#days Security Conference

Organized by members of the local Defcon chapter in Switzerland (DC4131), the hashdays Security Conference is going to be the first incarnation of an independent and technical security conference in Switzerland: two days full of technical talks covering the most current research on all aspects of IT security. The conference will take place from November 4th to 5th in Lucerne, in the heart of Switzerland, at the Radisson BLU Hotel directly on the shore of Lake Lucerne.

Renowned speakers already confirmed are: Alexander Kornbrust, Karsten Nohl, Tavis Ormandy, Philippe Oechslin, Ertunga Arsal, Harald Welte and many more.

Furthermore, there will be two 2-day workshops from November 3rd to 4th at the same location. The two offered workshops are:
* Saumil Shah: Exploit Laboratory. Learn how to write exploits from scratch
* Harald Welte, Karsten Nohl, David Burgess: Protecting from GSM attacks. Learn about their latest research on cracking GSM networks and how to protect against it

More information can be found on our web page: https://www.hashdays.ch/

We’d be delighted to welcome you here in Switzerland!


Information Security Solutions Europe Conference (ISSE 2010)

ISSE is Europe’s only independent, interdisciplinary security conference. It is designed to educate and inform on the latest developments in technology, solutions, market trends and best practice.

Now in its twelfth year, ISSE 2010 will attract over 300 representatives from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts, focusing on security and related issues like cost of ownership, risk management and interoperability.

To join them or for further information please visit the event website at http://www.isse.eu.com

Book now to take advantage of the Early Booking rate that saves €150 off the standard delegate fee.


Malware2010 - The academic approach to Malware

The 5th IEEE International Conference on Malicious and Unwanted Software (Malware 2010) will be held at the Grand Hotel De La Reine, Nancy, France, Oct. 20-21, 2010.

The conference is designed to bring together experts from industry, academia, and government to present and discuss, in an open environment, the latest advances and discoveries in the field of malicious and unwanted software. Techniques, economics and legal issues surrounding the topic of Malware, and the methods to detect and control them will be discussed.

This year’s conference will pay particular attention to the pressing topic of “Malware and Cloud Computing”, which will also be extensively discussed in a panel session. As low-cost netbooks become popular, Google’s Chrome OS enters the mainstream, and social networks (Facebook, YouTube, Twitter, LinkedIn, and so forth) become ubiquitous, the security dangers associated with the new computing paradigm increase exponentially. In effect, “Cloud Computing”, Multi-tenant, Single Schema, Single Server Platforms (C2S3P) increase vulnerabilities by providing a single point of failure and attack for organized criminal networks. Critical/sensitive/private information is at risk, and very much like previous technology adoption trends, such as wireless networks, the dash for success is trumping the need for security.

Thus, the organizers of Malware 2010 solicit original written contributions addressing these issues and research questions. Manuscripts focusing on the security properties of Cloud Computing, the risks associated with the deployment of such networks, and the analysis of real incidents where a breach has occurred will be particularly welcomed.

The Call for Papers is still open; submissions can be handed in at: http://malware2010.org/


CONFidence 2010

I had the honor to attend CONFidence 2010, hear some great talks on security and meet people in the industry who are outside your regular circle.

This included speakers you would not normally meet, such as from Israel, Russia, Germany and other countries.

I really enjoyed the lecture by Dan Kaminsky on how to change Internet security “one step at a time” by providing, maybe for the first time, a secure solution for session cookies as well as solving the SQL injection issues with as little burden as possible on the developers.

Though those two ideas still require proof, i.e. they are just theory now, if they do become actual code, I am sure people will take a deeper look into them, as the name Dan Kaminsky will surely draw attention to them.

The lecture on “Don’t touch my WinNY” proved both funny and technically interesting with the display of a 0day in the WinNY (file sharing) product.

Mario’s lecture on “The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI” proved once again how much more work and research can be done in this field, with browsers constantly changing the rules of the game and creating new ways for attackers to inject malicious content.

Yaniv’s “Microsoft Patch Analysis” showed how straightforward a process converting a Microsoft patch into an exploit can be: the process may not be easy, but once you nail the method it shouldn’t be hard to repeat for every patch that comes out.

The second day lecture “Hacking games for fun and profits” proved how wrong I am in playing games to earn prizes. The two presenters showed that they could easily win any online contest without actually putting any effort into playing the game; that calls it quits for me on getting my highest score on Game X (change X to whatever game you like).

Alexey’s “De-blackboxing of digital camera” showed me how much can be done with very little: having access just to the LED of the camera allowed them to dump the camera’s memory via a blinking-LED data transfer method. Even though it was slow, it proved useful in bypassing the protection mechanisms implemented in the camera.

Chris’s “Web browser PKI/SSL security policy weaknesses and a potential solution” talked about how the wording shown to people in relation to SSL should really change, and I have to agree: telling someone that the certificate name doesn’t match doesn’t tell mom and pop what they should do about it. Is that a good or bad thing? Should they continue or not?

To summarize, there is a lot to learn and much to listen to; I hope to catch you all again at the next conference with new information and new techniques.

Keep up the good work,
Noam.


KHOBE - the money link

Hi,

In light of the KHOBE story, it seems a “darker” truth has been uncovered. Apparently the researchers have published their advisory in order to sell their research material to anyone who wants to know more than their limited technical details.

Why is this important? Well, it shows that when publishing their research, their intent was to:
1) Scare, then
2) Sell their software

While there might be legitimate reasons to check out their research, these new facts do bring the “KHOBE” paper into question, especially whether it is more noise than signal.

More details on the story can be seen here: KHOBE - no problem.

BTW, a bit of exaggeration by our colleague Aviram got him this week’s medal for PR scandal assistant.


str0ke

I just read the sad news that str0ke, also known as the maintainer and founder of milw0rm, has passed away. The problem with this news item is that it is very difficult to judge whether or not it is true, as the source is not “the official news media” you would normally trust.

This of course will not hit CNN, FOX, or any other news agency, and will usually be posted on an underground mailing list or blog which might or might not have a hidden agenda in respect to giving out such news items.

This is of course not the first time someone was claimed to have died with only rumours circulating; then finally, after some time, it was determined to be true, as their site was no longer being updated and emails sent to them never got a reply.

If the story about str0ke is in fact true, I am saddened to hear it, and I send my condolences to his family, wife and 4 kids.


Why is Vulnerability disclosure so difficult?

We purchased security vulnerabilities as part of our SSD program from a researcher who has conducted an extensive audit of a popular bulletin board system, IPB. For those not familiar with it, it is a good product, quite common, and well supported by a commercial company called Invision Power. The audit revealed a few high risk issues in the program allowing remote attackers to gain access to entries found in the database with minimal requirements on the attacker’s side.

After verifying the issue we contacted the company in several ways, emailing several addresses, but failed to “reach” anyone. We received several automated responses, and even our inquiry to their sales emails returned nothing. Are we missing something?

From their site it is apparent that support is provided only to paying customers, fair enough, but I am not a customer, I am trying to help them. I am willing to give them the security research we paid for, for FREE, yes free: they aren’t asked to pay anything for the vulnerabilities discovered, they are only asked to fix them, which will benefit them for sure.

If anyone has an idea how we could reach Invision Power’s guys/developers, please feel free to contact me at noamr[at]beyondsecurity.com.


When source code audit fails

A NULL pointer dereference vulnerability in the tun driver of the Linux kernel has turned out to be “immune” when the source code is audited, and vulnerable once GCC has applied its code optimizations.

The vulnerability allows executing arbitrary code and gaining root access.

An exploit has been released proving that the vulnerability is not just “theoretically” there, but can be actually exploited.

Need we say Black Box Fuzzing? An API fuzzer such as beSTORM would have easily caught this, as beSTORM can be told to open the /dev/net/tun driver and write data directly to it; one of the first tests it will perform is the “old” empty (NULL) data transfer.

BTW: If you want to test the vulnerability on your kernel, here is a code snippet:

#include <fcntl.h>
#include <poll.h>
#include <unistd.h>

int main(void) {
    struct pollfd pfd;
    pfd.fd = open("/dev/net/tun", O_RDWR);  /* open the tun control device */
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);  /* on an unpatched kernel this hits the NULL dereference */
    close(pfd.fd);
    return 0;
}
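As an added illustration, not code from the post and not the kernel’s actual source, this is the shape of the bug the post describes: a NULL check that is present in the source but sits after a dereference of the same pointer, so a reviewer sees the check while GCC is entitled to delete it. The struct definitions and function names below are constructed stand-ins; the hardened version simply moves the check ahead of the dereference.

```c
#include <poll.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel structures; not the kernel's real definitions. */
struct sock { int readable; int writable; };
struct tun_struct { struct sock *sk; };

/* The pattern behind this class of bug: the NULL check is present, so a source
 * audit reads it as safe, but tun->sk is read before the check runs. Since
 * dereferencing NULL is undefined behaviour, GCC may assume tun is non-NULL at
 * the check and delete it (-fdelete-null-pointer-checks), leaving only the
 * crashing dereference. Never call this one with NULL. */
unsigned int tun_poll_before_fix(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;   /* dereference happens first */
    unsigned int mask = 0;

    if (!tun)                    /* the optimiser may remove this */
        return POLLERR;
    if (sk->readable)
        mask |= POLLIN;
    if (sk->writable)
        mask |= POLLOUT;
    return mask;
}

/* Hardened ordering: test the pointer before touching anything behind it.
 * There is no earlier dereference, so the compiler cannot prove the check dead. */
unsigned int tun_poll_after_fix(struct tun_struct *tun)
{
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;
    sk = tun->sk;
    if (sk->readable)
        mask |= POLLIN;
    if (sk->writable)
        mask |= POLLOUT;
    return mask;
}
```

The kernel’s response to this class of bug was to build with -fno-delete-null-pointer-checks, which is worth knowing as a belt-and-braces mitigation; the durable fix is the ordering in the second function, and it is what a source audit should be checking for: not just that a check exists, but that nothing behind the pointer is touched before it.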

Passports used to track people? why go so far..

In recent news, a posting on Slashdot talked about Cruising Fisherman’s Wharf For New Passports’ Serial Numbers as a means of gaining access to sensitive information as well as being able to secretly conduct surveillance on people without their consent.

Is it just me, or has everyone forgotten the little devices, sometimes more than one, they carry around with them all the time, called cellphones?

Those tiny devices are perfect for surveillance: they emit a signal; when the signal is too weak to reach a cell site they try harder; they, if enabled, broadcast their GPS location via Google Latitude; and they allow anyone with the right equipment, not as expensive as you would think, to track you down.

I think that the RFID and passport “noise” being generated is just a smoke screen to distract people from the already existing, and already used, ability of governments, and bad people of course, to track you down using the signals emitted by your cellphone.

RFID, unlike cellphones, can be easily blocked by simple means, for example putting your passport into an aluminium/metal sleeve, while I don’t see anyone doing the same to their cellphones :)


Carder spam or not?

I received this email today:

Good morning!

I inform you about site http://carder.su where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.

Best regrads, Jon Shirov.

At first I was shocked: why would someone allow such a site to still be up even though someone reported it to the FBI? I had to do something.

Rushing to the rescue I looked at the site, and it appears to be a pretty straightforward scam-sell site: you come there and buy stolen goods.

Why have I been notified only now, I wondered… I looked back in my spam log and, what do you know, the same email appears more than once in my spam folder with different names, dates and of course email addresses :)

I am not sure what the scam/spam’s purpose is; apparently they want you to go to their site and see what they have to offer, as you might be a potential customer to their operation.

I of course didn’t dig into the site, nor am I interested in buying anything found there. On the other hand I will also not report this to the FBI, as the site is not hosted inside the United States (it is hosted in Russia), nor is its domain under a US registrar (it ends with .su).

Whoever knows of a place to report such sites to please let me (us) know.


Emails you will never get

A short list of legitimate emails you will never get, if you have something else feel free to add:

* Lottery winnings - Microsoft is the big winner here, they keep sending me winning notifications, but I just don’t collect :)
* Your doctor’s prescription (probably some obscure medicine might go through, while most won’t) - to buy “cheap” fake medicine
* Your Antivirus renewal notice - trying to get you to install some form of malware
* Your bank’s security notice and statement - of course it’s phishing scams
* PayPal payments being made to your name or from your name - phishing scams mainly
* Job offers - I get these money “mule” offers and paid-per-call spam
Anything I missed?


All your (base) stations belong to us

What started off nicely in 1992 and promised the much needed privacy for cordless communication at home has been brought to a halt a few days ago with a practical approach to eavesdropping on DECT communication.

DECT, or Digital Enhanced Cordless Telecommunications, is a widely used standard for cordless devices, mainly phones but not limited to them; several POS, or Point of Sale, devices also use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken; rather, using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT based data, the researchers have been able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it until now was the lack of hardware, or rather the lack of cheap hardware, to experiment with. Now, with the availability (it has been around for a while) of the COM-ON-AIR device and its character device (or raw software driver), things have been made a lot easier.

You can read more on this at deDECTed.org


Encoded message as an effective spam?

Following up on my previous post on spam, it seems that spam has now gone another step and become not just unreadable - foreign language - but also unreadable to the un-computerized eye:

Subject: Please confirm your message

Body:

IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL1czQy8vRFREIEhUTUwgNC4wIFRyYW5zaX
Rpb25hbC8vRU4iPg0KPEhUTUw+PEhFQUQ+DQo8TUVUQSBodHRwLWVxdWl2PUNvbnRlb
nQtVHlwZSBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9aXNvLTg4NTktMiI+DQo8L0hF
QUQ+DQo8Qk9EWT48YSBocmVmPSJodHRwOi8vY291cnNlbWlnaHQuY29tLyIgdGFyZ2V0P
SjfYmxhbmsiPg0KPGltZyBzcmM9Imh0dHA6Ly9jb3Vyc2VtaWdodC5jb20vOGR2czkuanBnIiBib
3JkZXI9MCBhbHQ9IkhhdmluZyB0cm91YmxlIHZpZXdpbmcgdGhpcyBlbWFpbD8NCkNsaWNr
IGhlcmUgdG8gdmlldyBhcyBhIHdlYnBhZ2UuIj48L2E+PC9CT0RZPjwvSFRNTD57L0JBU0
U2NF9FTkNPREVEfQ0KDQoAAAAAAAAAAAAAAAA=

Wow that is nice, I would sure want to buy an IURPQ1…

This is plain silly: it is a Base64 encoded message, but why would my reader open it?

There is an indication in the email headers that this is Base64 encoded, but I can’t understand what kind of reader will even try to open it, as it seems that Base64-encoded content directly inside a body is not common practice unless it is part of a multipart message.

For those wondering, the email’s intention is to show you an HTML page that sells you fake? real? pills.
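An added example, not part of the original post, of the filter check the post implies: a plain (non-multipart) body that is entirely valid Base64 and decodes to an HTML document is worth flagging on its own. The decoder, the function names and the line-wrapped sample body are all constructed here; the sample decodes to an empty HTML skeleton rather than the real spam above.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Map one Base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode standard Base64, skipping whitespace (mail bodies are line-wrapped).
 * Returns the number of bytes written, or -1 on an invalid character or
 * when the output buffer is too small. */
int base64_decode(const char *in, unsigned char *out, size_t outcap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in; in++) {
        int v;
        if (isspace((unsigned char)*in)) continue;   /* line wrapping */
        if (*in == '=') break;                        /* padding ends the data */
        v = b64_value((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;                  /* keep only the leftover bits */
        }
    }
    return (int)n;
}

/* Heuristic from the post: a body that is itself valid Base64 and decodes to
 * an HTML document is almost certainly trying to smuggle HTML past a filter
 * that only looks at the raw text. Returns 1 on a match, 0 otherwise. */
int is_raw_base64_html(const char *body)
{
    unsigned char buf[4096];
    int n = base64_decode(body, buf, sizeof buf - 1);
    size_t i;

    if (n <= 0) return 0;                 /* not Base64 at all, or empty */
    buf[n] = '\0';
    for (i = 0; i < (size_t)n; i++)
        buf[i] = (unsigned char)tolower(buf[i]);
    return strstr((char *)buf, "<html") != NULL
        || strstr((char *)buf, "<!doctype html") != NULL;
}

/* Constructed sample body, line-wrapped like the spam above; it decodes to
 * "<html><body></body></html>" and nothing else. */
const char *const SAMPLE_BODY =
    "PGh0bWw+PGJvZHk+\n"
    "PC9ib2R5PjwvaHRtbD4=\n";
```

Ordinary English text fails the check twice over: punctuation is outside the Base64 alphabet, and even an all-letter sentence decodes to bytes that contain no HTML tag, so the rule only fires on bodies that genuinely carry an encoded document.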


Snoop on Google Talk (Wiretap)

Yes, snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting is that, unlike other chat clients like Skype, MSN and others, GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, which probably stems from the fact that Google supports web based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing - basically never needing to logon/logoff on my PC/BlackBerry they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D


SCTP fuzzing made easy

With the recent introduction of a native SCTP library into beSTORM you can easily fuzz your SCTP based protocols with beSTORM.

This includes all our existing protocols as well as SCTP dedicated protocols such as M3UA and MGCP.

SCTP, for those that aren’t familiar with it, is a fairly common protocol in the VoIP and telecommunication industry; it sits upon IP and ‘replaces’ the TCP/UDP layers. It has several benefits over TCP and UDP, but it is mainly used because it has been endorsed by the SIGTRAN group as the primary way of communication between two telecommunication providers.


Why blindly blocking everything is bad for you

Many administrators blindly block anything that isn’t running on either port 80 (http), 443 (https) or 22 (ssh). Their claim is that nothing good can work on any other port. This causes their users to get frustrated when they want to use anything else that runs on any other port.
I am not talking about P2P or any other ‘evil’ programs, which are pretty good at bypassing your restrictions on their own, Skype being one such example; I am talking about, for example, one of your engineers who wants to get tech support but has his corporate VPN access blocked, as most VPNs require at least one port other than 80, 443 or 22 to be open.

In such cases (as with VPN), the tech support guy will find a way around your restriction, perhaps using port 443 to tunnel the traffic through, even though it’s not really SSL going inside there :) . The smart administrator will use a proxy or a content filtering agent to prevent such things, so a smart tech support guy will tunnel everything via SSH, or even use HTTPS to tunnel the data (there are several solutions that do that).

My point is that blindly blocking will give you the benefit of stopping the common user, but will frustrate a tech support guy to the point that he will find a way to bypass it. I suggest that you ‘give’ the tech support guy a hand, understand what he needs, and give him that. It’s better than him bypassing your restriction.

I am sure the readers have additional examples that can strengthen this point.

