Security musings (reflectorium)
Security musings (reflectorium)
Monday, January 03, 2005
  Notes from the 21C03 conference

Here are my notes from the 21C03 conference held by the German Chaos Communication Club (CCC) from Dec 27-29 2004 in Berlin.

The official sites of the event are at
http://www.ccc.de/congress/2004/index.en.html
https://21c3.ccc.de/wiki/index.php/Main_Page
http://21c3.ccc.de/weblog/

The CCC promised to make videos of most sessions available on the web. (Should be up in January 2005).

The annual conference had a record participation (around 3,500 participants) and appeared much more professional than earlier events.
The organisators had to choose from around 200 submissions to fill the session tracks. The trick was really which session to choose.

__Things that really struck me__

_Passive covert channels in the Linux kernel_
- Very interesting talk focused on getting covert messages out as part of the Sequence number in packets. The speaker introduced a tool (nushu.c), which hides this communication. This could have various uses e.g. in bot networks and applications that "want to phone home" and hide additional data.
See http://www.invisiblethings.org/

_Bluetooth vulnerabilities_
- There was a full-disclosure presentation (incl. tools) on the bluetooth vulnerabilities mentioned in 2004 by trifinite.
See http://www.trifinite.org/
- This is really bad. This is about reading and manipulating address books from afar. This is also - on some phones - about using someone else's phone to make phone calls and to redirect phones to someone else's phone to yours.
- People need to get their vulnerable phones updated in a shop. (And most people probably won't.)

_Security nightmares_
- SSH will probably be exploited again in a big way in 2005. (Rumours of another upcoming exploit). -> This makes me think that people should start to look at "port knocking" (or restricting access to certain IPs) to add a level of security for internet facing systems, i.e. you can only connect to your SSH server if you come from a pre-defined IP or after you did some magic ping/connection pattern.
- There might be trouble with cars turning into mobile computers ahead. It appears that some car systems use RDS data (via the car radio) as input. There are rumours that the RDS parsers in some car radios might be exploitable.
- People should really, really patch their mobile phones...

_MD5 insecurities_
- there are collisions in MD5. (Which also means that people should start to use other hash algorithms instead)
- a Chinese researcher has released two proof of concept test vectors that cause a collision. (It is unclear how these vectors were found!)
- these two test vectors can already be used to carry out attacks today
- MD5 operates on blocks, i.e. if you find two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash.
(These two files could be e.g. the two test vectors above)
- David Kaminsky's tool "stripwire" produces two binary packages. Both contain an arbitrary payload, but the payload is encrypted with AES. Only one of the packages ("Fire") is decryptable and thus dangerous; the other ("Ice") shields its data behind AES. Both files share the same MD5 hash.
- According to doxpara.com: "This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely "activated", without the MD5 changing. This has implications for Tripwire, DRM, and several package management architectures.[..] Very interesting possibilities open up once the full attack is made available -- among other things, we can create self-decrypting executables (fire.exe and ice.exe) that exhibit differential behavior based on their internal colliding payloads. They'll still have the same MD5 hash."
- this also allows for covert channels
- there's also a real hole posed by the MD5 variant used in KaZaa
- -> You can read it all at http://www.doxpara.com

_Instant Messaging security holes_
- Apparently there were/are quite a few bugs in IM clients. This is bad as more and more people use them for "serious" communications.
-> http://www.stonedcoder.org/

_DNS_
- nice talk on how one can use the DNS system with its mind-boggling number of servers to tunnel data and store data
- this included a demonstration of SSH via DNS and webradio (caching)
- NTSX old tool
- droute new tool
- also google for "grr", "nomede" and "miname"
- -> or read it all at http://www.doxpara.com

_physical security_
- They explained how "bump keys" (999 keys) work. Apparently this allows you to pick even high-quality locks and advanced locks like the keso.
The speaker gave a good demonstration by breaking a wide range of locks within mere minutes on stage (see below).Basically you cut the key with the deepest set of grooves possible (often by setting the key making machine to "9999.."). This bump key is then inserted and hit with a vibrating little hammer. This causes the bolts in the lock to shake quickly up and down, allowing for brief openings during which the key can be turned.
See http://www.gregandbeth.com/imagegallery/index.php?action=display&imageID=222
The speaker also showed a (rather easy) attack against the Winckhaus Bluekey system. (Breaking a 250 euro lock with a 40 euro magnet).

