the point is so that you know that it's a a form from us a screen from us it's not uh a it didn't come from the pin pad vendor we'll say that but in all one maybe cool if it comes from the vendor well I don't know if I want my face on every transaction out there but to each their own so remove the card take a look at the pie we've got the pen again and there we
go now thank you thank you so we've talked about a bunch of stuff here but but what other attack vectors are there and I'm going to Breeze through this because we're short on time a little bit you've probably heard about skimmers before they're still a problem uh we get reports about them happening all the time some of them are incredibly clever too like I wouldn't be able to identify them myself if they were sitting right here in front of me point is those are kind of a known thing next is remember this diagram from before we've got the pin pad over there too now and we've only really been taking a look at one application on that
pin Pad but remember like most Internet of Things type devices this is really a computer it's running all kinds of code on there there's a OS there's a secure reading and entry device that's kind of like a TPM and a whole bunch of other applications for example what if there's a buffer overflow in the form loading app it's accepting input for just from just any body there so maybe there are other places we can look for attacks as well so I'll review quickly the mitigations that may be taken by the vendors or um like point of interaction vendors mainly um so the idea is to have a point-to-point encryption the point-to-point encryption should be Hardware
based and uh with the pin pad vendors they have uh few options to encrypt the data in the hardware they can use it like in regular memory or they can put it in a separate memory which is a secure memory um the new V the new PIN pads um the majority of them at least support the srad functionality which means separate component separate Hardware component that no sensitive data goes out from there the thing is that this pin pad also supports the same functionality we just didn't enable it to do the sread stuff um important to mention that the pin pad vendors they invest a lot in crypto like it's essentially a crypto product it's a hardware crypto
product and um and the idea is to use um strong enough algorithms so even though you see here triple Dez which you may think why the hell do you have triple de on a pin pad well actually it's a triple D Duck butut it means that for every transaction you have your different key that you encrypt with the transaction uh itself next thing is um obviously preventing remote firment downgrades like let's say that we have harder encryption on the pin pad we just want to prevent downgrading it to a sofware encryption like we had this time um if there is a white list in some cases you can add your own Whit listed component um in this case you'll probably need to
have your trusted um root Authority that at least accepted on a pin pad and um in some cases you also have exceptions of credit card numbers so everything is encrypted except specific bin ranges it's a common thing for loyalty memberships and last but not least is um encrypt offline transactions as I mentioned in the first place in most cases if you won't be able to get out to the host to the processing host you'll need to encryp the data um at TR so let's say that the point of inaction doesn't support it we don't have point of Point encryption does it mean that we screwed probably not you can request from the vendors to try to TLS it or at
least SSL it with your certificates or just sign all request to the point of interaction in several cases you will be surprised that they can do that for you and um as for the consumers well except paying with cash um I think you can actually do a few things one of them is do not re-enter pin like ever okay you saw what we can do check what the forms prompt to you in general because sometimes they may request Social Security numbers and it's something that is acceptable but by um you know by these pin Peds and the last thing is try to use alternative methods to pay like um you know app based payments um
I'm paying with my watch um in that case no one can prompt me to reenter my pin or to get my CVV data well theoretically they may be able to do that but it's just worth additional research we're just skipping some stuff to the next year of besides so in summary um It's relatively easy to exploit point of interactions just because of the regular flow that we have there and um we can secure the point of interactions it's just a matter of um knowing what to ask from the vendors and that's the time for I don't think we have enough question enough time for questions but we can at least address the fellow ear we actually have
time for maybe one or two questions so so first talking to the guy that mentioned earlier about cvb2 remember when you're doing an EMV transaction if your card's in the slot and you pull the card out it'll cancel the transaction I think that's what he's probably referring to because you need to look at the back of the card for the cvv2 but because this is an active man in the middle and it can prompt whatever it wants it can do it whenever it wants so it can prompt for that before you actually swipe your card the average consumer may not even realize that it's not supposed to be happening so there you go hold on hold
on hi uh L constan gen new service I wanted to ask when you mentioned about uh prompting CVV data you you me you said that it sends an AP call and this is buil-in functionality is this particularly for the CVV or what you talking about inserting a screen in general because if it's about CVV why why is this functionality there doesn't so go ahead it's actually kind of both so the question was when we were asking for cvv2 and we said that was a built-in API call call where we talking about the prompt itself or specifically cvv2 so what's actually going on there is we use a a screen or form or input method whatever you want to call it called get
numeric and that allows you to provide a set of text to prompt with so we can just ask for basic whatever we want there it's customable it's customizable yes what n had mentioned at part in part of the talk was there is in some pin pads a white list of allowable prompts inner cvv2 is one of those allowed prompts in some cases you just need to uh to perform a card not present transaction so it's just one of the acceptable flows across the industry okay one more question one more question
thank you very thank you very much for the demos awesome uh if the bank issuer uh of the card and the acquire and the terminal Implement full EMV all these demos you just so showed are protected this is full EMV all of them full EMV this is full EMV yes yes okay okay thank you thank you all right round of applause please thank you up next in this track is beyond the tip of the iceberg fuzzing binary protocols for deeper code coverage thanks so I'm curious you were talking about like people physically hooked to a POI have you analyzed this at all in terms of manal Wireless attacks well we let me turn it off
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e e
Al uh both of them are with the product Security Group at Citrix uh and they'll be talking to you today about beyond the tip of the iceburg um fuzzing binary protocols for deeper code coverage uh let's welcome our SP our speakers please thank you well let's uh let's jump into the talk directly so uh who are we um I'm rtin he Alex we work with the product security team in Citrix and uh we do not have you know interest in very high level stuff we are pretty much down to the ground at the grassroot level so we like breaking into Network protocols we like playing with systems we like playing with applied crypto that's pretty much all what we do right
uh one critical disclaimer I would like to put any comments or U anything that I have to say or Alex has to say is all our personal comments nothing to do with CX so please don't blame them for that and uh I sometimes wonder why do organizations do that because it also means that the research is not belong to Citrix right that's kind of but anyway so so today the agenda is going to be roughly like this we going to start with uh where the fuzzing technology and its state is right we'll move on to talking about uh some of the modern code coverage based fuzzers AFL being like the top of the list so we'll
roughly touch AFL we'll talk about where what are the what are some of the issues we see in AFL and specifically when you try and apply that on the network fuzzing domain and uh how do we handle this problem in uh in this research so one of the things we'll be talking about is the definition of gate functions uh we'll come to that when we will talk about it how can a tracing be done at a runtime and that can feed directly to the fuzzer and we could use that for optimization so this creation of a feedback loop which we'll talk about we'll we will try and demo you guys a small PC with a toy example and then
we'll try and move into a real world example uh that's I I'll just just keep that as a surprise you know when that comes so fuz thing as we knew it right so this is where the whole world of fuzzing started so um a lot of people when we started fuzzing you know uh I started fuzzing uh something like a decade back uh when I used to be a semantic and it seemed always like you know this was the easy thing to do all you have to do is to generate a bunch of random packets send it across to the demon hopefully it will crash hang something will happen magically and you will not believe it
but that time it used to happen things have changed a lot so fuzzing used to be easy it's not that easy now specifically if you are targeting to do a more uh targeted attacks you know you want to explore certain code pass which is not guaranteed to be covered by just a randomly generated string or just adding like 1024 A's that's not going to happen now so as in as in when we are trying to Target specific functions like these days uh we have seen there are a lot of modular programming people are doing generated code so there's already uh there's already a framework in place and I need to add a new functionality I
would just go ahead and uh you know use that framework and generate some additional code and add it there now if I want to do a targeted fuzzing for this thing it's kind of difficult for me to do that just by you know random package generation so another challenge which we face is that uh during random package generation of by using generation or mutation or whatever you end up having a lot of test cases lot of packets which just get dropped you know really doesn't cross the basic threshold so doing effective fuzzing which could actually test the product or Target the vulnerabilities which we actually want to be Target it is not trivial it's it's uh well in the world
of fuzzing I think one of the first things that started happening was uh when we when people started researching was look into file fuzzing and there is a lot of focus which actually went into it so AFL hongus from Google some of these are like pretty strong examples of this area and I think AFL I think I'm personally very very impressed with now the ideas which these guys used was pretty pretty good unfortunately using them on the network world is getting a little tricky we tried doing that we not very successful there was there were some hacks you could try not so I think I'll I'll let Alex talk about some of those hacks but uh it's It's
tricky in the network fuzzing world we were still stuck with uh modeling of protocols you know so if I really want to write a very exhaustive good quality in-depth fuzzer first thing I have to do is I need to go through a documentation of that protocol if it's available if at all it's available and the documentation would be like some 200 pages of PDF file right and at bunch of places they will refer to another document which is another 200 pages right frankly I an engineer and I don't have the patients to read through documents okay it's a it's a weakness I have sorry I'm sure many of you share my weaknesses so it's really difficult for
me to go through and analyze all these documents write the uh fuzzer accordingly and even if I do that you know I don't have the guarantee that I'm really covering what I'm expecting to cover am I really unting the vulnerabilities so modeling of the protocols this is still and the network fuzzing in itself is quite slow because we tend to face some very practical problems like synchronization right how do we know that when we sent a packet to the server should we be expecting a packet back should we not be expecting a packet back not getting a packet doesn't mean the server has crashed you know there's a lot of uncertainty so inherently network fuzzing doesn't go as fast as file
fuzzing another thing is that we have all we always have a need for setting up an agent which sits on the server side which can keep detecting the crashes do some sort of a logging to identify what crashed where what happened it's so that is also another challenge we always Face bottom line when it comes to a 600 page of documentation of the protocol we always end up doing a blind fuzzing at best we will take stuff from the wi shark we'll take the packet we'll do some mutation and we'll send it across little less blind all right but not not very great so it's like with some some specs I don't know what is interesting to know to see
is that Network stack still happens to be the target of choice there are still so many Network protocols out there so many ports open on so many places and we still want to break that right so what we are looking for is a little more balance on the network side and not just on the file side so uh just trying to sum up things so historically what we have seen is there have been uh usually two kind of approaches which have been most successful you either do random bite FP bite flips with uh some sort of mutation like what Peach does or you could do some modeling of the actual protocol again what you can use any other the
Frameworks to do bottom line you end up running millions of packets and all you feel is that yes I have run like say uh 100,000 test cases and I could go and tell my VP that you know what I did this my my VP feels good about it that yes you have you have with 24 hours of fuzzing without crashing and yes the product is secure is it really well we'll see so I'll I'll let Alex take over from here and talk about some of the recent advances and what we are doing thanj so yeah I'll be talking a bit uh about how we do fuzzing today um mostly can you guys hear me yeah I think it just turned
on sure
here so yeah um so I'll talk about how we do you know fuzzing today and the you know the improvements which have been made over you know what MJ was talking about uh you know the blind protocol fuzzing just flipping bits so you know today um you know there's been some Concepts introduced in fuzzing you know through genetic algorithms basically where you know the idea is you want to retain only the best input and you want to be able to measure uh how much impact an input has on your target right so today we're capable of knowing that when you send a particular input you're going to know the effect it has on your target
binary right you're going to know if it's valuable or not and you know through these uh genetic algorithms basically you're going to elect basically a bunch of of species of inputs which are you know the best portions uh of inputs that you have to play against your targets so you know the general idea is that you mutate your best set of inputs you send them to the Target and then you measure you know what's called Fitness based on some heuristic I'll talk about soon which basically gives you feedback is this input valuable yes no and basically you take a decision further based on this right and then you discard or prioritize the input so now we live
in a world for you know file format fuzzing and and you know to some extent Network simple Network fuzzing where you know basically how valuable your input is to the Target right which is fantastic basically because you're not blind fuzzing anymore so generally what what Fitness function can you use um you know the general used one is is code coverage right so why why because basically you know code coverage tells you exactly you know what are the extra paths that you've triggered based on your input right so basically it tells you how good it is or bad it is for for your Target how much code it has executed based on that input right and so most of the
tools out there are able to measure code coverage right and that heuristic allows you basically to take a good or bad decision you know based on historical data so you know you can achieve this you know by doing uh by binary instrumentation through pin or Dynamo Aro uh we took the option of using pin for this you can do a bunch of static rewriting kernel proving or to some extent even the hardware can do it now today so how does this work so the the May the general idea is that you're going to model control flow uh using basic blocks right so if you guys have opened ID Pro or ID uh you know you're going to have a graph with a
bunch of blocks right so the idea is you do exactly the same thing at runtime right so you're going to disassemble and know and basically you know have all blocks of code which do not modify control flow uh segregated right so this tells you and then what you want to do is count the number of edges you have between those basic blocks right so if you see the orange arrow I put there that's a transition from one basic block to another meaning there was a change in control flow which means that you know in a programming language an if statement has been taken or something like this right and so the thing is when you retain The Edge count between basic
