<?xml version="1.0" encoding="UTF-8"?>
<schedule>
 <conference>
  <title>0sec 2006</title>
  <subtitle>a private security event for friends</subtitle>
  <venue>Stade de Suisse</venue>
  <city>Bern</city>
  <start>2006-10-13</start>
  <end>2006-10-15</end>
  <days>3</days>
  <day_change>00:00</day_change>
  <timeslot_duration>01:00</timeslot_duration>
 </conference>
 <day date="2006-10-13" index="1">
  <room name="Talk">
   <event id="24">
    <start>19:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>wlanhd</tag>
    <title>WLAN Tracking Antenna and Hard Drive Security</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>Welcome to our private labs. This presentation is split into two parts and is based on our
private experiments:

The first part, on hard drive security: the main intention is to present access methods to
the "manufacturer area" found inside every hard drive, and to review the software and
hardware tools that grant such access. These techniques allow data to be hidden completely
from standard forensic tools.

The second part is oriented towards Wi-Fi security: its main goal is to show how to build a
home-made automatic tracking antenna for Wi-Fi or Bluetooth sniffing.</abstract>
    <description></description>
    <persons>
     <person id="17">Laurent Dupuy</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="25">
    <start>20:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>dbd</tag>
    <title>dbd: default behaviour database</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Workshop</type>
    <language>English</language>
    <abstract>A presentation on default passwords, default installations and default behaviours as a threat in the computing and technology environment, with the idea of federating a database.
The presentation will focus on the idea of creating a structured, semi-public database of hardware, software and miscellaneous knowledge about default behaviours. Nothing very new, but it introduces a clear database schema, a clear API and an easy-to-use web interface. KISS.
A proof-of-concept tool in Perl that uses the current example database will be presented: it supports basic protocols and allows automatic and intelligent detection of default behaviours.

The tool was first written without a database, motivated by the daily needs of system administration in big, heterogeneous IT companies where computing is just a tool and users are not IT literate.</abstract>
    <description></description>
    <persons>
     <person id="18">alphacc</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="19">
    <start>21:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>rfid</tag>
    <title>OpenPCD and OpenPICC</title>
    <subtitle>Free Hardware and Software for reading and emulating RFID</subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>This presentation will introduce and demonstrate OpenPCD and OpenPICC.
The purpose of those projects is to develop free hardware designs and
software for a 13.56 MHz RFID reader and transponder simulator. OpenPICC
can be used e.g. to simulate ISO 14443 or ISO 15693 transponders, such
as those used in biometric passports and FIFA World Cup tickets.

The OpenPCD project is a 100% Free Licensed RFID reader hardware and
software design.  It was first released on September 13, 2006.
Using OpenPCD, interested hackers can directly access the lowest layers
of 13.56 MHz based RFID protocols.  The hardware offers a number of
digital and analog interfaces, and the firmware source code is available
and can be modified and compiled using arm-gcc.

The OpenPICC project is the counterpart to OpenPCD.  It is a device that
emulates 13.56 MHz based RFID transponders / smartcards.  Like OpenPCD,
the hardware design and software are available under Free Licenses. It
has not been released yet, but the first prototypes are working and it
is expected to be released before 23C3.

The presentation will introduce and explain the OpenPCD and OpenPICC
hardware as well as software design.</abstract>
    <description></description>
    <persons>
     <person id="12">Harald Welte</person>
    </persons>
    <links>
     <link href="http://www.openpcd.org/">http://www.openpcd.org/</link>
    </links>
   </event>
  </room>
 </day>
 <day date="2006-10-14" index="2">
  <room name="Talk">
   <event id="22">
    <start>13:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>rootcode</tag>
    <title>Reducing root code paths</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>The talk presents an alternative to the existing requirements to run
   daemons as root and the unwieldy use of the setuid bit.

   It will cover existing ways to avoid the requirement for root for the
   majority of the code paths in an application, alongside clean extensions to
   the Linux and BSD kernels to improve current Privilege Separation
   techniques. Use of the proposed solution prevents an attacker from
   recovering root via setuid(0) and SAVED_IDS.

   Code running as root can be reduced to a small validation "gatekeeper"
   which can be more easily audited and secured against attack than the
   current method of dropping then restoring root via setuid().

   The extensions use the existing 'cmsg' socket infrastructure for exchanging
   and validating credentials, patching in the ability to elevate privileges,
   providing a safe equivalent to setuid() via Unix Domain Sockets.</abstract>
    <description></description>
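     <description><![CDATA[The userland half of the problem the talk describes, as an added example (this is not the speaker's code, and the cmsg/kernel extensions he proposes are not reproduced). It contrasts the seteuid() dance that leaves root in the saved uid with a permanent drop of real, effective and saved ids, and shows the check a daemon should run afterwards: verify the ids with getresuid()/getresgid() and confirm that setuid(0) now fails. The fallback uid/gid 65534 for a process started as root is an assumption ("nobody" on most systems); a real daemon would use its own service account.

```python
import os

# Added example (not code from the talk). Userland only: permanent
# privilege drop plus verification. The talk's kernel/cmsg extensions
# are not reproduced here.


def drop_temporarily(uid):
    """The pattern the talk argues against: only the effective uid moves.
    Real and saved uid stay 0, so os.seteuid(0) brings root straight back."""
    os.seteuid(uid)


def drop_privileges_permanently(uid, gid):
    """Set real, effective AND saved ids so that no later setuid()/seteuid()
    can return to root. Order matters: supplementary groups and gid first,
    while we still have the privilege to change them; uid last."""
    if os.geteuid() == 0:
        os.setgroups([])            # clearing groups needs CAP_SETGID
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)


def ids_fully_dropped(uid, gid):
    """A privilege drop that is not verified may have failed silently."""
    return (os.getresuid() == (uid, uid, uid)
            and os.getresgid() == (gid, gid, gid))


def can_regain_root():
    """True if setuid(0)/seteuid(0) would succeed, i.e. the saved uid still
    holds root. Only meaningful after dropping to a non-zero uid."""
    if os.geteuid() == 0:
        return True
    for call in (os.setuid, os.seteuid):
        try:
            call(0)
            return True             # saved uid was still 0: incomplete drop
        except PermissionError:
            pass
    return False


def demo_drop_and_verify():
    """Drop to an unprivileged identity and report the outcome. When run
    as root this uses uid/gid 65534 (assumed to be "nobody"; a real daemon
    would use a dedicated service account)."""
    uid = 65534 if os.getuid() == 0 else os.getuid()
    gid = 65534 if os.getgid() == 0 else os.getgid()
    drop_privileges_permanently(uid, gid)
    if not ids_fully_dropped(uid, gid):
        return "ids not fully dropped"
    if can_regain_root():
        return "root still recoverable"
    return "ok"


if __name__ == "__main__":
    print(demo_drop_and_verify())
```

Run it as root and as a normal user: in both cases the final identity cannot get back to uid 0. The same sequence in C uses setgroups(), setresgid() and setresuid() (Linux and the BSDs); plain setuid() only sets all three ids when the caller is root, which is exactly why the temporary-drop pattern is so easy to get wrong.]]></description>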
    <persons>
     <person id="15">Rob Holland</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="5">
    <start>14:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>futurexss</tag>
    <title>The Future of XSS</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>Cross-Site Scripting has become one of the most common vulnerabilities in today's web applications. Experts say that about 80% of all web applications are vulnerable to those attacks. So it's not that surprising that many white- and, of course, also blackhats did (and still do) some research on the topic of XSS. In this lecture Disenchant will talk about the present and mainly the future of this powerful attack class.</abstract>
    <description></description>
    <persons>
     <person id="3">Disenchant</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="12">
    <start>15:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>forensic</tag>
    <title>Forensic analysis of CD-R and DVD media</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>It might seem unusual to talk about CD-R and DVD-R analysis at the end of 2006, 30 years after the invention of audio CDs. CD-R and DVD-R are used by millions of people who burn their discs daily without a deep knowledge of these media. CD-R and DVD-R could carry valuable data hidden between their lands and pits. Hidden so well that even the people who burned that CD might think they are safe...</abstract>
    <description></description>
    <persons>
     <person id="8">Andrea "Pila" Ghirardini</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="10">
    <start>16:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>biometric</tag>
    <title>Hacking fingerprint recognition systems</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>Today biometric systems are becoming mainstream. They can be found everywhere: in mobile phones, computers, entrance systems, even in ATMs. Because of the low costs, small sizes and the alleged maturity, fingerprint sensors are mostly used. But contrary to the assurances of the manufacturers they are still very easy to hack with techniques invented three years ago (see http://www.ccc.de/biometrie/fingerabdruck_kopieren).

The capacitive sensors built into the new generation of ThinkPad computers from IBM / Lenovo were among the first to implement countermeasures against this type of dummy. But countermeasures only lead to new types of dummies!

Using this fingerprint system as an example, I want to explain the different techniques of hacking biometric systems, from the attack on the communication and the stored reference data to the direct hack of the sensor itself. The talk will present tools and ways to extract communication data to enhance dummy materials and a step-by-step approach to the final dummy finger that will defeat the sensor.</abstract>
    <description></description>
    <persons>
     <person id="6">starbug</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="8">
    <start>17:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>x25</tag>
    <title>X.25 (in)security in year 2006</title>
    <subtitle>Why, What, When, Who, How? Real-life &amp; field experience analysis of an underestimated (and still current) security issue</subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>The presentation will focus on X.25 security issues, positioned in today's context and problems. The main intention is to bring personal and professional know-how, backgrounds and X.25 penetration testing experiences to the audience, with real-life case studies. You will discover how an airplane flying over the Atlantic Ocean uses X.25 packet switching to communicate with the outside world, as well as why many government institutions around the world still use the reliable frame-relay X.25 networks.</abstract>
    <description></description>
    <persons>
     <person id="5">Raoul Chiesa</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="18">
    <start>20:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>wartracking</tag>
    <title>WarTracking</title>
    <subtitle>Satellite Tracking, harvesting and security</subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>A spiced-up introduction into the world of satellite telecommunications. We'll begin with the reception setup, explain the theory behind the technical part of satellite telecommunications and finally present the variety of signals flowing down from orbit to the receiver. Several hack-valued topics will be covered, such as "Be your own satellite broadcaster", fascinating data traffic, "Who else is listening?" and self-made receiving/transmitting gear.

WarTracking, as derived from WarDriving and Satellite Tracking, is a traditional field of interest to the technically talented (aka nerds), though only few master the obstacles on the way to successful advanced satellite listening. Our journey will begin at the basics. We'll explain the terms and definitions of WarTracking to assure an equal level of understanding among the attending audience. As our journey proceeds, the listeners will learn about satellite orbit calculation / prediction for non-geosynchronous orbits and the technical requirements for reception of such satellites. We'll also stop by to revisit past noteworthy events such as live military war footage on unsuspicious commercial TV transponders. A main part of this lecture will be the current situation "up there", including information on easy but fascinating catches for the beginning WarTracker. We'll shed light on the often neglected commercial broadcast satellite transponders carrying fascinating payload. Then the audience will be taken one step further: "Ever wanted to be a satellite broadcaster heard around the world? - No problem!". There are several ways for low-budget *active* fun with satellites - some of them are even legal. ;) Rounding up the journey we'll also have a look at the commercial "WarTrackers" and the enormous efforts undertaken by them (Echelon, Satos). Finally we'll try to draw a picture of what the near and not so near future holds for us WarTrackers. Everything concluded by an open Q&amp;A session with much space for in-depth discussions that will continue outside the lecture room.</abstract>
    <description></description>
    <persons>
     <person id="11">Thomas B. Rücker</person>
     <person id="10">Miguel Elias</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="21">
    <start>21:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>dylan</tag>
    <title>Secure networking with Dylan-based domain-specific language</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>The security industry is in a paradox situation: many security
appliances and analysis tools, be it IDS systems, virus scanners,
firewalls or others, suffer from the same weaknesses as the systems they
try to protect. What makes them vulnerable is the vast amount of
structured data they need to understand to do their job, and the bugs
that invariably manifest in parsers for complex protocols if written in
unsafe programming languages.

We present the design and implementation of a domain-specific language
(DSL) for description of structured byte-oriented protocols that
addresses this problem. The DSL is applicable to a wide range of
problems, such as network communication or file formats, and allows the
programmer to write an abstract definition of some packet format, from
which parsers and generators are then created automatically. That
mechanism saves the programmer from tedious manual work for supporting
new protocols, and at the same time prevents him from introducing
vulnerabilities into the parsing process.</abstract>
    <description>Our DSL is implemented on top of Dylan, a dynamically typed,
object-oriented programming language. It makes heavy use of the Dylan
macro facility to extend the language for the domain of packet format
description, without sacrificing performance in the process. Beyond the
safety gained by automating the parser creation process, Dylan provides
additional security by its strong typing, mandatory bounds checking and
automated memory management.

We also show the implementation of a userland TCP/IP stack, which uses
the packetizer DSL for description of network packet formats, as well as
a packet flow graph framework for packet processing and a layering
mechanism for protocol handling.

The flow graph allows the user to connect packet processing nodes such
as packet sources, sinks, decapsulators, demultiplexers and filters into
complex arrangements for handling packets. It can be used to implement
applications like filtering bridges or network analysis tools in just a
couple of lines of code.

The layering mechanism handles the stacking of protocol layers. In
theory, one OSI layer corresponds to one instance of a layer object,
there are for instance layers to handle Ethernet, IP and UDP, which are
stacked on top of each other. In practice, TCP/IP has parts which cannot
be clearly attributed to a specific OSI layer (ARP being the prominent
example), so we handle bonding of layers using adapter objects, which
know about both the layers they connect. Stackability of layers allows
easy implementation of protocols such as IP-over-ICMP.</description>
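     <description><![CDATA[The idea behind the packetizer DSL, as an added example in plain Python rather than Dylan (this is not the talk's code). A header is described once as a list of fields; the parser and the generator are derived from that description, every read is bounds-checked before it happens, and the layering code adds the semantic checks (version, total length, header checksum) that the field description alone cannot express. The Ethernet and IPv4 layouts are the real ones; the frame at the bottom is constructed for the example, and only IPv4 without options is handled.

```python
import struct

# Added example (not the talk's Dylan code): a declarative packet format
# from which parse() and build() are derived, so no hand-written offset
# arithmetic and no out-of-bounds read on short input.


class Field:
    def __init__(self, name, fmt):
        self.name = name
        self.fmt = fmt                      # struct format, network order
        self.size = struct.calcsize(fmt)


class PacketFormat:
    """Abstract definition of a fixed-layout header."""

    def __init__(self, name, *fields):
        self.name = name
        self.fields = fields
        self.size = sum(f.size for f in fields)

    def parse(self, data, offset=0):
        """Return (field dict, offset after the header); checks length first."""
        if len(data) - offset < self.size:
            raise ValueError(f"{self.name}: need {self.size} bytes, "
                             f"have {len(data) - offset}")
        values = {}
        for f in self.fields:
            values[f.name] = struct.unpack_from(f.fmt, data, offset)[0]
            offset += f.size
        return values, offset

    def build(self, values):
        """Generator counterpart of parse(); struct.pack range-checks values."""
        return b"".join(struct.pack(f.fmt, values[f.name]) for f in self.fields)


ETHERNET = PacketFormat("ethernet",
                        Field("dst", "!6s"), Field("src", "!6s"),
                        Field("ethertype", "!H"))

IPV4 = PacketFormat("ipv4",
                    Field("ver_ihl", "!B"), Field("tos", "!B"),
                    Field("total_length", "!H"), Field("ident", "!H"),
                    Field("flags_frag", "!H"), Field("ttl", "!B"),
                    Field("proto", "!B"), Field("checksum", "!H"),
                    Field("src", "!4s"), Field("dst", "!4s"))


def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum; 0 when a header's checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Layering: Ethernet, then IPv4 if the ethertype says so, with the
    semantic checks the field description cannot express."""
    layers = {}
    eth, off = ETHERNET.parse(frame)
    layers["ethernet"] = eth
    if eth["ethertype"] == 0x0800:
        ip, end = IPV4.parse(frame, off)
        if ip["ver_ihl"] != 0x45:
            raise ValueError("ipv4: only version 4 without options is handled")
        if ip["total_length"] < IPV4.size or ip["total_length"] > len(frame) - off:
            raise ValueError("ipv4: total_length does not fit the frame")
        if ipv4_checksum(frame[off:end]) != 0:
            raise ValueError("ipv4: bad header checksum")
        layers["ipv4"] = ip
    return layers


def build_ipv4(values):
    """Serialise an IPv4 header, filling in the checksum."""
    v = dict(values, checksum=0)
    v["checksum"] = ipv4_checksum(IPV4.build(v))
    return IPV4.build(v)


# Constructed sample: Ethernet + 20-byte IPv4 header (UDP, no payload).
SAMPLE_IPV4 = build_ipv4({"ver_ihl": 0x45, "tos": 0, "total_length": 20,
                          "ident": 1, "flags_frag": 0x4000, "ttl": 64,
                          "proto": 17, "checksum": 0,
                          "src": bytes([10, 0, 0, 1]), "dst": bytes([10, 0, 0, 2])})
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800) + SAMPLE_IPV4)

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
```

A truncated frame fails in parse() with a clear error before any byte is read; a frame whose header was altered fails the checksum; and on the generator side struct.pack refuses values that do not fit the field (a TTL of 256 raises struct.error), which is the point of deriving both directions from one definition.]]></description>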
    <persons>
     <person id="14">Hannes Mehnert</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="23">
    <start>22:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>openssh</tag>
    <title>Messing with OpenSSH Public Key system</title>
    <subtitle>from LDAP patch to a cleaner abstraction layer</subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>Once upon a time there was a project named openssh-lpk, aiming to hack
   public key lookup over LDAP into OpenSSH. The patch did a reasonable job,
   allowing central administration of users in an LDAP environment. However,
   having LDAP code in OpenSSH felt wrong and ugly, and a new system was
   necessary. Abstracting public key lookup would provide a flexible way for
   quickly allowing arbitrary lookup of keys without compromising OpenSSH code
   base cleanliness and conformity to strict coding standards.

   The talk will cover the current openssh-lpk patch, its benefits and reasons
   to exist, a first approach for abstracting public key lookup in a Quick and
   Dirty (tm) way, followed by a Nice and Clean (tm) approach with a complete
   abstraction layer. We'll show and debate concepts as well as showing our
   current code for the three solutions.

   openssh-lpk; from egg, to ugly duckling, to swan.</abstract>
    <description></description>
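     <description><![CDATA[What an abstraction layer for public key lookup boils down to, as an added example (this is not openssh-lpk's code or the speakers' abstraction layer). Each key source implements one method, keys_for(user); a facade merges their answers and passes on only entries that are well-formed authorized_keys lines whose base64 blob really starts with the declared key type, which is the check sshd itself performs when it reads a key. The file contents and directory entries are constructed; the DirectoryBackend class stands in for the LDAP lookup and holds its entries in memory. Later OpenSSH releases (6.2 onwards) expose exactly this kind of hook as AuthorizedKeysCommand, whose output is the authorized_keys format this facade produces.

```python
import base64
import binascii
import struct

# Added example (not openssh-lpk code): pluggable key sources behind one
# facade, with validation of every returned line. Sample data constructed.


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack("!I", len(data)) + data


def make_key_line(key_type, key_material, comment):
    """Build an authorized_keys line; key_material stands in for a real
    public key (the blob layout is: type string, then the key's fields)."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_material)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_authorized_key(line):
    """Return (type, base64, comment), or None if the line is not a key
    line whose blob starts with the declared type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack_from("!I", blob, 0)
    if n > len(blob) - 4 or blob[4:4 + n] != key_type.encode():
        return None
    return key_type, b64, comment


class FileBackend:
    """Per-user authorized_keys text, as in the classic ~/.ssh file."""

    def __init__(self, files):
        self.files = files                    # {user: file contents}

    def keys_for(self, user):
        for line in self.files.get(user, "").splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                yield line


class DirectoryBackend:
    """Stands in for the LDAP lookup: one attribute value per key."""

    def __init__(self, entries):
        self.entries = entries                # {user: [key line, ...]}

    def keys_for(self, user):
        yield from self.entries.get(user, [])


def lookup_keys(user, backends):
    """Facade for the sshd side: merged, validated, de-duplicated lines."""
    accepted, rejected, seen = [], [], set()
    for backend in backends:
        for line in backend.keys_for(user):
            parsed = parse_authorized_key(line)
            if parsed is None:
                rejected.append((type(backend).__name__, line))
                continue
            key_type, b64, comment = parsed
            if (key_type, b64) in seen:
                continue
            seen.add((key_type, b64))
            accepted.append(f"{key_type} {b64} {comment}".rstrip())
    return accepted, rejected


# Constructed sample data; the key material is placeholder bytes.
ALICE_LAPTOP = make_key_line("ssh-ed25519", bytes(range(32)), "alice@laptop")
ALICE_DIRECTORY = make_key_line("ssh-ed25519", bytes(range(32, 64)), "alice@directory")

BACKENDS = [
    FileBackend({"alice": "# keys managed by hand\n\n" + ALICE_LAPTOP + "\n"}),
    DirectoryBackend({
        "alice": [ALICE_DIRECTORY,
                  ALICE_LAPTOP,                                   # duplicate of the file entry
                  "ssh-rsa " + ALICE_LAPTOP.split()[1] + " mislabeled"],
        "bob": [make_key_line("ssh-ed25519", bytes(32), "bob@directory")],
    }),
]

if __name__ == "__main__":
    ok, bad = lookup_keys("alice", BACKENDS)
    print("\n".join(ok))
    print("rejected:", bad)
```

The validation step is what keeps a mistyped or injected directory attribute from reaching sshd: a line whose declared type does not match the blob is dropped and reported rather than handed over.]]></description>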
    <persons>
     <person id="16">Andrea Barisani</person>
     <person id="15">Rob Holland</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="26">
    <start>23:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>nedap</tag>
    <title>Hacking Nedap voting computers</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>In 2006 some hackers from the Dutch "wijvertrouwenstemcomputersniet"
("We don't trust voting computers") initiative and from the CCC got
their hands on a Dutch Nedap voting computer. Nedap claims "Hacker haben
 absolut keine Chance" ("Hackers have absolutely no chance") (in [1]).
In this talk (slightly unprepared) I'll present what has been done with
this "Dedicated Special Purpose Machine" [1].</abstract>
    <description></description>
    <persons>
     <person id="14">Hannes Mehnert</person>
    </persons>
    <links>
     <link href="http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf">Es3b-en.pdf</link>
     <link href="http://www.wahlsysteme.de/Wahlnachrichten/2006_WIRVERTRAUENWAHLMASCHINENNICHT.pdf">2006_WIRVERTRAUENWAHLMASCHINENNICHT.pdf</link>
    </links>
   </event>
  </room>
 </day>
 <day date="2006-10-15" index="3">
  <room name="Talk">
   <event id="6">
    <start>13:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>web20</tag>
    <title>Web 2.0 creates a need for a more secure web?</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>On the security implications of AJAX and how XForms may in fact be considerably more secure while offering many of the same benefits:

JavaScript is not a problem that can be solved by encouraging good web programming. It is about deliberate malicious attacks using a powerful programming language that, by design, bypasses firewalls, virus-protection, and anything else you have in place to run on your computer - unannounced. If anything, AJAX only shows how powerful it is, because JavaScript's current use in 'Web 2.0' websites was never foreseen by its creators.

AJAX can be replaced by a safer way to create Web 2.0 applications - XForms. XForms, a dialect of XML, is precisely designed to allow the sort of asynchronous jiggery-pokery used in AJAX, and can be integrated with safe server-side scripts to have the same effect.</abstract>
    <description></description>
    <persons>
     <person id="4">Schnitz</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="9">
    <start>14:00</start>
    <duration>02:00</duration>
    <room>Talk</room>
    <tag>hpp</tag>
    <title>The Hacker's Profiling Project (HPP)</title>
    <subtitle>A new approach to Cybercrime</subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>This talk will detail the results learned from the first year of activity of the HPP research study, developed by Raoul Chiesa, a security researcher, and Dr. Stefania Ducci, a criminology researcher at UNICRI (United Nations Interregional Crime and Justice Research Institute, ONU). The research project includes the dissemination of questionnaires, the installation of targeted Honeynet systems and the cross-linked analysis of computer intrusions and IT attacks. You will discover how many myths about hackers and the so-called "security underground world" have often been misunderstood, giving this world a kind of "black vision" and taking attention away from the really important psychological and technical issues of a reality in continuous development.</abstract>
    <description></description>
    <persons>
     <person id="5">Raoul Chiesa</person>
    </persons>
    <links>
    </links>
   </event>
   <event id="11">
    <start>16:00</start>
    <duration>01:00</duration>
    <room>Talk</room>
    <tag>firmware</tag>
    <title>Firmware reverse-engineering tactics</title>
    <subtitle></subtitle>
    <track>Talks</track>
    <type>Lecture</type>
    <language>English</language>
    <abstract>This lecture aims at providing ideas and practical techniques about the reverse-engineering process of equipment firmware images. It touches upon data encoding, compression, bootstraps, deciphering, disassembly, and emulation.</abstract>
    <description></description>
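     <description><![CDATA[The first pass a firmware image usually gets before any disassembly, as an added example (this is not the speaker's tooling): a block-wise entropy scan that separates padding, plain code/data and compressed or encrypted regions, plus a search for a few well-known container headers (gzip, squashfs, U-Boot uImage). The 12 KiB image at the bottom is constructed so the expected result is known; the entropy thresholds are rules of thumb to be tuned per image, not fixed constants.

```python
import gzip
import math
import random
from collections import Counter

# Added example (not from the talk): entropy map and magic search over a
# constructed firmware image. Thresholds and the sample are assumptions.

MAGICS = {
    b"\x1f\x8b\x08": "gzip",        # RFC 1952 header, deflate method
    b"hsqs": "squashfs",            # little-endian squashfs superblock
    b"\x27\x05\x19\x56": "uimage",  # U-Boot legacy image header
}


def shannon_entropy(block):
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not block:
        return 0.0
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(entropy):
    """Rules of thumb, not laws: tune per image."""
    if entropy < 1.0:
        return "padding"
    if entropy > 7.5:
        return "high-entropy"       # compressed or encrypted
    return "data"                   # code, tables, text


def segments(image, block_size=4096):
    """Merge consecutive blocks of the same class into (start, end, class)."""
    result = []
    for start in range(0, len(image), block_size):
        end = min(start + block_size, len(image))
        kind = classify(shannon_entropy(image[start:end]))
        if result and result[-1][2] == kind:
            result[-1] = (result[-1][0], end, kind)
        else:
            result.append((start, end, kind))
    return result


def find_magic(image):
    """All offsets at which a known container header starts."""
    hits = []
    for magic, name in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def _pseudo_random_bytes(n, seed):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed image: 4 KiB zero padding, 4 KiB of a text table, and a
# gzip member of incompressible bytes padded to 4 KiB (stays near 8 bits/byte).
_text = (b"model=router-x\nversion=1.0\nserial=0000\n" * 200)[:4096]
_gz = gzip.compress(_pseudo_random_bytes(4000, 1), mtime=0)
SAMPLE_IMAGE = (bytes(4096) + _text
                + (_gz + _pseudo_random_bytes(4096, 2))[:4096])

if __name__ == "__main__":
    for start, end, kind in segments(SAMPLE_IMAGE):
        print(f"{start:#08x}-{end:#08x} {kind}")
    for pos, name in find_magic(SAMPLE_IMAGE):
        print(f"{pos:#08x} {name}")
```

A high-entropy region that starts with a known header is the easy case (carve it at that offset and decompress); a high-entropy region with no header is the one that calls for the deciphering and bootstrap analysis the lecture lists, since it is either encrypted or compressed with a format the scanner does not know.]]></description>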
    <persons>
     <person id="7">khorben</person>
    </persons>
    <links>
    </links>
   </event>
  </room>
 </day>
</schedule>
