$home sweet $home sansfire edition
TRANSCRIPT
$HOME Sweet $HOME
SANSFIRE 2016 - Xavier Mertens
$ cat ~/whoami.xml
<profile>
  <real_name>Xavier Mertens</real_name>
  <day_job>Freelance Security Guy</day_job>
  <night_job>Hacker, Blogger</night_job>
  <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]>
</profile>
$ cat ~/.profile
• I like (your) data
• Playing “Active Defense”
• I prefer t-shirts to ties
• Geek and gadgets over!
$ cat ~/disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda
• A Revolution Entered Our Homes
• Internet of Nightmares
• Mitigations
• Conclusions
Fidonet: 2:291/715.9
Aminet: 39:120/201.9
BBS → Fidonet → UUCP → IP (SLIP) → “Broadband” → Mobile
What’s next?
Today?
• More bandwidth at home than when I started working for ISPs (1996)
• SLA @ home (kids complain when offline)
$DATA
• Family pictures
• Administrative docs (taxes, insurance, invoices)
• Media (MP3, movies, books)
• $YOU
![Page 17: $HOME Sweet $HOME SANSFIRE Edition](https://reader031.vdocument.in/reader031/viewer/2022030303/587c38891a28ab5a1d8b47c5/html5/thumbnails/17.jpg)
Before (diagram): Internet | Firewall | LAN, Ingress Traffic
Today (diagram): Internet | Firewall | LAN, Egress Traffic
IoT Botnet
Source: https://www.emaze.com/@AIFFFTIO/IoT-Health-ppt
Google Too!
More info: https://developers.google.com/brillo/
Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions
Resistance is Futile!
Growing Attack Surface
“Smart”?
“having or showing a quick-witted intelligence”
Smart Devices? Really?
Smart-ization…
Adding a communication module to an object doesn’t make it “smart”…
What is the difference between…
Sensors | Software | Connectivity | Big data
Vulnerability | Exploit | MitM | Privacy abuse
OWASP IoT Top 10
• Insecure Web Interface
• Insufficient Authentication/Authorization
• Insecure Network Services
• Lack of Transport Encryption
• Privacy Concerns
• Insecure Cloud Interface
• Insecure Mobile Interface
• Insufficient Security Configurability
• Insecure Software/Firmware
• Poor Physical Security
Developers…
We already fail to patch regular computers…
… what about IoT devices?
Security Features vs. Ease of Use
Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions
<warning> This section focuses on devices connected to your IP home network </warning>
Rule #0
• Think twice: “Do you really need this device?”
• Agreed… very difficult for most of us!
Rule #1
• What is the MAC address of the device?
• What are the network requirements? (DNS, NTP, SNMP, Syslog)
• Which open ports are required? To which IP address(es)?
• Can the device be upgraded?
• Is the firmware signed?
• Can we back up/restore the config?
Rule #2
• Assign a fixed DHCP lease to known devices
  host myflattv {
    hardware ethernet aa:bb:cc:dd:ee:ff;
    fixed-address 192.168.1.100;
    option routers 192.168.1.1;
    default-lease-time 3600;
  }
Rule #3
• Implement an egress filter
• Any:Any to Any:Any, Drop & Log
• Allow only required traffic (see rule #1)
Rule #4
• Segmentation
Rule #5
• Use a local resolver (DNS queries) and log them
Rule #6
• Disable unsafe protocols like SSDP/UPnP
• Risk of DDoS (amplification attack)
Rule #7
• Capture the traffic from unknown devices (http://blog.rootshell.be/2015/03/17/the-lack-of-network-documentation/)
Rule #8
• Be offensive!
• Know your enemy
Hardware
Topology
(diagram: Router, Firewall, Ethernet Switch, Server, Device1, Device2)
Software Shopping
Commercial $olution$
PA200, Sophos UTM Home Edition, <insert your preferred $VENDOR>
Virtualize!
KVM (“Kernel-based Virtual Machine”), VirtualBox, ESX, XenServer, …
Security Onion
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. Core components are: Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools.
pfSense
The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
pfSense software, with the help of the package system, is able to provide the same functionality as, or more than, common commercial firewalls.
Keep an Eye on ARP
• arpwatch is a nice tool to track new/changing MAC addresses
Apr 17 11:36:03 shiva arpwatch: new station 10.90.14.85 34:a3:95:c5:d2:e5 eth0
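As an added example (not from the slides), this Python script ties Rules #1 and #2 to arpwatch: each "new station" in the syslog output is checked against a device inventory of MAC addresses and their fixed DHCP leases, and it flags unknown devices, known devices at an unexpected address, and MAC changes for an IP. The inventory entries and all log lines except the one on the slide are constructed.

```python
import re
# Device inventory built per Rule #1/#2: MAC -> (name, fixed DHCP address). Constructed sample entries.
KNOWN_DEVICES = {
    "aa:bb:cc:dd:ee:ff": ("myflattv", "192.168.1.100"),
    "34:a3:95:c5:d2:e5": ("nas", "10.90.14.85"),
}

# arpwatch syslog messages (arpwatch may print MAC octets without zero padding, e.g. 0:16:3e:...):
#   new station <ip> <mac> <iface>
#   changed ethernet address <ip> <mac> (<old mac>) <iface>
#   flip flop <ip> <mac> (<old mac>) <iface>
MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
ARPWATCH_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|flip flop) "
    + r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>" + MAC + r")"
    + r"(?: \((?P<old>" + MAC + r")\))? (?P<iface>\S+)"
)

def norm_mac(mac):
    """Zero-pad each octet so '0:16:3e:1:2:3' matches the inventory format."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def check_line(line):
    """Return an alert string for a suspicious arpwatch event, else None."""
    m = ARPWATCH_RE.search(line)
    if not m:
        return None
    event, ip, iface, mac = m["event"], m["ip"], m["iface"], norm_mac(m["mac"])
    if event != "new station":
        # The IP now answers with another MAC: replaced device, address collision or ARP spoofing.
        old = norm_mac(m["old"]) if m["old"] else "?"
        return f"MAC CHANGE {ip} on {iface}: {old} -> {mac} ({event})"
    if mac not in KNOWN_DEVICES:
        return f"UNKNOWN DEVICE {mac} at {ip} on {iface}"
    name, expected_ip = KNOWN_DEVICES[mac]
    if ip != expected_ip:
        return f"KNOWN DEVICE {name} ({mac}) at unexpected IP {ip} (fixed lease is {expected_ip})"
    return None  # known device at its fixed address: nothing to report

def check_log(lines):
    # Run check_line over a syslog excerpt and return the alerts in order.
    return [a for a in map(check_line, lines) if a]

# Constructed sample syslog excerpt; the first line is the one shown on the slide.
SAMPLE_LOG = [
    "Apr 17 11:36:03 shiva arpwatch: new station 10.90.14.85 34:a3:95:c5:d2:e5 eth0",
    "Apr 17 11:40:12 shiva arpwatch: new station 192.168.1.100 aa:bb:cc:dd:ee:ff eth0",
    "Apr 17 11:41:30 shiva arpwatch: new station 192.168.1.57 0:16:3e:12:34:56 eth0",
    "Apr 17 11:45:01 shiva arpwatch: changed ethernet address 192.168.1.100 0:16:3e:12:34:56 (aa:bb:cc:dd:ee:ff) eth0",
]
```

Feed it the arpwatch lines from your syslog (for example by tailing the log and calling check_log on each batch); a new device found here is the cue to apply Rule #7 and capture its traffic.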
Next Level…
Detecting Suspicious Devices On-The-Fly!
(https://isc.sans.edu/forums/diary/Guest+diary+Detecting+Suspicious+Devices+OnTheFly/18993)
Next Level…
• Inspect HTTP(S) traffic for suspicious data, vulnerabilities (who said “hacking”?)
• MitM, ettercap, sslstrip, BurpSuite
Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions
5 Tips to Keep in Mind
• IoT is here and is invading (and will keep invading) our homes
• Think “IoT” == “Computers” (same issues)
• Smart != Safe
• Tools exist to control them
• Ask yourself: “Do I need it?”