blocks uh it gives you a big set of unordered code coverage map right and the thing is with sets it's that they can easily be compared so you've got this gigantic set based on your input of what Cod coverage has been achieved and that's in a set which you can easily compare right so most of these Evolutions come from way back but all this was kind of industrialized through through AFL right so again AFL is amazing right uh an amazing Tool uh you know it's a battery included fuzer so it takes care of all the building all the you know instruments ation the minimization of the Corpus and all this kind of stuff so it's just brilliant right because it's
got this perfect balance between you know using the power of the build system you know through make or cmake or whatever you want uh you know speed you know through the fork server and all this stuff and through functionality the only cavat it has is that basically AFL by Design is meant to compare traces across runs right so it means that you run your target once twice you know until end times and the map comparison happens when the target exits right so the comparison happens across XX so this means that for Network demons it's a bit more complicated right and I'll talk about it a bit later also AFL has to get its data uh off STD in or off
a file descriptor right which is directly passed into the target so again I I'll talk about the limitations we try to address but you know if if you understand what I was just talking about a second ago you know the requirement that your target has to exit can be complicated basically for Network demons so again if you've got source code you know again we're not trying to replace what AFL has done uh because it's still the best option out there right if you have source code just get it to work on Packers right you can do it it's a lot of work you basically have to write some code write some rappers right handle most of the State uh you
know make it make sure it exits after its main event Loop and all this kind of stuff it's not pretty but but it can work right the problem is if you've got very tight coupling between the code basically which handles Network packets and pausing you're going to have to stub out a whole bunch of stuff right by stubbing out I mean that all the network calls you're going to have to mock in a sense right meaning that you have you're going to have to LD preload stuff which means redefine the way that Rec V for example Works read and write and accept and all this kind of stuff and this is you know prey does that if you guys have
have worked with it or you can use a bunch of linker uh of linker uh trips Bas tricks so all this basically to say that like you know for Network demons what we'd like is you know to keep the successful AFL Concepts or the Gen genetic algorithm Concepts you know as well as the code coverage feedback but avoid restarting the Target right because this would allow to get these Maps um at runtime right the thing is it breaks the deterministic nature of AFL so again uh you know we want to improve upon the traditional fuzzer you know so break the cycle of like I'm going to send a packet and I'm going to then probe to know if my target has
crashed or I'm going to ask my agent to know it's crashed which is quite slow and you know by borrowing all the advanced features uh from from feedback driven fuzzers again you want to do this during runtime and without the responding the target between inputs right so our approach uh we did a bit of work around this and we tried to at least start working on this problem um so it comes basically we we you know we observed and just uh thought about how you know Network demons work right so generally they're going to do a whole bunch of of startup stuff which you don't really care about right it's going to read a config file it's going to
isize a bunch of stuff and all these things right and then it's just going to wait uh for a con right so it's going to hang on an accept call or you know something different for UDP and then it's going to basically read uh read an input and from there it's going to get a buffer of btes he going to want to work on and pause it to make sense of the protocol and what's happening right and based on that paing is going to take a decision you know write back something out to the socket uh you know an error or some some validation so in this context basically you know what code coverage do you exactly care
about well you can kind of simplify this and discard everything all the initialization stuff just Chuck it out the door right it doesn't matter but the interesting stuff generally happens between the first read on the network and the right right so the whole idea here we're going to talk about is can you get those code coverage maps triggered during those specific cises so to generalize this you can call you know you can call these read and write CIS calls uh you know Gates right when when you enter a gate ciso you'll start the tracing right and when you exit the gate you stop the trace so the idea is that you're going to monitor a
bunch of CIS calls at runtime and when you hit one you start the trace when you exit one you stop the trace and the idea is you're going to dump that trace and give it back to whoever consumes it you know fuzer reverse engineering stuff or whatever it doesn't matter right and you transfer that code coverage back to the decision maker right which can take then an intelligent decision based on this code coverage data so again you can you can generalize this bit further right you can so the idea again is all this is only about code coverage right we don't bother about all the fuzzing stuff because the the mutation can be done by anyone at
any time and so so based on a defined gate ciso you know say X or Y you can again when you hit X trigger code coverage when you when you hit Y stop it and then dump the trace so this can be achieved pretty much for any CIS out there which has a relation right so this thousand feet view of this is you want to only track uh file descriptors right uh because they're the ones who tell you when the data is valuable you want to ignore right all the io happening so you don't want to care you don't want to start tracing when something reads a file or when something's like that you want to
generate the hit map at runtime only when the gate ciser are hits right and again as I said dump it to the fuzzer further so so I'll take the example of TCP here and how you can filter file descriptors for TCP right uh so you know the accept cull uh it it basically returns a file descriptor right that is then going to be used further for read and writes Etc uh the ciso layer so if you hook into the CIS calls and just look for anything for the accept and instrument it and get the return value of accept basically you can build a list of f scripts you're interested in without polluting that list with stuff
from IO the io layer right and so then you've got that list of file descriptors which you know are from the network and which you're probably going to be interested in and then you also instrument read and write and you figure out when read you know receives the argument of the file scriptor which is in your list then start the trace and when you hit right just ditch the trace right so here I've got a silly example right where file descriptor six is good for tracing and nine probably comes from the O you know the io layer and we just junk it right so so another interesting point about this kind of gated uh ciso
analysis is that your coverage maps are per read write gate all right so if you've got a connection which has you know many gates which is generally the case right you have a bunch of exchange and you're going to have a read and then a right back and then a ping pong kind of you know exchange for the protocol to happen well you can get the coverage map for each gate meaning that you can enter the protocol at different layers at different points in time and get the coverage map for that specific packet but it also has if you remember what I said is that you know those code coverage maps they're sets basically right so you can also aggregate them if
you want to have a macro view across multiple
Gates so this is the the 1,000 you know feet view of how the how the pin tool works so as I said you know it hooks a bunch of CIS skols right um basically all the networking cisal so you know accept read write close receive from send from send to all this stuff send message um and so on accept add the file descriptor to some list of stuff you're interested in a white list of file descriptors and track it across the furthest cisal right and then you can see my little heat map there which is basically what I was talking about before which is the edge count per basic block right and you can see that on the final
right or the Final close basically that heat map is flush out to something so for UDP um you can do basically exactly the same thing but track receive from track different CIS calls right this worked exactly the same and again I just want to say this that it's generalized you know you can generalize this to any possible sequence of CIS calls and you could come up you know as something you know a grammar basically to describe this and have runtime code coverage information based on some whatever runtime criteria you believe in so um so we wrote a simple a simple pin tool um called netv uh so its only job in the world is to do exactly what I
said uh is basically to generate the code coverage map based on the runtime data right and all it does it is that it waits you know it does exactly what I said and it will write the output to to a pipe right so it will flush out the code coverage map to a pipe where it can be consumed by something else and so basically you know it's it's the reverse kind of of the the fuzzing talks right right where you know before people used to say instrumentation is up to you right all this stuff well here basically the fuzzing is up to you all you get is that when you send an input you know the code coverage which
happened um it's got a sidekick called net call graph uh basically which just generates a runtime call graph so on the same principle of this uh you know those gated CIS calls you can generate a runtime call graph of what's happening so it can give you some interesting insight for reversing all this kind of stuff and I've got a really simple dummy you know fuzzing example that I'll go through a bit later which which uh shows this so again you know the point of all this is is just to to get people you know trying to think about Network fuzzing and get interest basically in it so you know it's a PC uh it works
relatively well but again it's got a bunch of of limitations right so it doesn't work uh for select poles um even though it could be adaptable uh there's no crash DET detection but I mean that again is a solved problem in the pin world so it's it's wouldn't be very hard to achieve the other the more complicated one is there's no uh address sanitizer right to catch out of- bound reads or rights so that's a bit more of a problem there's some work you know in the pin Community to get uh address and as I like tools within within pin tools which could be adapted here and right now the the heat map or the hit map uh
format is basically text based it's completely not optimal at all but it's it kind of works what it works very well with is multi-threaded demons right because uh it will work across Forks uh it will works with P thread and all this stuff uh you know because you know file descriptors happily are shared between parent and child so all this stuff works for multi-threaded applications the interesting thing also is that heat map is is per file descriptor right so it allows a form of concurrent fuzzing meaning that you can track you can have multiple instances of those guys and just uh do selection based on the file descript that it happened and well you know by Design its
mutation independent since it doesn't doesn't do any and since it's a pin tool it's source code uh independent right you don't need to to build anything it just you just dump a binary in it and it just runs it and does some stuff and it's slow because it's pin so again the net C flow so you've got a client which is a fuzzer and you can see the orange uh lines basically show you know the protocol exchange with a demon and then the red stuff is the coverage map return by net COV back to your client so I'll do a super quick demo here so I wrote a super you know a silly silly uh demon basically which if you
can see the code uh it just looks up for magic you know characters inside a buffer right so it's a bunch of nested branches just to show my point that code coverage uh increases right when you send the right the right value at the right spot I'll try and put this here
so sorry oh yeah would see it right
all right so here um I just started it on on you know the dummy program I was talking
about and here I'm just going to listen out on the pipe right and see what happens um so if you just Echo something back into it right um right if you just Echo something back in you'll see that here it spit out some stuff right so this is the code coverage uh information when you send this particular packet
right no I need that no I need it
all right so again if you just send the same thing here you can visually see basically that the code coverage doesn't change right the Ed count Edge count is constant right so uh if this was a fuzzer basically I'm a manual fuzzer here just doing some stuff you know if I if I add an a you know randomly by having lock of bite flipping stuff you know here I should take an extra Branch as I was saying and basically see the code coverage increases right um so the whole point of this is just to show that here you get feedback at runtime uh for this kind of stuff based on network connections so again if I if I put a b
I'm going to take a new Branch Etc and all this stuff right right so here it's just you know to give an example to visualize what's happening uh and to see the to see the code coverage map increasing one other interesting thing I want to show you is that um I added one parameter which basically is used as a loop boundary
um so here the last parameter three basically is used as a loop an upper Loop boundary right and what happens is that you're going to see that inside the coverage map you're going to see that that edge count increases so you can know also when you're covering when you're controlling the upper bound of a loop boundary right so if you look at this uh I know this is a bit abstract but basically here you're going to see this number three which will probably change meaning that you're controlling a [Music] loop so if I change this to 15 for example it should do more iterations on that edge oops so again you can see here that
that H count increased right so it's just to show that you can also have uh fine grain control and and view actually that that edge count increase and when you control the top of a loop boundary right let me get back to the slides
so I just wanted to show a quick example of um of the net call graph stuff I was talking about so this again is is something which was drawn at runtime so if you s if you look basically this is um a view of that dummy demon uh between a read and a write right so these are the operations it does so you can actually visualize this stuff and and dump it out if if you're interested in doing this so I wanted to show the process basically you know I showed you the manual uh you know manual fuzzing stuff so I wrote a very very simple fuzzer based on this where you know it's just
the Charlie Miller algorithm where you just basically bite flip random stuff and you want to see it increase in the code coverage right and start finding the correct inputs so I'll just show this very quickly um
so this is my very simple fuzer which she basically which is going to get some feedback uh right so what's happening here is that uh the fuzzer is just trying a bunch of random
mutations right and it will take its time but eventually it should be able to bite flip the bite we're interested in and start finding code coverage entries if this takes too much time I'll just skip it but basically you should see this guy um suddenly when it finds the right input that will start uh basically finding that the hit count has changed and
increased all right so since we're running a bit out of time I'll just uh skip
this okay so all this to show that like we can have probably better tools uh for code coverage and you know for fuzzing Network protocols there's probably some Evolution we can work on here to get similar technologies that are used for file paing can be applied in the networking world and uh you know hopefully that that can help us uh find bugs quicker and mostly be more efficient at fuzzing this kind of stuff so now I'll I'll um I'll pass it over to MJ who'll talk about a real world example basically based on the on the RDP protocol and he'll quickly discuss you know how you know reverse engineering and the fuzzing portion of this you know tightly integrated and and
can work together thanks a lot thanks Alex all right guys um so uh referring to something I mentioned earlier if I Could Just Kill Kill the whole idea of reading my documentation to assess what the package structure looks like and I could get a fuzzing ready information about the packet I think that's good enough for me to write a fuzzer so what uh what we were trying to do was to see that for the RDP protocol and RDP I think everybody knows about it right so for the RDP protocol uh is it possible for me to extract the packet structure using the feedback loop and come to a level where I may not know what each bite
represents but I should have a fair idea how to First that bite right so that's the kind of demo I'm going to try and do here hopefully hopefully this will work so all right so RDP is the uh is our regular Windows remote desktop protocol and uh that runs on 3389 uh it has lot of variants on the Linux world now there's a xrdp which you can find on the Unix environment and RDP clients are available practically everywhere so it's kind of a nice protocol and frankly uh you know some point I want to hit a CV on this one but let's wait on that one for a moment so uh this is what I did uh from
