A Major New Trend in the Enterprise is Whitelisted Proxies

Presented at THOTCON 0x7 (2016), May 6, 2016, 2 p.m. (25 minutes)

Enterprises (and by enterprise we mean large companies, not java) love their perimeter because, well, let’s face it, everything’s broken inside. However they still want their employees to have internet access as it is critical but they have a flat network. The current trend is whitelisting all traffic and doing an SSL Man-In-The-Middle. Our goal is to show that that does absolutely nothing by exfilling through commonly whitelisted platforms and using steganography to hide all the data. We have written tools that allow covert communication through youtube and twitter to establish a reverse shell. Using the steganography from the exfil toolkit (which will be released under the GPL) we will incorporate steganography into youtube comments so that even with ssl decryption it just looks like a drunk youtube commenter. With twitter there is text stego but also images can contain steganography. We will also discuss polymorphism in stego algorithms to evade heuristics.

Presenters:

• Matt Dyas
  Matthew is a student at the Illinois Math and Science Academy. He likes red-teaming and participating in CTFs, and he has somehow managed to stay out of trouble so far. In addition to breaking things, he likes making things that fly as well.
• Parker Schmitt
  Parker was the guy who nearly hit you with a drone at thotcon for the past couple years. He also likes fun ways to defeat blinky boxes.
• John Valin
  John enjoys Security and is currently studying at Illinois Mathematics and Science Academy. When he gets free time from the academic rigour of IMSA, his other interests include triathlons, building and flying drones, the drums and video games.

Similar Presentations:

• HOPE X (2014) / Skeuomorphic Steganography
• DEF CON 12 (2004) / Steganography, Steganalysis & Cryptanalysis
• BSidesLV 2015 / When steganography stops being cool