Chema Alonso "Hackeando a los malos con sus propias armas" ("Hacking the bad guys with their own weapons")
Exploring Cybercrime: The Allure of Botnets
Introduction to the Project
- The speaker introduces a project titled "Bad Guys and Mafia with Bots in JavaScript," highlighting its intriguing nature for those in cybersecurity.
- Acknowledges a common curiosity among tech enthusiasts about engaging in cybercrime, specifically mentioning experiences with trojans and botnets.
Understanding Botnets
- Describes the concept of a botnet as a network of controlled computers used for malicious activities like stealing passwords or spying through webcams.
- Emphasizes that even professionals in cybersecurity are drawn to the challenge of creating such systems, despite ethical concerns.
Challenges Faced by Developers
- Discusses limitations faced by developers, including lack of funding and resources, which complicates the creation of effective malware.
- Mentions the need for sophisticated tools like polymorphic systems to evade antivirus detection while managing botnet operations.
The Reality of Resources
- Highlights the absence of financial resources and zero-day exploits (unpatched vulnerabilities), which are crucial for successful hacking endeavors.
- Compares their situation to that of major organizations like the FBI or NSA, who have extensive resources at their disposal.
Innovative Approaches to Infection
- Proposes an unconventional method: convincing users to willingly infect themselves rather than forcing installations.
- Introduces social engineering tactics as a means to recruit individuals into their botnet without direct control over software or legal authority.
Exploiting Network Vulnerabilities
Man-in-the-Middle Attacks
- Explains man-in-the-middle (MitM) attacks as a popular technique within local networks where attackers intercept communications between clients and routers.
- Details how attackers can manipulate network traffic by altering MAC addresses, allowing them access to all transmitted data.
Security Implications
- Stresses that MitM attacks exploit inherent security flaws in communication protocols, making them highly effective yet dangerous.
- Warns about potential risks associated with IPv4 and IPv6 networks, emphasizing that many users remain unaware of these vulnerabilities.
Understanding IPv6 and Cybersecurity Attacks
The Shift from IPv4 to IPv6
- Discussion on the transition from IPv4 to IPv6, emphasizing that many users are unaware of this shift. It is noted that by default, systems work with IPv6 if both devices support it.
- Mention of tools like Evil Foca that exploit vulnerabilities in IPv6 networks through techniques such as Man-in-the-Middle (MitM) attacks.
Browser Vulnerabilities and Plugins
- Explanation of how browser plugins, like the Google toolbar, can access all data within a web page's Document Object Model (DOM), including passwords.
- Historical context provided about cybercrime using these methods since 2004, highlighting the rise of trojans disguised as browser helper objects (BHOs).
Techniques Used in Cyber Attacks
- Description of how attackers modify HTML code on banking websites to redirect user credentials to their own servers instead of legitimate ones.
- Introduction of the phrase "there's a Russian in my Internet Explorer," illustrating the prevalence and sophistication of these attacks.
Advanced JavaScript Exploits
- Overview of how attackers create binaries for distribution but face challenges with antivirus signatures; thus, they explore alternative methods.
- Introduction to a new attack method involving JavaScript injected into browser tabs rather than directly into the browser itself.
Persistence and Frameworks for Attacks
- Explanation on how cached JavaScript can maintain persistence even after closing and reopening browsers unless cache is cleared.
- Mention of frameworks like Browser Exploitation Framework (BeEF), which allows attackers to inject scripts into web pages for malicious purposes.
Creating Custom Attack Scripts
- Discussion on creating custom JavaScript from scratch to bypass existing security measures put in place by antivirus companies.
- Introduction to manipulating Tor nodes for anonymity while accessing user traffic, explaining onion routing principles.
Detection Challenges in Cyber Manipulation
- Brief mention that detecting manipulation within communication channels can be straightforward but requires vigilance against sophisticated tactics used by hackers.
Understanding Proxy Servers and DNS Spoofing
Introduction to DNS Spoofing
- The speaker discusses connecting to a site using a specific method, highlighting the potential for packet manipulation if responses differ.
- An incident of being banned after conducting DNS spoofing is mentioned, leading to a shift in strategy towards using proxy servers.
Transition to Proxy Servers
- The speaker notes that many people have used proxy servers, emphasizing their popularity among tech enthusiasts for anonymity.
- Setting up a proxy server is described as straightforward, especially for those familiar with systems administration.
Legal Considerations in Server Location
- The importance of choosing a server location with lenient laws is discussed; actions deemed illegal in one country may be legal in another.
- Countries where phishing isn't considered a crime are highlighted as ideal locations for hosting servers.
Setting Up the Proxy Server
- Recommendations include purchasing servers from providers like Amazon while avoiding jurisdictions with strict regulations.
- Instructions on setting up a malicious squid proxy are provided, detailing how it interacts with client requests and original web pages.
JavaScript Injection Techniques
- The process of injecting modified JavaScript into web pages through the proxy server is explained, focusing on stealthiness and evasion of detection by antivirus software.
- A method for ensuring only one instance of injected code runs on multiple scripts is outlined, which reports back to the attacker’s server.
Ethical Considerations and User Warnings
- To maintain an ethical facade, users are warned about data collection practices when using the proxy server.
- A disclaimer regarding security research usage is suggested but noted that few read such policies.
Understanding Proxy Servers and Cybersecurity Tactics
Introduction to Insecure FTP and Proxy Servers
- The discussion begins with a warning about insecure FTP servers, which are designated for temporary official government use only. The security measure was minimal, requiring just a click to access the FTP without any username or password.
Setting Up a Proxy Server
- The speaker explains how they replicated the same security measures by creating their own proxy server. They sought ways to infect thousands of bots using common hacker resources like lists of proxy servers.
Rapid Spread of the Proxy Server
- Within 24 hours, their proxy server's IP address appeared on over 1,100 different lists as an anonymous proxy server, showcasing the rapid dissemination of their setup.
Payload Creation and Cookie Theft
- They developed payloads aimed at stealing cookies that were not marked as HTTP-only or secure. A program was created to capture these cookies through various methods including Java installations and exploiting unpatched Apache errors.
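The two conditions these payloads depended on, cookies missing HttpOnly or Secure here and the cached-script persistence noted earlier under "Persistence and Frameworks for Attacks", can both be checked from a site's own response headers. The following is an added example, not code from the talk; the header values and host names are constructed.

```python
# Added example (not from the talk): response-header checks for the two conditions the proxy payloads relied on.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class CookieFinding:
    name: str
    script_readable: bool   # HttpOnly missing: any script running in the page can read it
    sent_in_clear: bool     # Secure missing: also sent on plain-HTTP requests a proxy can see

def _attr_map(value: str, sep: str) -> Dict[str, str]:
    """Parse 'Attr; Attr=val' (or comma-separated directives) into a lower-cased dict."""
    out: Dict[str, str] = {}
    for item in value.split(sep):
        k, _, v = item.partition("=")
        if k.strip():
            out[k.strip().lower()] = v.strip()
    return out

def audit_set_cookie(headers: List[str]) -> List[CookieFinding]:
    """Report cookies an injected script could read or a plain-HTTP proxy could observe."""
    findings = []
    for h in headers:
        name_value, _, rest = h.partition(";")
        name = name_value.split("=", 1)[0].strip()
        attrs = _attr_map(rest, ";")
        script_readable = "httponly" not in attrs
        sent_in_clear = "secure" not in attrs
        if script_readable or sent_in_clear:
            findings.append(CookieFinding(name, script_readable, sent_in_clear))
    return findings

def script_persistence_seconds(url: str, cache_control: Optional[str]) -> Optional[int]:
    """How long a copy of a script tampered once by an on-path proxy could be replayed from cache.
    0: fetched over HTTPS (the proxy cannot alter it without breaking TLS) or explicitly uncacheable;
    None: no Cache-Control header at all, so the browser may cache it heuristically."""
    if not url.lower().startswith("http://"):
        return 0
    if cache_control is None:
        return None
    directives = _attr_map(cache_control, ",")
    if "no-store" in directives or "no-cache" in directives:
        return 0
    max_age = directives.get("max-age", "0")
    return int(max_age) if max_age.isdigit() else 0

# Constructed sample Set-Cookie headers for demonstration.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember_me=1; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "prefs=dark; Path=/; Secure",
]
```

Only the first sample cookie passes; `remember_me` is exposed on both paths and `prefs` is readable by injected script but never sent in the clear.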
Intercepting Form Submissions
- To enhance data collection, they injected JavaScript into form submissions that would send user input back to them in addition to its intended destination. This tactic allowed them to capture usernames and passwords effectively.
Overview of Botnet Activity
- After disconnecting from the internet for safety reasons, they noted having over 5,000 infected bots from various countries around the world within just 24 hours.
Identifying Users of Their Proxy Server
- The primary question arose: who was utilizing this type of proxy? They discovered a range of users including scammers who employed various fraudulent schemes online.
Scamming Techniques Encountered
- Among those using their proxies were scammers employing classic tactics such as the Nigerian prince scheme—promising large rewards in exchange for small payments over time.
Example of a Specific Scam Operation
- One identified scammer operated under the guise of British immigration lawyers offering work visas through spam campaigns linked to Green Card lotteries in the U.S., capitalizing on people's hopes for immigration opportunities.
Spam Campaign Details
- The scam involved charging individuals £275 for visa services while many potential victims responded with requests for assurance before payment—highlighting common vulnerabilities exploited by scammers.
The Dangers of Online Identity Theft
Common Tactics in Online Scams
- The speaker discusses typical behaviors in illegal online transactions, highlighting a common scenario where scammers demand money before providing any proof of legitimacy.
- A specific case is mentioned where individuals sent sensitive personal information, including passports and fingerprints, to scammers, illustrating the ease of identity theft through phishing campaigns.
Identity Theft and Its Implications
- The prevalence of identity theft is emphasized, noting that it has become so common that there are now insurance policies available against it.
- An anecdote about a woman adept at using proxies for anonymity raises concerns about how easily people can misrepresent themselves online.
Profiles and Deceptive Practices
- The discussion reveals multiple fake profiles created by one individual, showcasing their ability to manipulate identities across different locations (e.g., Texas, New Zealand).
- Accessing the scammer's email revealed numerous conversations with potential victims, indicating a systematic approach to scamming.
Conversations and Manipulation Techniques
- Examples of chat messages show how scammers initiate contact with flattery but quickly pivot to requesting money under various pretenses.
- The complexity of managing multiple victims simultaneously is highlighted as scammers often mix up details from different conversations.
Financial Exploitation Strategies
- Scammers use platforms like Western Union to request funds from victims while employing emotional manipulation tactics during chats.
- A specific interaction illustrates how scammers pressure victims into sending money despite red flags raised by the victim’s bank regarding suspicious addresses.
Unusual Scams: Selling Nonexistent Pets
Bizarre Online Sales Tactics
- Another case involves an individual selling a non-existent dog repeatedly online, raising questions about the motivations behind such scams.
- A shocking description of the "dog" being sold highlights the absurdity and moral implications of exploiting people's emotions for profit.
Psychological Aspects of Scamming
- The speaker notes that many individuals engaging in these scams exhibit psychopathic traits, emphasizing the need for vigilance when interacting with unknown parties online.
Understanding Proxy Connections and User Anonymity
The Nature of Proxy Connections
- A user is identified by their IP address (7157), but the true IP is known to the server, indicating a direct connection.
- Users often provide sensitive information like usernames and passwords on various services, highlighting potential security risks.
Unusual Business Models
- One individual engaged in reading articles for profit, earning 24.38 over several months, raising questions about the sustainability of such a business model.
- Users may resort to proxies when access to certain services is blocked at their workplace, which can lead to risky behavior.
Social Media Access in Restricted Regions
- Notable patterns emerged with users from China and Egypt accessing Facebook through proxies due to regional restrictions.
- Countries like Egypt have historically blocked social media platforms following political uprisings, leading citizens to seek alternative access methods.
Risks Associated with Proxy Use
- Many proxy servers collect user data, posing significant privacy risks for individuals trying to bypass restrictions.
- Users face dangers whether they use proxies or not; connecting through untrustworthy proxies can expose them further.
Hacking Activities and Vulnerabilities
Encounters with Hackers
- A hacker was traced back to Turkey using a proxy; their activities included accessing vulnerable web directories indicative of system exploitation.
Exploiting Webshell Vulnerabilities
- The hacker's webshell was compromised by an injected JavaScript that reported back upon successful hacks, demonstrating how hackers can be outsmarted.
Intrusion into Intranets
- Accessing an intranet without proper credentials was achieved through malicious JavaScript embedded in legitimate sites, showcasing vulnerabilities in internal networks.
Conclusion on Security Practices
- Understanding how common scripts can inadvertently introduce vulnerabilities emphasizes the need for robust security measures against such exploits.
Infecting JavaScript: A Deep Dive into Proxy Attacks
The Nature of Infection
- The discussion begins with the concept of infecting JavaScript from the internet, highlighting that once infected, it remains compromised even after disconnecting from the proxy.
- An example is given about discovering inappropriate content on various proxy servers, emphasizing how unexpected findings can occur in digital spaces.
Targeted Attacks and Intranet Vulnerabilities
- The speaker proposes a method for executing targeted attacks by exploiting known intranet structures within large organizations like Bank of America.
- If an attacker knows a specific internal JavaScript file, they can potentially infect users connecting from certain IP addresses to their proxy server.
Mechanism of Infection
- By forcing users to visit a page that downloads the infected JavaScript, attackers can ensure that any subsequent connections to banking or social media sites will load this malicious script.
- This approach allows attackers to gather sensitive information such as URLs when victims connect to their bank or social media accounts.
Payload Creation and Execution
- The process involves creating payloads that force the download of infected scripts when users access various websites through the attacker's proxy.
- By analyzing which JavaScripts are loaded by target sites, attackers can craft specific payloads for infection.
Practical Demonstration and Exploitation Techniques
- A practical demonstration is mentioned involving a website (members.com), showcasing vulnerabilities in HTTP pages where user credentials are submitted before transitioning to HTTPS.
- This bridging between HTTP and HTTPS allows attackers to capture login details without breaking secure channels.
Control Panel Functionality
- The control panel used for managing these attacks is described as straightforward; it simply requires selecting a site and specifying which JavaScript files to download.
- A simple document write command is highlighted as an effective method for initiating infections on targeted sites.
User Behavior Exploitation
- Victims often connect through anonymous proxies due to workplace restrictions; this behavior is exploited by redirecting them through an attacker-controlled server.
- Once connected, even if victims navigate away from malicious sites, they still download infected scripts that compromise their credentials later on.
Security Concerns in Digital Certificates and HTTPS
The Vulnerability of Digital Certificates
- Discussion on the potential for malicious objects to be downloaded, regardless of whether a device is updated or secure.
- Reference to the Comodo incident where digital certificates were stolen, leading to significant security breaches and the eventual closure of Comodo as a certification authority in the Netherlands.
Government-Controlled Certification Authorities
- Explanation of how government-controlled intermediate certification authorities can issue valid certificates that compromise user trust, particularly with examples from China.
- Mention of malware like Flame that operated undetected for four years using forged digital certificates, highlighting weaknesses in Microsoft systems.
Recent Security Breaches and Attacks
- Overview of Microsoft's advisory regarding compromised certificates and ongoing threats posed by sophisticated malware.
- Introduction to attacks such as BEAST and CRIME that exploit vulnerabilities in HTTPS through man-in-the-middle techniques, emphasizing the risks even when using secure connections.
Limitations of Security Measures
- Discussion on how tools like NoScript may not fully protect users from various attack vectors beyond JavaScript.
- Insight into alternative protocols (WML, CSS, WAP) used by attackers to inject malicious code and steal sensitive information.
Mobile Device Security Challenges
- Commentary on the obscure nature of mobile device security architectures, particularly Apple's delayed transparency regarding iOS security since 2006.
- Emphasis on the need for engineers to understand mobile operating systems due to their prevalence over desktop systems today.
User Awareness and Device Management
- Highlighting user challenges in managing browser cache across different mobile platforms (BlackBerry, iOS), which complicates data privacy efforts.
- Warning about automatic Wi-Fi connections potentially exposing users to rogue networks if they do not manage their settings properly.
Who is Using Anonymous Proxies on the Internet?
Understanding Proxy Manipulation
- The speaker raises a critical question about who is creating anonymous proxies online and what deceptive activities they might be involved in. This prompts the audience to think deeply about the implications of proxy usage.
- Following a presentation in Las Vegas, Websense conducted a test using a list of proxies. They discovered that 18% of these proxy servers were manipulating data, indicating significant risks associated with their use.
- The concept of "Man in the Middle" (MitM) attacks is introduced, emphasizing that proxies can act as intermediaries that may compromise sensitive information. Users are cautioned against sending any sensitive data through such channels.
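The Websense test described here, and the earlier remark that manipulation shows up when responses differ, can be reproduced offline on two captured copies of the same static page: one fetched directly, one through the proxy under test. The code below is an added example, not code from the talk or from Websense; both page bodies are constructed and the host names are placeholders.

```python
# Added example (not from the talk): compare the same static page fetched directly and
# through a proxy, and list the <script> elements only the proxied copy contains.
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    """Fingerprint every <script>: external ones by src, inline ones by a body hash."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None   # buffer while inside an inline <script>
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append("src:" + src)
        else:
            self._inline = []
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._inline = None

def script_fingerprints(html):
    c = _ScriptCollector()
    c.feed(html)
    c.close()
    return c.scripts

def injected_scripts(direct_html, proxied_html):
    """Scripts present in the proxied copy but not in the direct copy. Fetch a static
    resource (no personalisation or ads) so legitimate variation is not mistaken for
    tampering; any result means the proxy altered the page body in transit."""
    baseline = set(script_fingerprints(direct_html))
    return [s for s in script_fingerprints(proxied_html) if s not in baseline]

# Constructed sample pages; the proxied copy carries two additional scripts.
DIRECT_HTML = """<html><head><script src="/static/app.js"></script>
<script>window.appVersion = "1.2";</script></head><body>Hello</body></html>"""
PROXIED_HTML = """<html><head><script src="/static/app.js"></script>
<script>window.appVersion = "1.2";</script>
<script src="http://proxy.example/x.js"></script>
<script>window.injected = true;</script></head><body>Hello</body></html>"""
```

Run against a list of public proxies, the fraction of entries for which `injected_scripts` returns anything is the figure the Websense test reports.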
Best Practices for Proxy Usage
- Users are advised not to send sensitive information even if they are using HTTPS or VPN services, highlighting the importance of being cautious when utilizing proxies.
- After using proxies, it is recommended to clear all cache and potentially dismantle virtual machines or VPN connections to mitigate security risks.