uh this this is a small uh PC around Net COV how it can be used so at a high level uh what Alex was telling was how the net COV Bly tracing works on the server and it puts all the data in the pipe the the pipe name over here is uh temp net COV and uh from there the binary Trace which is basically between the receive and the send system calls this is given to a fitness function like any genetic algorithm you will have some heris stics around it so the heris stics that right now is being used is just the count of the number of edges which is being covered so yeah it's not the
perfect one but then it just gives an idea of how many edges have we been able to cover now that is a fitness function which kind of sends back the feedback to my client side so this this dotted line basically divides what's on the server and what's on the client on the client side I get this information based on that we modify the mutation strategy and the packets will be muted accordingly so everything uh which you see here the rest of it is pretty obvious except the input is something which uh uh which is read from a wire shockk Trace so just to make life simpler you can put a wi shark somewhere take RDP connection dump put it in this
tool and it will automatically generate the back structure and give it back to you so if I have to use this whole tool a little differently you know maybe to do fuzzing to uh improve on some heuristics it's the green boxes which I need to play with you know a better Fitness function will typically give you a better result on something similarly based on that the mediation strategy will have to change right now all I want to do is to understand the structure of the packet so it's basically reverse engineering the protocol uh the packet structure if I want to do fuzzing the strategy has to change a little bit one of the biggest challenge that uh
usually you know I faced with this whole Automation and you know we were we were struggling with that a little bit was a synchronization problem because you know uh you send some packet you don't know what what packets to receive sometimes it just goes out of sync packet drops all kind of things so I'm not going to go in details on how to solve that that's more triv engineering so let me just quickly do a small demo and let's try and see what we are looking at
all right so I have set up a small shell script which
basically so all that this guy does is that it uh kills off any RDP which is running and then just attaches the the net the net COV uh client that we were talking about here this tool it attaches this thing to our xrdp binary and there is a flag to it with a minus M here which basically marks out which is the module you want to trace for fuzzing so usually in the real world they're going to be like uh you know 10 20 modules which are dynamically linked and if you start tracking each one of them you could actually end up with a lot of graphs which you really don't want to analyze that me may not even be the code which
you're looking into right so you can actually choose which is the binary you want to uh look into the trace for over here it is lib xrdp which is the one I'm looking at and that's what's it's going to
do all right so the attach has been done that's good now all right the server program basically over here collects the data from uh the from this pipe where the output will be written from the trace and it's going to analyze with the fitness function and this is the guy who's going to send the trace back so that is fine and the final part of it is our so this is the analyzer so what we have done is that this is the PF File which it takes as input and typically you know the the pkf file can be taken anywhere uh between any client and server and you might want to Target something else so a small thing I added
was to just have to mark which is the IP address which is acting as a server in the pkf file and what's the Target right so they can potentially two different IPS so what this basically does is the small uh thing which we are doing here is that for each bite so this is the first packet which you are seeing here and if you see uh the bite which is being flipped right now just serly goes from uh one bite to another and what it does is that for each bite it takes the value as 0x01 and in the next iteration it takes 0x FF so what we want to do is to enable all the bits or disable the bits and uh
see if that changes the control flow somewhere what also if you see a little bit here is that at Offset you know over here the control flow changed we were able to go deeper into the code and so after all so uh so let's say if you have a 30 by payload what we are talking about is 60 iterations of that packet so two iterations per bite and we get an idea of what it looks like and then it's all about a little bit of massaging but the final result that it it so the packet structure that it looks like is something like this what does this really mean let's just try and look at that for a moment
so coming back to the so yeah so when I send this base packet this is roughly what our Baseline looks like and uh this is something I forgot to show you guys so if you see in the in the trace here you know for each packet this is the trace which is coming in so if we go right at the top we will as you let me just show you that one Trace so if you see here the first bite bite zero is a control bite a control bite basically implies that this is something which is changing the control flow somewhere and we are probably expecting a different code coverage than what was there earlier so and that's
pretty obvious based on the coverage length here this is the coverage length where usually the next bite which is a data bite so you can just see the size of it right how different is this just basic just you know visual inspection can tell you that there's a code FL difference so coming back to the slides yeah so at a high level this is something uh you know we using the same text based format on identifying the code coverage the results which uh actually we got is something like this so what I wanted to do was to take a look at the xrdp protocol specification I didn't go through the whole 200 Page document but yeah a few pages is okay
right so uh what's inter thing is that if I have to understand if I'm getting the results properly or not I wanted to verify that with the first you know first five six for the first six to seven bytes that should give me a fair idea whether we are going in the right direction right the rest of it is Data so the uh this is the X the RDP specification so what I'm primarily interested in is in the T packet her which is a 4 byte thing and then there's x24 C RQ which is 7 by after which there's a lot of variable field so that all goes in data I'm not too worried about that but primarily it's the first
11 bytes which I want to look at so let's take a look at the first four bytes for a moment so this is the T packet uh uh herror the first octet which is the first bite it basically talks about the version number and uh the protocol is different based on this binary value which makes sense because our first bite did actually turn out as a control bite and it was actually changing the direction of the flow B based on what this value was right logically makes sense the second octet is basically a reserved bite nobody really uses it today so it kind of just goes off as data it doesn't change the control flow
which is exactly what we found the next uh two bytes turns out as the packet length it's interesting because what we are doing right now is just a simple mutation of the packet and therefore the length of the packet really doesn't change and also it's interesting to see that this these two bytes is turned out as a magic here so when I say something is a magic bite it just implies that if you flip this bite the packet will be dropped right so basically if I have to make a rough assessment of what I have learned till here is that there's a very strict verification of these two bytes and they verify whether the packet
length is exactly matching this value or not right something that I could learn just from this much let's move ahead the next set the next set is uh the first bite which is the bite number uh four here actually bite five offset four that's the length indicator field that's another one by length thing but interestingly uh this is the length for this header only and it could potentially change because there's a uh there are a lot of data after that so this still acts as a data it doesn't change the control flow anywhere the next uh bite two is basically broken into two uh you know so the bite is broken into four bits each it it has two
different control structures in it so that specific bite is still control bite and the rest of the thing is set to zero or it is referenced in something but eventually that is not something which is changing the control flow well uh I feel good about it after doing this analysis so because now at this stage I know that from the first packet the mutation of the first bite is going to lead to a change of control flow three and four are going to be a length field which should not be played with unless you know you actually going to change the length and it is also sure that they are verifying this length now bite five is something which
is also length but they are not really you know enforcing it somehow so this is a place which could actually potentially lead to some kind of overread or underr or something I would like to play with with this one frankly and by 6 is another control flow and by 7 to 38 is all data what this implies for me is that now I don't have to fuzz this in a linear way where I could fuz one by at a time but I could differentiate all the control bytes together and all the data bytes together and this is basically the product of the number of use cases which I want to F so for each control bite mutation I could
choose all the mutations of the data bite and I could potentially reach to a different location make sense so with this kind of information who in the room cannot write a fuzzer right so I'm not going to do that so just for a conclusion let's take a look uh there's a lot to do in the network fuzzing world and what we have just talked about is just a glimpse of what can potentially be achieved by this technique this is just to invite the community to start playing with this and uh yeah that's that's pretty much it thank you I'm open for [Applause] questions few questions yeah does anybody have any questions for our speakers if you do come on up and get
the mic not having questions is never a good sign so I was really in a bad accent today all right thank you gentlemen thank you thanks a l [Applause] the sessions will pick back up here at
4:30
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e e
we have two minutes then if you want we can take extra minute see com yeah start as yeah know I I I'm I'm okay with waiting for a couple of minutes to let people come in yeah know you're call you will be getting 2 minutes L that's the only thing it's fine if I get more people in yeah they not miss the yeah
okay for
how are we on time so we uh the topic which I have is different than what you have mentioned yeah um it's actually the same thing right we're going to talk about should I read out the slide what I have where is it uh there we go programs are evolving um yeah know whichever I mean you can while we have this on the uh on the on the projector here we might as well use this but we're going to talk about the exact same thing it's the escalation processes that commodity malare in which commodity malware converts into targeted operation then I will mix both of these sorry I mix both of these that's fine that's
fine
let's go for it yeah let's go for it
check hello good evening everybody welcome back you are at Florentine a for a breaking ground session next we have is Operation escalation how commodity programs are evolving and uh getting into advanced threat we have our speaker Israel Barak uh please put your hands together and welcome our speaker thank you for good afternoon guys my name is uh Israel it kind of gives away my uh country of origin um you know I uh I I come from Boston and when I landed here in uh in Vegas I got out of the out of the airplane I felt the nice breeze outside it kind of get gave me a good feel of home so um you know it's great to be uh
to be here um today we're going to talk a little bit about um processes in which we see uh commodity malware or low-level threats that we are usually used to uh thinking of as untargeted convert and convert very fast actually to highly targeted operations and we're going to discuss a little bit the question of whether or not we should classify incidents or threats that we see into targeted versus untargeted as part of our instant response methodology specifically specifically we're going to talk about how black market trafficking of compromised Enterprise Computing resources actually affects our instant detection and response procedures right this phenomena is actually what supports this rapid conversion of many so-called untargeted threats into targeted ones
and we'll drill down into that aspect of the industry uh as much as our time
permits so generally when new incident is detected traditionally before we were used to using the term targeted um typically uh security Executives the ciso or the U stock manager would try to estimate what the impact of the incident is on uh availability of services on uh uh data organizational data and based on this try to gauge the importance of the response to that incident now at some point generally pretty much every piece of malware in the market including uh uh click fraud uh and adware kind of converted into something that is a full-blown remote access tool and so the general question of what is the potential impact of the piece of malare that we're seeing here
on the availability of services or potential data loss in the organization the answer was well there's definitely a potential right the tool is capable of doing that but that answer was not something that organizations could manage their prioritization processes with and so people kind of tended to adopt the term targeted right and the question became is this a targeted threat or an untargeted threat that we're seeing here I.E trying to gauge the level of of of probab ability that the attacker actually intends right to steal data off of the organization uh organizational capabilities as opposed to something that a user kind of quote unquote randomly caught as they were browsing the web or reading their
email but what we're going to see is and we're going to talk about is how commodity Mal right can quickly transform into a very targeted operation which can happen well based on some processes that we'll see here between hours and days from the moment of of
infection to address this topic we would first talk about the uh Black Market machine machine trading industry and we'll drill down into that and get a good feel for what a black market for machine trading is how it works the exact methods of operation and what the targeted attacker can find in one of those platforms we'll look at the uh processes for valuation how do sellers valuate machines and as a result of that what would be the characteristics of what they would do when they offer machines for sale we would see uh what kind of tool sets these sort of marketplaces offer their sellers and buyers as they transact and we'll talk about some of
the tools techniques and practices that are common to this triangle of sellers marketplaces and buyers right as they transact we review a specific case a specific threat that we've analyzed from the attacked organization's perspective in which the commodity malware operator actually offered it for sale and and went through the process of being sold to a a targeted actor and we'll see how that looks from the attacks organization's perspective and we'll kind of summarize all that information all that data in a few uh maybe conclusions on how security operations centers can actually detect that these processes are taking place within their
networks um a few words about uh my background um I originally started my career with cyber security in the Israeli Defense Forces I head of the Israeli Defense Forces red team I then uh went on to uh found a cyber security Consulting Group which was uh kind of gave me a much more interesting perspective about both nation state type threats and organized s uh cyber crime groups we incorporated that into City Group at a layer stage and I'm currently the Chief Information Security Officer of cyber reason let me uh before we kind of progress let me uh direct the question to you guys have um have you guys had a chance any of you guys
to buy or sell compromised servers or endpoints online anyone let's go with buy you know it's the more uh it's a less less less problematic position to be in so no okay so I'll devote a substantial amount of our conversation here to understand EX exactly how these marketplaces work and what you would see both as a buyer and as a seller when you transact with these marketplaces one of you know in my in my perspective one of the uh most uh interesting uh marketplaces for um for the uh trading of compromised uh compromis servers and endpoints today is called ecstatic have you heard the uh term the word the name so one thing I would suggest before
we drill down deeper into this I would advise every security professional to get very acquainted with these platforms just like we're getting very equin with attack tools and pin testing platforms going into these platforms and understanding how people put servers and endpoints for sale and how does the tool set work how does the process of transacting between buyer or sell buyer and a seller works I think it's it's fundamental to the understanding of how attackers can get a direct line into the organization without going through fishing attacks right or Watering Hole or malicious attachments they can just get a server in the data center with five minutes of work we'll see exactly how that works but I would advise every
