Post-BruCON Experience – Running a Wall of Sheep in the Wild

The use of a Wall of Sheep is nice to raise the security awareness of your audience. A Wall of Sheep is a tool used to demonstrate what can happen when users connect to a wild network without a minimum level of security. The non-encrypted traffic is analyzed and evidence of bad behaviour is displayed publicly (mainly logins and passwords). To increase the impact, images can also be extracted from the TCP flows and displayed to everybody. During the BruCON security conference, we run a Wall of Sheep for a few years:

Most of the attendees are aware of it and, honestly, we collect fewer credentials for a few years. There are three reasons for this:

  1. People are more aware of the risks to connect to a “wild” network in a security conference. This is a very good news!
  2. People don’t connect to the wireless network. Most of our attendees are coming from Europe and, with the cancellation of data roaming costs, people aren’t afraid to use they 4G plan while abroad.
  3. Most of the online services are now encrypted. The rise of services like Let’s Encrypt is a key point here. Most of the traffic today is encrypted.

But the Wall of Sheep remains very popular because attendees like to play with it and try to display funny pictures on it. If some people are trying to promote their company by flooding the WoS with logos of there company, most of the people are trying to display p0rn0graphic pictures. Even if the biggest part of our attendees are men, we like to welcome women and encourage them to join security conferences. That’s why the goal of the network team is to not hurt them by fighting against p0rn on the WoS!

The first version of the WoS was written in Python and quickly we added a “skin colour filter“. The idea is simple: collected pictures are analyzed and the colour map extracted. If the picture has more than x % of skin colour, it is not displayed. Nice but what do hackers when you try to block them? They find new ways to flood the WoS with more funny pictures. So we started to see waves of:

  • Smurf or Avatar p0rn (images containing a lot of blue pixels)
  • Hulk p0rn (mainly green pixels)
  • … (name your preferred colour)

To be honest, the funniest was “furniture p0rn”… Just don’t ask how they find this…

Furniture p0rn

Later, the WoS was rewritten in Node.js. Don’t ask why but it was not easy to re-implement the “skin colour filter“.  We had to find an alternative. After some investigations, we found a project distributed as open source by Yahoo: “The Not Suitable for Work classification deep neural network” or, in short, “NSFW”. More information can be found in a blog post. The framework is based on CaffeOnSpark that brings deep learning to Hadoop and Spark clusters. 

The installation process is not very easy because the code relies on many libraries (I think that in total I had to install more than 1GB of dependencies). Once installed, NFSW can be started as a daemon and listen to a port waiting for some submissions. What it does?

  1. It receives pictures from the WoS
  2. Pictures are resized to a size that is relevant to the Yahoo! data
  3. Pictures are submitted to analyze
  4. The “score” is returned to the WoS

Here is a sample of the WoS log with a wave of bad pictures:

Driftnet: 8545fee5449bfbb62910c2f17a226aba.jpg created from DRIFTNET with nsfw score of 21.743951737880707
Driftnet: c169deab61a6f2b01aaacd0902456cb6.jpg created from DRIFTNET with nsfw score of 0.06645353860221803
Driftnet: 5e8e9e369b4d3de92924cd8f9d7754af.jpg created from DRIFTNET with nsfw score of 1.8503639847040176
Driftnet: 8fbf475267bdcb6557996fa6a58172e2.jpg created from DRIFTNET with nsfw score of 2.0092489197850227
Driftnet: ffee8ded38319084341fb2631a866161.jpg created from DRIFTNET with nsfw score of 2.17214897274971
Driftnet: 9b106349f6f1dbf128f8ab2bb76ad2d6.jpg created from DRIFTNET with nsfw score of 1.8500618636608124
Driftnet: 24326cdd7e0785960befc0594c6b2195.jpg created from DRIFTNET with nsfw score of 32.450902462005615
Driftnet: dfb5a1ac2537fe29b46c7376b1ae1307.png created from DRIFTNET with nsfw score of 0.38929139263927937
Driftnet: ed7671a42d45c58382a1274002768692.jpg created from DRIFTNET with nsfw score of 1.3844704255461693
Driftnet: 0f409595e35e42c76fdafcdc607f70e8.jpg created from DRIFTNET with nsfw score of 30.140525102615356
Driftnet: da44c46c99d2bb2c17fb85041769e638.jpg created from DRIFTNET with nsfw score of 61.361753940582275
Driftnet: 225524f6d09e7b76bfb3538c23b17754.jpg created from DRIFTNET with nsfw score of 1.0479548946022987
Driftnet: 49c46d62651ebd15a320e26c2feeb678.jpg created from DRIFTNET with nsfw score of 46.900102496147156
Driftnet: f5859183fc621cdacc2d323eae7503a3.jpg created from DRIFTNET with nsfw score of 11.838868260383606
Driftnet: 64e526cdf2bea9c80c95c39cdc20e654.jpg created from DRIFTNET with nsfw score of 61.6860032081604
Driftnet: b35c23ae6c6ded481f68a9759e4ce2fa.jpg created from DRIFTNET with nsfw score of 42.94847548007965
Driftnet: 3effdac3157fcd0fcd9e71679f248f5f.jpg created from DRIFTNET with nsfw score of 88.63767981529236
Driftnet: 9f01e91aae2b17e1ca755beeb5dfd5e2.jpg created from DRIFTNET with nsfw score of 99.12621974945068
Driftnet: 609164070904483972de4b75f3239c29.jpg created from DRIFTNET with nsfw score of 88.15133571624756
Driftnet: 97e4f04647c601ecfeb449304d545ebb.jpg created from DRIFTNET with nsfw score of 99.12621974945068
Driftnet: df13ced5cc054addcd9448e78cf2415a.jpg created from DRIFTNET with nsfw score of 5.358363315463066
Driftnet: db022beb1d447d56f21aa93dd4335bd5.jpg created from DRIFTNET with nsfw score of 68.98346543312073
Driftnet: a32821c97bf4563ad8db5cf20903ea5b.jpg created from DRIFTNET with nsfw score of 97.75400161743164
Driftnet: 8a47b1a56916db2cb79d0d43f09c26b5.jpg created from DRIFTNET with nsfw score of 62.90503144264221
Driftnet: 8b78d63137a9e141c36eceb2b61e3c6d.jpg created from DRIFTNET with nsfw score of 39.26731050014496
Driftnet: 0f45686ff31a8b58764635948665a5d5.jpg created from DRIFTNET with nsfw score of 0.6589059717953205
Driftnet: bd39aab8ee9112c773a6863ab59e8a1e.jpg created from DRIFTNET with nsfw score of 99.40871000289917
Driftnet: 7a1a95f4fa4511f202f19a6410d44d1c.jpg created from DRIFTNET with nsfw score of 1.829291507601738
Driftnet: 131b3701695a9c0e04d900b0c06373ba.jpg created from DRIFTNET with nsfw score of 0.6589059717953205
Driftnet: ac18617d741377f18a4c8978f0f085de.jpg created from DRIFTNET with nsfw score of 2.146361581981182
Driftnet: 61d3c8aa05b275774f4cead727bf8bb6.jpg created from DRIFTNET with nsfw score of 35.02090573310852

We made some tests to finetune the threshold and finally fixed it at 20 (Most of the pictures with a score >20 were indeed very bad). The filter was quite effective and some people were disappointed by the new filter (especially Zoz ;-))Tweets

About the network, here are some statistics based on the 3 days:

  • 112784 pictures collected (only via clear-text protocols)
  • 403 Gigabytes of traffic was inspected
  • 880 unique devices connected to the network (MAC addresses)
  • 1 rogue access point spoofed the WiFi during a few minutes (security incident)

For the fun, we detected that a lot of people were using browsers configured with proxy auto-configuration and performing DNS requests for ‘wpad’, ‘wpad.local’ or ‘wpad.<company>’. As we are kind people, when you ask us for something, we are happy to provide it to you. We delivered a wpad.dat file:

function FindProxyForURL(url, host) {
  if (isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
      isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  if (isInNet(host,"192.168.0.0", "255.255.0.0") ||
      isInNet(host,"172.16.0.0", "255.255.240.0") {
    return "DIRECT";
  }
  return "PROXY 192.168.10.20:3128";
}

The HTTP traffic was proxied by us  (nothing malicious). 120K+ pages were requested via our proxy.

See you again next year at BruCON with our Wall of Sheep!

[The post Post-BruCON Experience – Running a Wall of Sheep in the Wild has been first published on /dev/random]

Leave a Reply