An introduction to Pinworm: Man In The Middle for your metadata
Formal Metadata
Title: An introduction to Pinworm: Man In The Middle for your metadata
Title of Series: DEF CON 24
Part: 84 / 93
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/36221 (DOI)
Transcript: English (auto-generated)
00:00
I guess some of you weren't out last night with me at Hacker Jeopardy, because you were very quiet. Hmm, well, maybe later. This is being filmed for posterity, so I'm gonna
00:25
try to be a little bit politically correct as far as nudity is concerned in this talk. So I'm Big Easy. Sashi is an interesting story, because he does a lot of stuff that doesn't exist. I put in previously 15 CFPs for DEF CON and they've been rejected
00:46
every year for the last 16 years, and this year they said, "Oh, we really encourage people to put their handles in and be anonymous when they do the talks." I used my handle that I've
01:01
been using for a very long time, and then I invented Sashi because I thought it'd be cool to see if Sashi could get a talk at DEF CON even though he's only a webpage. So I've done talks before about different parts of what this has been coming into, going all the way
01:21
back to Black Hat two years ago and our kernel work that we released at BSides last year. And I apologize if my voice is a little rough, but I did win Hacker Jeopardy last night. We didn't fuck it up. But I want to say a word about that, because apparently there
01:50
was a shitstorm on Twitter over Hacker Jeopardy and the dick category, and I would like to say that I'm a hacker. I've been coming to DEF CON for longer than I'd like to
02:00
admit, and I'm an introvert, and DEF CON has always given me a charge to do things, and I hope that I can help get you guys to get a charge too. And all I want to say about Hacker Jeopardy is: when you get completely humiliated on stage in front of thousands of
02:23
people, how can we say that this is a male-dominated game when I'm being beaten by women and painted green on the stage? But I'm not here to talk about that. I want to talk about this motherfucker. So like I said, when I wanted to do this talk and I put it in
02:49
just like every other good CFP, we had the idea that it would be really cool if we could do some things, because I was concerned about my privacy. And, you know, I got this
03:01
from Chris Olsen. I don't know if he's in the audience; I want to give him a shout-out if he is, if he's out there in cyberspace. What an awesome tweet: there's old sock, camera covered with tape, mic jack covered with tape, and his email client is Thunderbird. And this really summarizes what I'd like to say about this idea of
03:28
"I want my privacy back, keep your code out of my stack." And, you know, everybody says, "I
03:41
want my privacy back." So we put the talk in, and I thought I was going to get rejected, and shockingly the talk was accepted, and that means that we then had to do a shitload of work, because we actually had to do what we said we were going to do in this CFP. So we looked at a bunch of tools. I kind of included these slides as you navigate through
04:03
the framework that we're releasing today, because we really looked at all the tools that were available regarding what's happening inside the computer, because I became very interested in what exactly happens when data is generated by peripheral devices such as your keyboard and mouse, and then what's happening to your camera and microphone when
04:24
you aren't aware that perhaps some processes are using those devices. So we looked at a lot of the tools that were available, including the NirSoft tools, and I used to have a slide with the author of these tools, but I kind of, like, maybe deleted it accidentally
04:44
when the speaker goons were yelling at me to get on stage. Is the author of the NirSoft tools in the audience? Okay, so his tools are awesome. And then we all know TCPView from Microsoft, and I looked at these tools and said these tools are really all
05:04
cool, but what we want to do is write these tools from source code, so that when you compile and run these things you know exactly what's in the code. So the framework has these things, and I'll get on that later. We also looked previously at
05:21
IRPTracker, which is a really great tool that works on 32-bit systems, and IRPMon, and I included the links to those in this talk just so you can have some background as you work and rock through some of the code. And here's a screenshot of that. And then we began to research, looking at IRPMon, and one of the things that was really irritating
05:44
about, not irritating, but you know it's always frustrating when you're on the command line, is, you know, lots of different errors that happen when you start to hook every driver that you have in your Windows operating system to try and see what's going on, and then
06:02
you get a lot of weird messages, because IRPMon doesn't last very long. And then the other thing is you have to have your computer in test mode to even work this, and it's kind of a scary mode to be in in Windows. But I got a little bit ahead of myself,
06:21
because this all started from some of the badger research we did, where, I'm a really paranoid bastard. My family can tell you that I record everything at my house. I have multiple taps running in my house so that I can track everything that's happening on my
06:43
network, and I know everybody else has a Unix box at home with 8 Ethernet interfaces. And I use those interfaces to keep an eye on some data, and we were doing some research and I accidentally left a tcpdump running and captured 1 billion
07:06
packets in one file. And we looked at things from the inside and the outside. I call it the inside because it's inside my protection device, and outside. It's very interesting to
07:20
me that you see more traffic outside of your firewall than inside, and it's covered up on my screen but not yours. I observed 29,829 destinations outside the firewall; 29,525 resolved via reverse lookup. So they had good DNS.