one of you to you know that takes interest in this to uh try the platform for you can also see the URL there ecstatic. Biz it's not even a tour uh domain it's right out there right so the business has commoditized people like ecstatic have really commoditized the business of transacting on compromised Enterprise resources uh and we'll see exactly how how much they've commoditized this Market as we uh as we go in so um one uh note here before we go in some terminology compromised machines on these platforms are typically not referred to as machines they're typically referred to as rdps or SSH is I'm selling and buying rdps right typically it's because these are the
most common communication protocols that you would find with these machines and we'll talk about the reasons for that okay so let's uh look at what we have here at
athetic I don't know how well you can see uh and especially in the back lines there but there's a legal notice here at the bottom can you see it right here resolution is not so great but let me uh read it for you it says warning if you're a company representative and one check you can really kind of hear the thick Russian accent there and one check your uh firm IPS for uh existence in our database send email to provide your firm IP etc etc so what guys say basically if you want to check if you're part of our database just send us an email what do you think by the way would happen if if
you sent them an email sorry of course you're part of the database right there are 15,000 us machines on that uh platform every day of the week of course you're in their database by the way um but what else would happen so let me tell you something and I think it's something interesting and you kind of get to learn this as you work with those guys there's such a thing as honor between thieves right if they say something they mean it right if they say that they're going to get you off their data set or off their database they are going to get you off their database but that doesn't mean that a second after you don't appear on one of
their 12 other databases that appear under a different name and not athetic that exact that actually is exactly what's happening right so they will take you off and they have this sort of creative interpretation of the legal reality of what would make them not be liable for these transactions anyway just an anecdote Let's uh try to register an account well it says you're a worrying to get the access in the shop after registration need to load 500 bucks and only after this You' be able to use a site whatever so one of the things that you see here is they uh you know they they like to use uh uh tools like jabber for uh for
communication typically it's perceived as a relatively private or relatively privacy oriented tool and here on the bottom there's a reference part right as part of the registration process the question is how did you find us who recommends it's kind of a remnant of the old days of of compromised resource trading in actuality there so many people involved in this operation it doesn't take any effort right to find someone that fits this profile of someone who recommends you it's pretty easily you can uh you can go in and so we're in um so one of the things that we can do here is we can uh scroll through the list of compromised machines here and and kind of pick and choose what we want
to buy on an average day worldwide you'd find between 30 and 40,000 machines on this platform on athetic similar number you would find on platforms like uas like uh black cash so couple hundred machines they're pretty unique by the way and they don't interchange right they don't uh they don't contain the same the same machines on on multiple platforms they're pretty synchronized so a few hundred machine 100,000 machines worldwide on something like this between 30 and 40,000 a day um but before we and you obviously you can search for the platformer of choice based on the type of Provider that you're looking to uh to gain access into region etc etc but maybe before we kind of sink our teeth
into this uh into the actual meat that we have here that's the tool set that they offer and the uh actual machines there are for sale uh let's look at a few words of wisdom for this uh from this Marketplace operator and the idea again is to figure out understand the state of mind understand the ttps the methods of operation that will help us at the end to figure out how we can detect these processes happening in an Enterprise environment so let's uh look at a few uh words of wisdom code of conduct right there is such a thing even with with a black market like this um essentially what you see here is a
set of simple rules but I think uh in uh an in it's it's they basically Define here the value proposition of why would you buy rdps and why specifically would you buy rdps from ecstatic think it's uh interesting to to see that last line here just as a an anecdote of stolen info from rdps yes many rdps have a lot useful info about people and companies and can be sold at Black markets at a big price again a thick Russian accent there uh you can kind of uh imagine the the writer there um but um but that's the first part right a value proposition
so next thing when people get rdps is using rdps legal all rdps what can be found in Internet forums is not legal right but what they're saying is they give you this this sort of tips right and they say you must be careful with an RDP using main rules is if possible patch RDP will look at those tools in uh in a moment these marketplaces and athetic specifically offer a specific set of value added built built uh independently built tools to increase the value of transacting through them we'll look at the uh these tools the patch RDP and create your own account at it and uh etc etc uh not really using your real IP when you
connect to your bought
rdps another uh set of uh of interesting uh words of wisdom here basically saying we're not the owners of those rdps we don't know where they came from and who they are right and you'll see these translate into the search processes right when you s when you search SE for specific targets you don't necessarily search by name of the organization because they don't want to be perceived as knowing who this asset originally belonged to
right fair price trading of course you buy and sell at a fair price based on their understanding of what a fair price is interesting concept they've actually introduced this concept into the market you can be become a reseller right so if you buy a set of rtps and you don't need them anymore you can go back to the platform and sell them this uh Bud obviously you can see here but don't be so happy yet right there are a bunch of caveats here caveat number one 80% commission and there are a bunch of other ones right but it's actually a growing Market reselling of of purchase idps is is is a growing market and and e
static is really pioneering that market okay next piece of code of conduct and that's what I love about this is really they've taken read the manual procedure into really where it should be right and you can see in the middle we checked your requests typically my credentials don't work or my IP doesn't work I can't connect to the the RDP that I bought so if we check if we checked it and it turned out to be false and user just user is stupid or too lazy to read this right by this the FAQ right first uh First Strike Warning Second strike we deduct money off of your account third strike we take all the remaining balance in your account
and you're out of here so they've really taken the uh read the manual into the uh the appropriate level right think what would happen if you try to implement this this method in your organizations okay last piece of the code of conduct and that kind of gives us an idea on what you actually buy from the platform what you actually buy is an IP address a port number a username and a password so that's what you buy the seller is really responsible to set up whatever is required in the background for you as a buyer to connect to this to an RDP based on these connection parameters and be able to connect to your Bot machines and we'll talk about
the implication of this as we model our detection strategy right because it's very now that we've seen this we can assume a lot on how the command and control infrastructure would look like whether it's going to be tasking base or it's going to be a heavyweight protocol and we'll talk about this uh a little later on in more details okay let's talk a little bit about the tool sets that a platform like athetic there by the way the different platforms are pretty similar in the type of tools that they typically offer so a platform like athetic offers tools that would ease the transaction of buying an RDP and increase the value that the buyer can get out of a bot asset so this
tool specifically is a tool to convert a bot RDP into an anonymous proxy a socks a socks uh service basically wrapped up into a fairly uh fairly straightforward UI um next one is RDP log cleaner so if you bought an RDP you want to make sure that you cover Your Tracks after each session then you get this nice tool here but really the uh uh more interesting stuff are the next two tools this tool actually helps you evaluate um if your the server or endpoint that you're about to buy was blacklisted by someone right so you wouldn't want to buy an RTP that you wouldn't be able to use and so they run it through thrw detection mechanism to
see if anyone had actually blacklisted that IP whether it is for spam or financial fraud or credit card related fraud or anything else so that's a obviously it's a paid service where you pay per uh per transaction in this case not a big deal 25 cents another tool they offer is to make the most out of endpoint uh rdps the thing about RDP obviously with a Windows uh endpoint machine is that you can't have concurrent connections of the same user right so when you look at you know two users trying to log in as administrator they would kick each other out and so the question is how do I buy an RDP into a Windows 10 machine and when I connect
as in the administrator that I am after all I bought it I don't connect the legitimate administrator so they would notice that someone else is using that machine and when they connect they don't kick me out and so these guys as at athetic they both a patch for RDP that's for the sellers typically to install what it does it it basically patches the RDP service so multiple connections of the same user can exist on that machine and these are the type of tools that you would find in a large in a large Marketplace like uh like ecstatic any questions cool
okay so let's look at the uh at the actual server list right and and see how that works the first thing you do you know the typical targeted attacker is is kind of like a kid in a candy store here right a lot of targeted attackers don't necessarily come into that store looking for a specific organization organization X many of them come into that store because they look for intellectual property or they look for credit card information or they look for Social Security numbers or they look for healthcare related informations or uh um medical insurance information and a variety of targets would fit their profile they just need to see what opportunities exist here and so they go
into this platform and they start looking around so if you start looking at you know I want machines in specific organizations you know I just put in us here but you can find guys like T-Mobile us you want a machine with T-Mobile it's not a problem that's on their list um if you uh let's keep going if you're interested in uh in uh in Verizon it's also not a problem um if you're interested in the variety of BS there's a long list here when you look at kind of filter all the machines that they have worldwide into US machines only well about a week ago this filtered to about 15,000 machines in the US and
it's a combination of servers and endpoints endpoints are about 15 to 20% of that the rest are servers um a big mess of that would be on cloud uh Cloud providers AWS azure IBM Rackspace other would be physical servers distributed all around the country and again you can check it out I invite you to uh take a look at the list and see if you want to buy something uh but let's look at specific examples and see how simple that is we have here um a machine actually being uh resold by someone for $30 uh in Washington Seattle University of Washington I if if anyone's interested it has an added value feature here right and you can see how they build a value
right in this case they tell you listen it's not only in the University of Washington so if you're looking in at stealing intellectual property that's probably a good base for you to start in we also tell you which software which software tools are deployed on this machine which websites they visited and you can probably find credentials cached on this machines for these uh websites in this case they tell you it's a point of sale machine in the University of Washington maybe in the student registration office so you can kind of enjoy all worlds right you can try to take this machine for intellectual property right and for data breach or you can try to just steal credit cards
off of that machine and um let's take a look at another example in this case uh a server from uh Phoenix sold for $14 E Suite any want know who's who these guys are credit card processing Services if you want to buy a server in their processing service it's sold for $14 right now
so here's another one Bristo word Virginia have you heard about this company it's a server in their server Farm M Microsoft Informatica so if you're interested in intellectual property from those guys if you're interested to potentially change uh change their product and propagate malare into the customer base it's right there for sale how much was it $14 that's not a big deal it's not a big deal for the targeted attacker a platform like this is just they just go in then they Click byy byy by byy by an attractive machine would disappear from this platform within two to three hours and when we go back to the uh the security operations center organization that the detected an
incident of an adware running on one of their machines and deprioritized that incident to the bottom of the list to be taken care of maybe next week and you consider the fact that if that machine exists in an interesting platform and the organization that operates this ad is sophisticated enough to have a server or machine reselling operation and most of them do especially the sophisticated ones it's going to be sold for a much more targeted actor than that adwar operator in less than three hours and what that buyer is going to do is it's a different question and when they're going to decide to
operate Oregon $13 Intel Corporation anyone interested in that in some of their intellectual property maybe modifying some of their security software why fish someone right when you can just buy uh 2008 R2 server in your data center in in Oregon for $13 it's not even worth the uh the the minute you spend thinking about it you just buy it and it the list goes on and on it's an endless list right in this case University of South Florida pennsylv if you're not interested in South Florida what's that here Washington DC a Windows 10 machine sold by our dear seller Mr Obama here uh for 850 bucks that's a big number that is a big number for a
machine this guy has a reason to believe this machine is extremely valuable this platform is a very powerful social network you can communicate directly with the sellers you can book servers Reserve servers from sellers you can have the first right of purchase from a specific seller if you believe that this guy is providing quality content right or quality access so a person or a hand Mr Obama here would not price a machine would not overprice a machine if they want to continue to be in that business again it's the honor between thieves type thing so Washington DC an interesting machine when Windows 10 being serviced in this case by Comcast business anyone said maybe uh a machine at the
DNC good question maybe it's actually in on the Trump side of the
business any questions on what we've seen here before we move on sorry are you can pay in different currencies you can pay in Bitcoins if you want but the thing is uh when you charge your account everything gets converted to dollars whichever currency you pay it gets converted to dollars in your wallet and then you use whatever you have in your wallet to buy those resources what was the question the question was why is the currency here dollars and not stuff like Bitcoin
um interestingly enough these platforms adopt a lot of the e-commerce practices as it relates to identifying fraud so if you'd want to use anonymous proxies to pay those guys you would see that in most cases they would block you because they're concerned as anyone else that they're the money that they've given you or the credit that they've given you is going to be rejected by the credit company so they they actually take you through a lot of the traditional e-commerce payment method verification processes uh and the uh fraud uh analysis any other questions on what we see here
okay so a few uh a few uh statistics right just to get a feel for what the numbers are and you've you've already got a sense for what the numbers are but let's talk about what aspects of the resource that's being sold impact the price that would impact the actions that we would see the sellers doing as they prepare a machine for sale because they want to up the value as much as possible so the most basic features that would up the price by approximately 50% um on the commodity price which is5 to $10 per machine admin privileges that's that saves a little time public IP that means I can use that I can use that machine for setting up
proxies VPN gateways I don't have to use T specialized tunnels or C2 channels to get to it I can use it from anywhere in the world and network bandwidth it has to be a significant amount of Network bandwidth to actually impact that price Next Level which would add between 50% and a th% to the sales price is the type of software that's installed on the machine and the applications are typically websites that they had accessed actually suggesting the type of usage right if it's point of sale there's something I can grab off of it if I see access to multiple uh banking applications there's something I can grab off of it right so these have a
