What else does a geek do when he’s got the day off work…. yes, that’s right, he goes to a Linux conference of course. I found out about the Linuxwochen event in Vienna a little late (about a day before the event), but as I’d already booked the day off (I hate working on my birthday) I decided to pop down to Vienna and take a look.
Although most of the talks weren’t security related, there were a few interesting topics discussed. The opening talk on the upcoming release of PostgresSQL 9.0 (was a good overview of the new functionality being implemented. It’s easy to forget as security professionals, that we need to keep up with “normal” technology as well, so this served as a good update, and provided some good information for the next time I come across a PostgresSQL database when testing.
The first “real” security talk was presented by Sebastian Graf (@naxxatoe) talking about “Security vs Usability”. Sebastian left us with some interesting things to think about when it comes to usability effecting security of sites… as well as some interesting screenshots of websites that really shouldn’t be vulnerable to SQL Injection, but are. You can’t fill out a web form nowadays without stumbling over a SQLi it seems. Sebastian also discussed briefly the Apache compromise and the fact that attacks against the infrastructure are using flaws in the web application to gain access.
Following that, Florian Eichelberger (@Florensik) talked about the new honeypot project, Community Sense Net (CSN.OR.AT). The project was originally sponsored by ISPA in 2008, and is designed to deal with the issues of attack coverage and visual representation that other honeypot systems suffer from. CSN is based on Debian, and programmed in Python. It also integrated SNORT as it’s signature base. It also offers an SMTP based sensor that scans incoming emails for attachments or links to content/malicious code hosted on the web. In testing, there have been between 600-900 attacks per day, with a large number of these (~400) being repeats of the same attack. Of those that are “new”, a number are still detected using generic AV signatures due to commonalities with previous versions/revisions of the Virus/Bot. Since 2008, more than 100,000 individual Virus/Bots/Attacks have been registered. The majority of attacks focus on DCOM/LSASS/ASN.1 exploits, with Microsoft being the number 1 target (with Linux as the second most popular target). More statistics are present on the website. A new service being opened up to the public now is the IP/MD5 search feature, which allows you to search on IP or MD5 values to see if they are known to the honeypot. The project is currently looking for additional sensors if people are interested in assisting with the project.
Finishing up the security theme, Christian Amsüss talked about “Reverse Engineering von Smartcards am Beispeil von Bankomatkarten“. More information and applications can be found on Christian’s homepage. Nice overview of the communication channels used by the Quick e-purse system (Austrian System), as well as an overview of the project and software developed by Christian to interact with the smartcards. Using Linux it’s possible to sniff the USB communications when using a USB card reader. By simply catting the data from /dev/usbmon0, it’s possible to capture and decode the communication. The data on the card is encoded using Big Endian (e.g 02 00 = 512), other information is stored in simple binary coded decimal (e.g. the Bank code, BLZ). There are also a range of other encodings in use for dates, including the use of a “days since the start of the year” counter alongside the 2-digit year. Alongside sniffing, it is also possible to send some commands to the card to read specific data from the card.
The carddecoders tools offer a decoder for the card communication to provide a more readable output from the device. The tool also offers the ability to search for common numbers using various encoding types.
More information on Sniffing the smartcard protocol can be found here.
Overall I really enjoyed my day in Vienna. The whole event runs for 3 days, but I was only able to attend today. If you’re around in Vienna in the next few days, go and check it out, it’s free and that’s the best price there is ;)