Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


25C3 Day Two

Well, day two has begun. Surprisingly, getting up wasn’t a big problem. Still, I’m sure that’ll change over the next few days.

11:30 CET
Lightning talks
I’ll not cover all talks here, as the point of these lightning talks is that they’re not all interesting for you. A couple of interesting ones:

Anamos
An encrypted bit-torrent – the presentation was a little paranoid but made valid points on the unencrypted and dangerous nature of (certain) bit-torrent use. If you’re interested, check out http://anamos.info

GPF Crypto Chip
Like an OpenPGP card, but in USB form. This allows PGP keys to be in an easy USB interface. Currently in the final phase of planning prior to limited hardware rollout (circa 30 EUR per piece). The hardware specs and plans are open source and full specs will be released soon. Version 2 with RSA support (up to 2048) is forthcoming. http://www.privacyfoundation.de

OLSR-NG
Mesh networking update from last year. Advances in speed and routing improvements.

CERT.at Botnets
CERT.at gave a quick breakdown of a USB based bot discovered (and monitored) by the team. The malware team at CERT.at appears to be growing. As I’m based in Austria I’ll try and catch up with the speaker later for a chat. Some coverage of the DNS vuln on Austrian DNS traffic. Interesting metrics.

Hackable Devices
A quick overview of hardware that can be hacked (mostly to run Linux). Openmoko Freerunner running Debian, Linksys routers, Sharp Zaurus etc… Interesting list, but nothing that new here. http://www.hackable1.org

Last talk of the morning was a no show. I guess nerves got him 😉

12:45 CET
Full-Disk Encryption crash course

A good intro to how full disk encryption really works under the hood. Good information on the Windows hooks and the NT loader using int 13h to interface. It’s interesting to learn about the various programs’ support for TPM chips. Looks like most companies aren’t using the TPM for storing the cryptographic keys, which is a little lazy. Good coverage of TrueCrypt volume headers, and how it implements decoy operating systems and hidden volumes. Limitations of TrueCrypt in an enterprise, such as lack of key and user management. There will be a workshop tomorrow at 19:00 (A03) for those at the BCC.

14:00 CET
Attacking Rich Internet Applications

DOM based XSS, filter evasion, and some specific coverage on Firefox / Opera issues. This talk takes Amit Klein’s original attack premise and takes it one step further than simple XSS code execution: using CSS injection to read and forward page data to an external source. This is a perfect way to bypass one-time tokens used against CSRF vulnerabilities. The explanation expects a certain amount of user knowledge, so I’ll be reviewing the stream when I get a chance. Pity some of the browser exploits are patched, for old versions (i.e. Firefox 2.x only) or for browsers that nobody uses (Chrome or Opera). Nice live demo of XSS’ing OWASP and Google 😉 check out the video if you get a chance.

16:00 CET
Vulnerability Discovery in Closed Source PHP Applications

Why do companies make closed source PHP applications? To cover IP violations was on the list (laughable, but probably very true). How can you check your application is secure if you can’t audit the code? Standard white/grey box methods are not possible on closed source (usually). Encrypted PHP through something like Zend Guard and into PHP bytecode (not obfuscated PHP, as this is easily bypassed). Newer methods of encryption also execute the code directly to avoid seeing the PHP code at execution (anti-hooking techniques). The talk goes into some detail on PHP bytecode. If you’re a PHP developer then this is probably interesting to learn about; however, if you’re not deep into PHP, then things are likely to make little sense. Still, this is something I need to concentrate more time on over the next few months. Q1 2009 is IPv6 and Web-App testing period for me.

17:15 CET
Lockpicking Workshop

As the TCP DoS talk was packed out (it’s only a Denial of Service, right?), I headed down to the Lockpicking workshop for a quick check. Lots of people playing with handcuffs… sounds kinky, but I think you’ve got the wrong idea.

18:30 CET
Short Attention Span Security

All content at awgh.org

A compilation of short 5-7 minute talks about random hacks.

The first part covered using badly programmed password reset through email. Some references to Sarah Palin here, all in good humor. Mailinator scripts to scrape password reset mails straight from the site.

Next on the agenda, BIOS rootkits. Attacks on hardware appear to be on the rise (USB picture frames, and Catalysts sold on eBay with malicious BIOS installed). Exploit code can be inserted into the PCI option ROM. EFI BIOSes seem to make things easier on many fronts. With built in support for PXE, TCP/IP and filesystems (as well as a development kit), things will become easier to attack on EFI machines. Mainboards supporting EFI BIOS will be taking over in 2009. TPM won’t help currently against this attack vector (due to the range of possible PCI option ROMs).

A short couple of slides on bypassing Microsoft’s anti-XSS ISAPI filter. Fixed in the latest release (responsible disclosure).

Topic change, Script Injection in Flex. Solved in IE8, as long as the remote server sets the response header X-Download-Options: noopen (which turns off the Open option on this link). A laughable solution.

C/C++ code auditing. Grep’ing for strcpy 😉 Using GCC Dehydra to do static analysis through the SpiderMonkey JavaScript engine. The project is in need of common scripts for checking.
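The "grep for strcpy" first pass mentioned above, as an added example that is not code from the original post nor from the Dehydra project: a small scanner over C source that, unlike a plain grep, blanks out comments and string literals first so that a mention of strcpy inside a comment or a printf format string is not reported as a call site. The list of unsafe functions and the sample C file are constructed for the example.

```python
"""Added example: a comment- and string-aware grep for unsafe libc calls in C.

Not part of the original post or of GCC Dehydra; the function list and the
sample source below are constructed for illustration.
"""
import re

# Constructed list of unbounded libc calls worth flagging in a first-pass audit.
UNSAFE_CALLS = {
    "strcpy": "use strncpy/strlcpy with an explicit bound",
    "strcat": "use strncat/strlcat with an explicit bound",
    "sprintf": "use snprintf with the destination size",
    "gets": "never safe; use fgets",
}

# Matches a real call site: identifier followed by '(' (whitespace allowed).
CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")


def strip_comments_and_strings(src: str) -> str:
    """Replace comments and string/char literals with spaces of equal length.

    Newlines are preserved so that line numbers in the result match the input.
    """
    out = []
    i, n = 0, len(src)
    while i < n:
        two = src[i:i + 2]
        if two == "//":                        # line comment: blank to end of line
            while i < n and src[i] != "\n":
                out.append(" ")
                i += 1
        elif two == "/*":                      # block comment: blank, keep newlines
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.extend(c if c == "\n" else " " for c in src[i:end])
            i = end
        elif src[i] in "\"'":                  # string or char literal
            quote = src[i]
            out.append(" ")
            i += 1
            while i < n and src[i] != quote:
                if src[i] == "\\" and i + 1 < n:   # skip escaped character
                    out.append(" ")
                    i += 1
                out.append("\n" if src[i] == "\n" else " ")
                i += 1
            if i < n:                          # closing quote
                out.append(" ")
                i += 1
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def find_unsafe_calls(src: str):
    """Return [(line_number, function_name, advice)] for every unsafe call site."""
    findings = []
    cleaned = strip_comments_and_strings(src)
    for lineno, line in enumerate(cleaned.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, name, UNSAFE_CALLS[name]))
    return findings


# Constructed sample: two real call sites, plus decoys in a comment and a string.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

/* strcpy() mentioned in a comment must not be reported */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);            /* line 7: unbounded copy */
    printf("strcpy(%s)\n", dst); /* the word inside the string is not a call */
}

int read_line(char *buf) {
    return gets(buf) != NULL;    // line 12: gets is never safe
}
'''

if __name__ == "__main__":
    for lineno, name, advice in find_unsafe_calls(SAMPLE_C):
        print(f"line {lineno}: {name}() -> {advice}")
```

Run stand-alone it reports only lines 7 and 12 of the sample; the decoys in the comment on line 5 and the format string on line 8 are dropped, which is exactly the noise a raw grep produces. The state machine is deliberately simple (no preprocessor handling, no trigraphs), so treat its output as a worklist for manual review, not as a verdict.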

Last topic, Groo. A web front-end for aircrack. Basic automatic WEP hacking program running on a Mini-ITX box. Are people still using WEP??? Please stop.

20:30 CET
Banking Malware 101

Last one of the night for me. Gadi said this would be basic, but I’m not really a malware analyst, so nothing is too basic for me in this arena. Coverage of Nethell, Limbo (browser helper objects) and ZeuS (also referred to as Wsnpoem or Zbot); these all seem to work through control of the DOM. Some other minor types are discussed, but nothing in-depth. The example log files were interesting, but as Gadi said, nothing majorly new here. Moving into the second portion of the talk, “Finding Dropzones”, the typical solution of honeypots is proposed for this purpose. Closing out, some overview data was shown on the analysed malware, victim numbers and dropzone information, as well as some basic protections. Good overview in all, but nothing groundbreaking. Status update. http://honeypot.org

Finishing up early for the day. Looking to chat to a few people and grab a little sleep tonight.

25C3 Day One

It’s not often that I get up at 3:30am for anything. Sure, I go to bed at 3:30am, but getting up is a whole different thing. Still, today I found myself actually wanting to get up early so my kind (and generous) girlfriend could drive me and a work colleague to Vienna. A short flight (too short to do much on) and we’re in Berlin for day one of the 25C3.

11:00 CET
Arrival at BCC

Due to some late running (hotel issues) the opening ceremony was missed. However, I managed to catch the Datenpannen talk, covering some of the data breaches in the last 12 months (Germany centric). Interesting, the numbers and the lack of overall media coverage on non-US breaches. Still, I guess that’s what happens when you don’t have data breach laws that say you need to announce the details. One of the breaches mentioned netted 21 million records (that’s 3 in every 4 people in the country). Sad fact is, the timescale of the breach covers my time living in Munich, so I guess my information is once again out there. Like the constant British government data breaches (or data losses, as they tend to be) weren’t already enough. Time to grab some food and take a look around at the BCC and where things are.

14:00 CET
The Security Failures in Smart Card Payment Systems

The talk was better than I expected. Also a little different, as I was hoping for something a bit more in-depth on the software/backend side of the system. After all, that’s the kind of thing I work with. Still, the hardware system looks like it’s worth a look. The way the banks lay down all the rules themselves and have the ability to decide who is to blame for fraudulent transactions is scary. I think some more regulation and emphasis on the banks being liable would really increase the security in this area. After all, why would banks spend thousands on securing terminals if they can just blame the user if things go wrong? They are the judge, jury and executioner in this area at the moment.

16:00 CET
On the Individuality of Active and Passive Devices

As hackerspaces and wearable computing weren’t high on my agenda (although wearables are the height of cool), I attended the surprise easter egg talk On the Individuality of Active and Passive Devices. I say it’s an easter egg, as it wasn’t listed on the Fahrplan and was only briefly announced in one other session as happening. Still, the room was quite full. I guess that will be the theme for the conference. The talk covered the basics of device biometrics, and the methods used to differentiate between communications based on differences in the components used. The components mentioned aren’t so much different wireless cards (as an example) but the same card type, version and driver with different physical components (resistors, for example, vary even within a batch used by a single manufacturer). Examples were given for wireless devices as well as RFID. The information was very interesting, and the results are undeniable, but I can’t see it being useful in a real life scenario, at least not in the current day and age. Discussion of using this kind of device biometrics to prevent access by foreign devices (i.e. attackers) seems a little premature considering the external influences that could affect results. The level of accuracy would have to be very high to avoid device impersonation. The level of matching would then lead to false negatives (approved devices failing to gain access), or an easy denial of service by broadcasting interference and therefore knocking all users off the network. Then again, DoSing a wireless LAN isn’t exactly hard at current standards anyway. Still, this is interesting stuff. The RFID concept was a little more out there. Let’s just say that the antenna polarity is an issue, frequency has to be exact (yes, I do mean exact), oh and no metal please. Wood was used in the test for all mountings. I guess maybe this part needs some more work before going mainstream. Overall though, it’s something to keep an eye on for the future. Far future…

17:15 CET
Just Estonia and Georgia?

Next up was more on the Estonia incident handling, this time with some of the Georgia attacks mixed in to keep things current. I’ve seen the previous presentations by Gadi Evron on the Estonian incident, but the presentation mixed in some new topics not raised previously. Sometimes it’s easy to forget about the poor people who have to deal with the ISP abuse emails on a daily basis. I can only imagine the pain they feel. The biggest game of whack-a-mole ever 😉 Find a botnet C&C, whack it, repeat. Who really controls and polices the inter-tubes? I think somebody said Paul Vixie, but I could be wrong. Interaction between ISPs in different locations around the world; language issues are an issue. It’s not always what you know, but who you know (and can speak with). The major trend appears to be, and will remain, communicating the problem. The technology and talent is there, but the communication infrastructure to get things cleaned up fast just isn’t where it needs to be. How much quicker could we take malicious links down if the right people knew at the right time? McColo, Intercage and ESTdomains were mentioned. If I can get some time with Gadi later I’ll ask him his opinion on the ESTdomains removal. I still think that this was a hollow victory personally. No real solutions here, just clarification of the issues.

18:30 CET
Chip Reverse Engineering

The place was packed for this one. A little light on technical detail, but an interesting look at how hardware reverse engineering is done. I knew the basics, but actually seeing the slides and progress makes things a little clearer. Maybe next year it’ll move beyond how to get a diagram of the gates and onto what to do as a next step in breaking the crypto, or finding flaws that could be used for the next generation of hardware rootkits. Or maybe that’s something we’ll have to figure out on our own.

20:30 CET
Hacking the iPhone

You know this one is going to be popular. It’s in the larger of the 3 rooms and at 20:00 it’s already looking packed out. Still, a few seats were left near the front, so time to sit for a few minutes and figure out the hibernation problems with my laptop. uswsusp to the rescue 😉 Although interesting on many different levels, the talk dragged a bit. The overview of how the 1st gen and 2nd gen differ from a hacking standpoint was interesting to learn. Exploitation in the chain of trust allowed for almost total compromise of the iPhone. However, Apple are learning and each new version of the iPhone corrects previous blunders. Give it about 5 years (4th gen iPhone???) and maybe people will have to up their game to get total ownership of the device… which is sad. Why do companies have such a hard time accepting that if we pay for the device (and we do) it should do what we want and not ONLY what they allow? In this race, they’ll always lose.

21:45 CET
Locating Mobile Phones Using SS7

I’ll be the first to admit that I know almost nothing about mobile phone technology. This includes GSM and SS7. So this talk was something I really wanted to attend, to improve my knowledge in this area as much as possible. That is, if I can see through the crowd. I think maybe next year CCC is going to need some more room. From what I heard this technique was very interesting. I’ll have to review later to get the full extent of the content, however.

23:00 CET
Why were we so vulnerable to the DNS Vulnerability?

I had to go to Dan’s talk. After not seeing it on the first Fahrplan, it’s good to see Dan back in Berlin. It’s late, so the question is, how drunk is Dan already 😉 Nice to see the presentation has been totally changed since the Blackhat/Defcon one. Dan even seems sober, as there was no mention of drinking throughout the presentation. The content was greatly changed from the BH/DC one and is a must for people looking for some more info on “What’s next and why did this happen”.

Word from Nick Farr is that the Congress is totally sold out… Not sure if this is a first, but it certainly feels sold out to me 😉 Managed to grab a few drinks with Security4All and a few others (sorry, bad with names/faces). Fun to the max. Tomorrow is another day, however.