Fidelis Blog

Threat Research Team

The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers.


Dear Internet, Tear Down This Wall!

Fidelis Cybersecurity is proud to support the Wall of Sheep (WoS) at Def Con 2016, but this Wall needs to come down.

Over the past several years, it’s been standing-room only for WoS participants. This year’s event promises to be even more spectacular. For those who need background, the ‘sheep’ on this wall are users whose internet traffic reveals their credentials (user names and passwords) passed in the clear, for prying eyes to see.

The exercise starts as users sign on to the conference’s free wireless network. A copy of that traffic is given to participants whose job is to analyze that traffic, spot those credentials and report them to WoS organizers. When they’re satisfied with the data presented, the credentials (with the passwords obscured) are posted to the ‘Wall’ – a giant screen in the Packet Hacking Village.

Aries Security runs this much-anticipated annual event. For the past four years, we have had the honor to sponsor ‘Packet Detective’, an exercise focused on network forensics techniques. Each year, we host a friendly team that competes using Fidelis Network® to look at and analyze traffic.

It’s been very interesting to see what traverses over the Wi-Fi network. Here are some key findings:

  1. Protocols that inherently transfer credentials in the clear, like POP3, IMAP and telnet, continue to be used in volume. The practice appears to be trending downwards, mostly thanks to more awareness around this activity.
  2. Some applications that use these protocols, particularly those built into mobile devices, have forced the adoption of SSL, supporting the positive downward trend cited above.
  3. However, lots of users continue to use insecure applications to access sensitive data.
  4. Users are often oblivious to the risks associated with such exposure, often using what are clearly credentials from their professional lives to connect on what should be considered a hostile network. Many professionals clearly transfer sensitive data, their own as well as data belonging to others, using insecure applications.
  5. The proliferation of applications on mobile devices, as well as Internet-of-Things (IoT) devices, like wearables, is leading to massive data and credential leakage. Citizen Lab reported on this quite extensively and it’s certainly been noticed by our researchers.
  6. Applications on mainstream devices also exfiltrate data, as we recently highlighted with the Maxthon browser.
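The findings above come down to one observable: authentication exchanges that cross the wire as readable text. As an added example (not code from Fidelis, Fidelis Network or the Wall of Sheep organizers), the script below runs the same check a defender would run against their own captured traffic: it walks application-layer lines from a capture, pairs the POP3/FTP `USER`/`PASS` commands, parses IMAP `LOGIN` and SMTP `AUTH PLAIN`, and reports the account with the password masked, the way the Wall displays it. The capture format (flow id, destination port, line) and every sample line are constructed for the demonstration; the port-to-protocol mapping is an assumption that a real tool would replace with protocol detection. Telnet is keystroke-by-keystroke and needs stateful reassembly, so it is deliberately out of scope.

```python
"""Flag cleartext credentials in captured application-layer text and mask
the password before reporting.  Added example, not Fidelis or WoS code.
Sample capture lines below are constructed for the demo."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ClearCred:
    protocol: str
    username: str
    masked_password: str


# Assumption: protocol inferred from destination port.  Ports not listed
# (e.g. 443, or STARTTLS-upgraded sessions) carry opaque bytes and are skipped.
PORT_PROTOCOL = {110: "POP3", 143: "IMAP", 21: "FTP", 25: "SMTP", 587: "SMTP"}

USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.IGNORECASE)          # POP3 / FTP
PASS_RE = re.compile(r"^PASS\s+(\S+)\s*$", re.IGNORECASE)          # POP3 / FTP
IMAP_LOGIN_RE = re.compile(                                          # tag LOGIN user pass
    r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
AUTH_PLAIN_RE = re.compile(r"^AUTH\s+PLAIN\s+(\S+)\s*$", re.IGNORECASE)  # SMTP

# Constructed SMTP AUTH PLAIN payload (RFC 4616: [authzid] NUL authcid NUL passwd).
# base64 is an encoding, not encryption: without TLS this is a cleartext password.
SAMPLE_AUTH = base64.b64encode(b"\x00carol@example.com\x00s3cret").decode()

# Constructed capture: (flow id, destination port, one client-to-server line).
SAMPLE_CAPTURE: List[Tuple[str, int, str]] = [
    ("10.0.0.5:51000->mail.example.com", 110, "USER alice@example.com"),
    ("10.0.0.5:51000->mail.example.com", 110, "PASS hunter2"),
    ("10.0.0.7:51012->imap.example.com", 143, 'a001 LOGIN "bob@example.com" "letmein"'),
    ("10.0.0.9:51020->smtp.example.com", 25, f"AUTH PLAIN {SAMPLE_AUTH}"),
    ("10.0.0.9:51020->smtp.example.com", 25, "MAIL FROM:<carol@example.com>"),
    ("10.0.0.8:51050->mail.example.com", 110, "PASS orphan"),  # PASS with no USER: ignored
    ("10.0.0.4:51030->ftp.example.com", 21, "USER anonymous"),
    ("10.0.0.4:51030->ftp.example.com", 21, "PASS guest@"),
    ("10.0.0.3:51040->web.example.com", 443, "<TLS record, opaque>"),  # not inspected
]


def mask(password: str) -> str:
    """Fixed-width mask so the report leaks neither the value nor its length."""
    return "*" * 8


def find_cleartext_credentials(records: Iterable[Tuple[str, int, str]]) -> List[ClearCred]:
    pending_user: Dict[str, str] = {}  # flow -> username seen in USER, awaiting PASS
    found: List[ClearCred] = []
    for flow, port, line in records:
        proto = PORT_PROTOCOL.get(port)
        if proto is None:
            continue
        line = line.strip()
        if proto in ("POP3", "FTP"):
            m = USER_RE.match(line)
            if m:
                pending_user[flow] = m.group(1)
                continue
            m = PASS_RE.match(line)
            if m and flow in pending_user:  # only pair PASS with a USER on the same flow
                found.append(ClearCred(proto, pending_user.pop(flow), mask(m.group(1))))
        elif proto == "IMAP":
            m = IMAP_LOGIN_RE.match(line)
            if m:
                found.append(ClearCred(proto, m.group(1), mask(m.group(2))))
        elif proto == "SMTP":
            m = AUTH_PLAIN_RE.match(line)
            if not m:
                continue
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # malformed token, not a credential we can attribute
            parts = decoded.split(b"\x00")
            if len(parts) == 3:
                authcid = parts[1].decode("utf-8", "replace")
                found.append(ClearCred(proto, authcid, mask(parts[2].decode("utf-8", "replace"))))
    return found


def wall_lines(creds: Iterable[ClearCred]) -> List[str]:
    """Render findings the way the Wall shows them: protocol, account, masked secret."""
    return [f"{c.protocol:<5} {c.username:<24} {c.masked_password}" for c in creds]


if __name__ == "__main__":
    for row in wall_lines(find_cleartext_credentials(SAMPLE_CAPTURE)):
        print(row)
```

Run against your own packet captures, anything this reports is an account whose password was readable to everyone on the path, and the fix is on the application side (TLS or STARTTLS enforced before authentication), not on the network. The SMTP branch is there because `AUTH PLAIN` looks encrypted to a casual reader and is not.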

While a user whose credentials are captured and displayed at the Wall might feel somewhat embarrassed, the exercise is aimed at drawing attention to the fact that this could happen to anyone, on any network – Wi-Fi at the coffee shop or airport, the university, businesses you visit and even on your home ISP.

The WoS event helps drive awareness of the dangers of credentials in the clear. It’s important to us to get this message out. Our goal is to inform every user and secure every application so that all credentials and sensitive information are hidden from people intent on causing you harm. We look forward to the day when the systems and applications we use are safe and our personal information and privacy are protected when transferring data. When that happens, and not a day before, we can take that wall down. Dear Internet, Let’s Tear Down This Wall!

Fidelis Cybersecurity will be at DEF CON 2016 and the Wall of Sheep! Come by and say hello. Meet our threat experts at the following sessions:

To Catch an APT: YARA
Saturday, 8/6, 10:10 am, Packet Hacking Village, 26th floor, Bally’s Indigo Tower

Jay Dimartino, senior threat research engineer, shows how to hunt for APT armed with the pattern matching Swiss knife called YARA. Learn how to author YARA rule signatures with techniques used by malware researchers to mercilessly hunt down elusive adversaries, and discover patterns in their code.

Mining Virus Total for Operational Data and Applying a Quality Control
Saturday, 8/6, 5:10 pm, Packet Hacking Village, 26th Floor, Bally’s Indigo Tower

Gita Ziabari, senior threat research engineer, will discuss techniques to achieve improved and actionable threat intelligence with VirusTotal. Her talk will cover how operational data sets can be obtained using specific APIs, algorithms and source code.

OPSEC Concerns in Using Encryption
Sunday, 8/7, 12:00 pm, Crypto & Privacy Village, Bally’s Bronze 2

John Bambenek, Fidelis Manager of Threat System, will cover OPSEC concerns with using crypto (and when not to use it). The talk will also provide an overview of a no-cost tool available to security researchers for random generation of self-signed certs.

See you at DEF CON!

-Fidelis VP of Threat Research Hardik Modi
