Friday

#25C3 Day 2 overview: Picking up the pace



At the end of day 1 of the congress, I hooked up with some fellow security people from Belgium to grab some beers. Most of them turned in early, but I decided to get some Club-Mate and blog about day 1 down in the Hackcenter. That was the only major blog update I managed to make during the conference.

Despite staying up somewhat late, I managed to pick myself up to go to the day 2 lightning talks after grabbing some Club-Mate. The first presentation was someone with a poem (in German) about data retention. Not really what I needed to stay awake early in the morning. It was quickly followed by the www.LXDE.org project, which aims at speeding up OS boot time. Cool! We can always use that.
The third lightning talk was from the privacyfoundation.de project. They have several things going on, like helping people with running Tor servers. A lot of people stopped doing this due to possible legal concerns, and they can help you in several ways. Another cool thing was the USB stick they mentioned that people could use to protect their privacy. Plug & go... I don't remember the name, but it was very similar to Freedomstick (ccc.de). Also check out Ubuntu Privacy Remix.
The next lightning talk was about OLSR-ng, presented as the most scalable and usable (mesh) routing daemon, routing wireless and fixed line segments.
The last relevant lightning talk for me was one of the Austrian CERTs talking about an infected USB stick they bought, which came from China. The pre-installed Trojan had a low detection rate by AV, connected to a C&C server in China and seemed to be part of a very large botnet. It's not the first time that new data storage equipment came with Trojans. Scan it, even if it's new!!

The next talk was about full disk encryption. It gave a good overview and introduction of the several possibilities out there (BitLocker, TrueCrypt, ...). I didn't learn much new as I'm familiar with the basic concepts and also the hidden partition capabilities of TrueCrypt. Still no miracle solutions against the cold boot attack.

My third attended talk of the day was about Exploiting Symbian. Very cool and a little bit frightening (since Symbian has 50% of the smartphone market). Most of the (smartphone) attacks I have seen in the last years all need some kind of user interaction, like opening a link, saving an electronic business card, etc.
But in the proof of concept I saw during the talk, they just needed to send an SMS to block any further incoming messages. You get no indication of these malicious messages, and the problem can only be resolved by factory resetting the device. The details of the advisory are here and you can see a demonstration video here. This affects different varieties of S60 phones and currently no fix is known.

After skipping a session to observe some of the activities like the hackerspaces soldering workshop, I headed to the TCP Denial of Service Vulnerabilities talk. There has been a lot of recent discussion about TCP DoS attacks based on the partial disclosure by Outpost24 (sockstress). This talk aimed to fill in the blanks and cover the current issues with potential TCP DoS techniques.
Denial of service means making the service or the network unavailable. The TCP/IP suite focuses on robustness but fails to specify security mechanisms to counter attacks from within the network. One of the protocol features discussed was source port randomization, which is meant for multiplexing and is not a security feature (TCP reset attack scenario from 2004, pdf).
Resources always have a limit on the number of connections they can handle. In some implementations a "backlog" is introduced, which defines the upper bound on the number of existing connections. This is not part of TCP/IP itself. Even without completing connections, slots of the classical backlog can be held.
Connection-based flooding, as opposed to SYN flooding, aims to exhaust the queue of established connections. The impact is highly dependent on the application and is the responsibility of the developers. Layer 5 does not have specifications for time-out values. So connections are placed into FIN_WAIT1 and, depending on the implementation, resetting the connections can take ridiculously long. The timing is related to the RTO (retransmission timer), which the client (attacker) controls. Tip: also google for Fefe's TCP_DEFER_ACCEPT bug.

To hit the sweet spot and finish this talk: it's possible to use the target's bandwidth against itself. Trick 1: lazy optack. Trick 2: optacking.

The solutions are to modify TCP (which will break the internet) or to apply mitigating patches, which might break some applications. Either way it needs to go through an RFC process, which can take a long time. *sigh*
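As an added defender-side illustration (not from the talk or this post), here is a small Python script that reads `ss -tan`-style output and flags peers hogging connection-table slots or leaving many sockets in FIN_WAIT1, the symptom the talk describes; the sample lines and the thresholds are constructed assumptions.

```python
"""Spot connection-table exhaustion symptoms from `ss -tan`-style output.
Added example for this post; the sample lines are constructed and the
thresholds are assumed, not values from the talk."""
from collections import Counter

# Constructed sample in the `ss -tan` column layout; not a real capture.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:80         198.51.100.7:40001
ESTAB      0      0      10.0.0.5:80         198.51.100.7:40002
ESTAB      0      0      10.0.0.5:80         198.51.100.7:40003
FIN-WAIT-1 0      1460   10.0.0.5:80         198.51.100.7:40005
FIN-WAIT-1 0      1460   10.0.0.5:80         198.51.100.7:40006
FIN-WAIT-1 0      1460   10.0.0.5:80         198.51.100.7:40007
ESTAB      0      0      10.0.0.5:80         203.0.113.9:51000
LISTEN     0      128    10.0.0.5:80         *:*
"""

# States that hold a slot in the connection table; FIN-WAIT-1 is the one the
# talk singles out, as the server waits there on a timer the peer controls.
SLOT_STATES = {"ESTAB", "FIN-WAIT-1", "FIN-WAIT-2", "CLOSE-WAIT"}

def parse_ss(text):
    """Yield (state, local, peer) per socket row, skipping header and LISTEN."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "LISTEN":
            continue
        yield parts[0], parts[3], parts[4]

def peer_ip(addr):
    """Strip the port from 'ip:port' (also handles bracketed IPv6 '[::1]:80')."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")

def find_suspects(text, per_peer_max=3, finwait1_max=2):
    """Return peers holding more than per_peer_max slots, and peers with
    more than finwait1_max sockets stuck in FIN-WAIT-1."""
    slots, finwait = Counter(), Counter()
    for state, _local, peer in parse_ss(text):
        ip = peer_ip(peer)
        if state in SLOT_STATES:
            slots[ip] += 1
        if state == "FIN-WAIT-1":
            finwait[ip] += 1
    return {
        "slot_hogs": {ip: n for ip, n in slots.items() if n > per_peer_max},
        "finwait1_hogs": {ip: n for ip, n in finwait.items() if n > finwait1_max},
    }
```

On a real host, feed it the output of `ss -tan` periodically and alert when the same peer keeps showing up in either bucket.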

The next talk was Short Attention Span Security and was like a lightning talk (several topics) by one person in one presentation. A lot of small tidbits:

  • EFI Rootkits
  • Bypassing MS anti-XSS libraries
  • Script injection in Flex
  • Pattern-matching hex editors
  • Static analysis with Dehydra
  • Auto-WEP key cracking with ITX
  • Porting Network Security Tools to the iPhone
The two most important parts for me were the EFI rootkits and the auto-WEP cracking. EFI will replace the legacy 16-bit BIOS. EFI makes it possible to write to the filesystem from the BIOS, which is very interesting for abuse by rootkits.
The second part was Groo: a series of scripts that autocrack WEP keys with a terminal GUI or web frontends! It uses two Wi-Fi cards, one for sniffing and one for administration. All the details and code for the entire presentation can be found at http://awgh.org/.

One additional mention of interest was some video hack with face recognition where his face would be replaced by the Laughing Man logo from the Ghost in the Shell manga/anime. You can find the code here.

The last presentation of the day was Banking Malware 101. It was a really cool presentation but as an avid reader on this topic and a fan of the honeynet project not much new under the sun. It is worth mentioning that they released a new feature to cwsandbox.org:
It is now also possible to upload suspicious PDF files that are then analyzed with the help of CWSandbox. Basically we open the submitted file with Acrobat Reader 8.1.1 since that version has several vulnerabilities. During runtime, we then observe the behavior of Acrobat and can detect suspicious changes such as new files on the hard disk or modified registry keys. Based on the generated report, it is then possible to detect malicious PDF files.
After this, I hooked up with some fellow peeps and headed to the Phenoelit party @ c-base. I did not manage to go to c-base last year and I really had a great time there!

Bonus: pictures from Day 2 (Entire 25C3 photostream here)

If you want to read another review of day 2 (of some of the other presentations), check out hypatia's blog on day 2.
