Saturday, April 9, 2011

Hackito Ergo Sum 2011 - Day 3 (and last)

Day 3 was another great day: we had a couple of cybercrime talks, Ruby on rails, DNIe , USB autorun for Linux and the solution to the conference crackme. I want to take a chance to thank the organizers, I really enjoyed this conference, the people were great and the talks interesting and I hope to be back next year, maybe even to present a talk.
As usual I welcome comments, either here or directly to me - feel free to let me know anything constructive.

Raoul Chiesa / Keynote
Raoul's keynote focused on cybercrime and UNICRI and their hacker profiling project (HPP). Cool quote - "you got information, you got power". The talk was cool and included parts focusing on who's behind cybercrime that I won't recount here out of respect to the fact he asked not to record anything during these parts of the talk. He shared his views on why cybercrime works:
  • New user every day = new fools every day
  • Making money  (fits to the economical crisis)
  • Technical know how is easy to get
    • Back in the day we worked hard to get something
  • Easy to recruit idiots ("mules")
  • Psychological - "they will never find me/bust me"
  • Psychological - Lack of violent actions
And how HPP classifies hackers:
  • Amateur
    • Wanna be lamer (9-16)
    • Script kiddie (10-18)
  • Hobbyist
    • Cracker (17-30)
    • Ethical hacker (15-50)
    • Quiet, paranoid, skilled hacker (16-40)
  • Pros
    • Cyber warrior (18-50)
    • Industrial spy (22-45)
    • Gov agent (25-45)
    • Military hacker (25-45)
He had a lot of interesting stuff to say and the talk actually went overtime. I can't possibly begin to recount even the public parts of the talk in a short summary but I highly advise you to listen to him if you get a chance.

Joernchen of Phenolit / Ruby on Rails form a code auditor's perspective
This talk focused on how to audit Ruby on Rails (RoR) code. Key points:
  • 3 layers called MVC - Models, Views, Controllers - review them
    • Start from the controllers
  • Look at the database
  • Look at the filters
  • RoR has some fancy magic that can go wrong - for example: mass assignments ( had a vuln because of using this)
Nice talk and definitely someone you should talk to if you audit RoR, personally this isn't in my focus areas.

Gabriel Gonzalez Garcia / Man in the Remote: PKCS 11 for fun and profit
This talk focused on ways to defeat the DNIe which is the Spanish government system of digital IDs used for authentication and non-repudiation certificates. Basically he implemented an attack against the untrusted terminal problem that the PC is posing between the DNIe device and what it authenticates to. There are two ways to use DNIe for web auth: Java applet or SSL + client certificate. The device itself has an EAL 4+ certification and defends against most hardware tampering attacks. What he found were two practical attacks on the terminal:
  1. Write a fake interface library that acts as an RPC server connecting his machine with a remote DNIe
  2. Write a fake java applet that acts as the proxy and runs on the client machine (easier)
He proposed a solution that I personally disagree with to use "distance bounding" == measure response time and disallow slow responses.

Jon Larimer / USB autorun attacks against Linux
This talk focused on how to implement autorun attacks against Linux and showed one successful attack. To be exact it is successful against GNOME. So first of all the specs of forbid systems from running code without asking the user. That being said a lot of processing is done when a new storage device is connected: file system drivers execute, file browsers read the contents and thumbnailers create thumbnails. These attacks are basically physical access which usually means "game over" because you can use DMA attacks using 1394 vulns and other attacks like cold boot attacks. However, assuming the latter is complicated for you and you are on a system where protections for against 1394 DMA attacks were implemented you need another way. From here on Jon described his processes of research which I will skip directly to the end - he decided to focus on Thumbnailers used by Nautilus (GNOME file manager). He found a vulnerability in the Evince thumbnailer for DVI files (among others). Luckily (or unfortunately, depending on you view) Evince uses AppArmor and compiles as PIE, in addition the kernel has ASLR enabled (but 32bit system). He worked on overcoming this:
  • ASLR and PIE can be defeated by brute forcing -
    • On a 32bit system there are only about 3000 addresses that the Linux kernel can load libc to.
    • Using this we can just generate 3000 files - 1 for each address
    • Loading will be slow (about 10 min), but success is almost sure
    • Interesting result he found were that in his statistics around 10% of the addresses were used significantly more than others
      • So you can create only about 300 files and have high chance of success
      • He says he didn't research why is this. This is something that someone should really pay attention to.
  • AppArmor can be worked around
    • Doesn't protect against X11 library calls
He showed a demo of killing the lockscreen using a USB stick. Jon Oberhide added an interesting comment that there is a rather new layer for partition parsing in Linux that had a lot of bugs recently.

Yuval Vadim Polevoy / Money is in the eye of the beholder: new and exciting ways to steal you money
This talk again focused on Cybercrime, Yuval is from RSA research lab and really interesting to talk to. He focused on how cyber-criminals make money and the underground economy. I will recount some of the most interesting points, I'm not sure I can do justice to the details but that is the cost of summarizing...
  • A cybercrime operation requires:
    • Bots
    • Campaign
    • Drop point
    • Bot plugins
    • Hiring & managing mules
    • Establishing covert channels
    • Maintain fast-flux (optional)
  • The skill set required for that is:
    • Low level programmer
    • Oday researcher
    • Spammer
    • Hosting owner
    • JS programmer
    • HR recruiter
    • E-commerce export
    • IT specialist
These are too many skills for most people, so the common solution nowadays is outsourcing parts of this effort to others.
For the end, he focused a bit on the future techniques that malware authors will use, in particular screen grabbing. Yuval showed a demo of two techniques that can be used for screen grabbing in Windows, thus defeating on screen keyboard and allowing other stuff like cheating in online poker…

Eloi Vanderb├ęken / Hackito Ergo Sum crackme
For the end Eloi talked about the crackme. I won't go into all the details but here are the highlights:
  • Verification alg - based on modified RC4
  • Obfuscation
    • Inst. Mutation
    • Control flow graph obfuscation
  • Encryption layers
  • Direct native API call
  • Using sysenter (also uses a lot of random invalid syscalls) which is why the crackme only worked on 32bit systems
  • Anti-X
    • Anti debugger
    • Anti-instrumentation
      • This was especially interesting to me, in particular because Eloi used Pin as the example for instrumentation engine
      • Detect hook on KiUserExceptionDispatcher nad KiUserCallbackDispatcher
      • Detect stack reuse by instrumentation code: place a constant in esp-4, execute syscall, check constant
    • Anti data-tainting
This is definitely a respectable set of protections. Only 3 solutions were submitted. I might try to write a PinTool that will be able to handle all these protections and post it here if I can.

Well, that's it for Hackito this year - I hope you will read my future posts.

No comments:

Post a Comment