0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/1188 Thanks! 1 00:00:18,740 --> 00:00:20,809 Now we have 2 00:00:20,810 --> 00:00:23,179 the next talk introduction to network 3 00:00:23,180 --> 00:00:25,849 security by no master. 4 00:00:25,850 --> 00:00:28,579 No master is part of the 5 00:00:28,580 --> 00:00:29,869 staff here. 6 00:00:29,870 --> 00:00:32,629 And he also is active 7 00:00:32,630 --> 00:00:34,879 member of the fray from Community. 8 00:00:34,880 --> 00:00:37,249 And he likes to take a proactive 9 00:00:37,250 --> 00:00:38,179 approach to things. 10 00:00:38,180 --> 00:00:40,189 And so I think we all have a very 11 00:00:40,190 --> 00:00:42,589 practical introduction 12 00:00:42,590 --> 00:00:45,529 to network security now. 13 00:00:45,530 --> 00:00:46,729 Beckham, no master. 14 00:00:51,220 --> 00:00:52,809 Well, thank you. 15 00:00:52,810 --> 00:00:54,579 This is my very first talk at the 16 00:00:54,580 --> 00:00:56,799 Congress, I'm so excited, I'm 17 00:00:56,800 --> 00:00:58,929 I hope I'm not to 18 00:00:58,930 --> 00:01:00,609 solving myself somewhere in the middle. 19 00:01:01,690 --> 00:01:03,879 Also, I'm glad you're all 20 00:01:03,880 --> 00:01:05,318 here. 21 00:01:05,319 --> 00:01:07,689 I've been asked to give some introduction 22 00:01:07,690 --> 00:01:09,549 that is probably more for the beginners, 23 00:01:09,550 --> 00:01:11,709 so I hope that you can enjoy 24 00:01:11,710 --> 00:01:12,909 what I'm speaking about. 25 00:01:12,910 --> 00:01:15,099 That's neither the problem 26 00:01:15,100 --> 00:01:17,229 that you don't get what I'm talking about 27 00:01:17,230 --> 00:01:19,689 or that you all heard of that before. 28 00:01:20,890 --> 00:01:23,079 So let's see where we can take this 29 00:01:23,080 --> 00:01:24,080 here. 
30 00:01:25,360 --> 00:01:27,609 So my idea was like, I'm 31 00:01:27,610 --> 00:01:30,249 practical. As you said, how can I 32 00:01:30,250 --> 00:01:32,649 get you some idea about 33 00:01:32,650 --> 00:01:34,959 what the actual issue about network 34 00:01:34,960 --> 00:01:35,960 security is? 35 00:01:36,790 --> 00:01:38,889 We get it, not we get question 36 00:01:38,890 --> 00:01:41,229 a lot about if this network is really 37 00:01:41,230 --> 00:01:43,299 secure to connect to. 38 00:01:43,300 --> 00:01:45,489 And the usual answer is 39 00:01:45,490 --> 00:01:47,589 the network is in itself 40 00:01:47,590 --> 00:01:48,529 not secure. 41 00:01:48,530 --> 00:01:50,619 It's your system, your laptop 42 00:01:50,620 --> 00:01:51,999 that should be secure. 43 00:01:52,000 --> 00:01:53,949 But what is actually 44 00:01:55,120 --> 00:01:57,369 a realistic thing that can happen here? 45 00:01:57,370 --> 00:01:59,169 So that's the what I'm wanting to show 46 00:01:59,170 --> 00:02:01,539 you. I have brought to you three 47 00:02:01,540 --> 00:02:03,519 examples for that. 48 00:02:03,520 --> 00:02:05,319 I hope that gives us some insight. 49 00:02:06,680 --> 00:02:09,138 So but first, before we start, 50 00:02:09,139 --> 00:02:11,329 because we need some mindset 51 00:02:11,330 --> 00:02:13,849 for that, the network stack we have, 52 00:02:13,850 --> 00:02:15,979 here's a totally oversimplified 53 00:02:15,980 --> 00:02:18,289 version of that relies 54 00:02:18,290 --> 00:02:21,079 on different layers as if it hurts. 55 00:02:21,080 --> 00:02:23,329 So every computer has some 56 00:02:23,330 --> 00:02:24,529 media access control 57 00:02:24,530 --> 00:02:26,119 address, the MAC address. 58 00:02:26,120 --> 00:02:27,529 It's not about Apple computers. 59 00:02:28,970 --> 00:02:31,819 We have the Internet Protocol address, 60 00:02:31,820 --> 00:02:34,219 which is additional to that. 
