Cатсн²² (in)sесuяitу / ChrisJohnRiley

Last day of the conference. Sorry to see it finish, but i’ll try and be back next year if I get the chance. The people here were so great, and I hope to stay in touch with as many as possible.

11:30 CET
Lightening Talks

E-Voting in Österreich
A quick overview of the planned e-voting scheme in Austria. Objections to the system and it’s links to a national ID card were raised.

Consumer B Gone
An overview of automatic locking wheels on shopping carts (yes supermarket ones). After reverse engineering the signal used to lock the wheels as they pass the boundary, they reproduced it. A fun demo using a mobile phone to play an mp3 and lock/unlock the wheel.

http://tmplab.org

Stop Software Patents
A bit of a rant on how software patents are wrong and unlawful. A bit of history on patent law and the debate on changing it to allow patents on software. 24th September is now world stop software patent day.

LBBroken
Details of the LandesBank Berlin data loss that happened earlier this month. 130,000 credit card numbers exposed.

WFESatellites
Workflow engine satellites -XML based protocol. An example of an AT&T WFE program was shown with documentation found in the Internet (google FTW). This document shows that the WFE includes a DMZ portion to minimise DMZ issues. This is achieved through simply forwarding the port to the secure network. No IP restrictions are in place, giving an attacker access to the internal LAN.

TBF to Brainf*ck
A quick overview of the esoteric brainf*ck programming language. The TBF is a compiler that compiles code to brainf*uck working code.

Slightly short on talks today due to some no shows. I’d love to have done a quick talk, but due to the circumstances I couldn’t release the details. Still, maybe next year.

12:45 CET
Predictable RNG in the vulnerable Debian OpenSSL package

I’ve seen the Debian PRNG problem discussed a few times, but what the hell. It was that or a talk on genetically modified food. The actual words from the OpenSSL dev team, when asked what effect commenting this line out would make, the reply was “not much”. Interesting review, but nothing to write home about. Demo of the problem were interesting to see.

14:00 CET
Wikileaks vs. The World

Brief overview of what Wikileaks stands for and aims to be. Wikileaks is a proof of concept that it works. Technical challenges – trusting other businesses to provide technology but also protect against possible compromise or censorship. After the congress last year Wikileaks had a major issue with a banks leaked documents. They attacked the only weak point and had the domain name revoked. This was short lived as a group of people helped to force the issue legally and the domain was moved. In the last year Wikileaks have released/hosted leaked Sarah Palin emails, the BNP (British Nationalist Party) member documents, BVOE, and T-systems. Some of the documents may be questionable however wikileaks cannot decide what is and is not relevant, else they will become a sensorship of shorts (which is what they fight against). The BNP documents alone resulted in over 2000 mainstream articles. Threats (mostly legal) have been made to try and force articles to be taken down. Documents on Kenya’s politcal assassinations were also made public (including names). Online archives of major newspapers are censored or removed. The only trusted source is the original printed version. Censorship in online content is all around us, and increasing. Many countries of the world have censorship lists already in place (whether public or private). As the number of media outlets shrink, censorship becomes easier to achieve. What about blogs ? These aren’t the cure to censorship. As individuals a blog owner isn’t able to stand up against legal or political pressure.

The service that wikileaks offers is in my mind invaluable. It’s good to know that somebody is policing the unpolicable. Documents and pictures supressed by governments, companies or other co-called news agencies can be made public through the wikileaks service.

15:15 CET
MD5 Considered Harmful Today “Creating a rogue CA certificte”

