Raoul is a member of UNICRI (http://www.unicri.it/), a United Nations crime and justice research institute.

Unicri research technology as well, because if normal people use technology, the bad guys use it as well.

“Every new technology opens the door to new criminal approaches”

In the 70s the first wave of hackers where searching for knowledge. In the early 80s the second wave of hackers was driven by curiosity. The third wave of hackers in the 90s where eager to hack and started to exchange information. The first communities where created. The current fourth wave is now driven by anger and money. Hacking has met politics (hacktivism) and money (cybercrime).

Why is cybercrime on the rise?
1)    There are more and more targets, thanks to broadband
2)    A need to make money, think economical crisis
3)    Hacking got easier, 0-day attacks and skimmers can be easily bought online.
4)    Fall guys are easy to recruit, e.g. for money laundering
5)    The criminals think they cannot be caught
6)    There is no violence, no need to face your victims

Hackers are no longer part of the ICT community, they are in it for the money and are professionals, but the media image of ciber criminals is still the old hacker image. Sometimes today the hackers are the good guys and the professionals are the bad guys.

Some numbers on cybercrime:
•    285 millions records compromised in 2008
•    $2,000,000,000 yearly turnover of RBN
•    148% increasing in ATM fraud

RBN is the Russian Business Network, its basically the ISP for cybercrime, they offer hosting and good bandwidth to those running a criminal enterprise on the web. It will give user anonymity and interaction with “like souls”.

Underground economy is the mechanism to clean money. Stealing money is easy, using that money is not so. Therefore any cybercriminal needs to set up a money laundering operation.

It is an organized enterprise.
Hackers, coders and scammers get the money for the boss and the mules make the money clean for him. Underground economy is everything from trading stolen information and good, the services needed to get them and the services to clean the money.

So how does this economy work?

In order to trade goods (CCV codes, cards, credentials, identities) on online forums you have to be approved by the organization that runs the forum
Fake credit cards are of  high quality and look very legitimate?
On line checks give full details of card holders for card production.

www.darkmarket.ws was run by two business mans. ChaO was arrested, but has been for years one of the biggest sellers of ATM skimmers. His villa, with personal swimming pool, contained a hologram printer, 10 boxes of skimmers and lots of fake cards.

These guys live in luxury.

Tor is really a community of developers and volunteers and is still looking for developers and volunteers to enhance themselves.

Top countries in the world in bandwidth:
•    Germany
•    USA
•    Netherlands
•    France
•    Sweden

Anonymity means different things to different people:
•    Private citizens – Privacy
•    Government – Traffic analysis resistance
•    Human rights activists – Reachability
•    Businesses – Network Security

Tor gives three anonymity properties by design, nto by policy:
1)    A local network can learn of influence your destination
2)    No single router can link you to your destination
3)    The destination or somebody watching it cannot learn you location

Tor is constantly being attacked, not by attacking the code, but by:
•    Blocking the directory authorities
•    Blocking relay IP addresses in the directory
•    Filtering based on Tor’s fingerprint
•    By preventing users from finding the tor software

Outers/IPS-es could filter on Tor’s signature in the past, but it now looks like Firefox talking to Apache. When the Tor download website was blocked, the Tor project test up a download tor by email service.

When the Peoples Republic of China turned 60 years, the censorship stepped up in preparation for it. Protecting the torproject.org website with an SSL certificate was good enough in the pas. They also took a snapshot of the network and blocked all its ip addresses for the day of the anniversary. Jacob showed a graph that showed us what suppression looked like.

As a reaction users where able to still get on the Tor network via bridge which you could get via email, or that is kept private.

There is quite a bit of censorship going on in the Western world, this is not something exclusively for evil regimes.

If you want to help the Tor project go to http://torproject.org and download and install the software.

The talk is about the “Smart Grid”. The key components are and advanced metering infrastructure, Transmission and distribution and generation of electricity.

Advanced Metering Infrastructure enables two way communication between the meters in your home and the power company. It offers the following features:
•    Load control works like this: Some power offer a discount in return for control over the thermostat of your AC or by allowing them to turn off your clothes dryer during peak hours. The main reason for this is officially to prevent black outs, but it can be used to prevent penalties as well.
•    Demand response: It allows for dynamic rates to be loaded to your meter.

Why move to a smart gird?
•    Energy conservation
•    Cost reduction
•    Improved Reliability of Delivery

Smart Grid security is significant because it has national security implications, because there are millions of entry points into the grid.

Why attack a smart gird?
•    Financial gain
o    Hacking your meter
o    Monitor the power usage for breaking and entering
•    Mischief
o    Turn off your neighbors’ power
•    Chaos

What are the attack vectors?
Meters are outside the houses in the US and their physical security depends on a normal screw. This means you can do hardware reverse engineering.
Keying millions of meters is hard, so it is likely that keys predicatable.
Once the channel is hacked open, the fun can begin.

Meter talk to devices in the home using ZigBee, but it is broken. KillerBee, written by Josh Wright, allows you to do anything you ever wanted to do on a wireless project on a ZigBee network.

As more and more control hardware starts using wireless protocols like WiMax, Wifi or ZigBee the bigger the attack surface. Even if these things control systems that result in death or personal injury if they fail.

Almost no hardware has firmware signing.