61 00:02:34,220 --> 00:02:36,529 And on top of this, we have 62 00:02:36,530 --> 00:02:38,839 the application that uses some TCP 63 00:02:38,840 --> 00:02:41,179 or UDP socket and the protocol defined 64 00:02:41,180 --> 00:02:42,180 for that. You know, that's 65 00:02:43,520 --> 00:02:45,589 OK. So what really matters to 66 00:02:45,590 --> 00:02:47,749 us is the two layers here, 67 00:02:47,750 --> 00:02:49,639 because this is the network that you're 68 00:02:49,640 --> 00:02:51,709 using, this is the protocols that 69 00:02:51,710 --> 00:02:53,209 are involved with it. 70 00:02:53,210 --> 00:02:55,489 The other stuff is on the systems, 71 00:02:55,490 --> 00:02:57,679 the client and the server. 72 00:02:57,680 --> 00:02:59,749 And this is where the 73 00:02:59,750 --> 00:03:00,750 data goes. 74 00:03:01,820 --> 00:03:03,650 Of course, what we want to 75 00:03:05,210 --> 00:03:07,429 accomplish here is that no one 76 00:03:07,430 --> 00:03:10,279 can look into the application 77 00:03:10,280 --> 00:03:12,859 other than the client and the server. 78 00:03:12,860 --> 00:03:15,589 So your privacy is compromised 79 00:03:15,590 --> 00:03:17,569 when third parties have access to that. 80 00:03:19,490 --> 00:03:21,529 You probably see the SCA in the end. 81 00:03:21,530 --> 00:03:22,759 We would talk about that later. 82 00:03:24,860 --> 00:03:27,019 So first, that we know what 83 00:03:27,020 --> 00:03:28,069 we're talking about. 84 00:03:28,070 --> 00:03:30,949 The easy example to your IP address 85 00:03:30,950 --> 00:03:33,109 have seen that IP before, which 86 00:03:33,110 --> 00:03:35,179 is typically your home router's address 87 00:03:35,180 --> 00:03:36,829 maybe, and IPv6. 88 00:03:36,830 --> 00:03:38,989 I have brought you a very simple example 89 00:03:38,990 --> 00:03:41,119 of that, which is just a longer 90 00:03:41,120 --> 00:03:43,429 version, usually written in hexadecimal. 91 00:03:43,430 --> 00:03:44,959 So that's the IP address. 
92 00:03:44,960 --> 00:03:47,060 And then we have the MAC address. 93 00:03:48,230 --> 00:03:50,299 This is a very unique address 94 00:03:50,300 --> 00:03:52,249 that every computer has on the network. 95 00:03:52,250 --> 00:03:54,409 So this is usually 96 00:03:54,410 --> 00:03:55,879 burned in on your device. 97 00:03:55,880 --> 00:03:57,019 You just started up. 98 00:03:57,020 --> 00:03:59,269 It has the MAC address and uses that 99 00:03:59,270 --> 00:04:01,069 MAC address to communicate on the 100 00:04:01,070 --> 00:04:03,259 network. So, for example, to get an 101 00:04:03,260 --> 00:04:05,599 IP address and this is where 102 00:04:05,600 --> 00:04:06,949 the bad things can happen then. 103 00:04:07,970 --> 00:04:10,249 So my first example is 104 00:04:10,250 --> 00:04:12,409 ARP spoofing. Who 105 00:04:12,410 --> 00:04:13,819 has heard of IP spoofing? 106 00:04:16,149 --> 00:04:17,589 So no one can explain them, 107 00:04:19,180 --> 00:04:21,429 but I guess the rows in the back 108 00:04:21,430 --> 00:04:23,619 didn't raise their hand, so I get to 109 00:04:23,620 --> 00:04:24,620 that and 110 00:04:25,930 --> 00:04:28,899 I usually like using whiteboards. 111 00:04:28,900 --> 00:04:30,489 I don't have one here, so I used my 112 00:04:30,490 --> 00:04:32,319 computer last night to to make some 113 00:04:32,320 --> 00:04:33,219 whiteboard notes. 114 00:04:33,220 --> 00:04:34,839 I hope you can read that my my 115 00:04:34,840 --> 00:04:36,100 handwriting is really bad. 116 00:04:37,270 --> 00:04:40,059 So what we use here for 117 00:04:40,060 --> 00:04:42,189 the resolution of our 118 00:04:42,190 --> 00:04:44,349 addresses of MAC 119 00:04:44,350 --> 00:04:46,239 addresses to IP addresses is the ARP 120 00:04:46,240 --> 00:04:47,240 protocol. 
121 00:04:47,980 --> 00:04:50,049 As you know, as I told you, the MAC 122 00:04:50,050 --> 00:04:52,299 address is burned in on your device and 123 00:04:52,300 --> 00:04:54,519 the IP address, which uses the 124 00:04:54,520 --> 00:04:56,439 computer uses to communicate on the 125 00:04:56,440 --> 00:04:58,539 internet, is then assigned to 126 00:04:58,540 --> 00:05:00,099 the computer. 127 00:05:00,100 --> 00:05:02,199 We need this address to 128 00:05:03,280 --> 00:05:05,319 be able to know Typekit through to your 129 00:05:05,320 --> 00:05:07,719 computer. It needs to travel probably 130 00:05:07,720 --> 00:05:09,789 all over the world and reach 131 00:05:09,790 --> 00:05:11,349 its destination. 132 00:05:11,350 --> 00:05:13,209 So this is why we have totally two 133 00:05:13,210 --> 00:05:15,609 different address spaces, 134 00:05:15,610 --> 00:05:17,909 one which just gives your computer 135 00:05:17,910 --> 00:05:20,499 a unique address which is always used 136 00:05:20,500 --> 00:05:22,689 and the which is the MAC address and 137 00:05:22,690 --> 00:05:24,759 the other one, the IP address 138 00:05:24,760 --> 00:05:27,009 to which is always 139 00:05:27,010 --> 00:05:28,599 individual for the location. 140 00:05:28,600 --> 00:05:29,600 Your own 141 00:05:30,790 --> 00:05:32,889 smart people know that the IPv4 142 00:05:32,890 --> 00:05:34,329 address I showed you is not really 143 00:05:34,330 --> 00:05:36,549 unique, but we are simplifying 144 00:05:36,550 --> 00:05:38,319 things here. OK. 145 00:05:38,320 --> 00:05:40,539 So on 146 00:05:40,540 --> 00:05:42,879 the other Nokia network, your router 147 00:05:42,880 --> 00:05:45,039 has to give the 148 00:05:45,040 --> 00:05:47,259 network packets to your clients, 149 00:05:47,260 --> 00:05:49,389 to your computer and to be 150 00:05:49,390 --> 00:05:50,959 able to do that. 
