It’s not often that I get up at 3:30am for anything. Sure, I go to bed at 3:30am, but getting up is a whole different thing. Still, today I found myself actually wanting to get up early so my kind (and generous) girlfriend could drive me and a work colleague to Vienna. A short flight (too short to do much on) and we’re in Berlin for day one of the 25C3.
Arrival at BCC
Due to some late running (hotel issues) the opening ceremony was missed. However, I managed to catch the Datenpannen talk, covering some of the data breaches in the last 12 months (Germany centric). Interesting to see the numbers and the lack of overall media coverage on non-US breaches. Still, I guess that’s what happens when you don’t have data breach laws that say you need to announce the details. One of the breaches mentioned netted 21 Million records (that’s 3 in every 4 people in the country). Sad fact is, the timescale of the breach covers my time living in Munich, so I guess my information is once again out there. Like the constant British government data breaches (or data losses as they tend to be) weren’t already enough. Time to grab some food and take a look around at the BCC and where things are.
The Security Failures in Smart Card Payment Systems
The talk was better than I expected. Also a little different, as I was hoping for something a bit more in-depth on the software/backend side of the system. After all, that’s the kind of thing I work with. Still, the hardware system looks like it’s worth a look. The way the banks lay down all the rules themselves and have the ability to decide who is to blame for fraudulent transactions is scary. I think some more regulation and emphasis on the banks being liable would really increase the security in this area. After all, why would banks spend thousands on securing terminals if they can just blame the user when things go wrong? They are the judge, jury and executioner in this area at the moment.
On the Individuality of Active and Passive Devices
As hackerspaces and wearable computing weren’t high on my agenda (although wearables are the height of cool), I attended the surprise easter egg talk On the Individuality of Active and Passive Devices. I say it’s an easter egg, as it wasn’t listed on the Fahrplan and was only briefly announced in one other session as happening. Still, the room was quite full. I guess that will be the theme for the conference. The talk covered the basics of device biometrics, and the methods used to differentiate between communications based on differences in the components used. The components mentioned aren’t so much different wireless cards (as an example) but the same card type, version and driver with different physical components (resistors, for example, vary even within a batch used by a single manufacturer). Examples were given for wireless devices as well as RFID. The information was very interesting, and the results are undeniable, but I can’t see it being useful in a real life scenario, at least not in the current day and age. Discussion of using this kind of device biometrics to prevent access by foreign devices (i.e. attackers) seems a little premature considering the external influences that could affect results. The level of accuracy would have to be very high to avoid device impersonation. The level of matching would then lead to false negatives (approved devices failing to gain access), or an easy denial of service by broadcasting interference and therefore knocking all users off the network. Then again, DoSing a wireless LAN isn’t exactly hard with current standards anyway. Still, this is interesting stuff. The RFID concept was a little more out there. Let’s just say that the antenna polarity is an issue, frequency has to be exact (yes, I do mean exact), oh and no metal please. Wood was used in the test for all mountings. I guess maybe this part needs some more work before going mainstream. Overall though, it’s something to keep an eye on for the future. Far future…
Just Estonia and Georgia?
Next up was more on the Estonia incident handling, this time with some of the Georgia attacks mixed in to keep things current. I’ve seen the previous presentations by Gadi Evron on the Estonian incident, but the presentation mixed in some new topics not raised previously. Sometimes it’s easy to forget about the poor people who have to deal with the ISP abuse emails on a daily basis. I can only imagine the pain they feel. The biggest game of whack-a-mole ever 😉 Find a botnet C&C, whack it, repeat. Who really controls and polices the inter-tubes? I think somebody said Paul Vixie, but I could be wrong. Interaction between ISPs in different locations around the world and language issues are an issue. It’s not always what you know, but who you know (and can speak with). The major trend appears to be, and will remain, communicating the problem. The technology and talent is there, but the communication infrastructure to get things cleaned up fast just isn’t where it needs to be. How much quicker could we take malicious links down if the right people knew at the right time? McColo, Intercage and ESTdomains were mentioned. If I can get some time with Gadi later I’ll ask him his opinion on the ESTdomains removal. I still think that this was a hollow victory personally. No real solutions here, just clarification of the issues.
Chip Reverse Engineering
The place was packed for this one. A little light on technical detail, but an interesting look at how hardware reverse engineering is done. I knew the basics, but actually seeing the slides and progress makes things a little clearer. Maybe next year it’ll move beyond how to get a diagram of the gates and onto what to do as a next step in breaking the crypto, or finding flaws that could be used for the next generation of hardware rootkits. Or maybe that’s something we’ll have to figure out on our own.
Hacking the iPhone
You know this one is going to be popular. It’s in the larger of the 3 rooms and at 20:00 it’s already looking packed out. Still, a few seats were left near the front, so time to sit for a few minutes and figure out the hibernation problems with my laptop. Uswsusp to the rescue 😉 Although interesting on many different levels, the talk dragged a bit. The overview of how the 1st gen and 2nd gen differ from a hacking standpoint was interesting to learn. Exploitation in the chain of trust allowed for almost total compromise of the iPhone. However, Apple are learning and each new version of the iPhone corrects previous blunders. Give it about 5 years (4th gen iPhone ???) and maybe people will have to up their game to get total ownership of the device… which is sad. Why do companies have such a hard time accepting that if we pay for the device (and we do) it should do what we want and not ONLY what they allow? In this race, they’ll always lose.
Locating Mobile Phones Using SS7
I’ll be the first to admit that I know almost nothing about mobile phone technology. This includes GSM and SS7. So this talk was something I really wanted to attend, to improve my knowledge in this area as much as possible. That is, if I can see through the crowd. I think maybe next year CCC is going to need some more room. From what I heard, this technique was very interesting. I’ll have to review it later to get the full extent of the content, however.
Why were we so vulnerable to the DNS Vulnerability?
I had to go to Dan’s talk. After not seeing it on the first Fahrplan, it’s good to see Dan back in Berlin. It’s late, so the question is, how drunk is Dan already 😉 Nice to see the presentation has been totally changed since the Blackhat/Defcon one. Dan even seems sober, as there was no mention of drinking throughout the presentation. The content was greatly changed from the BH/DC one and is a must for people looking for some more info on “What’s next and why did this happen”.
Word from Nick Farr is that the Congress is totally sold out… Not sure if this is a first, but it certainly feels sold out to me 😉 Managed to grab a few drinks with Security4All and a few others (sorry bad with names/faces). Fun to the max. Tomorrow is another day however.