25C3 Day 3

Paul and I turned in pretty early on Day 2 and managed to make the first talk on Day 3, though not without the assistance of Club Mate and Starbucks.  Day 3 was where things started to get really hairy in terms of being able to get into rooms to see the talks I wanted to see; I ended up missing the RFID talk I really wanted to see in favor of getting to the room for the Storm talk half an hour early.  But that’s what conference recordings are for, isn’t it!

As before, be sure to also check out Security4All’s post on Day 3 for a more Belgian perspective on things.

[Photo: inside of a GSM microBTS]

Running your own GSM network

We’re really excited about the results from this talk at the hacklab, as we’re hoping to get a couple of cells (pending investigation of the appropriate Canadian licensing requirements) in order to build something awesome and shiny for Hacking At Random next summer.

  • the big “why”: they wanted to demo known (theoretical) security issues with GSM networks
  • the network authenticates mobile devices via their SIMs, but the devices don’t do any sort of authentication of the network in return
  • copious “don’t try this at home” warnings – use a good dummy load, and don’t interfere with other operators, particularly military
  • like all telco / ITU protocols, the intelligence is in the network, not the endpoints; the protocols were described as a “TDMA nightmare”
  • the base station they obtained is a Siemens BS-11 microBTS (bought on eBay in 2006; once they got that one working they bought the whole lot of 74)
  • there are a bunch of specifications of the base station in their slides, as well as a hierarchy of needed components
  • the documentation is available under NDA, but 99% of the specs are available
  • they were able to get in touch with others running the same BTS
  • they got it basically working using an E1 card hooked up to a Linux PC, and you can too! (With the proper licensing, of course)
  • fun fact from the talk: phones have code in them implementing “Egypt detection”, as GPS is illegal in that jurisdiction; the phones detect that they are on an Egyptian network and disable the GPS in software
  • they also did an awesome demo which I won’t describe here – feel free to ask me about it offline

Stormfucker: Owning the Storm Botnet

As far as I could tell, the talk didn’t contain any new information that I hadn’t seen in other talks about Storm.  The researchers had thoroughly reverse-engineered the Storm bot and were able to control the remains of the botnet; it’s mostly or totally dead these days, however.

SWF and the Malware Tragedy

This talk discussed some theoretical and some practical vulnerabilities in Adobe Flash, as well as how to use Flash as a side channel or as a loader for other malware in order to obfuscate malicious code.  Flash can hide malicious code in externally referenced resources as well as in internally stored objects, though fukami says that it does strange things to some kinds of media files, which pre-empts their use for steganographic storage.

They also explored some behavioral analysis of ActionScript bytecode using erlswf, an ActionScript disassembler written in Erlang.

Methods for Understanding Targeted Attacks with Office Documents

[Photo: targeted trojans – Oh, PowerPoint...]

Bruce Dang’s talk and the conversation afterwards were one of the highlights of the Congress for me.  He went over the OLE structured storage format which these attacks leverage (in addition to PDF vulnerabilities), as well as a number of easy mitigation strategies (he didn’t mention using OpenOffice, cough cough).  He pointed at a few interesting things: Technical Cyber Security Alert TA05-189A; the pythoncom wrapper for Microsoft’s COM APIs; and the MOICE tool, which converts documents into the much safer Office XML.  They also have a blog here.
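A format-triage check in the spirit of the mitigations Bruce described, written as an added example for this write-up (not code from his talk or from the MSRC tools): it validates the fixed OLE2 compound-file header rather than trusting the file extension, separates legacy binary documents from Office XML, and flags Office XML that still carries embedded OLE objects, since those reintroduce the binary parser MOICE is meant to avoid. Magic values and header offsets come from the published compound-file format; the sample documents are constructed inline.

```python
import io
import struct
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML is a zip container

def parse_cfb_header(data: bytes) -> dict:
    """Validate the fixed 512-byte OLE2 header and return its key fields.
    Raises ValueError when the fields are inconsistent with the spec."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if byte_order != 0xFFFE:                     # bytes FE FF at offset 28
        raise ValueError("bad byte-order marker")
    if (major, sector_shift) not in ((3, 9), (4, 12)) or mini_shift != 6:
        raise ValueError("version/sector size mismatch")
    return {"major": major, "minor": minor, "sector_size": 1 << sector_shift}

def classify(data: bytes) -> str:
    """Return 'ole2', 'ooxml', 'ooxml+ole' (Office XML with embedded OLE
    objects), 'zip' (a zip that is not Office XML) or 'unknown'."""
    if data[:8] == CFB_MAGIC:
        parse_cfb_header(data)                   # raises on a malformed header
        return "ole2"
    if data[:4] == ZIP_MAGIC:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return "zip"
        if any("/embeddings/" in n and n.endswith(".bin") for n in names):
            return "ooxml+ole"
        return "ooxml"
    return "unknown"

def make_sample_cfb() -> bytes:
    """Constructed minimal v3 header: magic, zero CLSID, minor 0x3E, major 3,
    byte order FFFE, 512-byte sectors, 64-byte mini sectors; zero-padded."""
    hdr = CFB_MAGIC + bytes(16) + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)
    return hdr.ljust(512, b"\0")

def make_sample_ooxml(with_ole: bool) -> bytes:
    """Constructed skeleton .docx containing only the parts the classifier reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_ole:                             # an embedded legacy OLE object
            zf.writestr("word/embeddings/oleObject1.bin", make_sample_cfb())
    return buf.getvalue()
```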

I’m going to leave Day 4 to another post which I’ll put up tomorrow.

After chatting with Bruce and Seth for a while I had dinner and eventually made my way to c-base again.  There was a hilarious auction in which I contributed to VHS acquiring the c-base server, a really great hackerspaces call-in featuring about 20 people at c-base, a bunch from the US, Canada, and around Europe, as well as a caller from the nascent space in Durban, South Africa (zomg!).  Afterwards there was lots more conversation about hackerspaces in Canada and a zillion other things.  It was a great night.

4 thoughts on “25C3 Day 3”

  1. BDIFA (Bruce Dang Is Fucking Awesome). If you see him again ask him about the joy of being the one Asian guy with a squadron of Gaijin in Tokyo and not speaking Japanese. Everywhere we went people just figured he was our tour guide. Hilarity ensued. Other than that, thanks for posting these, wish I could make a C3 but Jesus does not approve of expensive flights to Germany during the holiday season.

  2. Hehe, I will indeed ask him about that – hoping to go see MSRC when I’m in Seattle next week, woo.

    You should come to HAR this summer! It’s not during the holiday season!

  3. It’s possible… Definitely Shmoo (not optional since Nate and I are speaking) and NotaCon again, and of course BH/DC. I googled but was unable to conclude what is a HAR.