A self propagating worm for smart power meters has been demonstrated by Mike Davis of ioActive with a payload that can change rates, brick a meter alter usage, etc.

There is already so much hardware deployed with defunct security that it is very hard to get it fix.

He also released, into open source, an offline MiFare cracking utility that can be used to crack any MiFare card for 30 euros and with just a few hours of work.

In the past MiFare’s encryption technology, Crypto1, was only available in hardware and thus survived for a surprisingly long time.

Pavol explained how his program can computer derived keys from the main key by using the time distance between the keys.

For those people that dodn’t know. MiFare Classic can be cloned in 99.6% (Except for sector 0 that cannot be written) a ProxMark3 card emulator can emulate all cards 100% perfect.

There are currently three countermeasures:
1)    User safe cards (Mifare Plus/Mifare Desfire or other)
2)    Use decrement counter protection (workaround)
3)    Use online checking

Slovak public transport card allows anybody to read the name of the passenger and has no protection against cloning or modification.

The tool can be downloaded from https://www.nethemba.com/research/ .

Coming up:
•    Cracking hitag rfid
•    Cracking GSM encryption

You can download the slides below:

• TLS renegotiation authentication GAP v1.1 pdf
• TLS renegotiation authentication GAP v1.1 pptx

Special thanks to Marsh Ray for his suggestions and corrections.

Slide deck “Seccubus Confidence 2009.02 v0.1″

On the 19th of November Frank Breedijk announced that Jason Mansfield, who runs the website http:/clinicallyawasome.com, has won the contest by sending in the name Seccubus. A bottle of Vueve Clinquot champaing will be sent to him shortly.

The author has provided the following explanation of the name Seccubus:

Seccubus is a mythical creature that helps security professionals analyze and report the results of, repeated, vulnerability scans. Like its distant cousins the Succubus and Incubus the Seccubus is also a creature of the night. At night, or any other scheduled time, the Seccubus draws its energy from repeatedly performing vulnerability scans  of infrastructures until the vulnerabilities become exhausted or die.
The Inseccubus is the male counterpart of the Seccubus. While the Inseccubus draws his life energy from the assessor by repeatedly requiring him to (re-)analyse the same findings, the Seccubus get her energy from pleasing the assessor by reducing the number of findings by means of delta reporting.

The name Seccubus was chosen from a list of over 50 ideas sent after the contest was announced via the AutoNessus.com website, Hacker Public Radio, Paul dot com and various other social media outlets like Twitter, Facebook and LinkedIn.

“I wanted a name that was completely different from AutoNessus” said Frank Breedijk, explaining why suggestions like AutoVAS and AutoVAMP where turned down. Other suggestions where turned down because their name was already taken on media like twitter (e.g. VAsak, Vulnerability Assessment Swiss Army Knife) or “simply because I didn’t like them” (e.g. Mick Douglass is awesome).

Now that the new name has been announced the “rebranding” will be complete before the end of the year. The website www.seccubus.com is already live but still points to the AutoNessus.com site. Also Frank’s twitter account, @autonessus, will be renamed to @seccubus soon.

The response to the renaming contest was overwhelming and we would like to thank everybody who participated.

The first part of his presentation explained why routers are interesting targets (they are in the core), but also why routers are not actually exploited that much. One of the reasons is that the attack surface of router is quite small because routers don’t expose that much services to a truly remote attacker and are rarely used as clients.

The exception to the rule is “cisco-sa-20070124-crafted-ip-option” which is a remotely exploitable bug that causes a stack overflow on the router. Since “nobody ever updates router software” this vulnerability is still very much alive.

But routers need to support more and more, like IPv6, VoIP, XML configuration interface, luckily most services off.

Writing exploits for Cisco IOS is hard because it is not a real OS, but a single ELF binary. It is not based on a real OS we know hoe to exploit. Its only option to recover from a critical fault is a full reboot.

Another thing that makes exploitation hard is the memory layout. It is different from each single IOS version that it out there, and there are quite a few, currently there are over 270,000 different IOS images known by Cisco and you cannot get the version number remotely.

Best bet for getting a reliable return address for router exploitation is Rommon, the routers bios which loads the IOS and then remains in memory. It is at a fix address and there are big pools of the same versions present on the internet.

Unlike his talk at BlackHat Felix actually showed how the crafted ip option exploit can be used to get working reliable exploit. But since IOS is not an OS you need to get away with it without killing the router. If the stack is not completely overwritten, the return registers remain in tack and thus can be used to reliably return. His method has one drawback, in order for it to work, you need to know the version, but it is not remotely identifiable.

As an alternative there are code similarities in IOS images, but this still has problems.

Felix also made progress on shell code, he showed code that would cause the password evaluation function to always return true.

How do you protect your router?
•    Have faith.
•    Don’t allow people to talk to your router
•    Protect your routing protocols
•    Don’t run services on routers
•    Treat your service cards as the linux machines they are

Running Rancid helps, modification of the data structures show up here.

Turn crash dumping on, this will make sure you keep evidence of any attacks.

The he showed us how you can normalize the feeds and integrate them into NetWitness.

By tying infosec intelligence feeds and combining them with things like traffic statistics events on the network start making more sense. In stead of a random dynamic dns call you now all of a sudden you can tie that to a botnet infection on your network.