Exciting IT Security - ISACA Melbourne · 2013. 10. 16. · ISACA Melbourne Chapter, Andreas...

Date post: 14-Oct-2020
ISACA Melbourne Chapter, Andreas Dannert Exciting IT Security based on 27C3
Transcript
Page 1: Exciting IT Security - ISACA Melbourne · 2013. 10. 16. · ISACA Melbourne Chapter, Andreas Dannert > Embedded controllers everywhere_ Uses signatures/hashing for ALL software considered

ISACA Melbourne Chapter, Andreas Dannert

Exciting IT Security based on 27C3

Page 2:

> Chaos Computer Club (CCC)_

Founded September 12, 1981 by Wau Holland et al

Currently 4000+ members

Became famous through the “Bildschirmtext” hack

Promotes free access to computers and technology

Hosts Europe’s oldest and largest hacker conference

Since 2009 also hosting SIGINT in Cologne

Page 3:

all volunteers

70 Euro for 4 days

3000+ tickets, sold out

6000+ liter Club Mate

(but only 600 liters of beer)

100+ hours of lectures

top of 5807 streaming clients

3TB of video

oldest visitor 86

provided childcare

Page 4:

> Things to come_

Just stick to 1st principles

Embedded controllers everywhere

Smart phones - many options

Let’s go IPv6

Fun with PDF

Page 5:

> Just stick to 1st principles_

PS3 Console Hack

Signed executables (ineffective)

Chain of trust (broken)

Security coprocessor (pointless)

Hypervisor (useless)

Encrypted storage (bypassed)

Public key crypto (broken)

:-(

Page 6:

> Just stick to 1st principles_

SMS-o-Death

All major feature phone producers affected (Nokia, Samsung, LG, Motorola, and Micromax)

Finding “killer SMS” was easy using fuzzing

While this was research, it could be used for real infrastructure attacks :-(

Page 7:

> Just stick to 1st principles_

Smart Card system for Public Transport

Weak encryption algorithm

No backend verification

Change of business requirements, but not security

:-(

Page 8:

> Just stick to 1st principles_

Use proven encryption algorithms

Ensure proper implementation of security

Ensure secure code (i.e. boundary checking)

Ensure random numbers are random

Use appropriate level of security (Do you need it?)

Appropriate level of testing (consider automated testing and fuzzing)

Page 9:

> Embedded controllers everywhere_

Embedded controllers are in most devices

Standardized controllers have “extra” capacity

Complex systems have several attack vectors

:-(

Page 10:

> Embedded controllers everywhere_

Use signatures/hashing for ALL software considered vulnerable

Stay flexible and learn, security devices are not all

Ensure remote flashing on laptops not possible

Use appropriate security (There are always ways around it.)

Page 11:

> Smart phones - many options_

Primary Entry Points

Default communication network, i.e. GSM, SMS, MMS...

Secondary Entry Points

Non default communication network, i.e. Email, IM, Skype ...

Tertiary Entry Points

Proximity attacks i.e. WiFi, Bluetooth...

Drive by cross site scripting attacks

:-(

Page 12:

> Smart phones - many options_

Increased complexity, increased options

Balance between vulnerabilities and testing costs

The risk of “3rd party solutions”, i.e. nothing runs in isolation

What needs to be protected and how? (i.e. use of encrypted storage)

Likelihood of attacks (i.e. anything goes)

Page 13:

> Let’s go IPv6_

| | IPv4 | IPv6 | Advantage |
|---|---|---|---|
| Address length | 32 bits | 128 bits | many more devices |
| Broadcast/multicast | yes | no broadcast / other form of multicast | better bandwidth utilization |
| QoS | ToS using DIFFServ | flow labels and classes | more granular control |
| Configuration | manual/DHCP | automatic | reduced error/reduced op. cost |
| Security | IPSec optional | IPSec required | security framework |
| Mobility | mobile IPv4 | faster handover, router optimization | improved efficiency and scalability |

Page 14:

> Let’s go IPv6_

| | IPv4 | IPv6 |
|---|---|---|
| Addresses | “4,294,967,296” | “340,282,366,920,938,463,463,374,607,431,768,211,456” |
| Address | 192.168.15.12 | 2001:0DB8:AC10:FE01:0000:0000:0000:0000 (2001:0DB8:AC10:FE01::) |

Page 15:

> Let’s go IPv6_

Neighbour Discovery (ND) Spoofing

Man in the middle attack (“impersonate” router)

Become default router (router advertising + use 0 lifetime)

No router available: everything becomes local

Force “dual stack usage” by router advertisement

Router advertisement flooding (DOS!)

Some firewalls don’t filter IPv6

IPv6 side channels

:-(
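
Added example, not part of the original slides: a defender-side monitor for the router advertisement problems listed above (unknown routers, lifetime-0 advertisements for the real router, RA floods). The record layout, the allowlist, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
from collections import deque, namedtuple

# One observed ICMPv6 Router Advertisement, as a sensor might record it.
RA = namedtuple("RA", "ts src mac lifetime")

# Assumed allowlist: link-local address -> MAC of each authorised router.
KNOWN_ROUTERS = {"fe80::1": "00:00:5e:00:53:01"}
FLOOD_WINDOW = 10  # seconds
FLOOD_LIMIT = 5    # distinct RA sources tolerated inside one window


def analyse(ras, known=KNOWN_ROUTERS):
    """Return (timestamp, finding, detail) alerts for a list of RAs."""
    alerts, recent, flooding = [], deque(), False
    for ra in sorted(ras, key=lambda r: r.ts):
        if ra.src not in known:
            alerts.append((ra.ts, "ROGUE_ROUTER", ra.src))
        elif ra.lifetime == 0:
            # Lifetime 0 tells hosts to drop this default router.
            alerts.append((ra.ts, "DEFAULT_ROUTER_WITHDRAWN", ra.src))
        elif ra.mac.lower() != known[ra.src]:
            alerts.append((ra.ts, "ROUTER_MAC_MISMATCH", ra.src))
        # Sliding window over recent RAs to spot advertisement floods.
        recent.append(ra)
        while ra.ts - recent[0].ts > FLOOD_WINDOW:
            recent.popleft()
        sources = {r.src for r in recent}
        if len(sources) > FLOOD_LIMIT and not flooding:
            alerts.append((ra.ts, "RA_FLOOD", f"{len(sources)} sources"))
        flooding = len(sources) > FLOOD_LIMIT
    return alerts


# Constructed sample traffic (documentation MAC range, made-up addresses).
SAMPLE = [
    RA(0, "fe80::1", "00:00:5e:00:53:01", 1800),    # legitimate router
    RA(3, "fe80::bad", "00:00:5e:00:53:aa", 1800),  # unknown sender
    RA(4, "fe80::1", "00:00:5e:00:53:aa", 0),       # lifetime 0 for real router
] + [RA(20 + i, f"fe80::f:{i:x}", "00:00:5e:00:53:bb", 1800) for i in range(8)]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

A lifetime-0 advertisement is also what a legitimate router sends when it shuts down, so that alert is a prompt to check against planned maintenance rather than proof of spoofing.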

Page 16:

> Let’s go IPv6_

Plan, prepare, implement

Employee training

Understanding technology implications

Utilize peers (organizations and people)

Understand product strength and weaknesses

Page 17:

> Fun with PDF_

PDF = Portable Document Format or “The most dangerous file format...”

PDF is an open standard for document exchange created in 1983 by Adobe Systems*

Built on 15 mil. lines of code (Firefox 3.5 has 2.7 mil.)

Turing complete

Standard doesn’t provide methods for checking conformance of files

Can execute embedded Flash files / JavaScript

* ISO/IEC 32000-1:2008

Page 18:

> Fun with PDF_

PDFs can look different based on OS and geo-location

PDFs can be code and documents

PDFs are not always interpreted the same

PDF readers are not necessarily sandboxing PDFs

Code can be spread across the file

Data, i.e. images, embed nicely

:-(

Page 19:

> Fun with PDF_

Keep an eye on this topic and do risk assessments

Understand file types used in your organization

Don’t trust data just because it looks harmless

Consider using “document scrubbers”
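
Added example, not part of the original slides: a minimal triage pass of the kind a document-scrubbing gateway might run first, counting PDF name objects that trigger code or active content and undoing the `#xx` name escapes that let `/JavaScript` be spelled in other ways. The name list and the sample bytes are constructed for illustration.

```python
import re

# PDF name objects that make a viewer run code or load active content.
ACTIVE_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch",
                "RichMedia", "EmbeddedFile"}

# A name runs from "/" up to the next PDF whitespace or delimiter byte.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Undo #xx escapes so /J#61vaScript and /JavaScript compare equal."""
    plain = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def triage(data):
    """Count active-content names in raw PDF bytes, noting escaped forms."""
    report = {}
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in ACTIVE_NAMES:
            entry = report.setdefault(name, {"count": 0, "obfuscated": 0})
            entry["count"] += 1
            entry["obfuscated"] += int(b"#" in raw)
    return report


# Constructed sample: a catalog with an open action pointing at a script
# action whose subtype name is hex-escaped.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /J#61vaScript /JS (constructed placeholder) >> endobj\n")

if __name__ == "__main__":
    for name, stats in sorted(triage(SAMPLE).items()):
        print(name, stats)
```

This scans raw bytes only, so names inside compressed object streams or encrypted files are not seen; a file that comes back clean here still needs a real parser or scrubber before it is trusted.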

Page 20:

> But wait, there is more!_

Online resources of 27C3

Online resources of past events

Online resources of similar events

CCC summer camp in August 2011

Social network and other resources

Page 21:

> You might also want to look at_

Code deobfuscation by optimization

Cognitive Psychology for Hackers

A framework for automated architecture-independent gadget search

Data Recovery Techniques

Rootkits and Trojans on your SAP landscape

Page 22:

> Attribution, thanks and acknowledgement_

(this presentation is mainly based on the below presentations at 27C3)

Collin Mulliner and Nico Golde, “SMS-o-Death” @ 27C3

“Fail0verflow” team, “Console Hacking 2010” @ 27C3

Harald Welte, “Reverse Engineering a real world RFID System” @ 27C3

Ralf-Philipp Weinmann, “The Hidden Nemesis” @ 27C3

Ilja van Sprundel, “Hacking Smart Phones” @ 27C3

Marc “van Hauser” Heuse, “Recent advances in IPv6 insecurities” @ 27C3

Julia Wolf, “OMG WTF PDF” @ 27C3

Page 23:

> URLs_

1. http://events.ccc.de/congress/2010/wiki/Documentation

2. http://www.ccc.de/en/

3. http://events.ccc.de/category/camp/

4. https://events.ccc.de/sigint/2010/wiki/Hauptseite

5. http://www.blackhat.com/html/bh-dc-11/bh-dc-11-archives.html

6. http://www.defcon.org/html/links/dc-archives.html

7. http://video.hackinthebox.org/

8. http://www.thc.org/

9. http://www.isti.tu-berlin.de/security_in_telecommunications/menue/research/publications/

10. http://lcamtuf.coredump.cx/silence.shtml

11. http://packetstormsecurity.org

12. http://www.nro.net/wp-content/uploads/2011/02/nro_depletion_deployment_faq.pdf