151 00:05:50,960 --> 00:05:53,079 It's each one 152 00:05:53,080 --> 00:05:55,179 of these needs to know the address 153 00:05:55,180 --> 00:05:57,249 of the computer that has the 154 00:05:57,250 --> 00:05:59,349 IP address for which the 155 00:05:59,350 --> 00:06:01,029 packet is destined. 156 00:06:01,030 --> 00:06:03,219 In this case here, the client asks 157 00:06:03,220 --> 00:06:05,619 for the IP address of the root 158 00:06:05,620 --> 00:06:07,179 of the router. 159 00:06:07,180 --> 00:06:08,859 It sends the broadcast frame to the 160 00:06:08,860 --> 00:06:11,469 network, which is an ARP 161 00:06:11,470 --> 00:06:13,629 frame, and asks for 162 00:06:13,630 --> 00:06:15,699 who has the IP address 163 00:06:15,700 --> 00:06:18,109 and the router answers the IP address. 164 00:06:18,110 --> 00:06:20,469 It's my MAC address. 165 00:06:20,470 --> 00:06:22,809 So what happens here if you look closely? 166 00:06:22,810 --> 00:06:25,539 Is this the router sends the packets? 167 00:06:25,540 --> 00:06:27,789 It says this IP 168 00:06:27,790 --> 00:06:29,919 address is it's this MAC 169 00:06:29,920 --> 00:06:31,239 address. 170 00:06:31,240 --> 00:06:32,240 They're getting that you. 171 00:06:35,390 --> 00:06:37,749 So what happens if someone tries 172 00:06:37,750 --> 00:06:39,769 to to steal your traffic? 173 00:06:39,770 --> 00:06:40,770 They can 174 00:06:42,200 --> 00:06:44,569 send a reply, 175 00:06:44,570 --> 00:06:46,969 saying someone asks for 176 00:06:46,970 --> 00:06:49,219 the MAC address of the router and 177 00:06:49,220 --> 00:06:52,129 the MAC address is their address. 
178 00:06:52,130 --> 00:06:54,319 And what they do is they send a false 179 00:06:54,320 --> 00:06:56,269 MAC address, which is their address and 180 00:06:56,270 --> 00:06:58,369 not really the router's through into 181 00:06:58,370 --> 00:07:00,649 the network so that your client 182 00:07:00,650 --> 00:07:02,989 learns the address and says, OK, 183 00:07:02,990 --> 00:07:04,969 well, then the router has to address this 184 00:07:04,970 --> 00:07:07,699 and that and sends its packets 185 00:07:07,700 --> 00:07:09,139 through to you. 186 00:07:09,140 --> 00:07:10,939 So the attacker, you're looking at this 187 00:07:10,940 --> 00:07:12,259 from attacker's perspective. 188 00:07:12,260 --> 00:07:13,279 Yeah. 189 00:07:13,280 --> 00:07:15,769 So then the problem is 190 00:07:15,770 --> 00:07:17,899 for the clients you don't see 191 00:07:17,900 --> 00:07:20,059 on the client anything happening 192 00:07:20,060 --> 00:07:22,129 other than the user 193 00:07:22,130 --> 00:07:24,049 data flow is commencing. 194 00:07:24,050 --> 00:07:26,119 The clients sends the traffic through 195 00:07:26,120 --> 00:07:28,789 to the attacker, which just for once 196 00:07:28,790 --> 00:07:30,889 that gets through to the router 197 00:07:30,890 --> 00:07:32,359 and back. 198 00:07:32,360 --> 00:07:34,579 So it's able, then, if it 199 00:07:34,580 --> 00:07:36,709 has compromised, they also the address 200 00:07:36,710 --> 00:07:38,989 of the client to observe any 201 00:07:38,990 --> 00:07:40,729 traffic that happens on the network 202 00:07:40,730 --> 00:07:42,859 transparently by just piping 203 00:07:42,860 --> 00:07:45,109 it through. Yeah, and looking at it. 204 00:07:45,110 --> 00:07:47,959 And I wrote, I guess observing, 205 00:07:47,960 --> 00:07:50,069 of course, if you get hold of the packet, 206 00:07:50,070 --> 00:07:52,369 you can also modify that. 207 00:07:52,370 --> 00:07:53,839 So this is one very 208 00:07:54,920 --> 00:07:56,689 old-school type of network. 
