Passwords are like Pants... a Creative Commons Attribution, Noncommercial, No Derivative Works image from Richard Parmiter's Flickr fotostream

One of the DefCon contests that most sparked my imagination was the “Crack me if you can” password cracking contest, organized by KoreLogic. The goal of the contest is to crack as many of the password hashes provided as possible. The rules of the contest allow the use of off-site and on-site computer equipment of any kind, but in order to be eligible for any prize money at least one team member had to be physically present at the DefCon conference.

The competition is interesting in more than one way. First of all the contest is educational in setup. Even though the amount of computer power a team can come up with is important in getting to good results, it is not the determining factor in winning or losing the contest. Key to winning or doing well in the contest was understanding human behavior. KoreLogic generated a set of passwords they feel is representative of what they actually encounter in the field. Most corporate environments rely on a common set of rules that are used to enforce user to pick “strong” passwords and force them to change them regularly. While the goal of the rules is actually commendable, KoreLogic’s experience learns them that the human behavior triggered by these rules cause passwords to be very predictable. “If you force employees to change their passwords four times a year, they will select something that naturally changes four times in most cities (except Las Vegas)”, typical passwords we find are things like Winter2010. Once you understand this pattern, you can actually reliably predict what this password will in say 9 months or a year. Teams that actually saw this pattern and used it to make smarter password guesses did better in the competition.

The key to making hard to guess passwords is to break with this predicable behavior. If people have to put a special character in their passwords they usually put them in the beginning or at the end of their password, e.g. Summer1969! We had a number of passwords that actually had a password in the middle of it and these passwords where significantly harder to crack.

There is a significant difference between the success rates of cracking certain password hashes. E.g. windows password hashes have proven at be extremely easy to crack. All the teams together cracked 94% of all the windows password hashes provided to them. These contain some LM hashes, but mostly NTLM and NTLM2 hashes. A stupid 20 character long Windows administrator password (2345678901234567890) was guessed by all teams, even though there are no rainbow tables available for passwords of this length . Operating systems like FreeBSD do much better, less than ten of these hashes where cracked and BCrypt hashes achieved an even better success rate, only a few hashes where cracked. Absolute winner where the Oracle password hashes, none of these where cracked.

While this was a serious competition and the first prize of $600 was won by team HashCat, the competition was mostly educational in its setup. Only teams that published their methods for cracking are eligible to win and all results and methods used will be published online later this week (@@@@). The contestants used an interesting array of computer equipment. Graphics Cards based systems, clustered Amazon EC2 instances and a university super computer cluster with 1TB of memory where all used as well as plain simple desktop computers.
Hopefully this competition will not only learn us how to better crack passwords, but also how to pick better passwords and thus make us all a little bit more secure.

GLOBAL BATTLE - KIDS TO SAVE THE WORLD SERIES (Explore #4) a CC, non-commercial, no derived works image from JOHN CORVERA's flickr photostream

This talk is a follow up of Felix’ talk at Black Hat Europe which I blogged about earlier here (http://www.cupfighter.net/index.php/2010/04/blackhateu-fx/) marking the release of the tool BlitzAbleiter.

One of the new point highlighted is that his work is not just of interest to normal users that are running flash content, but also to corporations that serve pre-compiled flash advertisements that they do not want to be infected with malware or other unwanted behaviour.
For the release of Blitzableiter Felix has chosen to integrate with NoScript. If you have the latest version of NoScript, you allready have BlitzAbleiter.
Next Felix actually demoed BlitzAbleiter by using it to stop some in the wild Flash exploits.

I managed to speak to Felix in a more informal setting later and he pointed out that there are two major differences between BlitzAbleiter as presented in Barcelona and the current version. BlitzAbleiter now support both the version 1 and version 2 Flash virtual machines. Besides that the code quality of the tool is now at such a level that it is actually a usable tool that can be released to the public.

The name BlitzAbleiter is the German word for lightning rod, because it has the potential to turn harfull Flash into harmless tunder.

Delchi’s talk evolves around an imaginary assignment to design the physical security system of a high security facility with CCTV, and the methodology how to handle this assignment.

If you want to design such a system you need to follow the steps of:

• Assessment – What do we secure? What is the status? What are the risks?
• Assignment – Which area gets which security? Prioritize. What external requirement do you have?
• Arrangement – Find the most effective locations for you security devices. Consider security and ergonomics.
• Approval – get quotes from multiple vendors. Consider lifetimes and service plans and take expansions into account. E.g. Will you require biometric in the future.
• Action – Lets implement it. Build, train and test.

