-
35C3 Intro music
-
Herald:
Welcome to the next talk
-
"You Can Hack Everything -
Just Don't Get Caught".
-
Quick survey:
How many of you
-
have found a security loophole
-
and thought:
"Oh shit, if I tell someone
-
then I am in deep
that could cause problems?"
-
Put your hands up
Who does that apply to?
-
Interjection from the audience: Camera off
Laughter
-
Herald: Another question: How many of you
would like to find a security
-
loophole, hands up
Laughter
-
Alright, I hereby declare you all
concerned parties and this talk
-
relevant for you, because many hackers
are at some point in their career
-
confronted with this problem or
are in the situation where they
-
have found something or got into
something or ran into it
-
and know that if the people affected
in this architecture that they are inside
-
get wind of it, then there will be trouble
it will really stir up discontent.
-
And this talk is about
which worst case scenarios could be
-
in store for you, how to deal with it and
best of all, how to not let yourself
-
get caught. And our speakers,
Linus Neumann and Thorsten Schröder, are
-
experts in IT security. You probably
know them from the PC-Wahl hack.
-
They found security vulnerabilities
in the Bundestag voting software,
-
it's a very recommendable episode.
-
Alright, I'm talking rubbish,
nevertheless I recommend the
-
logbuch-netzpolitik.org episode.
-
It's really worth a listen,
especially number 228
-
"Interessierte Bürger". Now give
a round of applause for Linus
-
Neumann and Thorsten Schröder, have fun
Applause
-
Linus Neumann: Thank you all
for being here. Thank you very much for
-
the warm welcome. I also liked how
a few of you have already done your
-
first OpSec fail and outed yourself
at the beginning. We have never
-
hacked anything, we have nothing
to do with it. Our short talk is about
-
the topic everyone is talking about,
hacking. We're seeing over the years that
-
many fine, young hackers are ending up
in prison and there are a lot of risks
-
that come with hacking as a sport
and spoil its enjoyment
-
for example something like house searches
broken down doors, high legal fees,
-
this doesn't have to be. It's worth maybe
thinking about how you can continue
-
as free agents.
Because we know that hackers are
-
free agents, like artists, that get up
in the morning and when they
-
are in the mood, they sit down
and paint their pictures. And we want
-
you to be able to paint a lot more
beautiful pictures. The key: OpSec
-
And that's what we want to
talk to you about today.
-
Opsec is actually
easy to summarise,
-
here by the way...
beautiful, beautiful...
-
beautiful teaching material again
-
from Russia, it seems to be on their minds
for some reason. Let's start with a
-
perfectly normal one, the first computer worm:
Pride comes before a fall,
-
that is one of the most important
teachings in your operational security
-
Because showing off and cockiness
will get you into trouble. And we have
-
known this since computer worms have
existed. The first big computer worm
-
that became so international
and incapacitated half of the internet
-
was the Morris worm,
that exploited weak points in
-
Sendmail, Finger, Remote SH and a few
weak passwords, in order to
-
spread itself, so a computer worm.
This led to the internet outage
-
of 1988. And you're probably asking
yourselves: Why is the worm called
-
the Morris worm? Well, because the
creator was very proud of his worm
-
and liked telling everybody how it worked.
At one point he was even
-
at Harvard University, standing on the
table, preaching about how his worm
-
worked in full detail.
It was also obvious that
-
the original infection started there,
he told everybody about it.
-
At one point someone told a journalist
and he had to admit it. He got the
-
worm to be named after him to this day.
But also he got
-
3 years' probation, 400 hours social work
and a 10,000 dollar fine, without
-
his need for admiration, he could have
possibly been spared. But
-
not only hackers have a small problem
with operational security and
-
a need for admiration, but also
bank robbers. And here we have a
-
young man, who has robbed a bank.
And what do you do when you have
-
experienced something exciting, and raked
in a lot of money: a selfie of course.
-
Yeah. If that's not enough, you can also
take another selfie.
-
Laughter
-
Or the accomplice. And also food. And then
you quickly go to Instajail. And
-
you might think, that was a one off,
no, you think: OK, nobody can actually
-
be that stupid, but when you
look on the internet, you really don't
-
need long to find experts
posting pictures like this. And
-
it always ends the same way: Here is
the young man with, he must have
-
really awful teeth, they're already
all gold, they were convicted,
-
because they bragged about
having money on Facebook.
-
Now, if we look at the pioneers
of car hacking, we have in principle
-
the same phenomenon. It must be added
that the first ventures in car hacking
-
were more of an analogue nature
and more brute force. And the pioneers in
-
this area were also these two
young men, who managed a really big hack,
-
that is, breaking in the windscreen,
stealing 5,000 dollars and an iPad
-
from a truck.
And what is the first thing you do, when
-
you have an iPad: Well, first go to
Burger King, because they have WiFi.
-
And play around a bit with the iPad.
And then they noticed: Hey, awesome
-
you can make videos with this.
-
[Video is played]
-
... This is my brother Dylan... This...
good night's hustle
-
L: And because they had connected
to the WiFi in Burger King with this
-
stolen iPad, that happened,
what had to happen...
-
Laughter
-
L: And the owner of the vehicle then
-
handed the video over to the police
and the police said, they're
-
actually already wanted.
And they took care of the young men.
-
Thorsten Schröder:
But let's get back
-
to the computer hacking corner, that
we actually wanted to talk about today,
-
now we have taken a short trip to
the analogue world. What could
-
go wrong if you, as
an interested surfer, played around
-
on online shopping portals.
Next you maybe want to
-
acquire some wares, then you start
clicking around in the online shop.
