Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: plumbercon

NinjaCon round-up

I had a great time this past weekend in Vienna attending NinjaCon (formerly known as PlumberCon). Alongside a whole pile of interesting presentations, there was a great deal going on alongside the main talks. Day 0 included a number of workshops including one covering penetration testing. It was interesting to sit in and talk to others in Vienna interested in the topic. It was unfortunate that Joe McCray was unable to run the training, but Oliver from ERNW stepped in to save the day, and had some good tips to offer.

As usual I was “speed blogging” from the event, so there are a few blog posts covering the main points of the talks I attended. I hope you find them entertaining, and at least mildly useful. The talks were streamed live and recorded, so if you get the chance to see the video or view the slides of these presentations I’m sure you’ll appreciate them.

My good friend fish_ (no jokes about chips please), took some great panoramic photos at the conference and was nice enough to let me post a couple here. WerkzeugH is a great venue, so even these pictures don’t do it full justice. Extra points if you can spot me in either picture!

Here’s to NinjaCon 2011…. bigger, better… more Ninja than ever before!

Day 1 :

Day 2 :

[Plumbercon/Ninjacon] How to stay invisible (still using cellphones)

How to stay invisible (still using cellphones)



It is a well known fact that cell phones are the most common way of pinpointing identity, to position and set up a social diagram of an individual under investigation. In this talk, we will learn how to position cell phones using SMS-submit messages from an SMSC and how to position cell-IDs using a phone. These are known methods of positioning. Also, the audience will gain knowledge on how to stay anonymous and avoid getting your MSISDN (cell phone number) identified in the first place. ETSI standards of lawful interception tell half the story on how IMEI, IMSI and MSISDN are logged and tracked together with a position to find out your location. You will learn how to change an IMEI number on your phone as you change IMSI by switching between different low-cost prepaid SIM cards to be able to fly under the radar.

GSM Phone Privacy

7 Attacks that everybody could perform against GSM

ETSI Lawful Interception

The standard itself is not public, but a working draft can be found at http://eu.sabotage.org

Establishes a form for Lawful Interception requests. The 4 main pieces of information that can be requested are :

  • IMSI (Unique SIM identifier)
  • IMEI (Mobile Phone manufacturer, model, and unique identifier)
  • Time

ICCID is made up of 5 parts: System code, MCC, MNC, Subscriber number, check digit

In some cases (such as the recent AT&T hack) it’s possible to transform the ICCID information into an IMSI number.
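
The five-part ICCID layout above is easy to get wrong when an identifier is copied into a request or an inventory, so here is an added example (my own code, not from the talk) that splits an ICCID into the parts named above and validates the trailing check digit, which is a Luhn digit (ITU-T E.118). The widths of the country and issuer fields are not fixed, so they are parameters; the defaults and the sample ICCID are constructed, and the talk's labels "MCC"/"MNC" are kept even though E.118 calls those fields the country code and issuer identifier. It deliberately does not attempt any ICCID-to-IMSI mapping.

```python
"""Parse and validate an ICCID as printed on a SIM card (added example, not from the talk)."""

ICCID_SYSTEM_CODE = "89"  # ITU-T E.118: "89" marks the telecommunications industry


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit that would be appended to `payload`."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct Luhn check digit."""
    return len(number) >= 2 and number[-1] == luhn_check_digit(number[:-1])


def parse_iccid(iccid: str, cc_len: int = 2, issuer_len: int = 2) -> dict:
    """Split an ICCID into the five parts named in the talk.

    The widths of the country and issuer fields vary by issuer, so the caller
    supplies them; the defaults (2 + 2) are an assumption, not a rule.
    """
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or not 18 <= len(digits) <= 20:
        raise ValueError("ICCID must be 18-20 digits (19 is the common length)")
    if not digits.startswith(ICCID_SYSTEM_CODE):
        raise ValueError("ICCID must start with system code 89")
    if not luhn_valid(digits):
        raise ValueError("Luhn check digit mismatch: typo or made-up ICCID")
    body = digits[len(ICCID_SYSTEM_CODE):-1]
    return {
        "system_code": ICCID_SYSTEM_CODE,
        "mcc": body[:cc_len],                      # E.118: country code
        "mnc": body[cc_len:cc_len + issuer_len],   # E.118: issuer identifier
        "subscriber": body[cc_len + issuer_len:],  # individual account number
        "check_digit": digits[-1],
    }


# Constructed sample: payload 894301000012345678 plus its Luhn digit 3.
SAMPLE_ICCID = "8943 0100 0012 3456 783"

if __name__ == "__main__":
    print(parse_iccid(SAMPLE_ICCID))
    print(luhn_valid("8943010000123456784"))  # one digit changed -> False
```

A single mistyped digit fails the Luhn check, which is exactly the class of error that turns up when identifiers are transcribed by hand from a SIM or a request form.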

ETSI LI SMS Interception

Normally the agency performing the interception will receive copies of all SMS sent and received. This however isn’t always possible when the phone is roaming. Arrangements are not in place between countries to share this kind of LI information.

HLR (Home Location Register) Lookups

As presented at CCC in recent years, it’s possible to track a user using a number of online services. These services charge less than €10 for a tracking lookup.

One possible service is http://routomessaging.com/

IMSI and IMEI Database

IMSI and IMEI information get associated and stored in a database. Switching SIMs isn’t enough: once an IMSI and IMEI are linked, the phone can be tracked even when a new SIM is put into it. Changing both the SIM and the phone is one method of defeating this, unless you can change the IMEI on the phone.

Nokia had a tool to change the IMEI and other settings on older phones (3310). This isn’t always legal however. Check your local laws.

Sim Card scanning/cloning

Older attack (used by Mitnick, way back).

SIM card cracking/scanning is used to create a SIM card clone.

SIM card clones can be used in regular handsets.

Operator settings are exposed (and can be modified in the clone).

Older SIM cards are prone to this attack using tools like SIMeasy.

You can crack the encryption and write the cloned SIM card information to wafer cards (Phoenix or Smartmouse).

If you clone a SIM, the last handset to register on the network gets the incoming calls; the other is ignored.

Prepaid SIM cards

Some operators need to see ID (and photocopy the ID) before selling a SIM. This ID can then be provided to any agency when requested.

50% of all SIM cards are pre-paid

Hacked Firmware

Nokia 3310 hacked firmware (Nokia 3310 spyphone).

When activated, the phone will accept any inbound call without notifying the user. This could be used to spy on people and record conversations. As the firmware is available on Rapidshare, it can be modified for other uses.

UAE LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm

The UAE also rolled out a hacked Blackberry firmware that caused issues on people’s Blackberry phones.

Hijacking Mobile Data Connections

Changing the http proxy settings of a user. See http://www.mseclab.com/?p=146

Use IMSI to figure out the operator and correct settings

Possible methods of deployment

  • OTA – Over The Air provisioning
  • iPhone .mobileconfig
  • Possible on Android also
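
The iPhone route above works because a .mobileconfig profile is just a property list, so the proxy settings it pushes are visible to anyone who opens it before installing. The following is an added example of my own (not code from the talk or from mseclab) that audits a profile for traffic-redirecting payloads. It relies on Apple's Global HTTP Proxy payload type `com.apple.proxy.http.global` and the older APN payload type `com.apple.apn.managed`; the key names it matches and the sample profile are assumptions/constructed for the example, and it refuses CMS-signed profiles (DER blobs) rather than guessing at their contents.

```python
"""Audit an iPhone .mobileconfig profile for payloads that redirect traffic (added example)."""
import plistlib

# Payload types that change how a device's traffic is routed: Apple's Global HTTP
# Proxy payload and the older APN payload, whose per-APN entries carry proxy/port
# settings. Treat the list (and the key matching below) as an assumption to extend.
TRAFFIC_PAYLOAD_TYPES = {"com.apple.proxy.http.global", "com.apple.apn.managed"}


def is_plain_plist(data: bytes) -> bool:
    """A signed .mobileconfig is a CMS/DER blob, not a bare plist; those need
    unwrapping (e.g. openssl smime -verify) before they can be inspected."""
    head = data.lstrip()[:8]
    return head.startswith(b"<?xml") or head.startswith(b"bplist")


def _walk(obj, path=""):
    """Yield (path, key, value) for every dict entry, recursing into nested data."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}/{key}" if path else key
            yield here, key, value
            yield from _walk(value, here)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")


def find_proxy_settings(data: bytes) -> list:
    """Return (payload_type, key_path, value) for every proxy-related key in the profile."""
    if not is_plain_plist(data):
        raise ValueError("not a plain plist; unwrap the CMS signature first")
    profile = plistlib.loads(data)
    hits = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<unknown>")
        for here, key, value in _walk(payload):
            if "proxy" in key.lower():  # ProxyServer, ProxyServerPort, ProxyPACURL, ...
                hits.append((ptype, here, value))
    return hits


def audit(data: bytes) -> list:
    """Human-readable findings: flagged payload types plus each proxy setting found."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<unknown>")
        if ptype in TRAFFIC_PAYLOAD_TYPES:
            findings.append(f"{ptype}: payload can re-route device traffic")
    for ptype, here, value in find_proxy_settings(data):
        findings.append(f"{ptype} {here} = {value!r}")
    return findings


# Constructed sample resembling a "carrier settings" profile that silently points
# all HTTP traffic at a chosen proxy (hostnames use the reserved .invalid TLD).
CONSTRUCTED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>invalid.example.carrier</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>invalid.example.carrier.proxy</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_PROFILE):
        print(finding)
```

The same walk catches proxy keys buried inside nested APN dictionaries, which is where a carrier-settings-style profile would hide them; a profile that arrives as a signed blob is reported as such instead of being passed as clean.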

Protecting yourself – Solutions

Make your own rules

  • Who are you giving your number to?
    • They can track you
  • When do you change your IMSI/IMEI?
    • You need to change them at the same time to avoid a trail
  • What number do you give to your mother?
    • Easy to find a link between your family and you using simple checks

Giving out your number is giving out your location

Acceptance of updates may lead to data eavesdropping

Pre-paid cards from abroad make things more complex for legal interception

Links :


  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/50
  • UAE LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm
  • ETSI Lawful Interception –> http://eu.sabotage.org
  • Hacking Mobile Data Connections –> http://www.mseclab.com/?p=146
  • HLR Lookups –> http://routomessaging.com/
  • http://routomessaging.com/SMS-services/sms-hlrlookup.pmx
[Plumbercon/Ninjacon] Visualization for IT-Security

Visualization for IT-Security

L. Aaron Kaplan


This talk will present visualization techniques for IT-security events and incidents.

Conficker demonstrated that sinkholing botnets and logging relevant IT-security events on a massive scale is a powerful weapon for mitigation and remediation. However, naturally these data collections quickly grow to sizes too large to understand or handle. Visualization can prove to be an invaluable tool for the IT security handler to gain insights into the dimensions of a problem as well as for management and even politicians.

Therefore this presentation will show – based on a concrete example – how we can extract understandable information out of a multitude of data sources. The concrete example will deal with DNS, DNScap and NFSen/NFDump visualizations. Since DNS is a hidden treasure box for IT Security and since DNS requests can hint to lots of problems (misconfiguration as well as abuse), visualizing DNS is in our opinion a promising fresh approach.

Finally, a list of practical tools will be presented, which participants can use in their own organizations and thus improve their own incident handling.

Talk from the recent FIRST.org conference in Miami, FL

“This talk is about making nice pictures….. and why we need that”

Last year CERT.AT did some work on tracking Conficker by sinkholing traffic heading to certain .AT domains and tracking it. The information was easy to gather, but the visualizations presented were something people thought was amazing.

Google Spreadsheets now offers visualization tools to track and display information over time.


“A picture is worth 1000 log records” (R. Marty)

We have too much data: an information explosion.

Visualization can explain it all to your Grandpa/father/mother/partner…

Target Groups

  • Users
  • Management, Sales, Politicians
  • Operational Staff
  • Researchers

These groups have different needs depending on what they need to do with the information.

Visualization isn’t new however. Otto Neurath was doing it long before most of us were alive.

There’s not enough of this kind of visualization going on. Things need to improve.


  • Graphviz
  • Maxmind GeoIP
  • Logster
  • Gapminder (Google Gadget)
  • Google Earth
    • Import XML data to show placemarks
  • Unix Filters
    • (cut, sort, uniq -c, sort, gnuplot)
  • processing.org
  • DAVIX CD

Sometimes a simple line graph shows nothing but a few large spikes. Using other visualization techniques helps to show the full picture.

Do more visualization!
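
The Unix-filter pipeline in the tool list (cut, sort, uniq -c, sort, gnuplot) is the whole data-preparation step for the sinkhole charts described above. As an added example of my own (not CERT.AT's tooling), here is that reduction written out in Python over a constructed DNS query log: the most-queried names, distinct clients per hour for a time-line chart, the set of clients that resolved a sinkholed name (the likely-infected hosts), and a two-column text file gnuplot can plot directly. The log format and the sinkhole names are assumptions for the example.

```python
"""Reduce a DNS query log to the numbers a chart is drawn from (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample log: "<timestamp> <client> <qname> <qtype>", one query per line.
# Two names stand in for sinkholed botnet domains; addresses are from the
# 192.0.2.0/24 documentation range. None of this is real traffic.
SAMPLE_LOG = """\
2010-06-05T10:00:01 192.0.2.10 www.example.invalid A
2010-06-05T10:00:05 192.0.2.11 sinkhole-a.invalid A
2010-06-05T10:02:14 192.0.2.12 sinkhole-a.invalid A
2010-06-05T10:04:00 192.0.2.10 sinkhole-b.invalid A
2010-06-05T11:00:30 192.0.2.13 sinkhole-a.invalid A
2010-06-05T11:01:00 192.0.2.13 sinkhole-a.invalid A
2010-06-05T11:05:00 192.0.2.14 mail.example.invalid MX
2010-06-05T12:00:00 192.0.2.10 sinkhole-a.invalid A
"""

SINKHOLES = {"sinkhole-a.invalid", "sinkhole-b.invalid"}  # assumed sinkholed names

# Captures the hour (YYYY-MM-DDTHH) so queries bucket by hour without date parsing.
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d (\S+) (\S+) (\S+)$")


def parse(log: str):
    """Yield (hour, client, qname, qtype); malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip("."), m.group(4)


def top_names(log: str, n: int = 5) -> list:
    """Equivalent of `cut | sort | uniq -c | sort -rn | head`: most-queried names."""
    return Counter(qname for _, _, qname, _ in parse(log)).most_common(n)


def unique_clients_per_hour(log: str) -> dict:
    """Distinct querying clients per hour: the series behind a time-line chart."""
    seen = defaultdict(set)
    for hour, client, _, _ in parse(log):
        seen[hour].add(client)
    return {hour: len(clients) for hour, clients in sorted(seen.items())}


def sinkhole_clients(log: str, sinkhole_names: set) -> set:
    """Clients that resolved a sinkholed name, i.e. the hosts worth notifying."""
    return {client for _, client, qname, _ in parse(log) if qname in sinkhole_names}


def gnuplot_data(series: dict) -> str:
    """Two-column whitespace-separated text that `plot 'file' using 1:2` reads."""
    return "\n".join(f"{key} {value}" for key, value in series.items())


if __name__ == "__main__":
    print(top_names(SAMPLE_LOG, 3))
    print(gnuplot_data(unique_clients_per_hour(SAMPLE_LOG)))
    print(sorted(sinkhole_clients(SAMPLE_LOG, SINKHOLES)))
```

Counting distinct clients rather than raw queries is what keeps one chatty host from producing the misleading spike mentioned above; the same functions run unchanged over a dnscap text dump once the line regex is adjusted to its format.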

Links :


  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
  • CERT.AT –> http://cert.at
  • Otto Neurath –> http://en.wikipedia.org/wiki/Otto_Neurath
  • ISOTYPE –> http://en.wikipedia.org/wiki/Isotype
  • processing.org –> http://processing.org
  • DAVIX –> http://www.secviz.org/node/89
[Plumbercon/Ninjacon] CSN.OR.AT Community Sense Net – Honeypot+

CSN.OR.AT Community Sense Net – Honeypot+

Florian Eichelberger


Since Clifford Stoll created the first honeypots in 1989 to safely investigate attacks on computer systems, honeypots have been all around. Although they have been refined and extended, fundamental problems in either attack coverage or visual representation have been plaguing those systems. CSN.OR.AT was an ISPA funded project to address those two issues and provide the necessary information and software to build the honeypot+ discussed in this talk.

The project has now been renamed Honeypot++

The project was started and sponsored by ISPA (Internet Service Providers Austria)

The project tries to be more user friendly and business friendly, using open-source reporting engines to allow for a more graphical representation of the information.

The infrastructure uses a VPN to communicate back from the honeypot to a central station.

100% based on open-source software

  • Amun Honeypot
  • Python
  • Debian
  • Snort IDS
  • Surfnet IDS

Includes an SMTP honeypot. The domain exists but is not listed anywhere, so any incoming email is considered malicious. The SMTP honeypot is written in Python.

Many of the attacks seen are VERY outdated (e.g. Symantec buffer overflows). Most emails provide links to malicious websites instead of sending actual exploits through email (which are usually filtered).
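
To make the SMTP honeypot idea concrete, here is an added example of my own (not CSN's code) of the server side of one SMTP conversation as a small state machine: it accepts every recipient because, as noted above, nothing legitimate should ever arrive at an unadvertised domain, and for each trapped message it records the sender, recipients, MD5/SHA-256 of the body, and any URLs in it, since the payload is usually a link rather than an attachment. The hostnames, port and client transcript are constructed for the example; the socket wrapper at the end is how you would actually listen.

```python
"""Minimal SMTP honeypot session handler (added example; not CSN's code)."""
import hashlib
import re
import socketserver

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"<([^>]*)>")


def capture(sender, recipients, body: str) -> dict:
    """Record what a defender wants from a trapped message: hashes and links."""
    raw = body.encode("utf-8", "replace")
    return {
        "sender": sender,
        "recipients": list(recipients),
        "md5": hashlib.md5(raw).hexdigest(),  # lookup key for an MD5 search service
        "sha256": hashlib.sha256(raw).hexdigest(),
        "urls": URL_RE.findall(body),
    }


class SmtpHoneypotSession:
    """Server side of one SMTP conversation (RFC 5321 subset).

    Feed it one client line at a time; it returns the reply text, or None while
    the message body is being received. Every recipient is accepted and every
    message is kept for analysis.
    """

    def __init__(self, hostname="mx.honeypot.invalid"):  # assumed hostname
        self.hostname = hostname
        self.messages = []
        self.in_data = False
        self.body_lines = []
        self._reset()

    def _reset(self):
        self.sender = None
        self.recipients = []

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP"

    def feed(self, line: str):
        line = line.rstrip("\r\n")
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.messages.append(capture(self.sender, self.recipients, "\n".join(self.body_lines)))
                self.body_lines = []
                self._reset()
                return "250 OK: queued"
            # RFC 5321 dot-stuffing: a leading ".." stands for a single "."
            self.body_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.sender = self._address(arg)
            return "250 OK"
        if verb == "RCPT":
            self.recipients.append(self._address(arg))  # accept everyone
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"  # stay agreeable; a 5xx would only tip off the sender

    @staticmethod
    def _address(arg: str) -> str:
        m = ADDR_RE.search(arg)
        return m.group(1) if m else arg.partition(":")[2].strip()


class HoneypotHandler(socketserver.StreamRequestHandler):
    """Wire the state machine to a TCP connection; one session per client."""

    def handle(self):
        session = SmtpHoneypotSession()
        self.wfile.write((session.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = session.feed(raw.decode("utf-8", "replace"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
            if reply == "221 Bye":
                break
        for msg in session.messages:
            print(self.client_address[0], msg["md5"], msg["urls"])


# Constructed client transcript, as a spam bot would send it.
CONSTRUCTED_SESSION = [
    "EHLO bot.example.invalid",
    "MAIL FROM:<spammer@example.invalid>",
    "RCPT TO:<anyone@honeypot.invalid>",
    "DATA",
    "Subject: Your account",
    "",
    "Install the update: http://update.example.invalid/patch.exe",
    "..leading dot, stuffed by the client",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    socketserver.TCPServer(("127.0.0.1", 2525), HoneypotHandler).serve_forever()
```

Keeping the protocol logic in a class that takes lines and returns replies means the honeypot can be exercised offline with a transcript, as in the constructed session above, before it is ever exposed on a port; in production the captured records would go to the VPN-connected central station rather than stdout.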

Most attacks originate from :

  • China
  • Russia
  • Ukraine
  • Malta
  • Bulgaria
  • Austria
  • ….

Statistically, the top 3 attacks seen are :

  • TR/Crypt.XPACK.Gen
  • TR/Dropper.Gen
  • WORM/RBot.147456.27

Most exploits target DCOM/LSASS/ASN.1 flaws in Windows systems. Most of these flaws have been patched by Microsoft for years, but are still being exploited.

Statistics and top lists are provided in XML format on the homepage.

Malware samples are available on request, for research purposes

Newly added service

Provides a search by IP or MD5… more searches coming

  • The MD5 of a malware sample is checked against the CSN database of seen malware
  • The IP search checks whether attacks against the honeypot have been seen from this address

Future Outlook

  • More sensors
  • Integration of high-interaction honeypots
  • Install a sensor, get the reports for free –> take part in the project
  • Possible interaction with DShield

Links :


  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
  • Twitter – Florian Eichelberger –> http://twitter.com/florensik
  • Community Sense Net –> http://csn.or.at
  • Community Sense Net Search –> http://search.csn.or.at
  • Eurotrash MicroTRASH interview –> MP3
  • Amun Honeypot project –> http://amunhoney.sourceforge.net/
  • SURFids –> http://ids.surfnet.nl