Next Delchi encourages us keep failure into mind. Physical security systems will go wrong, building the systems will go wrong as well.

Delchi’s final section of the talk outlines the various problem security professions will encounter when dealing with various parties involved in the process. Management, vendors, people who know better, users and construction workers. With funny and concrete examples he shows what to expect and how to handle these groups.

Building access control systems are getting more and more IP enabled, but the IP enabled portions of access control systems are often poorly controlled and don’t get much love from either the it or facilities system.

But the vendors are not always helping the S2 security box e.g. Is using both a web server and a mysql version with lots of security vulnerabilities in it. The amount of security problems Shawn pointed out in various products was truly shocking.

Show continued to show us the results of the exploitation on a demo box he tested which just allowed him to open doors and get to camera feeds.

There is a worrying perception in the physical industry that hackers will not go after these systems, but after financial data and trade secrets, but this is not correct, it is very interesting flr attacks to actually attack the physical security infrastructure. There are some perceptions that these device are deep in the network and not connected to the internet, but a simple Google hack showed that there are 350+ devices connected to the internet today.

Vendors has start to offer better security and this will only happen if customers start to demand better security.

The Room was packed and warning poster where all over the place warning people that cell phone traffic may be intercepted in the area around the talk. Expectations are high at the start of the talk and we were about to find out if they are to be met.

In this presentation Chris is going to intercept cell phone calls, specifically GSM calls. For this purpose he uses what he calls an IMSI catcher. Critical for intercepting calls is the IMSI, the International Mobile Subscriber Identity, think of this as the GSM username. Chris built his IMSI catcher for $1,500 out of open software and open hardware, a fraction of the millions charged for commercial IMSI catchers.

Because handsets always choose the strongest signal and a attacker will always win the battle for this. Since GSM assumes that the network is trusted, the base station dictates the settings, so if the base station wants to disable encryption, the phone will do that. The IMSI catcher does have to not break GSM encryption, it just acts as a base station and tell the phone to disable GSM encryption. In theory the phone could warn of this behaviours, but most sims have this disabled, because it would confuse users.

Because of difference in regulations between the USA and Europe there is a frequency in both spectrums that you can use that is in the HAM radio band and thus governed by the HAM radio regulations and these regulations give enough lead way to run GSM across it without needing a telco license. A HAM radio license allows the use of transmitting power of up to 1500W, a very small fraction of the 0.25W used by Chris during his demo.

In order to spoof a network you need some information: the mobile country code, the mobile network code and th enetwork name. All this information can be easily found on Wikipedia and after programming these values into the OpenBST the AT&T network could reliably be spoofed. Without spoofing the settings 30 handsets already associated themselves with the fake basestatiion. After spoofing the AT&T network over 45 handset associated with the fake base sation.

If no additional techniques are used, it may take a phone over an hour to hand over to the fake base station, but there some tricks to make them hand over faster.  Most of these techniques do not fit into the regulations for ham radio. E.g. Disrupting the base stations around us. A noise generator and a 100W signal amplifier could disrupt GSM traffic for most of Las Vegas and force cell phones to switch over to the HAM radio frequency. This would be highly illegal, but impossible to stop. You could also spoof and advertised neighbour cells but then you would have to transmit on a GSM reserved frequency. Chris therefore refrained from demonstrating these techniques.

Fake base stations don’t actually have to transmit a strong signal, the GSM standards allow a basestation to just tell the handset to treat its signal as if it is stronger then it actually is. Because the network is trusted in the GSM system, the cellphone has to comply. Unfortunatly this command is not supported in the OpenBTS.

Is there a solution to prevent these attacks for GMS 2G. GSM 2G is seriously broken. You can compare it to the telnet vs. ssh situation. “2G is telnet and 3G is ssh”.

Chris did not play back any of the captured calls live on stage in fear of legal consequences, but cell phone calls where captured life on stage.

After the presentatioin I joined Fyodor end David in the Q&A room to talk further about the Nmap NSE session. Here are some of the questions and answers…

Is there anything like XML output to glue the output of the scripts together? Script output is included in the normal XML output, but it is not yet in any structured format. The cool guys from the nmap project has not yet figured out how to do that.

Will the password cracking capabilities in nmap make stuff like John the Ripper obsolete? The passwordcracking functionality demoed is not a replacement of John the Ripper, but work is in progress to make the capabilities of nmap better, especially on the ncrack project which will release a rdp password cracking in the next few days.