-
Suddenly you slip and click
the wrong thing, that happens sometimes,
-
you accidentally somehow
enter a wrong signal,
-
and what's important here is: We are
talking about a threat level for
-
the hacker,
so when you are on the online shopping
-
portal and there
your mouse accidentally slips, then
-
you have a certain threat scenario.
It of course increases if you have
-
actually entered some strange symbols
-
You're there
-
probably without an anonymisation service
because you wanted to
-
buy something. And now you think: Hmm,
I like playing and am
-
curious, I'll activate Tor or
something, and will visit this website
-
later with an anonymisation service.
And yes, over time
-
you might accidentally find
cross site scripting, the
-
threat level grows gradually, but
you've got Tor at the start. The
-
threat level continues to grow,
when perhaps you have found a
-
somewhat more critical weakness like
an SQL injection. And it continues to grow
-
when you have perhaps also found a
remote code execution, then
-
we're already pretty high. So if you
got caught now, it would be pretty
-
bad, because you've already proved
that you didn't directly go to the portal
-
after having found an XSS exploit
or another trivial weak point
-
and told them about it.
Well, what happens then, when you
-
continue rummaging around. Depends
what you're looking for. Maybe you also
-
find a few credit cards. Now we're on
a really high threat level,
-
and it quickly sinks because
...it becomes more relaxed.
-
You don't need to be scared anymore
about ever getting caught again
-
for this hack. Yes,
why would anyone get caught there?
-
Because I thought of OpSec much too
late. At the moment where I
-
slipped with the mouse, I should have
basically already had an anonymisation
-
service, some kind of Tor service
or something, right at the start,
-
because at the moment where the
portal provider realises, that something
-
happened, they'll just look and see:
Alright, we'll follow this back,
-
it's a Tor session, bad,
but at some point they come across
-
this case where you said "oops". And then
they will find you.
-
L: It actually happens quite a lot that
people are like:
-
Oh, look, I found something
and now I'll go to Tor
-
No, guys, it's too late,
you have to do it beforehand.
-
T: Sorry, if you notice something
like that, you can of course
-
think about what the data protection
regulation looks like, then you can
-
look at what kind of data protection
guidelines they have, some companies
-
tell you how long they keep your
logfiles
-
for example, and it should be...
-
L: Maybe you have a right to be forgotten.
-
T: Yeah, there are companies
storing log data only for 7 days, then
-
then you maybe just need to wait
for a week.
-
L: So, exercise general caution when
doing data travels, here for our friend
-
Alberto from Uruguay, who naively
sat down with his girlfriend
-
on an afternoon at the computer, and she
entered some health data in some kind of
-
cloud, because: modern. And Alberto said:
Oh, health data, please do show me!
-
admin:admin.
[Laughter]
-
T: Oops.
L: Oops. There was the oops. And he wrote
-
a mail to the CERT Uruguay, so the central
reporting point of the country, since
-
it's about sensitive patient data here,
and health data in specific, and he
-
received within a few hours an answer
from the CERT leader, so this was
-
very clearly a serious case,
which was also taken seriously.
-
T: This "oops" case is maybe not that
-
dramatic, one would think,
because the hacker wasn't malicious,
-
he didn't want to dig deeper, he
simply said: "Oh, I need to
-
alert them quick"
L: For him, the case was also finished
-
as he told the CERT about it, the
CERT took care of it, took responsibility,
-
they'll do things from now on.
Disable the platform,
-
whatever. Alberto continues in his life
entirely normally, until one year later
-
he notices: Oh, uuuh, they
did close the admin:admin
-
in the meantime, that's good, but
now they have unauthenticated
-
file access, not good, will report
to the CERT. Once more,
-
a long time passes, in this case
2 years of radio silence
-
He forgot all this long ago,
then the affected
-
company with the health data
suddenly gets an email from someone:
-
"Give me bitcoin."
[Laughter]
-
L: He wanted "give me bitcoin", because
the attacker or extortioner said,
-
he has that health data,
leaked by that platform. And if
-
15 bitcoin aren't sent during $duration,
then he'd
-
tell the press about everyone
in that dataset who's infected with HIV.
-
T: Which would have interested the press
quite heavily.
-
L: I don't know if the press
would be interested, but definitely
-
the police cared about it. You
always need to think about the police...
-
T: You can spot them
via these clothes
-
L: They can be spotted using these hats...
[Laughter and applause]
-
L: They also have a star on the front.
Just so you don't forget them.
-
So, somebody wants Bitcoin. Once more,
nothing happens for a longer time, until
-
Alberto's door is kicked in.
House search,
-
again via brute force. And, now
this happens: The police
-
don't trust their eyes as they enter
the flat, and find so many interesting
-
things that they display their findings
on a separate press conference
-
arranged a bit specially, showing off.
Looked like this: So we have a whole stack
-
of credit and blank credit cards.
Blank credit cards leave
-
a rather bad impression in general.
[Laughter]
-
T: Usually not.
L: Applies to the supermarket as well as
-
the shelf when the police look inside.
They also find card readers and
-
a few wallet fails.
T: Allo nedos
-
L: Arranged everything very prettily.
Card readers, payment methods, the like.
-
T: Tough point here is if the police
thought about OpSec and
-
if the card numbers might've been
valid when they published
-
the photos. One doesn't know,
one will never find out.
-
L: And they find something every hacker has,
with every
-
criminal, what does one need?
[Mumbling in the room]
-
L: An Anonymous mask of course!
[Laughter]
-
L: The Anonymous mask is also arranged,
we also have one with us... no,
-
we don't have an Anonymous mask.
A few strategical cash reserves. And,
-
that was very telling of course,
they find Bitcoin.