35C3 Intro music
Herald:
Welcome to the next talk
"You Can Hack Everything -
Just Don't Get Caught".
Quick survey:
How many of you
have found a security loophole
and thought:
"Oh shit, if I tell someone
then I am in deep
that could cause problems?"
Put your hands up
Who does that apply to?
Interjection from the audience: Camera off
Laughter
Herald: Another question: How many of you
would like to find a security
loophole, hands up
Laughter
Alright, I hereby declare you all
concerned parties and this talk
relevant for you, because many hackers
are at some point in their career
confronted with this problem or
are in the situation where they
have found something or got into
something or ran into it
and know that if the people affected
in this architecture that they are inside
get wind of it, then there will be trouble
it will really stir up discontent.
And this talk is about
which worst case scenarios could be
in store for you, how to deal with it and
best of all, how to not let yourself
get caught. And our speakers,
Linus Neumann and Thorsten Schröder, are
experts in IT security. You probably
know them from the PC-Wahl hack.
They found security vulnerabilities
in the Bundestag voting software,
it's a very recommendable episode.
Alright, I'm talking rubbish,
nevertheless I recommend the
logbuch-netzpolitik.org episode.
It's really worth a listen,
especially number 228
"Interessierte Bürger". Now give
a round of applause for Linus
Neumann and Thorsten Schröder, have fun.
Applause
Linus Neumann: Thank you all
for being here. Thank you very much for
the warm welcome. I also liked how
a few of you have already done your
first OpSec fail and outed yourself
at the beginning. We have never
hacked anything, we have nothing
to do with it. Our short talk is about
the topic everyone is talking about,
hacking. We're seeing over the years that
many fine, young hackers are ending up
in prison and there are a lot of risks
that come with hacking as a sport
and spoil its enjoyment
for example something like house searches,
broken down doors, high legal fees,
this doesn't have to be. It's worth maybe
thinking about how you can continue
as free agents.
Because we know that hackers are
free agents, like artists, that get up
in the morning and when they
are in the mood, they sit down
and paint their pictures. And we want
you to be able to paint a lot more
beautiful pictures. The key: OpSec.
And that's what we want to
talk to you about today.
OpSec is actually
easy to summarise,
here by the way...
beautiful, beautiful...
beautiful teaching material again
from Russia, it seems to be on their minds
for some reason. Let's start with a
perfectly normal, the first computer worm:
Pride comes before a fall,
that is one of the most important
teachings in your operational security.
Because showing off and cockiness
will get you into trouble. And we have
known this since computer worms have
existed. The first big computer worm
that became so international
and incapacitated half of the internet
was the Morris worm,
that exploited weak points in
Sendmail, Finger, Remote SH and a few
weak passwords, in order to
spread itself, so a computer worm.
This led to the internet outage
of 1988. And you're probably asking
yourselves: Why is the worm called
the Morris worm? Well, because the
creator was very proud of his worm
and liked telling everybody how it worked.
At one point he was even
at Harvard University, standing on the
table, preaching about how his worm
worked in full detail.
It was also obvious that
the original infection started there,
he told everybody about it.
At one point someone told a journalist
and he had to admit it. He got the
worm to be named after him to this day.
But also he got
3 years probation, 400 hours social work
and a 10,000 dollar fine, without
his need for admiration, he could have
possibly been spared. But
not only hackers have a small problem
with operational security and
a need for admiration, but also
bank robbers. And here we have a
young man, who has robbed a bank.
And what do you do when you have
experienced something exciting, and raked
in a lot of money: a selfie of course.
Yeah. If that's not enough, you can also
take another selfie.
Laughter
Or the accomplice. And also food. And then
you quickly go to Instajail. And
you might think, that was a one off,
no, you think: OK, nobody can actually
be that stupid, but when you
look on the internet, you really don't
need long to find experts
posting pictures like this. And
it always ends the same way: Here is
the young man with, he must have
really awful teeth, they're already
all gold, they were convicted,
because they bragged about
having money on Facebook.
Now, if we look at the pioneers
of car hacking, we have in principle
the same phenomenon. It must be added
that the first ventures in car hacking
were more of an analogue nature
and more brute force. And the pioneers in
this area were also these two
young men, who managed a really big hack,
that is breaking in the windscreen. They
stole 5,000 dollars and an iPad
from a truck.
And what is the first thing you do, when
you have an iPad: Well, first go to
Burger King, because they have WiFi.
And play around a bit with the iPad.
And then they noticed: Hey, awesome
you can make videos with this.
[Video is played]
... This is my brother Dylan... This...
good night's hustle
L: And because they had connected
to the WiFi in Burger King with this
stolen iPad, that happened,
what had to happen...
Laughter
L: And the owner of the vehicle then
handed the video over to the police
and the police said, they're
actually already wanted.
And they took care of the young men.
Thorsten Schröder:
But let's get back
to the computer hacking corner, that
we actually wanted to talk about today,
now we have taken a short trip to
the analogue world. What could
go wrong if you, as
an interested surfer, played around
on online shopping portals.
Next you maybe want to
acquire some wares, then you start
clicking around in the online shop.
Suddenly you slip and click
the wrong thing, that happens sometimes,
you accidentally somehow
enter a wrong signal,
and what's important here is: We are
talking about a threat level for
the hacker,
so when you are on the online shopping
portal and there
your mouse accidentally slips, then
you have a certain threat scenario.
It of course increases if you have
actually entered some strange symbols.
You're there
probably without an anonymisation service
because you wanted to
buy something. And now you think: Hmm,
I like playing and am
curious, I'll activate Tor or
something, and will visit this website
later with an anonymisation service.
And yes, over time
you might accidentally find
cross site scripting, the
threat level grows gradually, but
you've got Tor at the start. The
threat level continues to grow,
when perhaps you have found a
somewhat more critical weakness like
an SQL injection. And it continues to grow
when you have perhaps also found a
remote code execution, then
we're already pretty high. So if you
got caught now, it would be pretty
bad, because you've already proved
that you didn't directly go to the portal
after having found an XSS exploit
or another trivial weak point
and told them about it.
Well, what happens then, when you
continue rummaging around. Depends
what you're looking for. Maybe you also
find a few credit cards. Now we're on
a really high threat level,
and it quickly sinks because
...it becomes more relaxed.
You don't need to be scared anymore
about ever getting caught again
for this hack. Yes,
why would anyone get caught there?
Because I thought of OpSec much too
late. At the moment where I
slipped with the mouse, I should have
basically already had an anonymisation
service, some kind of Tor service
or something, right at the start,
because at the moment where the
portal provider realises, that something
happened, they'll just look and see:
Alright, we'll follow this back,
it's a Tor session, bad,
but at some point they come across
this case where you said "oops". And then
they will find you.
L: It actually happens quite a lot that
people are like:
Oh, look, I found something
and now I'll go to Tor
No, guys, it's too late,
you have to do it beforehand.
T: Sorry, if you notice something
like that, you can of course
think about what the data protection
regulation looks like, then you can
look at what kind of data protection
guidelines they have, some companies
tell you how long they keep your
logfiles