CACert Signing Party

In a couple of days, next Wednesday, January 14, a signing party organized by the CACert community will take place at Medialab-Prado in Madrid. The goal of this kind of meeting is to verify key owners’ identities in person and thereby grow the web of trust.

For those who don’t know it, CACert is a free CA run by the community rather than by a public body, such as the FNMT, or by a private company, such as Verisign.

These signing parties, like the one next Wednesday that I mentioned, are meant to give validity to your key, since the owner’s identity is checked in person by the so-called “notaries”, to whom you have to present a couple of identity documents (for example, national ID card (DNI) and passport).

Once your identity has been validated, you become a “trusted” user of CACert’s web of trust. This way, over time, you can act as a “notary”, validating the identity of other users.

This identity validation mechanism certainly has many advantages from the point of view of a user who is going to use someone’s public key to send them private information: if they trust CACert’s ring of trust, they can use the key with confidence that it belongs to its legitimate owner.

On the other hand, an SSL certificate validated this way will always be much better than a self-signed certificate, which has not gone through any validation mechanism. The only drawback, in this respect, is that CACert’s root certificates have not yet been included in the commonly used browsers, that is, Firefox, Safari, Opera, etc. Getting the CACert root certificate included in Mozilla does not look like an easy task, and meeting Mozilla’s requirements may take several years, although I understand it will end up being included, and from that moment a certificate of this kind will be perfectly valid and much better than a self-signed certificate.

My new lock pick set

This is my new pick set, the 13-piece basic set from Majestic, courtesy of lockpicking.org @ 25C3.

The pack also includes a cool sticker :), a couple of plastic cards (more useful than you think) and a testing lock.

Let’s practice… ;)

25th Chaos Communication Congress (25C3) #4

We had a hard time getting up on the morning of the last day, too much fun the previous night :) I didn’t want to miss Luciano’s talk about the infamous OpenSSL bug in Debian. We got there early, so we took the opportunity to buy this year’s hoodie. Why the hell was the largest size an L? I need XL :( Please take note for next year: get XL, we’re usually big men!!! ;)

Well, let’s focus… :) Luciano’s talk was awesome! We had a lot of fun even though all of us knew the details of the bug. All the use cases were explained with a live demo, even with the hostel booking site www.hostelworld.com, which is currently using a vulnerable certificate, as was shown using the SSL blacklist Firefox add-on (based on the modulusblacklist.org DNS check or the 60MB locally installed database file).

We made the mistake of going to the “crafting and hacking” talk. It’s not that the talk wasn’t fun; it’s that when we tried to go to the SSL talk, we found around 20 people waiting at the entrance doors to get into the hall, and after a while the organizers told us that it was packed and no more people were allowed inside :(

It’s worth watching the video, as those people demonstrated how to exploit collisions in the MD5 hash algorithm used in SSL certs to generate a rogue intermediate CA certificate and sign other certificates that are taken as valid by web browsers. As a curious fact, the CA exploited was rapidssl, and all the computing for the MD5-collision magic was performed using a cluster of 300 PS3s over 2 full days. Read about it, it’s a must.

25C3 was over. I can say that it was the best of all years, I had a lot of fun! I met a lot of new people, not only from Spain but from Portugal, Germany and Austria too. These 4 days went by really fast. I went back home with a new lock pick set and a DECT card to play with ;) as well as a new project for this new year: to set up monthly meetings in Madrid, to give short talks, participate in nice projects, exchange useful information, open some locks :) or just meet and talk with all the fellow hackers out there who fancy coming along.

I’m just looking forward to the next CCC, but until then… Happy Hacking! :)

25th Chaos Communication Congress (25C3) #3

3rd day in Hacker’s Valhalla :)

There’s no doubt about the first talk we’ll attend, “Running your own GSM Network” by Harald Welte and Dieter Spaar. I’ve seen other talks by Harald, and I have to say that he’s a serious hacker, and all his talks are really interesting. This year was no exception, and the talk about how to build your own GSM network was really cool. They had bought a GSM base station on eBay, and over several months of reverse engineering they got all the hardware working. After that, they started coding their own software to run a mini-GSM network with that BTS. The results were amazing. During the talk they performed a short demo where we saw their “10101” network name on our cell phones :) while they were able to monitor all the GSM traffic from/to our phones, such as voice calls, text messages… simply cool!

The possibilities are endless: if you have the 5k-6k euros that all the hardware costs, you can set up your own network. Think about MiTM attacks where you impersonate another GSM network using your own BTS, or SMS spam attacks, or simply the monitoring of the radio network to collect IMEIs.

At the end of their talk they proposed building a private GSM network for the next CCC, using a temporary demo license: our own 26C3 GSM Network, isn’t that cool? :)

The next talk was about the crypto methods used in eVoting systems, their leaks and the viability of using them in general elections. It was very interesting, and I was surprised how easy it would be to fake a vote or the entire election result if some of those crypto methods are used by the public. The conclusion is that maybe we don’t have the right crypto tools to ensure the reliability of an election right now. Paper ballots in the transparent ballot box, and manual vote counting with volunteer witnesses, is the best way… will we be able to perform that process in a secure way in the near future? Let’s see…

More crypto stuff in “An introduction to new stream cipher designs”. This talk was a review of the cipher algorithms participating in the eSTREAM contest.

After a short break to have a couple of beers ;) I attended the full malware session with two great talks, first “Squeezing attack traces” and afterwards “Stormfucker: Owning the Storm Botnet”. I freaked out with the stormfucker talk; what these guys have done is awesome. They’ve analyzed the storm botnet trojan, figuring out how it works, breaking the crypto as well as the communication channels with the C&C servers… and once they had “owned” the trojan ;) they thought up a plan to shut down the whole botnet using the update feature of the trojan software. They can impersonate a C&C server, as they know how the trojan searches for some file hashes in the P2P network; those files contain the IP addresses of the C&C servers, therefore they can force the clients to connect to their server, send them the update command, and deliver an executable that cleans up the malware from the infected client. They demoed the procedure using the calc.exe executable as the payload for the update command, and it worked like a charm. Nice work! Now it remains to be seen who dares to shut down one of the biggest botnets used by the underground mafia for banking fraud and spam sending.

After that I jumped to the DECT talk that was almost finished, but I was there when they talked about the next Kismet version that apparently will have DECT support and about their software project and its support for the COM-ON-AIR PCMCIA card. It was for sale there for 20 euros, so I got one to play a bit with it and make a DECT-SIP gateway with my Asterisk PBX at home.

The next talk was about NFC (Near Field Communications) phones. Here in Spain NFC is not yet a very popular technology for micro-payments in transport (metro, bus, taxi) or for small purchases; some initiatives based on text messages, such as mobipay, were totally unsuccessful. NFC is an interesting technology, and some use cases were shown with snack machines or train tickets.

I wanted to have something to drink before going to the Cisco IOS talk, so I missed the talk about how to embed malicious payloads in office documents. I was told that the talk was great but the tools used to embed the malware aren’t released yet. If you have more information on this topic, please leave me a note.

The talk about Cisco IOS rootkits and exploits was awesome. If you’re interested in this topic you have to take a look at their blog. A must for all the lazy Cisco network admins out there, together with the Defcon slides of FX (Phenoelit) on the same topic.

Third day was over… dinner and beers until 4 AM, a short sleep and get ready again for the last day.