Thursday, April 7, 2011

Hackito Ergo Sum 2011 - Second half of the first day

Short summaries of the talks in the second half of the first day:

Itzik Kotler / Let Me stuxnet you
Although the name of the talk has Stuxnet in it it does not another one of these boring Stuxnet talks but focuses on Permanent DOS (PDOS) of your hardware using all sorts of methods. This is a research that is still WIP.
Several key concepts:
  • SW can harm HW by making it perform harmful operations
  • SW can harm FW and cause it to do harmful operations
  • SW can take advantage of one piece of HW to harm another HW
PDOS can be achieved in many manners:
  • Phlashing - overwriting FW on Flash to brick parts
  • over-clocking
  • over-volting
  • over-using - esp. in mechanical parts
  • power cycling - uses temperature flection
Can attack CPUs, GPUs, RAM, HDDs, SSDs, Flash, NICs, CRTs, Floppys and more...
Interesting focus on examples how to implement these attacks so the user doesn't realize it's done until his system dies.

Marc Heuse / Recent advanced in IPv6 insecurities
This is Van Hauser from THC. First part of the talk focused on IPv6 basics. He then covered some attacks against IPv6 he released since 2005 and then went on to talk about new attacks - I'll try to cover everything real quick. In particular I liked the quote: "if you start fuzzing things will blow up".
First it is important to mention the THC IPv6 attack tool he is developing, many parts of which are not yet released BUT if you join the dev team he is willing to share (and he is looking for help)... He also released a new version of THC Hydra during his talk.
So, a real quick overview of IPv6 attacks he mentioned (only the headlines or I won't finish this post):
  • ARP Spoofing => ND spoofing
  • Duplicate address detection DOS
  • Many ways to MITM using redirects
  • Using Autoconfig (like DHCP but built in IPv6) for pretending to be a router
  • Replacing the default router using lifetime=0
  • Most Linux distros (and in general) don't filter most IPv6, especially weird headers
  • Can announce a remote network as local to spoof it
  • RA flooding - can DOS cisco, Netscreen, all Windows, FreeBSD, some Linux
  • you can detect systems sniffing on your local network
  • taking over as MLD
  • side channels in IPv6
  • techniques to identify remote systems (can't scan 16 octets!)

Tarjei Mandt / Kernel pool exploitation on Win7
This talk was too technical to go into details in a brief summary - see the slides for details.
The short version is as following: Win7 has protections in the kernel pool - these are not good enough. several tehcniques were invented by Tarjei to bypass these and two exploits for CVEs were shown.
CVE-2010-3939 (MS10-098) - Used Quota process pointer to exploit
CVE-2010-1893 (MS10-058) - Used Pool index overwrite to exploit
If you like kernel exploits on Windows you really should check out Tarjei's slides and blog.

Sebastien Tricaud / Capture me if you can!
Sebastien discussed handling incidents in large networks (country level). He talked about capture methods like: PCAP, netfilter queue, DAQ and others. And on data processing techniques - how to find meaningful information in logs. He made a very convincing point on log "0day" - due to not collecting or collecting information incorrectly you can lose important information,
In my view, the most interesting news in the talk were:

Well, I hope you enjoyed; Please leave a comment. I will try to keep up in the next two days...

No comments:

Post a Comment