Is there a way to run scripts with a declared dependancy so one script runs and thenthe other script runs based on the results? The is fully supported.

Why lua over other languages? It was a fight over the scheme laguage or another language. In the end we settled on lua. Perl and pyhon where too big to ship with nmap. Lua really fitted with what we needed and wasn’t too big.

Is nmap turning into the new Nessus? Well, it could, but is will never include all scripts to find all vulnerabilities. Each product has its own use, but nmap is getting nearer and nearer to becoming a vulnerability scanner. Conflicker is a great example of that nmap was the first scanner that was able to remotely detect conflicker infected machines.

Are there plans to include hping functionality in nmap. Yes, there is nping, which has similar functionality and more.

Is there raw packet functionality in NSE? There are packet creation functions in the lua libraries and there is an interface to pcap as well.

David asked the audience to submit their scripts so they can be shared with others.

How can you make a living with Nmap? We get a little money for licensing nmap to people who want to include nmap in their closed source programs, but we cannot support a big company from this revenue. Web advertisement and the income from Fyodors book help as well, as well as donations. Google summer of code has helped bigtime as well, it enables us to tap into programmers without the associated cost.

What other languages can interfaces with nmap? There are interfaces in Perl and Ruby both for scanning and analyzing results, it should not be hard to interface with other languages as well.

How is you book selling and is there any other news? The book sold very well, about 10,000 copies sold, which is a lot for a network scanning book. Print can not allways keep up with the current rapid changes with nmap. Fortunatly the online version of the book is updates as nmap is updated. But a lot of the content of the paper based book is still very valid, because the basic scanning has not changed much.

Fyodor would like to add that Ndiff is a good tool for monitoring differences in the network, it is not as well known as he would like it too be.

He also pointed the attendies to the Rainmap project (this name may change in the future). It is online scanning software (cloud based or private) that will also give you the changes on the network. It is currently under development in the summer of code. We hope that we have some early beta quality in about a week or three.

In this talk Fyodor and David are giving an in depth overview of the nmap scripting engine. The Nmap scripting engine allow users to create and share scripts for all ip related tasks from vulnerability detection to exploitation.

There are a lot of NSE scripts already available for tasks like discovery, authentication tests, Denial of Service, Exploitation and lots of other stuff. All come with nmap by default, there are 131 NSE scripts bundled with Nmap at the moment.  There are two catagories the are of special interest; disruptive and safe and they mean exactly what you would expect them to do.  In 3.5 years the number of available nse scripts has grown from 20 to over 130.

In the next part of the presentation Fyodor shows an example of a scenario where NSE really enables a big assessment. Fyodor applied the scripts submitted by Ron Bowes around SMB vulnerabilities against Microsoft’s public IP space, a space of over 1,000,000 ip addresses. First step was a quick scan of over 1 million hosts to find interesting targets. Nmap is currently smart and fast enough to scan these ip addresses in about 26 hours.

In his scanning Fyodor found loads of printers and RDP servers openly exposed to the internet, but he was specifically looking for the ports related to SMB. Using NSE Fyodor ran a scan looking for SMB vulnerabilities.
Microsoft has machines that share their IPS$, C$ and D$ shares over the internet and in some cases allow full user enumeration.

NSE allows you to develop scripts yourself or adapt some of the scripts provided by insecure.org. NSE scripts use the language called LUA, which distribution fits comfortable on a floppy disk. “For the young people in the audience, this is a small storage technology”  Fyodor shows us the rpcinfo.nse script which is only 46 lines long and surprisingly readable.

Next up on the stage is David who is going to demonstrate how easy it is to write an NSE script that will look for a webcam located in his home in Denver. The script was not hard to write and within a couple of minutes the webcam was found. Another script was needed to brute force the username and password and we where able to look out of David’s window.

All in all a very interesting talk that show the huge potential of the Nmap scripting engine.

I walked into the social engineering contest just as the second contestant was ready to start his assignment. His target was a major US automotive company. During his session he was able to speak to two people.

It is very good to hear that at least the first guy they got on the line was actually not comfortable to answer the questions ask them by the contestant.

The second victim was a person that only worked with the company (a major automobile manufacturer) for 2 months as a security engineer. He was eased into answering mundain but valuable questions like his work and break times, but also about food service at the company etc.