_SAP security_
- As people want to be "on the safe side", there are often very insecure settings (i.e. chmod 777) on folders
- look for cleartext passwords in scripts
- look for NFS exports

_phishing_
- They showed an interesting technique that redirects the victim to the legitimate web site, but opens a pop-up window on top of that;
the counteraction for the legitimate site owner is to open a pop-up window with the same name as the phisher's pop-up

_code reviews_
- They showed some source code from Cisco, Microsoft and MySQL that didn't look very secure. (Hard to fall asleep).

_automated web site hacking (php worms)_
- apparently quite a few people are interested in writing PHP worms that use Google now.
- look at the tools RATS and nikto to find flaws

_Sun Solaris 10_
- Sun Solaris comes with a tool called "dtrace" that gives you a very deep view into the system. (and can allow you to read out passwords).
- There's a new rootkit called SiNAR.

__Various miscellaneous notes__

Onion routing
e.g. using TOR (http://tor.eff.org/ )

Infrared hacking
look at http://www.lirc.org/ and http://www.irtrans.org/

Personal firewalls on Windows
will always be breakable/insecure because of the low-level inter-process communication possible in Windows

Fravia on searching the web
-> http://www.searchlores.org/

__Next major event in Europe_
"What the hack?" - July 28-31st in the Netherlands.
This it the bi-annual European Summer camp (HIP97, Heart-of-Gold (99), HAL2001, Fairy-Dust (03), now: WTF 05)
http://www.whatthehack.org/

 
Comments: Post a Comment


Me enjoying a "Mate-Club", Alt-Landsberg near Berlin, summer 2003.

RSS Feed now atom.xml!
My public bloglines universe

Essential Security Web-Sites
Internet Head Up Display, Internet Storm Center incl. Handler's Diary NewsNow.co.uk on Virii and Security - Messagelabs stats, Trendmicro, Symantec, CAI, McAffee, F-Secure -- securityfocus, packetstorm


Recently added Detections from CAI
Standalone Virus Cleaner
Trendmicro Sysclean and Signature, Symantec Removal tools, Stinger from McAfee, F-Secure removal tools, Bitdefender free removal tools
The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100. Higher values indicate faster and more reliable connections.
ARCHIVES
11/01/2003 - 12/01/2003
/ 12/01/2003 - 01/01/2004
/ 01/01/2004 - 02/01/2004
/ 02/01/2004 - 03/01/2004
/ 03/01/2004 - 04/01/2004
/ 04/01/2004 - 05/01/2004
/ 05/01/2004 - 06/01/2004
/ 06/01/2004 - 07/01/2004
/ 07/01/2004 - 08/01/2004
/ 08/01/2004 - 09/01/2004
/ 09/01/2004 - 10/01/2004
/ 10/01/2004 - 11/01/2004
/ 01/01/2005 - 02/01/2005
/ 02/01/2005 - 03/01/2005
/ 03/01/2005 - 04/01/2005
/ 04/01/2005 - 05/01/2005
/ 05/01/2005 - 06/01/2005
/ 06/01/2005 - 07/01/2005
/ 07/01/2005 - 08/01/2005
/ 01/01/2006 - 02/01/2006
/ 02/01/2006 - 03/01/2006
/ 03/01/2006 - 04/01/2006
/ 06/01/2006 - 07/01/2006
/ 08/01/2006 - 09/01/2006
/ 09/01/2006 - 10/01/2006
/ 12/01/2006 - 01/01/2007
/ 03/01/2007 - 04/01/2007
/ 05/01/2007 - 06/01/2007
/ 07/01/2007 - 08/01/2007
/ 08/01/2007 - 09/01/2007
/ 10/01/2007 - 11/01/2007
/ 11/01/2007 - 12/01/2007
/ 12/01/2007 - 01/01/2008
/ 02/01/2008 - 03/01/2008
/ 09/01/2008 - 10/01/2008
/ 10/01/2008 - 11/01/2008
/ 03/01/2009 - 04/01/2009
/ 09/01/2009 - 10/01/2009
/ 11/01/2009 - 12/01/2009
/ 01/01/2010 - 02/01/2010
/ 02/01/2010 - 03/01/2010
/ 06/01/2010 - 07/01/2010
/


Powered by Blogger


related blogs: general and family research