Paul and I turned in pretty early on Day 2 and managed to make the first talk on Day 3, though not without the assistance of Club Mate and Starbucks. Day 3 was where things started to get really hairy in terms of being able to get into rooms to see the talks I wanted to see; I ended up missing the RFID talk I really wanted to see in favor of getting to the room for the Storm talk half an hour early. But that’s what conference recordings are for, isn’t it!
As before, be sure to also check out Security4All’s post on Day 3 for a more Belgian perspective on things.
We’re really excited about the results from this talk at the hacklab, as we’re hoping to get a couple of cells (pending investigation of the appropriate Canadian licensing requirements) in order to build something awesome and shiny for Hacking At Random next summer.
- the big “why”: they wanted to demo known (theoretical) security issues with GSM networks
- the network authorizes mobile devices using their sims, the devices don’t do any sort of authorization against the network
- copious “don’t try this at home” warnings – use a good dummy load, and don’t interfere with other operators, particularly military
- like all telco / ITU protocols, the intelligence is in the network not the endpoints, protocols described as a “TDMA nightmare”
- the base station they obtained (in 2006 on eBay, then bought the whole lot of 74 when they got the one working) is a Siemens BS-11 microBTS
- there are a bunch of specifications of the base station in their slides, as well as a hierarchy of needed components
- the documentation is available under NDA but 99% of the specs are available
- they were able to get in touch with others running the same BTS
- they got it basically working using an E1 card hooked up to a Linux PC, and you can too! (With the proper licensing of course)
- fun fact from the talk: phones have code in them implementing “Egypt detection” as GPS is illegal in that jurisdiction; the phones detect that they are on an Egyptian network and disable the GPS in software
- they also did an awesome demo which I won’t describe here – feel free to ask me about it offline
As far as I could tell, the talk didn’t contain any new information that I hadn’t seen in other talks about Storm. The researchers had thoroughly reverse-engineered the Storm bot and were able to control the remains of the botnet; it’s mostly or totally dead these days, however.
This talk discussed some theoretical and some practical vulnerabilities in Adobe Flash, as well as how to use Flash as a sidechannel or a loader for other malware to obfuscate malicious code. Flash can hide malicious code in externally referenced resources as well as internally stored objects, though fukami says that it does strange things to some kinds of media files which pre-empt their use in steganographic storage.
They also explored some behavioral analysys of ActionScript bytecode using erlswf, an ActionScript disassembler written in Erlang.
Bruce Dang’s talk and the conversation afterwards was one of the highlights of the Congress for me. He went over the OLE structured storage format which these attacks leverage (in addition to PDF vulnerabilities), as well as a number of easy mitigation strategies (he didn’t mention using OpenOffice, cough cough). He pointed at a few interesting things: Technical Cyber Security Alert TA05-189A; the pythoncom wrapper for Microsoft’s COM API’s, and the MOICE tool which converts documents into the much safer Office XML. They also have a blog here.
I’m going to leave Day 4 to another post which I’ll put up tomorrow.
After chatting with Bruce and Seth for a while I had dinner and eventually made my way to c-base again. There was a hilarious auction in which I contributed to VHS acquiring the c-base server, a really great hackerspaces call-in featuring about 20 people at c-base, a bunch from the US, Canada, and around Europe, as well as a caller from the nascent space in Durban, South Africa (zomg!). Afterwards there was lots more conversation about hackerspaces in Canada and a zillion other things. It was a great night.