At the end of the call the contestant knew:

• The subjects name and function
• His working hours
• His break hours
• Which desktop os was used and which XP service pack was used
• The brand and model of the desktop
• The brand of anti-virus and the exact version used
• The internet browser version installed
• The home page of the browser
• If dual factor authentication was used
• Mail client installed and which version of outlook was used
• If wireless was used in the company
• If url filtering was in use (no)
• If there is an internal IT support group
• Which internal phone system is in use
• Which pdf reader was used and the exact version number
• How waist paper is disposed of

It was really scary to know that one of the reasons the contestant was not able to obtain all information was because his victim did not no some of the details.

The next thing for the contestant to find out was somebody’s pay schedule. With only two minutes to complete that task it would be a very close call, unfortunately he could not get the right people on the line.

Moxie’s talk does not have anything to do with IT security but talks about some of his heroes. Het started his talk talking about a young solo sailer who is very heavily supported by technology. If you compare the attempt with a previous attempt from 1985 which highlight of technology was a plasic sextant the contrast is huge.

Attempts to race non stop around the world non-stop have created a number of stories about sailors and fortune seekers who risked all to win the gloden globe race. Races like the Golden Globe Race will not happen anymore. Technology allows current solo sailers to set their autopilot and litterally tweet their way around the world in two months.

Is less technology really more? Is it about less technology, or is it about having less communication opportunities?

The Gloden Globe Race prompts athe question who are the heroes of our generation? Is it Twitter, is that a satisfying answer? Where did all the lunatics/weirdoes go? History seems to be full of them, but where are they now?

It appears that the increase of communication is causing a narrowing of culture. While individuals are experiencing more and thus feel that culture is widening, it is actually narrowing because diversity is decreasing.

Sing It Back, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from alphadesigner's photostream

By Josh Corman, Dennis Fisher, HD Moore, Jack Daniel

The idea of infosec speed debates is to pick a topic and debate it betweeen the two panalists. A flip of the coin determines if the panel member has to argue for or against the idea in under 5 minutes.

Topics of the discussion

User authentication doesn’t work. Conclusion: Maybe.

End user education works. Conclusion: Dream on.

Is it posssible to talk about security research and not represent your employer? Conclusion: “Its the faukt of he press”

Do vulnerabilities still matter? Conclusion: It matters, but we are becoming unsensitive to them.

Metrics are bunk. Conclusion: A fool with a tool, is still a fool.

Besides of getting the opinion of some smart people, this panel was a lot of fun too.

Sent from my iPad

The days that Scada systems could hide behind obscurity are over. These systems are on internet, use common protocols of which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by Scada systems.

This presentation starts by explaining how the power grid works. A typical network architecture has three zones. A corporate network, a DCS (), EMS (Energy Management System) or DMS (Distribution Management System) network and a network with the industrial systems on it. These networks are typically separated by firewalls. When you add smart meters to the mix they are typically connected in a similar fashion.

The formal models around SCADA security all evolve around this zoning model.

Red Tiger Security has developed a special process to do assessment of these networks, because industrial equipment starts behaving funny when scanned with standard vulnerability scanners. Automated scanning of Scada systems form the network is okay, but scanning the industrial equipment will cause outages.

Scada environments are often poorly patched because patches are known to break Scada systems. Most of the vulnerabilities discovered in these infrastructures are found in the Scada DMZ, because these systems are often not maintained by corporate IT, because they don;t know how to maintain it, but it is also not owned by the Scada engineers.

A further breakdown of the vulnerabilities found in this DMZ are found on Web Servers, Application Servers and Databases. The top four common vulnerabilities found are: configuration issues, cross site scripting, Denial of Service and information disclosure.

Most (over 62%) of the Scada systems are running on Microsoft Windows operating systems. Not a good match to the needed stability (monthly patches) and lifetime needed by Scada systems.

Interesting finds are hard to categorized. Adult content, game servers, Online dating databases and Bittorrent clients have all been found on these systems.

After exploring classical Scada system security mistakes the talk moved on to Smart Meter and Smart Grid technology.Smart Meter technology is making the same mistakes again.

First systems where designed to last for 20 years. That is a long time to not find any vulnerabilities in them. And the ability to remotely patch these systems is scary on its own.

Old vulnerabilities have a new impact when considering smart meters. E.g. data enumeration can tell criminals when somebody is vacation and when it is thus a good time to rob somebody’s home.

The software in smart meters is really vulnerable to very old classes of bugs like, e.g. ping of death.

About the speaker

Jonathan Pollet – Red Tiger Security, LLC

Jonathan Pollet, Founder and Principal Consultant for Red Tiger Security, has over 10 years of experience researching vulnerabilities and conducting field security assessments of Industrial Process Control Systems, SCADA Systems, Automated Meter Reading systems, and Smart Grid technology. After graduating from the University of New Orleans with honors and receiving a B.S. degree in Electrical Engineering, he was hired by Chevron and worked in the SCADA and Automation Team for the Upstream Exploration & Production division. Pollet designed and implemented PLC and SCADA systems for several offshore and onshore facilities.

Realizing the potential security implications of the industry moving towards TCP/IP communications in the late 1990s, and seeing a trend to connect SCADA systems to Enterprise IT networks, Pollet started investigating SCADA, Process Control Systems, and embedded devices for cyber security vulnerabilities.

Throughout his career, he has been actively involved with the IEEE, ISA, ISSA, UTC, CSIA, and other professional societies. Pollet has been involved in over 110 vulnerability assessments of plant and process control systems. He has also delivered over 75 presentations and training sessions on SCADA Systems, Critical Infrastructure Protection, and SCADA Security to the FBI, Department of Homeland Security, and several private sector security conferences. He has spoken at many conferences and workshops for government and professional organizations around the world. Pollet has also authored over 25 white papers, all specifically on the security of SCADA and embedded control systems.

The Spyderlabs guys had a busy year. They investigated over 200 incidents in 24 different countries and ended up collecting enough malware samples. Based upon last year’s DEFCON talk they are going to dive deeper and bring you the most interesting samples from around the world

This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, Online Adult Toy Store, US Defense Contractor, and an International VoiP Provider.

The malware being demoed are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic, even tough the major categories have stayed the same.

Malware comes in various categories: Keyboard logger, screen loggers and memory scrapers. Disk scrapers are not very popular because it is slow and is noticed to easily due to heavy disk activity. There are three basic ways to own a system: Physical, Easy and Uber . Physical means inserting something like a USB stick or key logger. Easy is e.g. through publicly exposed RDP and default passwords.

Malware is getting much harder to detect because they are better tested and using more stealthy techniques like root kits.

Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain

The malware consisted of three files. Loader.exe, ramsys32.sys and searcher.dll. The loader was able to install the sys file, which was the root kit. The main oabjective was to steal credit card data from a Miami Sports Bar. All the data is stored in a system file in the windows system directory. The data is automatically uploaded to the criminals at 10pm every night.

Sample SL2010-018 – Windows Credential Stealer – Don’t Call Me Gina

This malware consists of three files, fsgina.ddl and fsgina.dll and timestop.exe which allows the attacker to change the access times and creation timestamps of the files it creates. Upon installation the malware actually sets the timestamp of fsgina.ddl to the timestamp of msgina.dll so that it looks like the file is created when the system was installed, this applies to all dates, including the datas in the master file table (mft). Next the registry is modified to load the fsgina.dll in front of the msgina.dll. The fsgina.dll looks just like the msgina.dll and even funcitons the same, not letting in users that enter the wrong credentials, but it captures and stores all account names and passwords entered.

Msgina is the dll the handles the graphical logon screen.

Sample SL2009-143 – Network Sniffer Rootkir – Clandestine Transit Authority

This malware was found on the systems of an international voip provider with about 80.000 clients. It was a typical root kit that captured credit card data, but in stead of taking the track data from memory it logged all network packets that contained track data. The captured packets did upload all data to an ftp server at 01:00 when everybody sleeps. The malware actually compresses the data in RAR format and password protects the RAR file to avoid detection by IDS systems.

Sample SL2010-007 0 Client-Side PDF Attack – Dwight’s Duper

This attack was performed against a US defense contractor. The malware was spread by a specially crafted email with PDF attached that exploited the system. The email was actually very impressive, it was coming from the right sender, used his email signture lines and was written in the kind of language used in the organisation.

The malicious PDF file actually first extracts all the files it needs, and then shows another PDF with content you would expect. The malware gets everything that it is in the my documents folder, steals firefox passwords and FTPs them off.

Conclusions

The key to malware success is customisations. Generic malware does not work. The key to successful exploitation is to be slow, steady and stealthy.

Malware is getting more and more advanced.

About the speakers

Nicholas J. Percoco – Trustwave

Nicholas J. Percoco is the head of SpiderLabs at Trustwave -the advanced security team that has performed more than 750 cyber forensic investigations globally, thousands of penetration and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave’s products and services through real-time intelligence gathering. He has more than 15 years of information security experience. Nicholas acts as the lead security advisor to many of Trustwave’s premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe, and Asia including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.

Jibran Ilyas – Trustwave

Jibran Ilyas, is a Senior Forensic Investigator at Trustwave’s SpiderLabs. He is a member of Trustwave’s SpiderLabs -the advanced security team focused on penetration testing, incident response, and application security. He has investigated some of nations largest data breaches and is a regular contributor for published security alerts through his research. He has 7 years experience and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEFCON, SecTor) in the area of Computer Forensics and Cyber Crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave’s SOC where he helped Fortune 500 clients with their Security Architectures and deployments. Jibran holds a Bachelors of Science degree from Depaul University and Masters degree in Information Technology Management from Northwestern University.

To clear up a common misunderstanding, this Fyodor is not the same Fyodor as the author of Nmap.

XProbe-NG was written to discover a rouge server in a network of the major Taiwanese internet provider. It turned out that XProbe was not sufficient to handle all the application level stuff that was going on in this case.

However doing level 7 probes introduced two problems:

• Bandwidth – Having to send far more data
• Time – Making sure you finish in time

Other motivations for XProbe-NG include:

• Scanning other protocols then IP only
• Bulk scanning
• Probing “en-route” systems
• Migration to IPv6
• Honeypots/nets
• Improving precision

“en-route” findings include:

• Caching proxies, transparent proxies
• L7 switches
• Reactive IDS/IPS
• Application Firewalls
• Active Spoofing attacks

How do you minimize the network load of a tool like XProbe?

• Information Gain metrix
• “Lazy Mode” execution
• “target” drive execution
• New scan engine (in progress)

Information gain means that each plugin has a rating that characterizes how much “information” the probe might bring givne what we know allready. Plugins that cause the most information gain will be executed first and probes that don’t gain information do not have to be executed.

Excluding 0 gain modules and only scanning for ports that are interesting for the plugins is called “Lazy mode” execution.

Neither optimisations are ideal, but gaining performance is always a trade-off between efficiency and accuracy.

After July 7 XProbe-NG can be downloaded at: http://xprobe.sourceforge.net/ or grabbed from the GIT repository.

About the speaker

Fyodor Yarochkin is a security hobbyist and happy programmer with a few years spent in business objectives and the “security” service delivery field. These years, however, were not completely wasted – Fyodor has been contributing his spare time to a few open and closed source projects, that attracted limited use among non-business oriented computer society. He has a background of system administration and programming and holds Engineering degree in Software Engineering.

Q: What is Hack in the Box?

A: There is not simple answer to that, but let me give it a try. There are two parts to the Hack in the Box: the websites and the conferences. But mostly HitB is a group of people bundled in a not-for-profit organisation.

Q: What is the difference between the HitB conferences and other conferences like Black Hat, DefCon, BruCon, Source, etc?

A: Hack in the Box is really a different conference. It is different from Black Hat because Black Hat is a commercial organisation and we are not. Black Hat conferences are too expensive. In a sense we are more like DefCon, but we are different as well. Hack in the Box tries to bridge the gap between three groups. The underground, the security professional and law enforcement. We want to create an environment that promotes open discussion between all these groups.

Q: Is Hack in the Box a Security conference or a Hacker conferences?

A: We are a mix of both, this is what we try to be.

Q: Why did you pick Amsterdam for this conference?

A: Because I love Amsterdam. Besides that I have relatives in The Netherlands, and being familiar with Amsterdam and the Netherlands really helps when you want to set up a conference.

Q: The conference is at its 3/4 mark right now, how do you feel it is going?

A: I’m really happy with the conference, there will be another HitB in Amsterdam for sure. We did not quite make the 500 attendees we would have liked, but with over 200 people we did not fail. We will be planning the conference a little bit earlier in the year, say the mid May timeframe

Q: If you’d have to name one reason to attend a hack in the Box conference what would it be?

A: It’s a different conference.

Maltego is like a box of Lego’s, but then for open source information gathering. Open source information gather refers to gathering information that is publicly available on the Internet.

Maltego has release version 3.0 about two weeks ago , and I previously blogged about the preview at Black Hat EU. Paterva has added quite a few new features, the most interesting is NER, Named Entity Recognition. NER gets text and marks entities like person names / companies / phone numbers. NER can be used to get to a big brother scenario where SMS, radio signals and web pages are constantly monitored for named entities.

Roelof demoed NER by trying to find the winner of the Fifa World Cup. He searched for all websites containing the phrases: FIF, “win the world cup”. Het found the top 50 sites that contained the phrases and got the urls on these sites. NER was run against these urls.

Using Maltego Paterva come up with the prediction that Brazil will win the World Championship.

Roelof showed a very cool demo where Maltego was used to mine information from Facebook.

When getting data from Facebook you have to be carefull because you are violating the Terms of Service and Facebook is taking this very seriously. Due to anti-scraping measures Roelof and his team had to revert to bugs in the Facebook software to get the data from Facebook.

Using Maltego Roelof searched for “gmail” “contact me” and “facebook”. Het then mapped these addresses to facebook accounts and their friends on facebook.

The demo also showed the demo played at Black Hat EU finding the top ten people associated with “Black Hat briefings”.

Another new feature in Maltego 3 is the Community Container TAS. This allows users to host their own transforms for others to use. It is an enhancement to local transforms which are local and not easy to code. They will be advertised to all Maltego clients if you desire. These containers will allow others to quickly write transforms for others to use.

Roelof also show the SQLTAS which will allow the user to offer database queries as Maltego transforms. He demoed this against the leaked carders forum database to get infromation about who posted messages about Amex on a credit card fraud forum.

Biggest news was that maltego v3 Community edition will be available on the 9th of July and not be as restricted as version 2.

Mark starts of by giving a very funny overview of his very impressive career. He currently has a non-security security job at Microsoft running the MSDN subscription services department. Being away from security has given him room to think about information security more.

His talk is about 10 crazy ideas that might change the state of information security. These ideas all cost little money, but may have a big impact.

#1 – Adopt Chinese Medicine Business Model

In China the doctor gets paid to keep you healthy, not to cure you. There are currently actually two companies that are experimenting with this business model.

#2 – Stop Human Pattern Matching

Humans seen things they expect so see. The brain is wired to see what it is expecting to see. This is why optical illusions work, which was demonstrated to the audience with two illusions. Security people do his all the time. I have XSS, this is going to happen, this vulnerability will cause this worm.

#3 – Community Driven Statistical modelling

An example of this is http://freerisk.org. It allows people to input and consume financial modelling data. In the security world there is no data that will give us some predictable model of how security behaves. Wine quality can actually be captured in a formula: Wine Quality = 12.145 + 0.00117 * winter rainfall + 0.0614 average growing season – 0.00386 harverst rainfall. Where is the equivalent of security? Rubbish you say? Well, the formula for wine quality is actually used in the field now

#4 – Teach Kids Computer Security

Computer Science students do often not know about IT security. It should be a core value of learning IT.

#5 – Make Developing Countries Centers for Security Excellence

IT security hotspots are where engineering is considered a good job.

#6 – Make hacking a competitive sport

If hacking is a competitive sport, nations might actually get good at it and it might just increase funding for IT security

#7 – Connected Information Security Framework

IT security tools do not talk to each other. You may want to get different part of IT security puzzle form different sources, but integrating the reports is very hard.

#8 – Embrace Design Driven Security

We must reward the builders AND the breakers. Not just the people who break IT Security.

#9 – Crowd Source Access Control

Resetting you banking password generally happens in a call center (probably in India). It is very crazy that we trust people we do not know at all to reset our password. Why not use the people who actually know you to determine if you need access or not. The wiki at OWASP was actually very successful in this aspect, because there are social networks that actually control who has access to edit the pages and who hasn’t.

#10 – Adopt Agile Mindset

It is explained in the Agile Manifesto – http://agilemanifesto.org/

The agile mindset is about:

• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaborations over contract negotiation

Within a constrained (time/resources) you write a working increment of the software.

Most security projects deal with a large amount of uncertainty and complexity. The right spot for the Agile mindset.

Contract negotiations are done at the point where you know the least about what is ahead of you. Basically setting you up for failure.

About the speaker:

Mark Curphey recently moved to a mainstream software management role at Microsoft running the MSDN Subscriptions engineering team. He started OWASP, ran foundstone and held various security positions at various banks around the world.

Into the sepia night, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from thelightningman's photostream

I recently became familiar with the concept of lightning talks and want to make you familiar as well. Basically a lightning talk is an opportunity for a presenter to present on his topic for a short time.

This short time frame (between 5 and 15 minutes) has some interesting effects. First of all it forces the presenter be brief and to the point otherwise his timeslot will be over before he knows is. Second of all it means that the audience is more willing to listen to a topic they would otherwise not be interested in. Don’t worry if you don’t like what you are hearing, there will be another subject in a couple of minutes. This is also reflected in the acceptance criteria for lightning talks. Sometimes it is enough just to edit a wiki page, sometime there is a small selection process based on a two paragraph talk outline.