nice impact on the price the jackpot just like we've seen with our friend there Mr Obama is Enterprise affiliation that would have a massive impact on the sales price and that is why you would see uh crime organizations like the one that uh operate adware or click fraud tools devote a specific part of their operation just to go go over the machines that they have under their control figure out what is worth what every one of them is worth especially the Enterprise Associated ones and putting them out for a sale because in a typical click fraud from a typical click fraud machine across its lifetime you would make somewhere between $5 and $20 per machine but if you can sell it here
for $1,000 or $1,500 some some machines are sold for three5 S then that's a major difference in your Revenue
stream so just a kind of a last anecdote on the data that we've seen off of this uh off of this platform uh the top five states in the country that host compromised machines for sale I'll give you the first four and I'll be happy to take gases for the fifth number one is the state of California 21% of the us-based machines offer for sale are actually based in California New Jersey continues the list New York and Texas who would you say is the fifth state sorry nope nope nope it's gonna be amazing I I found it amazing
no go figure go figure it but it is what it is they have the exact same percentage as Texas and New York so I don't know why that is
yeah microft dat well there you go I just thought it was kind of the stubborn approach to cyber
security okay how does that look like when this process is actually happening in an Enterprise Network from the attack organization point of view so we're going to talk a little bit about a set of incidents that we've seen uh that happened uh with a specific type of of Click fraud organization so typically in in in an incident like this and we've seen multiple cases of of the same of the same uh the same uh process driven by the same actor we typically start with an untargeted in this case it was an unknown Fess click fraud tool that affects several several machines in the Enterprise Network uh typically the detection here was based on malicious use of of
Powershell and uh Mal work communicating with known let's just see2 domains or or IPS almost instantly right when you see this sort of characteristic it gets deprioritized by uh by a typical sock right there are you know there are worse types of of malware there more targeted operations this is just a click fraud tool you can see the communication pattern there it communicates with a variety of ad uh add platforms it you know really goes to the bottom of the list but then in the organizations that we've uh that we've worked with on these uh on these cases the stock typically continued to monitor the compromised machines uh automatically and they also in parallel blocked access to that known
C2 address that they found the uh The Click fraud tool communicating with but on average about five days after that first infection one of those machines right typically the operational profile was take one and start with one of the one of the sets right one of those machines stopped uh to stopped attempting to communicate with the known C2 and was detected performing domain generation to establish its next uh next version of command and control and after that it communicated with an unknown C2 uh infrastructure now the second upgrade that we saw here as the organization here the the operator here of the click fraud tool converted that machine and prepared it for a sale process the
second process was to um change the profile of the C2 Communications so it only occurred when the machine was apparently outside the corporate Network so if before that the C2 communication would happen all the time obviously get blocked by the organizational setting of BL of blocking the uh C2 uh the the C2 IP address now communication only happened when the local IP address started with 192 168 or 10 right typic that happened when that mobile machine was out of the corporate Network and so the C2 communication went un interrupted and that is typically not something that you see from a broad uh broad uh completely automated operation that's typically something that you see as a
result of a certain analysis that's done on the attach side on the machine that they're working on
next stage would typically happen within the next 24 hours during which the C2 communication profile started including downloading and uploading significantly more data from the uh from the compromised endpoint tool and included escalated uh privileges to local system if beforehand The Click fraud tool didn't require those privileges in this part of the operation the uh tool escalated its privileges to local system so if before we saw communication profile that kind of match the average click fraud in terms of web traffic regular web traffic of hitting web pages and clicking clicking uh buttons or links afterwards we saw very significant bursts in the communication profile and that could indicate obviously downloading of additional modules onto that endpoint a heavier protocol than
just a simple tasking protocol call or uh or exfiltration of broader system information from the client side towards the uh towards the attacker Next Step that we've identified on these machines is that the attack tool injected code and migrated itself into a specific process in this case msdtc um we see here an example of one of these processes after being migrated into communicate Ates with the command and new command and control infrastructure that was established by the DGA one of the reasons by the way to migrate into a process like this is uh is dumping credentials in under certain platforms you need to operate in the context of a built-in system service to be able to extract credentials out of
that machines that's in many cases the reason to migrate into a process like this
so let's try to summarize what we've seen into a set of uh of uh let's let's call them uh uh uh um rules or or um or uh or characteristics of how a seller Marketplace buyo relationship would look like right and see how we can dve detection mechanisms based on that so in terms of the command and control most of these marketplaces would actually work with protocols like RDP and SSH for the command and control or for the transactions that take place the transfer control from the seller to the buyer they're continuous you typically don't risk losing access they're very reliable they're Auto verifiable which is extremely important because the marketplace wants to make sure
that the command and control Channel works well before they transfer the ownership to the buyer so the buyer would not go back to the marketplace and say well that doesn't work it's I've tried it it's not working that way the marketplace can always say I've tried that right before you and it worked great so at tasking based C2 command and control especially proprietary ones that are built by the attackers are not necessarily a great fit for this type of offering right even the attack the uh uh uh thread actors that have custom ba custom uh uh tasking C2 uh packages typically add RDP based or ssh-based functionality prior to transacting on these machines to make the transaction a
lot more smooth obviously once the buyer goes in the C2 communication profile is changes to whatever the buyer wants it to be unless they resell and then it goes back privilege escalation it's important to get to that first level of value an admin access is worth more than an unprivileged account so even if you don't require access for your adware if you don't require admin access for your adware if you want to put it up for sale you want to maximize the value on it you should probably escalate your privileges to uh to local systems enumeration of of installed pieces of software and browsing history so you can populate your value proposition on these marketplaces saying how valuable this
machine is is something that you want to go through as a seller so given these characteristics we can put in place a few detection mechanisms that can help us surface right that these processes are taking place right obviously as security operations can prioritize everything especially not threats that are perceived to be very low risk to start with we want to have a mechanism in place that allows us to revisit a deprioritized incident and understand that what we've de prioritized a week ago is now something very different or is going through a very different process process and we should probably reconsider its prioritization for uh for remediation so obviously changes of uh of uh in the command
control right any changes from a known infrastructure to an unknown infrastructure is definitely an indicator right it means it it means that it's worth more to the seller converting from straight IP to domain generation any connections that are to uh RDP service especially on already compromised machines right and connections to RDP processes are not necessarily on Port 3389 right connections to RDP processes are connections into the RDP process regardless of the port on which they work and regardless if they're coming in or if they're communicating with something that sent out that request changes in the RDP configuration the modules that are loaded by RDP
Services changes in privileges we talked about it in uh identifying enumeration processes of browser history and installed pieces of software right as an indicator again on machines that we've already seen a malicious process running on so we know that they have the potential of going through this process and we now want to identify these indicators that would tell us that something is potentially going on and something that was a little bit interesting um kind of to us is we imagin that when a seller prepares a machine for sale they would stop the thing that their use of that machine so if they were using it for click fraud they would stop that click fraud prior
to transacting apparently it's almost never the case the seller continues their operation and in many cases buyers buy the asset when the previous operation is actually still in process so the Assumption of we're going to see a cessation of the previous Behavior prior to that transaction is actually not a very good indicator any
questions okay so either it was uh very good or very bad either I was very clear or very unclear what do you think
yeah so uh so you focused on Windows obviously but uh what about Macs is there a Mac Marketplace or how is how is that specific a platform marketed and sold yeah so the uh uh Mac marketplaces are actually a lot less common than the windows marketplaces the uh marketplaces like aesthetic that have commoditized this this Market are almost solely based on on Windows machines uh there are smaller Niche uh marketplaces for Linux machines and sometimes you would find Max but they're pre rare I would imagine it's uh it's uh it's potentially a a um a demand perhaps an issue of demand uh but it's it's just what you see in the marketplace
yeah from the point of view of a hacker It Strike me that uptime would be an important aspect of a machine especially given you can you pivot or hide behind it uh I didn't notice that on there I may not have seen it but I was wondering if if that was a metric that was readily available yep so um if you want we can take a look at it afterwards on my machine but on every every listing on the marketplace has an indication of an uptime right so you can get a clear understanding of how available this machine is yep
so I think what what we're seeing right now is first and foremost a strong transition into the Endo so traditionally these marketplaces would focus on servers and in the past couple of years you see an Ever growing percentage of endpoints these would typically be Windows machines but I think at the more that The Reason by the way was that the traditional actors in these marketplaces were people that would do server scanning IP scanning right they would find a server right and they would try to you know brute Forest it and then list it for sale and then new players came into this Market which are the commodity malware players right the adware players The Click fraud players
that and their assets are mostly endpoints but they've seen that they can transact on these endpoints and make you know and monetize them significantly more than they do with regular click fraud and that's why you see an increasing percentage of end points I think given this situation and the more we see these types of commodity malor going into Mobile the more mobile endpoints we'll see in these platforms sure any other questions is cool we have to stop it here so thank you thank you friends thank you Israel so we have next speaker coming
in
e
e
e
e
e
e
e e
good evening uh we are at the last Talk of the day uh this is breaking ground track and you are in Florentine a we would like to thank our sponsors supporters donors who have made this uh besides possible uh do go to your booth say them hello and thanks for making this wonderful uh convention possible uh next we have Andrew brand Andrew brand is director at threat research at Blue Cod systems uh and the topic which we are having is ingra eg the emerging threats posed by the augmented reality gaming for all the Pokemon go lovers uh this could be a interesting talk can you guys hear me great all right give me one second because this
thing crashed my uh graphics driver
come on PowerPoint all
right all right great so um thanks very much for coming um I'm Andrew BR I'm the director of at research at blue coat um my normal day job involves me running a lot of malware in a lab in which I uh not only record the behavior of the malware but I'm also recording the um the network traffic of the malware communicating with its command and control servers downloading payloads and to do that we have a bunch of appliances that the company makes and I just use those products in my research um but I'm also a gamer and I I found as I got a little older that playing uh twitch games on a on a screen uh actually
started to give me migraines and make me feel sick and and it was a really depressing experience until I discovered augmented reality gaming and so I I got into this game called Ingress um in in a pretty big way is this going to work right so in this talk I'm going to talk a little bit about the fundamentals of the game itself but I'm also going to talk about how I use some of the tools in my lab to uh decrypt and um decode some of the communications in the game just to learn a little bit more about how that game worked um now a lot of you know that Niantic the company that makes
Pokemon go is the same company that makes uh Ingress and Ingress in a lot of ways uh is both a precursor of and a supporter of the Pokemon Universe so there's a lot of cross-pollination involved in both games and it what I see here as being a number of different problems some of them have been addressed by Niantic in Pokémon go but a lot of them persist uh especially those uh involving personal safety privacy and we're going to talk about all of those things uh but we're also going to talk about what nitic has done and and what I'd like to do because this is the breaking ground track and they're asking that this be a very uh interactive uh
back and forth is I'm hoping that the audience will come forth with suggestions I know there's a number of Ingress players who are here in the room um as as well as just people who are interested in privacy and security so uh I'm hoping that you'll have good suggestions at the end I have a lot of slides to get through so I'm just going to whip through it as quickly as possible all right so so what is ingress so Ingress is this very interesting science fiction themed game with a very paranoid uh backstory involving uh aliens making a kind of covert uh intrusion into this world From Another Dimension and as they're doing that um
the some of their technology is leaking into this Dimension and only people with special things called scanners I.E the Ingress app are able to see this techn ology uh for what it is think of it as um as they live for like the year 2016 you've got these goggles where you can see all kinds of stuff that isn't there that normal people can't see you can interact with these things and you use that to advance within the game attack other teams uh and just uh have a lot of fun out in the real world um everything that happens in the game takes place uh in or around these things called portals portals are basically User submitted
physical locations in the real world they have to be human creat created things with some kind of artistic or creative or cultural social value that users have submitted to Niantic and Niantic has had a human uh basically approve these as being locations that can be portals and everything happens with these portals um the only way that you can interact with portals is to be standing 40 m or less from the portal itself so a lot of the interaction within the game at least the legitimate interaction that's done by players who aren't cheating and doing other kinds of goofy stuff is to be walking around in the world going to these portals and interacting with them but that's not
always the case so the correlation between Pokémon go and Ingress is really really obvious to people who've been playing Ingress even for a little while um these are just two screenshots of um on the left side are the uh the screen for a portal and on the right side are the screen for a poké stop or a gym and basically in smaller towns where there aren't a lot of places to play these things it is a pretty much a one toone correlation but in places like Las Vegas where there are absolutely tons of portals crowding the entire city what you see is that there's sort of a a one out of every three or one out of every four portals has been
removed from Pokémon go and is not a poké stoper a gym uh just because the density is too high um so the other thing that uh is kind of key to understand in the in the background is just sort of how you play the game a little bit um everything that you do in the game in involves you using this stuff called exotic matter this is the stuff from the science fiction universe that is leaking into our universe essentially it's uh energy that you get by walking around in the world and it's in the game it's represented as these little like floating blobs that as you walk along they they kind of get sucked into your players's uh Avatar in