The first public exploit of the known weaknesses in MD5. Lots of research done on MD5, culminating in papers in 2004 and 2007 on theoretical attacks against MD5. However CA’s still use MD5 in the signing process. Cluster of 200 PS3’s to create the collision and perform that attack. Attack against all SSL based connections using the vulnerability in MD5 (not in SSL). Certificate revocation is a problem, as was seen with the Debian OpenSSL vulnerability. Some basic overview of how the certificate request process works, and the MD5 hashing process. Original MD5 hash collision was demonstrated in 2004. in 2007 this was improved upon to go beyond the 128 byte limit of the 2004 attack. Process is to create a collision on the “to be signed” section of the certificate. Get the certificate signed and use this on the other certificate using a different identity. Of 30,000 collected certificates, 9,000 of them were signed with MD5. 97% of these were issued by RapidSSL. RapidSSL were also an easy target due to the automated fashion of certificate creation. The time of certificate creation was easily calculated for use with the MD5 collision. Another factor was the certificate serial number (RapidSSL uses sequential numbers). Due to the length of time needed to recreate the MD5 collision (3 days) an estimate of the certificate serial number needs to be made (using statistical analysis and incrementing the number through certificate purchases). The certificate request then needs to be done at the exact time to meet with the time used in the create collision certificate. If the attack is sucessful an intermediary certificate authority was created. From this point you can sign your owns certs and they will be valid. Suceeded in creating the certificate on the 4th attempt. Cost of the certificates was only $657. The private key created in this talk will NOT be released (and was backdated so it expired in Aug 2004 anyway). This said not every software checks the certificate validation date. This certificate is not revocable as the certificate has a blank URL for revocation checking (nice feature). Even if revocation was possible Firefox 2.x and IE6 don’t check for revocation as default. EV (extended validation) certificates are immune to this attack vector as they are not allowed to use MD5 with these certificates. It’s estimated that with some optimisation this attack could be done in 1 day using the Amazon EC2 service at a cost of $2,000. If you disable current CA’s that sign with MD5 then 30% of SSL on the Internet would stop working. In a twist of the normal way things play out, both Microsoft and Mozilla were asked to sign NDA’s. Apparently both signed (although MS took a bit longer than Mozilla).

Breakdown… MD5 is and has been broken for a long time, move on use SHA-1 at least. The effected CA’s have been contacted to make this switch. The question outstanding is “Can we trust CA’s that have used MD5 to sign certificates in the past”. There is always a chance that somebody has already used this attack and we don’t know about it.

Publishing the theory and talking about it in papers wasn’t enough to prevent MD5 from being used. It took a valid, actionable attack and proof of concept to force the change. I can’t think of a better answer to the full-disclosure question. Sometimes you have to expose the security of a system to make it better. All the pieces are there to recreate this attack. The Internet is not broken….. Yet.

–> breakdown of attack available here: http://www.win.tue.nl/hashclash/rogue-ca/

Overall this has been a great conference… can’t wait for Hacking At Random next year.

It appears that the discussions about tomorrows 25C3 “Making the theoretical possible” talk by Alex Sotirov and Jake Appelbaum about critical infrastructure is reaching a peak. In a post on the Breakingpoint Systems blog, HD Moore talks about the possible repercussions of the talk and the research done to prove the attack. I’ll be at the talk tomorrow and hope to post some more information as it becomes available.

The blow is an excert from HD’s blog post .:

“First things first; the reason for secrecy. Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users. Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works. This process required interaction with a third party that will likely do whatever they can to save face once the details become public.

To prepare for the fallout, Alexander and Jacob have been working with a legal team to review their work and advise them on the best way to disclose the issue without finding themselves at the receiving end of a lawsuit.”

Looks like the last day of 25C3 will be a good one…. reserve your seats early 😉

It’s already day three, and it’s hard to think that tomorrow is the last day. If you’re around at the conference, and see a man with red hair (lots of them) and a laptop covered in OpenBSD fish, then come over and say hi. I don’t bite… well not on the first date anyway.

11:30 CET
Running Your own GSM Network

Usual disclaimers… don’t try this at home. Something about it being illegal 😉 GSM documentation is all available online (except the encryption details). Lots and lots of documents (1,108 PDF’s). Parallels are drawn between the GSM and ISDN protocols. I never knew that GSM was based on original ISDN protocols. Some very good information here on how the protocols fit together. If you’re into GSM then this is information you will definitely want to see. Lots of hardware information on the Siemens BS-11, but interesting for anybody into mobile networks. Some testing at 25C3 shows it’s possible to skim peoples IMEI numbers, as well as checking which country people originate from. Not sure if this is based on the SIM country, or the phone country. Interesting attack vectors though. The demo was fun, too many people in the audience attaching to the network made things a little tricky. This work doesn’t yet allow true MitM attacks, but a MitM style attack could be done on a user in range of the Fake network and then routing it across an ISDN line to the original destination.