209 00:07:56,690 --> 00:07:57,860 attack, 210 00:07:59,330 --> 00:08:01,429 and you're getting an impression 211 00:08:01,430 --> 00:08:02,569 how that works. 212 00:08:02,570 --> 00:08:04,939 Hopefully, you can then get also 213 00:08:04,940 --> 00:08:06,740 an idea how to prevent that. 214 00:08:08,870 --> 00:08:11,329 What we have on our networks nowadays 215 00:08:11,330 --> 00:08:13,909 is switches that have security 216 00:08:13,910 --> 00:08:16,279 features, but you must be aware 217 00:08:16,280 --> 00:08:18,229 that on the usual network, this is not 218 00:08:18,230 --> 00:08:19,519 always the case. 219 00:08:19,520 --> 00:08:21,709 So every network you encounter 220 00:08:21,710 --> 00:08:23,809 is probably vulnerable to that kind 221 00:08:23,810 --> 00:08:24,810 of attack. 222 00:08:28,400 --> 00:08:30,499 So the next thing would 223 00:08:30,500 --> 00:08:32,090 be then the DNS hijacking, 224 00:08:33,590 --> 00:08:35,839 this attack is 225 00:08:35,840 --> 00:08:37,849 on a site on a somewhat different layer 226 00:08:37,850 --> 00:08:39,379 of the protocol. 227 00:08:39,380 --> 00:08:41,808 It uses the DNS system. 228 00:08:41,809 --> 00:08:44,029 The DNS system is, of course, 229 00:08:44,030 --> 00:08:46,999 for the resolution of a hostname 230 00:08:47,000 --> 00:08:48,349 to an IP address. 231 00:08:48,350 --> 00:08:50,779 So we have another layer here. 232 00:08:50,780 --> 00:08:52,219 It's not the IP address, the MAC 233 00:08:52,220 --> 00:08:53,659 address, but the hostname to the IP 234 00:08:53,660 --> 00:08:56,089 address that enables us to 235 00:08:56,090 --> 00:08:58,249 do a similar attack, but not 236 00:08:58,250 --> 00:09:00,499 only on our local network 237 00:09:00,500 --> 00:09:02,629 but also on 238 00:09:02,630 --> 00:09:04,039 every host on the internet. 
239 00:09:05,210 --> 00:09:07,469 What we then do is we try 240 00:09:07,470 --> 00:09:09,739 to get hold of the IP address of 241 00:09:09,740 --> 00:09:11,599 the DNS server. 242 00:09:11,600 --> 00:09:14,059 Usually the client asks the DNS server 243 00:09:14,060 --> 00:09:15,060 for its address 244 00:09:16,220 --> 00:09:18,469 of the of the of the real server 245 00:09:18,470 --> 00:09:20,779 it tries to connect to in this case, 246 00:09:20,780 --> 00:09:23,509 an A record which is for IPv4 addresses 247 00:09:23,510 --> 00:09:25,789 and the DNS server returns the IP 248 00:09:25,790 --> 00:09:27,739 address of the server in question. 249 00:09:27,740 --> 00:09:30,349 Then the client connects to the server 250 00:09:30,350 --> 00:09:32,449 and gets the answer back. 251 00:09:32,450 --> 00:09:34,519 Obviously, if we can get hold 252 00:09:34,520 --> 00:09:36,889 somehow of the DNS 253 00:09:36,890 --> 00:09:39,199 server's address we can do, then 254 00:09:39,200 --> 00:09:41,809 the same thing as before we can return 255 00:09:41,810 --> 00:09:43,789 not our MAC address because we are not 256 00:09:43,790 --> 00:09:46,099 on the same network. We can return our IP 257 00:09:46,100 --> 00:09:47,959 address, which the clients connects to 258 00:09:47,960 --> 00:09:50,149 its can be of any hosts on the internet. 259 00:09:50,150 --> 00:09:52,279 Yeah. And then 260 00:09:52,280 --> 00:09:54,679 the client since we returned 261 00:09:54,680 --> 00:09:57,109 the IP address of ourselves instead, 262 00:09:57,110 --> 00:09:58,549 and the client sends the traffic to 263 00:09:58,550 --> 00:10:00,799 through us and we then again 264 00:10:00,800 --> 00:10:03,019 transparently forward that traffic 265 00:10:03,020 --> 00:10:05,179 through to the server and we see 266 00:10:05,180 --> 00:10:07,849 every request happening there. 
