©атсн²² (in)sесuяitу

Because we're damned if we do, and we're damned if we don't!


Archive for the ‘Technology’ Category

Typo3 – Screencast

Posted by ChrisJohnRiley on January 24, 2009

I’ve thrown together a quick screencast to run through how to use the Typo3 Encryption Key tool against vulnerable installs. As always, I’m open to suggestions and comments on how to make things better in the tool as well as the blog in general. Hope you enjoy the show.

The video is best viewed in HD quality; you can click through on the video above, or use the shortcut below to access it directly on the Vimeo site.

Typo3 Encryption Key Attack from Chris John Riley on Vimeo.

Posted in Security, Technology | 1 Comment

Typo3 Weak Encryption Key

Posted by ChrisJohnRiley on January 20, 2009

A few months back I discovered a vulnerability in the core of Typo3 (versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3). Now that the Typo3 security team have responded with a patch against this issue (see the official Security Note from the Typo3 security team) I can release the details of the vulnerability, as well as some proof-of-concept python scripts that I’ve been holding onto now for a while. The Typo3 Security Team were very quick to respond to the issue, and I found them very good to work with during the disclosure process. If only some larger companies were so easy to work with, and responsive.

The following announcement has been made public in co-ordination with the Typo3 Security Team.

Technical Details <— link to release information

PoC Tools <— Link to tools

For those looking for a brief overview in 100 words or less .:

The default encryption key used by Typo3 is created at setup time using inadequate sources of entropy. This design flaw results in there being only 1000 possible keys. If an administrator manually changes the Encryption Key through the administrative install console, then this vulnerability can be avoided.

Alongside this flaw, Typo3 also uses the Encryption Key to create MD5 hashes to protect URL links from being manipulated (see the full release information for more details and examples). In this case, the Encryption Key is the only piece of information not directly available to the end-user. This allows an attacker to perform an offline brute-force against the Encryption Key. Breaking this key could allow an attacker to form malicious URLs containing script commands of their choice.

The PoC scripts for this are available for demonstration purposes only. Any comments are gratefully received.
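To make the entropy point concrete, here is an added illustration of my own (not code from the post, the PoC scripts, or the Typo3 project): a constructed key generator limited to 1000 keys, a constructed hash-of-parameters-plus-key URL token standing in for the scheme described above, a defender's check of how far a single observed token pins the key down, and the fix (a CSPRNG-generated key and an HMAC-based token). The key derivation and token format are assumptions for illustration, not TYPO3's real ones.

```python
"""Added example: why a 1000-key "encryption key" gives MD5 URL tokens no
protection, and what the fix looks like.

Constructed assumptions (NOT the real TYPO3 algorithm):
  * weak_key(n): a setup-time key fully determined by a counter n < KEYSPACE,
    standing in for a key derived from inadequate entropy.
  * link_token(): md5(params + key), standing in for the URL-integrity hash
    the post describes; params are visible in the URL, only the key is not.
"""
import hashlib
import hmac
import math
import secrets

KEYSPACE = 1000  # the post: "only 1000 possible keys"


def keyspace_entropy_bits(keyspace: int = KEYSPACE) -> float:
    """Entropy of a key chosen uniformly from `keyspace` values (log2 1000 < 10 bits)."""
    return math.log2(keyspace)


def weak_key(n: int) -> str:
    """Constructed low-entropy generator: every possible key is weak_key(0..999)."""
    return hashlib.md5(f"constructed-seed-{n % KEYSPACE}".encode()).hexdigest()


def link_token(params: str, key: str) -> str:
    """Constructed URL token: unkeyed hash over parameters plus secret key."""
    return hashlib.md5((params + key).encode()).hexdigest()


def candidates_matching(params: str, token: str) -> list:
    """Defender's audit check: given ONE signed URL (params and token are both
    in the URL), how many of the 1000 possible keys reproduce the token?
    A single match means the key is fully determined offline, with no further
    requests to the server; that is the offline brute-force risk in the post."""
    return [n for n in range(KEYSPACE) if link_token(params, weak_key(n)) == token]


# ---- the fix: a real key and a real MAC -----------------------------------

def strong_key() -> str:
    """256 bits from the OS CSPRNG, the equivalent of an admin setting a
    proper key in the install console instead of the setup-time default."""
    return secrets.token_hex(32)


def hmac_token(params: str, key: str) -> str:
    """Keyed MAC instead of hash-of-concatenation (also not length-extendable)."""
    return hmac.new(key.encode(), params.encode(), hashlib.sha256).hexdigest()


def verify_token(params: str, key: str, token: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(hmac_token(params, key), token)


if __name__ == "__main__":
    params = "id=42&type=99"                        # constructed sample URL parameters
    observed = link_token(params, weak_key(123))    # one token as seen in a real URL
    print(f"keyspace entropy: {keyspace_entropy_bits():.2f} bits")
    print("keys consistent with one observed token:", candidates_matching(params, observed))
    k = strong_key()
    print("hmac token verifies:", verify_token(params, k, hmac_token(params, k)))
    print("tampered params rejected:", not verify_token(params + "&x=1", k, hmac_token(params, k)))
```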

Posted in Security, Technology | 3 Comments

How to unbrick an EeePC

Posted by ChrisJohnRiley on January 8, 2009

Yes you read that right… Before we get to the easy part (I use that term loosely), let me tell you a little story.

There was a guy called Bob (no, not the same Bob from the Pauldotcom show) who had a brand new 1000HG eeepc. It was happy running Ubuntu (and XP, but that’s a problem for another time), but Bob craved OSX. After spending a few hours fighting to get iDeneb’s version of OSX running on the little machine, he realised that the problem lay with the BIOS. Yes, you can see where this is going. So after looking all over for a modded (OSX ready) BIOS version for the 1000HG, he settled on one for the 1000H. After all, the 1000HG is only a 1000H with added 3G support (or so he thought). After following the instructions to reflash the BIOS (renaming the 1000H.rom to 1000HG.rom, putting it on a USB stick, and then booting while pressing fn+F2), the flash program balked and complained about the wrong ROMID. Of course, it’s elementary my dear Bob. ASUS has wisely set the ROMID differently between the versions of BIOS to stop fools from flashing with the wrong version. 5 minutes later and the rom file was open in AMI’s editing tool and the ROMID was changed to the correct number for the 1000HG. If you can’t see where this is going now, then all hope for you is already lost. Anyway, starting up again, the flash utility took the new rom file without so much as a whimper, and flashed without a single complaint. Reboot, and wondrous blackness. No BIOS, no flashing error lights, no error message, no beeps, no power to the USB key I used to flash… OMG Bob you fool, what have you done.

So begins the journey for a fix. Bob tried everything possible. Removing the battery, power cable and pressing the reset point under the eeepc for 30 seconds (and also holding the power for 30 seconds). He tried booting with the correct 1000HG.rom file (from the original CD) on a USB and holding fn+F2 till his fingers bled (ok, maybe not, but you get the idea right). All seemed lost, and the hunt for a fix seemed to have come up dry. Then, finally, in the back of a deep dark eeepc forum he saw a shiny shiny light. FN+CTRL+HOME. Yes, this could be it. After all, 3 buttons are hands down better than 2 (just think of the 3-finger salute, CTRL+ALT+DEL), and FN+F2 wasn’t cutting it as a solution.

There was only one problem with this proposed solution… timing. As they say, timing is everything. So it began. I’ll leave out the part about frustration, having to hold the power down for 3 or 4 seconds to get it to turn off before retrying, and the general annoyance level caused, and move straight to the part involving happy. We rejoin Bob later (about 30 minutes later) having already completed more than 35 nerve-racking reboots. However this time around luck was on Bob’s side at last. There was life in the eee pc yet… the flashing tool blinked up onto the previously lifeless screen of eee-death, and as luck would have it (ok it was planned, honest) the USB key with the original BIOS was in the machine’s USB slot. Never before had the text of a BIOS flashing tool shone like the words of *insert name of suitable deity here*. YES, yes, yes… (no not the scene from “When Harry Met Sally”) but the sound of eee-resurrection.

One reboot later and Bob had his 1000HG working again. It was then that he swore never to edit BIOS rom files for his systems ever again (until next time); after all, he knew how to unbrick it now ;)

The moral of this story…. always use FN+CTRL+HOME to unbrick your eeepc, because 3 keys are better than 2 any day of the week.

* The names have been changed to protect the innocent (and dumb)

Posted in General Life, Strange, Technology | 15 Comments

Playing with DECT Phones

Posted by ChrisJohnRiley on January 8, 2009

Thankfully December is over and done with, and it’s a new year. December was very chaotic (pun intended), with both the SANS London event and the 25C3 in Berlin. Both were great, and both were covered with varying success in posts on the blog. Sorry if the posts from 25C3 came off a little odd; most were general observations written while in presentations using my laptop (when it had a battery) or my blackberry (when I didn’t accidentally delete them). Still, I hope you got something good out of the comments at least.

One presentation I missed at 25C3 was the DECT talk from the team at unDECTed.org. Although most of the press has been on the MD5 Certificate issues, the DECT presentation also showed that things we take for granted (i.e. closed source encryption and devices in general) are not as secure as we like to think. I’ve ordered one of the COM-ON-AIR PCMCIA TYP II cards to have a play around myself. So look out for an update coming soon ;)

Posted in Security, Technology | Leave a Comment

25C3 Day Four

Posted by ChrisJohnRiley on December 30, 2008

Last day of the conference. Sorry to see it finish, but I’ll try and be back next year if I get the chance. The people here were so great, and I hope to stay in touch with as many as possible.

11:30 CET
Lightning Talks

E-Voting in Österreich
A quick overview of the planned e-voting scheme in Austria. Objections to the system and its links to a national ID card were raised.

Consumer B Gone
An overview of automatic locking wheels on shopping carts (yes supermarket ones). After reverse engineering the signal used to lock the wheels as they pass the boundary, they reproduced it. A fun demo using a mobile phone to play an mp3 and lock/unlock the wheel.

http://tmplab.org

Stop Software Patents
A bit of a rant on how software patents are wrong and unlawful. A bit of history on patent law and the debate on changing it to allow patents on software. 24th September is now world stop software patent day.

LBBroken
Details of the LandesBank Berlin data loss that happened earlier this month. 130,000 credit card numbers exposed.

WFESatellites
Workflow engine satellites, an XML-based protocol. An example of an AT&T WFE program was shown with documentation found on the Internet (google FTW). This document shows that the WFE includes a DMZ portion to minimise DMZ issues. This is achieved through simply forwarding the port to the secure network. No IP restrictions are in place, giving an attacker access to the internal LAN.

TBF to Brainf*ck
A quick overview of the esoteric brainf*ck programming language. TBF is a compiler that compiles code into working brainf*ck code.

Slightly short on talks today due to some no shows. I’d love to have done a quick talk, but due to the circumstances I couldn’t release the details. Still, maybe next year.

12:45 CET
Predictable RNG in the vulnerable Debian OpenSSL package

I’ve seen the Debian PRNG problem discussed a few times, but what the hell. It was that or a talk on genetically modified food. When the OpenSSL dev team were asked what effect commenting this line out would have, the actual reply was “not much”. Interesting review, but nothing to write home about. Demos of the problem were interesting to see.

14:00 CET
Wikileaks vs. The World

Brief overview of what Wikileaks stands for and aims to be. Wikileaks is a proof of concept that it works. Technical challenges: trusting other businesses to provide technology but also protecting against possible compromise or censorship. After the congress last year Wikileaks had a major issue with a bank’s leaked documents. They attacked the only weak point and had the domain name revoked. This was short lived as a group of people helped to force the issue legally and the domain was moved. In the last year Wikileaks have released/hosted leaked Sarah Palin emails, the BNP (British Nationalist Party) member documents, BVOE, and T-systems. Some of the documents may be questionable, however Wikileaks cannot decide what is and is not relevant, else they will become a censorship of sorts (which is what they fight against). The BNP documents alone resulted in over 2000 mainstream articles. Threats (mostly legal) have been made to try and force articles to be taken down. Documents on Kenya’s political assassinations were also made public (including names). Online archives of major newspapers are censored or removed. The only trusted source is the original printed version. Censorship in online content is all around us, and increasing. Many countries of the world have censorship lists already in place (whether public or private). As the number of media outlets shrinks, censorship becomes easier to achieve. What about blogs? These aren’t the cure to censorship. As individuals, blog owners aren’t able to stand up against legal or political pressure.

The service that Wikileaks offers is in my mind invaluable. It’s good to know that somebody is policing the unpoliceable. Documents and pictures suppressed by governments, companies or other so-called news agencies can be made public through the Wikileaks service.

15:15 CET
MD5 Considered Harmful Today “Creating a rogue CA certificate”

The first public exploit of the known weaknesses in MD5. Lots of research done on MD5, culminating in papers in 2004 and 2007 on theoretical attacks against MD5. However CAs still use MD5 in the signing process. Cluster of 200 PS3s to create the collision and perform the attack. Attack against all SSL based connections using the vulnerability in MD5 (not in SSL). Certificate revocation is a problem, as was seen with the Debian OpenSSL vulnerability. Some basic overview of how the certificate request process works, and the MD5 hashing process. Original MD5 hash collision was demonstrated in 2004. In 2007 this was improved upon to go beyond the 128 byte limit of the 2004 attack. Process is to create a collision on the “to be signed” section of the certificate. Get the certificate signed and use this on the other certificate using a different identity. Of 30,000 collected certificates, 9,000 of them were signed with MD5. 97% of these were issued by RapidSSL. RapidSSL were also an easy target due to the automated fashion of certificate creation. The time of certificate creation was easily calculated for use with the MD5 collision. Another factor was the certificate serial number (RapidSSL uses sequential numbers). Due to the length of time needed to recreate the MD5 collision (3 days) an estimate of the certificate serial number needs to be made (using statistical analysis and incrementing the number through certificate purchases). The certificate request then needs to be done at the exact time to match the time used in the created collision certificate. If the attack is successful an intermediary certificate authority is created. From this point you can sign your own certs and they will be valid. Succeeded in creating the certificate on the 4th attempt. Cost of the certificates was only $657. The private key created in this talk will NOT be released (and was backdated so it expired in Aug 2004 anyway).
This said, not every piece of software checks the certificate validity date. This certificate is not revocable as the certificate has a blank URL for revocation checking (nice feature). Even if revocation was possible, Firefox 2.x and IE6 don’t check for revocation by default. EV (extended validation) certificates are immune to this attack vector as they are not allowed to use MD5 with these certificates. It’s estimated that with some optimisation this attack could be done in 1 day using the Amazon EC2 service at a cost of $2,000. If you disable current CAs that sign with MD5 then 30% of SSL on the Internet would stop working. In a twist of the normal way things play out, both Microsoft and Mozilla were asked to sign NDAs. Apparently both signed (although MS took a bit longer than Mozilla).

Breakdown… MD5 is and has been broken for a long time; move on, use SHA-1 at least. The affected CAs have been contacted to make this switch. The question outstanding is “Can we trust CAs that have used MD5 to sign certificates in the past?”. There is always a chance that somebody has already used this attack and we don’t know about it.

Publishing the theory and talking about it in papers wasn’t enough to prevent MD5 from being used. It took a valid, actionable attack and proof of concept to force the change. I can’t think of a better answer to the full-disclosure question. Sometimes you have to expose the security of a system to make it better. All the pieces are there to recreate this attack. The Internet is not broken….. Yet.

–> breakdown of attack available here: http://www.win.tue.nl/hashclash/rogue-ca/

Overall this has been a great conference… can’t wait for Hacking At Random next year.

Posted in Conference, Security, Technology | Leave a Comment

25C3 – MD5 considered harmful today: Creating a rogue CA certificate

Posted by ChrisJohnRiley on December 30, 2008

Looks like the cat is out of the bag as the much discussed “Making the theoretical possible” has been renamed to “MD5 considered harmful today: Creating a rogue CA certificate”. If the talk wasn’t already going to be packed, it certainly will now.

You can check out the live stream from the presentation at 15:15 CET – mms://streaming-25c3.fem-net.de/saal1

Posted in Conference, Security, Technology | Leave a Comment

Rumblings prior to 25C3 day four

Posted by ChrisJohnRiley on December 30, 2008

It appears that the discussion about tomorrow’s 25C3 “Making the theoretical possible” talk by Alex Sotirov and Jake Appelbaum about critical infrastructure is reaching a peak. In a post on the Breakingpoint Systems blog, HD Moore talks about the possible repercussions of the talk and the research done to prove the attack. I’ll be at the talk tomorrow and hope to post some more information as it becomes available.

The below is an excerpt from HD’s blog post .:

“First things first; the reason for secrecy. Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users. Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works. This process required interaction with a third party that will likely do whatever they can to save face once the details become public.

To prepare for the fallout, Alexander and Jacob have been working with a legal team to review their work and advise them on the best way to disclose the issue without finding themselves at the receiving end of a lawsuit.”

Looks like the last day of 25C3 will be a good one…. reserve your seats early ;)

Posted in Conference, Security, Technology | Leave a Comment

25C3 Day Three

Posted by ChrisJohnRiley on December 29, 2008

It’s already day three, and it’s hard to think that tomorrow is the last day. If you’re around at the conference, and see a man with red hair (lots of them) and a laptop covered in OpenBSD fish, then come over and say hi. I don’t bite… well not on the first date anyway.

11:30 CET
Running Your own GSM Network

Usual disclaimers… don’t try this at home. Something about it being illegal ;) GSM documentation is all available online (except the encryption details). Lots and lots of documents (1,108 PDFs). Parallels are drawn between the GSM and ISDN protocols. I never knew that GSM was based on original ISDN protocols. Some very good information here on how the protocols fit together. If you’re into GSM then this is information you will definitely want to see. Lots of hardware information on the Siemens BS-11, but interesting for anybody into mobile networks. Some testing at 25C3 shows it’s possible to skim people’s IMEI numbers, as well as checking which country people originate from. Not sure if this is based on the SIM country, or the phone country. Interesting attack vectors though. The demo was fun; too many people in the audience attaching to the network made things a little tricky. This work doesn’t yet allow true MitM attacks, but a MitM style attack could be done on a user in range of the fake network and then routing it across an ISDN line to the original destination.

Source code for the GSM full-rate codec is online at http://kbs.cs.tu-berlin.de/~jutta/toast.html

14:00 CET
An Introduction to new Stream Cipher Designs

This talk covered new algorithms for fast data encryption, in particular stream ciphers. The talk is based on information from the eStream project (part of the ECRYPT project). Although there was no groundbreaking stuff here, it was interesting to see the pros and cons of what is currently in use (such as RC4, AES-CTR, etc.). Some in-depth overviews of the ciphers entered into the ECRYPT project were given. Mention of the new Cube Attacks released by Dinur and Shamir at this year’s CRYPTO 2008 conference. Is this attack method usable on existing hardware ciphers? Finishing off, discussion of the NIST Hash Function Competition was made. Currently 17 of the 64 proposals have been broken. Final decision is expected in Q2 2012. So nothing to be looking forward to for next year ;) if in doubt, stick with AES(-CTR).

Check out the eStream project at http://ecrypt.eu.org/stream/

16:00 CET
Hacking Botnets/Squeezing Attack Traces

Unfortunately, due to a serious case of the FAIL, my notes for this and all subsequent talks were lost. This just goes to show that I really need to get a decent netbook and never use my blackberry ever again.

So, from memory. The analysis of the Storm worm was until now based purely on running it in a virtual environment and tracking the traffic to see what occurs. However the team presenting have taken this a step further and reversed the code to examine how the underlying bot works. The Storm bot is based on DHT traffic as used by eDonkey and other peer-to-peer sharing programs. By changing the traffic slightly, it was possible to use the same communications but avoid being intercepted by other eDonkey users using DHT. By reversing the code it was possible to find the hash codes used in the DHT communication and effectively hijack the Storm botnet. A demo was given based on this attack method, showing that you can fool an infected Storm zombie into running code from a fake C&C. Although at the height of its rampage the Storm bot had over 1 million zombies, the number is thought to be around 100,000 at present. With this research it may be possible to take over the whole botnet and force the infected machines to run disinfection code. However the researchers are naturally not legally allowed to do this. Some of the code developed will be released in the coming weeks, but not all of it due to Germany’s 202C anti-hacking laws.

18:30 CET
SWF and the Malware Tragedy

Where to start. I think the best reaction I had to this was that it was interesting research, but badly presented. Using statistical analysis it was possible to diagram similarities in malicious SWF files. However personally I’d like to have seen charting of both malicious and non-malicious SWFs to see if this method could be used in IDS/IPS type protections. Other than that, the talk wasn’t anything to call home about.

20:30 CET
Methods for understanding targeted attacks with Office Documents

It was good to see a Microsoft employee talking at this kind of conference. He gave props to the OpenOffice team for a variety of things, and it made for a fun presentation. Any presenter that can describe things with “bla bla bla” is a winner in my book. Plus the parting words of “I’ve never seen so many Mac users in one place before” just made my day. I should have asked him to say “I’m a PC” just once for the camera. That aside, the content of the presentation was good. Overview of the new Office 2007 XML based files was very interesting. Especially as I’ve just seen Larry’s Pauldotcom video on Office 2007 Metadata. The file is a filesystem in a file, allowing for more than just a single piece of data. A majority of attacks are now also resulting in a valid document being loaded instead of the typical crash in Office that we were seeing some years back. This leaves very little evidence that you’ve been exploited at all. Demo on exploitation was good, but I’d love to have seen some more code.

21:45 CET
Cisco IOS attack and defense

Packed out presentation, and who can blame the people. Lots of good information here. Mostly concentrated on Cisco as they hold 92% of the router market, and Juniper (second in line) is just FreeBSD under the hood. All processes share the same HEAP in IOS, making it easy to overwrite other processes’ memory. There are over 100,000 different IOS images (15,000 supported by Cisco) making reliable exploitation hard to achieve. This variation in IOS gives a poor man’s ASLR (Address Space Layout Randomisation) so makes things hard. However as with ASLR, return-to-libc style attacks still do the trick. However in IOS this means writing code to the now unused ROMMON location and going from there. Some information was given on IOS forensics and memory dumps. Hard to get working, but once it is, you can get lots of information. As different memory locations are used for small, medium and large packets, older packets can still be found in memory and are not overwritten in a reliable way. This leads to good forensic ability, as you can read the packets straight from a RAM dump and output them into PCAP format. A simple demo was performed using a malformed ping packet to display text on the router screen. However this was enough to prove the attack vector.

—————-

Tonight is the bloggers/security-twits meetup outside the BCC (by the rocket) at 24:00. I’ll be there, hope to see you there too ;)

Posted in Conference, Security, Technology | Leave a Comment

25C3 Day two

Posted by ChrisJohnRiley on December 28, 2008

Well, day two has begun. Surprisingly getting up wasn’t a big problem. Still I’m sure that’ll change over the next few days.

11:30 CET
Lightning talks
I’ll not cover all talks here, as the point of these lightning talks is that they’re not all interesting for you. A couple of interesting ones:

Anamos
An encrypted BitTorrent. The presentation was a little paranoid but made valid points on the unencrypted and dangerous nature of (certain) BitTorrent use. If you’re interested, check out http://anamos.info

GPF Crypto Chip
Like an OpenPGP card, but in USB form. This allows PGP keys to be in an easy USB interface. Currently in the final phase of planning prior to limited hardware rollout (circa 30 EUR per piece). The hardware specs and plans are open source and full specs will be released soon. Version 2 with RSA support (up to 2048) is forthcoming. www.privacyfoundation.de

OLSR-NG
Mesh networking update from last year. Advances in speed and routing improvements.

CERT.at Botnets
CERT.at gave a quick breakdown of a USB based bot discovered (and monitored) by the team. The malware team at CERT.at appears to be growing. As I’m based in Austria I’ll try and catch up with the speaker later for a chat. Some coverage of the DNS vuln on Austrian DNS traffic. Interesting metrics.

Hackable Devices
A quick overview of hardware that can be hacked (mostly to run Linux). Openmoko Freerunner running Debian, Linksys routers, Sharp Zaurus etc… Interesting list, but nothing that new here. www.hackable1.org

Last talk of the morning was a no show. I guess nerves got him ;)

12:45 CET
Full-Disk Encryption crash course

A good intro to how full disk encryption really works under the hood. Good information on the Windows hooks and NTloader using int13 to interface. It’s interesting to learn about the various programs’ support for TPM chips. Looks like most companies aren’t using the TPM for storing the cryptographic keys, which is a little lazy. Good coverage of Truecrypt volume headers, and how it implements decoy operating systems and hidden volumes. Limitations of Truecrypt in an enterprise, such as lack of key and user management. There will be a workshop tomorrow at 19:00 (A03) for those at the BCC.

14:00 CET
Attacking Rich Internet Applications

DOM based XSS, filter evasion, and some specific coverage on Firefox / Opera issues. This talk takes Amit Klein’s original attack premise and takes it one step further than simple XSS code execution. Using CSS injection to read and forward page data to an external source. This is a perfect way to bypass one-time tokens used against CSRF vulnerabilities. The explanation expects a certain amount of user knowledge, so I’ll be reviewing the stream when I get a chance. Pity some of the browser exploits are patched, for old versions (i.e. Firefox 2.x only) or for browsers that nobody uses (Chrome or Opera). Nice live demo of XSS’ing OWASP and Google ;) check out the video if you get a chance.

16:00 CET
Vulnerability Discovery in Closed Source PHP Applications

Why do companies make closed source PHP applications…. To cover IP violations was on the list (laughable, but probably very true). How can you check your application is secure if you can’t audit the code? Standard white/grey box methods are not possible on closed source (usually). Encrypted PHP through something like Zendguard and into PHP Bytecode (not obfuscated PHP, as this is easily bypassed). Newer methods of encryption also execute the code directly to avoid exposing the PHP code at execution (anti-hooking techniques). The talk goes into some detail on PHP Bytecode. If you’re a PHP developer then this is probably interesting to learn about, however if you’re not deep into PHP, then things are likely to make little sense. Still, this is something I need to concentrate more time on over the next few months. Q1 2009 is IPv6 and Web-App testing period for me.

17:15 CET
Lockpicking Workshop

As the TCP DoS talk was packed out (it’s only a denial of service, right?) I headed down to the Lockpicking workshop for a quick check. Lots of people playing with handcuffs… sounds kinky, but I think you’ve got the wrong idea.

18:30 CET
Short Attention Span Security

All content at awgh.org

A compilation of short 5-7 minute talks about random hacks.

The first part covered using badly programmed password reset through email. Some references to Sarah Palin here, all in good humour. Mailinator scripts to scrape password reset mails straight from the site.

Next on the agenda, BIOS rootkits. Attacks on hardware appear to be on the rise (USB picture frames, and Catalysts’s sold on eBay with malicious BIOS installed). Exploit code can be inserted into the PCI option ROM. EFI BIOSes seem to make things easier on many fronts. With built in support for PXE, TCP/IP and filesystems (as well as a development kit), things will become easier to attack on EFI machines. Mainboards supporting EFI BIOS will be taking over in 2009. TPM won’t help currently against this attack vector (due to the range of possible PCI option ROMs).
A short couple of slides on bypassing Microsoft’s anti-XSS ISAPI filter. Fixed in the latest release (responsible disclosure).

Topic change, Script Injection in Flex. Solved in IE8, as long as the remote server sets a response header X-Download-Options: noopen (which turns off the Open option on this link). A laughable solution.

C/C++ code auditing. Grepping for strcpy ;) and using GCC Dehydra to do static analysis through the SpiderMonkey JavaScript engine. The project is in need of common scripts for checking.

Last topic, Groo. A web front-end for aircrack. Basic automatic WEP hacking program running on a mini ITX box. Are people still using WEP??? Please stop.

20:30 CET
Banking Malware 101

Last one of the night for me. Gadi said this would be basic, but I’m not really a malware analyst, so nothing is too basic for me in this arena. Coverage of Nethell, Limbo (browser helper objects) and ZeuS (also referred to as Wsnpoem or Zbot); these all seem to work through control of the DOM. Some other minor types are discussed, but nothing in-depth. The example log files were interesting, but as Gadi said, nothing majorly new here. Moving into the second portion of the talk, “Finding Dropzones”, the typical solution of honeypots is proposed for this purpose. Closing out, some overview data was shown on the analysed malware, victim numbers and dropzone information as well as some basic protections. Good overview in all, but nothing ground breaking. Status update. http://honeypot.org

Finishing up early for the day. Looking to chat to a few people and grab a little sleep tonight.

Posted in Conference, Security, Technology | Leave a Comment

25C3 Day One

Posted by ChrisJohnRiley on December 28, 2008

It’s not often that I get up at 3:30am for anything. Sure I go to bed at 3:30am, but getting up is a whole different thing. Still, today I found myself actually wanting to get up early so my kind (and generous) girlfriend could drive me and a work colleague to Vienna. A short flight (too short to do much on) and we’re in Berlin for day one of the 25C3.

11:00 CET
Arrival at BCC

Due to some late running (hotel issues) the opening ceremony was missed. However I managed to catch the Datenpannen talk, covering some of the data breaches in the last 12 months (Germany centric). Interesting to see the numbers and the lack of overall media coverage on non-US breaches. Still, I guess that’s what happens when you don’t have data breach laws that say you need to announce the details. One of the breaches mentioned netted 21 Million records (that’s 3 in every 4 people in the country). Sad fact is, the timescale of the breach covers my time living in Munich, so I guess my information is once again out there. Like the constant British government data breaches (or data losses as they tend to be) weren’t already enough. Time to grab some food and take a look around at the BCC and where things are.

14:00 CET
The Security Failures in Smart Card Payment Systems

The talk was better than I expected. Also a little different, as I was hoping for something a bit more in-depth on the software/backend side of the system. After all, that’s the kind of thing I work with. Still, the hardware side of the system looks like it’s worth a look. The way the banks lay down all the rules themselves and have the ability to decide who is to blame for fraudulent transactions is scary. I think some more regulation and emphasis on the banks being liable would really increase the security in this area. After all, why would banks spend thousands on securing terminals if they can just blame the user when things go wrong? They are the judge, jury and executioner in this area at the moment.

16:00 CET
On the Individuality of Active and Passive Devices

As hackerspaces and wearable computing weren’t high on my agenda (although wearables are the height of cool), I attended the surprise easter egg talk On the Individuality of Active and Passive Devices. I say it’s an easter egg, as it wasn’t listed on the Fahrplan and was only briefly announced in one other session as happening. Still, the room was quite full. I guess that will be the theme for the conference. The talk covered the basics of device biometrics, and the methods used to differentiate between communications based on differences in the components used. The components mentioned aren’t so much different wireless cards (as an example) but the same card type, version and driver with different physical components (resistors, for example, vary even within a batch used by a single manufacturer). Examples were given for wireless devices as well as RFID. The information was very interesting, and the results are undeniable, but I can’t see it being useful in a real life scenario, at least not in the current day and age. Discussion of using this kind of device biometrics to prevent access by foreign devices (i.e. attackers) seems a little premature considering the external influences that could affect results. The level of accuracy would have to be very high to avoid device impersonation. The level of matching would then lead to false negatives (approved devices failing to gain access), or an easy denial of service by broadcasting interference and therefore knocking all users off the network. Then again, DoSing a wireless LAN isn’t exactly hard with current standards anyway. Still, this is interesting stuff. The RFID concept was a little more out there. Let’s just say that the antenna polarity is an issue, frequency has to be exact (yes, I do mean exact), oh, and no metal please. Wood was used in the test for all mountings. I guess maybe this part needs some more work before going mainstream. Overall though, it’s something to keep an eye on for the future. Far future…

17:15 CET
Just Estonia and Georgia?

Next up was more on the Estonia incident handling, this time with some of the Georgia attacks mixed in to keep things current. I’ve seen the previous presentations by Gadi Evron on the Estonian incident, but this presentation mixed in some new topics not raised previously. Sometimes it’s easy to forget about the poor people who have to deal with the ISP abuse emails on a daily basis. I can only imagine the pain they feel. The biggest game of whack-a-mole ever ;) Find a botnet C&C, whack it, repeat. Who really controls and polices the inter-tubes? I think somebody said Paul Vixie, but I could be wrong. Interaction between ISPs in different locations around the world, and language barriers, are an issue. It’s not always what you know, but who you know (and can speak with). The major trend appears to be, and will remain, communicating the problem. The technology and talent is there, but the communication infrastructure to get things cleaned up fast just isn’t where it needs to be. How much quicker could we take malicious links down if the right people knew at the right time? McColo, Intercage and ESTdomains were mentioned. If I can get some time with Gadi later I’ll ask him his opinion on the ESTdomains removal. I still think that this was a hollow victory personally. No real solutions here, just clarification of the issues.

18:30 CET
Chip Reverse Engineering

The place was packed for this one. A little light on technical detail, but an interesting look at how hardware reverse engineering is done. I knew the basics, but actually seeing the slides and progress makes things a little clearer. Maybe next year it’ll move beyond how to get a diagram of the gates and onto what to do as a next step in breaking the crypto, or finding flaws that could be used for the next generation of hardware rootkits. Or maybe that’s something we’ll have to figure out on our own.

20:30 CET
Hacking the iPhone

You know this one is going to be popular. It’s in the largest of the 3 rooms and at 20:00 it’s already looking packed out. Still, a few seats were left near the front, so time to sit for a few minutes and figure out the hibernation problems with my laptop. uswsusp to the rescue ;) Although interesting on many different levels, the talk dragged a bit. The overview of how the 1st gen and 2nd gen differ from a hacking standpoint was interesting to learn. Exploitation in the chain of trust allowed for almost total compromise of the iPhone. However, Apple are learning and each new version of the iPhone corrects previous blunders. Give it about 5 years (4th gen iPhone???) and maybe people will have to up their game to get total ownership of the device… which is sad. Why do companies have such a hard time accepting that if we pay for the device (and we do) it should do what we want and not ONLY what they allow? In this race, they’ll always lose.

21:45 CET
Locating Mobile Phones Using SS7

I’ll be the first to admit that I know almost nothing about mobile phone technology. This includes GSM and SS7. So this talk was something I really wanted to attend, to improve my knowledge in this area as much as possible. That is, if I can see through the crowd. I think maybe next year CCC is going to need some more room. From what I heard, this technique was very interesting. I’ll have to review later to get the full extent of the content, however.

23:00 CET
Why were we so vulnerable to the DNS Vulnerability?

I had to go to Dan’s talk. After not seeing it on the first Fahrplan, it’s good to see Dan back in Berlin. It’s late, so the question is, how drunk is Dan already ;) Nice to see the presentation has been totally changed since the Blackhat/Defcon one. Dan even seems sober, as there was no mention of drinking throughout the presentation. The content was greatly changed from the BH/DC one and is a must for people looking for some more info on “What’s next, and why did this happen?”

Word from Nick Farr is that the Congress is totally sold out… Not sure if this is a first, but it certainly feels sold out to me ;) Managed to grab a few drinks with Security4All and a few others (sorry, bad with names/faces). Fun to the max. Tomorrow is another day, however.

Posted in Conference, Security, Technology | Tagged: , , , , | 1 Comment »