the game and when you have enough of this energy you can do things in the game um the other thing about it that's kind of cool and appeals to me as a security guy is that your primary way of interacting with these portals is to hack them it is actually there is a button that says hack in the game and that that hacking the portals is the primary way in which you gather gear and collect keys and do other things that that involve Gathering resources to do stuff within the game um now there's two scoring methods there's a personal scoring method for each individual player where they get points based on how far they walk how many portals they
hack how many unique ports portal they hack or capture the length of links between them the fields the size of fields that they make out of linking triangles of these uh portals together are all contribute to an individual score um but then there is a separate scoring me to factions or teams within the game that is purely based on the um the the area that is captured on the planet Earth uh by your team so in the game uh for people who play the game uh there is this other sort of web resource that you can use on a laptop that's called the Ingress intel map and essentially it is Google Earth with a view into the Ingress world and
and what this is showing is kind of a a really widely zoomed out worldview of the the biggest uh links and the biggest areas in which uh different teams have captured these uh colored areas are called fields and um but if you zoom in the closer you get to any physical location you actually discover that you know such as like right here at the at the Tuscany there are six portals Within Reach and I took this screenshot uh about an hour ago but I just killed this green portal that's here in the middle and turned turned it gray so uh so if you're playing in here and you you want to capture a free portal like just you
know drop a couple resonators on it right now what's that resistance exactly so if you didn't notice I'm actually wearing uh the key of the resistance faction uh that's the faction that I play for so uh just other elements that I wanted to just sort of mention in passing just because it's such a rich game and there's so many ways that you can play it um there's a puzzle game within the game that called glyph where you instead of hacking you hold down the hack button for a long time and you kind of draw little patterns on the screen it's it's a little bit of like a memorization game because it does these little uh symbols called glyphs and you
have to repeat them and you get more gear if you do them accurately and fast um again there's these badges that you can get for different accomplishments within the game that's kind of among players and then every once in a while um players will get together in cities in events organized by Niantic called an anomaly uh for example the nearest next one is going to be in two weeks in Denver and what happens in those places is the the company sets out certain portals as being uh critical uh capture points for one faction or the other to either hold or to take away from the other faction and the the winners of these anomalies actually decide key
decision points within this the uh fictional storyline of the game and and help Drive the story in one way or another so the anomalies are actually pretty key to the uh to the sort of ongoing uh backstory that happens within the game um and also just uh as another thing people who are uh at this event especially will really appreciate the fact that there are these things called passcodes which are 10 character codes that when you enter them into your scanner app on your phone uh will give you extra gear and one of the ways that people discover these passcodes well some of them are leaked by Niantic and some of them are handed around by teams
to their friends but what is actually very interesting is that um the the company puts out these videos and screenshots and other interesting art uh on their website and on their Google+ Page and if you search through these images often in the metadata or sometimes just buried in the image uh almost as a steganographic exercise they will put these passcodes in there there are teams of people who just do steganography and image analysis to find these things um it is just kind of a cool side game there's just some screens from the game showing uh for instance the the guardian badge which is one of the the rarest and most difficult badges to obtained because it involves
maintaining control of a portal that you captured for a certain number of days and the highest level badge is 150 it's it is by far the hardest badge in the game to get and keep uh just because of the nature of the game all right so let's talk a little bit about the communications within Ingress so there are basically there is this mechanism in Ingress to send messages back and forth between players uh as well as the game itself will send game messages involving uh say like when one person attacks a portal that's controlled by another person or the other faction uh that person will receive a little alert message in their scanner app that says soand and so is
attacking this portal at this location um and all of this stuff is basically broadcast to everybody who's within a certain Geographic radius of uh the location where the event is happening uh and is has the game on or is looking at the uh intel map so um this chat window uh the one on the left is the one from the game and the one on the right is the one from uh Intel but essentially they are showing you the same thing which is little text messages that people are sending back and forth to each other or mostly actions that happen within the game that involve the change over between one uh faction or attacks that
are happening in real time or captures um and actually it's worth pointing out um just to go back here this one on the left and I know it's hard to see in this Lightroom but the the the text that's in white is a broadcast message that was sent out by a player who is advertising a uh a black market gear store so there are people who are playing this game Gathering gear specifically so they can sell it for real money out outside of Niantic purview to other players and we'll talk about that in a minute so to do the capturing that I did is really fairly rudimentary and it doesn't require all the gear that I have
in my in my lab it was it just makes it easier um I have a wireless access point that I use to connect the phones that I'm using and the other mobile devices I'm using and I use them all the time to uh capture uh malicious traffic on Infected Android devices but I'm in this case I was using it to capture the traffic from my phone and other phones that I was using to play the game um I'm using something that sniffs that traffic and and and allows me to save it and uh manipulated in a lot of ways it's called security analytics and uh the box that's pictured here is called the SSL visibility Appliance and it is
essentially a standalone man-in-the-middle SSL decryptor box that is sold to corporations who want to use it for data loss prevention or policy enforcement on their internal networks and I'm giving a talk about the SSL visibility Appliance at Defcon at the crypto and privacy Village on Saturday morning if you want to hear more about that and that's all I'm going to say about it is that this is what I was using so and when you're when you're uh running SSL decryption uh in an Android device and you have to add the certificates the resigning inserts into the device uh there are some persistent warnings that appear in the device and I just thought I'd show these because it's
worth noting that you can't just do this SSL decryption without the person who's being monitored knowing about it first of all you have to manually install these ser which is an a non-trivial exercise to get them on the phone and install them and then secondly it then pops up these warning messages pretty persistently um almost all the time in the not notification bar and then when you hit the notification it pops up this bigger window that says you really could be being monitored right now by someone you don't know um except you probably do know who it is all right so um this is the UI from the SSL visibility Appliance and it's just showing a log of the sessions that
were decrypted during during a um a bunch of uh Communications uh you this one in particular of the startup of Ingress and what it's showing you here is on the left is a column of the uh IP addresses and the ports the then the names of the domain the domain names that we we were doing the communication the cipher Suite that was being used and then it says it was using the resign certificate decryption and most of them it says success but on the the second and last one it says alert bad record Mac and that just means that there was a mismatch in the MAC address on that particular um that particular session so when the when the app starts
up the first thing it does because and and and again I don't know if you're aware of this but Niantic is actually a spin-off of Google at the time when Ingress was launched it was a part of Google it was one of their divisions and now it is a separate company but they still share a lot of the same ecosystem and the first and most important is that they are using Google oaf you are ti your game account is tied to your Google address and your other Google information that's in uh that's on your phone and uh this became you know pretty well known in the first week of Pokémon Go's release because there was a big
hoo-ha about the fact that Pokemon was basically getting all permissions to everything tied to your uh Google account that is now been fixed but this is basically what is happening is that they are just validating that your account is properly owned by you it's on a phone that you have used before for this account and they're just doing this check and you can actually see um in the circled in red it says com Niantic pro. Ingress that's the name of the app the internal name uh uh of the APK in in Android um so the next thing it does and and this is kind of interesting is it connects to and gets a positive uh
connection from uh something called Google Cloud to device uh messaging now this is it's interesting because Cloud to device messaging was actually discontinued last October by Google they actually put out a big notification that says we're stopping using this don't incorporate this into any of your apps anymore we're going to shut the service down and yet c2dm is actually working and every time you start up Ingress there's a little c2m uh session that goes back and forth we know for sure because security analytics was able to show us once again com. Niantic pro. Ingress was the source of that communication and that was what was being sent as an HTV post uh up to Niantic or I should say up to
Google so then once you've gone through the authentication process there's these um uh there's an initial setup that happens in which the game uh receives uh a bunch of initial data just so that when the UI pops up it's populated with information um it uh it is first you send it up your uh latitude and longitude using the location services on the phone it queries the phone it says Where Are You it sends that back to Niantic and Niantic does some stuff on their end where they figure out within a certain radius 5 km 10 km however you've got it configured in the phone itself um it will then send back chat messages that have been sent within that radius
as well as the event messages and that's what sent that's what's sent in this very first packet the back and forth is the geotagging information about where you are and then all of the messaging stuff and stuff that would happen in the comm's window uh that you would see as soon as you started the app up um the next thing that happens is that it is it then transmits to you um a lot more of that chat messaging going back uh quite a ways for like the last two or three hours previously uh as well as pretty much all of the configuration information that is used to define for instance uh what are the various values
that are used by the game to determine whether you're within a certain range or have a certain level of weapon to defeat a thing that is of this other level within the game all of that configuration data is s every single time you start the game so there is this this back and forth and handoff of the um the rules of the game that that are sent to the phone now it's an academic exercise to understand that if you are receiving all of this configuration information that decides how the game is going to work that why would someone not just interact inter interface with the network card between the game and Niantic and just tweak those values a
little bit for their own benefit oh and by the way is worth mentioning that uh the two factions in the game one is called the resistance one is called the enlightened the resistance are the humans who believe that this alien technology thank you very much uh that this alien technology is something that is we should be a little wary of we don't understand the motives of these aliens maybe we should take a step back and not quite accept it so rapidly the enlightened are the team whose philosophy is we should embrace this they are just nothing but beneficial everything is good the the the all this the the the benefits of this technology are good for everyone
why not just embrace it right it is worth noting that in the internal messaging of the system the enlightened team is referred to as aliens so be warned you are working for the aliens so um so the next thing that happens is that uh the uh nitic app sends a little handshake that's called Su and when that comes back here here is is all of our configuration data that comes back to the device right so as I mentioned you're got you've got all the rules for uh what are the glyphs that can do things when you are trying to do glyph uh to make the glyphs happen faster give you more keys um the action
cost for different actions within the game the weapons radius for different weapons within the games the badge tiers all of this stuff is transmitted every single time in the handshake it's not really clear to me why this isn't just hardcoded into the app but I guess if they wanted to change the game uh on the Fly they could literally just change some settings on the server and then everyone's game would work in the different way but it just seems to me like it's just opportunity for uh for a lot of messing around so in addition to the app itself um the app has several analytics tools that are built into it one of them is upsite API and upsite API
is a very common widely used completely legitimate um uh Android app analytics company and Niantic is using it for doing inapp purchases there are some things that you can buy for real money using your Google account um in the game that will help you um you know accumulate more gear or do other things within the game that are fun nothing that gives you a huge Advantage but some stuff that gives you a little Advantage um and so they're using upside API to do all this payment uh management and and to control uh how that happens within the game um when you first log in though upsite sends a huge amount of data about your device itself self the make model
number the geolocation of it what mobile network it's on what version of Android it's running whether or not it's rooted what's the localization what language is it using um how many days have you been active in the game have you has there been a a gap of several days since you played it or or have you played it in the last 24 hours and all of this stuff is sent to upsite at the same time as you're logging into the game and then there is a third a second analytics or a third set of information that's sent to a different company called criticism and that is also sending information about the version of the app the version of uh
Android that you're running the name and the making model of the phone that you're using the country code of the country to which your sim card is tied and a bunch of other information including like the the build date of the app um and its version and and localization so so already you've got um you know two thirdparty companies that are receiving an enormous amount of device data about the device that you're running the game on then what happens is as you play the game there are all these API calls that happen and they they again uh like most of the other ones that are happening throughout the game it's an httv post up to Niantic with some data and then a
response back and they have names like this and they're involved in doing things like updating the inventory of your gear that you have updating the map that's shown on the screen updating the chat messages that are shown in comms and they're basically happening constantly and it's one of the reasons why when you run uh Ingress for an extended period of time and if you know people who play Ingress you always see them carrying these giant ass external battery packs and giant like plugs and wires and things like this thank you very much um we are all carrying these battery packs because all of this data and all of this using of the GPS constantly is just chewing through the
power in our phones but we are pushing the envelope on what you can do with these things so it's kind of interesting to see it all happening the most interesting uh API call that I see is this one that's called get paginated Plex and the get paginated Plex is interesting because it contains all of the rich juicy detail about everything that's happening by other people as well as yourself within the game it's all those text messages that I mentioned earlier plus all the action messages but in addition to the texts and the actions and which is not displayed by the client itself in the UI but is shown is shown to the API but not displayed in the UI
is things like uh unique user IDs for all the players unique IDs for all of the portals and locations in which you're playing as well as all of the geolocation data for all of these events that are happening whether they're done by you or by someone else so all of this information is constantly being fed to your phone and because you can receive it all and can man in the middle it you then have access to a lot of shenanigans that you can do if you say collect it all we'll talk about that in a minute what else is interesting so there was this one session that we decrypted at the at the end the one that had the
weird Mac address problem and it was on this strange port 7275 and I had to do a little research on this and I discovered that there is this tool called ulp user plane location protocol it's a protocol that is basically used by apps that use GPS they go out and they receive Telemetry about where in the sky are The Satellites lights that are above you right now and it's a way to more quickly get your GPS to sync and get the location faster and it was just interesting to see it's TLS over this weird port and if you if you look at the packet itself because it's not an HTTP packet um and it's really hard to see
because it's so tiny but like right up here it says degrees of latitude degrees of longitude it's very very precise uh satellite data with uh uh N9 or 10 uh degrees of uh accuracy so it's very very precise geolocation data plus all the error code values so that you can uh do the calculation and get your your location down as as precisely as possible um it's also worth noting uh at this point that the ooth stuff that Pokemon go is doing is very similar to what we see um but we're also seeing um we also see that they have made some improvements now one of the as I mentioned earlier one of the improvements that they've made uh is
that they're they're doing a little bit less of the um it's a little less obvious uh they're not using a user agent string that is uh directly connectable to Pokémon go uh the user agent in in Ingress as I mentioned is Nemesis and they're using the the sort of standard delic uh user agent string that's used by apps that that hook the network device um you'll also see that there's no chat messaging uh but there's a lot of binary data that's being passed back and forth however the few things that they are doing that are similar is because they're using the same location database and they've already built an infrastructure involving uu IDs for the
locations the U those hash values and the names of the locations as well as their pictures are are being transmitted in the clear in this uh in this stuff but is essentially doing the same thing where it's doing this API HTTP post stuff back to the server getting a response back it just doesn't have nearly as much data in it right oh this is just the this is the uh Pokémon go ooth so so if you if you didn't know this for people are under 16 I think if your kid playing Pokémon go you have to sign instead of having a go a Google account you have to sign up through um uh Nintendo has this thing
called the Pokemon trainers club and so you have to create an account on Pokemon trainers club and then when you log in instead of going through Google ooth it goes through Nintendo's uh separate ooth and then this is just the header stuff um boy it's a really fuzzy picture I'm sorry is there any way you could focus the projector a little bit um it's just really blurry but like yeah this is all the header data that shows um they're sending things um including it's really hard to see but birth date of the player um in that ooth uh session data so um as well as um there's actually parents email in there because you have to tie a
Pokemon uh go kids account to a parents account um so it has uuid stuff and then there's uh something called date of consent and I and I didn't really understand what that was but in the in the kids account that I created I noticed that uh age or the date of consent is exactly 13 after birth date so apparently 13 is the age of consent as far as Pokémon go is concerned that's okay all right so let's talk a little bit about what what you can do when you can scrape this data and you can suck it all down so there are some very clever people who have figured out all of this stuff that I've shown you so far and
they have built data collection systems that are using the they're using um uh bogus accounts that are fake geolocated all over the world to collect all of these player action things from everywhere in the world simultaneously and they're databasing this stuff and they've been databasing it for years um they're capturing decrypting and and parsing all of this stuff and making it searchable with really nice UI um there are at least three of these for each faction and it's been kind of an Open Secret among the Ingress community that this exists for some time because um it does violate the uh the Niantic terms of service to be doing this um but more importantly and the reason that I'm
talking about it is that it opens up a lot of opportunity for people to do some really bad things so um so I just got back from the UK and one of the things I did and of course I was playing Ingress when I was there because it was exciting and one of the badges you can get is for capturing the a a portal that you've never captured before for the first time so I was trying to get all these uniques and uh I was very proud of the fact that when I went to North Wales I captured every world heritage site Castle in North Wales that was that was my big victory and I was and I was so proud I
took screenshots of it um so it was uh Conway karvin and and B marus are the three world heritage sites and the coolest thing about gitter castle is it's known as the most haunted castle in England or in the UK so uh so I got the most haunted castle and the three world heritage sites but little did I know that while I was doing this one of these player trackers was monitoring mine and every other player in the world's use of the game and created this heat map that shows exactly where I was and how long I spent in using the game at these different locations in North Wales and when I saw this it scared the crap out
of me because again it's only an academic exercise to understand that what these player trackers are able to do is keep track of an enormous amount of location data let you view by time slice where that location data is and then even further you can slice it down to morning afternoon evening like what is the propensity of a certain player to be in a certain place at between 8:00 and 10:00 in the morning well you might find the neighborhood where the person lives you might find where their office is where they frequent where they go shopping where they drop their kids off from school and then hack the portal at the church down the street there's a lot
of ways that this can be abused so um here's another view of a different player tracker this this one shows um some of the players that are that are located in in Northern Colorado where I live and it was used by the players in on my faction to monitor players on on on our faction who we knew were doing bad stuff and so there the ones that are in in Gray are real players and the ones sorry the ones that are light colored are real players and the ones that are highlighted in kind of this green gray uh shading are the players who were using what we think our spoof accounts or bot accounts to uh conduct themselves
in ways that are not befitting a player who is responsible and respectable um here's a different view of a different player tracker showing the details of a particular spoofer who we know was doing some really bad stuff and um again it's really hard to see but I'll just show you that it's it's got the the names the days owned and the datee of of each captured portal that this guy had under his control and there's a there is a little button here that says add to threat watch so there if there were players who were on this green faction um who were causing problems for other people uh the members of the blue faction who run this
particular tracker were able to put this person on a watch list so they could keep a closer eye on them and collect more data about them and get alerts on when they were doing certain things and you know again it was it lead could lead to Shenanigans um so this is this is a yet a different player uh indexing service and this is data about my account um it shows that uh my region is Utah for some reason it shows the region that I'm in as being the place where I hacked my very first portal which happens to be near uh blue coat's offices in Draper Utah but that is not my my physical location it's just where where I started
the game um it also shows that I started the game on uh July 1st 2015 at uh 934 or 9:24 in the evening while I was out for dinner with some of my co-workers um and it has all of my Badges and and how long I've been playing and what is the longest uh continuous number of days I've been playing how long is the the number of days that I've had my guardian for ETC um here's more details about my account and it actually shows so these are some of the portals in the UK that I visited while I was on my trip but then there's some of these ones that are from uh Colorado and then the one that is
gray out with the name Buzz is my guardian portal and it's hard to see but it says it's 262 days um it turns out that while I was in the UK um I made the uh I made a grave error I I had met with a couple of people who are on my faction who I thought were friendly players and we had hung out and had a few beers and played a little bit and and gotten together a few times and I told and they the guy said like hey you know do you have any you have good got good uh Guardians you know there's a couple portals around here that have some good Guardians and I sent the guy a
screenshot that showed that my guardian list was up to over 250 days and um within 48 Hours of having that conversation my guardian got taken down my guardian by the way is somewhere in Texas so whoever it was that that information got to used a system that was just like this used a bot to go to Texas and killed my guardian with a bot not cool of course I'd already gotten the badge so I didn't really care at that point it was just you know gravy that's not a guardian that's a pet exactly it was a pet so uh so these are the issues right so it allows people to um to find track and observe the
behavior of other people very very easily this is a tracking service that you are willingly carrying around with you in your pocket and feeding with data about where you like to go um and it has been implicated in a number of um real player-to-player negative interactions involving stalking and harassment in the real world um so in the course of doing the research for this talk um I put out a a question and answer uh thing on uh Reddit as well as I kind of interviewed a bunch of of players that I know and there have been experiences that I've had with other players in my community and other communities in which we know for a fact that there are players out
there who are hostile aggressive and have followed people around found their houses and then deliberately done things to harass them as a way to um make it make it harder for them to play the game or to drive them out of the game this is a problem that is not going to go away unless we solve the problem of this scraping all right let's talk a little bit about what these Bots can do so GPS spoofing and Bots has been a problem within the game pretty much since it started as you can imagine we're in a game in which hacking is part of the sort of thematic storyline of the game it attracts a certain audience of
people who are interested in exploration of the Digital Universe um myself included but but not limited to me and people discovered fairly early on that there are these JPS spoofing apps that you can use for development purposes of course just to uh force your phone to say that it is in a different location and then every everything that kind of pulls that location data um uh from the phone thinks it's in a different place and then it it can you know it will let you do things like Google maps of a different town uh without having to zoom in there um what the guys who are doing this are doing it for is sort of two
purposes um but we'll get into those in a minute for definition of purposes spoofers are just people who are using uh these tools to forge their GPS and make themselves appear to be in a different location Bots are automated systems that are using spoofing to do actions automatically without human interaction in those spoofed locations so one of the things that is really important to note is that spoofing is something that uh Niantic is trying very very hard to thwart and all of the common things if you just go and you look for GPS spoof thing on Google Play Market uh there are a bunch of apps in there none of them will work on uh
Ingress without getting you banned pretty quickly um the the purpose of having all of these analytics communicating with the with the device is because they're looking specifically for these apps running in the background and um the way that you hide these in the information about these apps from Niantic itself one way to do it is to run this thing called the exposed framework so it's it's on this website repo os. info and it is um it comes as both an APK and a zip and it it does have a kind of a high barriered entry because you have to sideload it using uh Android uh desktop bus um you have to ADB flash it onto the device and so it
is probably beyond the Ken of most mortal people who have Android phones however I believe everyone in the room here is probably capable of doing it themselves um and it is a very effective method of doing GPS spoofing so that you avoid getting getting banned and kicked out of the game and losing all the gear that you illicitly got um so some of the things that the Bots can do um are basically everything that you can do within the game so they're they can hack or glyph the portals they can retrieve keys and get gear they follow certain tracks you can record a GPS track and then have your Bot follow that track um almost like a
like a your playing back a video um they can attack enemy portals as they walk past them uh they can also just uh t Port jump from place to place in a ridiculously short amount of time an amount of time that a human would notice very quickly is far too rapidly so for instance I flew between uh Denver and Las Vegas it's about a 90-minute flight and yet you know I could if I wanted to um be in Boulder where I live teleport back to Vegas do some stuff teleport off to some other place and for the most part that kind of stuff doesn't get noticed um when you when this exposed framework is kind of tied in um these
Bots can do basically everything and what they are being used for is they are using them for harvesting huge amounts of the highest level gear which is a um mentally and physically taxing effort as you can imagine you don't just go to these portals um and hack them one time if you want to farm gear say for an anomaly that's coming up you will often find that one faction or the other will get to together they'll find a park that has five or six or 10 portals that are really close to each other they will then level those portals up so that they give the highest level of gear and then people will walk around and glyph them
for hours and this is this takes a lot of work and takes a lot of effort and you have to be good at the glyphic puzzle game which is not I I can tell you from my own experience is not a trivial exercise it is something that takes a lot of work and yet these Bots can basically glyph everything as fast as possible and the only way that you can uh the the the only consideration that you need to have when you're running one of these Bots is that you got to dial it back a little bit because the bot is so good it's going to attract notice and so a lot of these sliders
that are in these Bots are to control just how accurate like how often will it fail and how often will it will it Meander off this GPS track and look like you're just kind of walking across the street instead of following a straight line and then taking a left turn making a 45 degree turn and going across a field that normally is blocked off with a chain link fence all of this stuff is basically just to make the bot work faster right and we have these uh infographics and again it's really hard to read but this is an infographic about how a bot works and what these Farm Bots can do this was one uh that was produced
by the people who I work who I play with specifically to um to teach people about how these Bots are doing farming and how you identify the farming Bots as opposed to the Bots that are being used to spoof and and attack people so the the most popular one the one that everybody knows about uh again it's an Open Secret within the Ingress Community is this bot called ganess it's $12 to use it for three months and it is shamelessly advertising itself as being the bot to do everything bad within the game now um it's it's a very uh uh it's a very paranoid guy who's in Eastern Europe who makes the bot when you buy it
it they make they make a build that is just for you and the bot itself does some command and control back to the guy's web servers so that he knows that your license key is only being used for your account and if he sees you using it for any other account or if he sees you using it in a way that he doesn't like he will just ban you forever for for life from ever being able to get his bot again and it calls itself internally bad logic now um and this is just some internals of ganess and showing you the UI um and and then for example this is the the walk mode where you can you can
either have it walk in a straight line or walk and then loop back um and this is the uh I I've done a little bit of uh reversing of the app and showing some of the source code and this is just the drop down of the code and all of the code is pretty heavily obfuscated with all this um there's a lot of this sort of junk text that's all through all the variables and stuff it just makes it a little harder to read but for somebody who's an experienced reverser it's just sort of rudimentary but you don't have to do ganess you can actually there are some commercial emulators out there that you can use to uh to get into these
things uh one of them is this one that's called the nox app player and it's worth noting in the text at the bottom here it says location required by app the virtual location feature will pin you to wherever you want now this one I showed because they're actually advertising a particular build that you can get of this app that's called Pokemon go desktop and the idea was of it was you could play Pokemon on your desktop without ever having to walk out into the real world well guess what it still works it was advertised as something that you could use during the beta and now it still works with the real Pokemon now and as far as I can tell I've been
using it for weeks and it hasn't gotten me banned so so it is still functional now um there's another company that does a similar app called Jenny motion um but you do need to use the exposed framework on these software Android devices or else eventually you will get caught banned and you'll lose all your lovely Pokemon and balls and everything else so this is just a screenshot showing a a famous location in Boulder the Duan Bay tea house and uh you just use this little uh map window within the app to pin wherever you want the game to say that you are and then all of a sudden within the game I'm standing at the DU tea house and I'm griffing it and
I'm doing all the bad stuff that I want to do and it and it also has these like helpful features for people who want to do this kind of hacking fake imeis you can create your own phone number and phone network that you're on all of it is basically uh just forgery that allows these apps to work uh again for development purpos purp is haha not really um but um everything about this just really sucks and what this does is it feeds this market for Black Market gear um both factions are responsible for running these ganet spots they give out the gear in huge amounts to their buddies because it really is Trivial for them to be able to collect massive
amounts of gear but then they turn around and sell it for dollars on the web and these guys are advertising this stuff on the chat window to all the players the one I like the most is this one here it says for 10 bucks we'll give you four keys to any one portal that you want anywhere in the world and to me that's amazing because you know if I wanted to I could pay this guy 10 bucks he sends his bot down to McMurdo Station in Antarctica where the two portals that are the rarest portals in the world are because only the 50 scientists that go to the South Pole and are there can hack
those portals and this guy will give me four of those keys for 10 bucks woohoo what an achievement I haven't actually been to McMurdo that sucks that ruins the game for everyone and and honestly that is that is exactly the problem with all of this stuff it violates the spirit and the letter of the rules and it just makes everyone in the game pissed off at each other both factions accuse the other side of cheating it's true both sides are cheating it's become an arms race and the problem is that it's not going to go away away as long as the game allows it to happen so let's talk about how we address these problems because the real
problem is that Niantic is a company with great intentions and who has two hit games on their hands but does not have more than 50 employees and is basically lost at trying to solve these problems they're overwhelmed by the amount of people who are playing Pokémon go the the you know when I pitched this talk to the conference it was all just um a lot of these discussions about the problems that were going to happen with augmented reality games were hypothetical or there have been you know a couple of instances here and there of people you know falling off their bikes or getting into car crashes but it wasn't on the scale of today where the
police departments in New York San Francisco Los Angeles and Boston are sending out Pokemon go player tips like don't walk into really bad neighborhoods late at night all by yourself with your really expensive phone and big battery out hanging out you know you're going to get mugged you know and stuff like this was all hypothetical two months ago now it's happening every day so we got to solve this so one of the biggest problems is this data scraping issue where that basically you're walking around with a GPS tracker and your pocket that shows everyone where you are all the time these are my suggestions we got to stop broadcasting the player data with the actions in the
game so when it says Andy Brandt hacked portal X or Andy Brandt attacked this portal and captured it from player y you should never have names associated with that it should just be portal X is under attack portal X has been captured by the other side that would eliminate all of this player tracking stuff in which this data is being sent out and people are scraping it and show the heat map thing that shows where you are would be gone everything has to be encrypted right we it is a watch word of of all of what we do in infos you encrypt everything you possibly can now it's inside TLS and that's great because the transport layer
is an important thing to encrypt but why is the data in plain text why is this all Json ins in plain text inside of the TLs they learn this lesson with Pokemon go that's a good thing they need to then revert and put that stuff into Ingress it needs to be encrypting that data so that all that we're seeing across the wire is a big binary data blob that we cannot read and of course Ingress and Niantic needs to be monitoring the players and their activity a little more closely location service stuff is another issue right so when in all my malware research stuff I'm always looking for metadata attribute combinations that will lead me to find
interesting traffic well here's a metadata attribute that I love check the goip of the IP address you're using and does that correlate to anywhere near or even in the same country as the G the IP address the geolocation data that's coming from the GPS if you're if you're in the UK and your phone says you're in Texas but you're on a UK network connection something is wrong and the fact that Niantic isn't seeing this is also wrong it has to be pointed out to them by the players that's the biggest problem is that there are communities of likeminded you know interested players who want to stop these guys but they have to report all of this stuff up to
Niantic Niantic has the data all right and then player Behavior right so one of the biggest issues with Pokémon go has been that players are now showing up at you know austere locations like the national Holocaust Museum and Veterans memorials and other place and graveyards and other places where you don't just go and set up a bunch of folding chairs and bust out the boom box and start having a party at 2 in the morning and capturing Pokemon we we as as Ingress players need to bring them into the fold of what is the appropriate behavioral Moray of using augmented reality and it is not making a goddamn nuisance of yourself and leaving trash and making it so that the Ingress
players as well as the the Pokemon players are all demonized because we're nuisances do you have a
comment so I don't know so so in Ingress so the question was um are are you not limited to how many many times you can spin a poké stop in in six hours so in in Pokemon the way that you gather gear is you go to these locations which are portals and some of them are going to be called Poké stops and when you go to them there's like a circular thing and you drag your finger across it and it spins and then little like stuff will fall out of it um there is a delay so you can do it once and then you have to wait five minutes just like when you hack a portal you have to wait
approximately 5 minutes for it to cool down and then you can hack it again I don't know because I've actually not I have not um done enough work on Pokémon go I've only been playing it for a couple weeks does anyone know can you keep spinning it every 5 minutes forever my information says that pokop do
not right yeah so so that is a good point so so in in Ingress you can hack four times short of putting special gear on the portals to allow you to do it more um you can hack something four times there's a 5 minute gap between each time and then the portal becomes burned out and you can't use it for about 6 hours so it forces people to move on um but yes it is my understanding that you can't do this this isn't the case in Pokemon go and yeah that's that's a problem like there needs to be Port you know Poké stop burnout um so people will just leave um one of the suggestions that a colleague
of mine made was that maybe Niantic should create a a very low cost but a paid um private Ingress Universe which is parallel to the existing Ingress Universe for free use users but where they have a payment method and a and a way of contacting you that ties you to a real person's information and if that account is found to be doing bad stuff with Bots or spoofing or doing other goofy stuff that that account can be banned and that account can be banned permanently across anybody uh anybody's game that Niantic is running in in which they're using you know the same payment information so basically ban the credit card that you're using to pay and then
they can never log into any other Niantic game with an account that has tied to that credit card I mean that's one suggestion but I'd like to hear more and I don't know do we have a mic that we can pass around to people um come on up and and if you've got comments I'm here to hear your suggestions and I'll just type them in as you guys are talking about them so one of one of the ones that was suggested was the uh portal burnout on Poké stops are there any others yeah speak out credit cards cred card usually track where you make your payments so if you make a payment at uh uh somewhere in Vegas but then you make
a payment somewhere somewhere in the UK you can't like they have they have some mechanism for knowing that you can't physically make that that distance in the time so they could Implement something like that in terms of their the users interest action so it would it would stop Bots from teleporting right well it's an it's an interesting suggestion so the one the one thing that um that you should note is that the people who are using Bots create they create completely separate accounts to play the game that are not tied to their their real uh Ingress player account and they do that because they're afraid that at any time Niantic Could Just Kill that could kill that account and they lose
everything that's in that account so they don't usually use those with any of the payment stuff but yes this does come down to you know is this person habitually playing in the US and is this credit card habitually used in the US like maybe they can do that but I don't know whether they have that payment card information I would suggest that the credit card companies would not share that yeah they they might not they might not share it sorry go ahead so so so I don't necessarily mean the credit card information but they have they have a mechanism of knowing that okay there's a transaction here right the card the card companies have this mechanism for
knowing where the card gets used but I don't know that they share that with the vendors who are who are using that sorry go ahead yeah in the back okay
so so for example follow the money if you've got a bot account what is the bot generating you're not going to have a bot account without it generating some value to you and if it's generating a value all of the stuff you want to give away look at who it's giving it to right so um one of the things that happens in the game is that there are these items called capsules and capsules can hold a 100 other items and the capsules when they're filled get a unique uh is it 10 or 12 car heximal character code that uniquely identifies that capsule it should be rudimentary for Ingress for for Niantic to be able to track player
one created this value put it in a capsule dropped it on the ground player two came and picked up that capsule and benefited from it why are they not looking at that that is a that is also one of the very good questions and one of the one of the weak points in the game is that they're not looking at this interaction the way that those um Farm sites work where you buy the black market gear is they tell you um you know you pay you pay for the gear and then they say let us know when you're going to be online and then you need to give us your very accurate GPS information and then they do some test drops of gear
they'll drop a low value item on the ground and if you see that appear on your scanner then they drop a capsule full of the stuff that you paid for on the ground they're doing that with Bots and the reason they need your location is because they need to type it into the Bots little address bar and then it sends it it just teleports to that location drops the gear and then logs out so again you know if you if you are able to track when capsule a goes to player from player one to player two you know know player one is the purveyor of this gear store and you lock them out of the game or at least make it harder for
them sorry the person who's behind you had a question um there may be a way to isolate assisted GPS from GPS data and correlate the two so if if say your assisted GPS data say says you're somewhere in Las Vegas and your GPS data being spoed suddenly says you're in you know somewhere in east Southeast Asia um that would be a a direct red flag um so if there was some way of requiring the phone to have a true assisted GPS because if you're going to be connected to a cell tower you're going to be getting that data anyway yes so the this is actually an interesting point and this is one of the metadata attributes
that the analytics tools within Ingress are collecting they're they are collecting information about Wi-Fi access points that are in your area and they're using Google's ability to search for uh uh location by uh Network to correlate are you where the GPS says you are do you see the Wi-Fi APS that should be in this same location and it's why exposed works because exposed prevents the app from being able to see what are the nearby Wi-Fi access points so so they are doing that to a certain extent whether or not it's it's effective is another thing sorry uh person in green yes hi um I wanted to bring up the credit card verification and then thinking about um a couple of
points um I've experienced using credit card verification uh upping the anti so then you have to deal with fraudulent credit card numbers because by using a credit card you're creating a situation where uh those who really want to do bad things will do it but by also stealing credit cards um just a factor and the other one being uh I was thinking about with credit card verification granted there's already the barrier of Entry to having a a handheld device but if we want more people to be able to play to play the game uh a credit card requires a a level of privilege or or financial and how old you are and all of those
things that also make it more complicated so my challenge is and generally for the internet how can we create a um verification that isn't tied to credit cards which are kind of us-based not everywhere in the world and like all the other things I don't have any good answers but I would love that to be a thing those are those are really good suggestions and good questions and yeah I think you know as I do more research on this and I'm going to be presenting updates to this talk at other conferences I'll look into that and that's a very good suggestion thank you so we'll be taking the last question yeah so we're running out of
time there's drinking to be done so last question and then you guys can all go but I really but I want to say before I get this question I want to thank you all for sticking it out right to the end I really appreciate this this is a a a topic that I'm very passionate about and I just appreciate the the attendance and information and the and the uh interest level from everyone who's here so thank you all right what's your question all right so um I think that the GPS data is a perfect candidate for applying machine learning to train a model to differentiate between real GPS versus uh these POS that seem to be pretty
rudimentary U I don't think there's any advanced programming techniques or anything in them you you may be right so machine learning is probably one of the tools that they're they're trying to develop internally at Niantic from my understanding it's very limited because I tried to reach out to Niantic to I I tried to contact uh John hanky their CEO several times uh in the weeks leading up to this and um and they're just really busy with this other game that they're dealing with and all the issues so they didn't have time to talk to me but I'm hoping I get an opportunity to talk to them they've been receptive in the past to suggestions from the community and
that's a good one is there way for the application to detect the explo frame so the question is is there any way for the app to detect tact whether it's running the exposed framework and no the answer is no because the exposed framework R uh the way you install it it installs as root and you have to install it using like a third- party um uh uh uh sorry yes you have to have a third party bootloader right so so you flat you flash it at the lower level than the operating system and nothing on the operating system can see it unless it lets it so yeah it's It's Tricky so I guess we're out of time so
thank you so much but uh I'll be around here for questions afterwards and then by the way there's a researcher party that blue coat is throwing and if you're interested and you want to kind of come and have some drinks just follow me and I'm your ticket in so thank you thank you [Applause] Andrew it's been
done
e
e
e
e
e for
Related talks
51:51
32:48
33:48
54:33
31:06
20:51