267 00:10:07,850 --> 00:10:10,249 In that case, we don't observe 268 00:10:10,250 --> 00:10:12,349 the traffic coming back from the server 269 00:10:12,350 --> 00:10:13,549 to the client. 270 00:10:13,550 --> 00:10:15,529 We should also attack the server for 271 00:10:15,530 --> 00:10:16,700 that, but 272 00:10:17,930 --> 00:10:20,419 always keep in mind that the payload 273 00:10:20,420 --> 00:10:23,119 of the traffic is not very 274 00:10:23,120 --> 00:10:24,739 interesting for an attacker. 275 00:10:24,740 --> 00:10:27,019 Maybe they just want to know which 276 00:10:27,020 --> 00:10:28,969 address you're really requesting. 277 00:10:28,970 --> 00:10:31,519 So very much of the privacy 278 00:10:31,520 --> 00:10:33,679 issues come for the metadata of 279 00:10:33,680 --> 00:10:35,839 the packets, not 280 00:10:35,840 --> 00:10:38,599 the with the metadata, and that kids see, 281 00:10:38,600 --> 00:10:40,039 it's the additional data. 282 00:10:40,040 --> 00:10:42,859 So which hostname are we requesting 283 00:10:42,860 --> 00:10:43,759 him? 284 00:10:43,760 --> 00:10:46,009 You can imagine some host names are worse 285 00:10:46,010 --> 00:10:47,849 than others to to disclose. 286 00:10:47,850 --> 00:10:48,850 Yeah. 287 00:10:52,680 --> 00:10:54,749 So, yeah, that would 288 00:10:54,750 --> 00:10:57,159 be two examples on the. 289 00:10:57,160 --> 00:10:58,919 Networks, what we also have at the 290 00:10:58,920 --> 00:11:01,739 Congress, what we get questions about is 291 00:11:01,740 --> 00:11:03,689 how about the access points? 292 00:11:03,690 --> 00:11:05,849 That is the more complicated thing 293 00:11:05,850 --> 00:11:06,850 here. 
294 00:11:07,560 --> 00:11:09,779 Of course we have when 295 00:11:09,780 --> 00:11:12,419 we connect a computer to a switch, 296 00:11:12,420 --> 00:11:14,519 we see that we just took a 297 00:11:14,520 --> 00:11:16,829 cable and just plug it into a switch 298 00:11:16,830 --> 00:11:18,659 so the computer is connected to that 299 00:11:18,660 --> 00:11:19,660 switch. 300 00:11:20,430 --> 00:11:23,039 Very similar to the way our system works, 301 00:11:23,040 --> 00:11:25,379 the engineers designed 302 00:11:25,380 --> 00:11:27,539 wireless traffic, the the 303 00:11:27,540 --> 00:11:28,979 Wi-Fi system to work. 304 00:11:28,980 --> 00:11:30,839 It's a wireless ethernet. 305 00:11:30,840 --> 00:11:33,059 So it's it's it works 306 00:11:33,060 --> 00:11:35,489 as if I would plug in my computer 307 00:11:35,490 --> 00:11:37,889 into a switch, but other wires, 308 00:11:37,890 --> 00:11:40,269 it's connected to the access point. 309 00:11:40,270 --> 00:11:42,569 So what 310 00:11:42,570 --> 00:11:44,729 I have on my computer system 311 00:11:44,730 --> 00:11:46,949 that chooses the access point 312 00:11:46,950 --> 00:11:48,959 to connect to and does that 313 00:11:48,960 --> 00:11:50,579 automatically. 314 00:11:50,580 --> 00:11:53,099 So it works just like 315 00:11:53,100 --> 00:11:55,979 if I had an assistant, that's 316 00:11:55,980 --> 00:11:58,219 when you move. My computer takes 317 00:11:58,220 --> 00:12:00,449 the cable from one switch and plugs 318 00:12:00,450 --> 00:12:02,729 it into another so 319 00:12:02,730 --> 00:12:04,619 that I don't have to care about that. 320 00:12:04,620 --> 00:12:06,929 It just makes sure that the connection 321 00:12:06,930 --> 00:12:07,930 stays up. 322 00:12:09,910 --> 00:12:11,559 When we think about this like that, 323 00:12:12,730 --> 00:12:14,949 we can see that there are 324 00:12:14,950 --> 00:12:16,479 issues. 325 00:12:16,480 --> 00:12:18,039 What do we do? 
326 00:12:18,040 --> 00:12:20,199 What we need to know first is that the 327 00:12:20,200 --> 00:12:22,779 network is identified by an 328 00:12:22,780 --> 00:12:23,679 SSID. 329 00:12:23,680 --> 00:12:26,769 This just means that I know 330 00:12:26,770 --> 00:12:28,959 which group of switches I 331 00:12:28,960 --> 00:12:31,089 want to connect to on this 332 00:12:31,090 --> 00:12:33,219 conference is the 35th C3 333 00:12:33,220 --> 00:12:34,809 network and your home. 334 00:12:34,810 --> 00:12:36,999 You have probably chosen your own cool 335 00:12:37,000 --> 00:12:38,110 network name for that. 336 00:12:39,490 --> 00:12:41,889 But you may not have thought about 337 00:12:41,890 --> 00:12:44,109 that. See, at your home, you have 338 00:12:44,110 --> 00:12:45,159 one access point. 339 00:12:46,300 --> 00:12:48,519 Otherwise, we have here hundreds 340 00:12:48,520 --> 00:12:51,069 of them and your computer changes 341 00:12:51,070 --> 00:12:52,989 the connection to the access point all 342 00:12:52,990 --> 00:12:54,069 the time. 343 00:12:54,070 --> 00:12:56,469 So what would we have 344 00:12:56,470 --> 00:12:58,209 to do to prevent that? 345 00:12:58,210 --> 00:12:59,469 Your neighbors are connecting to your 346 00:12:59,470 --> 00:13:02,049 network. We have this encryption 347 00:13:02,050 --> 00:13:03,069 protocol. 348 00:13:03,070 --> 00:13:05,319 In the past, that's been 349 00:13:05,320 --> 00:13:07,360 WEP, which is just broken 350 00:13:08,710 --> 00:13:09,729 and obsolete. 351 00:13:09,730 --> 00:13:11,919 So we now have the WPA 352 00:13:11,920 --> 00:13:14,679 protocol, and 353 00:13:14,680 --> 00:13:17,019 for that we use a pre-shared key, the 354 00:13:17,020 --> 00:13:18,729 Wi-Fi password here. 