Last but not least lightning talks are a great opportunity for people to present if they do not feel up to presenting a full talk or have not yet got enough material for a full talk.

Want to try it yourself?

At the moment both BruCon and Hack in the Box Amsterdam have lightning talk slots open. Both conferences will waive the entrance fees for those speakers participating in the lightning talks and they might even buy you a beer afterward.

I know I will be trying my luck at both conference and I hope to see you there.

lolcat adaptation #3, a Creative Commons Attribution No-Derivative-Works (2.0) image from kevinsteele's photostream

Exploit wednessday ois the day after patch Tuesday, the second Tuesday of the month when Microsoft releases its patches. While some people say it’s impossible to write an attack in one day, Yaniv has seen it happen and tries to explain how.

This process is based on diffing. Diffing means finding the differences between the old and the patched version of the binary file.

This could be done on the same machine, or between two different versions of the OS (e.g. Windows XP and Vista).

The toolkit for a typical patch analysis consists of:

• Diff programs
• Compare programs
• Decompiles  and compilers
• Different versions of windows

Yaniv, then went off to demonstrate a to us the creation of an exploit for MS10-005.

First of all information from public source was gathered to find out which program was effected, what the root cause of the vulnerability was and in which version of Windows the problem is present.

The next part is extracting the patch and analyzing it. First this that needs to be done is finding the files that will be updated. The these files will be compared against the original file, just to find which functions have been changed.

The changed function are then converted to execution graphs which are colored to highlight the amount of change in that part of the code. This is used to determine the interesting area’s of the code. These interesting area’s are then compared byte by byte and the differences analyzed.

If we need to understand how the vulnerability work in order for us to determine how to write the exploit. Since MS10-005 deals with integer overflow in paint using the the jpeg format, understanding if the understanding of the jpeg format is crucial.

Using this knowledge a denial of service exploit could be generated. Yaniv showed us the process in real life.

I had the opportunity to meet Tam at SigInt earlier, so I simply had to attend his talk at Confidence.

The security of mobile systems is often weak because users are not willing to accept reduced battery life to run anti-virus. Also users and developers of do not think about security.

Tam mathematically shows how the chances of two users with a smart phone meeting goes up enormously as the market share of smart phones go up.

The current biggest problem to phones is theft. This is not stopped, because stopping theft does not benefit the carriers, phone manufacturers or governments.

Targeted phone theft is even a bigger problem, because data that resides on a smart phone is nearly never infected.

Mobile malware is now emerging. It is basically hacking without buffer overflows, etc.

Premium rate buggery is another classical example, user are tricked into sending text messages of calling premium rate numbers.

Developers are defending themselves by prompting users. This is suffering from the usual problems:

• Granularity – When do you click the warning
• False positives – If a users gets 30 warning from a single program they will either  stop or ignore the warnings
• Users are not qualified to make the decision – They could be persuaded to click something they don’t want to.

Signing applications does not work, because it is not possible for vendors to do the full QA we all really require.

So what will happen in the future?

You can only stop the malware authors by hitting their cash-cow, by banning premium numbers of displaying the costs.

We can also hope that the users will be knowledgeable enough to not install malware

Ultimately if we all fail, the mobile app space will become a closed system.

Axelle talk discusses four examples of mobile malware

• iPhoneOS/Eeki.B
• Symbian/Yxes
• WinCE/Redoc
• Jaa/GameSat

While mallware for mobile phones is far less nuomerous then malware for PC’s, that does however not mean that there are few infections.

• CommWarrior (2005) > 100,000 infections
• Yxes (2009) “hundereds of thousands of infections”

How many owners of a jail broken iPhones have actually changed their root password as recommended by the authors of Cydia just of the screen? This lead to the spreading of the Eeki worm.

The worm Yxes is actually very hard to detect because if comes with a valid application which is actually signed by Symbian.

All mobile mallware has similarities:

• Malware code is relatively simple, using standard API’s and no vulnerabilities etc.
• They are almost all after money, via SMS, premium number, phishing.
• There is some annoyware that locks or reboots the phone.

Application signing is not a panacea. As the Yxes malware has shown it is possible to get malware signed, because code is not tested against malware.

So how can we stop malware?

Non-technical solutions:

• Educate end-users
• Sue mallware authors
• Display SMS and call codes explicitly

Technical solutions:

• Anti-virus
• Better analysis tools
• Compartmentalizing processes
• Permission structures for SMS sending and contact parsing