<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cupfighter.net &#187; har2009</title>
	<atom:link href="http://www.cupfighter.net/index.php/tag/har2009/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cupfighter.net</link>
	<description>A blog by Schuberg Philis colleagues</description>
	<lastBuildDate>Thu, 09 Feb 2012 14:27:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>My Security Justice interview</title>
		<link>http://www.cupfighter.net/index.php/2009/10/my-security-justice-interview/</link>
		<comments>http://www.cupfighter.net/index.php/2009/10/my-security-justice-interview/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 08:22:05 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Schuberg Philis]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[AutoNessus]]></category>
		<category><![CDATA[beer]]></category>
		<category><![CDATA[hacker culture]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security Justice]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=584</guid>
		<description><![CDATA[One month ago we blogged about my interview for Security Justice. Yesterday I got a tweet from Security Justice that the recording of my interview is now available. To my surprise the interview turned out a lot better than I remembered it.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securityjustice.com"><img class="alignright" title="Security Justice Logo" src="http://hak5radio.com/securityjustice.png" alt="" width="180" height="97" /></a>One month ago we blogged about <a title="Security Justice interview announcement" href="http://www.cupfighter.net/index.php/2009/09/security-justice-1st-bbq/" target="_self">my interview for Security Justice</a>. Yesterday I got a <a title="Security Justice Tweet" href="http://twitter.com/securityjustice/status/4670446759" target="_blank">tweet</a> from <a title="Security Justice website" href="http://securityjustice.com/" target="_blank">Security Justice</a> that the <a title="Security Justice interview with Frank Breedijk" href="http://securityjustice.com/archives/83" target="_blank">recording of my interview</a> is now available.</p>
<p>To my surprise the interview turned out a lot better than I remembered it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/10/my-security-justice-interview/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HAR: Silent Disco</title>
		<link>http://www.cupfighter.net/index.php/2009/08/har-silent-disco/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/har-silent-disco/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 22:38:52 +0000</pubDate>
		<dc:creator>Michael Wilkes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Hacking at Random]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[Silent Disco]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=512</guid>
		<description><![CDATA[A silent disco was held on Saturday August 15th, 2009 at the Hacking at Random gathering in Vierhouten, Netherlands. There were two DJs playing, each on their own channel that you could listen to with the free wireless headsets. At one point I put the headset near the mic on the camera so that you [...]]]></description>
			<content:encoded><![CDATA[<p>A silent disco was held on Saturday August 15th, 2009 at the Hacking at Random gathering in Vierhouten, Netherlands. There were two DJs playing, each on their own channel that you could listen to with the free wireless headsets. At one point I put the headset near the mic on the camera so that you could hear a little of the music, but it is more interesting to listen to the ambient sounds coming from the dancers (and the occasional comments of people standing nearby or the DJ asking everyone to &#8220;jump&#8221; or &#8220;wave your hands&#8221;).</p>
<p><a href="http://www.cupfighter.net/index.php/2009/08/har-silent-disco/"><em>Click here to view the embedded video.</em></a></p>
<p>The Silent Disco was made possible by Schuberg Philis.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/har-silent-disco/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HAR: networking overview by the NOC team</title>
		<link>http://www.cupfighter.net/index.php/2009/08/har-networking-overview-by-the-noc-team/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/har-networking-overview-by-the-noc-team/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 13:48:10 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[HAR2009]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=500</guid>
		<description><![CDATA[How did you get the network here in the middle of a field (10Gbps)? By the NOC team. Internet was provided by XS4ALL, BIT and OpenTransit. There were direct peering connections with Akamai, Google and Giganews. First problem: how do you get from Vierhouten to Amsterdam? In Vierhouten you have several options: •    3KM fibers [...]]]></description>
			<content:encoded><![CDATA[<p>How did you get the network here in the middle of a field (10Gbps)? By <a title="The Noc Team" href="https://wiki.har2009.org/page/Team:Network" target="_blank">The NOC team</a></p>
<p>Internet was provided by XS4ALL, BIT and OpenTransit. There were direct peering connections with Akamai, Google and Giganews.</p>
<p>First problem: how do you get from Vierhouten to Amsterdam? In Vierhouten you have several options:<br />
•    3 km of fiber to Nunspeet<br />
•    Two existing fibers, from KPN and UPC, in Vierhouten</p>
<p><span id="more-500"></span>KPN provided a link from Amsterdam to Putten, Putten to Harderwijk, Harderwijk to Hunnen, Hunnen to Uddel and Uddel to Vierhouten. The last 650 m was laid by the NOC team themselves.</p>
<p>Cables used:<br />
•    560 m single-mode fiber (SMF)<br />
•    3.5 km multi-mode fiber (MMF)<br />
•    15 km Cat 5e<br />
•    5 km of rope</p>
<p>One of the biggest challenges: putting fiber in trees.</p>
<p>Network equipment needed:<br />
•    1 * Foundry MLX 8 (core)<br />
•    4 * Mach 4002 (distribution)<br />
•    44 * HP ProCurve (access)</p>
<p>Dixie portable toilets served as Datenklos (network closets) because they can be locked and are watertight. A Datenklo's lock can be picked in under 5 seconds.</p>
<p>The NOC team did not receive a single abuse complaint during the entire event.</p>
<p>Nice hacks during HAR2009:<br />
•    WPAD: someone pointed wpad.visitors.har2009.net at his own machine via dynamic DNS, so every client doing Web Proxy Auto-Discovery sent its web traffic through his proxy server.<br />
•    One report of a MitM attack in the lounge</p>
<p>Wireless equipment:<br />
•    30 Cisco 1131 APs<br />
•    30 Cisco 1242 APs<br />
•    2 WLC 4404 controllers<br />
•    1 WCS server<br />
•    1 location appliance<br />
Total value: 170,000 euros</p>
<p>The location appliance can be used to locate users. There were about 1,500 unique users and a peak of 700 simultaneous users. There were quite a few rogue wireless access points.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/har-networking-overview-by-the-noc-team/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>HAR: Hackerspaces Everywhere by Esther Schneeweisz</title>
		<link>http://www.cupfighter.net/index.php/2009/08/har-hackerspaces/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/har-hackerspaces/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 11:54:09 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[HAR2009]]></category>
		<category><![CDATA[hackerspaces]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=496</guid>
		<description><![CDATA[So what is a hackerspace? “Desperate collaboration, rats and cooking with high voltage electricity”. Esther started her presentation by showing a hackerspaces video, which explained that hackerspaces are groups of people who are into hardware hacking and try to figure out how technology works, and what you can make from basically whatever. Projects are [...]]]></description>
			<content:encoded><![CDATA[<p>So what is a hackerspace? “Desperate collaboration, rats and cooking with high voltage electricity”.</p>
<p>Esther started her presentation by showing a hackerspaces video, which explained that hackerspaces are groups of people who are into hardware hacking and try to figure out how technology works, and what you can make from basically whatever.<br />
<span id="more-496"></span><br />
Projects are mainly hardware hacking, hardware reverse engineering, software development and art projects. They started in 1981.</p>
<p>Members of a hackerspace are not just there to put together cool blinky shiny things, although that is an important part; they also come to share their minds and ideas.</p>
<p>There is even a website with “Hacker Spaces Design Patterns”; it is “not a cookbook”. Currently there are 340 hackerspaces around the world.</p>
<p>For more info see <a title="Hackerspaces dot org" href="http://hackerspaces.org" target="_blank">http://hackerspaces.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/har-hackerspaces/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>HAR: DNSSEC restoring trust in DNS by Roland van Rijswijk</title>
		<link>http://www.cupfighter.net/index.php/2009/08/har-dnssec-restoring-trust/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/har-dnssec-restoring-trust/#comments</comments>
		<pubDate>Sat, 15 Aug 2009 12:48:11 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[HAR2009]]></category>
		<category><![CDATA[Bert Hubert]]></category>
		<category><![CDATA[DNSSEC]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[openDSNSEC]]></category>
		<category><![CDATA[powerDNSSEC]]></category>
		<category><![CDATA[rick van rein]]></category>
		<category><![CDATA[Roland van Rijswijk]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=490</guid>
		<description><![CDATA[Links from the HAR2009 site: Talk description and Slides. Roland started off by explaining the basics of DNS cache poisoning and the details of the trick discovered by Dan Kaminsky last year, explaining why you do not have to wait for the cached answer to expire before you can poison the cache. Quite a bit of [...]]]></description>
			<content:encoded><![CDATA[<p>Links from the <a title="HAR2009" href="http://har2009.org" target="_blank">HAR2009</a> site: <a title="Talk description" href="https://har2009.org/program/events/78.en.html" target="_blank">Talk description</a> and <a title="Slides" href="https://har2009.org/program/attachments/23_DNSSEC-web.pdf" target="_blank">Slides</a>.</p>
<p>Roland started off by explaining the basics of DNS cache poisoning and the details of the trick discovered by Dan Kaminsky last year, explaining why you do not have to wait for the cached answer to expire before you can poison the cache.</p>
<p>Quite a bit of the patching done after the Kaminsky attack became public has actually been undone by NAT-ing firewalls, which do not randomize the source ports they use to keep track of their NAT table.<br />
<span id="more-490"></span><br />
The DNS resolvers put up by Rick and his team at HAR were attacked, but nobody was able to poison them, as Bert Hubert had predicted.</p>
<p>DNSSEC uses public/private key cryptography to sign DNS records. Because this makes the packets larger, you no longer need a DDoS attack to cause a DoS: a single computer will do.</p>
<p>DNSSEC uses a two-tiered key model: a key signing key (KSK, &gt;= 2048-bit RSA) and a zone signing key (ZSK, &gt;= 1024-bit). DNSSEC adds resource records: DNSKEY and DS for keys, RRSIG for signatures, and NSEC or NSEC3 for authenticated denial of existence. This makes zones quite a bit larger.</p>
<p>So how is a signature validated? Each answer carries a signature, so we need to obtain the signing key in a way we can trust. The hash of each zone's key (its DS record) is published and signed by the parent zone above it, and the parent's key is in turn vouched for by its own parent.</p>
<p>.com and .net are expected to be signed by 2011. Signing of the root (.) zone is expected by the end of this year. Since only a few zones are signed, we have islands of trust, each with its own trust anchor. There are interim solutions for this, like <a title="ITAR" href="https://itar.iana.org" target="_blank">https://itar.iana.org</a> and <a title="DNSSEC lookaside" href="https://www.isc.org/solutions/dlv" target="_blank">ISC “DNSSEC look-aside validation”</a>. These solutions all have their own trust issues, like SSL, or their reliance on DNS.</p>
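<p>The chain just described, as an added example that is not code from the talk, the slides or any DNSSEC implementation: a toy model in which each zone's KSK signs its DNSKEY set, its ZSK signs every other record, the parent publishes a DS digest of the child's KSK, and a validator walks upward until it reaches a configured trust anchor. The zone names, the record contents and the Mersenne-prime toy RSA keys are assumptions made for the example, and the key sizes are deliberately far below the 2048/1024-bit minimums mentioned above.</p>

```python
# Added example, not code from the talk, the slides or any DNSSEC
# implementation: a toy model of the DNSSEC trust chain described above.
# Keys are textbook RSA built from Mersenne primes so the block runs
# stand-alone; nothing here is DNSSEC wire format and the key sizes are
# deliberately tiny. Requires Python 3.8+ for pow(e, -1, m).
import hashlib

E = 65537
# (KSK exponent pair, ZSK exponent pair) per zone; each k is the exponent of
# a known Mersenne prime 2**k - 1, so no prime generation is needed.
EXPONENTS = {
    ".": ((2281, 127), (2203, 107)),
    "nl": ((1279, 89), (607, 61)),
    "example.nl": ((521, 31), (19, 17)),
    "test": ((13, 7), (5, 3)),      # signed, but its parent publishes no DS
}


def toy_rsa_key(p_exp, q_exp):
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))   # (public, private)


def h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, pub, data):
    return pow(h(data) % pub[0], priv, pub[0])


def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == h(data) % pub[0]


def key_bytes(pub):
    return f"{pub[0]}:{pub[1]}".encode()


def ds_digest(owner, ksk_pub):
    """DS record content: a hash over the child's name and its KSK."""
    return hashlib.sha256(owner.encode() + key_bytes(ksk_pub)).hexdigest()


def canon(owner, rtype, rdata):
    return f"{owner}|{rtype}|".encode() + rdata


class Zone:
    def __init__(self, name):
        self.name = name
        k, z = EXPONENTS[name]
        self.ksk_pub, self._ksk_priv = toy_rsa_key(*k)
        self.zsk_pub, self._zsk_priv = toy_rsa_key(*z)
        self.rrs = {}                 # (owner, type) -> (rdata, rrsig)
        # The DNSKEY set is the one RRset signed by the KSK.
        dnskey = key_bytes(self.ksk_pub) + b"|" + key_bytes(self.zsk_pub)
        self.rrs[(name, "DNSKEY")] = (
            dnskey, sign(self._ksk_priv, self.ksk_pub, canon(name, "DNSKEY", dnskey)))

    def add(self, owner, rtype, rdata):
        """Every other RRset is signed by the ZSK."""
        self.rrs[(owner, rtype)] = (
            rdata, sign(self._zsk_priv, self.zsk_pub, canon(owner, rtype, rdata)))

    def delegate(self, child):
        """The parent publishes, and signs, the DS for the child's KSK."""
        self.add(child.name, "DS", ds_digest(child.name, child.ksk_pub).encode())


def validate(zones, zone_name, owner, rtype, trust_anchors):
    """'secure', 'bogus' or 'insecure' for (owner, rtype) served by zone_name.
    trust_anchors: DS digests trusted a priori (the root's, or a zone's own
    in the ITAR/DLV style). NSEC denial of existence is not modelled."""
    zone = zones[zone_name]
    if (owner, rtype) not in zone.rrs:
        return "bogus"
    rdata, sig = zone.rrs[(owner, rtype)]
    dnskey, keysig = zone.rrs[(zone_name, "DNSKEY")]
    if not verify(zone.zsk_pub, canon(owner, rtype, rdata), sig):
        return "bogus"                # RRSIG does not verify under the ZSK
    if not verify(zone.ksk_pub, canon(zone_name, "DNSKEY", dnskey), keysig):
        return "bogus"                # DNSKEY set does not verify under the KSK
    own_ds = ds_digest(zone_name, zone.ksk_pub)
    if own_ds in trust_anchors:
        return "secure"               # reached a trust anchor
    if zone_name == ".":
        return "insecure"             # root itself is not trusted
    parent = zones.get(zone_name.partition(".")[2] or ".")
    if parent is None or (zone_name, "DS") not in parent.rrs:
        return "insecure"             # island of trust: no DS upstream
    if parent.rrs[(zone_name, "DS")][0] != own_ds.encode():
        return "bogus"                # parent vouches for a different KSK
    return validate(zones, parent.name, zone_name, "DS", trust_anchors)


def build_example():
    """Root -> nl -> example.nl fully chained; 'test' has no DS in the root."""
    zones = {name: Zone(name) for name in EXPONENTS}
    zones["."].delegate(zones["nl"])
    zones["nl"].delegate(zones["example.nl"])
    zones["example.nl"].add("www.example.nl", "A", b"192.0.2.10")
    zones["test"].add("www.test", "A", b"192.0.2.20")
    return zones


if __name__ == "__main__":
    zones = build_example()
    anchor = {ds_digest(".", zones["."].ksk_pub)}
    print(validate(zones, "example.nl", "www.example.nl", "A", anchor))  # secure
    print(validate(zones, "test", "www.test", "A", anchor))              # insecure
```

<p>Running it shows the two situations the talk contrasts: www.example.nl validates as secure through nl and the root, while test, which is signed but has no DS in its parent, comes back insecure until its own DS is configured as a trust anchor, which is exactly what ITAR or DLV supply. A record altered after signing, or a parent DS that vouches for a different KSK, comes back bogus.</p>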
<p>There is a lot of work going on at the moment because root zone signing is close.</p>
<p>Even though there are a lot of problems with DNSSEC, even the critics agree that it is the only solution available at the moment. The biggest gap right now is easy-to-use tools; luckily a lot of people are working on this.</p>
<p>The alternatives to DNSSEC are arguably worse. Patching against vulnerabilities is an arms race. SSL/TLS is too heavy for the lightweight DNS protocol, and SSL has its own issues. TSIG does not scale because it relies on shared secrets, and DNSCurve is just not available yet.</p>
<p>SURFnet has implemented DNSSEC validation on its resolvers and was able to validate 1% of the answers. 1% is a higher adoption rate than IPv6 has.</p>
<p>You can help by contributing to open source projects like PowerDNSSEC or OpenDNSSEC.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/har-dnssec-restoring-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HAR: DNS Security in the broadest sense, some good, some bad by Bert Hubert of PowerDNS.com / Fox-IT</title>
		<link>http://www.cupfighter.net/index.php/2009/08/har-dns-security/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/har-dns-security/#comments</comments>
		<pubDate>Fri, 14 Aug 2009 15:41:44 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[HAR2009]]></category>
		<category><![CDATA[Bert Hubert]]></category>
		<category><![CDATA[DNSSEC]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[PowerDNS]]></category>
		<category><![CDATA[powerDNSSEC]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=480</guid>
		<description><![CDATA[Slides are here. Bert Hubert introduced us to the world of DNS. He opened by stating that “DNS is scary and complex” and “DNS is everywhere”. Why is DNS scary and complex? DNS answers consist of a single UDP packet with binary, variable-length fields. It is a common misconception that DNS names end [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.powerdns.com/"><img class="alignright size-full wp-image-481" title="PowerDNS logo" src="http://www.cupfighter.net/wp-content/uploads/2009/08/powerdns_logo.jpg" alt="PowerDNS logo" width="244" height="104" /></a>Slides are <a href="http://tinyurl.com/powerdns" target="_blank">here</a>.</p>
<p>Bert Hubert introduced us to the world of DNS. He opened by stating that “DNS is scary and complex” and “DNS is everywhere”.</p>
<p><span id="more-480"></span></p>
<p>Why is DNS scary and complex? DNS answers consist of a single UDP packet with binary, variable-length fields. It is a common misconception that DNS names end in a NUL character: labels are length-prefixed, so \3www\9my\0domain\3com\0 is a valid encoding of www.my\0domain.com, and the same NUL-byte handling bug that turned up in many SSL implementations may exist in DNS code as well.<br />
DNS compression also causes issues, because it allows pointers to other parts of the answer. That other part can itself contain a pointer, so you can construct a loop, and some DNS implementations will follow such an endless loop very fast.</p>
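<p>Both pitfalls in one small decoder, as an added example that is not code from the talk or from PowerDNS: labels are read by their length prefix, so the NUL inside my\0domain stays data, and compression pointers are only ever followed backwards, which makes a pointer loop impossible by construction. The sample messages are constructed for this example.</p>

```python
# Added example, not code from the talk or from PowerDNS: a defensive DNS
# name decoder for the two pitfalls described above. Labels are read by
# their length prefix, so a NUL byte inside a label is data; compression
# pointers are only followed backwards, so a pointer loop cannot occur.
# The messages at the bottom are constructed for this example.


class DnsNameError(ValueError):
    """Any malformed name: the caller should drop the whole packet."""


def read_name(msg, offset, max_jumps=16):
    """Decode the name at msg[offset:].

    Returns (labels, end): labels is a list of raw label bytes, end is the
    offset just past the name in the un-jumped stream (RFC 1035 4.1.4).
    """
    labels, pos, end, jumps, total = [], offset, None, 0, 0
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2                       # name ends after 1st pointer
            # A pointer must refer to a prior occurrence of a name. Insisting
            # that every jump goes backwards rules out self-references and
            # mutual loops outright; the jump cap is defence in depth.
            if target >= pos:
                raise DnsNameError("forward or self-referencing pointer")
            jumps += 1
            if jumps > max_jumps:
                raise DnsNameError("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:                           # 0x40 / 0x80 are reserved
            raise DnsNameError("reserved label type")
        if length == 0:                             # root label terminates
            return labels, (end if end is not None else pos + 1)
        if pos + 1 + length > len(msg):
            raise DnsNameError("label runs past end of message")
        total += 1 + length
        if total > 254:                             # 255 incl. the root label
            raise DnsNameError("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length])
        pos += 1 + length


def to_text(labels):
    """Presentation form with \\DDD escapes, so a NUL or '.' inside a label
    is shown rather than silently truncating or splitting the name."""
    out = []
    for label in labels:
        chars = []
        for b in label:
            if b in b".\\":
                chars.append("\\" + chr(b))
            elif 0x21 <= b <= 0x7E:
                chars.append(chr(b))
            else:
                chars.append("\\%03d" % b)
        out.append("".join(chars))
    return ".".join(out)


def is_malformed(msg, offset=0):
    try:
        read_name(msg, offset)
        return False
    except DnsNameError:
        return True


# The talk's \3www\9my\0domain\3com\0, followed by a second name "mail"
# that compresses its suffix with a pointer back to offset 4.
SAMPLE = (b"\x03www" b"\x09my\x00domain" b"\x03com" b"\x00"
          b"\x04mail" b"\xc0\x04")
POINTER_TO_SELF = b"\xc0\x00"                       # offset 0 -> offset 0
MUTUAL_LOOP = b"\xc0\x02" b"\xc0\x00"               # 0 -> 2 -> 0 -> ...

if __name__ == "__main__":
    labels, end = read_name(SAMPLE, 0)
    print(to_text(labels), end)                     # www.my\000domain.com 19
    print(to_text(read_name(SAMPLE, 19)[0]))        # mail.my\000domain.com
    print(is_malformed(POINTER_TO_SELF), is_malformed(MUTUAL_LOOP))  # True True
```

<p>The backward-only rule is stricter than some resolvers apply, but RFC 1035 only defines pointers to a prior occurrence of a name, so it costs nothing on well-formed traffic; the jump cap and the 255-octet limit are defence in depth against implementations that generate odd but technically legal names.</p>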
<p>In order to have a secure and stable DNS implementation you need to get each and every thing right.</p>
<p>DNS is everywhere, and more and more devices contain DNS code: 20-euro ADSL routers that interfere with your DNS queries, cameras, phones. DNS also has more and more alternative uses, like anti-virus, advertising and censorship.</p>
<p>What are the threats to DNS?<br />
The main risks are around availability. If there is no DNS, &#8220;the Internet is down&#8221;. A single resolver may be serving anything from 1 to more than 100,000 users. The largest authoritative DNS server hosts more than 8,000,000 zones.</p>
<p>Exploitation is also a risk. If you own a DNS server, you own the Internet for the users trusting that server, and usually you also own the box the DNS server runs on.</p>
<p>A further interesting angle is integrity. If DNS sends you the wrong way, your traffic goes to the wrong server and your money follows.</p>
<p>When you talk about availability, the situation is not very good: it is extremely easy to kill a DNS server. It only takes about 10,000 well-designed queries per second to kill a resolver, and about 50,000 queries per second to kill an authoritative server. This is why large companies like Akamai and large providers have stacks and stacks of DNS servers.</p>
<p>Exploitation is also a risk: typical resolver routines in common OSes and appliances still contain very old DNS code dating from 1984. The scariest part is that nobody seems to care; the original Windows XP used ‘1’ or ‘2’ as its “random” DNS transaction ID.</p>
<p>Integrity, however, is the biggest issue. The whole Internet is built on top of DNS. From a technical perspective DNS spoofing is easy: anybody can answer a DNS query as long as the answer carries the right source IP, destination port, transaction ID and query name, and arrives before the genuine answer.<br />
Luckily the chance of doing this successfully is about 1 in 2,000,000,000 per attempt; before people started patching for the Kaminsky attack it was 1 in 65,535. By randomizing the source port, the time needed for a 50% chance of spoofing an answer went from 10 seconds to 10 hours.</p>
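<p>The two figures above, and the remark in the DNSSEC write-up that NAT-ing firewalls undo source-port randomization, can be checked from a capture of a resolver's outgoing queries. The script below is an added example, not code from either talk: it reads constructed log lines of the form "txid=0x.... sport=....", decides with a simple heuristic whether transaction IDs and source ports actually vary, and converts the remaining guess space into the number of spoofed answers, and the time at a given rate, needed for a 50% chance of success. The log format, the heuristic thresholds and the 32768-port ephemeral range are assumptions.</p>

```python
# Added example, not code from either talk: does a resolver's outgoing
# traffic actually vary its transaction IDs and source ports, and how much
# does the remaining guess space cost an off-path spoofer? The log format,
# the log lines and the heuristic thresholds are constructed for this
# example; the ephemeral port range of 32768 ports is an assumption.
import math
import re

QUERY_RE = re.compile(r"txid=0x(?P<txid>[0-9a-fA-F]{4})\s+sport=(?P<sport>\d+)")

# Constructed capture behind a NAT firewall that rewrites source ports to a
# sequential pool, undoing the resolver's own port randomization.
NATTED_LOG = """\
12:00:01 txid=0x9f21 sport=1025 qname=www.example.com
12:00:01 txid=0x03bc sport=1026 qname=mail.example.com
12:00:02 txid=0xe77a sport=1027 qname=ns1.example.net
12:00:02 txid=0x5c10 sport=1028 qname=www.example.org
12:00:03 txid=0xa4d9 sport=1029 qname=cdn.example.com
12:00:03 txid=0x1b6e sport=1030 qname=www.example.nl
12:00:04 txid=0x7702 sport=1031 qname=img.example.com
12:00:04 txid=0xcd45 sport=1032 qname=api.example.com
""".splitlines()

# Constructed capture of the same queries taken before the NAT device.
RANDOMIZED_LOG = """\
12:00:01 txid=0x9f21 sport=51234 qname=www.example.com
12:00:01 txid=0x03bc sport=7781 qname=mail.example.com
12:00:02 txid=0xe77a sport=60002 qname=ns1.example.net
12:00:02 txid=0x5c10 sport=33417 qname=www.example.org
12:00:03 txid=0xa4d9 sport=19954 qname=cdn.example.com
12:00:03 txid=0x1b6e sport=45210 qname=www.example.nl
12:00:04 txid=0x7702 sport=2893 qname=img.example.com
12:00:04 txid=0xcd45 sport=58731 qname=api.example.com
""".splitlines()


def parse_queries(lines):
    """[(txid, sport), ...] for every line carrying both fields."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((int(m["txid"], 16), int(m["sport"])))
    return out


def looks_randomized(values, max_sequential=0.5, min_distinct=0.9):
    """Cheap heuristic: sequential allocators (NAT port pools, resolvers
    that count their IDs up) show small positive steps between successive
    values and repeat values; a random source does neither."""
    if len(values) < 2:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    sequential = sum(1 for s in steps if 0 < s <= 2) / len(steps)
    distinct = len(set(values)) / len(values)
    return sequential < max_sequential and distinct >= min_distinct


def guess_space_bits(txid_random, port_random, ephemeral_ports=32768):
    """Bits an off-path attacker must guess per query: 16 for a random
    transaction ID, plus about 15 for the source port when it varies too.
    A fixed ID (Windows XP's 1 or 2) leaves roughly one bit."""
    bits = 16 if txid_random else 1
    if port_random:
        bits += math.log2(ephemeral_ports)
    return bits


def attempts_for_half_chance(bits):
    """Spoofed answers needed for a 50% chance that one of them matches."""
    return math.log(0.5) / math.log1p(-(2.0 ** -bits))


def seconds_for_half_chance(bits, spoofed_per_second):
    return attempts_for_half_chance(bits) / spoofed_per_second


def assess(lines, spoofed_per_second=100_000):
    queries = parse_queries(lines)
    txid_ok = looks_randomized([t for t, _ in queries])
    port_ok = looks_randomized([p for _, p in queries])
    bits = guess_space_bits(txid_ok, port_ok)
    return {
        "txid_random": txid_ok,
        "port_random": port_ok,
        "guess_space": 2 ** bits,
        "seconds_to_50pct": seconds_for_half_chance(bits, spoofed_per_second),
    }


if __name__ == "__main__":
    for label, log in (("behind NAT", NATTED_LOG), ("before NAT", RANDOMIZED_LOG)):
        print(label, assess(log))
```

<p>With a 16-bit transaction ID alone the space is 65,536, which gives the 1 in 65,535 figure; adding roughly 15 bits of source port gives about 2.1 billion, the speaker's 1 in 2,000,000,000. How much the 10 seconds stretch to depends on how many ephemeral ports the resolver really draws from, which is precisely what a NAT device with a small sequential pool takes away, and the heuristic above only needs a few dozen captured queries to notice that.</p>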
<p>Currently, in order to spoof DNS you need to generate too much traffic. That traffic will kill the DNS servers, and “people notice that”.</p>
<p>But what if we are patient and start a slow attack? If we generate 100 queries per second, we have a 50% chance of succeeding after six weeks. If you are spoofing . (the root zone), six weeks is not that long to wait, because once I can spoof the root zone I own DNS for that resolver.</p>
<p>The details of this technique are being kept quiet because it works very well, and the countermeasures against it either do not work or break too much.</p>
<p>What are the medium-term solutions?<br />
Why not do DNS over TCP? Most people will tell you that it does not perform well enough, but that is mainly because the RFC specifies a 2-minute timeout.<br />
Another solution might be to send every DNS query three times and pick the majority answer. However, round-robin servers and CDNs like Akamai will actually give you a different answer for every query.<br />
The speaker has proposed an alternative solution, EDNS-PING: an extra 16-bit number added to DNS.</p>
<p>What are the long-term solutions?<br />
DNSSEC does solve all spoofing risks, but unfortunately it increases the packet size and thus the DoS risk. Also, DNSSEC only works if everybody uses DNSSEC.</p>
<p>The speaker believes that DNSSEC is far too complex. That is why he created PowerDNSSEC, because “if we use DNSSEC it should be easy”.</p>
<p>In summary:<br />
•    DNS security is hard to get right, which is bad because it is everywhere.<br />
•    Slow DNS attacks are worrying and there are no real countermeasures.<br />
•    If DNSSEC is not done right it will only make things more complex.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/har-dns-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>HAR: Advanced MySQL Exploitation by Muhaimin Dzulfakar</title>
		<link>http://www.cupfighter.net/index.php/2009/08/har-mysql-exploit/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/har-mysql-exploit/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 21:13:44 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[HAR2009]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[mysql]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[sql injection]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=475</guid>
		<description><![CDATA[Nice way to upload files to a web server. While there is nothing new about uploading a file to a web server and then executing it, using SQL injection to do it is a novelty. By zlib-compressing and base64-encoding the payload and uploading it via SQL injection, the speaker was able to bypass [...]]]></description>
			<content:encoded><![CDATA[<p>Nice way to upload files to a web server. While there is nothing<img class="alignright size-full wp-image-476" title="MySQL logo" src="http://www.cupfighter.net/wp-content/uploads/2009/08/mysql_logo.jpg" alt="MySQL logo" width="149" height="86" /> new about uploading a file to a web server and then executing it, using SQL injection to do it is a novelty. By zlib-compressing and base64-encoding the payload and writing it to disk via SQL injection, the speaker was able to bypass standard defenses like extension limiting and file type checking.</p>
<p><span id="more-475"></span>Unfortunately his demonstration turned into a demonstruction: even though he managed to upload the file, the payload did not execute. It did execute when he visited the uploaded PHP file himself, clearly demonstrating that the technique works.</p>
<p>The exploit works on WAMP platforms (Windows, Apache, MySQL, PHP) and may work on LAMP platforms (Linux, Apache, MySQL, PHP), but there it requires that the database user can write anywhere in the document root and that the written file is then executable by the web server, both of which are classic configuration mistakes.</p>
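<p>A defender's counterpart to this technique, as an added example that is not code from the talk or from MySQL: a scan over MySQL general query log lines for the primitives an injection-to-file-write attack needs, a SELECT ... INTO OUTFILE or DUMPFILE, LOAD_FILE, a decode chain such as UNCOMPRESS(UNHEX(...)), long hex or base64 blobs, and a destination path inside a web root. The log lines, the rule thresholds and the path patterns are constructed for this example.</p>

```python
# Added example, not code from the talk or from MySQL: scan MySQL general
# query log lines for the primitives an injection-to-file-write attack of
# the kind described above relies on. The log lines below are constructed
# in the MySQL 5.1 general-log layout; the rules and the web-root path
# patterns are assumptions to be tuned for a real deployment.
import re

# "YYMMDD HH:MM:SS  <connection id> Query  <statement>"
LOG_LINE = re.compile(
    r"^\d{6}\s+\d\d:\d\d:\d\d\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

RULES = [
    ("file-write", re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("file-read", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    # FROM_BASE64 only exists on MySQL 5.6+; UNHEX/UNCOMPRESS are the 2009-era tools
    ("decode-chain", re.compile(r"\b(UNCOMPRESS|UNHEX|FROM_BASE64)\s*\(", re.I)),
    ("hex-blob", re.compile(r"(?:\b0x|')[0-9a-fA-F]{40,}")),
    # base64 text long enough to carry a payload and not purely hex
    ("base64-blob", re.compile(r"'(?=[A-Za-z0-9+/]*[G-Zg-z+/])[A-Za-z0-9+/]{40,}={0,2}'")),
    ("union-probe", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("webroot-path", re.compile(
        r"'(/var/www|[A-Za-z]:[\\/]+(wamp|xampp|inetpub))[^']*\.(php|phtml|asp|aspx|jsp)'", re.I)),
]


def classify(sql):
    """Names of all rules the statement triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(sql)]


def scan_general_log(lines, min_hits=2):
    """[(connection id, statement, tags)] for statements that trigger at
    least min_hits rules: one UNION is scanner noise, UNION plus INTO
    DUMPFILE plus a decode chain is not."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify(m["sql"])
        if len(tags) >= min_hits:
            findings.append((int(m["conn"]), m["sql"], tags))
    return findings


# Constructed general-log excerpt: a normal query, a UNION probe, a
# WAMP-style write through a decode chain, a benign insert, and a
# LAMP-style write of a raw hex literal (placeholder bytes, not a payload).
SAMPLE_LOG = """\
090813 21:13:40\t    5 Query\tSELECT id, title FROM news WHERE id = 42
090813 21:13:41\t    5 Query\tSELECT id, title FROM news WHERE id = 42 UNION ALL SELECT 1,2
090813 21:13:44\t    5 Query\tSELECT id, title FROM news WHERE id = 42 UNION ALL SELECT UNCOMPRESS(UNHEX('789cdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef')),2 INTO DUMPFILE 'C:/wamp/www/uploads/x.php'
090813 21:13:50\t    7 Query\tINSERT INTO comments (post_id, body) VALUES (42, 'nice post')
090813 21:13:55\t    9 Query\tSELECT 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef INTO OUTFILE '/var/www/html/uploads/x.php'
""".splitlines()

if __name__ == "__main__":
    for conn, sql, tags in scan_general_log(SAMPLE_LOG):
        print(conn, tags, sql[:80])
```

<p>A single UNION SELECT is common enough in scanner noise that one rule alone is not reported; two or more together are. On the server side the attack also needs the FILE privilege on the application's database account and a secure_file_priv setting that does not confine file operations to a safe directory, so those two settings are where a hardening review should look first.</p>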
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/har-mysql-exploit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defcon talk: Invisible Access Electronic Access Control, Audit Trails and &#8220;High Security&#8221; by Marc Weber Tobias and Tobias Bluzmanis</title>
		<link>http://www.cupfighter.net/index.php/2009/08/defcon-invisible-access/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/defcon-invisible-access/#comments</comments>
		<pubDate>Thu, 06 Aug 2009 07:13:00 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Defcon]]></category>
		<category><![CDATA[assa abloy]]></category>
		<category><![CDATA[cliq]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[lockpicking]]></category>
		<category><![CDATA[locks]]></category>
		<category><![CDATA[physical security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=433</guid>
		<description><![CDATA[Unfortunately, Matt Fiddler could not make it to the talk because of acute appendicitis. These three guys are from http://in.security.org. They presented the results of their attempts to break high security electromechanical locks. Unfortunately they are not able to disclose the details of how they attacked the locks in the USA, but more information will [...]]]></description>
			<content:encoded><![CDATA[<p>Unfortunately, Matt Fiddler could not make it to the talk because of acute appendicitis. These three guys are from http://in.security.org. They presented the results of their attempts to break high security electromechanical locks. Unfortunately they are not able to disclose the details of how they attacked the locks in the USA, but more information will be disclosed at <a title="Hacking at Random 2009" href="http://www.har2009.org" target="_blank">Hacking at Random</a> in <a title="Google maps" href="http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=vierhouten&amp;sll=35.173808,-95.712891&amp;sspn=33.568954,56.513672&amp;ie=UTF8&amp;ll=52.339954,5.828934&amp;spn=0.098798,0.220757&amp;z=12&amp;iwloc=A" target="_blank">Vierhouten</a> in the Netherlands from 13 to 16 August.</p>
<p><span id="more-433"></span>When we talk about high security locks, what are we talking about? There are US standards for high security locks, but do they offer any value?</p>
<p>To know that, we have to look at what it is that makes a lock secure. Three factors determine this: its resistance against forced entry, its resistance against covert entry, and key security. In.security.org has developed a rating based on the three T's: the Time, Tools and Training needed to compromise a lock.</p>
<p>When you look at the standards, they cover a very limited set of attacks; e.g. the US standards do not cover bumping attacks.</p>
<p><a title="Web site" href="http://in.security.org" target="_blank">In.security.org</a> was able to successfully attack electromechanical locks because in the end they “are still mechanical locks”.</p>
<p>The attacks focused on the Cliq system, which is the most widely used implementation of electromechanical locks, made by ASSA Abloy. It is used, for example, in the ASSA Cliq Solo system, which was just released in Europe and will not be released in the USA because it was compromised.</p>
<p>Contrary to their advertisements (<a title="Demo #1" href="http://www.assacliq.com/images/CLIQ-Function-MechReturn.wmv" target="_blank">1</a>, <a title="Advertisement" href="http://www.assacliq.com/components.htm" target="_blank">2</a>), there are real issues with the Cliq system:<br />
•    Simulation of keys<br />
•    Lost or stolen keys cannot be deleted, but instead put the entire system of a site at risk<br />
•    Certain cylinders cannot be rekeyed<br />
•    It is possible to simulate credentials<br />
•    Or to totally bypass the electronic system<br />
•    These attacks do not leave the promised audit trail</p>
<p><a title="Toool website" href="http://toool.nl/" target="_blank">Toool, The Open Organisation Of Lockpickers</a>, has offered lock vendors like ASSA Abloy their full research in exchange for locks and a promise that the faults found would be fixed, but this offer has been turned down. Vendors will not provide locks for research, will not provide fixes and have “no interest” in the data.</p>
<p>They then showed a video in which these locks were all compromised. One way to prevent the creation of an audit trail is to block the interface between the lock's electronics and the key with the help of an “advanced attack”: putting a piece of paper between the lock and the key.</p>
<p>The most striking demonstration was manually picking one of these locks, something these locks are supposed to prevent.</p>
<p>As these locks contain fundamental security engineering flaws, the speakers believe the vendors should fix these issues and offer a full, free replacement of all vulnerable locks installed. Unfortunately the vendors have a different opinion.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/defcon-invisible-access/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

