For the 7th time in a row Stormbringer and I visited the Chaos
Communication Congress in Berlin. It was fun as always: I gave my
second talk, about libdetox, we drank many beers, and I also listened
to some interesting talks. A writeup of the different talks follows:
Day 1
Rop Gonggrijp: 27C3 Keynote - We come in Peace
Rop talks about Wikileaks, free speech, journalism and how unhappy
people can be used to change the world. An angry energy is needed to
change something: although we come in peace, it is important to use our
unhappiness to change things.
Branko Spasojevic: Code deobfuscation by optimization
Static binary translation is used to remove obfuscation: basic blocks
are merged, and conditional jumps whose outcome is statically known
(opaque predicates) are removed using static flag tracking. The approach
is limited because it looks at no dynamic data at all.
Dominik Herrmann, lexi: Contemporary Profiling of Web Users - On Using
Anonymizers and Still Get Fucked
Individual users behind an anonymizer can be told apart by the set of
hosts they access: train a classifier on each user's host-access
pattern and use it to re-identify the users in later anonymized
sessions. The same analysis finds bots, which access hosts in unusual
patterns. Proposed countermeasure: generate additional background web
traffic that obfuscates the real traffic.
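The re-identification the talk describes is, at its core, a classifier over per-user host frequencies. The following is an added example (my own code, not the speakers' tooling): a multinomial naive Bayes model trained on the hosts seen in a few earlier sessions per user, then applied to a new session that arrives through an anonymizer. The users, host names and sessions are constructed for the example. The last function shows the countermeasure the talk proposes: padding the real session with background requests, which here makes the classifier attribute the session to the wrong user.

```python
from collections import Counter
from math import log

# Constructed training data (hypothetical users and host names, not from the talk):
# for each user, the hosts contacted in a few earlier, already attributed sessions.
TRAIN = {
    "alice": [["news.example", "mail.example", "wiki.example"],
              ["news.example", "mail.example", "shop.example"]],
    "bob":   [["git.example", "ci.example", "wiki.example"],
              ["git.example", "ci.example", "docs.example"]],
    "carol": [["video.example", "music.example"],
              ["video.example", "social.example"]],
}


def train(sessions_by_user):
    """Per-user host frequency counts plus the global host vocabulary."""
    models, vocab = {}, set()
    for user, sessions in sessions_by_user.items():
        counts = Counter()
        for hosts in sessions:
            counts.update(hosts)
        models[user] = counts
        vocab.update(counts)
    return models, vocab


def score(models, vocab, session):
    """Log-likelihood of a session under each user's multinomial host model.
    Laplace smoothing, with one extra smoothing slot for never-seen hosts."""
    scores = {}
    for user, counts in models.items():
        denom = sum(counts.values()) + len(vocab) + 1
        scores[user] = sum(log((counts[host] + 1) / denom) for host in session)
    return scores


def classify(models, vocab, session):
    """Most likely user for an anonymized session (uniform prior over users)."""
    scores = score(models, vocab, session)
    return max(scores, key=scores.get)


def with_cover_traffic(session, cover_hosts):
    """Countermeasure from the talk: mix background requests into the real ones."""
    return list(session) + list(cover_hosts)


if __name__ == "__main__":
    models, vocab = train(TRAIN)
    anon = ["news.example", "mail.example"]  # new session seen at the anonymizer's exit
    print(classify(models, vocab, anon))  # alice
    padded = with_cover_traffic(anon, ["git.example", "ci.example"] * 2)
    print(classify(models, vocab, padded))  # bob: the cover traffic misleads the classifier
```

Two things worth noting: the model needs no IP addresses at all, only the hosts the anonymizer still has to resolve and connect to, and the cover traffic only helps if it resembles somebody else's profile; random padding mostly lowers the score margin rather than flipping the decision.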
Felix Gröbert: Automatic Identification of Cryptographic Primitives in
Software
Use Pin on Windows to analyze malware and automatically find the crypto
blocks inside the application: record an execution trace of all
executed instructions, categorize cryptographic algorithms by the
instruction combinations they rely on, then search the trace for these
instruction patterns and for loops, and classify the crypto that is
found.
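To make the loop-and-instruction-pattern heuristic concrete, here is an added example of my own (not Gröbert's Pin tool): it takes an instruction trace as a list of (address, mnemonic) pairs, recovers loops from the back-edges in the trace, and flags loops whose body is dominated by the bit-twiddling instructions that cipher and hash rounds are made of. The trace itself is constructed inline: a byte-copy loop, which should not be flagged, followed by a loop shaped like a cipher round, which should be.

```python
from collections import Counter

# Mnemonics that dominate symmetric-cipher and hash inner loops.
BITOPS = {"xor", "rol", "ror", "shl", "shr", "and", "or", "not"}


def constructed_trace():
    """Constructed stand-in for a dynamic instruction trace: (address, mnemonic)
    pairs in execution order. Loop 1 copies bytes, loop 2 looks like a cipher round."""
    copy_body = [(0x1000, "mov"), (0x1003, "mov"), (0x1006, "inc"),
                 (0x1007, "cmp"), (0x100A, "jne")]
    round_body = [(0x2000, "mov"), (0x2003, "xor"), (0x2005, "rol"),
                  (0x2008, "add"), (0x200B, "xor"), (0x200D, "shr"),
                  (0x2010, "xor"), (0x2012, "inc"), (0x2013, "cmp"),
                  (0x2016, "jne")]
    return (copy_body * 3 + [(0x100C, "mov")]
            + round_body * 4 + [(0x2018, "ret")])


def find_loops(trace):
    """Detect loops as back-edges (a jump to a lower address that was already
    executed). For each loop (head, tail) record how many back-edges were taken
    and which mnemonics the body executed. The final fall-through pass of a loop
    is not counted, so 'back_edges' is iterations minus one."""
    loops = {}
    last_seen = {}  # address -> index of its most recent execution
    for i, (addr, mnem) in enumerate(trace):
        last_seen[addr] = i
        nxt = trace[i + 1][0] if i + 1 < len(trace) else None
        if nxt is not None and nxt < addr and nxt in last_seen:
            body = [m for _, m in trace[last_seen[nxt]:i + 1]]
            entry = loops.setdefault((nxt, addr), {"back_edges": 0, "mnemonics": Counter()})
            entry["back_edges"] += 1
            entry["mnemonics"].update(body)
    return loops


def crypto_candidates(loops, min_ratio=0.3, min_back_edges=2):
    """Loops that ran repeatedly and whose body is at least min_ratio bit operations."""
    out = []
    for (head, tail), entry in loops.items():
        executed = sum(entry["mnemonics"].values())
        bitops = sum(n for m, n in entry["mnemonics"].items() if m in BITOPS)
        ratio = bitops / executed if executed else 0.0
        if entry["back_edges"] >= min_back_edges and ratio >= min_ratio:
            out.append((head, tail, ratio))
    return sorted(out)


if __name__ == "__main__":
    loops = find_loops(constructed_trace())
    for (head, tail), entry in sorted(loops.items()):
        print(f"loop {head:#x}-{tail:#x}: {entry['back_edges']} back-edges, "
              f"{dict(entry['mnemonics'])}")
    print("crypto candidates:", [(hex(h), hex(t), r) for h, t, r in crypto_candidates(loops)])
```

A real tool would refine this with the data flow (constants such as S-box tables or the SHA-1 initial state, input and output buffer sizes) to name the algorithm, but the instruction-mix-per-loop signal above is what narrows a multi-million-instruction trace down to a handful of candidate regions.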
Collin Mulliner, Nico Golde: SMS-o-Death - From analyzing to attacking
mobile phones on a large scale.
Get a large collection of phones, run your own GSM base station, put
everything into a Faraday cage and start fuzzing SMS messages to crash
the phones.
Peter Stuge: USB and libusb - So much more than a serial port with
power
How to handle USB devices and how to use libusb. New findings for
USB 1 / 2 / 3.
vanHauser: Recent advances in IPv6 insecurities
Bruce Dang, Peter Ferrie: Adventures in analyzing Stuxnet
A Microsoft take on analyzing malware, with insights into the structure
of the decompiled malware. Description of all the 0-day exploits used in
Stuxnet. (And yes, the exploits are really embarrassing for Microsoft.)
Great talk!
Alien8, Astro: Pentanews Game Show - Your opponents will be riddled as
well
Game show with nerd questions, most of them too easy.
Day 2
Michael Steil: Reverse Engineering the MOS 6502 CPU - 3510 transistors
in 60 minutes
Interesting talk about the MOS 6502 CPU (used in Nintendo consoles, the
Apple II and so on).
Karsten Nohl, Sylvain Munaut: Wideband GSM Sniffing
Use four super-cheap mobile phones to sniff GSM communications. Use SMS
routing information to locate the target phone, find its cell and get
close to the phone (into the same cell), identify the target's TMSI
(temporary mobile subscriber identity), wait for a call and recover the
A5/1 session key with rainbow tables to decrypt the call. BAM, cheap
surveillance.
Karsten Becker, Robert Boehme: Part-Time Scientists - One year of
Rocket Science!
Nerds trying to get to the moon. They have already built the rover and
are now building the lander. Nice pictures and some information about
how to get to the moon and what to do if you are only a part-time
scientist.
FX of Phenoelit: Building Custom Disassemblers - Instruction Set
Reverse Engineering
Stuxnet contains a lot of S7 code, the MC7 bytecode that runs on
Siemens S7 PLCs. FX developed a disassembler for this bytecode using a
free version of the Siemens tool chain: he reverse engineered the
complete tool chain and verified that the parts of the code he
disassembled were correct. He also showed bugs in the Siemens
disassembler and how to hide hand-written code from it.
Andreas Bogk: Defense is not dead - Why we will have more secure
computers - tomorrow
Talks about the SAFE computer of the DoD. Use type-safe languages with
a garbage collector to reduce bugs, use type checking and type
guarantees even at the operating-system level, and build additional
hardware that type-checks all objects as well.
Daniel J. Bernstein: High-speed high-security cryptography: encrypting
and authenticating the whole Internet
Get rid of DNSSEC and encrypt every single communication: use UDP
instead of TCP and move everything to a secure protocol. A new
protocol and a new form of DNS, seen from the perspective of a
cryptographer.
Ralf-Philipp Weinmann: The Baseband Apocalypse - all your baseband are
belong to us
Ralf-Philipp Weinmann: The Hidden Nemesis - Backdooring Embedded
Controllers
Day 3
bushing, marcan, sven: Console Hacking 2010 - PS3 Epic Fail
How to attack supposedly secure crypto systems and how to break the
chain of trust by finding bugs in console software. They had a couple
of nice exploits to get around the software security system of modern
consoles and showed how they could install and develop homebrew
software on current PS3 consoles.
Henryk Plötz, Milosch Meriac: Analyzing a modern cryptographic RFID
system - HID iClass demystified
Use old legacy information about the RFID system to crack the new
cards; use holes in the crypto system or flawed implementations to
escalate privileges.
Harald Welte, Steve Markgraf: Running your own GSM stack on a phone -
Introducing Project OsmocomBB
Get old, cheap phones, reverse engineer the layer 1 firmware and use a
serial line to control the phone; implement layers 2, 3 and above in
software. Make calls and send texts with a completely free and
open-source implementation.
Steven J. Murdoch: Chip and PIN is Broken - Vulnerabilities in the EMV
Protocol
Harald Welte: Reverse Engineering a real-world RFID payment system -
Corporations enabling citizens to print digital money
Free money in Taiwan. The Mifare system is used for public transport and
for small payments, with a card-only validation scheme whose security
relies on the card alone: all state is saved on the customer card.
Generate your own card with an arbitrary amount of money on it and get
free stuff.
Felix von Leitner, Frank Rieger: Fnord-Jahresrückblick 2010 - von
Atomausstieg bis Zwangsintegration (Fnord review of the year 2010 -
from nuclear phase-out to forced integration)
Brilliant as always. An amusing review of the year.
Damien Millescamps, Julien Vanegue: Zero-sized heap allocations
vulnerability analysis - Applications of theorem proving for securing
the Windows kernel
Ray, Stefan 'Sec' Zehl: Hacker Jeopardy - Number guessing for geeks
Fun as always :)
Juergen Pabel: FrozenCache - Mitigating cold-boot attacks for
Full-Disk-Encryption software
Day 4
Julia Wolf: OMG WTF PDF - What you didn't know about Acrobat
Security holes in the PDF parser: find problems and discrepancies
between different PDF parsers. A PDF can be hidden in a ZIP that can be
hidden in an EXE file; stack different file types in one file to get
around the protection of AV products.
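The file-type stacking works because different parsers decide "what is this file?" from different places: ZIP readers locate the central directory from the end of the file and ignore anything in front of it, while PDF readers tolerate junk before the %PDF- header (Acrobat accepts the header anywhere in the first 1024 bytes), and a naive scanner checks offset 0 only. The following added example (my own, not the speaker's tooling) builds such a polyglot with Python's zipfile module and shows three detectors disagreeing about the same bytes. The PDF skeleton and the inner payload are constructed for the example; the EXE layer from the talk is not reproduced, only the PDF/ZIP pair.

```python
import io
import zipfile

# Constructed minimal PDF skeleton (not a real document from the talk); only the
# header placement matters for the magic-byte checks below.
PDF_BODY = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def build_polyglot(prefix, pdf_bytes, inner_name, inner_payload):
    """prefix + PDF, with a ZIP archive appended. ZIP readers find the central
    directory from the end of the file, so the leading bytes do not disturb them."""
    buf = io.BytesIO(prefix + pdf_bytes)
    buf.seek(0, io.SEEK_END)
    with zipfile.ZipFile(buf, "a") as zf:  # append mode: writes a fresh archive at the end
        zf.writestr(inner_name, inner_payload)
    return buf.getvalue()


def zip_entries(blob):
    """What a ZIP-based unpacker (e.g. inside an AV engine) sees: name -> content."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def detections(blob, window=1024):
    """Three different answers to 'is this a PDF / a ZIP?' for the same bytes."""
    return {
        "strict_pdf": blob.startswith(b"%PDF-"),              # magic at offset 0 only
        "lenient_pdf": blob.find(b"%PDF-", 0, window) != -1,  # header within the first 1 KiB
        "zip": zipfile.is_zipfile(io.BytesIO(blob)),          # central directory at the end
    }


if __name__ == "__main__":
    # 16 junk bytes in front: the strict check misses the PDF, the lenient one finds it,
    # and the ZIP layer is fully intact with its payload readable.
    blob = build_polyglot(b"\x00" * 16, PDF_BODY, "payload.txt", b"constructed payload")
    print(detections(blob))  # {'strict_pdf': False, 'lenient_pdf': True, 'zip': True}
    print(zip_entries(blob))
```

The practical lesson for a scanner is that a file's type is not a property of the file but of the parser that will consume it; a filter that classifies once and then applies a single format's rules lets the other interpretations through.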
maha/Martin Haase: Ich sehe nicht, dass wir nicht zustimmen werden -
Die Sprache des politischen Verrats und seiner Rechtfertigung (I don't
see that we will not agree - The language of political betrayal and its
justification)
Stylistic tricks in language, politics and their surroundings.
Sergey: Hackers and Computer Science
Sergey talks about hacker culture and hacker ethics in general. A nice,
easy-listening talk about nerd/hacker culture.
kornau: A framework for automated architecture-independent gadget
search - CCC edition
Automatically find gadgets in programs for return-oriented programming
(return-into-libc style) attacks: the framework finds function tails
that can be used as gadgets and also considers unaligned instructions
(jumping into the middle of an instruction to get a different,
unintended instruction).
Lars Weiler: Data Analysis in Terabit Ethernet Traffic - Solutions for
monitoring and lawful interception within a lot of bits
Product show of different black boxes: connect multiple network ports
to the boxes, which filter and drop most of the traffic; the remaining
data can then be analyzed by a normal PC / analysis machine.