25th Chaos Communication Congress (25C3) #2

Second day of congress. Yesterday we stayed up until late, and at 4 AM I didn’t feel like writing a long post on the blog about the day, so I’ve posted my first post this evening; sorry for the delay.
Wow! Second day! It was cool! Unfortunately the Lightning Talks #1 agenda was empty! :( and I didn’t feel like going to the post-privacy talk, I am more a tech-talk than a social-talk guy :) so I skipped it and went a bit later to the full disk encryption crash course talk by Juergen Pabel. The talk was an introduction to full disk encryption tools such as TrueCrypt, just a few notes about the design of this kind of software but not many internals, which was what I expected, so… just a review of products.
Next, attacking rich internet applications. A nice talk about Google Gears flaws, Firefox extension flaws and several XSS and JS injection tricks. This talk reminded me that I have to read more about the current status of web development, mainly about all the Firefox add-ons stuff, since I’m not up to date on the latest attack techniques against web applications, and nowadays that’s the stuff that is everywhere, web, web, web… As Kaminsky said yesterday, there are more applications than the web ones! There’s life beyond the web browser! :)
Short break for lunch, and we went straight to the talk about how to audit closed and encrypted PHP code. Stefan Esser talked about how to break encrypted bytecode, which techniques are used to obfuscate the bytecode and how they can be reversed, and how this code can be analyzed to find exploits without being able to read the source code. Interesting talk for a person like me who isn’t a PHP coder but is familiar with all that stuff, and it gave me some nice ideas for future challenges of our wargame Geek Puzzle :)
Now, the typical dilemma… which talk should I attend when there are three interesting talks at the same time? I had to choose between smartphone hardware hacking, security of wireless sensor networks or TCP DoS vulnerabilities. OK, not so hard really… let’s go for the TCP one! :) As a network administrator, IP networks are “my world”, so it was worth missing the other two. Moreover, I was really curious about the details of Outpost24’s sockstress tool, the new devastating low-bandwidth TCP DoS tactic. I already wrote about it, and it would have been really interesting to attend a talk by Jack and/or Robert about their TCP stress tool, so I attended the TCP DoS talk by Fabian Yamaguchi, but in the end the talk was a bit simplistic :(
I expected a highly technical analysis of the latest TCP DoS stuff half-disclosed by the Outpost24 guys, but the talk was just a summary of old-school TCP DoS techniques (SYN flood, connect flood, RST attack, ACK messing to alter the RTT and the sending window…). Only one slide for the theoretical sockstress attack based on the zero-size sending window issue… well, I expected more :(
Although I’m also interested in robotics, and the scalable swarm robotics talk sounded promising, I decided to attend the short attention span security talk, where Ben Kurtz talked about a lot of security issues that he finds working as a security consultant in Seattle. What a funny talk! He talked about an assorted set of subjects like WEP cracking with a small independent ITX board fully controlled through a web interface for the iPhone, FLEX code injection, EFI rootkits (nice topic this one, uh?)… check out his site, there’s lots of information about all those subjects there.
Next, the banking malware talk by Thorsten Holz. It was a good summary of how a banking trojan works, which types there are, which are the most common ones, and how security researchers study those pieces of malware using sandboxes, to execute them without risk and learn where they connect to and what protocols they use to send the stolen data to the control servers. They got access to several central servers where the malware drops the stolen data, so they could generate some interesting statistics about which targets were attacked the most, from which countries, and how many users, passwords, credit card numbers and that kind of private stuff were stored on those servers. He gave us some figures on how much money a malware writer can gain if they sell all this information to mafias; a lot of money, as you can imagine. Check out the slides for the details, it’s worth it.
A new dilemma… funny pentesting techniques or Nintendo Wii hacking? My hacking side won again :) To finish the day, a funny talk by Francesco Ongaro, titled “tricks that make you smile” :) Well, one thing is true, that guy made us smile :) The talk was funny despite Francesco’s “broken English” :) He revisited several well-known old-school tricks like ICMP redirections and ARP poisoning. He did a demo about extracting a full database using SQL injection tricks, some sudo tricks taking advantage of the password caching feature of sudo, and a funny demo about how to hide information in HTML pages using silly tricks like foreground and background of the same color… it was funny, for sure :)
After that, we had dinner in our favorite Italian restaurant, with a couple of new friends. Photos will be on flickr, be patient, I forgot my camera cable in $HOME :) We decided to create a mailing list to stay in contact after the con and maybe participate in some projects.
By the way, I got a tool set from the people of lockpicking.org, more about this in future posts.
The second day is over :( The time here passes so fast. Tomorrow is the third day of congress, and there are a lot of interesting talks scheduled… more info tomorrow.
Happy Hacking!
25th Chaos Communication Congress (25C3) #1

First day in Hacker’s Paradise :)
This year’s CCC has just begun, a lot of people in the main conference room, John Gilmore on the stage. He talks about the title of this year’s conference… “nothing to hide”; well, everyone has something to hide, he says that’s just “bullshit” :)
He threw out some interesting questions to the people: what are you doing to be free? What are you doing to protect your privacy? What are you doing to prevent governments and big sites like Google from spying on you, from collecting all kinds of information about you and tracking all your movements on the net and in the real world? Some people type URLs into the Google search box instead of using the URL bar of the browser, is that the way? Are you aware of the tracking techniques that telcos use on their customers? What about the RFID issue?