Source code for the GSM full-rate codec is online at http://kbs.cs.tu-berlin.de/~jutta/toast.html

14:00 CET
An Introduction to new Stream Cipher Designs

This talk covered new algorithms for fast data encryption, in particular stream ciphers. The talk is based on information from the eStream project (part of the ECRYPT project). Although there was no groundbreaking stuff here, it was interesting to see the pro’s and con’s of what is currently in use (sich as RC4, AES-CTR, etc..) Some indepth overviews of the ciphers entered into the ECRYPT project was given. Mention of the new Cube Attacks released by Dinur and Shamir at this years CRYPTO 2008 conference. Is this attack method usable on existing hardware ciphers ? Finishing off discussion on the NIST Hash Function Competition was made. Currently 17 of the 64 proposal ciphers have been broken. Final decision is expected in Q2 2012. So nothing to be looking forward to for next year 😉 if in doubt, stick with AES(-CTR).

Checkout the eStream project at http://ecrypt.eu.org/stream/

16:00 CET
Hacking Botnets/Squeezing Attack Traces

Unfortunately, due to a serious case of the FAIL, my notes for this and all subsequent talks was lost. This just goes to show that I really need to get a decent netbook and never use my blackberry ever again

So, from memory. The analysis of the Storm worm was until now based purely on running in a virtual environment and tracking the traffic to see what occurs. However the team presenting have taken this a step further and reversed the code used to examine how the underlying bot works. The Storm bot is based on DHT traffic as used by eDonkey and other peer 2 peer sharing programs. By changing the traffic slightly, it was possible to use the same communications but avoid being intercepted by other eDonkey users using DHT. By reversing the code it was possible to find the hash codes used in the DHT communication and effectivly hijack the Storm botnet. A demo was given based on this attack method, showing that you can fool an infected Storm zombie into running code from a fake C&C. Although at the height of it’s rampage the Storm bot had over 1 million zombies, the number is thought to be around 100,000 at present. With this research it may be possible to take over the whole botnet and force the infected machines to run disinfection code. However the researchers are naturally not allowed legally to do this. Some of the code developed will be released in the coming weeks, but not all of it due to Germany’s 202C anti-hacking laws

18:30 CET
SWF and the Malware Tragedy

Where to start. I think the best reaction I had to this was that it was interesting research, but nady presented. Using statistical analysis it was possible to diagram similarities in malicious SWF files. However personally I’d like to have seen charting of both malicious and non-malicious SWF’s to see if this method could be used in IDS/IPS typ protections. Other than that, the talk wasn’t anything to call home about

20:30 CET
Methods for understanding targeted attacks with Office Documents

It was good to see a Microsoft employee talking at this kind of conference. He gave props to the OpenOffice team for a variety of things, and it made for a fun presentation. Any presenter that can describe things with “bla bla bla” is a winner in my book. Plus the parting words of “I’ve never seen so man mac users in one place before” just made my day. I should have asked him to say “I’m a pc” just once for the camera. That aside, content of the presentation was good. Overview of the new Office 2007 XML based files was very interesting. Especially as I’ve just seen Larry’s Pauldotcom video on Office 2007 Metadata. The file is a filesystem in a file, allowing for more than just a single piece of data. A majority of attacks are now also resulting in a valid document being loaded instead of a typical crash in office that we were seeing some years back. This leaves very little evidence that you’ve been exploited at all. Demo on exploitation was good, but I’d love to have seen some more code.

21:45 CET
Cisco IOS attack and defense

Packed out presentation, and who can blame the people. Lots of good information here. Mostly concentrated in Cisco as they hold 92% of the router market, and Juniper (second in line) is just FreeBSD under the hood. All processes share the same HEAP in IOS, making it easy to overwrite other processes memory. There are over 100,000 different IOS images (15,000 supported by Cisco) making reliable exploitation hard to achieve. This variation in IOS gives a poor mans ASLR (Address Space Layout Randomisation) so makes things hard. However as with ASLR, return to libC style attacks still do the trick. However in IOS this means writing code to the now unused ROMMON location and going from there. Some information was given on IOS forensics and memory dumps. Hard to get working, but once it is, you can get lots of information. As different memory locations are used for small, medium, large packets, older packets can still be found in memory and are not overwritten in a reliable way. This leads to good forensic ability, as you can read the packets straight from a RAM dump and output them into a PCAP format. A simple demo was performed using a malformed ping packet to display text in the router screen. However this was enough to prove the attack vector.

—————-

Tonight is the bloggers/security-twits meetup outside the BCC (by the rocket) at 24:00. I’ll be there, hope to see you there too 😉