07:49
So a couple years later I looked back at this again, and I noticed that the traffic coming out of my web connections was up, you know, up 4 times, and it was very disturbing
08:04
because you'll be opening a web browser and moving around the mouse inside the screen, and then you've got TCP connections opening all over the internet, and the data's secured, and you have no idea what this data is and where it's going. And then I
08:26
forgot to remove the bullet at the bottom. So, but is it 1984? Because, you know, our mouse movements are being tracked. What about keystrokes? I started thinking, what
08:40
about the microphone and video? Because there's just a huge amount of bloat. Everything in the traces that I'm running now is just a bit bloated. And somehow this slide got popped in here. You know, looking at IRP, and then previous projects like IRPTracker, and it was limited because it didn't have 64 bits. But there's a great start in this with
09:06
Martin Drab. Thank god I wrote his name in the slides, because I couldn't remember it. I burned all of my remembering points last night. So Martin has done a great job with IRPMon starting this, but it's got a couple of things that were a bit
09:24
of a, some downfalls, if you actually wanted to inject data between, say, the keyboard and the browser. Because the idea is, if I'm not using my keyboard and I want to send keystrokes to the browser anyway, and if somebody wants to collect that
09:43
and fill up their cloud with it, that's their own business, because it shouldn't be peeking inside my window anyway. And we needed more precise data and information. And then this is really irritating: there's a little screen popping up in front of my slide
10:03
here. Device calls needed: we needed to have an in-memory data store of device calls, and IRPMon was a great start, but then we went on and we've been writing things from scratch, just like everything else that we're gonna be releasing. So we wanted to
10:24
instrument the process list. And then we were specifically interested initially in the keyboard, mouse, microphone and video. Some of these are easier than others, though. Especially the microphone and video are a little more complicated.
10:43
But what processes are actually interested in your mouse movements, and then what network traffic is then generated as a result of those calls? And then we wanted to be able to correlate those calls back into the IRP request just to find out where does the
11:03
forking occur? Because a lot of the forking occurs inside the browser. And so that would require something like a browser plugin, and we really didn't want to support multiple browser plugins, because there are many, many different browsers. So it
11:21
has been a very difficult challenge making a decision about where you actually want to put a man in the middle. And then we also had the big question about, you know, why do we start in Windows 7, 8 when there's Windows 10?