355 00:13:18,730 --> 00:13:21,129 So the usual thing you go to, it's 356 00:13:21,130 --> 00:13:22,479 through your neighbor, to your friends, 357 00:13:22,480 --> 00:13:25,089 to a cafe, and 358 00:13:25,090 --> 00:13:27,369 you ask for them, what is the Wi-Fi 359 00:13:27,370 --> 00:13:28,779 password? You just use that. 360 00:13:30,340 --> 00:13:32,439 One issue here is that it's 361 00:13:32,440 --> 00:13:34,689 only for preventing other 362 00:13:34,690 --> 00:13:36,849 parties from using 363 00:13:36,850 --> 00:13:38,319 your network. 364 00:13:38,320 --> 00:13:40,929 Everyone who has hold of the pre-shared 365 00:13:40,930 --> 00:13:43,059 key is able to connect 366 00:13:43,060 --> 00:13:46,149 not only to your network, but potentially 367 00:13:46,150 --> 00:13:48,249 able to decrypt all the traffic 368 00:13:48,250 --> 00:13:50,020 that is running through it. 369 00:13:52,430 --> 00:13:54,979 Then another problem is 370 00:13:54,980 --> 00:13:57,559 that I can say 371 00:13:57,560 --> 00:14:00,139 I place another access point, 372 00:14:00,140 --> 00:14:02,239 which has the same SSID 373 00:14:02,240 --> 00:14:04,309 as the currently existing 374 00:14:04,310 --> 00:14:06,379 network, but it's not an official 375 00:14:06,380 --> 00:14:07,519 access point. 376 00:14:07,520 --> 00:14:09,259 But my own. 377 00:14:09,260 --> 00:14:12,109 What then happens at this is the clients 378 00:14:12,110 --> 00:14:14,209 just connect to that access 379 00:14:14,210 --> 00:14:16,459 point, for example, because it's just 380 00:14:16,460 --> 00:14:18,589 it's it's the reception of the 381 00:14:18,590 --> 00:14:19,999 signals just stronger. 
382 00:14:20,000 --> 00:14:22,219 You can move it towards your 383 00:14:22,220 --> 00:14:23,220 your 384 00:14:24,290 --> 00:14:27,469 computer and then 385 00:14:27,470 --> 00:14:30,079 send out just the same beacon 386 00:14:30,080 --> 00:14:32,479 with the same SSID as the 387 00:14:32,480 --> 00:14:34,609 attack network to the kind the client 388 00:14:34,610 --> 00:14:36,859 connects to the access points 389 00:14:36,860 --> 00:14:38,929 and sends the traffic through to 390 00:14:38,930 --> 00:14:39,889 it. 391 00:14:39,890 --> 00:14:41,179 And of course, the way back, 392 00:14:42,770 --> 00:14:45,619 you could do that on the network here, 393 00:14:45,620 --> 00:14:47,839 which strongly asks you not to do 394 00:14:47,840 --> 00:14:48,840 that. 395 00:14:49,340 --> 00:14:51,439 Just one reason is we don't 396 00:14:51,440 --> 00:14:53,029 want too many access points running 397 00:14:53,030 --> 00:14:54,919 around here with too many channels they 398 00:14:54,920 --> 00:14:56,959 use. The other thing is, of course, 399 00:14:56,960 --> 00:14:59,149 students shouldn't attack 400 00:14:59,150 --> 00:15:01,339 other people computers and just 401 00:15:01,340 --> 00:15:03,469 explaining here how that works 402 00:15:03,470 --> 00:15:05,749 so that you get an idea how to prevent 403 00:15:05,750 --> 00:15:06,750 that, OK? 404 00:15:11,500 --> 00:15:12,500 We have 405 00:15:13,750 --> 00:15:15,969 at this Congress, we have a system 406 00:15:15,970 --> 00:15:18,399 that is used in enterprise environments 407 00:15:18,400 --> 00:15:20,619 to prevent you from doing that, which 408 00:15:20,620 --> 00:15:23,779 uses another layer of encryption. 409 00:15:23,780 --> 00:15:25,929 It's that it works like that. 410 00:15:25,930 --> 00:15:28,179 The access point needs a certificate 411 00:15:28,180 --> 00:15:30,549 to make sure that there's no official 412 00:15:30,550 --> 00:15:32,499 access point you connect to. 
413 00:15:32,500 --> 00:15:34,479 So what happens then is that in the 414 00:15:34,480 --> 00:15:37,149 beacon, there are some encryption stuff, 415 00:15:37,150 --> 00:15:39,519 and your computer can check out whether 416 00:15:39,520 --> 00:15:41,469 the access point is really valid 417 00:15:42,550 --> 00:15:44,889 when you set up with the Android 418 00:15:44,890 --> 00:15:47,499 app, your wireless connection here. 419 00:15:47,500 --> 00:15:49,029 There is some Android app in the Play 420 00:15:49,030 --> 00:15:50,229 Store. 421 00:15:50,230 --> 00:15:52,419 This one generates 422 00:15:52,420 --> 00:15:54,519 a configuration in which a 423 00:15:54,520 --> 00:15:56,889 certificate is written 424 00:15:56,890 --> 00:15:59,199 down and only 425 00:15:59,200 --> 00:16:01,299 the official access point here 426 00:16:01,300 --> 00:16:03,549 on hold of the key for their connections 427 00:16:03,550 --> 00:16:05,779 then. So your computer, which 428 00:16:05,780 --> 00:16:07,929 just in that case, your smartphone can 429 00:16:07,930 --> 00:16:09,939 make sure that the access point is 430 00:16:09,940 --> 00:16:12,019 official on your laptop. 431 00:16:12,020 --> 00:16:14,199 You have to configure it by hands 432 00:16:14,200 --> 00:16:16,359 on. I would like you to to try 433 00:16:16,360 --> 00:16:18,219 that out, skilled forward and look into 434 00:16:18,220 --> 00:16:20,319 the wiki. There are details 435 00:16:20,320 --> 00:16:22,509 how to configure that there's some 436 00:16:22,510 --> 00:16:25,149 handshake protocol, some encryption 437 00:16:25,150 --> 00:16:26,049 tunnel. 438 00:16:26,050 --> 00:16:28,209 There's a domain name, a 439 00:16:28,210 --> 00:16:30,309 fingerprint for the certificate 440 00:16:30,310 --> 00:16:32,919 and you can say, please 441 00:16:32,920 --> 00:16:35,109 make sure that the certificate is 442 00:16:35,110 --> 00:16:36,009 valid. 
443 00:16:36,010 --> 00:16:38,409 Only then this attack doesn't work 444 00:16:38,410 --> 00:16:41,559 anymore at your home. 445 00:16:41,560 --> 00:16:44,559 You probably don't have these 446 00:16:44,560 --> 00:16:46,689 enterprise authentication system, 447 00:16:46,690 --> 00:16:49,239 which needs another server which needs 448 00:16:49,240 --> 00:16:51,969 to be configured and running 449 00:16:51,970 --> 00:16:53,869 and using the home networks don't have 450 00:16:53,870 --> 00:16:56,499 that in the future with WPA 451 00:16:56,500 --> 00:16:57,399 three. 452 00:16:57,400 --> 00:16:59,529 There comes an extension which which 453 00:16:59,530 --> 00:17:01,809 introduces that 454 00:17:01,810 --> 00:17:03,850 kind of protection. 455 00:17:05,470 --> 00:17:07,568 So what can you do about 456 00:17:07,569 --> 00:17:08,569 that? 457 00:17:09,319 --> 00:17:12,318 I would recommend to you to 458 00:17:12,319 --> 00:17:14,389 make sure that you have a 459 00:17:14,390 --> 00:17:16,729 basic knowledge about protocol 460 00:17:16,730 --> 00:17:19,098 definition and the standards. 461 00:17:19,099 --> 00:17:20,959 Just look at the internet. 462 00:17:20,960 --> 00:17:23,209 There are cease the requests 463 00:17:23,210 --> 00:17:26,149 for comment protocol 464 00:17:26,150 --> 00:17:28,368 documents. You can read how that 465 00:17:28,369 --> 00:17:30,439 stuff really works and you see 466 00:17:30,440 --> 00:17:32,929 it when you when you read really 467 00:17:32,930 --> 00:17:34,369 how it works and you get your 468 00:17:34,370 --> 00:17:36,109 understanding of it, you're also getting 469 00:17:36,110 --> 00:17:38,899 an imagination of everything 470 00:17:38,900 --> 00:17:40,999 that can go wrong there. 
471 00:17:41,000 --> 00:17:43,459 So also 472 00:17:43,460 --> 00:17:45,589 from the other side approaching that's 473 00:17:45,590 --> 00:17:47,509 read through the internet, there's plenty 474 00:17:47,510 --> 00:17:49,699 full of documentation, not 475 00:17:49,700 --> 00:17:51,809 only more precisely 476 00:17:51,810 --> 00:17:53,689 and more clearly explaining what I did to 477 00:17:53,690 --> 00:17:55,789 you here, but also all kinds 478 00:17:55,790 --> 00:17:57,349 of different other attacks. 479 00:17:57,350 --> 00:17:59,869 And also, these give you a broader 480 00:17:59,870 --> 00:18:02,089 imagination of how stuff works. 481 00:18:03,620 --> 00:18:05,869 This also gives an insight how to really 482 00:18:05,870 --> 00:18:07,429 protect yourself. 483 00:18:07,430 --> 00:18:09,649 And I mean, if you only 484 00:18:09,650 --> 00:18:11,869 want to do that, as I said, use 485 00:18:11,870 --> 00:18:14,029 HTTPS, 486 00:18:14,030 --> 00:18:15,859 which is a secure protocol for the 487 00:18:15,860 --> 00:18:16,939 application. 488 00:18:16,940 --> 00:18:19,069 So the application Lyons makes 489 00:18:19,070 --> 00:18:20,989 sure that it connects to a valid server 490 00:18:20,990 --> 00:18:22,699 and encrypts all of the traffic between 491 00:18:22,700 --> 00:18:23,700 that. 492 00:18:24,140 --> 00:18:26,629 So the most of your traffic is not 493 00:18:26,630 --> 00:18:29,059 observable even if these 494 00:18:29,060 --> 00:18:30,229 attacks are in place 495 00:18:31,670 --> 00:18:33,589 and that that is very important. 496 00:18:33,590 --> 00:18:35,659 We have, 497 00:18:35,660 --> 00:18:38,179 fortunately, a big increase of encrypted 498 00:18:38,180 --> 00:18:40,339 HTTP traffic in the past thanks 499 00:18:40,340 --> 00:18:42,499 to the Let's Encrypt organization, 500 00:18:42,500 --> 00:18:43,879 and they're always very grateful for 501 00:18:43,880 --> 00:18:44,880 that. 
