Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

25C3 Day two

Well, day two has begun. Surprisingly, getting up wasn’t a big problem. Still, I’m sure that’ll change over the next few days.

11:30 CET
Lightning talks
I’ll not cover all talks here, as the point of these lightning talks is that they’re not all interesting for you. A couple of interesting ones:

An encrypted bit-torrent – the presentation was a little paranoid but made valid points on the unencrypted and dangerous nature of (certain) bit-torrent use. If you’re interested, check out http://anamos.info

GPF Crypto Chip
Like an OpenPGP card, but in USB form. This allows PGP keys to be kept behind an easy USB interface. Currently in the final phase of planning prior to limited hardware rollout (circa 30 EUR per piece). The hardware specs and plans are open source and full specs will be released soon. Version 2 with RSA support (up to 2048) is forthcoming. http://www.privacyfoundation.de

Mesh networking update from last year. Advances in speed and routing improvements.

CERT.at Botnets
CERT.at gave a quick breakdown of a USB based bot discovered (and monitored) by the team. The malware team at CERT.at appears to be growing. As I’m based in Austria I’ll try and catch up with the speaker later for a chat. Some coverage of the DNS vuln on Austrian DNS traffic. Interesting metrics.

Hackable Devices
A quick overview of hardware that can be hacked (mostly to run Linux). Openmoko FreeRunner running Debian, Linksys routers, Sharp Zaurus etc… Interesting list, but nothing that new here. http://www.hackable1.org

Last talk of the morning was a no show. I guess nerves got him 😉

12:45 CET
Full-Disk Encryption crash course

A good intro to how full disk encryption really works under the hood. Good information on the Windows hooks and NTloader using int13 to interface. It’s interesting to learn about the various programs’ support for TPM chips. Looks like most companies aren’t using the TPM for storing the cryptographic keys, which is a little lazy. Good coverage of TrueCrypt volume headers, and how it implements decoy operating systems and hidden volumes. Limitations of TrueCrypt in an enterprise, such as lack of key and user management. There will be a workshop tomorrow at 19:00 (A03) for those at the BCC.

14:00 CET
Attacking Rich Internet Applications

DOM based XSS, filter evasion, and some specific coverage on Firefox / Opera issues. This talk takes Amit Klein’s original attack premise and takes it one step further than simple XSS code execution: using CSS injection to read and forward page data to an external source. This is a perfect way to bypass one-time tokens used against CSRF vulnerabilities. The explanation expects a certain amount of user knowledge, so I’ll be reviewing the stream when I get a chance. Pity some of the browser exploits are patched, for old versions (i.e. Firefox 2.x only) or for browsers that nobody uses (Chrome or Opera). Nice live demo of XSS’ing OWASP and Google 😉 check out the video if you get a chance.

16:00 CET
Vulnerability Discovery in Closed Source PHP Applications

Why do companies make closed source PHP applications…? To cover IP violations was on the list (laughable, but probably very true). How can you check your application is secure if you can’t audit the code? Standard white/grey box methods are not possible on closed source (usually). Encrypted PHP goes through something like Zend Guard and into PHP bytecode (not obfuscated PHP, as this is easily bypassed). Newer methods of encryption also execute the code directly to avoid exposing the PHP code at execution (anti-hooking techniques). The talk goes into some detail on PHP bytecode. If you’re a PHP developer then this is probably interesting to learn about; however, if you’re not deep into PHP, then things are likely to make little sense. Still, this is something I need to concentrate more time on over the next few months. Q1 2009 is IPv6 and Web-App testing period for me.

17:15 CET
Lockpicking Workshop

As the TCP DoS talk was packed out (it’s only a Denial of Service, right?), I headed down to the Lockpicking workshop for a quick check. Lots of people playing with handcuffs… sounds kinky, but I think you’ve got the wrong idea.

18:30 CET
Short Attention Span Security

All content at awgh.org

A compilation of short 5-7 minute talks about random hacks.

The first part covered abusing badly programmed password reset through email. Some references to Sarah Palin here, all in good humor. Mailinator scripts to scrape password reset mails straight from the site.
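The weak spot in the password-reset flows above is the token that lands in the mailbox: if it is guessable, long-lived or reusable, anything that can read the mail (or a scraper pointed at a throwaway inbox) owns the account. The following is an added example, not code from the talk or from the blog, of the properties a reset token needs: generated from the OS CSPRNG, stored only as a digest, bound to one user, expiring after a short window, and consumed on first use. The in-memory store and the `now` parameter (for deterministic testing) are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store; a real deployment persists this server-side.
# Only the SHA-256 digest of each token is kept, so reading the store does not
# yield a usable reset link.
_reset_tokens: Dict[str, dict] = {}

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime limits the window for a mailbox scrape


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use, expiring reset token bound to user_id and return it.

    The returned string is what goes into the e-mail link; the store keeps only
    its digest. Issuing a new token supersedes any earlier one for the user.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    # Drop any outstanding token for this user so only the newest link works.
    for key, rec in list(_reset_tokens.items()):
        if rec["user_id"] == user_id:
            del _reset_tokens[key]
    _reset_tokens[_digest(token)] = {"user_id": user_id,
                                     "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(user_id: str, token: str,
                       now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token bound to user_id."""
    now = time.time() if now is None else now
    wanted = _digest(token)
    # Walk every stored digest with a constant-time compare so that timing does
    # not leak whether a presented token is close to a real one.
    for key, rec in list(_reset_tokens.items()):
        if hmac.compare_digest(key, wanted):
            # Single use: the record is consumed whether or not the checks pass,
            # so a token observed by a third party cannot be replayed later.
            del _reset_tokens[key]
            return rec["user_id"] == user_id and now <= rec["expires"]
    return False
```

Binding the token to the user and checking expiry only after a digest match means a presented token never reveals which user it belonged to; the caller still gets a simple True/False.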

Next on the agenda, BIOS rootkits. Attacks on hardware appear to be on the rise (USB picture frames, and Catalysts sold on eBay with malicious BIOS installed). Exploit code can be inserted into the PCI option ROM. EFI BIOSes seem to make things easier on many fronts. With built-in support for PXE, TCP/IP and filesystems (as well as a development kit), things will become easier to attack on EFI machines. Mainboards supporting EFI BIOS will be taking over in 2009. TPM won’t help currently against this attack vector (due to the range of possible PCI option ROMs).
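Since the talk’s point is that option ROMs are an unwatched place to put code, a defender’s first step is being able to read what is in them. The following is an added example, not from the talk or this blog, of a parser for the PCI expansion ROM image format: it walks the chain of images in a dumped ROM, reports vendor/device ID and code type for each, and verifies the legacy x86 checksum (all bytes of the image sum to zero mod 256). The header offsets are those of the PCI expansion ROM format as this example understands them; the `build_image` helper, vendor/device IDs and tampered byte are constructed purely to exercise the parser.

```python
import struct
from typing import Dict, List

# Expansion ROM header (per PCI spec, as assumed by this example):
#   bytes 0-1   0x55 0xAA signature
#   byte 2      image length in 512-byte units (legacy x86 images)
#   byte 0x18   16-bit LE offset, relative to the image, of the "PCIR" structure
# PCIR data structure:
#   +0x00 "PCIR"  +0x04 vendor id  +0x06 device id  +0x0A PCIR length
#   +0x10 image length (512-byte units)  +0x14 code type  +0x15 indicator (bit 7 = last image)
CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def build_image(code_type: int, last: bool, vendor: int = 0x1234,
                device: int = 0x5678, blocks: int = 1) -> bytes:
    """Construct a minimal well-formed image (constructed sample, not a real ROM)."""
    img = bytearray(blocks * 512)
    img[0:2] = b"\x55\xAA"
    img[2] = blocks
    pcir = 0x1C                                   # place PCIR right after the header
    struct.pack_into("<H", img, 0x18, pcir)
    img[pcir:pcir + 4] = b"PCIR"
    struct.pack_into("<HH", img, pcir + 4, vendor, device)
    struct.pack_into("<H", img, pcir + 0x0A, 0x18)
    struct.pack_into("<H", img, pcir + 0x10, blocks)
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    img[-1] = (-sum(img[:-1])) & 0xFF             # make the whole image sum to 0 mod 256
    return bytes(img)


def parse_option_rom(rom: bytes) -> List[Dict]:
    """Return one record per image in the ROM, flagging checksum or layout problems."""
    rom = bytes(rom)
    images: List[Dict] = []
    off = 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xAA":
            raise ValueError(f"no 55AA signature at offset {off:#x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"PCIR structure missing for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        blocks = struct.unpack_from("<H", rom, pcir + 0x10)[0]
        if blocks == 0:
            raise ValueError(f"zero-length image at offset {off:#x}")
        code_type = rom[pcir + 0x14]
        last = bool(rom[pcir + 0x15] & 0x80)
        length = blocks * 512
        image = rom[off:off + length]
        # The byte-sum checksum is defined for legacy x86 images only; EFI images
        # are PE/COFF and are not covered by it, so report None for them.
        checksum_ok = (sum(image) & 0xFF) == 0 if code_type == 0 else None
        images.append({
            "offset": off, "vendor_id": vendor, "device_id": device,
            "code_type": code_type, "code_type_name": CODE_TYPES.get(code_type, "unknown"),
            "length": length, "truncated": len(image) < length,
            "last": last, "checksum_ok": checksum_ok,
        })
        if last:
            break
        off += length
    return images


if __name__ == "__main__":
    sample = build_image(0, last=False) + build_image(3, last=True)
    for rec in parse_option_rom(sample):
        print(rec)
```

A failed checksum on a legacy image, an unexpected code type, or a vendor/device pair that does not match the card it came from are the kinds of discrepancies worth chasing when comparing a dumped ROM against the vendor’s published image.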
A short couple of slides on bypassing Microsoft’s anti-xss ISAPI filter. Fixed in the latest release. (Responsible disclosure).

Topic change, Script Injection in Flex. Solved in IE8, as long as the remote server sets a response header X-Download-Options: noopen (which turns off the Open option on this link). A laughable solution.

C/C++ code auditing. Grep’ing for strcpy 😉, and using GCC-Dehydra to do static analysis through the SpiderMonkey JavaScript engine. The project is in need of common scripts for checking.
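Grep’ing for strcpy is the joke, but the reason people reach for Dehydra instead is that plain grep fires on comments, string literals and unrelated identifiers. As an added example, not from the talk or from the Dehydra project, here is the small step between the two: a scanner that blanks out comments and string literals while keeping line numbers intact, then reports only real call sites of a list of unbounded C library functions. The `SAMPLE_C` source is constructed for the demonstration, and the list of functions and suggested replacements is this example’s own.

```python
import re
from typing import List, Tuple

# Unbounded or unchecked C library calls, with the replacement an auditor would
# normally look for (this example's list, not an exhaustive one).
RISKY_CALLS = {
    "strcpy": "strncpy/strlcpy with an explicit destination size",
    "strcat": "strncat/strlcat",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
    "scanf": "a width-limited format, or fgets plus parsing",
}

# A name counts as a call only when it is a whole identifier followed by '(';
# the lookbehind rejects my_strcpy(, snprintf(, fgets( and obj->strcpy(.
CALL_RE = re.compile(r"(?<![\w.>])(" + "|".join(RISKY_CALLS) + r")\s*\(")


def _blank_comments_and_strings(src: str) -> str:
    """Replace comment and string-literal bodies with spaces, preserving newlines,
    so that line numbers in the result still match the original file."""
    out: List[str] = []
    i, n = 0, len(src)
    while i < n:
        two = src[i:i + 2]
        if two == "//":                       # line comment: blank to end of line
            while i < n and src[i] != "\n":
                out.append(" ")
                i += 1
        elif two == "/*":                     # block comment: blank, keep newlines
            out.append("  ")
            i += 2
            while i < n and src[i:i + 2] != "*/":
                out.append("\n" if src[i] == "\n" else " ")
                i += 1
            out.append("  ")
            i += 2
        elif src[i] in "\"'":                 # string/char literal: keep the quotes only
            quote = src[i]
            out.append(quote)
            i += 1
            while i < n and src[i] != quote:
                if src[i] == "\\" and i + 1 < n:   # skip escaped character
                    out.append("  ")
                    i += 2
                    continue
                out.append("\n" if src[i] == "\n" else " ")
                i += 1
            out.append(quote)
            i += 1
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def audit_c_source(src: str) -> List[Tuple[int, str, str]]:
    """Return (line number, function, suggested replacement) for each risky call."""
    cleaned = _blank_comments_and_strings(src)
    findings = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, name, RISKY_CALLS[name]))
    return findings


# Constructed sample: only lines 6 and 11 are real calls to listed functions.
SAMPLE_C = r"""#include <string.h>
#include <stdio.h>

/* strcpy(in_a_comment, x); must not be reported */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                    /* unbounded copy */
    printf("called strcpy(%s)\n", src);  /* call inside a string literal is ignored */
}

int read_line(char *buf) {
    return gets(buf) != NULL;
}

void safe_copy(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src);         /* bounded, not flagged */
    my_strcpy(dst, src);                 /* different identifier, not flagged */
}
"""

if __name__ == "__main__":
    for lineno, name, fix in audit_c_source(SAMPLE_C):
        print(f"line {lineno}: {name}() -> consider {fix}")
```

Running it on `SAMPLE_C` prints two findings (strcpy on line 6, gets on line 11); the comment on line 4 and the string on line 7 are correctly skipped, which is exactly where a bare grep produces noise.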

Last topic, Groo. A web front-end for aircrack. Basic automatic WEP hacking program running on a mini ITX box. Are people still using WEP??? Please stop.

20:30 CET
Banking Malware 101

Last one of the night for me. Gadi said this would be basic, but I’m not really a malware analyst, so nothing is too basic for me in this arena. Coverage of Nethell, Limbo (browser helper objects) and ZeuS (also referred to as Wsnpoem or Zbot); these all seem to work through control of the DOM. Some other minor types are discussed, but nothing in-depth. The example log files were interesting, but as Gadi said, nothing majorly new here. Moving into the second portion of the talk, “Finding Dropzones”, the typical solution of honeypots is proposed for this purpose. Closing out, some overview data was shown on the analysed malware, victim numbers and dropzone information, as well as some basic protections. Good overview in all, but nothing ground breaking. Status update. http://honeypot.org

Finishing up early for the day. Looking to chat to a few people and grab a little sleep tonight.
