I attended ToorCon 8 in San Diego, which is a hacker/security conference. The conference was spread over four days, although two days had the majority of the sessions. I’ve always had an interest in security, and attended other hacking/security conferences before. This was, however, my first ToorCon. ToorCon is held annually in San Diego and this is their 8th year.
I attended several sessions over two days, and found most of them very interesting and insightful. There were a couple of sessions that really weren’t worth sitting through, but those were the rare exceptions. After leaving, you realize how insecure many systems are, and the number of ‘bad’ people out there trying to break into your computer systems.
I would also like to add that the opinions from my notes are my take on what the speaker was trying to convey and do not reflect my beliefs on various issues. Needless to say, neither I nor my employer endorse, condone, or otherwise approve any ‘grey’ or ‘black’ hacking, and do not endorse the opinions of the speakers. In fact many of the speakers are very anti-Government (in the big brother sense), anti-DRM, and anti-big business.
Session #1) 0wned: Hollywood’s War on Security, Keynote, Cory Doctorow www.craphound.com
Co-Editor of www.boingboing.net (Great RSS feed, BTW)
· Mainframes are not something individuals could modify, but good for business and Gov’t
o Dictate what the users saw and did
· PCs were viewed as a major threat to the mainframe in the early days
· Industry replaced special purpose closed networks with general networks where anyone can communicate with anyone without third parties intervening.
· Internet allows individuals to communicate and find information for themselves
· IT industry now wants to take machines and turn them against the users that own them
o Digital Rights Management, anti-fair use copy protection, etc.
· EULA move into areas beyond films, such as buying movies on Amazon.
o Can’t return a movie, can’t take movies if you go abroad (region restrictions)
o EULA for laptop usage, e.g. 8 page agreement with hardware
o “Authorized domain” is one household’s worth of devices, where you can view a piece of content.
o Companies design technologies for their own networks, turning them into controlled networks not for general purpose.
o End users end up as second class citizens living with a lot of restrictions on “their” digital data.
· Consoles such as the Xbox 360, laser printer toner cartridges, etc. all have restrictions which lessen their value. Companies should let the audience create more value, not restrict usage rights.
· By adding an EULA, a company in essence creates a private law that Congress or other legal bodies would laugh at in many cases.
· DRM is described by the companies as keeping honest users honest.
o It really keeps honest users in chains, such as the Sony DRM rootkit incident.
· Built on a broken security model, where the owner is assumed to be the attacker.
· Treating owners as attackers is bad for business in the long run.
· Rootkits are there to inflict policy on computers against an owner’s wishes; they treat the user as a hacker.
· Companies are designing computers to enforce remote policy against the user’s wishes.
· Security is a process, not a product.
· The ability to modify and understand your own equipment is fundamental.
o These are vital norms required for progress
· Apple’s DRM makes the cost of switching to another platform the cost of the player, plus the cost of re-purchasing your whole music library since Apple won’t license the DRM to others.
o Apple stores their entire music library encrypted with a single key, and the local client (iTunes) adds the DRM. This was hacked by impersonating the client and accessing the single-key encrypted data.
· Comcast DVRs can delete content before the DVDs are released.
Note about session #2 by Simple Nomad. This guy claims to have ‘insider’ friends in the Government and other places that back up his claims. As some of you know I worked for these same agencies for a number of years, so I can’t comment on whether Simple Nomad is smoking something or accurate. I’m just passing on his claims, and you can take them for what they are worth.
Session #2) State of the Enemy of the State, Simple Nomad www.nmrc.org
· Simple claims that:
o Gov’t can decrypt PGP effortlessly
o Can decrypt symmetric and stream ciphers, such as SSL, at OC-48 speeds
o Everything on the internet is monitored by the Gov’t
o In the mid 90’s hotmail and usa.com free e-mail services were fronts by the CIA to monitor e-mail.
o National Enquirer is a front by the CIA to leak stories damaging to the Government and public figures so that no one will believe the information and the mainstream media won’t run with the story. Resumes from the founders listed CIA as former employers.
· Visit Tor.eff.org for some great proxy/stealth surfing information
Session #3) Black Ops 2006, Dan Kaminsky www.doxpara.com
· Dropped packets are a source of information
· Many banking web sites just post data using SSL but the primary login page is not encrypted
Session #4) Wicrawl – A next-gen Wi-Fi Auditor, Aaron Peterson www.midnightresearch/projects/wicrawl
· New wireless scanning/auditing tool
· So many WAPs are available that it’s hard to cut through the noise and automate the scanning
· What we care about
o Penetration testing – Security professionals
o Finding rogue access points – Every-day IT
o Getting and staying on the internet – Business traveler
o Finding interesting access points – hackers, etc.
· Wicrawl has the ability to select goal-oriented Wi-Fi network checks based on profiles and plug-ins
· Discovery engine
o Passive discovery
· Plug-in Engine
o Handles all scheduling decisions
· Plugins
o Can be anything you want
o Could be a binary, script, etc
o Scheduled, synchronous
o Examples: DHCP, Nessus, aircrack, WEPCrack, etc.
· Linux only for now, Mac and BSD in the future
· Note: Backtrack project
Note about session #5. This was a VERY unusual session. The speaker was not actually in the room, he was at an unknown location somewhere in the world. The conference coordinators actually do not know this person’s identity, location, etc. He utilized various proxies, voice changing devices, and other stealth technologies to hide his true identity. According to the ToorCon staff, this is the first time such an anonymous presentation has been given at any major hacking conference.
The reason this speaker was so stealthy is that he’s reverse engineering DRM and other technologies, which is not legal in many countries. He claims to have developed a highly stealthy rootkit that is virtually undetectable.
Session #5) Tron: He Fights for the User
· Fully anonymous speaker from an unknown location over a relayed SSH connection.
· Created two rootkits as reverse engineering tools
· Created IDA plug-in to set hidden breakpoints in programs
· Goal is Debugger hiding and covert userland code modification and instrumentation
· Redirects virtual address space to hidden memory locations when memory access occurs
· A 64-bit secret key is built into Tron, which makes scanning for its APIs much harder
Session #6) 6:00PM CheapCrack (DES decryption)
· Application specific IC (ASIC) developed
· DeepCrack: $250,000 budget, $210K final cost
· Chip performance: 1536 chips resulted in 92 billion keys/second
· 4.5 days search for the entire DES space
· CheapCrack: Budget of $10k
· A race to the bottom to crack DES for the least amount of money and time
· Parallel German project: 120 FPGAs, 48 billion keys a second, ~$11K. 8.7 days exhaustive search.
· CheapCrack is in the alpha stage
Note about session #7. This was somewhat unusual for a computer hacking conference. This session showed how easy it is to pick a door lock, and how to choose a more secure lock for your house or business. It was VERY scary to see how easily and quickly someone can pick a lock. Some techniques work on a HUGE range of locks and even a novice can do it in a few seconds. This really makes you think twice about the type of locks you choose to secure your property. They even had an audience member come up on stage who picked a lock in a few short attempts.
Session #7) Introduction to Lockpicking and Key Bumping v2.0
· “BEST” brand locks have good restrictive keyways
· Security pins – mushroom to help prevent picking
· Everest – side pin, easy to defeat
· Sargent V-10 lock is hard to pick, but easy to bump
· Axial rotation locks are very secure
· Dimple locks can be better than regular tumbler locks (used in many businesses)
· KABA – good dimple lock
· KEBump Mach II
· Trap pins help guard against bumping
· Shallow drilling also guards against bumping
· Good locks
o Medeco Bi-axial chisel pins
o BEST – SFIC
o ASSA – twin, V-10
o ABUS – Granit and Diskus
o American – 700x, 2000 series
o Schlage – Primus
o http://enterthecore.net/toorcon
o Kaba locks
o Lockpicking101.com
Session #8) Advanced Windows Firewall Subversion, Lin0xx
· Applications aren’t secure by their very nature
· Many people believe a firewall is a magic solution and it’s not
· If the operating system is compromised, a host-based firewall is nearly useless
· Former research: Phrack 62 #13, abuse trust relationships between processes
· More research needed: File format bugs are increasing (notice the recent Microsoft Word attacks)
· Windows Firewall in XP SP2
o MSDN gives the source code to programmatically turn off the firewall
o COM interface is exported
o WMF exploit runs the exploit code and disables the firewall
· ZoneAlarm Personal Firewall
o TrueVector is the core service that keeps ZA safe and is aggressive about defending itself
o TrueVector does not watch drivers, so the SSDT (system service dispatch table) can be written to from a driver and used to execute code.
o Shutdown code is located at <removed> and pass it a parameter of 4 to shutdown
o All kinds of notification windows appear on the screen. Need to hide those so the user is not alerted.
§ Easy to change the system tray icon status to hide the service being shut down
§ Screen text strings can be overwritten in memory, to hide the alerts
· Main point is to disable the firewall so that the hacker can maintain direct access to the system.
Session #9) VoIP Attacks, I)ruid, www.caughq.org
· Aha.metasploit.org
· Flooding Attacks
o Flood the hard phone with SIP messages or traditional TCP SYNs
o Degrade quality, crash, halt
o Mitigation: Protect VoIP from external access, rate-limit offensive traffic
· Fuzzing
o Protocol stacks are poorly implemented
o Most end devices will crash, halt or freeze with invalid data inputs
o Mitigation: Demand resilient devices from vendors, ask about QA processes
· Amplification Attacks
o Unauthenticated communications
o Connectionless transport (UDP)
o Spoof addresses, etc
o Mitigation: use TCP, authenticate protocol messages, rate-limit network traffic
· Forced Call Teardown
o Most protocols are unencrypted and not authenticated
o Signaling channel can be monitored
o Inject spoofed call tear-down messages
o Mitigation: encrypt the signaling channel and authenticate all messages
· Signaling Attacks
o Protocols are unencrypted and unauthenticated
o All kinds of manipulations
· Caller-ID Spoofing
o Many automated systems rely on caller-ID information (credit card activation, etc.)
o www.spoofcard.com, www.iax.cc
· Eavesdropping the Media
o RTP un-encrypted on the wire
o Media traffic can be sniffed and recorded
o Calls are not private
o Ethereal / Wireshark
o Cain & Abel
· Directory Enumeration
o Tools: SIPCrack, SIPSCAN
· Configuration disclosure
o Most hard phones use TFTP or FTP when booting
o Usernames, passwords, call servers, registration servers, etc.
o Cisco phones have files usually based on the device MAC address
o www.hackingexposedcisco.com/tools/tftp-bruteforce.tar.gz
· Cisco
o IP phone forced reboot, disclosed 2 years ago and still not fixed.
o Allows the attacker to impersonate the tftp server and make the phone download configuration files, firmware, etc.
· Mitigation: Use SRTP
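To make the forced-teardown point concrete, here is an added example of my own (not from the talk) that watches a constructed, simplified summary of the signaling channel and flags BYE/CANCEL messages from a source that was never a party to the call. The line format and IPs are invented for the example.

```python
import re
from collections import defaultdict

# Constructed signaling summary, one SIP message per line, as a passive
# monitor on the signaling network might emit it: <src-ip> <method> <call-id>
SIGNALING = """\
10.0.0.11 INVITE call-1
10.0.0.12 200 call-1
10.0.0.11 INVITE call-2
10.0.0.13 200 call-2
10.0.0.99 BYE call-1
10.0.0.13 BYE call-2
10.0.0.50 CANCEL call-3
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
TEARDOWN = {"BYE", "CANCEL"}


def parse(text):
    """Yield (src, method, call_id) for every well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_rogue_teardowns(text):
    """Return (src, method, call_id) for teardown messages whose source was
    never a party (INVITE sender or 200 responder) to that call, including
    teardowns for calls the monitor never saw set up."""
    parties = defaultdict(set)
    rogue = []
    for src, method, call_id in parse(text):
        if method in ("INVITE", "200"):
            parties[call_id].add(src)
        elif method in TEARDOWN and src not in parties[call_id]:
            rogue.append((src, method, call_id))
    return rogue
```

Because the signaling is unauthenticated, an injected BYE can also carry a spoofed source address and sail past this check; it catches the lazy case and is a stopgap until the signaling channel is encrypted and every message authenticated, as the talk recommends.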
Session #10) Windows Vista: Exploitation Countermeasures, Richard Johnson, Microsoft
· Memory corruption vulnerability exposure can be mitigated through memory hardening.
· New features for Vista
o Privilege Separation
o IE 7 Protected Mode
o Kernel Patch Protection
o Code Integrity
o Address Space Layout Randomization
o Windows Vista Dynamic Memory Allocator
· Windows Vista has nearly all of the protection features of Linux and BSD, and then some
· ASLR makes exploits a statistical problem, since process memory addresses are randomized
· 8 bits of entropy (256 possibilities) for entry addresses
· Service Restart Policy (after 3 restarts, it’s not restarted again to prevent brute force attacks)
· ASLR is only for remote exploits, not local, because all programs share the same mappings.
· Prior to Vista, NX (no-execute) could be pretty easily disabled by various means
· In Windows Vista, NX cannot be disabled once it is turned on in a process
Session #10) The Evolving Art of Fuzzing, Jared DeMott, www.appliedsec.com
· Sending “random” crap to applications and see what happens.
· %n is a special case, which is used a lot in fuzzing
· Functional testing – dynamic – run the program and test it
· Structural testing – static – Look through source code for coding problems
· Half of Unix utilities crapped out when fuzzing was first used (early 90s).
· Fuzzers send semi-valid data to the target and optionally determine if a fault has occurred.
o Automated tool that functionally tests a program
· Fuzzers have a general goal to break software
· Fuzzer types
o Generation – Full internal description of protocol
o Mutation – Capture/replay file, which can be modified
o Fuzzing frameworks and fuzzer scripts – SPIKE, Peach
o Pure random stream generators – Old school but finds bugs
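As an added illustration of the mutation-fuzzer type (my own code, not from the talk), here is a tiny fuzzer that mutates a captured valid input for a constructed length-prefixed record format, runs it against a parser that trusts its length byte, and records the inputs that produce a real fault rather than the parser’s own rejection. The format, the parser and its bug are all invented for the example.

```python
import random


def parse_record(data: bytes) -> bytes:
    """Toy parser for a constructed format: <len><payload...><checksum>.
    Bug: it trusts the length byte, so a length larger than the buffer reads
    past the end (IndexError here; an out-of-bounds read in C)."""
    n = data[0]
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")  # the parser's intended rejection
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same format with the bounds check the fuzzer shows is missing."""
    if len(data) < 2 or data[0] > len(data) - 2:
        raise ValueError("bad length")
    return parse_record(data)


def mutate(rng, data: bytes) -> bytes:
    """One random mutation of the seed: bit flip, byte insert, or truncation."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations=500, seed=1):
    """Mutation fuzzing: send semi-valid data and keep every input that raises
    anything other than the parser's own ValueError, i.e. a genuine fault."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    faults = []
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            faults.append((case, type(exc).__name__))
    return faults


SEED = bytes([4, 1, 2, 3, 4, 10])  # constructed valid record: len=4, checksum=10
```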
Session #11) TrackSploit, Counter Hacking the Criminal Element, Secure Science Corp.
· Utilize subversive techniques to identify, track, detect and deter online threats.
· Must be legal, lots of out of the box thinking
· Phishy malware: 16,000 logins stolen per day, about 5,000 credit cards
· Since January 2006, recovered 2 million credit card numbers
· 1 Billion dollar problem
· Johnny Long – Jonny.ihackstuff.com – Google hacking
Note about session number 12. This was one of THE best sessions all weekend. The speaker was very informative, funny, and the attacks he showed were downright scary. The session went way over the allocated time, but was so worth it. The speaker has worked for many Government agencies and is a recognized expert in the field of protecting against SQL/Web hacks.
Session #12) SQL Injection. Matt Fisher, SPI Dynamics
· SQL Injection and cross-site scripting are the majority of the exploits
· Web apps are the most exposed and least protected
· Can be exploited over HTTP, HTTPS, or any other port. Completely bypasses firewalls, IDS, etc. – bypasses the perimeter.
· SQL injection is about running arbitrary database commands – it’s more than reading data, it’s running any command.
· SQL injection is about handling data safely – not input validation
· The general techniques are the same, regardless of the database backend (SQL, Oracle, etc.)
· Two basic types of injections
o Verbose: Lack of error handling and throws error messages in browsers
o Blind: Input is still vulnerable to SQL injection, but error handling is performed to prevent ODBC errors from reaching the browser. Read the whitepaper on their website.
· MSDN code shows the worst way to build dynamic queries. Query parameter appended to the query.
· “Union” operator is very powerful, sending two queries
· Conversion Attacks
o SQL is strongly typed language
o SQL server – CONVERT(), CAST()
· Trace flag 3625 suppresses the evaluated expression in error messages; enable it at server startup
· SQL injection annoyances: shutdown, drop DBs, etc., port scan the internal network from the DB server
· Additional capability: 30 registry procedures that can be called: root the box!
· Blacklist: reject the whole query, since you can embed extra characters to get around the blacklist
· Whitelist: Validate against known good format, trim lengths, use parameterized queries, HTML encode output (for XSS)
· PARAMETERIZED QUERIES are a strong mitigation. Substitute parameters.
· Mitigation
o Don’t have web app run as SA.
o Establish different logins for different parts of the web app for least privilege
o Set an option to disallow concatenated procedures
o Log every option, log exception by hand if necessary
o Log EVERYTHING in IIS
o Instrument code to log errors
o Save transaction logs and treat them like audit logs.
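To show the “worst way” of building a dynamic query next to the parameterized mitigation, here is an added example of my own (not from the talk, and not SPI Dynamics code) using Python’s built-in sqlite3 against a constructed user table; the same contrast holds for SQL Server, Oracle, etc., as the talk noted.

```python
import sqlite3

# Constructed sample data standing in for a web app's user table.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "pa55")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_concat(db, name, password):
    """The 'worst way': request values are appended straight into the query
    text, so a quote in the input rewrites the SQL itself."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_param(db, name, password):
    """Parameterized form: the SQL text is fixed, the values travel separately
    and are never parsed as SQL, so the same input is just a non-matching string."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


def demo():
    db = make_db()
    # A tautology in the password field short-circuits the WHERE clause.
    tautology = "' OR '1'='1"
    # UNION bolts a second query onto the first (the talk's point that
    # injection is about running statements, not only reading the row you meant).
    union = "' UNION SELECT password FROM users WHERE '1'='1"
    return {
        "concat_tautology": login_concat(db, "nobody", tautology),
        "concat_union": login_concat(db, "nobody", union),
        "param_tautology": login_param(db, "nobody", tautology),
        "param_union": login_param(db, "nobody", union),
        "param_valid": login_param(db, "alice", "s3cret"),
    }
```

The concatenated version returns every user for the tautology and every password for the UNION input; the parameterized version returns nothing for both and only matches a genuine credential pair.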