I attended ToorCon 8 in San Diego, which is a hacker/security conference. The conference was spread over four days, although two days had the majority of the sessions. I’ve always had an interest in security, and attended other hacking/security conferences before. This was, however, my first ToorCon. ToorCon is held annually in San Diego and this is their 8th year.
I attended several sessions over two days, and found most of them very interesting and insightful. There were a couple of sessions that really weren’t worth sitting through, but those were the rare exceptions. After leaving, you realize how insecure many systems are, and the number of ‘bad’ people out there trying to break into your computer systems.
I would also like to add that the opinions in my notes are my take on what the speaker was trying to convey and do not reflect my beliefs on various issues. Needless to say, neither I nor my employer endorse, condone, or otherwise approve any ‘grey’ or ‘black’ hacking, and we do not endorse the opinions of the speakers. In fact, many of the speakers are very anti-Government (in the big brother sense), anti-DRM, and anti-big business.
Session #1) 0wned: Hollywood’s War on Security, Keynote, Cory Doctorow www.craphound.com
Co-Editor of www.boingboing.net (Great RSS feed, BTW)
·Mainframes are not something individuals could modify, but good for business and Gov’t
oDictate what the users saw and did
·PCs were viewed as a major threat to the mainframe in the early days
·Industry replaced special purpose closed networks with general networks where anyone can communicate with anyone without third parties intervening.
·The Internet allows individuals to communicate and find information for themselves
·The IT industry now wants to take machines and turn them against the users that own them
oDigital Rights Management, anti-fair use copy protection, etc.
·EULAs are moving into areas beyond films, such as buying movies on Amazon.
oCan’t return a movie, can’t take movies if you go abroad (region restrictions)
oEULA for laptop usage, e.g. 8 page agreement with hardware
o“Authorized domain” is one household’s worth of devices, where you can view a piece of content.
oCompanies design technologies for their own networks, turning them into controlled networks not for general purpose.
oEnd users end up as second class citizens living with a lot of restrictions on “their” digital data.
·Consoles such as the Xbox 360 and laser printer toner cartridges all have restrictions, which lessen their value. Companies should let the audience create more value, not restrict usage rights.
·By adding a EULA, a company in essence creates a private law that Congress or other legal bodies would laugh at in many cases.
·DRM is described by the companies as keeping honest users honest.
oIt really keeps honest users in chains, such as the Sony DRM rootkit incident.
·Built on a broken security model, where the owner is assumed to be the attacker.
·Treating owners as attackers is bad for business in the long run.
·Rootkits are there to inflict policy on computers against the owner’s wishes; they treat the user as a hacker.
·Companies are designing computers to enforce remote policy against the user’s wishes.
·Security is a process, not a product.
·The ability to modify and understand your own equipment is fundamental.
oThese are vital norms required for progress
·Apple’s DRM makes the cost of switching to another platform the cost of the player, plus the cost of re-purchasing your whole music library since Apple won’t license the DRM to others.
oApple stores their entire music library encrypted with a single key, and the local client (iTunes) adds the DRM. This was hacked by impersonating the client and accessing the single-key encrypted data.
·Comcast DVRs can delete content before the DVDs are released.
Note about session #2 by Simple Nomad. This guy claims to have ‘insider’ friends in the Government and other places that back up his claims. As some of you know I worked for these same agencies for a number of years, so I can’t comment on whether Simple Nomad is smoking something or accurate. I’m just passing on his claims, and you can take them for what they are worth.
Session #2) State of the Enemy of the State, Simple Nomad www.nmrc.org
·Simple claims that:
oGov’t can decrypt PGP effortlessly
oCan decrypt symmetric and stream ciphers, such as SSL, at OC-48 speeds
oEverything on the internet is monitored by the Gov’t
oIn the mid 90’s hotmail and usa.com free e-mail services were fronts by the CIA to monitor e-mail.
oThe National Enquirer is a front for the CIA, used to leak stories damaging to the Government and public figures so that no one will believe the information and the mainstream media won’t run with the story. Résumés of the founders listed the CIA as a former employer.
·Visit Tor.eff.org for some great proxy/stealth surfing information
Session #3) Black Ops 2006, Dan Kaminsky www.doxpara.com
·Dropped packets are a source of information
·Many banking web sites just post data using SSL but the primary login page is not encrypted
Session #4) Wicrawl – A next-gen Wi-Fi Auditor, Aaron Peterson www.midnightresearch/projects/wicrawl
·New wireless scanning/auditing tool
·So many WAPs are available that it’s hard to cut through the noise and automate the scanning
·What we care about
oPenetration testing – Security professionals
oFinding rogue access points – Every-day IT
oGetting and staying on the internet – Business traveler
oFinding interesting access points – hackers, etc
·Wicrawl can select goal-oriented Wi-Fi network checks based on profiles and plug-ins
·Discovery engine
oPassive discovery
·Plug-in Engine
oHandles all scheduling decisions
·Plugins
oCan be anything you want
oCould be a binary, script, etc
oScheduled, synchronous
oExamples: DHCP, nessus, aircrack, wepcrack, etc.
·Linux only for now, Mac and BSD in the future
·Note: Backtrack project
Note about session #5. This was a VERY unusual session. The speaker was not actually in the room, he was at an unknown location somewhere in the world. The conference coordinators actually do not know this person’s identity, location, etc. He utilized various proxies, voice changing devices, and other stealth technologies to hide his true identity. According to the ToorCon staff, this is the first time such an anonymous presentation has been given at any major hacking conference.
The reason this speaker was so stealthy is that he’s reverse engineering DRM and other technologies, which is not legal in many countries. He claims to have developed a highly stealthy rootkit that is virtually undetectable.
Session #5) Tron: He Fights for the User
·Fully anonymous speaker from an unknown location over a relayed SSH connection.
·Created two rootkits as reverse engineering tools
·Created IDA plug-in to set hidden breakpoints in programs
·Goal is debugger hiding and covert userland code modification and instrumentation
·Redirects virtual address space to hidden memory locations when memory access occurs
·A 64-bit secret key is built into Tron, which makes scanning for its APIs much harder
Session #6) 6:00PM CheapCrack (DES decryption)
·Application specific IC (ASIC) developed
·DeepCrack: $250,000 budget, $210K final cost
·Chip performance: 1536 chips resulted in 92 billion keys/second
·4.5 days search for the entire DES space
·CheapCrack: Budget of $10k
·A race to the bottom to crack DES for the least amount of money and time
·Parallel German project: 120 FPGAs, 48 billion keys a second, ~$11K. 8.7 days exhaustive search.
·CheapCrack is in the alpha stage
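A quick check of the figures above, added here as an example (not from the talk): DES has a 56-bit key, and the reported 4.5- and 8.7-day search times turn out to be the expected time to find a key, i.e. half of the full 2^56 search at the quoted key rates.

```python
# Added example: relate DES key-search rate to search time.
# A 56-bit key means 2**56 candidates; on average the correct key is found
# after half of them, so the "expected" time is half the worst case.
DES_KEYSPACE = 2 ** 56
SECONDS_PER_DAY = 86_400


def search_days(keys_per_second: float) -> tuple[float, float]:
    """Return (worst-case days, expected days) to recover one DES key."""
    worst = DES_KEYSPACE / keys_per_second / SECONDS_PER_DAY
    return worst, worst / 2


def keys_per_second_needed(expected_days: float) -> float:
    """Key rate required to recover a DES key, on average, in expected_days."""
    return DES_KEYSPACE / 2 / (expected_days * SECONDS_PER_DAY)


if __name__ == "__main__":
    # Figures quoted in the talk: Deep Crack at 92 billion keys/s,
    # the German FPGA cluster at 48 billion keys/s.
    for name, rate in (("Deep Crack", 92e9), ("German FPGA cluster", 48e9)):
        worst, expected = search_days(rate)
        print(f"{name}: worst case {worst:.1f} days, expected {expected:.1f} days")
```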
Note about session #7. This was somewhat unusual for a computer hacking conference. This session showed how easy it is to pick a door lock, and how to choose a more secure lock for your house or business. It was VERY scary to see how easily and quickly someone can pick a lock. Some techniques work on a HUGE range of locks and even a novice can do it in a few seconds. This really makes you think twice about the type of locks you choose to secure your property. They even had an audience member come up on stage, who picked a lock in a few short attempts.
Session #7) Introduction to Lockpicking and Key Bumping v2.0
·“BEST” brand locks have good restrictive keyways
·Security pins – mushroom pins help prevent picking
·Everest – side pin, easy to defeat
·Sargent V-10 lock is hard to pick, but easy to bump
·Axial rotation locks are very secure
·Dimple locks can be better than regular tumbler locks (used in many businesses)
·KABA – good dimple lock
·KEBump Mach II
·Trap pins help guard against bumping
·Shallow drilling also guards against bumping
·Good locks
oMedeco Bi-axial chisel pins
oBEST – SFIC
oASSA – twin, V-10
oABUS – Granit and Diskus
oAmerican – 700x, 2000 series
oSchlage – Primus
ohttp://enterthecore.net/toorcon
oKaba locks
oLockpicking101.com
Session #8) Advanced Windows Firewall Subversion, Lin0xx
·Applications aren’t secure by their very nature
·Many people believe a firewall is a magic solution and it’s not
·If the operating system is compromised, a host based system is nearly useless
·Prior research: Phrack 62 #13, abusing trust relationships between processes
·More research needed: File format bugs are increasing (notice the recent Microsoft Word attacks)
·Windows Firewall in XP SP2
oMSDN gives the source code to programmatically turn off the firewall
oCOM interface is exported
oWMF exploit runs the exploit code and disables the firewall
·ZoneAlarm Personal Firewall
oTrueVector is the core service that keeps ZA safe and is aggressive about defending itself
oTrueVector does not mind drivers, so the SSDT (system service dispatch table) can be written to in order to execute code.
oShutdown code is located at <removed>; pass it a parameter of 4 to shut down
oAll kinds of notification windows appear on the screen. Need to hide those so the user is not alerted.
§Easy to change the system tray icon status to hide the service being shut down
§Screen text strings can be overwritten in memory, to hide the alerts
·Main point is to disable the firewall so that the hacker can maintain direct access to the system.
Session #9) VoIP Attacks, I)ruid, www.caughq.org
·Aha.metasploit.org
·Flooding Attacks
oFlood the hard device with SIP messages or traditional TCP SYNs
oDegrade quality, crash, halt
oMitigation: Protect VoIP from external access, rate-limit offensive traffic
·Fuzzing
oProtocol stacks are poorly implemented
oMost end devices will crash, halt or freeze with invalid data inputs
oMitigation: Demand resilient devices from vendors, ask about QA processes
·Amplification Attacks
oUnauthenticated communications
oConnectionless transport (UDP)
oSpoof addresses, etc
oMitigation: use TCP, authenticate protocol messages, rate-limit network traffic
·Forced Call Teardown
oMost protocols are unencrypted and not authenticated
oSignaling channel can be monitored
oInject spoofed call tear-down messages
oMitigation: encrypt the signaling channel and authenticate all messages
·Signaling Attacks
oProtocols are unencrypted and unauthenticated
oAll kinds of manipulations
·Caller-ID Spoofing
oMany automated systems rely on caller-ID information (credit card activation, etc.)
owww.spoofcard.com, www.iax.cc
·Eavesdropping the Media
oRTP un-encrypted on the wire
oMedia traffic can be sniffed and recorded
oCalls are not private
oEthereal / Wireshark
oCain & Abel
·Directory Enumeration
oTools: SIPCrack, SIPSCAN
·Configuration disclosure
oMost hard phones use TFTP or FTP when booting
oUsernames, passwords, call servers, registration servers, etc.
oCisco phones’ configuration files are usually named based on the device MAC address
owww.hackingexposedcisco.com/tools/tftp-bruteforce.tar.gz
·Cisco
oIP phone forced reboot, disclosed 2 years ago and still not fixed.
oAllows the attacker to impersonate the tftp server and make the phone download configuration files, firmware, etc.
·Mitigation: Use SRTP
Session #10) Windows Vista: Exploitation Countermeasures, Richard Johnson, Microsoft
·Memory corruption vulnerability exposure can be mitigated through memory hardening.
·New features for Vista
oPrivilege Separation
oIE 7 Protected Mode
oKernel Patch Protection
oCode Integrity
oAddress Space Layout Randomization
oWindows Vista Dynamic Memory Allocator
·Windows Vista has nearly all of the protection features of Linux and BSD, and then some
·ASLR makes exploits a statistical problem, since process memory addresses are randomized
·8 bits of entropy (256 possibilities) for entry addresses
·Service Restart Policy (after 3 restarts, it’s not restarted again to prevent brute force attacks)
·ASLR is only for remote exploits, not local, because all programs share the same mappings.
·Prior to Vista, NX (no-execute) could be pretty easily disabled by various means
·In Windows Vista, NX cannot be disabled once it is turned on in a process
Session #10) The Evolving Art of Fuzzing, Jared DeMott, www.appliedsec.com
·Sending “random” crap to applications and seeing what happens.
·%n is a special case, which is used a lot in fuzzing
·Functional testing – dynamic – run the program and test it
·Structural testing – static – Look through source code for coding problems
·Half of the Unix utilities crapped out when fuzzing was first used (early 90s).
·Fuzzers send semi-valid data to the target and optionally determine if a fault has occurred.
oAutomated tool that functionally tests a program
·Fuzzers have a general goal to break software
·Fuzzer types
oGeneration – Full internal description of protocol
oMutation – Capture/replay file, which can be modified
oFuzzing Frameworks and fuzzer scripts – Spike, peach
oPure random stream generators – Old school but finds bugs
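The mutation style described above (capture a valid input, then modify it, and treat anything other than the program's own error handling as a fault), as an added example that is not from the talk: the record format, the parser and its planted missing bounds check are all constructed here for illustration.

```python
import random
# Added example, not from the talk: a toy mutation fuzzer ("capture/replay, then
# modify") against a constructed record parser with a planted missing bounds check.


def record(payload: bytes) -> bytes:
    # Constructed format: 1-byte length, payload, 1-byte checksum (sum mod 256).
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])

SEED = record(b"GET") + record(b"/index")  # the "captured" valid input

def parse_records(data: bytes) -> list[bytes]:
    records, pos = [], 0
    while pos < len(data):
        length, pos = data[pos], pos + 1
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated record")  # handled error
        if data[pos + length] != sum(payload) % 256:  # planted bug: no bounds check
            raise ValueError("bad checksum")  # handled error
        records.append(payload)
        pos += length + 1
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    # 1-3 random bit flips, boundary-value overwrites or truncations.
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        i, op = rng.randrange(len(buf)), rng.choice(("flip", "set", "trunc"))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "set":
            buf[i] = rng.choice((0, 1, 0x7F, 0x80, 0xFF))
        else:
            del buf[i + 1:]  # truncate after byte i, so buf is never empty
    return bytes(buf)

def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> list[bytes]:
    # Returns inputs that crashed the parser. ValueError is the parser's own
    # error handling and does not count; any other exception is a fault.
    rng, crashes = random.Random(rng_seed), []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_records(case)
        except ValueError:
            continue
        except Exception:
            crashes.append(case)
    return crashes
```

Every crashing input it returns trips the unchecked index, which is the class of bug a fuzzer is after; the expected ValueErrors are filtered out so they do not bury it.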
Session #11) TrackSploit, Counter Hacking the Criminal Element, Secure Science Corp.
·Utilize subversive techniques to identify, track, detect and deter online threats.
·Must be legal, lots of out of the box thinking
·Phishy malware: 16,000 logins stolen per day, about 5,000 credit cards
·Since January 2006, recovered 2 million credit card numbers
·1 Billion dollar problem
·J0nny Long – Jonny.ihackstuff.com – Google hacking
Note about session number 12. This was one of THE best sessions all weekend. The speaker was very informative, funny, and the attacks he showed were downright scary. The session went way over the allocated time, but was so worth it. The speaker has worked for many Government agencies and is a recognized expert in the field of protecting against SQL/Web hacks.
Session #12) SQL Injection. Matt Fisher, SPI Dynamics
·SQL Injection and cross-site scripting are the majority of the exploits
·Web apps are the most exposed and least protected
·Can be exploited over HTTP, HTTPS, or any other port. Completely bypasses firewalls, IDS, etc. – bypasses the perimeter.
·SQL injection is about running arbitrary database commands – it’s more than reading data, it’s running any command.
·SQL injection is about handling data safely – not input validation
·The general techniques are the same, regardless of the database backend (SQL Server, Oracle, etc.)
·Two basic types of injections
oVerbose: Lack of error handling and throws error messages in browsers
oBlind: Input is still vulnerable to SQL injection, but error handling is performed to prevent ODBC errors. Read the whitepaper on their website.
·MSDN sample code shows the worst way to build dynamic queries: the query parameter is appended directly to the query string.
·“Union” operator is very powerful, sending two queries
·Conversion Attacks
oSQL is a strongly typed language
oSQL server – CONVERT(), CAST()
·Trace flag 3625 suppresses the evaluated expression in error messages; enable it at server startup
·SQL injection annoyances: shutdown, dropping DBs, etc., port scanning the internal network from the DB server
·Additional capability: 30 registry procedures that can be called: root the box!
·Blacklist: reject the whole query, since you can embed extra characters to get around the blacklist
·Whitelist: Validate against known good format, trim lengths, use parameterized queries, HTML encode output (for XSS)
·PARAMETERIZED QUERIES are a strong mitigation. Substitute parameters.
·Mitigation
oDon’t have web app run as SA.
oEstablish different logins for different parts of the web app for least privilege
oSet an option to disallow concatenated procedures
oLog every operation; log exceptions by hand if necessary
oLog EVERYTHING in IIS
oInstrument code to log errors
oSave transaction logs and treat them like audit logs.
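The concatenation pattern the talk calls the worst way to build a dynamic query, beside the parameterized query and whitelist validation it recommends, as an added example that is not from the talk or from SPI Dynamics: the table, rows and username format are constructed here, and an in-memory SQLite database stands in for the SQL Server backend (CONVERT()/CAST() behaviour is not reproduced).

```python
import re
import sqlite3

# Added example, not from the talk: concatenated vs. parameterized queries
# against a constructed in-memory table.


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, card TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",  # constructed sample rows
                    [("alice", "4111-constructed"), ("bob", "5500-constructed")])
    return con


def lookup_concat(con: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the user-supplied value becomes part of the SQL text, so a
    # quote inside it rewrites the query. If the resulting database error is
    # shown in the browser, this is the "verbose" case from the talk.
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_param(con: sqlite3.Connection, name: str) -> list:
    # Parameterized: the driver passes the value separately from the SQL text,
    # so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT name, card FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # assumed known-good username format


def is_valid_username(name: str) -> bool:
    # Whitelist validation: known-good format with a trimmed length.
    return USERNAME_RE.fullmatch(name) is not None


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    # Defence in depth: reject the unexpected format, then still parameterize.
    if not is_valid_username(name):
        raise ValueError("rejected: username has an unexpected format")
    return lookup_param(con, name)
```

With the input `x' OR '1'='1`, lookup_concat returns every row while lookup_param returns none, because the parameterized version looks for a user literally named that string.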