
I might have to talk louder, although this seems quite good. So, I'm Chris Hanna and I'm here to talk to you about how I requested password reset tokens, bypassed email encryption, intercepted the tokens, and exfiltrated my own confidential data. If you're planning to try this on machines, please do it on your own machines, because I don't want you going to jail.

Before I get into the details, I'll cover a little bit about myself. I've been configuring and protecting servers since 1998, and yes, that doesn't mean I took my first tech job when I was 60. I've been self-employed as an IT consultant since 2004. I found a few vulnerabilities purely through diligence for my clients or my employers, depending on the situation.

Not liking the sound; I'm not sure if it's the mic or not. Try it.
Okay, let's see. This mic seems to be a little more consistent; we're going to stick with it, we get a little more volume on it. Okay.

So, since 2000 I found a Linux kernel vulnerability; that one was in a filesystem module that has since been removed. After that, some proprietary software we used at the University of British Columbia, and then a couple of Google Apps vulnerabilities where encryption was not being used properly, fairly similar to what we're dealing with today. So every single one of these vulnerabilities had to do with email encryption.

The core history of email encryption was that we had a draft concept of doing secure SMTP over TLS starting about 1998; by 2002 it became official with Request for Comments 3207. The spec is really interesting: it leaves a lot of ownership with whoever is sending the mail, be that a client machine or a mail server. So the mail servers have the choice to not send email if there's an encryption error, but in all of my tests they were quite happy to send the password reset links without encryption if they ran into an error.

There's been a Google paper, with researchers from Google and universities involved in it, and they have talked about four ways that they knew about to intercept supposedly encrypted emails. There's two that are tied to the TLS protocol. You could do STRIPTLS, which means a man-in-the-middle (which is really not a great term for it; it's really a machine in the middle) sends back an error message saying "sorry, we don't support TLS", and the mail server typically will send the email anyway. Then you can use a non-matching certificate: in my tests, I own the domain name kelownadivorcelawyer.com that I was thinking about selling and maybe making some money on, and I just used that certificate instead of the correct domain name, and every one happily sent the email. Things haven't improved since the Google paper on the situation. There's also two ways to intercept emails using DNS attacks, and they might look like they're essentially the same thing, but in practice it could be different name servers involved, so it's possible that number three will work in situations where number four won't, and the other way around.

Large-scale man-in-the-middle attacks, at least with an active attacker who's intentionally intercepting the mail, have been going on for about as long as most people have been using TLS. It's only about 2014 where TLS started to become really popular on domain-to-domain email, and that's when we started to see the two biggest ISPs in Thailand both get hit, where all their customers' mail and, in a lot of cases, passwords were being intercepted, and then one US wireless provider also got hit with a similar attack. These types of attacks aren't specific to SMTP; there were man-in-the-middle attacks happening for AWS, and in that case it was someone who managed to redirect the route and therefore redirect DNS, and they were able to intercept quite a few people's passwords and then steal about twenty million dollars of cryptocurrency.

When it comes to TLS, Chris Kubecka, who is another speaker here, did a report back last December about 11,000 different hosts across the internet that appear to be performing STRIPTLS attacks; over 3,000 of them were here in the US. People might wonder why you'd want to do this, and if we look to the Google paper for advice, a big part of that appears to be people who have configured firewalls to scan encrypted email. One of the challenges with that is a lot of the documentation for the firewalls doesn't tell people: hey, when you turn on the "scan encrypted email" feature, if you don't configure it perfectly, which can be impossible to do in some cases, you will disable encryption on all incoming emails. So it could be someone spying (there's definitely evidence that there's spying going on with that), and it could be someone like me who's trying to intercept password reset links, or someone a little more malicious. The ultimate phishing attack would be to take legitimate emails and inject malicious links, where you could phone the person up and ask them "hey, did you send me this money transfer?" "Oh yeah, I sent it to you." You click the link, it takes you to a fake site, and then they steal your banking passwords and steal your money. If they were really smart, they would probably also steal the transfer at the same time.

So what do you need to launch an attack like this? I used to say you needed to control a router, but really, if you control a switch that the router is connected to, there's often ways to intercept the same traffic. Also, if you control the DNS server or an email server you can do the same thing. And you also need something that will intercept email. Now, I'm guessing there's at least one red teamer in the audience; are there any red teamers in the audience? Okay. Now I'm thinking any red teamers that were trying to do this, they wouldn't use Exim; it makes for nice, easy examples, but they'd probably use something they could script, like maybe a proxy in Python. That's where we start getting into more advanced attacks. They also, like the Amazon attack, can do BGP, which is a routing protocol, to redirect emails or any traffic to a different router. I have personally also, on my own networks, used ARP cache poisoning attacks, which is fairly similar to controlling the switch.

So I did a quick traceroute from the Cisco Meraki mail servers, which are actually on AWS, and the route it would take to get to this hotel. Most people don't think of Atlanta as en route from Seattle to Vegas, but there's some very fast network links that go east to west, and that's why it goes there. Now, if you're looking at that map, some people may notice that it's following interstates; I'm betting that the real network routes don't follow interstates, but I can't guarantee that. In most cases the interception would happen at several hosts that are close to Seattle, or the Atlanta portion, or the San Diego detour. That San Diego one I'm a little uncertain about: different geographic databases said that host was in different places, so it could be in a lot of different places. Oh, those BGP shortcuts: those ones are kind of like if there was a router in Idaho that was saying "send your network traffic here, you don't need to go to Atlanta, it'll be faster, it'll be cheaper, you won't use as much gas" (not that routers use gas). They then intercept that traffic that was probably supposed to go to Las Vegas, and that's where they perform the attack, even though they're normally not en route between those.

Before I got into my test attacks, I made sure that my mail server was configured correctly. A big part of this was that I figured some service providers might be smart enough to require encryption when emailing domains that they had already sent encrypted email to. So we can see I've got a valid TLS certificate, the name matches the hostname that we're sending to, and everything meets the best practices for receiving email. Then I simulated an upstream router. In this case it's acting as an upstream router; it's an Ubuntu Linux box. Most routers aren't running Ubuntu Linux, but I imagine an attacker would probably want to redirect the traffic, when they're intercepting it, to another machine rather than launching the actual attack right on the router. So we install Exim 4 on the upstream router. I had to modify three lines of the config file: I set it to work in internet mode (that internet mode just means, hey, it needs to accept incoming email), I set it to accept email for all host names (I think a real attacker would want to do that, but you could theoretically just accept email for the destination host name), and I told it to listen on all interfaces, the 0.0.0.0; it effectively means no matter what interface I take over, it will listen. After saving those changes I had to do one command to activate the changes, one ifconfig command to take over the other IP address, and I had to restart Exim before requesting the links. I ran another test using CheckTLS, and we can see this server does not support TLS, it doesn't have a valid certificate, and it really doesn't meet modern security standards, and I would hope that people sending password reset links would not send them.

So I went and requested some password reset links. I started with Cisco Meraki firewalls because I thought those would be interesting. This is an out-on-the-internet-based attack, nowhere near your network, and we were able to get into the control panel for the Cisco Meraki firewall. We can start forwarding ports into the network from there; we're also able to disable all the filtering features on the firewall, so if you wanted to stop other attacks, that's getting enabled. We're also able, if the person uses a Microsoft account, to reset their Windows password. We're also able to reset their LogMeIn password, and we got into their Dropbox account, their OneDrive account, their Amazon AWS and Oracle Cloud accounts. We managed to break into my medical records, which could be kind of interesting. All it showed in there was that I went for a sleep study, that I snored really loud, and that I was not breathing properly when I was sleeping. But for someone else it could show something worse; it could be their STD tests. It might be something you could blackmail someone on.

Similarly, we tried a Google Nest security camera because I had one sitting in my office. We reset the password for the Google Nest security camera. I had the audio turned off because I didn't really want to record everything I said in my office and the music that I played in my office, but we were able to remotely turn on that audio. I also share my office with a barbershop, and part of why I found out about this was that one of the cameras is in the barbershop, and he really didn't want his conversations with his customers being recorded. So you can imagine; I don't know if anyone's ever had a private conversation with the barber or their hairstylist, but I think it happens pretty often, and the barber wouldn't be getting any kind of notification until he tried to use his password, or went "hey, my password doesn't work".

So there are quite a few more things. One of them that was interesting was BitLocker: BitLocker now prompts to upload your BitLocker key to OneDrive, so we were able to remotely reset the person's password, and we could either log on to the physical BitLocker-encrypted machine or download the key and get into their external hard drives. There's a little more of a list there. The Skype ones can be interesting for impersonation; Dropbox and OneDrive, those ones often contain a lot of confidential data. When we got over to the online backups, you can see three major online backup companies, from Carbonite to Mozy to Backblaze. Those ones were awesome because we had our mail client configured on the test machine, so we were able to start downloading people's saved web passwords and saved email passwords out of the backup. You might think, well, you were getting into this via email, why would I care? Let's say your man-in-the-middle attack is close to the backup provider's server rather than close to the destination mail server. The backup's really nice because now you can go into their main email account and start resetting all their other passwords.

I did a bit of a graph; I'd love to have someone who's good at graphing help me out with this graph, but the core idea is pretty much: whatever we get into, if we get into a router, we can get into more. We've reset hosting account passwords, at which point we could then change DNS records to intercept more password reset links. From one router we were able to break into other routers, because we got into the Cisco Meraki routers. It kept going on and on and on and on. What do I have?

So when I had the receiving server running, it actually got even more interesting. A lot of the service providers were sending us usernames, so we didn't have to know the usernames we wanted to intercept passwords for; we just watched the email coming in and we found out what accounts different users, whose email goes over that server, have. So we found out that adam at penn Dozie CA has a Windows account, so we can reset that. We don't know what Microsoft features they're using, but there's an awful lot of them that store data there. Then the LinkedIn one was fun, because LinkedIn actually recommended that my sample victim account add me as a connection, and then also my friend Adam Bennett, who was helping me out with the work. So I'm guessing it was working based on IP ranges and maybe occupations, because that Gordon Baldwin, I don't know who that is, but they're in our region and they work in the same general field.

From my perspective, a single compromised host shouldn't expose hundreds of key accounts, and it doesn't seem to matter where that host is; there's almost always password reset links traveling over it, or other ways to get an email to reset passwords. After US-CERT said "we think your findings are valid, but this is not the type of vulnerability that we will coordinate responses to", I sent them a list of additional CWEs that it appeared to violate. Most of these CWEs are on current OWASP Top 10s or previous OWASP Top 10s. I would say that the sending email server isn't authenticating who they send to; they're happy to send to whoever it gets to. That seems to meet CWE-287. It also seems to meet CWE-291. I would say this qualifies as missing encryption of sensitive data; I consider my password reset tokens pretty sensitive, especially when I didn't ask for them, and I would say the same thing about usernames: that's generally not something you want to post in public. That also fits in with cleartext transmission of sensitive information. I would also consider this a weak password recovery mechanism; I mean, they don't care who they send the link to. It's purely whatever they're told by DNS and whatever IP address it ends up at.

So there were some vendors that were pretty awesome. There's a shout-out for Apple on this one: Apple automatically did push notifications on phones and tablets to let people know their password was being reset. Even if the phone had been offline for weeks, it would still send, and send the password reset email at random timing. This seems to be protecting from: you let someone on your device for a couple of minutes, then they reset your iCloud password and take your data from somewhere else. They're the only people that use that approach to protect people, and I would really like to see everyone use that approach. If you've got an active session, either on a desktop, a laptop, a tablet, it doesn't really matter, why not let the user know someone's trying to reset their password?

Microsoft deserves credit: they had mandatory two-factor authentication. If you try to reset a password on an account that doesn't have it, it will just refuse; it says "sorry, we can't reset the password on this account, talk to your system administrator", and that was the only admin account on there, so I didn't really have another option. I'm getting a little low on time.

Gmail had some pretty awesome options too. They asked when that account was created; they also asked what was the last password you remember, and if you got those wrong, they would say "you're going to have to talk to support, we'll get back to you in about three days". Now, what's really interesting about the Gmail approach: if you try this from an IP address or a machine that's already logged into the account, they actually let you reset pretty easily. They only enforce the extra questions if you're on a new machine and a new IP address, and I think that's a pretty cool balance between usability and security.

So what else can people do to defend their applications? We've covered a couple of them already, like alerting the signed-in users and asking tough questions. I would consider two-factor authentication on password resets; users can also use that to defend themselves, but not all the time.
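The application-side defences just listed (alerting every signed-in session, a second factor on the reset itself that never travels by email, and refusing self-service resets on accounts without one), combined in one added Python example. This is not code from the talk or from any vendor it names; the account store, session names, notification channel and the TOTP secret are constructed for the demonstration, and TOTP is implemented inline per RFC 6238 so the whole thing runs offline.

```python
"""Password-reset flow that does not trust the emailed link by itself.

Added example (not code from the talk or from any vendor it names). Three
defences from the talk are combined:
  * every signed-in session is told that a reset was requested;
  * the reset only completes with a second factor (RFC 6238 TOTP here) that
    never travels over email, so an intercepted link alone is useless;
  * accounts without a second factor get no self-service reset at all.
The account store, sessions and secrets below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    username: str
    password_hash: str
    totp_secret: Optional[bytes]            # None = no second factor enrolled
    active_sessions: List[str] = field(default_factory=list)
    notifications: List[Tuple[str, str]] = field(default_factory=list)
    reset_token_hash: Optional[str] = None  # only the hash is stored server-side
    reset_expires: float = 0.0


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, implemented inline so the demo runs offline."""
    counter = struct.pack(">Q", int(timestamp) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def request_reset(account: Account, now: float) -> Optional[str]:
    """Issue a single-use reset token, or None if the account cannot self-serve.

    The returned token is the only thing that goes out by email; the server
    keeps just its hash, so a leaked database cannot be turned into live links.
    """
    if account.totp_secret is None:
        return None   # no second factor: route to support instead of emailing a link
    token = secrets.token_urlsafe(32)
    account.reset_token_hash = _hash(token)
    account.reset_expires = now + TOKEN_TTL_SECONDS
    for session in account.active_sessions:
        # Apple-style alert: the real user on any live session learns about it.
        account.notifications.append(
            (session, "A password reset was requested for your account."))
    return token


def complete_reset(account: Account, token: str, totp_code: str,
                   new_password_hash: str, now: float) -> Tuple[bool, str]:
    """Finish the reset only if the token is live AND the second factor checks out."""
    if account.reset_token_hash is None or now > account.reset_expires:
        return False, "no valid reset token"
    if not hmac.compare_digest(_hash(token), account.reset_token_hash):
        return False, "token mismatch"
    if account.totp_secret is None or not hmac.compare_digest(
            totp(account.totp_secret, now), totp_code):
        return False, "second factor failed"
    account.reset_token_hash = None          # single use
    account.password_hash = new_password_hash
    return True, "password changed"


def scenario(attacker_has_token_only: bool) -> Tuple[bool, str, int]:
    """Constructed walk-through: the real user vs. someone holding only the emailed token."""
    now = 1_700_000_010.0  # fixed clock so the TOTP step is reproducible
    acct = Account("alice", _hash("old-password"),
                   b"12345678901234567890",   # RFC 6238 test-vector secret, demo only
                   active_sessions=["alice-laptop", "alice-phone"])
    token = request_reset(acct, now)
    later = now + 5        # still inside the same 30-second TOTP step
    # An interceptor has the link but no authenticator, so they cannot supply a code.
    code = "" if attacker_has_token_only else totp(acct.totp_secret, later)
    ok, reason = complete_reset(acct, token, code, _hash("new-password"), later)
    return ok, reason, len(acct.notifications)


if __name__ == "__main__":
    print("legitimate user:", scenario(False))
    print("intercepted link only:", scenario(True))
```

The design point is that the emailed token proves only that someone can read the mailbox (or the wire it crossed); the TOTP check binds the reset to something the interceptor does not hold, and the session notifications give the real owner a chance to notice before the attacker's window closes.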
We've got LogMeIn over here: you have the app set up beautifully to alert you on your phone that you're trying to log in, and you just hit "get the token via email", and we intercepted the two-factor token the exact same way that we intercepted the password reset link. That is not specific to LogMeIn; that has impacted other vendors as well.

So I've got a few people to thank: my mentor John Seymour, he was super helpful in getting this talk ready; Adam Bennett, who works with me in my office; Jerry Dyson, and I'll be quite honest, I tracked him down because he had a bunch of CVEs related to man-in-the-middle attacks, and some vendors were actually saying back to me "we'll consider this if you resubmit it without a man-in-the-middle attack", when there's been quite a few major man-in-the-middle attacks like POODLE, and those vendors that don't accept man-in-the-middle attacks as a legitimate vulnerability are missing out on real vulnerabilities; and Chris Kubecka, who's speaking here.

And it says stop now. Does anyone have any questions? Seeing none, I'll just... I'm also going to be speaking at DEF CON; it's quite similar to this. It'll be in the Packet Hacking Village on Friday, but it's much more applied, so if you were wanting to see some real examples where there were some actual break-ins, you might want to come to the Packet Hacking Village at five o'clock on Friday.

[Applause]
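A sender-side check for the core problem the talk describes (the sending mail server falling back to plaintext when the peer claims not to support STARTTLS, or when the certificate does not match), as an added Python example. It is not code from the talk, from Exim or from any vendor mentioned. The FakePeer class, the hostnames and the reset message are constructed so that the three scenarios (honest peer, stripped STARTTLS, non-matching certificate) run offline; a real smtplib.SMTP connection exposes the same ehlo(), has_extn(), starttls() and sendmail() methods the delivery function relies on.

```python
"""Sender-side STARTTLS enforcement: defer instead of falling back to plaintext.

Added example, not code from the talk. The delivery logic is written against
the small subset of the smtplib.SMTP interface it needs (ehlo, has_extn,
starttls, sendmail), so it can be driven offline by the constructed FakePeer
below and used unchanged with a real smtplib.SMTP connection.
"""
import smtplib
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Decision:
    action: str   # "sent" or "deferred"
    reason: str


def strict_tls_context() -> ssl.SSLContext:
    """Verify the chain and require the certificate to match the MX hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deliver_with_required_tls(conn, sender: str, recipient: str, message: bytes,
                              context: Optional[ssl.SSLContext] = None) -> Decision:
    """Send only after STARTTLS succeeds with a verified certificate.

    Any failure (no STARTTLS keyword, handshake or certificate error) returns a
    "deferred" decision so the caller can queue and retry later; the message is
    never handed over in the clear, which is the fallback the talk exploited.
    """
    context = context or strict_tls_context()
    conn.ehlo()
    if not conn.has_extn("starttls"):
        return Decision("deferred", "peer did not advertise STARTTLS")
    try:
        conn.starttls(context=context)
    except ssl.SSLCertVerificationError as exc:
        return Decision("deferred", f"certificate verification failed: {exc}")
    except (ssl.SSLError, smtplib.SMTPException) as exc:
        return Decision("deferred", f"STARTTLS handshake failed: {exc}")
    conn.ehlo()   # RFC 3207: capabilities must be re-read after the TLS upgrade
    conn.sendmail(sender, recipient, message)
    return Decision("sent", "delivered over verified TLS")


class FakePeer:
    """Constructed stand-in for a remote MX; records what was delivered and how."""

    def __init__(self, advertises_starttls: bool = True,
                 tls_error: Optional[Exception] = None) -> None:
        self.advertises_starttls = advertises_starttls
        self.tls_error = tls_error
        self.encrypted = False
        self.delivered: List[Tuple[str, str, bytes, bool]] = []

    def ehlo(self):
        caps = b"mail.example.net\nSIZE 52428800\n8BITMIME"
        if self.advertises_starttls:
            caps += b"\nSTARTTLS"
        return 250, caps

    def has_extn(self, name: str) -> bool:
        return name.lower() == "starttls" and self.advertises_starttls

    def starttls(self, context=None):
        if self.tls_error is not None:
            raise self.tls_error
        self.encrypted = True
        return 220, b"Ready to start TLS"

    def sendmail(self, sender, recipient, message):
        self.delivered.append((sender, recipient, message, self.encrypted))
        return {}


# Constructed reset mail; the token value is a placeholder, not a real link.
RESET_MAIL = b"Subject: Password reset\r\n\r\nhttps://app.example.com/reset?token=CONSTRUCTED\r\n"


def run_scenarios() -> dict:
    """Drive the three situations from the talk against constructed peers."""
    peers = {
        "honest": FakePeer(),
        "stripped": FakePeer(advertises_starttls=False),
        "wrong_cert": FakePeer(tls_error=ssl.SSLCertVerificationError(
            "certificate verify failed: hostname mismatch (constructed)")),
    }
    results = {}
    for name, peer in peers.items():
        decision = deliver_with_required_tls(peer, "noreply@app.example.com",
                                             "user@example.net", RESET_MAIL)
        results[name] = (decision.action, len(peer.delivered), decision.reason)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>10}: {outcome}")
```

With a real connection the same function is called as `deliver_with_required_tls(smtplib.SMTP("mx.example.net", 25), ...)`; because `check_hostname` is on, `starttls()` raises when the presented certificate is for some other name, and the message stays in the queue rather than going out unencrypted.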