20th DFN CERT Workshop

I was fortunate enough to be able to attend this year’s DFN Workshop which happened to be an anniversary as the event turned 20. Needless to say that I didn’t make all 20 πŸ˜‰ Well, I did a few anyway.

The keynote was surprisingly political. Marcus J. Ranum (Tenable Network Security) talked about Cyberwar – A Matter of Logistics and Privilege and made witty and thoughtful points. So he asked questions such as whether Stuxnet was an act of terrorism and whether its victims could sue the US to get their damages reimbursed. Highly interesting subject, highly interesting speaker.

Jan Ole Malchow presented “distPaste”, a HTML 5 based webapp that uses all the browsers to store data. So a distributed storage. Might be related to the fun project FillDisk.com.

Jens Liebchen from the awesome Redteam Pentesting did again a nice presentation this year. They got a new “Multi Function Printer” like a Canon C5051i (so a huge thing…) and had certain requirements regarding its security. He presented a threat model and shared some insights he gained while dealing with the vendor, and, more importantly, after having analysed the machine himself. It turns out that the device has a regular hard drive and runs some flavour of Linux with a big BLOB for their services. However, data was found to be spread over the partitions even though they bought a licence for “secure deletion” of data. They, rightfully, did not expect to find traces of their print or scan jobs. He mentioned that the security properties of such devices were not assessed yet. So there are loads of toys to play with.

Also funny was the work of Benjamin Kahler and Steffen Wendzel who did “Wardriving against building automation“. Basically, the question was how easy it is to break into a network and remote control the building, i.e. open doors and windows. Turns out, there are standard products which are not well secured and the deployment is usually not done properly either, so that network boundaries either don’t exist or can be passed easily.

The security of Android-App’s SSL/TLS usage was presented by Matthew Smith. They examined many many “Apps”, decompiled them and statically analysed how well they handle various conditions when building up a TLS connection. Apparently, many programs just do not care about the security properties of their TLS connection so that they just disable the verification of the certificate chain. The model is said to be too complex and too burdensome to set up during development. They also recommended to introduce a new privilege, namely sending data unencryptely. So that a user could select that an application must not transfer data as plain text.

Besides listening to the talks and chatting to people, I tried to get on the wireless in the hotel. Turns out, they interfere with your traffic, i.e. they block everything and redirect your web traffic to present you a landing page from which you are supposed to log in to the gratis wireless. The credentials to be entered were the room number and the last name of a guest of that room. Well, given the speakers and attendees list (or some knowledge of popular names in the region) it seems easy enough to just poke some data in and hope for the best. Or, instead of doing that manually, have a program doing that for you. Voila, je vous presente “petitelysee”. A simple Python script to try to log in to a landing page. As I’ve said, it’s the result of three hours or so work. So it’s not very nicely done and I obviously didn’t try it out. It has just been coded in a way that I *think* might work.

19th DFN Workshop 2012

The 19th DFN Workshop happened again *yay* and I was lucky enough to be able to take part πŸ™‚

After last year we all knew the venue and it’s great. The hotel is very professional and the receptions are very good. The conference room itself is very spacious and well equipped for having a couple of hundred people there.

So after a first caffeine infusion the conference started and the first guy gave the keynote. Tom Vogt (from Calitarus GmbH) talked about Security and Usability and he made some interesting points. He doesn’t want to have more “Security Awareness” but more “User Awareness”. He claims that users are indeed aware of security issues but need to be properly communicated with. He gave Facebook as an example: If you log in wrongly a couple of times, Facebook will send you an email, excusing themselves for the troubles *you* have while logging in. As opposed to the “if the question is stupid, the helpdesk will set you on fire” attitude.

So instead of writing security policies with a lot of rules he wants us to write policies that take the user’s view into account and make sense for the average user. He also brought up passwords and password policy. Instead of requiring at least 8 characters (which will be read as “8 characters” by the user anyway) one should encourage a more sensible strategy, i.e. the XKCD one.

He also disliked the metaphors we’re using all the time, i.e. we’re talking about documents or crypto keys. A document is something static that you hold in your hand. It can’t do any harm. But a Word-“document” is indeed something different, because there are macros and whatnot. And it’s not a big problem to temporarily give away physical keys. But in the crypto world, it is. And people, he claimed, would make those associations when confronted with these terms. Unfortunately, he didn’t have a fix for those long-term used metaphors but he said extra caution needed to be applied when talking in these terms.