We know and understand the technology to protect ourselves, the tools to protect our privacy, but we don’t use them. Why is most internet traffic still in clear text? Why isn’t crypto a well-known subject, and why isn’t its use as widespread as it should be among all computer users? We’ve got crypto that the NSA can’t break, but we still send mails in cleartext… that’s the point.
It was a nice talk about privacy, cryptography and about what a single citizen has to do to remain anonymous, to remain unknown from the big brother eyes.
Next, jump to the PLC talk. It didn’t go as deep as I would have liked; it was a brief introduction to PLC technology, a review of available PLC hardware and its features, as well as of the FAIFA software. I expected a live demo of the tools, maybe some traffic sniffing and injection, some hands-on demo about the crypto stuff, or a demo of how to use the tool for a PLC security audit in the wild, but none of this happened, so I was a bit disappointed with this talk. Interesting, but not as technical as I expected. Apart from that, the vulnerabilities based on a single “broadcast domain” of the electrical network in houses are not widely applicable because, at least in Spain, the power networks of the houses are isolated from each other, from the electricity meters located in the house basement to the inner electrical installation in each apartment. Anyway, nice talk as an introduction to all the PLC stuff; maybe I’ll write a longer post about the FAIFA tool when I have the time to download it and play a bit with it.
Here in Spain, where I live, PLC was actively deployed and tested 2 or 3 years ago, but it never was a winner in the highly competitive broadband Internet access market; DSL and cable were, and currently are, the main options. PLC died silently after several months of tests among selected groups of users.
The talk about the payment systems in the UK using chip & PIN cards by Steven J. Murdoch was very interesting too. I attended last year’s talk about the relay attack, and this was a sort of continuation. This time the talk was focused on how to tamper with PEDs (PIN Entry Devices) to record all the customer information. I recommend you to watch the BBC video… it’s really funny :)
I would have liked to attend the hackerspaces talk, as I’m very interested in arranging some kind of geek meetings in Madrid, maybe in a cool place like the Medialab, and the feedback from the people of hackerspaces all around the world is very valuable.
After that, my first thought was to attend the wearable computing talk, but when I arrived there after lunch, it was jam-packed with people, and it was completely impossible to stand there and just hear the talk, so I decided to go to the RFID fingerprinting talk. Well, I’m not a hardware guy, so I have to admit that this talk was a bit tough for me, as it was focused on the techniques used to attack the RFID systems present in passports and driver licenses, but only at the physical level, ignoring all the cryptographic complexity built at higher levels. The work presented was focused on sniffing, cloning and emulation of RFID devices… well, too much for me at this time :)
From there, we jumped to the talk by Gadi Evron, about the Estonia and Georgia security incidents, and other worm-related incidents, such as the Facebook one. How does a global incident have to be handled? Are we ready to handle global attacks? Are local CERTs really useful? Well, the talk was very informative, and Gadi made it very funny, although somehow he was a bit rude with some of the people that asked him questions :)
The chip reverse engineering talk was cool; the procedures to reverse engineer a chip from beginning to end were explained, and if you are not a hardware guy, talks like this one are pretty enlightening, since the way these guys break the crypto algorithms is awesome. They begin polishing the chip from the outside to the inside, layer after layer, until they get all the logic in front of their eyes. With the help of microscopes, they take photos of all the components, and get the routes between them automagically with specialized software tools. With all this info they can work out how the chip works and break the crypto algorithms that are implemented on it, seeing how they are built from the logic gates and basic electronic components. Those crypto algorithms, especially if they are private and non-standard obscurity-based crypto algorithms, are broken from this point, seeing the low-level implementation in the chip. The security by obscurity thing is not a good idea when you have these guys messing around with your chips; a great talk that should have lasted at least 2 more hours :)
Then a short break, and several beers later, we attended three cool talks in a row. First the iPhone dev-team explained the whole path they followed from the release of the iPhone until they broke it completely. All the reverse engineering and analysis of the device is amazing, how they found all the design flaws that allowed them to own the iPhone ;) Hey! Those guys are my heroes, thanks for the pwnage tool ;) Unfortunately I don’t have the superpower of ubiquity :) so I couldn’t attend the MSP430 BSL cracking talk; the documentation about this talk looks very interesting, I have to watch the video, there’s no doubt about it.
