Wednesday, February 20, 2008

Blackhat DC '08 Day1 wrapup

Holy crap, just when i was feeling a little blue after shmoocon (I felt the talks were better last year, but location was better this year), BlackHat cheers me up.

Dont get me wrong, there are some unfun things. The "con" area is super cramped, no room to even walk during the talk breaks, rooms were like 100 degrees today, lunch sucked cept for the super sleepy good cheesecake and the talk rooms were cramped in the popular talks. That aside the talks i caught today were great. Maybe i just picked poorly at shmoo, but i did good today.

Lets recap. schedule here if you want it

Cracking GSM: David Hulton and Steve

David only got 20 minutes at Shmoocon, so it was a chance for Steve to do all the GSM theory and David to go a little more into the cracking process. Things from my notes:

-They were able to see the IMSI from their phone in cleartext which is against the GSM standard, IMSI is basically your GSM phone's unique id.
-Every SIM has a JVM running on it and you can load and run code on there without user's knowlege, phone operators regularly send updates to phone and the user doesnt know.
-Your SIM stores the last 16 sessions IDs, so if an attacker can get physical access to your SIM and they have been recording the encrypted sessions they could potentially crack the last 16 calls or SMS, unless a phone operator is not cycling sessions IDs like they should.
-They built a GSM cracker, the commercial one was $1 Million USD, theres should be around $200k and crack a session key in 30 sec. the "cheap" one can be built for around 1500, you need 1 FPGA and 2 TB of tables, it will take about 30-60 min to crack a key for a recorded call or SMS. no real info on how to go about recording those calls but i imagine anyone that is thinking about buying one has figured out how to record the calls already.

RFIDIOts!!!Practical RFID hacking (without soldering irons): Adam Laurie
Adam has given this talk a few times but i have never been able to see it, glad i went today.
Things from my notes:
-RFID chips are passive, the energy from the reader is what powers them up.
-two types; dumb and smart
-dumb= animal tags, door readers
-smart=smart cards, credit cards with chips, E-passports
-He did several cool demos reading and writing two different types of "dumb" RFID chips and showed reading his UK E-passport and talked about some of the issues with the implementation. very cool. code is available on the site and he sells RFID reader/writers on his site, the code (in python) is freely available.

Bad Sushi: Beating Phishers at their own game: Billy Rios & Nitesh Dhanjani
-They went into really good deatil about phishers, phishing kits, ATM Skimmers, really talking about the motivations and total lack of hiding what they are doing. I didnt take many notes but a really good talk. The most interesting part was how most of the phishing kits were "backdoored" where the mailer in the code would also send a copy to the orginial code author and how most of the people using the kits usually left it in there...cute.

URI Use and Abuse: Nathan McFeters & Rob Carter

What the F is a URI? Uniform Resource Identifier. still lost? how about "http://", "ftp://", "aim://", "trillian://", "mailto://"...allows for a browser to interact with programs, all URIs registered can be accessed via browswer
-XSS is possible
-RFC 4395 to see URI Schemes
-talked about different vulnerabilities, see links, using URIs on windows, mac, and linux

Scanning Applications 2.0 - Next Generation Scan, Attacks and Tools: Sheeraj Shah
I really didnt take any notes because he covered SO MUCH in the talk. I've been trying to wrap my head around web2.0. It was definitely better to actually hear him talk through the slides even though he was a little hard to understand. obviously knows his web2.0 kung fu.
-i did go up after and ask Sheeraj about SQLI in Web2.0 apps. you basically have to feed all your SQLI thru wsdl requests which obviously makes current scanners worthless from a 2.0 look. but he did write a tool called WsFuzzer and you can feed it in whatever list of SQLI stings you want. so not totally automated, once you find the sql injection point you can automate the rest and you may or may not get any usable sql error messages back depending on the web service and backend database. Tons of demos of using the tools and some example ajax code on the BH disk, a very good added bonus.

Other things of interest (maybe); I got to meet Richard Bejtlich of taosecurity, nice guy we talked for a minute after the phishing talk about user training versus technical fixes.

talked to the saint guy, they have added a pivot function to the tool, so you exploit a host and they have built into their shellcode a proxy type function that i can now user Saint's vuln or port scanner thru that connection into the internal lan without having to load any type of agent on the box like Core Impact does. pretty cool if it works, i'm gonna see if i can get a demo set up.

No comments: