
Hello everyone, I'm Trevor. This is how to bypass DLP with just a browser, and how you can stop people from doing that, and a little bit about why I spent so much time on this project. There are two main aims I'm hoping to achieve today, and that's to secure your help with, one, improving DLP, which we're gonna do by breaking out past it, and two, driving innovation across all areas of security which might not necessarily otherwise get it, which we're gonna do by encouraging you to break things. We're gonna show a couple of proof-of-concept exploits today for vulnerabilities that let normal employees bypass the data leak protections that their companies put in place.

Companies like to imagine themselves in a bubble, in a little snow globe if you will, of protection. They are a collection of employees, users, sometimes trusted third parties, working together to create value, and the company wants to protect this value. This is to stop bad guys on the outside getting in, but it's also to stop the value that they're creating, often data, from leaking out. But sometimes one of those trusted insiders leaks that data. They decide they weren't happy at having not been promoted, or perhaps they were even influenced by an outsider in some way, depending on who your company is. So the rogue insider decides to leak your customer details, your algo trading software, even the secret recipe to your product. This is bad news whether you're the company or the subject of the data leak. Up to three-quarters of companies think they've missed such a data leak already. It's expensive: Ponemon says it's the most expensive type of cybercrime, up to three and a half million dollars, or over three and a half million dollars, on average. And that's not surprising when you consider that workers can access a lot of data. I mean, depending on your company, but on average more than half of workers can access some kind of sensitive data.

This isn't especially a new problem, though. Over 200 years ago engineers were coerced to divulge their designs; back then the medium was blueprints and paper. Over time we can see this evolve, still paper for the most part, across many industries. We see the auto industry there, we see various different industries, and we see the evolution of the way that the data was leaked. So from paper-based, in the 2000s we see the introduction of data being leaked over USB sticks, uploaded to the cloud. Manning famously used a CD with Lady Gaga written on it. There's an interesting case where a hedge fund in the US wound up dredging hard drives from a river, and banks in particular learned to scan outgoing emails. Towards the end, even last year, we see the evolution of stealthy extraction methods, which is where I'm going.

So we can see over time protections have evolved for the different ways in which insiders have tried to steal data. You can think of this model of data leak prevention as a hardened outer shell, and then what's on the inside. The outer shell protects each channel that you're trying to leak data through, and on the inside you've got protections that rely on the law or contractual obligations, and a new, growing field of user behaviour analysis. There's a more detailed version of this guy at the end, but what we're interested in is cracks in the edge, the new channels that people can try and leak data out of. So to do this I thought, well, how can I find how to get data out from my corporate PC without being detected? I had a look at what connections are there, and what every PC, every corporate PC being used by a normal user, has is a screen. So
for this presentation laptops have to get pretty intimate with each other. This is their preferred position, for the webcam of the personal computer, the receiver on the right, to see the screen of the corporate computer, the sender on the left. Of course the receiver could also just as easily be a phone, but I guess I wouldn't get an amusing picture like that. So this proof-of-concept exploit is published on our website. The rogue insider is armed with a fairly straightforward webpage to output data through their corporate computer screen. So let's find the tour... there we go. So, screen sender. We establish a working channel. We'll start with some text, and as you can see it's generating a QR code right there in the browser, so no data is going out over the network and DLP doesn't see anything strange going on; you're just interacting with a webpage. That's great. Now our insider looks for the file he wants to exfiltrate. The browser's going to read in the file. What we're going to use is the secret recipe to Coca-Cola; here we see that secret recipe. So to any DLP system this just looks like a normal file read, nothing strange going on here; often files are opened in the browser. It's generated a series of QR codes which we can scroll through, or when there's a lot of them we can just click to auto-scroll through.

So now we move to the receiving computer. We've got an empty Downloads folder on the receiver and we open up the receive web app. Again, just a simple web app, no special permissions needed. We can see the webcam is pointing at the screen of our sender. Okay, it's picked up that tiny QR code. Let's open the Downloads folder and, if I just arrange the screen a little bit there, okay, let's move that to the right so you can see it. The webcam's pointing at that sender screen. You can guess what we're gonna do: we're gonna scroll through the different QR codes. It's picking up that empty text box one there, you see the scan. All right, now we're on to the file. Okay, you can see... oops, if I avoid clicking on it, sorry for that. I'll give them away. What's next? I shouldn't rest it on the keyboard, should I? Okay, let's try that again. So we've shifted the Downloads folder over. We have again the receiver looking at the screen of the sender; it's gonna scan the QR codes. So as we get to it you'll see the process can stream multiple files without needing any interaction with the user. We're gonna go through now. You can see the file name, it identifies it as a file, it's got a section, a portion of that file, and some of the encoded data there, so each of those is being received onto the receiving computer as the sender auto-scrolls through the series of codes. And so I think there were 26 or so codes; it'll just take a second to get through those. You'll notice they're all the same size; when we get to the last code it should be slightly smaller, so it's just gonna be the remainder of the file at the end. When we do get to the end, keep an eye on the bottom left of the screen, where you normally see files that you click to download, and I've stealthily positioned the Downloads window on the right there.

We're up to 20.
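The stream just described has a signature a screen-side monitor can key on: a run of distinct codes appearing at auto-scroll cadence, most of them one size with a shorter remainder at the end, on top of the per-code size limit that the protection shown later in the talk enforces. As an added example that is not the speaker's tool or code, here is that policy in Python over already-decoded payloads. The screenshot-and-decode step is assumed to exist and is not shown; the event format (timestamp in seconds, payload string), the chunk layout of the sample, and the thresholds are all assumptions made for this example.

```python
"""Added example (not the talk's tool): policy over QR payloads decoded from a corporate screen."""
from collections import Counter

MAX_CHARS = 20          # per-code limit, the setting used in the talk's demo
BURST_CODES = 5         # this many distinct codes inside BURST_SECONDS looks like auto-scroll
BURST_SECONDS = 10.0


def check_payload(payload, max_chars=MAX_CHARS):
    """Per-code rule: any decoded payload longer than the allowed size is blocked outright."""
    return "block" if len(payload) > max_chars else "allow"


def detect_burst(events, burst_codes=BURST_CODES, window_s=BURST_SECONDS):
    """Stream rule: many distinct codes in a short sliding window means a chunked file
    is being scrolled past the camera.  events: time-ordered list of (seconds, payload).
    Returns (True, time_of_detection) or (False, None)."""
    seen = []                                   # (t, payload) of distinct codes still in the window
    for t, payload in events:
        seen = [(st, sp) for st, sp in seen if t - st <= window_s]
        if payload not in {sp for _, sp in seen}:
            seen.append((t, payload))
        if len(seen) >= burst_codes:
            return True, t
    return False, None


def evaluate(events):
    """Combine both rules into an event-log style record for one capture."""
    blocked = [(t, p) for t, p in events if check_payload(p) == "block"]
    burst, at = detect_burst(events)
    sizes = Counter(len(p) for _, p in events)  # a chunked file yields one dominant code size
    return {
        "action": "block" if blocked or burst else "allow",
        "blocked_codes": len(blocked),
        "burst_detected": burst,
        "burst_at": at,
        "dominant_code_len": sizes.most_common(1)[0][0] if events else 0,
    }


# Constructed sample capture: one typed-text code, then five same-sized chunks scrolled
# every 1.5 s, then a shorter final remainder.  The "chunkNN:" layout is invented here.
SAMPLE_EVENTS = (
    [(0.0, "hello")]
    + [(2.0 + i * 1.5, f"chunk{i:02d}:" + "A" * 40) for i in range(5)]
    + [(9.5, "chunk05:" + "A" * 7)]
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

The two rules cover different evasions: the size limit stops a single large code, and the burst rule still fires if an insider shrinks every chunk under the limit and lets the page scroll, which is exactly the behaviour the auto-scroll button produces. The dominant code length is kept in the record only as supporting evidence for an analyst.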
Yeah, you type any text in, you type any text, and there we can see it as a file. That's a binary file that we exfiltrated in this way, so it's a binary channel. I mean, you saw from the picture there how, how pleat that please the hem that it flew X. I guess if the lady from the social engineering talk was here earlier, then perhaps surprised. That's great, we just took a file out of the corporate computer. It could be any data, it could be a larger one if you're willing to wait and have it scroll through the file, but I mean speed's not our aim there, it's just to press through the file, right, it doesn't matter if it takes some time to do so. And I can take the question at the end if that's all right, please, thank you.

So that's great, right, we found a hole, we found a way of getting the file out, but it's no good breaking things unless you're gonna fix them. So let's have a go at doing that. Um, except I've clicked the wrong place, let's go next. All right, so let's find a way to fix this. So here we're going to run exactly the same thing with a protection system I've created for it running, a data border we're gonna call it, I think. And so I'll enable the screen protection. We're gonna tell it we're gonna block QR codes above twenty characters. So as we start to type here it again creates our little QR code on the screen just for the text that we're typing, and excellent camera work by me, and as we get past twenty characters you can see it's detected the leakage, it's told the user, it's blocked the screen, it's written an event to the Windows event log and optionally sent details of that event over to the SIEM. And the guy can't get around it by trying to move the QR code out of the way; you can't interact through that blocking panel, it just stops you from doing it. So of course now if I try and exfiltrate the secret recipe of Coca-Cola again, it's going to create those QR codes, but then as it shows them on the screen: blocked. Sorry, the secret recipe for Coca-Cola is once again safe. The twenty was just a configuration, like, should you wish to allow less than twenty through, I mean you could just type in, if you're willing to wait an awful long time, right, so it's just an optional setting that you can use. Now you can disable it and just block all codes completely if you'd like. So let's explore another avenue. We've used the screen to take data out, but most corporate computers also support sound. That's needed for Skype conference calls, training courses, but can we use it to
exfiltrate data? So here we have: the laptop on the left is the corporate PC, no strange position this time; the one on the right is the personal laptop. So the one on the left is gonna open up the sound sender, again a proof-of-concept exploit on our website. This guy is going to play some sounds, and you guessed it, the one on the right is going to listen to those sounds. So there's a visualisation here which gives you an illustration of what sounds the receiver is hearing. This lets you tweak the frequency range we're going to use, depending on what audio equipment you've got, what background noise. So that peak over on the left, the low pitch, we'll avoid that; that's the hum of the air conditioning in my office. There is sound, actually... do we know if we can, I'll just pause a second, do we know if we can get the sound from... okay, what we'll do, I will attempt to turn up the volume. It's going to be a bit rubbish without sound. Let me see if I can get the sound up high. It's up high, right, sorry, carry on. Okay, so we've chosen a frequency range; we set the same frequency range on the sender and the receiver. So this is a frequency range that just suits the hardware we've got, just the little microphone that's built into the top of my laptop here. I'm not sure if you can hear, since it seems to be only coming out of here. Okay, yes sir. So as I tell the corporate PC to send the data, it's turning that into sound, which is then listened to and decoded back to data on the receiving computer. So we've got another channel to get the data out, and once we've established a text channel, of course we can do some additional encoding on that. Okay, here comes my data.

On the receiving end it's receiving each tone, doing a fast Fourier transform, converting that back to the original data. Let's go for a file though, rather than the secret recipe of Coca-Cola, something a bit more representative. So we're going to use an AWS SSH encryption key. So here we go, the corporate PC is outputting that as sounds and the personal PC is listening in on those, converting it back to data, and it's recognised that as a file. If I just get the Downloads folder ready again... it knows the file name, it's received that bit of a message, you can see the percentage increasing as you get towards the end. Again, keep an eye on the bottom left of the screen, where we should see the download, and it should magically appear in the Downloads folder.
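The receiver above decodes each tone with an FFT; the protection the speaker shows later for this channel does the inverse job, deciding whether what the sound card is playing looks like speech or like a systematic signal. As an added example that is not the speaker's code, here is that decision in pure Python: an FFT per window, a measure of how much of the energy sits in one narrow peak, and an alert when most of the recent windows are pure tones. The sample rate, window size, thresholds and the constructed test signals (a two-tone stream, noise, and a crude harmonic stand-in for voiced speech) are all assumptions made for this example.

```python
"""Added example (not the talk's system): flag tone-keyed audio that does not look like speech."""
import cmath
import math
import random

SAMPLE_RATE = 8000      # Hz, assumed capture rate of the monitor
WINDOW = 256            # samples per analysis window: 32 ms, 31.25 Hz per FFT bin
CONCENTRATION = 0.75    # share of spectral energy that must sit in the peak bin and its neighbours
HISTORY = 8             # windows remembered for the streaming decision
TONE_WINDOWS = 6        # pure-tone windows within HISTORY that raise the alert


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + tw
        out[k + n // 2] = even[k] - tw
    return out


def tone_concentration(window):
    """Return (peak frequency in Hz, fraction of energy in the peak bin plus one bin each side).
    Speech spreads energy over many harmonics; a keyed tone puts nearly all of it in one place."""
    spec = fft(window)
    energy = [abs(c) ** 2 for c in spec[1:len(spec) // 2]]   # drop DC and the mirrored half
    total = sum(energy)
    if total < 1e-9:                                         # silence
        return 0.0, 0.0
    p = max(range(len(energy)), key=energy.__getitem__)
    near = sum(energy[max(0, p - 1):p + 2])
    return (p + 1) * SAMPLE_RATE / WINDOW, near / total


def is_pure_tone(window):
    return tone_concentration(window)[1] >= CONCENTRATION


def scan_audio(samples):
    """Slide over consecutive windows; return (window_index, peak_hz) for every window at which
    at least TONE_WINDOWS of the last HISTORY windows were pure tones."""
    alerts, history = [], []
    for i in range(0, len(samples) - WINDOW + 1, WINDOW):
        freq, conc = tone_concentration(samples[i:i + WINDOW])
        history = (history + [conc >= CONCENTRATION])[-HISTORY:]
        if sum(history) >= TONE_WINDOWS:
            alerts.append((i // WINDOW, round(freq)))
    return alerts


# --- constructed test signals (not recordings) ---
def tone(freq_hz, windows=1, amp=0.5):
    """Sine at a bin-centred frequency; off-bin tones leak a little energy into neighbouring bins,
    which the three-bin concentration measure absorbs."""
    return [amp * math.sin(2 * math.pi * freq_hz * t / SAMPLE_RATE) for t in range(WINDOW * windows)]


def noise(windows, seed=1):
    rng = random.Random(seed)
    return [rng.uniform(-0.5, 0.5) for _ in range(WINDOW * windows)]


def voiced_proxy(windows, f0=125.0):
    """Crude stand-in for voiced speech: a 125 Hz fundamental plus nine decaying harmonics."""
    return [0.1 * sum(math.sin(2 * math.pi * f0 * k * t / SAMPLE_RATE) / k for k in range(1, 11))
            for t in range(WINDOW * windows)]


# Two-tone keyed stream: one window of 1000 Hz per '0' bit, one window of 2000 Hz per '1' bit.
FSK_STREAM = [s for bit in "0110100110" for s in tone(1000 if bit == "0" else 2000)]

if __name__ == "__main__":
    print("keyed stream alerts:", scan_audio(FSK_STREAM))
    print("noise alerts:", scan_audio(noise(10)))
    print("voiced proxy alerts:", scan_audio(voiced_proxy(10)))
```

A production monitor would use overlapping, Hann-windowed frames and a better speech model, and sustained musical notes will trip a concentration test like this one; that is the false-positive case the speaker handles by letting the user unmute, and the thresholds are what tune that trade-off.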
It's very melodic, isn't it? I'll tell you, you get some funny looks when you're setting this up; people are like, where are those beeps coming from? Okay, so there's the file downloaded and it's appeared in the Downloads folder. So I glossed over a couple of little tricky complexities there, like managing the timing given it's a one-way channel. A few other interesting facts: so, it's a bit blurry, but there's a couple of presets for the frequency ranges which include just outside of human hearing, so near-ultrasonic sound, if you want to do this a little bit more discreetly, and especially as it takes some time. Then, yeah, as I was recording the demo I actually had a cleaner come into the office, you know, the strangest look. And okay, so that's great, but what if there are some other ways that you might want to encode sound? Frequency modulation is one way, but what if you only want to use one frequency? You've got rubbish equipment, you haven't even got a frequency range, all you can hear is one tone. Well, we'll get to that. So good old Morse code can be our proof-of-concept exploit for amplitude modulation. Again, corporate PC... you'll notice by the way that I've moved offices here now, to try and avoid annoying people with those beeps. So the PC on the left is going to send the data, the PC on the right is gonna receive it.

Okay, don't enter, let's get the receiver open.

So here we can set the frequency that we're going to output with Morse code, you can control how quickly it outputs it. Okay, hopefully you can hear. So we've got a visualisation showing when it detects the messages. The first few characters are a bit jumbled as it's automatically detecting how fast the message is coming, so for the first few it receives it's just figuring out the sequencing on the receiving end. So we're just looping output there. Let's change the message. I don't think we're going to trouble the fibre-optic providers with our speed, but again the idea is just to show how you would exfiltrate data in this way. Okay, let's move on.

All right, now we're going to quickly show the same thing with the protection that you're asking about. Oh, actually no, that was trying a file, let's skip on past this one, we know we can do that, and get to the protection you asked about. So this time we've got the DLP system running again; we'll turn on sound protection. There's a few settings for where to send the alert to. When we try to exfiltrate the data it detects the output of the pattern of audio which doesn't seem to be for human hearing, raises the alert to the security team the same as plot, so users are optionally notified and blocked. Here we've just muted them, which gives them the ability to unmute in case it's a false positive, maybe they're listening to music, so they can unmute themselves, but the system again quickly detects it and mutes them. So obviously we can escalate the alert, lock the user's account and send someone to clear his desk at this point. But this is no good unless normal sounds work okay. So this is the news from yesterday, just to show the system's running and normal sounds get through unhindered. It's effectively the same thing if you build the algorithm that knows that the data coming out isn't something that represents normal voice, normal speaking. So we're looking to detect sounds that you can predict; if you can predict the sound coming out, this, what is a
systematic sound rather than voice? Well, I'm not trying to... we just tried to explore how you would take data out. I mean, there are many other ways; I guess this is just trying to show ways that you could get a smooth data stream in an American accent or an English one. Okay, so that's great, we've done Morse code. And while we're on Morse code: when I was younger, my dad and my granddad, watching films where old warships signalled to each other by flashing a light, opening and closing shutters. So that gave me this next idea. And so again the computers adopt their preferred position, cowboy style. So, flash sender and flash receiver, not the sound, the sound receiver. The one there's screen flashing here, and here's me doing some expert filming. So I wrote, I wrote a little... the leaker's corporate computer is a modern version of the ship's strobe. By changing the colour of part of the screen, the receiver's going to see that on its webcam, sense this and, you guessed it, convert it back to the data. Beautiful hands. Okay, there we go, we've got the screen flashing and we're picking that up on the webcam that's looking at that screen. Hello BSides, down at the bottom there. Okay, so if we had time we could exfiltrate the file in this way, but it's not going to be very quick. But the point, the point shows really there are numerous ways of encoding data on unusual covert channels which traditional DLP systems just aren't gonna pick up. So now that they've blocked USB, printing, uploading files via the web, really determined insiders are going to turn to channels like these, which we need to protect. That doesn't stop us here, right; we've got a few things through the screen. Let me try and quickly segue this: rather than trying to send a file, let's take it through to system components, because there's a lot of other ways to emit a signal from your computer system. So here's one of them, and we're gonna look at the humble caps lock key. Now, all the caps lock key has, which the other keys do not, or not all of them, on your, on your... I knew people that have... is a little LED. A little thing, but if we can manipulate that LED then that can serve exactly the same purpose as the ship's strobe, as the screen in our last demo. So this little LED there, there we go, if we zoom right in, serves exactly the same purpose. Let's whizz on, let's whizz on. So with so many different components you can conjure a signal from, we need to find misuse of the computer's subsystems that are trying to produce output signals. And I have got a demo of protecting this, but it looks like we're a little short on time. Can I show, or should we just whizz past? Okay, let's quickly show that; it's very quick. So here we turn on the system protection, though you can choose what components of the system you want to track and protect, so it's looking for patterns of usage which aren't normal. So normal usage of the system should work fine, much like we saw the sound that went through no problem when you're just watching the news. Here someone's manipulating the caps lock key, and so it spots that, raises the alert, sticks it into the event log, notifies the security team. And so now our super-determined insider: we've tried to do it through the screen, he's tried to do it through the sound, he's resorted to other strange ways of emitting a signal, and he's now still going to get spotted, and there's no way to leak Coca-Cola's secret recipe anymore.

So in conclusion, we've taken a quick look at DLP in its current state, how it got there, we found a couple of other ways to leak data out of the organisation and written a couple of quick proof-of-concept exploits to show that they work, but then we've used these as tools to develop protection to stop people taking data in that way. So I hope that's helpful. Please, please use this knowledge for good; the idea of breaking through DLP was to improve it rather than just bundle your company's data out of the door. Thank you very much for listening. [Applause]
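The caps-lock demo and its protection above rest on one observation: a keyed LED is toggled at a rate, and with a timing regularity, that a human using the key does not produce. As an added example that is not the speaker's protection system, this Python sketch applies two checks to a list of caps-lock toggle timestamps: a rate check first, and then a test of whether the gaps between toggles are quantised to a short unit, as dit/dah or mark/space keying produces. How the timestamps are collected (a keyboard hook or input event log) is assumed and not shown; the thresholds and the toggle sequences are constructed for the example.

```python
"""Added example (not the talk's system): detect keyed use of the caps-lock LED from toggle times."""
import random

MIN_TOGGLES = 20        # toggles inside WINDOW_S before timing is examined at all
WINDOW_S = 10.0
TOLERANCE = 0.15        # a gap counts as quantised if within 0.15 units of an integer multiple
QUANTISED_FRACTION = 0.9


def toggle_rate_exceeded(times, min_toggles=MIN_TOGGLES, window_s=WINDOW_S):
    """True if any sliding window of window_s seconds holds at least min_toggles toggles.
    times: sorted toggle timestamps in seconds."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window_s:
            start += 1
        if end - start + 1 >= min_toggles:
            return True
    return False


def quantised_fraction(times, tolerance=TOLERANCE):
    """Fraction of inter-toggle gaps that lie near an integer multiple of the shortest gap.
    The unit is the mean of the shortest gaps (within 25% of the minimum) so small jitter on the
    'dit' does not skew the ratios of the longer 'dah' gaps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0
    shortest = min(gaps)
    if shortest <= 0:
        return 0.0
    short = [g for g in gaps if g <= 1.25 * shortest]
    unit = sum(short) / len(short)
    near = 0
    for g in gaps:
        ratio = g / unit
        multiple = round(ratio)
        if multiple >= 1 and abs(ratio - multiple) <= tolerance:
            near += 1
    return near / len(gaps)


def assess_led_activity(times):
    """Return ('alert', reason) or ('normal', reason) for a sorted list of toggle timestamps."""
    if not toggle_rate_exceeded(times):
        return "normal", "toggle rate within human range"
    q = quantised_fraction(times)
    if q >= QUANTISED_FRACTION:
        return "alert", f"{len(times)} toggles with {q:.0%} quantised gaps: keyed signalling"
    return "normal", "fast but irregular toggling"


# --- constructed toggle sequences (not captured data) ---
def keyed_sequence(bits, dit=0.2, dah=0.4, jitter=0.005, seed=7):
    """Toggle times for a keyed pattern: short gap per '0', double-length gap per '1', small jitter."""
    rng = random.Random(seed)
    t, times = 0.0, [0.0]
    for b in bits:
        t += (dah if b == "1" else dit) + rng.uniform(-jitter, jitter)
        times.append(t)
    return times


KEYED = keyed_sequence("0110100101110010011010001")            # 26 toggles in about 7.4 s
OCCASIONAL = [0.0, 8.3, 21.7, 22.4, 40.0, 55.2]                # someone using caps lock normally
_IRREGULAR_GAPS = [0.31, 0.47, 0.22, 0.58, 0.19, 0.41, 0.66, 0.27, 0.52, 0.38, 0.73,
                   0.24, 0.49, 0.33, 0.61, 0.29, 0.44, 0.57, 0.36, 0.68, 0.23]
FAST_IRREGULAR = [0.0]                                          # hammering the key, no timing structure
for _g in _IRREGULAR_GAPS:
    FAST_IRREGULAR.append(FAST_IRREGULAR[-1] + _g)

if __name__ == "__main__":
    for name, seq in (("keyed", KEYED), ("occasional", OCCASIONAL), ("fast_irregular", FAST_IRREGULAR)):
        print(name, assess_led_activity(seq))
```

The same two checks apply unchanged to scroll lock and num lock, which the Q&A mentions as extra channels, and to any other binary output a process can drive; the rate check keeps the cost near zero for normal use, and only the rare fast bursts pay for the timing analysis.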
It was, it was on one of the tests, he did say. Was it? Yeah, oh really, okay, oh I see, I see. Yeah, so a lot of the ideas actually have been done in some way before, so I should, I should mention there's a lot of other research I did in the early stages of this project to find the different ways that you could leak data, and LEDs are one of them. There are other people who are outputting signals through the wires inside a computer, so let's say manipulating the graphics card to produce GSM frequencies. But what I tried to do is develop a new use case here where you don't have to exploit the machine to start with. It's a use case focused on a determined insider who just wants to leak data out, bypassing the protections that firms put in place. So that's why it's a browser-based tool, right. I mean, you're right, there are quite a few other similar systems, like sending data through heat, even between two different PCs. So I was thinking of developing a version of the exploit that just blasts the CPU so it's kind of Morse code coming out as heat. I've even heard at Black Hat last week there's someone talking about doing the same with power, the power consumed by a PC. So interestingly we could try and track power usage, and if there's a pattern in the output then we can hypothesise that someone's manipulating that to output a signal that someone looking at the power consumption is trying to read. [Music]

I've done a little; it's not fast. I mean, the point was to proof-of-concept the exploit rather than write an effective communications protocol. The fastest one of those was the QR codes on the screen, partly because it's a little bit more reliable to automate it through. As I mentioned with the sound, the timing's tricky, but it's not, it's not so that... the largest, the largest file I've moved through this is about to make, through this, through the screen one. This is small, yeah. There's, I mean there's probably a lot you can do to improve this. So for instance you've got your LED exploit; you could multiplex the scroll lock, the num lock, the caps lock, and you've got three channels. That gives you a lot, a lot more bandwidth.