Archive for August, 2010

DefCon – Crack me if you can… – or how to prove password policies are harmful

August 26th, 2010

Passwords are like Pants... a Creative Commons Attribution, Noncommercial, No Derivative Works image from Richard Parmiter's Flickr photostream

One of the DefCon contests that most sparked my imagination was the “Crack me if you can” password cracking contest, organized by KoreLogic. The goal of the contest is to crack as many of the password hashes provided as possible. The rules of the contest allow the use of off-site and on-site computer equipment of any kind, but in order to be eligible for any prize money at least one team member had to be physically present at the DefCon conference.

The competition is interesting in more than one way. First of all, the contest is educational by design. Even though the amount of computing power a team can muster matters for getting good results, it is not the determining factor in winning or losing the contest. The key to winning, or doing well, was understanding human behavior. KoreLogic generated a set of passwords they feel is representative of what they actually encounter in the field. Most corporate environments rely on a common set of rules that force users to pick “strong” passwords and to change them regularly. While the goal of those rules is commendable, KoreLogic’s field experience has taught them that the human behavior these rules trigger makes passwords very predictable. “If you force employees to change their passwords four times a year, they will select something that naturally changes four times in most cities (except Las Vegas)”; typical passwords we find are things like Winter2010. Once you understand this pattern, you can reliably predict what the password will be in, say, nine months or a year. Teams that spotted this pattern and used it to make smarter password guesses did better in the competition.
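As an added example (not code from the post or from KoreLogic), here is a password-policy filter that rejects the calendar pattern the contest exposed: a season or month name, possibly leet-spelled, followed by a nearby year. The +/-2 year window and the substitution table are assumptions of this example.

```python
import re
from datetime import date
from typing import Optional

# Words that change with the calendar: the pattern the contest showed
# quarterly password expiry pushes users toward (Winter2010, Summer2011, ...).
CALENDAR_WORDS = {
    "winter", "spring", "summer", "fall", "autumn",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Substitutions users apply to satisfy "must contain a digit or symbol" rules
# without making the password any less predictable (Summ3r -> summer).
# Assumed table for this example.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# <word, possibly leet-spelled><optional separator><2- or 4-digit number><symbols>
PATTERN = re.compile(
    r"^(?P<word>[a-z0-9@$]+?)[^a-z0-9]*(?P<num>\d{4}|\d{2})[^a-z0-9]*$"
)

# Date of this post, used as the reference "today" in the demo below.
CONTEST_DATE = date(2010, 8, 26)


def calendar_pattern(password: str, today: Optional[date] = None) -> Optional[str]:
    """Return a reason string if the password is a calendar word plus a year
    within +/-2 years of `today` (assumed window), otherwise None."""
    today = today or date.today()
    m = PATTERN.match(password.lower())
    if not m:
        return None
    word = m.group("word").translate(LEET)   # undo leet spelling on the word only
    if word not in CALENDAR_WORDS:
        return None
    num = m.group("num")
    year = int(num) if len(num) == 4 else 2000 + int(num)   # "10" -> 2010
    if abs(year - today.year) > 2:
        return None
    return f"calendar word '{word}' followed by year {year}"


def check_policy(password: str, today: Optional[date] = None) -> bool:
    """Accept the password only if it does not follow the calendar pattern."""
    return calendar_pattern(password, today) is None


if __name__ == "__main__":
    for pw in ("Winter2010", "Summ3r2011!", "Fall10", "correct horse battery staple"):
        print(pw, "->", calendar_pattern(pw, CONTEST_DATE) or "ok")
```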

DefCon: Blitzableiter – The release

August 26th, 2010

GLOBAL BATTLE - KIDS TO SAVE THE WORLD SERIES (Explore #4), a CC, non-commercial, no derived works image from JOHN CORVERA's Flickr photostream

This talk is a follow-up to Felix’s talk at Black Hat Europe, which I blogged about earlier (http://www.cupfighter.net/index.php/2010/04/blackhateu-fx/), and marks the release of the tool BlitzAbleiter.

One of the new points highlighted is that his work is of interest not just to normal users running Flash content, but also to corporations that serve pre-compiled Flash advertisements and do not want them infected with malware or other unwanted behaviour.
For the release of BlitzAbleiter, Felix has chosen to integrate with NoScript. If you have the latest version of NoScript, you already have BlitzAbleiter.
Next, Felix demoed BlitzAbleiter by using it to stop some in-the-wild Flash exploits.

I managed to speak to Felix in a more informal setting later, and he pointed out that there are two major differences between BlitzAbleiter as presented in Barcelona and the current version. BlitzAbleiter now supports both the version 1 and version 2 Flash virtual machines. Beyond that, the code quality of the tool is now at a level where it is a usable tool that can be released to the public.

The name BlitzAbleiter is the German word for lightning rod, because it has the potential to turn harmful Flash into harmless thunder.

DefCon: Physical security, you are doing it wrong

August 1st, 2010

By A.P. Delchi

Delchi’s talk revolves around an imaginary assignment to design the physical security system of a high-security facility with CCTV, and the methodology for handling this assignment.

If you want to design such a system you need to follow the steps of:

  • Assessment – What do we secure? What is the status? What are the risks?
  • Assignment – Which area gets which security? Prioritize. What external requirements do you have?
  • Arrangement – Find the most effective locations for your security devices. Consider security and ergonomics.
  • Approval – Get quotes from multiple vendors. Consider lifetimes and service plans, and take expansions into account, e.g. will you require biometrics in the future?
  • Action – Let’s implement it. Build, train and test.

Next, Delchi encourages us to keep failure in mind. Physical security systems will go wrong, and building them will go wrong as well.

Delchi’s final section outlines the various problems security professionals will encounter when dealing with the parties involved in the process: management, vendors, people who know better, users and construction workers. With funny and concrete examples he shows what to expect and how to handle these groups.

DefCon: We don’t need no stinking badges – Vulnerabilities in physical access systems

August 1st, 2010

By Shawn Merdinger

Building access control systems are becoming more and more IP-enabled, but the IP-enabled portions of these systems are often poorly controlled and get little attention from either the IT or the facilities side.

But the vendors are not always helping: the S2 security box, for example, runs both a web server version and a MySQL version with many known security vulnerabilities. The number of security problems Shawn pointed out in various products was truly shocking.

Shawn continued by showing us the results of exploiting a demo box he tested, which simply allowed him to open doors and get to camera feeds.

There is a worrying perception in the physical security industry that hackers will not go after these systems but after financial data and trade secrets. This is not correct: it is very attractive for attackers to go after the physical security infrastructure itself. There is also a perception that these devices sit deep in the network and are not connected to the internet, but a simple Google search showed that 350+ such devices are connected to the internet today.

Vendors have to start offering better security, and this will only happen if customers start demanding it.

DefCon: Practical Cellphone Spying – Cell phone calls intercepted live on stage

August 1st, 2010

By Chris Paget

The room was packed, and warning posters were all over the place warning people that cell phone traffic might be intercepted in the area around the talk. Expectations were high at the start of the talk, and we were about to find out whether they would be met.

In this presentation Chris intercepts cell phone calls, specifically GSM calls. For this purpose he uses what he calls an IMSI catcher. Critical for intercepting calls is the IMSI, the International Mobile Subscriber Identity; think of this as the GSM username. Chris built his IMSI catcher for $1,500 out of open software and open hardware, a fraction of the millions charged for commercial IMSI catchers.

Because handsets always choose the strongest signal, an attacker with a nearby base station will always win the battle for the handset. Since GSM assumes that the network is trusted, the base station dictates the settings, so if the base station wants to disable encryption, the phone will do that. The IMSI catcher therefore does not have to break GSM encryption; it just acts as a base station and tells the phone to disable encryption. In theory the phone could warn about this behaviour, but most SIMs have that warning disabled because it would confuse users.

Because of differences in regulations between the USA and Europe, there is a frequency in both spectrums that falls in the HAM radio band and is thus governed by HAM radio regulations, which give enough leeway to run GSM across it without needing a telco license. A HAM radio license allows transmitting power of up to 1500W; the 0.25W Chris used during his demo is a very small fraction of that.
