Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring

Presented at DEF CON 22 (2014), Aug. 9, 2014, 2 p.m. (60 minutes)

Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny.Format-Transforming Encryption (FTE) can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.

Presenters:

• The Grugq - Information Security Researcher
  The Grugq is a pioneering information security researcher with over a decade of professional experience. He has worked extensively with digital forensic analysis, binary reverse engineering, rootkits, Voice over IP, telecommunications and financial security. The Grugq's professional career has included Fortune 100 companies, leading information security firms and innovative start-ups. Claims to fame: - pioneered anti-forensics - developed "userland exec" - released voip attack software - decade of experience in infosec - long term liaison w/ digital underground - described as "extremely handsome" [by his mom] - 1992 sussex County 3-legged race, 2nd place The Grugq has spoken at dozens of conferences over the last 7 years; provided expert training courses to .gov, .mil, police and businesses; domain expertise on forensics, voip, telecommunications and financial systems.
• Marc Rogers / cyberjunky - Principal Security Researcher, Lookout   as Marc Rogers
  Marc Rogers is an English hacker, Director of SecOps for DEF CON, and works as Principal Security Researcher for Lookout.
• Ryan Lackey - Founder, CryptoSeal, Inc.
  Ryan Lackey, Founder of CryptoSeal, founded HavenCo, the world’s first offshore datahaven, and has worked as a defense contractor in Iraq and Afghanistan, at various technology startups, and is currently working on a secure hardware-based router for business travelers.

Links:

• https://defcon.org/html/defcon-22/dc-22-speakers.html#Lackey
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Ryan Lackey & Marc Rogers & theGrugq - Masquerade - How a Helpful Man-in-the-Middle Can Help You Evade Monitoring - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Ryan Lackey & Marc Rogers & theGrugq - Masquerade - How a Helpful Man-in-the-Middle Can Help You Evade Monitoring - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Ryan Lackey & Marc Rogers & theGrugq - Masquerade - How a Helpful Man-in-the-Middle Can Help You Evade Monitoring - Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 video and slides/DEF CON 22 - Ryan Lackey & Marc Rogers & theGrugq - Masquerade - How a Helpful Man-in-the-Middle Can Help You Evade Monitoring - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=_KyfJW2lHtk

Similar Presentations:

• BSidesDC 2015 / Network Reliability Monitoring for ICS – Going beyond NSM and SIEM
• Still Hacking Anyway (SHA2017) / Network Traffic Analysis using Deep Packet Inspection and Data Visualization: Eventpad: the Sublime editor for network traffic