This was a KILLER session by Laura Chappell, who is the author of Wireshark Network Analysis. I’ve never heard her present before, but she really rivals Mark Minasi in every way. Her presentation was filled with great tidbits of information including:
– Full duplex taps – These are much preferred over using spanning/mirroring ports on switches. Why? Spanning or mirrored ports will not pass MAC level malformed packets such as ones with CRC errors. A full duplex tap passes bit-for-bit data including any MAC errors. Best taps are by Netoptics.
– WireShark has a Geomapping function so you can see where a particular IP address is located in the world.
– Join HTCIA before your company or organization suffers a security breach. Become friendly with your local law enforcement people so you have contacts WHEN (not if) you are compromised.
– If you want to use a Netbook for Wireshark analysis, be extremely careful which model you choose. Most have special NICs that do NOT operate in promiscuous mode. The Asus Eee PC900 works perfectly with WireShark.
– Hurricane Search is a great tool for searching all the contents of the files on your computer for specific strings.
– Check out ettercap for creating man-in-the-middle attacks.
– On your home computer run a WireShark trace for a full 24 hours. Perform a careful traffic analysis to determine if there is any unusual traffic. Anti-virus software can be fooled pretty easily by malware, so just because you have a quality AV program doesn’t mean your machine is secure or hasn’t been compromised.
– Macof can be used to flood a switch’s MAC address table to turn it into a hub.
– The price of your personal information (DOB, SSN, mother’s maiden name, etc.) is approximately $3 on the black market. Your credit card number, security code, and billing address can go for as little as ten CENTS.
– Companies are being held hostage by hackers who hold their intellectual property for ransom. In fact, some companies feel it is better to pay $10,000 a month or more to a hacker as insurance against being hacked by that person. Yes, really!
– Be familiar with chain of custody, evidence preservation, and what to do when you realize you’ve been compromised. This is not IF, but WHEN. In fact, you may only detect sloppy hacking attempts. The good hackers go undetected. So you may already be compromised today but have no clue!
– You can download a plethora of Wireshark captures, filters, and other goodies that Laura has put together here. Even if you don’t buy her book, check out these downloads!
– Everyone should learn to use nmap and perform regular authorized scans on their networks.
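Two of the tips above, the 24-hour home trace and the macof CAM-table flood, lend themselves to a small offline triage script. The example below is my own addition, not material from Laura's session or her download site. It assumes the capture has been exported with `tshark -r home.pcap -T fields -e frame.time_epoch -e eth.src -e ip.dst -e tcp.dstport` (tab separated), parses those lines, flags any one-second window with an implausible number of distinct source MACs (the signature of a flood that turns the switch into a hub), and lists connections to ports outside a small expected set. The sample lines, the port list and the flood threshold are all constructed for illustration.

```python
"""Offline triage of a tshark field export: flag MAC-table flooding bursts and
traffic to unexpected ports.  The input is constructed below to mimic
`tshark -T fields -e frame.time_epoch -e eth.src -e ip.dst -e tcp.dstport`
output; the column layout and thresholds are assumptions of this example."""
from collections import Counter, defaultdict

# Ports a home machine is expected to talk to; anything else deserves a look.
EXPECTED_PORTS = {53, 80, 443, 123}
# Distinct source MACs per second on a small home LAN stay in single digits;
# hundreds in one second is what a CAM-table flood looks like (constructed threshold).
FLOOD_THRESHOLD = 50


def build_sample_capture():
    """Construct a capture summary: 30 s of ordinary browsing and DNS, a
    CAM-flood burst at t=10 s, and one outbound connection to an odd port."""
    lines = []
    for t in range(30):
        lines.append(f"{t}.100\taa:bb:cc:00:00:01\t93.184.216.34\t443")
        lines.append(f"{t}.500\taa:bb:cc:00:00:01\t192.168.1.1\t53")
    # Flood burst: 200 frames, each from a different forged MAC, within one second.
    for i in range(200):
        mac = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"
        lines.append(f"10.{i:03d}\t{mac}\t192.168.1.255\t")
    # One connection to a port outside the expected set.
    lines.append("20.250\taa:bb:cc:00:00:01\t198.51.100.7\t6667")
    return "\n".join(lines)


def parse_capture(text):
    """Parse tab-separated field lines into records; an empty port becomes None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_mac, dst_ip, port = line.split("\t")
        records.append({
            "time": float(ts),
            "src_mac": src_mac.lower(),
            "dst_ip": dst_ip,
            "port": int(port) if port else None,
        })
    return records


def detect_mac_flood(records, threshold=FLOOD_THRESHOLD):
    """Return {second: distinct_source_mac_count} for every one-second window
    whose count exceeds the threshold."""
    macs_per_second = defaultdict(set)
    for r in records:
        macs_per_second[int(r["time"])].add(r["src_mac"])
    return {sec: len(macs) for sec, macs in sorted(macs_per_second.items())
            if len(macs) > threshold}


def unusual_destinations(records, expected_ports=EXPECTED_PORTS):
    """Count (dst_ip, port) pairs whose TCP port is outside the expected set."""
    hits = Counter()
    for r in records:
        if r["port"] is not None and r["port"] not in expected_ports:
            hits[(r["dst_ip"], r["port"])] += 1
    return hits


def triage(text):
    """Run both checks over an exported capture and return the findings."""
    records = parse_capture(text)
    return {
        "frames": len(records),
        "flood_windows": detect_mac_flood(records),
        "unusual": unusual_destinations(records),
    }


if __name__ == "__main__":
    report = triage(build_sample_capture())
    print(f"{report['frames']} frames parsed")
    for sec, n in report["flood_windows"].items():
        print(f"possible CAM-table flood at t={sec}s: {n} distinct source MACs")
    for (ip, port), n in report["unusual"].most_common():
        print(f"unexpected destination {ip}:{port} ({n} frames)")
```

On a real 24-hour export the expected-port set and the flood threshold should be tuned to your own LAN; the point is that a baseline of what normal looks like is what makes the odd connection stand out, which is exactly why the session recommends running the trace before you suspect anything.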
She also had a lot of hacker stories and real-world examples of compromised systems and stolen data. She’s also working on a book called “Calling Tech Support” that is a collection of extremely funny stories about people calling various tech support numbers (airlines, computer companies, etc.), asking off-the-wall questions, and getting back really weird responses. Look for it to come out later this year.
If you attended TechED 2010 North America, I urge you to download the recorded session and listen to it. The slide deck doesn’t begin to cover the material, so listen to the whole 75 minute presentation. You will get some great laughs and learn some great information.