Windows User Group August 15, 2008 10:30am
Today’s Round Up Topics
• The Vista and DNS exploit vulnerabilities presented
• The CVORG presentation on Linksys wireless router hardware Trojans
• A brief look at hacks involving the Emergency Alert System and pagers
• Review of the Metro Card hack that has created so much controversy and was just on CNN
• A few other noteworthy things, briefly
• A short overview of the talk I gave about Open Source Warfare (as used by insurgents in Iraq and Afghanistan)
What are Defcon & Black Hat
• Essentially both are computer security conferences
• Defcon is geared towards hackers: August 7-10, Riviera, www.defcon.org
• Black Hat is geared more towards corporate security people: August 2-7, Caesars Palace, www.blackhat.com
Using a browser to evade Vista’s Security
• Who: Mark Dowd, Alexander Sotirov
• What: evade Vista protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)
• How: by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers
• http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html
Using a browser to evade Vista’s Security
• How:
• “defenses that Microsoft added to Vista are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomly moving things such as a process's stack, heap and libraries. That technique is useful against memory-corruption attacks, but in Dowd’s case these protections don’t work”
• “memory protection mechanisms available in the latest versions of Windows are not always effective when it comes to preventing the exploitation of memory corruption vulnerabilities in browsers.”
• “Two factors contribute to this problem: the degree to which the browser state is controlled by the attacker; and the extensible plugin architecture of modern browsers”
• Dennis Fisher, Executive Editor, SearchSecurity.com
DNS Exploit
• Who: Michael Zusman
• What: abusing SSL VPNs: purchase a certificate from a major CA for the FQDN (fully qualified domain name) of an existing Fortune 500 company’s website
• How: when filling out the request form, he simply checked the box saying the certificate will not be used on the Internet and is for internal testing only
• And then: keep doing it until you find a CA that agrees
• Jamey Heary, Cisco security expert: http://www.networkworld.com/community/node/30822
DNS Exploit
• What happens: the user’s client DNS cache is poisoned so that the website’s name resolves to an HTTP proxy run by the attacker, which presents the fraudulently obtained certificate
• This means the attacker “sits in the middle” of all communications between the user and the real website behind the proxy
• The certificate is checked and qualifies as legitimate, because a real CA issued it
• Your communications, though, aren’t legitimate
• Risk level: moderate
• Anything you can do about it? No: standard certificate validation passes, so only an out-of-band check (comparing the certificate fingerprint or issuer you see against a known-good one) would reveal the substitution
CVORG Hardware Trojans
• Who: Kiamilev, Hoover
• How: in an electronic Trojan attack, extra circuitry is illicitly added to hardware during its manufacture
• What: the hardware Trojan performs an illicit action such as leaking secret information, allowing attackers clandestine access or control, or disabling or reducing functionality of the device. The growing use of programmable hardware devices (such as FPGAs), coupled with the increasing push to manufacture most electronic devices overseas, means that our hardware is increasingly vulnerable to a Trojan attack from potential enemies.
• Note: the Trojans demonstrated leak via thermal, optical and radio channels
• http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Kiamilev
• Related: Autoimmunity disorder in Wireless LAN, http://www.networkworld.com/community/node/30842
The Subway Ticket Hack
• Who: Massachusetts Bay Transportation Authority
• Vs.: MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson
• http://news.cnet.com/8300-1009_3-83.html?keyword=%22Defcon+2008%22
• Observation: you just have to laugh out loud
The Subway Ticket Hack
• What: how the fare system can be circumvented through a few simple hacks
• How: this one is easy to find online and well worth your time
• Similar to the boarding pass hack that still hasn’t been fixed!?
Commission on Cyber Security for the 44th Presidency
• Do you ever get the feeling you’re being lied to?
• Done by the Center for Strategic and International Studies (CSIS)
• On a related note: the Air Force has cut off funding for its own cyberwar efforts and will decide within the next 12 weeks whether to continue operations or not
EAS & Pagers
• “DCFluX” Krick: EAS (Emergency Alert System)
• NYCMIKE: FLEX (1600/3200 bps level 2, 3200/6400 bps level 4) and POCSAG (512, 1200, 2400 bps) pager traffic: how to decode it, how to set up a listening post, and decoding the digital data with a sound card
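The POCSAG part of that talk comes down to one framing rule: every codeword on the air is 32 bits, built as 21 data bits, 10 BCH(31,21) check bits and an even-parity bit, so a decoder knows a sync or idle word when it sees one and can repair a couple of bit errors from a noisy sound-card capture. The following is an added example written for this page, not code from the talk or the deck; the generator polynomial (0x769) and the sync/idle constants are the published POCSAG values, and the RIC and payload used in the test run are made up.

```python
"""POCSAG codeword construction, checking and brute-force error correction.

Added example (not from the talk). Constants are from the POCSAG spec:
  g(x) = x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1  -> binary 11101101001 = 0x769
  sync codeword 0x7CD215D8, idle codeword 0x7A89C197
Layout of a 32-bit codeword, MSB first: 21 data bits | 10 BCH bits | 1 parity bit.
"""
from itertools import combinations

GENERATOR = 0x769           # g(x); bit 10 is the x^10 term
SYNC_CODEWORD = 0x7CD215D8  # starts every batch of 16 codewords
IDLE_CODEWORD = 0x7A89C197  # fills unused slots in a batch


def bch_remainder(bits31: int) -> int:
    """Remainder of a 31-bit polynomial divided by g(x), processed MSB first."""
    rem = 0
    for i in range(30, -1, -1):
        rem = (rem << 1) | ((bits31 >> i) & 1)
        if rem & 0x400:          # x^10 term set: subtract g(x) (XOR in GF(2))
            rem ^= GENERATOR
    return rem


def make_codeword(data21: int) -> int:
    """Append the 10 BCH check bits and an even parity bit to 21 data bits."""
    if not 0 <= data21 < (1 << 21):
        raise ValueError("data must fit in 21 bits")
    bits31 = (data21 << 10) | bch_remainder(data21 << 10)
    parity = bin(bits31).count("1") & 1   # makes the 32-bit word even parity
    return (bits31 << 1) | parity


def check_codeword(cw: int) -> bool:
    """True when the BCH remainder is zero and the 32-bit parity is even."""
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0


def address_codeword(ric: int, function: int) -> int:
    """Address codeword: flag bit 0, 18 high RIC bits, 2 function bits.
    The 3 low RIC bits are not sent; they choose the frame (see frame_for)."""
    if not 0 <= ric < (1 << 21) or not 0 <= function < 4:
        raise ValueError("RIC must be 21 bits, function 0..3")
    return make_codeword(((ric >> 3) << 2) | function)


def frame_for(ric: int) -> int:
    """Frame (0..7) within the batch in which this RIC's address is sent."""
    return ric & 7


def decode_address(cw: int, frame: int):
    """Recover (RIC, function) from an address codeword and its frame number."""
    data = cw >> 11
    return ((data >> 2) << 3) | frame, data & 3


def message_codeword(data20: int) -> int:
    """Message codeword: flag bit 1 followed by 20 payload bits."""
    return make_codeword((1 << 20) | (data20 & 0xFFFFF))


def classify(cw: int) -> str:
    """What a decoder does first with each received 32-bit word."""
    if cw == SYNC_CODEWORD:
        return "sync"
    if cw == IDLE_CODEWORD:
        return "idle"
    if not check_codeword(cw):
        return "invalid"
    return "message" if cw >> 31 else "address"


def correct_codeword(cw: int, max_errors: int = 2):
    """Repair up to two flipped bits by trying every flip pattern; with the
    extended code's minimum distance of 6 the two-error fix is unique.
    Returns the corrected word, or None if more than max_errors bits are bad."""
    for n in range(max_errors + 1):
        for flips in combinations(range(32), n):
            cand = cw
            for b in flips:
                cand ^= 1 << b
            if check_codeword(cand):
                return cand
    return None
```

A sound-card decoder uses `classify` on every 32 bits after it locks onto the sync word, calls `correct_codeword` on anything that fails the check, and groups the address and message words that follow into pages.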
Some other great topics
• Bristow: ModScan, a SCADA MODBUS network scanner
• Multiple TOR presentations
• Bello & Bertacchini: Predictable RNG in the Vulnerable Debian OpenSSL Package
• Brossard: Bypassing pre-boot authentication passwords
• Related: major work on password retention through supercooling of RAM components vs. Trusted Computing
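What a tool like ModScan has to do on the wire is small: build a Modbus/TCP request per unit ID, send it, and tell a real answer from an exception. The block below is an added example for this page, not ModScan's own code; the frame layout is the public Modbus/TCP specification, and the "gateway" it scans is a constructed stand-in (unit IDs 1 and 17 exist, all others return the gateway-target-failed exception) so the sweep runs offline.

```python
"""Modbus/TCP framing and a unit-ID sweep (added example, not ModScan's code).

MBAP header (7 bytes, big-endian): transaction id (2), protocol id (2, always
0), length (2, counts unit id + PDU), unit id (1). The PDU is a function code
followed by its data; exceptions echo the function code with bit 7 set.
"""
import struct

PROTOCOL_ID = 0
READ_HOLDING_REGISTERS = 0x03
EXC_ILLEGAL_FUNCTION = 0x01
EXC_GATEWAY_TARGET_FAILED = 0x0B   # gateway reached, but no device at that unit id


def build_request(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    pdu = bytes([function]) + payload
    mbap = struct.pack(">HHHB", tid, PROTOCOL_ID, len(pdu) + 1, unit)
    return mbap + pdu


def read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return build_request(tid, unit, READ_HOLDING_REGISTERS,
                         struct.pack(">HH", start, count))


def parse_frame(frame: bytes) -> dict:
    """Parse a response ADU into a dict; rejects inconsistent headers."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != PROTOCOL_ID or len(pdu) != length - 1 or not pdu:
        raise ValueError("bad MBAP header")
    function = pdu[0]
    if function & 0x80:
        return {"tid": tid, "unit": unit, "function": function & 0x7F,
                "exception": pdu[1]}
    if function == READ_HOLDING_REGISTERS:
        n = pdu[1]
        regs = struct.unpack(">%dH" % (n // 2), pdu[2:2 + n])
        return {"tid": tid, "unit": unit, "function": function,
                "registers": list(regs)}
    return {"tid": tid, "unit": unit, "function": function, "data": pdu[1:]}


# Constructed stand-in for a Modbus gateway: only units 1 and 17 exist.
DEVICE_REGISTERS = {1: [0x0102, 0x0304, 1200], 17: [7, 0, 0]}


def fake_gateway(frame: bytes) -> bytes:
    """Answers like a gateway would; replace with a socket round trip for real use."""
    tid, _proto, _length, unit = struct.unpack(">HHHB", frame[:7])
    function = frame[7]

    def exception(code: int) -> bytes:
        return struct.pack(">HHHB", tid, PROTOCOL_ID, 3, unit) + bytes([function | 0x80, code])

    if unit not in DEVICE_REGISTERS:
        return exception(EXC_GATEWAY_TARGET_FAILED)
    if function != READ_HOLDING_REGISTERS:
        return exception(EXC_ILLEGAL_FUNCTION)
    start, count = struct.unpack(">HH", frame[8:12])
    regs = DEVICE_REGISTERS[unit][start:start + count]
    data = struct.pack(">%dH" % len(regs), *regs)
    pdu = bytes([function, len(data)]) + data
    return struct.pack(">HHHB", tid, PROTOCOL_ID, len(pdu) + 1, unit) + pdu


def scan_units(transport, units, start: int = 0, count: int = 2) -> dict:
    """Sweep unit ids through one TCP endpoint. `transport(frame) -> reply`.
    Returns {unit: registers} for live devices; a device that exists but
    refuses the request is recorded with its exception code."""
    found = {}
    for tid, unit in enumerate(units, start=1):
        reply = parse_frame(transport(read_holding_registers(tid, unit, start, count)))
        if reply["tid"] != tid or reply["unit"] != unit:
            continue                      # stale, mismatched or spoofed reply
        if "registers" in reply:
            found[unit] = reply["registers"]
        elif reply["exception"] != EXC_GATEWAY_TARGET_FAILED:
            found[unit] = "exception 0x%02x" % reply["exception"]
    return found
```

Against a real PLC the transport is a connected TCP socket on port 502 (send the frame, read up to 260 bytes back), and a missing reply, not an exception, is the usual sign that a unit id is absent; scanning production control networks this way is read-only but still generates traffic that some PLCs handle badly, so do it with the operators' agreement.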
Some other great topics
• Moulton: Solid State Drives Destroy Forensic & Data Recovery
• Data on a solid state device is virtualized: the physical sector you ask for is not the sector it was 5 minutes ago. The data moves around under wear-leveling schemes controlled by the drive using proprietary methods. When you ask for sector 125, that LBA is mapped to a physical block by the drive, and every 5 write cycles the data is moved to a new, previously erased block. This destroys the metadata used in forensics and data recovery: file slack space disappears, and you can no longer be sure that the physical sector you are recovering was in the same location, has not been moved, or what it used to hold.
• Another great presentation was about “hacking” implanted medical devices such as pacemakers
Open Source Warfare
• Berghammer: OSW has become a highly lucrative area that covers topics such as computer security, shaping of potential battlefields and populations, and actual in-the-field uses of modified electronic devices such as microwave ovens, model rockets and remote-controlled aircraft, as well as computer-based command and control protocols. What is particularly interesting is how underfunded and ill-equipped insurgency (and counter-insurgency) groups can make use of off-the-shelf technology to fight vastly better funded armies. The talk also examined the communications methods of these groups: how they approach not only Internet-style communication (in some cases setting up their own superior communications networks) but also communications security.
Thank you! And now, something amusing…..