11:40
Right now it's just fuck Windows 10. Because it's very scary to me what Windows 10 is doing, especially in terms of how much data is coming out. How much of my personal data is coming out in Windows 10? And then we really wanted to meet our adversary at his own level of abstraction, because it really helps us make breaches of
12:03
privacy easier to look at and intercept. Because we have, you know, two goals with the project: we want to maybe inject false data from our devices into the cloud, and we also wanted to assert our privacy and block certain connections inside
12:22
our operating system. So peeling back this level of abstraction proved to be very challenging to us, as we became very familiar with the screen over and over again, working on this software, including until about 15 minutes ago, and we just kept trying over
12:44
and over again to come up with some things that would actually compile and run. And in the meantime I got sucked into playing Hacker Jeopardy this weekend, which, it's been a very interesting weekend for me, to say the least. But you
13:03
didn't come here to necessarily see me talk about this stuff, and I really wanted to take a page back from old-school DEF CON. Anybody remember the GTE door? So I talked about pulling the processes, and so the code for that kind of looks like this. I want
13:25
to say 90% at least of the code I'm showing today is already included in the CD. This is pulling the process list. So this is the code that we wrote from scratch to get the processes like you would see from Process Explorer. And the reason again, like I
13:46
said, we do this is because we wanted to provide two things to users of our software: that there was some kind of assurance there was nothing in the software that you didn't know about, and it's not necessarily anything groundbreaking, but it just gives you a
14:06
level of assurance, because you want to be able to assert things with some kind of authority inside your own operating system, that you have some modicum of privacy, so that you don't have to tape up your microphone jack and your
14:20
camera like paranoid people do, from the beginning of our talk. But don't panic. There is a UI. So the team is bigger than me, and one of my co-researchers, Kate Davis, happens to be a UI expert, and we're in alpha right now with a UI that will
14:45
take all of our code and allow you to, we're gonna visualize the data streams and allow you to click on individual data streams in a UI and not know anything about assembly programming, for example. But if the demo works out we will see the client; actually I
15:05
have it running on my computer right now. But more code first. So there's a command line client that's gonna be included in the release, and this is kind of like the
15:23
code from that, to pull up the, what we built, a net filter. Since we don't know where the data forks inside the browser, and we didn't want to spend a lot of, we didn't have
15:40
the time to go into every browser and figure out where this was this summer. And then if anybody wants to help, I'd welcome them in the project. So we built a net filter that sat between everything and the network interface cards. And then if you're a command line kind of guy, this is kind of like the code that pulls up the
16:04
net filter so that you can shunt the processes that you deem undesirable, or the TCP connections that, for example, if you're going to foo.com or sample.com and then you notice there's 4 other TCP connections going to third-party site
16:25
collection companies, you can just choose to shunt those connections, and your connection to foo.com will work just fine. So some of this was written by Sashi, who,
16:49
by the way, Sashi is a collection of folks that helped me, because this is a project that's bigger than one person, and shout-out goes to Sashi, you know who you are. But we wanted to make sure that we were providing you with clear and
17:09
concise code that had a lot of comments in it, so you knew exactly what all of this stuff was doing, so you understood at least perfectly, even if you're not a programmer, what
17:23
the code was doing, if you were interested in that kind of thing, because hiding and overusing privileges is rampant inside the operating system right now. So this is a callout function from the net filter, and again it's probably a wall of text
17:47
or a real eye chart here. I really just included this in the CD so that you could get a chance to see what was in the code and maybe actually show up to the talk. So apparently I didn't do very well, because there's not a lot of people here. But oops, look at me, I
18:04
went too far. So if you wanted to add a filter that references a callout, as documented in the Windows Driver Kit, you need to do some things: we need to call the register and do some other calls. And then I've got some slides later that go into a
18:20
little more detail on this. But I do want to introduce Sashi a little bit. If you actually go to this web address right now you can see this web page, so when you get the code and you want to try it out you can actually see how the man in the middle works. And due to some internet difficulties, because we are at DEF CON, I'm not actually going to
18:41
move this part; there's a lot of risk involved in that. But I do have some screenshots of what the site kind of looks like. So in the upper left-hand corner you see x, y coordinates, and that would be where your mouse pointer is, and the box underneath that is a frame for keystrokes, and then you can turn on the video and
19:04
microphone, but I suggest that you mute your device, because there's a bit of feedback involved, but we didn't get that worked out in the code before the release. But if you hit the mute button you can see the little blue in the bottom left-hand corner with a strobe, to let you know that the microphone is still being streamed to
19:24
the application. And you can actually put the website in the background and notice that the video and mouse are still being streamed to the application, even though you moved an application to the foreground and the web browser is in the background. And then the
19:42
website's just out there, so that, when I've used a lot of tools that were released at DEF CON over the years, I wanted to really provide something that you could go to. And then we're also going to release the code for this webpage so that you can just run it locally. But it kind of looks like, when you intercept keystrokes, they'll appear in
20:02
the little box as showed up there in the upper left-hand corner. And then I'm going to flash back for a second: it's www.cadago.com/sashi. So, and again, I'm
20:22
talking really fast, so that's good. So the toolchain completely consists of a UI client and something we call the Kona Silas, and they're both still in alpha. They kind of work, maybe, on my computer, but they're not ready to be released yet. And then there's
20:40
been, you know, as always in the talk, the last-minute circumstances. I'd hoped that the UI client would be a little further ahead, especially in pulling up a lot of the pieces of code, and we were going to compile everything so that we had a nice binary, but there was an unfortunate accident that prevented one of the coders from
21:01
finishing their code, so we're just going to move right past that. But the framework will be released when it's ready, and I imagine it'll be ready in a, you know, soon TM. But a lot of the source code is ready to go, and it's probably going to go whenever I can find a safe internet connection again. And then you'll need your reading glasses for the wall of text that
21:25
describes how you would actually do the injection, and then what we decided on as the best place to put, for injection right now, because it's cool,
21:42
is to build a net filter, not a net, a filter in the driver. And this is a lot of explanation about exactly what's going on in the code. These slides are literally 32 minutes old. The people that were helping me, we were awake all night and
22:06
actually split up across the property, so I apologize for the formatting of these slides. And we'll put the slides into the release, which is probably going to happen later today, so that you can get an idea. I don't want to see you read this,
22:21
but this comes straight out of the Microsoft site. They have very good instructions on how to actually write these filter drivers, and the structure for it kind of looks like this. And at least this is a little bit less of an eye chart here: at the top we have the upper-level class filter drivers and the upper-level device filter drivers as we push down towards the bus driver. And, whoops, the code for how you read the
22:47
filter driver, where you would want to either intercept the calls that are going out into the operating system and then perhaps inject into them, kind of looks like this. And then I didn't bring my glasses either, so, I'm a little bit older now, and this code is
23:05
really a wall of text to me too, but I'm going to be releasing this code with everything else later on today, hopefully. This code that we're looking at right here is building the net filter, and then being able to, from here, we can manipulate all of the
23:24
data from the keyboard to the upper layer of Windows. The callback function that we show here can intercept, as we have already described, but then we can also create an
23:40
event in the OS to call and pass fake data. So the idea is this is a user-driven action: from the UI, or from the command line if your kung fu is that way, you can direct the keyboard to type things, either from a flat file or just randomly, for anyone who's
24:02
interested in listening. And the way I feel about this is, if somebody wants to listen to what I'm typing on my keyboard and I fill up their hard drives, or if we all get together and fill up their hard drives, and monkey with what I'm typing on my keyboard with their grand plan for advertising and making us forget about the things that are
24:24
important, fuck them. We all need to do something about this, because it's running out of control. I want my privacy back. I don't wanna have to worry about going into a Word document and having other people see what I'm typing into that document, or even Notepad
24:47
or something like that, or if I type into a chat window, having a company decide that they would like to keep what was in the chat window even though I deleted it and never sent it to anybody. I think that's something that's personal, and I'd like that to stay inside.
25:02
And we wanna really try to provide you tools that help you do that, and just one guy, one paranoid guy like me doing this is not gonna be enough. We need everybody to really sit and do this, which is why we're developing the UI. And kinda
25:23
it's been a very long, successful weekend for me, and let's see what happens when I do this. So the problem really is, in the visualization, the client is kind of all there, but there's no compiled code hooked to it yet, and this is one of the things where I need to apologize
25:44
for not finishing in time, but there were unfortunate circumstances that prevented the finishing of this code, and it will be finished. The visualizations: what we see is approximately 60 to 150 processes that can be easily visualized. And then the
26:06
primary author of the UI is one of my co-researchers; her name is Kate Davis. She's also at the University of Illinois. I work at the University of Illinois during the day as well. This talk is not, and the Pinworm framework is not, anything to do with my day
26:23
job. This is a hobby that I do at night, like I've always done, and the university has nothing involved with this presentation whatsoever, and I accidentally said where I work. Not that it's a big deal; people know where I work. But so the UI is there; the code is not compiled into it yet, and Kate can get to
26:44
that when the crisis abates. So what's in the release? So, you know, we rely on IRP a little bit for a sniffer that instruments device driver calls, so we can understand how to build a structure around anything that you might be
27:02
interested in getting in the middle of. Provide a framework for cut-and-pasting code and writing your own customized injectors for data and anything that you might see fit inside the computer. The HTTP server code to display the metadata, so that you can, like, mess around, and, until somebody maybe hacks my Sashi website out of
27:25
existence, it'll be online for you to look at, or you can just run it locally and hack away at injecting metadata into the little website. And then we included the man-in-the-middle code for the interception of this data so that you can assert your privacy
27:45
or perhaps send white noise out when you're not using a particular device. So I'm gonna take the tinfoil hat off now, and I thank Weird Al for being so
28:02
gracious and letting me steal this picture, and I wanna thank you. So did I make it in 45 minutes? Good. So there might be questions, I don't know, but there was a demo
28:28
of the actual injection, and the movie was made an hour ago and it was gonna be sent to me, but I was intercepted by these guys who wanted to make sure I was gonna make it on stage on time, so I'll get the movie of the actual injection out as soon as possible. I
28:46
know that it exists; I just didn't get to it in time. I don't know, I asked for questions, I don't see anybody standing, so. So did it suck? I mean, holy
29:05
shit. It seemed that it was... I don't need my voice anymore. [Question from the audience] Where do you see the most pernicious exfiltration of data? Is it from your keyboard? Is it from
29:27
the observations of the mic, of the cameras, and things that are hidden in the mouse that you don't really realize you're giving away? What bothers you most about the privacy in the computer? Well, that's an interesting question. Two things. First off, the thing that was really alarming to me, and I took the slides out for it, you can easily Google this:
29:45
there are many companies that commercially provide the heat map of where all the users' mouse strokes go, and this is a tool that is being commercially offered by a lot of different companies to say, "Oh, these are the places where everybody goes."
30:00
And I can understand that functionally, as a website designer, they may think that that data is interesting, but as a user it really creeps me out, because I don't want anybody to know where my mouse is. I don't want anybody to know; it's not their business. But I think the answer to the question is the microphone. To be
30:21
frank, the microphone is so scary I had to redact parts of my talk. There is a lot going on there, and it will be very eye-opening when you run the code, what is going on inside your computer, especially with the microphone. Thanks for the question. And again, either I
30:46
sucked or everybody's like, "What the fuck just happened?" This guy, now I want to say, I released a different set of open source software. I sat next to Dan Kaminsky Friday
31:03
night. I drank 8 beers in 30 minutes. I sat next to Banshee last night. Drank 10 beers. I was up all night last night. And I think I made it through at least 31 minutes of talk without sucking too bad. And, but holy shit, it's Sunday, I know everybody's
31:27
laughing. I think I survived it. So I want to thank you guys. It has been a pleasure to be at DEF CON for the last 16 years as a user, and I would like to thank every goon that
31:43
has made this possible. They are the true stars of the show. And just as a parting shot, I want, who can be louder? You guys or me? No contest? My question is how
32:08
long? I'll see you at the award ceremony.