502 00:18:45,740 --> 00:18:48,049 Yeah, and if you want, you can try 503 00:18:48,050 --> 00:18:49,009 that out. 504 00:18:49,010 --> 00:18:52,189 Put your own WPA ERP 505 00:18:52,190 --> 00:18:53,929 enterprise authentication protocol 506 00:18:53,930 --> 00:18:54,930 system. 507 00:18:55,520 --> 00:18:57,799 But that's, of course, also only 508 00:18:57,800 --> 00:18:58,800 limited. 509 00:19:00,880 --> 00:19:03,159 What you can do more practical, even 510 00:19:03,160 --> 00:19:05,319 if just with your laptop 511 00:19:05,320 --> 00:19:06,519 on your Congress network, 512 00:19:07,720 --> 00:19:09,789 look at the traffic 513 00:19:09,790 --> 00:19:12,109 type zero tcpdump, this, 514 00:19:12,110 --> 00:19:14,109 this that and and you just see the 515 00:19:14,110 --> 00:19:15,789 packets flowing in and out from your 516 00:19:15,790 --> 00:19:16,790 computer. 517 00:19:17,740 --> 00:19:19,839 You can check out the route 518 00:19:19,840 --> 00:19:21,789 packets you're taking with the traceroute 519 00:19:21,790 --> 00:19:24,099 software, the simple traceroute protocol 520 00:19:24,100 --> 00:19:26,199 or the more sophisticated 521 00:19:26,200 --> 00:19:28,020 program marketers helping with it. 522 00:19:29,500 --> 00:19:31,629 And you can learn a lot by 523 00:19:31,630 --> 00:19:34,029 using a program like Scapy. 524 00:19:34,030 --> 00:19:35,979 I can recommend that to you. 525 00:19:35,980 --> 00:19:38,169 It's a simple Python 526 00:19:38,170 --> 00:19:40,579 shell that enables you to forge packets. 527 00:19:40,580 --> 00:19:42,399 You can say like, I want a packet that 528 00:19:42,400 --> 00:19:45,159 has this source address this destination 529 00:19:45,160 --> 00:19:46,900 address and looks like that. 530 00:19:48,520 --> 00:19:50,589 Please be always respectful 531 00:19:50,590 --> 00:19:52,809 to others. Be excellent to each other. 
532 00:19:52,810 --> 00:19:54,999 Use these tools to learn for 533 00:19:55,000 --> 00:19:57,069 yourself and to learn how 534 00:19:57,070 --> 00:19:59,289 traffic between your system 535 00:19:59,290 --> 00:20:00,999 and maybe your other system or your 536 00:20:01,000 --> 00:20:02,679 friends' system is working. 537 00:20:02,680 --> 00:20:04,389 Maybe you can pair with another person 538 00:20:04,390 --> 00:20:06,279 here with their computer and try that 539 00:20:06,280 --> 00:20:07,280 out. 540 00:20:07,660 --> 00:20:09,939 Yeah. So I hope I could spark 541 00:20:09,940 --> 00:20:10,940 new interest. 542 00:20:12,340 --> 00:20:15,159 And I guess my time is over now. 543 00:20:15,160 --> 00:20:16,429 So no reaction. 544 00:20:16,430 --> 00:20:17,430 I'm sorry. 545 00:20:18,550 --> 00:20:19,550 Thank you. 546 00:20:24,180 --> 00:20:26,159 Thank you for this very good 547 00:20:26,160 --> 00:20:27,479 introduction. 548 00:20:27,480 --> 00:20:29,829 And you were exactly in time, but 549 00:20:29,830 --> 00:20:31,889 sorry, no time left for Q&A, but 550 00:20:31,890 --> 00:20:34,019 I'm sure they can find you and 551 00:20:34,020 --> 00:20:35,309 ask 552 00:20:35,310 --> 00:20:36,959 you whether it's crossed off. 553 00:20:36,960 --> 00:20:39,449 Everyone's OK, so 554 00:20:39,450 --> 00:20:41,879 let's have a nice, warm 555 00:20:41,880 --> 00:20:43,409 thank you. APPLAUSE for a.m. 556 00:20:43,410 --> 00:20:44,410 again.