2. Introductions
• Founder and Managing Partner @ SudoSecure
• Credentials:
  – 16+ Years in Information Security
  – NASA, DoD, US Army
  – MS, Information Security
  – BS, Computer Science and Math
  – 20+ Industry Certifications
3. The true sign of intelligence is not knowledge but imagination.
Albert Einstein
5. IDS/IPS and Correlation Engines
• Evading an IDS/IPS requires understanding the signature (matching pattern)
  – In most cases it is TRIVIAL at BEST to evade!
• Correlation Engines tend to use simple logic
  – Evading these complex and expensive devices is EASY when they rely on Insecure Protocols!
• Getting it RIGHT!
  – Understand the limitations of Signature Detection Engines
  – Decompose complex rule engines and correlation logic to identify possible evasion techniques
  – Consider adding a “TRUSTED” metric value when designing a Secured Architecture
7. SSL MiTM
• “YES” SSL can be MiTM’ed
• Encryption does not imply “No Worries”!
• Getting it right!
  – Never use self-signed Certificates
  – Never allow an Exemption
  – Be OVERLY Paranoid!
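An added example (not from the deck) in Python, showing what the slide's "Exemption" looks like in code beside the corrected client configuration, plus an audit function a defender can run over any `ssl.SSLContext` to catch the exemption before it ships. The `cafile` argument and the hostname passed to `wrap_strictly` are assumptions; nothing here connects to a network.

```python
import ssl


def exemption_context():
    """The 'exemption' that gets added to silence a certificate error.

    With verification off, any certificate is accepted, including one minted by
    a box sitting in the middle, so the session is encrypted to the interceptor
    rather than to the server. This is the configuration the slide says never
    to allow.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(cafile=None):
    """The corrected configuration: chain validation, hostname check, TLS >= 1.2.

    cafile (assumption: an operator-supplied trust store) pins a private CA;
    with None the platform trust store is used. A self-signed leaf certificate
    fails validation here unless someone deliberately installs it as an anchor.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the weaknesses found in a context; an empty list means it is strict."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, "
                        "including a self-signed one, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for a "
                        "different name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.0/1.1")
    return findings


def wrap_strictly(sock, server_hostname, cafile=None):
    """Wrap a connected socket with the strict context.

    A bad chain or name mismatch raises ssl.SSLCertVerificationError instead of
    silently proceeding; callers should let that propagate rather than catch it.
    """
    return strict_context(cafile).wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    for name, ctx in (("exemption", exemption_context()), ("strict", strict_context())):
        print(name, "->", audit_context(ctx) or "OK")
```

Running `audit_context` over every context a code base constructs (or grepping for `CERT_NONE` and `check_hostname = False`) is a cheap way to enforce the "never allow an Exemption" rule in review.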
9. Outsourced Trust
• The Web and your Browser are GREAT at CACHING
  – Even when it is Malicious Injected Badness
• Two-Factor Authentication doesn’t solve EVERYTHING!
• Getting it Right!
  – Never include content you don’t control on a Secure Site!
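An added example (not from the deck) in Python: a scanner that walks a page's HTML and reports every script or stylesheet pulled from an origin the site does not control, flagging plain-http loads and resources with no Subresource Integrity pin, together with helpers that compute and verify an SRI value. The site origin, the sample page and the CDN hostnames are constructed for the example; the `sha384-PLACEHOLDER` value stands in for a real digest.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(content, algo="sha384"):
    """Integrity value for a resource body, in the form a browser compares against."""
    digest = hashlib.new(algo, content).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def integrity_matches(content, declared):
    """True if the body matches the declared integrity value (constant-time compare)."""
    algo, _, b64 = declared.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    expected = base64.b64encode(hashlib.new(algo, content).digest())
    return hmac.compare_digest(expected, b64.encode("utf-8"))


class ThirdPartyScanner(HTMLParser):
    """Collect every script/stylesheet fetched from an origin the site does not control."""

    def __init__(self, site_origin):
        super().__init__()
        self.site = urlparse(site_origin)
        self.findings = {}   # url -> list of issues (empty list = third-party but pinned)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            url = a["href"]
        else:
            return
        p = urlparse(url)
        if not p.netloc or p.netloc == self.site.netloc:
            return  # relative or same-origin: under the site's own control
        issues = []
        if p.scheme == "http":
            issues.append("fetched over plain http: replaceable in transit, then cached")
        if not a.get("integrity"):
            issues.append("no integrity attribute: whatever the third party serves "
                          "(or once served and is now cached) runs on the secure site")
        elif "crossorigin" not in a:
            issues.append("integrity without crossorigin: SRI is not enforced on an "
                          "opaque cross-origin response")
        self.findings[url] = issues


def scan(html, site_origin):
    s = ThirdPartyScanner(site_origin)
    s.feed(html)
    return s.findings


# Constructed sample page for a fictional site (not from the deck).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://widgets.example/chat.js"></script>
<link rel="stylesheet" href="https://fonts.example/site.css">
</head><body></body></html>
"""

if __name__ == "__main__":
    for url, issues in scan(SAMPLE_HTML, "https://secure.example").items():
        print(url, "->", issues or "pinned")
    print(sri_hash(b"console.log('hello')"))
```

Pinning with SRI does not make the slide's rule unnecessary: it only stops a silently changed copy from running, and a CSP `script-src` that lists no third-party origins is the direct expression of "never include content you don't control".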
11. WiFi Hi-Jacking
• By DEFAULT most Wireless Devices Probe and Connect to Preferred Networks
• Getting it Right
  – Disable Automatic Connections to the Preferred Network List
  – Disable WiFi when NOT in Use
13. LM Passwords
• Used to support the legacy LAN Manager protocol
• Disabled by default on Windows starting with Vista
• Still found enabled everywhere though!
• Weaknesses:
  – Password truncated at 14 Chars
  – Split into 2 halves of 7 Char passwords
  – Password is converted to UPPERCASE
• PROTIPS:
  – Crack LM hashes, then use the cracked password to attack the NTLM password
  – Free Rainbow Tables (freerainbowtables.com) will crack about 99% of LM hashes using rcracki_mt
  – John the Ripper: use --loopback --format=nt --rules=NT
  – Hashcat: use -a to toggle case of cracked LM hashes
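An added example (not from the deck) in Python that reproduces the three weaknesses on the slide as code, so the effect of each can be checked: the password handling LM applies before DES (uppercase, truncate at 14, NUL-pad, split into 7-byte halves), a test for two passwords colliding under that handling, a test for the empty second half that short passwords leave, and a comparison of brute-force effort against a 14-character case-sensitive password. The DES step itself is deliberately not included; the charset sizes and the latin-1 encoding (LM uses the OEM code page) are assumptions.

```python
LM_MAX_LEN = 14
HALF = 7


def lm_preprocess(password):
    """Password handling from the slide, before any DES is applied.

    Uppercase, truncate at 14, NUL-pad, split into two 7-byte halves. Each half
    keys DES independently, so the halves can be recovered independently.
    Encoding assumption: latin-1 stands in for the OEM code page LM really uses.
    """
    raw = password.upper()[:LM_MAX_LEN].encode("latin-1", "replace")
    raw = raw.ljust(LM_MAX_LEN, b"\x00")
    return raw[:HALF], raw[HALF:]


def lm_equivalent(a, b):
    """True when two different passwords would produce the same LM hash."""
    return lm_preprocess(a) == lm_preprocess(b)


def second_half_empty(password):
    """Passwords of 7 characters or fewer leave the second half all NULs.

    That half then hashes to one fixed value, which tells an observer at a
    glance that the password is at most 7 characters long.
    """
    return lm_preprocess(password)[1] == b"\x00" * HALF


def lm_work_factor(charset=69, full_charset=95, length=LM_MAX_LEN):
    """Brute-force effort: two independent 7-char case-folded halves versus one
    14-character case-sensitive password.

    Assumed alphabets: 69 = 26 letters + 10 digits + 33 symbols after case
    folding; 95 = printable ASCII.
    """
    per_half = charset ** HALF
    lm_total = 2 * per_half
    full = full_charset ** length
    return {"lm_total_keys": lm_total, "case_sensitive_keys": full, "ratio": full // lm_total}


if __name__ == "__main__":
    print(lm_preprocess("Password123456789"))
    print(lm_equivalent("Password123456789", "PASSWORD123456"))   # True: case and length lost
    print(second_half_empty("secret"))                          # True: second half is all NULs
    print(lm_work_factor())
```

The collision test is the defender's argument for the "Disabled by default" bullet: a 17-character mixed-case password and a 14-character all-caps one are indistinguishable once LM storage is on, so leaving LM enabled discards everything the password policy asked users for.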