The next attacks target client computers; the attacker aims to intercept user credentials and use them to control a computer. We're back in a familiar scenario.

A user is connected to a Wi-Fi network, and the access point that provides the network is controlled by an attacker. The AP, which is at the same time a DHCP server, will then set up a default gateway (a router) and a DNS server. It doesn't configure a proxy server, an intermediary.

The key objective of the attacker is now to force the victim's computer to send all data through his device, for example a proxy server. If this is achieved, the attacker will be able to eavesdrop on and modify the data sent by the victim on the fly. On-the-fly modification of received and sent transmissions is a huge threat to computer security; we'll soon learn exactly why.

An effective attack requires only turning on the DNS server that the access point set as the default DNS server for client computers. The server has to be configured to return the IP address of your proxy server as the answer to all name queries.

Once it's configured, you control the communications channel between the client and the requested website. You can modify sent data on the fly. In the simplest scenario, you can inject scripts into the data exchanged between the browser and the website. You can embed links to an invisible pixel stored on your computer's disk in these sites.
Displaying a page will also cause the browser to download the pixel in order to display it. The browser will have to connect to your computer. While establishing a remote connection in Windows, before a login page is displayed, the system sends user credentials to the given computer, probably using the NTLM protocol. Over the next module we'll see that receiving an NTLM challenge is equivalent to obtaining a user's password.

Inserting the above code line into a website means that the user will connect to the server 10.0.0.1 and his credentials will be automatically sent there.

The sent data won't authenticate the user and display the image, but we're quite satisfied with the information we've obtained. We've received a challenge message. Gaining control over a channel means that a person who set up an access point, for example at an airport or at a restaurant, knows our Windows password. This attack is still extremely popular, and a number of variations exist depending on the prime target of the attacker.

Attackers can attempt to steal our credentials to a given website. Instead of an image, an attacker can inject a script that launches an app or code that is stored on his server. This code can be used, for example, to sniff out values submitted in login and password fields.

A relatively recent, extremely vicious type of attack enables attackers to modify the data downloaded by users on the fly.
If you connect to a web server using HTTP to download a file, the file is not protected in any way. The authenticity of HTTP packets is not verified. The packets are not encrypted; they can easily be modified by attackers on the fly. Fortunately, there aren't yet any openly available tools on the Internet that make these operations possible.

It's obvious that before you launch a program a warning will be prompted: do you want to run this program? It comes from the Internet and is potentially unsafe. Because we've grown used to messages like this, we will automatically hit yes. As a proof of concept, an attack consisting of a downloaded and modified file being digitally signed on the fly with a valid certificate was shown. The user was still prompted with a warning, but the window had a different frame color in Windows systems, and additionally it came with the information that the file was from a trusted source.

As far as client attacks are concerned, as you've seen, an attacker aims to convince users to connect to his fake access point. This can be achieved by setting up an access point that establishes connections to networks with an SSID that a user wants to connect to. The access point will listen to the packets in which clients check for access points near them. Then it will extract the SSIDs and set up a network with a given SSID.
This is another proof that turning off SSID broadcasting is not a good idea. A better solution would have the access point broadcast itself, and it would be up to the client to choose the appropriate connection.

Despite all these threats to security, the advantages of wireless LANs outweigh the risks. What can be done to tighten up the security? There's only one solution: if you connect to an untrusted network, don't log into any important services like your business mailbox or your bank account.

Immediately after establishing an Internet connection, configure a secure VPN connection to an enterprise server. You need to make sure that all communications are really sent through the VPN channel. This doesn't always have to be the case; it's a matter of how specific the routes are. A person who controls a fake access point could have predicted that we'll connect using a VPN and set specific routes in such a way that we'll connect to some websites directly through the rogue access point.