Next, Jacob Appelbaum talked about the cold boot attacks. When they published their work some months ago, I tested it on several systems, and found all this stuff really interesting, mainly the possibility of forcing the reboot of a remote system using a malformed WoL frame, for example; then the system will boot using a minimal PXE image that you can provide from another system on the network, the target will dump its memory to the network, from where you can get it by sniffing the broadcast frames, and after that it’s time to apply the crypto-key searching algorithms that they implemented too. The talk was all about that, no new info, just the well-known info that’s published, but really cool and very funny, as Jacob told the audience some really funny anecdotes. It’s worth watching the video too :)
After that, the much-awaited talk by Dan Kaminsky, the showman of the security cons… all the DNS stuff in the very pure Kaminsky style :) The talk was not the same as the Black Hat or DEF CON one; it was about the whole DNS bug thing and how an incident like this was coordinated and handled by Kaminsky, Vixie and all the ISPs and companies involved in this wide-scale patching effort. The talk was focused on the SSL X.509 cert problems and the Debian OpenSSL bug, the SNMPv3 bug and… wait for it… how to make a covert channel using the size parameter of the IMG HTML tag… Kaminsky, the covert-channel man, strikes again! :) Nothing more to say, a funny and technical talk to finish the day.
A fast dinner in the train station and back to the hostel, where I am now writing this post and having a beer… more in a few hours :)
Merry Christmas!
I wish you a Merry Christmas my fellow geeks!

Berlin, the Hacker’s Paradise for a week
In a week’s time I’ll be flying to Berlin, as in the last four years, to attend the Chaos Communication Congress. The CCC is one of the most important hacker events in Europe, an obligatory appointment for all the geeks & hackers out there. It’s held every year, from the 27th to the 30th of December, at the BCC.
Four days of hacking in a highly stimulating atmosphere, a lot of mind-blowing talks, fellow hackers from all around the world…
I’ve noted down my personal schedule for those days, and I’ve just registered my phone ext. on the local PBX, so give me a ring if you’re from Spain and want to meet us there!
As I did last year, I’ll post (ccc and 25c3 tags) my point of view about the talks that I attend, or maybe about the interesting things that I see in the hackerspace. I’ll do my best to post it at the end of the day, before the sleep(), but no promises here ;) If I take some pics, I’ll upload them to the 25C3 photo set on my flickr account.
See you at CCC, happy hacking! ;)
Web application security
A couple of weeks ago I published an entry with my impressions of the II Jornadas STIC CCN-CERT.
Of all the presentations given, the one by Gonzalo Alvarez on web application security deserves special attention.
For all those who didn’t attend these sessions, and haven’t had the chance to see a similar presentation by Gonzalo at the FIST meetings or at some other event on a similar theme, here are the links to the video of the presentation:
- Web application security (1/8): Introduction.
- Web application security (2/8): The story of Julián Moreno.
- Web application security (3/8): The online shop.
- Web application security (4/8): XSS.
- Web application security (5/8): Phishing.
- Web application security (6/8): Cookies.
- Web application security (7/8): SQL injection.
- Web application security (8/8): Conclusions.
MAOW Madrid
Yesterday evening my geeky pal Mega and I dropped by Medialab-Prado to attend the Mozilla Add-Ons Workshop, organized by Pascal Chevrel and Paul Rouget, both from Mozilla Europe, and some guys from the GSyC department of Rey Juan Carlos University.
After a short introduction from Pascal, Paul gave us a very interesting talk about how to develop an extension for Mozilla Firefox, from the basics of XUL to more complicated stuff such as the several classes outside the Gecko rendering engine that can be used to handle files, sockets and that kind of stuff.
As a non-professional developer, since I’m more of a system engineer, the talk seemed very interesting to me, and it showed me the tools to continue exploring the world of Mozilla extension development, since I have some ideas that I want to carry out.
After the talk, the event organizers brought some drinks and pizzas for those of us that stayed there having a nice hacker-chat.
What else can be asked for? Nice hacker chat in a nice place, pizza… well, a nice evening :) Some pics on flickr if you’re curious about what it was like.
GeekPuzzle II – Challenge 0x07 “Barcode Privacy”
The last challenge of this second edition of Geek Puzzle is now published. We’ve called it Barcode Privacy and we hope it costs you at least as many hours of sleep as the previous ones, if not more ;)
Pending the official end of the contest next Sunday at 23:59 GMT+1 ;) we can say that Kachakil and Metalamin are in the lead, both with 16 points.
If Metalamin solves this last test and Kachakil fails to, Metalamin would be the winner. Otherwise the winner would be Kachakil, who has accumulated less total time spent solving the previous challenges.
In any case, this edition has been much more exciting than the previous one, with a very tight score between Kachakil, Metalamin and Juanan, who unfortunately seems to have fallen behind with 13 points because of challenge 0x06, which we set you last week and which seems to have got the better of him ;)
In a couple of weeks we’ll try to publish our proposed solution to each of the challenges, although each of you will have had your own procedures, which may or may not resemble our “official” solution. In any case, may they serve as a guide for those who got stuck. Of course, I hope the publication of our solutions sparks a debate about how they could have been solved differently, useful tools for that, etc. That way we can learn from each other, which after all is one of the aims of the contest: to have fun and learn. All of this, of course, on the official contest blog.
With this test we finish for now, although we can tell you that we are already preparing challenges for Geek Puzzle III, which we hope to launch in a few months, around April or May 2009. We would love you to collaborate with us by preparing a challenge for the next Geek Puzzle, so don’t hesitate to contact us if you have an idea you’d like to implement and see turned into a challenge for the next edition of Geek Puzzle.