Archive for the ‘Security’ Category

DefCon – Crack me if you can… – or how to prove password policies are harmful

August 26th, 2010 Frank Breedijk No comments
Passwords are like Pants... a Creative Commons Attribution, Noncommercial, No Derivative Works image from Richard Parmiter's Flickr photostream

One of the DefCon contests that most sparked my imagination was the “Crack me if you can” password cracking contest, organized by KoreLogic. The goal of the contest is to crack as many of the password hashes provided as possible. The rules of the contest allow the use of off-site and on-site computer equipment of any kind, but in order to be eligible for any prize money at least one team member had to be physically present at the DefCon conference.

The competition is interesting in more than one way. First of all, the contest is educational in setup. Even though the amount of computing power a team can bring together is important in getting good results, it is not the determining factor in winning or losing the contest. Key to winning or doing well in the contest was understanding human behavior. KoreLogic generated a set of passwords they feel is representative of what they actually encounter in the field. Most corporate environments rely on a common set of rules that force users to pick “strong” passwords and to change them regularly. While the goal of the rules is commendable, KoreLogic’s experience has taught them that the human behavior triggered by these rules makes passwords very predictable. “If you force employees to change their passwords four times a year, they will select something that naturally changes four times in most cities (except Las Vegas)”; typical passwords we find are things like Winter2010. Once you understand this pattern, you can reliably predict what this password will be in, say, 9 months or a year. Teams that saw this pattern and used it to make smarter password guesses did better in the competition.
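The defensive side of the observation above is a password-change filter that refuses the calendar-driven choices the rotation rule produces. The Python below is an added example, not material from the post or from KoreLogic's contest; the season and month word lists, the leet-speak normalisation table and the "current year, give or take one" rule are this example's own assumptions.

```python
"""Flag calendar-driven passwords such as Winter2010 at password-change time.

Added example, not part of the post or of KoreLogic's contest material.
The word lists, the substitution table and the rule that only a year
within one of the current year counts as predictable are assumptions
made for this example.
"""
import re
from datetime import date

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Substitutions users apply to satisfy complexity rules while keeping the
# word recognisable (W1nter, $ummer). Applied to the word part only.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s"})

# word (lazy) followed by a two- or four-digit year
PATTERN = re.compile(r"([a-z@$0-9]+?)(\d{2}|\d{4})")


def predictable_pattern(password, today=None):
    """Return a short reason if the password is a season or month name
    plus a nearby year, otherwise None.

    Handles two- and four-digit years, simple character substitutions
    and trailing punctuation such as 'Winter2010!' that users add to
    meet special-character rules.
    """
    today = today or date.today()
    # drop trailing punctuation, then require word+digits and nothing else
    core = re.sub(r"[^a-z0-9@$]+$", "", password.lower())
    match = PATTERN.fullmatch(core)
    if not match:
        return None
    word, digits = match.groups()
    word = word.translate(LEET)
    year = int(digits) if len(digits) == 4 else 2000 + int(digits)
    if abs(year - today.year) > 1:
        return None  # an old year is not what the rotation rule produces
    for label, words in (("season", SEASONS), ("month", MONTHS)):
        if word in words:
            return "%s+year (%s %d)" % (label, word, year)
    return None


if __name__ == "__main__":
    # constructed candidates, evaluated as of the date of this post
    for candidate in ("Winter2010", "Summer10!", "W1nter2011",
                      "Winter1998", "correct horse battery staple"):
        print(candidate, "->", predictable_pattern(candidate, date(2010, 8, 26)))
```

Wire `predictable_pattern` into whatever hook your directory offers for password-change filtering; a non-None result is a reason to reject the new password and tell the user why.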

DefCon: Blitzableiter – The release

August 26th, 2010 Frank Breedijk No comments

GLOBAL BATTLE - KIDS TO SAVE THE WORLD SERIES (Explore #4) a CC, non-commercial, no derived works image from JOHN CORVERA's flickr photostream

This talk is a follow up of Felix’ talk at Black Hat Europe which I blogged about earlier here (http://www.cupfighter.net/index.php/2010/04/blackhateu-fx/) marking the release of the tool BlitzAbleiter.

One of the new points highlighted is that his work is not just of interest to normal users that are running Flash content, but also to corporations that serve pre-compiled Flash advertisements that they do not want to be infected with malware or other unwanted behaviour.
For the release of Blitzableiter Felix has chosen to integrate with NoScript. If you have the latest version of NoScript, you already have BlitzAbleiter.
Next Felix actually demoed BlitzAbleiter by using it to stop some in-the-wild Flash exploits.

I managed to speak to Felix in a more informal setting later and he pointed out that there are two major differences between BlitzAbleiter as presented in Barcelona and the current version. BlitzAbleiter now supports both the version 1 and version 2 Flash virtual machines. Besides that, the code quality of the tool is now at such a level that it is actually a usable tool that can be released to the public.

The name BlitzAbleiter is the German word for lightning rod, because it has the potential to turn harmful Flash into harmless thunder.

DefCon: Physical security, you are doing it wrong

August 1st, 2010 Frank Breedijk No comments

By A.P. Delchi

Delchi’s talk revolves around an imaginary assignment to design the physical security system of a high security facility with CCTV, and the methodology for handling this assignment.

If you want to design such a system you need to follow the steps of:

  • Assessment – What do we secure? What is the status? What are the risks?
  • Assignment – Which area gets which security? Prioritize. What external requirements do you have?
  • Arrangement – Find the most effective locations for your security devices. Consider security and ergonomics.
  • Approval – Get quotes from multiple vendors. Consider lifetimes and service plans and take expansions into account, e.g. will you require biometrics in the future?
  • Action – Let's implement it. Build, train and test.

Next Delchi encourages us to keep failure in mind. Physical security systems will go wrong, and building the systems will go wrong as well.

Delchi’s final section of the talk outlines the various problems security professionals will encounter when dealing with the various parties involved in the process: management, vendors, people who know better, users and construction workers. With funny and concrete examples he shows what to expect and how to handle these groups.

DefCon: We don’t need no stinking badges – Vulnerabilities in physical access systems

August 1st, 2010 Frank Breedijk 1 comment

By Shawn Merdinger

Building access control systems are getting more and more IP enabled, but the IP enabled portions of access control systems are often poorly controlled and don’t get much love from either the IT or the facilities side.

But the vendors are not always helping either: the S2 security box, for example, uses both a web server and a MySQL version with lots of security vulnerabilities in them. The amount of security problems Shawn pointed out in various products was truly shocking.

Shawn continued to show us the results of the exploitation on a demo box he tested, which allowed him to open doors and get to camera feeds.

There is a worrying perception in the physical security industry that hackers will not go after these systems but after financial data and trade secrets. This is not correct: it is very interesting for attackers to actually attack the physical security infrastructure. There are also perceptions that these devices are deep in the network and not connected to the internet, but a simple Google search showed that there are 350+ devices connected to the internet today.

Vendors have to start offering better security, and this will only happen if customers start to demand better security.

DefCon: Practical Cellphone Spying – Cell phone calls intercepted live on stage

August 1st, 2010 Frank Breedijk No comments

By Chris Paget

The room was packed and warning posters were all over the place, warning people that cell phone traffic might be intercepted in the area around the talk. Expectations were high at the start of the talk, and we were about to find out if they would be met.

In this presentation Chris is going to intercept cell phone calls, specifically GSM calls. For this purpose he uses what he calls an IMSI catcher. Critical for intercepting calls is the IMSI, the International Mobile Subscriber Identity; think of this as the GSM username. Chris built his IMSI catcher for $1,500 out of open software and open hardware, a fraction of the millions charged for commercial IMSI catchers.

Handsets always choose the strongest signal, and an attacker will always win the battle for that. Since GSM assumes that the network is trusted, the base station dictates the settings, so if the base station wants to disable encryption, the phone will do that. The IMSI catcher does not have to break GSM encryption; it just acts as a base station and tells the phone to disable GSM encryption. In theory the phone could warn of this behaviour, but most SIMs have this disabled, because it would confuse users.

Because of differences in regulations between the USA and Europe, there is a frequency in both spectrums that you can use that is in the HAM radio band and thus governed by the HAM radio regulations, and these regulations give enough leeway to run GSM across it without needing a telco license. A HAM radio license allows the use of transmitting power of up to 1500W; the 0.25W Chris used during his demo is a very small fraction of that.


DefCon: Nmap Scripting Engine Q&A

July 31st, 2010 Frank Breedijk No comments

By Fyodor and David Fifield

After the presentation I joined Fyodor and David in the Q&A room to talk further about the Nmap NSE session. Here are some of the questions and answers…

Is there anything like XML output to glue the output of the scripts together? Script output is included in the normal XML output, but it is not yet in any structured format. The cool guys from the nmap project have not yet figured out how to do that.

Will the password cracking capabilities in nmap make stuff like John the Ripper obsolete? The password cracking functionality demoed is not a replacement for John the Ripper, but work is in progress to make the capabilities of nmap better, especially on the ncrack project, which will release RDP password cracking in the next few days.

Is there a way to run scripts with a declared dependency, so one script runs and then the other script runs based on the results? This is fully supported.

Why Lua over other languages? It was a fight over the Scheme language or another language. In the end we settled on Lua. Perl and Python were too big to ship with nmap. Lua really fitted with what we needed and wasn’t too big.

Is nmap turning into the new Nessus? Well, it could, but it will never include all scripts to find all vulnerabilities. Each product has its own use, but nmap is getting nearer and nearer to becoming a vulnerability scanner. Conficker is a great example of that: nmap was the first scanner that was able to remotely detect Conficker infected machines.

Are there plans to include hping functionality in nmap? Yes, there is nping, which has similar functionality and more.

Is there raw packet functionality in NSE? There are packet creation functions in the Lua libraries, and there is an interface to pcap as well.


DefCon: Mastering the Nmap scripting engine

July 31st, 2010 Frank Breedijk No comments

By Fyodor and David Fifield

In this talk Fyodor and David are giving an in-depth overview of the nmap scripting engine. The Nmap scripting engine allows users to create and share scripts for all IP-related tasks, from vulnerability detection to exploitation.

There are a lot of NSE scripts already available for tasks like discovery, authentication tests, denial of service, exploitation and lots of other stuff. All come with nmap by default; there are 131 NSE scripts bundled with Nmap at the moment. There are two categories that are of special interest, disruptive and safe, and they mean exactly what you would expect them to mean. In 3.5 years the number of available NSE scripts has grown from 20 to over 130.

In the next part of the presentation Fyodor shows an example of a scenario where NSE really enables a big assessment. Fyodor applied the scripts submitted by Ron Bowes around SMB vulnerabilities against Microsoft’s public IP space, a space of over 1,000,000 IP addresses. The first step was a quick scan of over 1 million hosts to find interesting targets. Nmap is currently smart and fast enough to scan these IP addresses in about 26 hours.
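Both the Q&A above (script output is in the XML report but not structured) and this assessment scenario (SMB script results across a very large host set) come down to the same practical need: pulling NSE results out of Nmap's XML into something you can filter. The Python below is an added example, not code from the Nmap project or from the post. It assumes the `-oX` layout in which each `<script>` element carries its result in an `output` attribute, nested under `<port>` for port scripts or `<hostscript>` for host scripts; the report it parses is constructed for this example.

```python
"""Turn NSE script results in an Nmap XML report into structured data.

Added example, not Nmap project code. Assumes the -oX layout where a
<script> element carries its result in an `output` attribute and sits
under <port> (port scripts) or <hostscript> (host scripts). The sample
report below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: one host with a port script and a host
# script, and one host that is down and has no results.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=http-title,smb-os-discovery -oX out.xml">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http"/>
        <script id="http-title" output="Welcome page"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows Server 2003&#xa;Computer name: FILESRV"/>
    </hostscript>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_script_results(xml_text):
    """Map each host address to its script results: script id, scope
    (port or host), port spec (None for host scripts) and raw output."""
    root = ET.fromstring(xml_text)
    results = defaultdict(list)
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            spec = "%s/%s" % (port.get("portid"), port.get("protocol"))
            for script in port.findall("script"):
                results[addr].append({"script": script.get("id"), "scope": "port",
                                      "port": spec, "output": script.get("output", "")})
        hostscript = host.find("hostscript")
        if hostscript is not None:
            for script in hostscript.findall("script"):
                results[addr].append({"script": script.get("id"), "scope": "host",
                                      "port": None, "output": script.get("output", "")})
    return dict(results)


def parse_kv_output(output):
    """Split the 'Key: value' lines many scripts print into a dict; other
    non-empty lines are collected under 'text'."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
        elif line.strip():
            fields.setdefault("text", []).append(line.strip())
    return fields


def hosts_matching(results, script_id, needle=""):
    """Sorted hosts on which script_id ran and its output contains needle
    (case-insensitive); the answer to 'which hosts reported X?'."""
    needle = needle.lower()
    return sorted(addr for addr, entries in results.items()
                  if any(e["script"] == script_id and needle in e["output"].lower()
                         for e in entries))


if __name__ == "__main__":
    parsed = parse_script_results(SAMPLE_XML)
    for addr, entries in parsed.items():
        for entry in entries:
            print(addr, entry["scope"], entry["port"], entry["script"],
                  parse_kv_output(entry["output"]))
    print("hosts reporting Windows Server 2003:",
          hosts_matching(parsed, "smb-os-discovery", "windows server 2003"))
```

For a million-host scan the same functions work unchanged on the real report; replace `ET.fromstring` with `ET.iterparse` over the file if memory becomes the constraint.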


DefCon18: The Social Engineering contest

July 30th, 2010 Frank Breedijk No comments

At the DefCon social engineering contest, contestants are given a list of information they have to obtain and a target company that they have to obtain it from, along with a list of phone numbers of people to get it from. They are given a limited amount of time to get as much of the information as they can.

I walked into the social engineering contest just as the second contestant was ready to start his assignment. His target was a major US automotive company. During his session he was able to speak to two people.

It is very good to hear that at least the first guy they got on the line was actually not comfortable answering the questions asked by the contestant.

The second victim was a person who had only worked with the company (a major automobile manufacturer) for 2 months as a security engineer. He was eased into answering mundane but valuable questions about his work and break times, but also about food service at the company etc.


BSidesLV: InfoSec Speed Debates

July 29th, 2010 Frank Breedijk No comments

Sing It Back, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from alphadesigner's photostream

By Josh Corman, Dennis Fisher, HD Moore, Jack Daniel

The idea of infosec speed debates is to pick a topic and debate it between two panelists. A flip of the coin determines whether the panel member has to argue for or against the idea, in under 5 minutes.

Topics of the discussion

User authentication doesn’t work. Conclusion: Maybe.

End user education works. Conclusion: Dream on.

Is it possible to talk about security research and not represent your employer? Conclusion: “It's the fault of the press.”

Do vulnerabilities still matter? Conclusion: They matter, but we are becoming insensitive to them.

Metrics are bunk. Conclusion: A fool with a tool, is still a fool.

Besides getting the opinion of some smart people, this panel was a lot of fun too.

Black Hat USA: Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

July 28th, 2010 Frank Breedijk No comments

By Jonathan Pollet

The days that SCADA systems could hide behind obscurity are over. These systems are on the internet and use common protocols for which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by SCADA systems.

This presentation starts by explaining how the power grid works. A typical network architecture has three zones: a corporate network; a DCS, EMS (Energy Management System) or DMS (Distribution Management System) network; and a network with the industrial systems on it. These networks are typically separated by firewalls. When you add smart meters to the mix, they are typically connected in a similar fashion.

The formal models around SCADA security all revolve around this zoning model.

Red Tiger Security has developed a special process to do assessments of these networks, because industrial equipment starts behaving funny when scanned with standard vulnerability scanners. Automated scanning of SCADA systems from the network is okay, but scanning the industrial equipment will cause outages.

SCADA environments are often poorly patched because patches are known to break SCADA systems. Most of the vulnerabilities discovered in these infrastructures are found in the SCADA DMZ: these systems are often not maintained by corporate IT, because they don't know how to maintain them, but they are also not owned by the SCADA engineers.
