ISACA Melbourne Chapter, Andreas Dannert
Exciting IT Security based on 27C3
> Chaos Computer Club (CCC)_
Founded September 12, 1981 by Wau Holland et al.
Currently 4000+ members
Became famous through the “Bildschirmtext” hack
Promotes free access to computers and technology
Hosts Europe’s oldest and largest hacker conference
Since 2009 also hosting SIGINT in Cologne
all volunteers
70 Euro for 4 days
3000+ tickets, sold out
6000+ liter Club Mate
(but only 600 liters of beer)
100+ hours of lectures
peak of 5807 streaming clients
3TB of video
oldest visitor 86
provided childcare
> Things to come_
Just stick to 1st principles
Embedded controllers everywhere
Smart phones - many options
Let’s go IPv6
Fun with PDF
> Just stick to 1st principles_
PS3 Console Hack
Signed executables (ineffective)
Chain of trust (broken)
Security coprocessor (pointless)
Hypervisor (useless)
Encrypted storage (bypassed)
Public key crypto (broken)
:-(
> Just stick to 1st principles_
SMS-o-Death
All major feature phone producers affected (Nokia, Samsung, LG, Motorola, and Micromax)
Finding a “killer SMS” was easy using fuzzing
While this was research, it could be used for real infrastructure attacks :-(
> Just stick to 1st principles_
Smart Card system for Public Transport
Weak encryption algorithm
No backend verification
Change of business requirements, but not security
:-(
> Just stick to 1st principles_
Use proven encryption algorithms
Ensure proper implementation of security
Ensure secure code (e.g. boundary checking)
Ensure random numbers are random
Use an appropriate level of security (do you need it?)
Use an appropriate level of testing (consider automated testing and fuzzing)
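The SMS-o-Death slide notes that fuzzing found the malformed messages quickly, and the principles above ask for boundary checking and for fuzzing as part of testing. The following added example (not code from the slides or from any 27C3 talk) shows both sides of that on a toy length-prefixed record format that is an assumption of this example: a parser that trusts its length byte, the same parser with bounds checks, and a small deterministic mutation fuzzer that separates clean rejections from crashes.

```python
"""
Toy length-prefixed record parser, once without and once with boundary checks,
plus a deterministic mutation fuzzer. Constructed example; the record layout
below is an assumption, not a real phone or SMS format.

Layout:  [type:1][length:1][payload:length][checksum:1]
         checksum = sum(payload) mod 256
"""


def parse_record_unchecked(buf: bytes) -> dict:
    """Trusts the length byte, so a short or truncated buffer is read past its end."""
    rtype = buf[0]
    length = buf[1]
    payload = buf[2:2 + length]          # slicing silently truncates...
    checksum = buf[2 + length]           # ...but this index raises IndexError
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}


def parse_record_checked(buf: bytes) -> dict:
    """Same format, but every read is preceded by a bounds check; bad input is a ValueError."""
    if len(buf) < 2:
        raise ValueError("header truncated")
    rtype, length = buf[0], buf[1]
    if len(buf) < 2 + length + 1:
        raise ValueError("declared length exceeds buffer")
    payload = buf[2:2 + length]
    checksum = buf[2 + length]
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}


def make_record(rtype: int, payload: bytes) -> bytes:
    """Build a well-formed record to seed the fuzzer."""
    return bytes([rtype, len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutations(seed: bytes):
    """Deterministic mutation set: truncations, single-byte overwrites, extensions."""
    for i in range(len(seed) + 1):
        yield seed[:i]
    for i in range(len(seed)):
        for value in (0x00, 0x01, 0x7F, 0x80, 0xFF):
            yield seed[:i] + bytes([value]) + seed[i + 1:]
    yield seed + b"\x00" * 300
    yield seed * 3


def fuzz(parser, seed: bytes) -> dict:
    """Run the parser over every mutation; a ValueError is a clean rejection,
    any other exception is counted as a crash (the bug fuzzing is looking for)."""
    stats = {"accepted": 0, "rejected": 0, "crashes": 0, "crash_inputs": []}
    for case in mutations(seed):
        try:
            parser(case)
            stats["accepted"] += 1
        except ValueError:
            stats["rejected"] += 1
        except Exception as exc:
            stats["crashes"] += 1
            stats["crash_inputs"].append((case, type(exc).__name__))
    return stats


SEED = make_record(0x01, b"hello")   # constructed valid record

if __name__ == "__main__":
    for name, parser in (("unchecked", parse_record_unchecked),
                         ("checked", parse_record_checked)):
        s = fuzz(parser, SEED)
        print(f"{name:10s} accepted={s['accepted']} rejected={s['rejected']} crashes={s['crashes']}")
```

The mutation set is enumerated rather than random so the run is reproducible; in a real harness the same split between "rejected with a defined error" and "crashed" is what distinguishes a robust parser from one that merely works on well-formed input.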
> Embedded controllers everywhere_
Embedded controllers are in most devices
Standardized controllers have “extra” capacity
Complex systems have several attack vectors
:-(
> Embedded controllers everywhere_
Use signatures/hashing for ALL software considered vulnerable
Stay flexible and keep learning; security devices are not everything
Ensure remote flashing of laptops is not possible
Use appropriate security (there are always ways around it)
> Smart phones - many options_
Primary Entry Points
Default communication network, i.e. GSM, SMS, MMS...
Secondary Entry Points
Non default communication network, i.e. Email, IM, Skype ...
Tertiary Entry Points
Proximity attacks i.e. WiFi, Bluetooth...
Drive by cross site scripting attacks
:-(
> Smart phones - many options_
Increased complexity, increased options
Balance between vulnerabilities and testing costs
The risk of “3rd party solutions”, i.e. nothing runs in isolation
What needs to be protected and how? (i.e. use of encrypted storage)
Likelihood of attacks (i.e. anything goes)
> Let’s go IPv6_
                    | IPv4               | IPv6                                   | Advantage
Address length      | 32 bits            | 128 bits                               | many more devices
Broadcast/multicast | yes                | no broadcast / other form of multicast | better bandwidth utilization
QoS                 | ToS using DiffServ | flow labels and classes                | more granular control
Configuration       | manual/DHCP        | automatic                              | reduced error / reduced op. cost
Security            | IPSec optional     | IPSec required                         | security framework
Mobility            | mobile IPv4        | faster handover, router optimization   | improved efficiency and scalability
> Let’s go IPv6_
          | IPv4          | IPv6
Addresses | 4,294,967,296 | 340,282,366,920,938,463,463,374,607,431,768,211,456
Address   | 192.168.15.12 | 2001:0DB8:AC10:FE01:0000:0000:0000:0000 (2001:0DB8:AC10:FE01::)
> Let’s go IPv6_
Neighbour Discovery (ND) Spoofing
Man in the middle attack (“impersonate” router)
Become default router (send router advertisements, use 0 lifetime)
No router available: everything becomes local
Force “dual stack usage” by router advertisement
Router advertisement flooding (DoS!)
Some firewalls don’t filter IPv6
IPv6 side channels
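Most of the Neighbour Discovery abuses listed above are visible on the wire as Router Advertisements that a defender can recognise: an RA from a host that is not a known router, an RA with a router lifetime of 0 (which withdraws the default router), and RA floods. The following added example (not code from the slides or from the 27C3 talk) parses the fixed ICMPv6 RA header (RFC 4861 section 4.2 layout) and runs those three checks over a constructed capture; the link-local addresses, the flood threshold and the event format are assumptions of this example.

```python
"""
Router Advertisement anomaly detection over a constructed IPv6 capture.
Constructed example; addresses, thresholds and the (timestamp, source, payload)
event format are assumptions, not a real tool's interface.
"""
import struct
from collections import Counter, defaultdict

ICMPV6_ROUTER_ADVERTISEMENT = 134
# type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
RA_HEADER = "!BBHBBHII"
RA_HEADER_LEN = struct.calcsize(RA_HEADER)   # 16 bytes


def build_ra(router_lifetime: int = 1800, hop_limit: int = 64, flags: int = 0) -> bytes:
    """Construct a minimal RA with the checksum zeroed. Test data only; a real RA
    also carries options (prefix information, MTU, source link-layer address)."""
    return struct.pack(RA_HEADER, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       hop_limit, flags, router_lifetime, 0, 0)


def parse_ra(payload: bytes) -> dict:
    """Decode the fixed RA header; anything that is not a well-formed RA is a ValueError."""
    if len(payload) < RA_HEADER_LEN:
        raise ValueError("truncated ICMPv6 header")
    msg_type, _code, _csum, hop_limit, flags, lifetime, reachable, retrans = \
        struct.unpack(RA_HEADER, payload[:RA_HEADER_LEN])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a router advertisement (type {msg_type})")
    return {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),        # M flag: addresses via DHCPv6
        "other_config": bool(flags & 0x40),   # O flag: other config via DHCPv6
        "router_lifetime": lifetime,          # 0 means "I am not a default router"
        "reachable_ms": reachable,
        "retrans_ms": retrans,
        "options": payload[RA_HEADER_LEN:],
    }


def detect_ra_anomalies(events, known_routers, flood_threshold: int = 20) -> list:
    """events: iterable of (timestamp_seconds, source_link_local, icmpv6_payload).
    Returns (kind, source, detail) alerts in the order they are raised."""
    alerts = []
    seen_rogues = set()
    per_second = defaultdict(Counter)   # int(timestamp) -> Counter(source)
    for ts, src, payload in events:
        try:
            ra = parse_ra(payload)
        except ValueError as exc:
            alerts.append(("malformed_ra", src, str(exc)))
            continue
        per_second[int(ts)][src] += 1
        if src not in known_routers and src not in seen_rogues:
            seen_rogues.add(src)                      # report each rogue source once
            alerts.append(("rogue_ra", src, f"first seen at t={ts}"))
        if ra["router_lifetime"] == 0:
            alerts.append(("router_lifetime_zero", src, f"withdraws default router at t={ts}"))
    for second, counter in sorted(per_second.items()):
        for src, n in counter.items():
            if n > flood_threshold:
                alerts.append(("ra_flood", src, f"{n} RAs in second {second}"))
    return alerts


def sample_events() -> list:
    """Constructed capture: the real router, a lifetime-0 RA carrying its address,
    and an unknown host that announces itself and then floods."""
    events = [
        (0.0, "fe80::1", build_ra()),                     # legitimate router
        (1.0, "fe80::1", build_ra(router_lifetime=0)),    # default router withdrawn
        (2.0, "fe80::c0de", build_ra(flags=0x80)),        # unknown host claiming to be a router
    ]
    events += [(3.0 + i * 0.01, "fe80::c0de", build_ra()) for i in range(30)]   # flood
    return events


if __name__ == "__main__":
    for alert in detect_ra_anomalies(sample_events(), known_routers={"fe80::1"}):
        print(alert)
```

On a real network the same logic would sit behind a packet capture and be complemented by RA Guard on switch ports; the point here is that each of the listed abuses leaves a distinct, checkable trace in the RA header.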
:-(
> Let’s go IPv6_
Plan, prepare, implement
Employee training
Understanding technology implications
Utilize peers (organizations and people)
Understand product strength and weaknesses
> Fun with PDF_
PDF = Portable Document Format or “The most dangerous file format...”
PDF is an open standard for document exchange created in 1983 by Adobe Systems*
Built on 15 mil. lines of code (Firefox 3.5 has 2.7 mil.)
Turing complete
Standard doesn’t provide methods for checking conformance of files
Can execute embedded Flash files / JavaScript
* ISO/IEC 32000-1:2008
> Fun with PDF_
PDFs can look different based on OS and geo-location
PDFs can be code and documents
PDFs are not always interpreted the same
PDF readers do not necessarily sandbox PDFs
Code can be spread across the file
Data, e.g. images, embeds nicely
:-(
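The previous slide names the PDF features that make the format dangerous (embedded Flash and JavaScript, actions that run on open) and this one adds that code can be spread across objects and that readers do not all interpret a file the same way. The following added example (not code from the slides or from the 27C3 talk) is a triage scanner that walks the objects of a PDF and reports where such active-content keys occur, decoding the #xx hex escapes that PDF allows in names so that a key written as /Java#53cript is not missed by a plain string search. The key list and the two sample documents are constructed for this example.

```python
"""
Object-level triage scanner for active content in PDF files.
Constructed example; the list of names and the sample documents are assumptions.
"""
import re

# Dictionary keys worth a second look. Assumed list for this example, drawn from
# the features named on the slides plus launch actions and file attachments.
SUSPICIOUS_NAMES = {
    "/JavaScript", "/JS",      # script actions
    "/OpenAction", "/AA",      # actions that run on open / on events, without a click
    "/Launch",                 # launch an external program
    "/RichMedia", "/Flash",    # embedded Flash content
    "/EmbeddedFile",           # file attachments
}

OBJECT_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")     # a PDF name token: '/' then regular chars
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """PDF names may encode any byte as #xx, which defeats naive string matching."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> list:
    """Return [(object_number, decoded_name), ...] for suspicious names, in file order.
    Only uncompressed object bodies are inspected; real tools also inflate streams."""
    findings = []
    for m in OBJECT_RE.finditer(data):
        obj_num = int(m.group(1))
        for name in NAME_RE.findall(m.group(3)):
            decoded = decode_name(name)
            if decoded in SUSPICIOUS_NAMES:
                findings.append((obj_num, decoded))
    return findings


# Constructed minimal document: the catalog auto-runs object 4, whose action type
# is written with a hex escape so a plain search for b"/JavaScript" finds nothing.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (constructed placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed document with no active content at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("naive search finds /JavaScript:", b"/JavaScript" in SAMPLE_PDF)   # False
    for obj, name in scan_pdf(SAMPLE_PDF):
        print(f"object {obj}: {name}")
```

Reporting the object number rather than a yes/no answer is what makes the "code spread across the file" point visible: the auto-run hook lives in the catalog while the script itself sits in a different object. A scanner like this is a cheap first filter before a document scrubber or a sandboxed reader, not a replacement for either.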
> Fun with PDF_
Keep an eye on this topic and do risk assessments
Understand file types used in your organization
Don’t trust data just because it looks harmless
Consider using “document scrubbers”
> But wait, there is more!_
Online resources of 27C3
Online resources of past events
Online resources of similar events
CCC summer camp in August 2011
Social network and other resources
> You might also want to look at_
Code deobfuscation by optimization
Cognitive Psychology for Hackers
A framework for automated architecture-independent gadget search
Data Recovery Techniques
Rootkits and Trojans on your SAP landscape
> Attribution, thanks and acknowledgement_
(this presentation is mainly based on the below presentations at 27C3)
Collin Mulliner and Nico Golde, “SMS-o-Death” @ 27C3
“Fail0verflow” team, “Console Hacking 2010” @ 27C3
Harald Welte, “Reverse Engineering a real world RFID System” @ 27C3
Ralf-Philipp Weinmann, “The Hidden Nemesis” @ 27C3
Ilja van Sprundel, “Hacking Smart Phones” @ 27C3
Marc “van Hauser” Heuse, “Recent advances in IPv6 insecurities” @ 27C3
Julia Wolf, “OMG WTF PDF” @ 27C3
> URLs_
1. http://events.ccc.de/congress/2010/wiki/Documentation
2. http://www.ccc.de/en/
3. http://events.ccc.de/category/camp/
4. https://events.ccc.de/sigint/2010/wiki/Hauptseite
5. http://www.blackhat.com/html/bh-dc-11/bh-dc-11-archives.html
6. http://www.defcon.org/html/links/dc-archives.html
7. http://video.hackinthebox.org/
8. http://www.thc.org/
9. http://www.isti.tu-berlin.de/security_in_telecommunications/menue/research/publications/
10. http://lcamtuf.coredump.cx/silence.shtml
11. http://packetstormsecurity.org
12. http://www.nro.net/wp-content/uploads/2011/02/nro_depletion_deployment_faq.pdf