Dissonance was another big thing. He claimed that it’s problematic that starting a program and opening a file is the very same action in modern operating systems. If the open document was triggered differently, then the user could see if the document that they received was indeed a text file or a some binary gibberish.

And well, as the talk was titled “Usability” user interfaces were criticised, too. He mentioned that dialogues were very rude and that it was equal to holding someone until they answer a question. That trained the user to avoid and escape the dialogue as quickly as possible without even reading them, totally destroying the whole point of a dialogue. So we should only use them in a “life or death” situation where it would be okay to physically hold someone. And well, “user errors are interface errors”.

My favourite usability bug is the whole Keysigning story. It’s broken from beginning to end. I think that if we come up with a nice and clean design of a procedure to sign each others keys, the Web of Trust model will be used more and more. Right now, it’s an utterly complex process involving different media and all that is doomed to be broken.

After that, a guy from the Leibniz-Rechenzentrum talked about internal perpetrators from university data centres. They basically introduced Login IDS, a tool to scrub your logs and make them more administration friendly. He said that they didn’t watch their logs because it was way too much data. They had around 800 logins per day on their two SSH and two Citrix servers and nobody really checked when somebody was logging in. To reduce the amount of log, they check the SSHd log and fire different events, i.e. if there is someone logging in for the very first time. Or if user hasn’t logged in at that time of the day or from the IP she’s using before. That, he claimed, reduced their amount of log to 10% of the original volume. Unfortunately, the git repo shows a single big and scary Perl file with no license at all 😐

Another somewhat technical talk followed by Michael Weiser. He talked about security requirements for modern high performance computing environments and I couldn’t really follow all the way through. But from what I’ve understood, he wants to be able to execute big jobs and have all the necessary Kerberos or AFS tokens because you don’t know for how long you’ll have to wait until you can process your data. And well, he showed some solutions (S4U2self) and proposed another one which I didn’t really understand. But apparently everything needs to be very complex because you cannot get a ticket that’s valid long enough. And instead you get a “Granting-Ticket” which empowers you to get all the tickets you want for a basically unlimited amount of time…?

The break was just coming up at the right time so that the caffeine stock could be replenished. It did get used up quite quickly πŸ˜‰

The first talk after the break introduced to HoneypotMe, a technology that enables you to put honeypots on your production-mode machines without risking to have them compromised. They basically create tunnel for the ports that are open on the honeypot but not on the production machine. So an attacker would not detect the honeypot that easily. Although it’s kinda nonsensical for a Linux machine to have the MSSQL port open. Interesting technology, although I don’t quite understand, why they put the honeypot after the production machine (network topology wise), so that you have to modify the TCP stack on the production machine in order to relay connections to the actual honeypot. Instead, one could put the honeypot in front and relay connections to the production machine. That way, one would probably reduce plumbing the TCP layer on the machine that’s meant to serve production purposes.

Another, really technical talk was given by a guy from the research centre juelich. It was so technical that I couldn’t follow. Jesus christ were the slides packed. The topic was quite interesting though. Unfortunate that it was a rather exhausting presentation. He tried to tell us how to mange IPv6 or well, to better damn manage it, because otherwise you’d have loads of trouble in your network. He was referring a lot to the very interesting IPv6 toolkit by THC. He claimed that those attacks were not easy to defend against. But it doesn’t need an attacker, he said. Windows would be enough to screw up your network, i.e. by somehow configuring Internet Connection Sharing it would send weird Router Advertisements. But I might have gotten that wrong because he was throwing lots of words and acronyms on us. NDPMON. RAPIXD. RAMOND. WTF. Fortunately, it was the last talk and we could head off to have some proper beer.

After way too less sleep and ridiculous amounts of very good food, the second day started off with a very great talk by a guy from RedTeam Pentesting. He did very interesting research involving URL shortening services and presented us his results. Some of which are quite scary. If you’re remotely interested in this topic, you should have a look at the paper once it is available. There is slightly different version here.

So the basic problem was described as follows: A user wants to send a link to a friend but the URL is too long so that email clients break it (well, he didn’t mention which though) or Twitter would simply not accept it… We kinda have to assume that Twitter is a useful thing that people do actually use to transmit links. Anyway, to shorten links, people may use a service that translates the long URL into a short one. And now the problems start.

First of all, the obvious tracking issues arise. The service provider can see who clicks on which links and even worse: Set cookies so that users are identifiable even much later. Apparently, almost all of these service do make use of tracking cookies which last for a couple of years. Interestingly, Google is reported to not make use of tracking technologies in their URL shortening service.

Secondly, you eventually leak a secret which is encoded in the URL you are shortening. And that’s apparently, what people do. They do use Google Docs or other sensitive webapps that encode important access tokens in the URL that you are throwing with both hands at the service provider. He claimed to have found many interesting documents, ranging from “obviously very private photos” over balance sheets from some company to a list of addresses of kindergarten kids. He got a good percentage of private documents which was really interesting to see.

But it gets worse. He set up a brand new web server listening on a brand new domain (fd0.me) and created URLs which he then shortened using the services. On the page his webserver delivered was a password which no search engine knew back then. The question was: Do URL shortening services leak their data to search engines? Or worse: Do they scan the database for interesting looking URLs themselves? Turns out: Yes and yes. He found his password on search engines and curious administrators in his webserver log.

Other obvious problems include loss of URL. Apparently people do use shortened URLs in long lasting things like books. And well, URL shortening services are not necessarily known for being long living. Fun fact: His university used to have such a service, but they shut it down…

Another technical issue is speed. Because of the indirection, you have an overhead in time. Google are the winner here again. They serve the fastest.

So yeah that was a very interesting talk which clearly showed the practical risks of such services.

A electronic ID card was introduced in Germany rather recently and the next guy did some research (sponsered by the ministry of interior) to explore the “eID Online Authentication Network Threat Model, Attacks and Implications”. Nobody in the audience actually used the eID so he had to tell us what you are supposed to do with it. It is used to authenticate data like your name, address, birthday or just the fact that you are at legal age. It’s heavily focussed on Browser stuff, so the scenarios are a bank or a web shop. After the website requested eID functions, the browser speaks to the local eID deamon which then wants to read your eID and communicates with the servers. Turns out, that everything seems to be quite well designed, expect well, the browsers. So he claims it is possible to Man in the Middle a connection if one can make a browser terminate a successfully opened connection. I.e. after all the TLS handshakes were finished, one would terminate the connection, intercept it and then no further verification was done. A valid attack scenario, not necessarily easy to be in that position though.


There were tiny talks as well. My favourite was Martin John from SAP talking about Cross Domain Policies. Apparently, standards exist to “enhance” the same origin policy and enable JavaScripts in browsers to talk to different domains. He scanned the internet^tm and found 3% of the domains to have wildcard policies. 50% of those had in some way sensitive webapps, i.e. authentication. He closed giving the recommendation of using CORS to do cross domain stuff.

The last two talks were quite interesting. The first one talked about XML Signature Wrapping. A technique that I haven’t heard of before, mostly because I’m not into XML at all. But it seems that you can sign parts of a XML document and well, because XML is utterly complex, libraries fail to handle that properly. There are several attacks including simply reproducing the XML tree with different properties and hoping that the parser would verify the correct tree, but work on the other. Simple, huh? But he claimed to have found CVE 2011-1411, a vulnerability in an interesting user of XML: SAML, some authentification protocol based on XML.

Afterwards, I was surprised to see an old tool I was playing with some time ago: Volatility. It gained better Linux support and the speaker showed off some features and explained how to make it support your Linux version. Quite interesting to see that people focus on bringing memory forensics to Linux.

So if you are more interested in the topics, feel free to browse or buy the book which includes all the papers.

This year’s DFN Workshop was much more interesting content wise and I am glad that it managed to present interesting topics. Again, the setting and the catering are very nice and I hope to be able to attend many more DFN Workshops in the future πŸ™‚

28C3 – Behind enemy lines

I was lucky enough to get a ticket for the Chaos Communication Congress 2011 in Berlin, Germany. So many people wanted to attend the CCCongress that the tickets were sold out in an instant. But the current location can’t handle more visitors so we’re forced to somehow limit the number of visitors unless the location or the concept of the CCCongress changes. Both options don’t sound really inviting, but refusing people to come isn’t fun either. So we’ll see what the future brings.

