Last Tuesday, Dennis Dwyer blogged about his experiences at DEFCON 18, a computer security conference held in Las Vegas, Nevada. This event follows the Black Hat computer security conference, which has more of a business and corporate feel. While I did not find this year's conference as interesting as in years past, there were a number of interesting talks. Below is a quick summary of the talks I found most interesting.
Mobile security was a large topic at Black Hat and DEFCON this year. The Grugq kicked off the mobile talks at Black Hat by showing how vulnerable GSM (Global System for Mobile Communications) networks are to malicious phones. He talked about three separate attacks: the Request channel allocation flood (also known as RACHell), the IMSI Attach flood and the IMSI Detach attack. The Request channel allocation flood is the GSM equivalent of a SYN flood against a base station subsystem. One malicious phone can use this attack to take out a cell tower.
The second attack is the IMSI (International Mobile Subscriber Identity) Attach flood. This attack floods the backend system with connection attempts. If successful, an IMSI Attach flood would take down an entire network. It would require multiple phones for a successful attack, but obviously the outcome is worrisome.
The last attack is the IMSI Detach attack. The IMSI detach packet is an unauthenticated update that tells the network that the phone has been turned off. If you know the IMSI of your victim, then you can send detach messages every 30 seconds to prevent a victim's phone from receiving calls and SMS (Short Message Service). The Grugq concluded his talk by announcing his ongoing work in baseband fuzzing. Fuzzing is a software testing technique that feeds invalid, unexpected or random data to the inputs of a program in order to find defects, by observing when the program fails. Most phone baseband logic does not expect a malicious cell tower, so we should be expecting some interesting results in this space.
Chris Paget: Practical Cellphone Spying
Chris Paget's GSM spying talk was the most talked about presentation at DEFCON 18. This talk really was an overview of how OpenBTS works and how to use it for nefarious purposes. OpenBTS is open source cell phone base station software. It allows anyone with a software radio solution (USRP1 with 2 RFX900 daughterboards, in this case) to operate their own base station. Paget set up his base station to impersonate an AT&T base station. Cell phones in the audience noticed this new AT&T cell tower and began connecting to it. Paget's base station was configured not to encrypt their traffic, and he routed outgoing calls via VoIP. Victims would have had no idea that their calls were being intercepted. They would not have been able to receive incoming calls while connected this way, as AT&T's network would have assumed the victim's phone was off the network. Paget explained that he could have taken this attack one step further by connecting his base station to AT&T's network to impersonate the victim's phone.
This action would have been illegal (he would have had to crack the cell phone's secret key and transmit on AT&T's frequency), but he noted that bad actors wouldn't care about legality. From my perspective, the interesting aspect of the talk is how he was able to do the demos legally. Chris used frequencies that are used for cell phones in Europe but are licensed in the industrial, scientific and medical (ISM) radio band in the U.S. Since he is a licensed amateur radio operator, he was allowed to use the frequency as long as he identified himself every 10 minutes (he DOSed his own signal to broadcast this identification), didn't use crypto and limited his RF exposure. Ironically, the cell phone owners in the audience actually broke the law by connecting to his base station.
Barnaby Jack: Jackpotting Automated Teller Machines Redux
Barnaby Jack's Jackpotting ATMs presentation was the most talked about at Black Hat. He has been working in this space for over a year and even had this talk withdrawn last year over security concerns. Barnaby discovered bugs in four separate ATMs (Automated Teller Machines), but he was only legally allowed to display attacks against two. He identified two attack vectors: USB stick and incoming modem calls. Both attacks resulted in complete takeover of the ATMs. He could program the ATMs to record the magnetic track data and keypad information, change the image shown on the screen or eject cash. If malicious groups find these bugs before they are resolved, then we'd expect to see less skimming and more ATM rootkits. Short-term mitigations include disallowing incoming calls to an ATM and replacing physical locks with stronger locks. A long-term fix would require updating ATM software to require secure boot and only execute signed code.
Moxie Marlinspike: Changing threats to privacy: From TIA to Google
Moxie's talk this year focused on technological threats to privacy. He released three new tools to help combat those threats: GoogleSharing, RedPhone and TextSecure. GoogleSharing allows anyone to use Google's services without leaving identifiable information. Requests to Google are stripped of identifiable information and sent through a proxy. RedPhone and TextSecure are Android mobile applications for secure communication. RedPhone greatly reduces the barriers to entry for secure voice communications. It uses ZRTP (Zimmermann Real-time Transport Protocol) for encryption and a Short Authenticated String for identification, preventing man-in-the-middle attacks. TextSecure provides encrypted messaging using OTR (Off-the-Record Messaging) for SMS. Message history is stored in an encrypted format for later retrieval.
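To make the Short Authenticated String idea concrete, here is an added example (my own code, not RedPhone's or ZRTP's) that models why reading a short string aloud exposes a relay in the middle of a call. It assumes a toy 61-bit Diffie-Hellman group (insecure, chosen only so the arithmetic fits in a few lines), SHA-256 for the derivation, and a 4-character base32 SAS like ZRTP's "B32" type; ZRTP's hash commitment, which stops an attacker from regenerating keys until the strings happen to agree, is left out.

```python
"""Why a Short Authenticated String (SAS) exposes a man-in-the-middle.

Added example, not RedPhone's or ZRTP's code. Each side derives a short
string from the Diffie-Hellman secret it just computed and the two
callers read the strings to each other. A relay between them holds two
separate secrets, so the two strings stop matching.
"""
import base64
import hashlib
import random

P = 2**61 - 1  # toy prime modulus (constructed; NOT a secure DH group)
G = 2


class Party:
    """One endpoint of the call (or one face of the attacker)."""

    def __init__(self, name, rng):
        self.name = name
        self.priv = rng.randrange(2, P - 1)
        self.pub = pow(G, self.priv, P)  # the value sent over the network
        self.secret = None

    def derive_secret(self, peer_pub):
        """Compute the DH shared secret from whatever public value arrived."""
        self.secret = pow(peer_pub, self.priv, P)
        return self.secret

    def sas(self):
        """String the user reads aloud: 20 bits of a hash of the secret."""
        digest = hashlib.sha256(b"SAS|" + self.secret.to_bytes(8, "big")).digest()
        return base64.b32encode(digest[:5]).decode()[:4]


def honest_call(seed=1):
    """Alice and Bob exchange public values directly; return both SAS values."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    alice, bob = Party("Alice", rng), Party("Bob", rng)
    alice.derive_secret(bob.pub)
    bob.derive_secret(alice.pub)
    return alice.sas(), bob.sas()


def relayed_call(seed=1):
    """Mallory swaps both public values for her own, so she shares one
    secret with Alice and a different one with Bob. She can decrypt and
    re-encrypt the audio, but cannot make the two SAS values agree."""
    rng = random.Random(seed)
    alice, bob = Party("Alice", rng), Party("Bob", rng)
    to_alice, to_bob = Party("Mallory/Alice", rng), Party("Mallory/Bob", rng)
    alice.derive_secret(to_alice.pub)
    to_alice.derive_secret(alice.pub)
    bob.derive_secret(to_bob.pub)
    to_bob.derive_secret(bob.pub)
    # Mallory really does hold a working session with each victim.
    assert alice.secret == to_alice.secret and bob.secret == to_bob.secret
    return alice.sas(), bob.sas()


def sas_confirmed(alice_sas, bob_sas):
    """What the two users decide after comparing strings over the call."""
    return alice_sas == bob_sas


if __name__ == "__main__":
    for label, call in (("direct", honest_call), ("relayed", relayed_call)):
        a, b = call()
        verdict = "match, continue" if sas_confirmed(a, b) else "MISMATCH, hang up"
        print(f"{label:8s} Alice reads {a}, Bob reads {b}: {verdict}")
```

The check only works because the SAS is bound to the secret each endpoint computed for itself: the relay cannot choose what Alice or Bob will read, so the users catch the substitution without any certificate or key server.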
Tom Cross gave an insightful talk about current problems in lawful intercept (CALEA: Communications Assistance for Law Enforcement Act) systems. Cross pointed out two major problems with current implementations: Cisco's default implementation of SNMPv3 (Simple Network Management Protocol) does not generate a trap for authentication failures, and the protocol itself allows a tap to be generated without any logs. In other words, if an attacker gains enough access to send SNMP messages towards a Cisco router, then they can brute force access and generate a new tap without generating any logs. As an immediate fix, Cross suggested implementing SNMPv3 User-Group Access Control Lists coupled with IPsec to lock down access to Lawful Intercept to the mediation device's IP address (the device legally authorized to generate taps). This technique ensures that an audit trail is generated when receiving SNMP messages and that the device requesting taps is allowed to do so.
FX demoed a tool named Blitzableiter, which attempts to neuter malicious Adobe Flash applications. From its project page:
The Blitzableiter is a defensive solution for Adobe Flash Rich Internet Applications. It realizes the protection by applying a process of normalization through recreation.
Blitzableiter protects against attacks using Adobe Flash application files in SWF format. It can prevent attacks targeted at exploiting memory corruption vulnerabilities in the runtime environment as well as attacks using the runtime environment's native functionality maliciously.
Blitzableiter receives Flash files as input and (in theory) outputs non-malicious Flash files. At the moment, this tool is in beta form, but it might become an extremely useful tool for blocking malicious Flash ads.
Fyodor, David Fifield: Mastering the Nmap Scripting Engine
Fyodor and Fifield gave an interesting talk exploring the power of the Nmap Scripting Engine (NSE) and new Nmap projects. The scripting language is Lua-based, which makes it quite easy to use. Fifield generated a script on the fly that scanned a range of IPs for a certain web page and then attempted to brute-force the login for that page. Fyodor showed off some new SMB (Server Message Block) scripts that can enumerate SMB usernames and shares or attempt to brute-force usernames and passwords. They were able to scan approximately a million Microsoft IPs for open SMB shares and usernames in under 24 hours. It's a great tool for performing internal assessments.
Fyodor also showed off ndiff (http://nmap.org/ndiff/) and ncat (http://nmap.org/ncat/). Ndiff takes two Nmap XML result files and displays their differences. Ndiff allows an administrator to see how their network is changing over time, and whether anyone has set up a server without their knowledge. Ncat is a reimplementation of Netcat with a number of improvements. Ncat supports IPv6, SSL, SOCKS 4 and HTTP proxy connections as well as Ncat chaining. Ncat chaining allows traffic to pass through multiple computers before it hits its final destination by connecting multiple Ncat processes together. Both of these tools should make life easier for the IT administrator.
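As an added example of the kind of change detection ndiff gives an administrator, the script below (my own code, not the Nmap project's ndiff) compares two Nmap XML results and reports hosts that appeared or disappeared and ports that opened or closed. The two XML documents are constructed for the example and follow the `<nmaprun>`/`<host>`/`<ports>` layout Nmap emits; on a real network you would produce them with `nmap -oX before.xml ...` and `nmap -oX after.xml ...` and pass the file contents in.

```python
"""Ndiff-style comparison of two Nmap XML scan results (added example)."""
import xml.etree.ElementTree as ET

# Constructed "before" scan: one host with SSH and HTTP open.
BEFORE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed "after" scan: the same host now exposes SMB, a new host with
# RDP has appeared, and a down host is present that must be ignored.
AFTER_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.55" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.99" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {address: {(protocol, port): service}} for every host that
    Nmap reported as up. Down hosts and non-open ports are skipped."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[address.get("addr")] = open_ports
    return hosts


def diff_scans(before_xml, after_xml):
    """Compare two scans and return what changed between them."""
    before = parse_open_ports(before_xml)
    after = parse_open_ports(after_xml)
    changes = {
        "new_hosts": sorted(set(after) - set(before)),
        "gone_hosts": sorted(set(before) - set(after)),
        "opened": {},  # address -> [(protocol, port, service), ...]
        "closed": {},
    }
    for addr in sorted(set(before) & set(after)):
        opened = set(after[addr]) - set(before[addr])
        closed = set(before[addr]) - set(after[addr])
        if opened:
            changes["opened"][addr] = sorted((p, n, after[addr][(p, n)]) for p, n in opened)
        if closed:
            changes["closed"][addr] = sorted((p, n, before[addr][(p, n)]) for p, n in closed)
    # A brand-new host's open ports are the "server set up without my
    # knowledge" case, so list them as well.
    for addr in changes["new_hosts"]:
        if after[addr]:
            changes["opened"][addr] = sorted((p, n, s) for (p, n), s in after[addr].items())
    return changes


def format_report(changes):
    """Render the changes with ndiff's +/- convention, one line each."""
    lines = [f"+{addr}" for addr in changes["new_hosts"]]
    lines += [f"-{addr}" for addr in changes["gone_hosts"]]
    for addr, ports in changes["opened"].items():
        lines += [f"+{addr} {num}/{proto} open {svc}" for proto, num, svc in ports]
    for addr, ports in changes["closed"].items():
        lines += [f"-{addr} {num}/{proto} open {svc}" for proto, num, svc in ports]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_scans(BEFORE_XML, AFTER_XML)))
```

Run periodically against a saved baseline, a non-empty report is the signal to investigate; the down host in the sample shows why the status filter matters, since a host that merely stopped answering should not be reported as a removed server.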