Where Should I Host My Malware?

Presented at DeepSec 2016 „Ten“

Malicious actors always try to abuse badly configured devices, since this is the "cheapest" way in. Day by day, more home devices become linked to the internet (IoT), such as feature-rich routers and NAS systems that provide their users, and maybe some others, with data sharing services. Recently we found interesting threats which are using FTP services to spread. Most users trust their own devices and the files on them. They do not think that their systems could host malware inside their private network, just because default settings and handy automatic services like UPnP are in use. Typically users do not even know that they are running services like FTP, and especially they do not know that this protocol has a built-in anonymous account. In other cases malicious actors simply put server-side scripts into the shared folder, hoping that the FTP folder and the web root folder are the same, and so infect the system in this very easy way. Very often they succeed. So, what is the current state of (open) FTP services overall? Recently I developed a very flexible testing framework (called ScanR) to be able to answer this question: we tested 3 million IP addresses on which FTP services were exposed, to get a clear picture of the state of these services and the devices behind them. The results are quite shocking in some aspects, and worse than we expected. In this lecture I will present the details of this test, where the initial data and IP addresses came from, what the test system looked like, and especially the threats and hacking activities we found.

As a teaser, here are some of the results:
  • more than 200,000 IP addresses can be accessed via anonymous access (this means a huge amount of private data could possibly be accessed by anyone on earth),
  • more than 7,000 FTP services provide access for anonymous users,
  • and here is the worst result: more than 90% of FTP services are infected with at least one threat.

In the lecture I will share the details and technical analysis of the threats we found as well as the statistical data. After this presentation you will have a world-wide view of what a network service can look like if you leave it unlocked. What can we gain from our findings?
  • I will present our findings in detail about the current state of "things": how scary it is for home user devices and even for professional network devices.
  • We will inform you about the threats which are currently active and how malicious actors can (ab)use these services to infect user devices.

Technical level of the topic: both core professionals and the average IT user will be able to enjoy this talk. The tricky parts will be explained in detail, the more easily understood aspects just summarized.
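The two misconfigurations the abstract describes (an FTP service that accepts the built-in anonymous account, and a share that the anonymous user can write to and that doubles as the web root) can be checked with a few lines of Python. The script below is an added example for this page; it is not ScanR and not code from the speaker. It parses a Unix-style LIST response, flags world-writable and web-root-like directories and server-side scripts already sitting in the share, and, for a live host, tries an anonymous login followed by an upload-and-delete of a marker file. The directory names in WEBROOT_HINTS, the script extensions, the marker file name and the sample listing are all assumptions constructed for the demonstration. Run the live probe only against hosts you are authorized to test.

```python
"""Check an FTP service for anonymous login and anonymous write access.

Added example for this page (not ScanR, not the speaker's code).
"""
import ftplib
import io
import posixpath
import re

# Directory names that commonly double as the web root on home routers and
# NAS boxes (assumption; extend for the devices you are looking at).
WEBROOT_HINTS = ("www", "htdocs", "public_html", "wwwroot", "web")
# Server-side script extensions an attacker would drop into such a directory.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl")
# Name of the marker file used for the write test (assumption).
MARKER = "ftp_probe_marker.txt"

# Unix-style LIST line, e.g. "drwxrwxrwx   2 ftp ftp 4096 Jan 01 12:00 www"
_LIST_RE = re.compile(
    r"^([dl-])([rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)

# Constructed sample LIST output for the offline part of the demonstration.
SAMPLE_LISTING = [
    "drwxrwxrwx   2 ftp      ftp          4096 Jan 01 12:00 www",
    "drwxr-xr-x   2 ftp      ftp          4096 Jan 01 12:00 backup",
    "drwxrwxrwx   2 ftp      ftp          4096 Jan 01 12:00 incoming",
    "-rw-r--r--   1 ftp      ftp           812 Jan 01 12:00 index.php",
    "-rw-r--r--   1 ftp      ftp        102400 Jan 01 12:00 photos.zip",
]


def classify_listing(lines):
    """Parse LIST lines into world-writable dirs, web-root-like dirs, script files."""
    report = {"world_writable_dirs": [], "webroot_like_dirs": [], "script_files": []}
    for line in lines:
        m = _LIST_RE.match(line.strip())
        if not m:
            continue  # not a Unix-style entry (e.g. DOS-style listing); skip
        kind, perms, name = m.groups()
        if kind == "d":
            # perms[7] is the 'other' write bit: anyone, including anonymous, may create files
            if perms[7] == "w":
                report["world_writable_dirs"].append(name)
            if name.lower() in WEBROOT_HINTS:
                report["webroot_like_dirs"].append(name)
        elif kind == "-" and name.lower().endswith(SCRIPT_EXT):
            report["script_files"].append(name)
    return report


def assess(anonymous_login, writable_dirs, report):
    """Turn the observations into a one-word verdict."""
    if not anonymous_login:
        return "closed"
    if any(d in report["webroot_like_dirs"] for d in writable_dirs):
        return "critical"  # script upload into a web-served directory: likely code execution
    if writable_dirs:
        return "anonymous-write"  # usable for malware hosting or tampering with shared data
    if report["script_files"]:
        return "anonymous-read-suspicious"  # server-side scripts already sit in the share
    return "anonymous-read"


def anonymous_login(host, port=21, timeout=5):
    """Return an ftplib.FTP session logged in as anonymous, or None if refused."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "probe@example.com")  # RFC 1635 convention for the password
        return ftp
    except ftplib.all_errors:
        return None


def anonymous_can_write(ftp, directory="."):
    """Upload and immediately delete a marker file; True if both succeed."""
    path = posixpath.join(directory, MARKER)
    try:
        ftp.storbinary("STOR " + path, io.BytesIO(b"ftp write probe\n"))
        ftp.delete(path)
        return True
    except ftplib.all_errors:
        return False


def check_host(host, port=21):
    """Full check of one host: login, listing analysis, write test, verdict."""
    ftp = anonymous_login(host, port)
    if ftp is None:
        return {"host": host, "anonymous_login": False, "verdict": "closed"}
    lines = []
    try:
        ftp.retrlines("LIST", lines.append)
    except ftplib.all_errors:
        pass
    report = classify_listing(lines)
    candidates = ["."] + report["webroot_like_dirs"]
    writable = [d for d in candidates if anonymous_can_write(ftp, d)]
    try:
        ftp.quit()
    except ftplib.all_errors:
        pass
    return {"host": host, "anonymous_login": True, "listing": report,
            "writable_dirs": writable, "verdict": assess(True, writable, report)}


if __name__ == "__main__":
    import sys
    print(classify_listing(SAMPLE_LISTING))  # offline demonstration on the sample
    for target in sys.argv[1:]:             # live probe of hosts given on the command line
        print(check_host(target))
```

The write test is what separates "someone can read my photos" from "someone can host malware on my router": a world-writable web-root-like directory that also accepts an anonymous STOR is exactly the case where a dropped PHP file becomes remotely executable.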

Presenters:

  • Attila Marosi - Sophos
    Attila Marosi has worked in the information security field since he started working in IT. As a lieutenant on active duty he worked for almost a decade on special information security tasks within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, an additional national-level member of the internationally known system of CERT offices. Now he works for SophosLabs as a Senior Threat Researcher in the Emerging Threats Team, providing novel solutions to the newest threats. Attila holds several international certifications, including CEH, ECSA, OSCP and OSCE. In his free time he reads trade journals and teaches at various levels; at the top level he teaches white hat hackers. He has given talks at many security conferences including hack.lu, DeepSec, AusCERT, Hacktivity, Troopers, Hacker Halted and NullCon.