But I’d like to raise the point that the CCCongress is very much an event made by the people, i.e. the participants. It’s not that there is an overly mighty set of people who decide everything and are responsible for having a great event. It’s everybody that is responsible for helping out if somethings need to be done, contributing ideas, talks, workshop, etc. It’s rather a place where you play a part by helping physically and paying a fraction of the cost to have a good time. That means that you can’t make a CCCongress by paying the entrance fee only. It’s not a show for your entertainment. Hence you can’t have expectations that somebody has to do things for you. This applies to things you don’t like, too. If you don’t like stuff that is happening, stand up and change it. Don’t sit and complain. This especially applies to things like sexism or other politically incorrect things. There is no personnel being obliged to do anything. It’s all our big party and you’re supposed to contribute yourself to make it great. I mention this, because there were complaints about supposedly right-wing people being present but nobody did anything.

Many people go to the CCCongress for the talks. And well, I didn’t really managed to watch many of them, but the following make a list of notable talks, because they were in some ways, say, “interesting”.

But you can have very good talks as well. For example

A very big applause needs to be given to the video team. It’s just amazing that the recordings were available within a few days. I just envy those guys for rocking so hard.

Now it’s time for a shameless plug: As I want to watch the recordings of this CCCongress and I know that I won’t do it myself, because the last years proof that I don’t watch the videos anyway, I’ll publicly show two videos of the recordings every Wednesday in the local Chaos Computer Club. So if your disk is filling up with videos that you wanted to watch but never will, feel free to show up on the “Chaotic Congress Cinema“. Funny thing is, that there are 100 videos recorded and if we watch 2 videos every week, we’d finish all of them within the year πŸ™‚

26C3 Review

Attending last years CCCongress was a great pleasure. Although there were great lectures, it’s the spirit that’s the best part of the conference. Meeting all these nice hacker people, hanging around, talking, discussing, hacking is just brilliant. You’ve got all those smart hackers around you and it just can’t get boring.26c3 logo

A good way of socialising is, of course, visiting the various parties that take place. The Phenoelit party was awesome. Thanks FX for the invites πŸ™‚

Besides drinking I spent time on some crypto problems and tried to investigate on the magnetic-stripe-card authentication in Hotels and Hostels. I found out, that all our cards for one room are equal, but not one card that has been obtained later. The data on the card is just ~100bits and I tried to find timestamps and room numbers in it but I failed. I blame my dataset to be too small. I’ll launch more advanced experiments next year. If you happen to have insider knowledge in magnetic-stripe locks, drop me a line.

I want to highlight two things about the last CCCongress. Firstly, Friend Tickets were available and the concept is just awesome: Basically you can propose a friend of yours you think would benefit of attending the CCCongress but has no way to cover the expenses. The organisers then decide whether you can get a discount (which will, of course, apportioned to every regularly paying attendee). I like to see this solidarity among hackers. Unfortunately, no stats are available to see how many people were enabled to come through this method. I hope, having these friend tickets will be considered next year again. So if you wanted to come to the CCCongress but feared the expenses, consider asking for a discount. Just for the record: The prices are at rock bottom anyway: 80 Euros for a 4 day conference of this kind is amazingly cheap. Thanks to all the angels! πŸ™‚

The second noteworthy concept to distribute the CCCongress as much as possible (called Dragons Everywhere). The idea is fantastic: Increase the number of attendees as much as possible by building mini conferences and stream the most important things. It would be even better, if the gatherings had a feedback channel, i.e. Webcam. Hopefully, it’ll be better next year, i.e. better and more reliable streaming services and more places, especially in Berlin, because many people were sent away because the conference was already sold out πŸ™

If you want to get a feeling of what the CCCongress is like, you might want to have a look at the recordings. If you organize a public viewing, make sure you show these videos πŸ™‚ Based on the feedback, the best talks were:

And for entertainment, the following German talks are very good:

I hope you enjoy watching the CCCongress and consider coming in next year!

Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.