<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>SecDocs Feed for category Audios</title>
    <link>http://secdocs.lonerunners.net</link>
    <atom:link type="application/rss+xml" href="http://secdocs.lonerunners.net/rss/category/4-audio" rel="self"/>
    <description>Latest security documents RSS feed for category Audios</description>
    <language>en-us</language>
    <item>
      <title>[Audio] Having fun with RTP</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/32-voip"&gt;VoIP&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: A lot of people are interested and involved in voice over IP security. Most of the effort is concentrated on the security of the signalling protocols. This talk is focusing on the security of the voice part involved in today's voice over IP world. It is the result of the questions that I had to ask myself while I was debugging audio quality problems of customers and implementing an RTP stack from scratch.  The talk gives an introduction on the shortcomings of the Realtime Transport Protocol (RTP), how systems attempt to work around them and how they introduce security vulnerabilities. A few short demonstrations will give an idea on how they can be exploited in the real world (denial of service, man in the middle attacks, call redirection). The last part of the talk will discuss some solutions to fix those vulnerabilities.</description>
      <pubDate>Tue, 15 May 2012 06:51:44 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5347-having-fun-with-rtp</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5347-having-fun-with-rtp</guid>
    </item>
    <item>
      <title>[Audio] Data Analysis in Terabit Ethernet Traffic</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1673-lars-weiler"&gt;Lars Weiler&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/154-sniffer"&gt;sniffer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the &#8220;bits of interest&#8221;. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples.  Nearly every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carriers' and companies' backbones, traffic monitoring and analysis has become more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of real-time traffic monitoring for more than 8Gbit/s.  That's where a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them &#8220;Active Distributed Traffic Capture Systems&#8221; or &#8220;Intelligent Data Access Networking Switches&#8221; &#8211; in short &#8220;Data Access Systems&#8221;. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. 
So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic.  For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in real time, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing.  The interesting part for the usage is to create an infrastructure where, even without data retention and long-term analysis, specific users or just their communication with possibly &#8220;interesting&#8221; data for intelligence agencies can be triggered and captured in real time. So the process of analysis can be shortened to almost no time. It's safe to say that the flagship appliance of one vendor has been designed at the request of US intelligence agencies.  Of course, those devices have to be managed by administrators. For ease of use every vendor moved from a CLI based configuration interface to a shiny web GUI &#8211; with a couple of flaws. It is easy to break into the system or read out the configuration without access.  This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are no longer the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what has already been set up and what is possible for companies and organizations &#8211; and which traffic they might already be monitoring.  
During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established strong contacts with the technicians and chief officers on both the vendors' and the customers' side, and found out a lot about the hardware and software by reverse engineering.</description>
      <pubDate>Mon, 14 May 2012 23:46:17 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5352-data-analysis-in-terabit-ethernet-traffic</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5352-data-analysis-in-terabit-ethernet-traffic</guid>
    </item>
    <item>
      <title>[Audio] News Key Recovery Attacks on RC4/WEP</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1672-martin-vuagnoux"&gt;Martin Vuagnoux&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/199-wifi"&gt;WiFi&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4.  With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9,800 encrypted packets (less than 20 seconds), instead of 24,200 for the best previous attack.</description>
      <pubDate>Mon, 14 May 2012 23:35:45 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5350-news-key-recovery-attacks-on-rc4wep</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5350-news-key-recovery-attacks-on-rc4wep</guid>
    </item>
    <item>
      <title>[Audio] How the Internet sees you</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1671-jeroen-massar"&gt;Jeroen Massar&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/24-network"&gt;network&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/282-netflow"&gt;Netflow&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: On the Internet one tends to think that one is pretty much safe from prying eyes. Taps in most countries can only be established after a judge has issued a warrant, thus until such a tap is successfully deployed one might think one is pretty much in the clear.  Most ISPs though actually employ a toolset comprising one of the various NetFlow, IPFIX or sFlow protocols to do trend monitoring, billing and of course, the ability to try and establish which connections a certain IP address is making.  During the CCC conference we will monitor the CCC network with NetFlow, collecting and directly anonymizing this information on a per-IP basis. We will map a couple of well-known websites/trackers to a private IP range and preserve these mappings, while anonymizing the rest of the IP addresses, thus your anonymity is safe and please be yourself while using the network. Flow data will not be stored, thus we won't be able to go back and re-analyze the information.  As a collector/analyzer we will be using the Anaphera tool by IBM Zurich Research Laboratory [1]. This tool is used in IBM datacenters and by customers of IBM worldwide for detecting malicious/unknown network traffic, traffic trending, anomaly detection, growth prognosis and billing.  
We'll be explaining the intricate parts about NetFlow, IPFIX and sFlow, what the technologies are and how they work, touching briefly on the big difference from taps and what they could see when they are deployed, and also what we don't see now and what gets lost in the noise.  We will be showing you what information and details can be taken from a flow based tool, so that you know what can be seen by ISPs around the world.</description>
      <pubDate>Mon, 14 May 2012 06:42:35 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5340-how-the-internet-sees-you</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5340-how-the-internet-sees-you</guid>
    </item>
    <item>
      <title>[Audio] Closing Event</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/197-frank-rieger"&gt;Frank Rieger&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/6-hacking"&gt;hacking&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;</description>
      <pubDate>Sun, 13 May 2012 21:09:07 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5344-closing-event</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5344-closing-event</guid>
    </item>
    <item>
      <title>[Audio] OpenLeaks</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1661-daniel-domscheit-berg"&gt;Daniel Domscheit-Berg&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/102-information-operation"&gt;information operation&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/193-privacy"&gt;privacy&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Due to popular demand, the talk will give an introduction to the OpenLeaks system and the idea behind it.</description>
      <pubDate>Sun, 13 May 2012 21:02:49 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5342-openleaks</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5342-openleaks</guid>
    </item>
    <item>
      <title>[Audio] International Cyber Jurisdiction</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/752-tiffany-rad"&gt;Tiffany Rad&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/176-law"&gt;law&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Concepts of sovereignty, freedom, privacy and intellectual property become amorphous when discussing territories that only exist as far as the Internet connects. International cyber jurisdiction is supported by a complicated web of international law and treaties. Jurisdiction hopping, a technique that is becoming popular for controversial content, is one we have used for the U.S. 1st Amendment censorship-resistant and non-profit hosting company, Project DOD, by using PRQ's services in Sweden. This technique is used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but may have legal complications in the country in which it is accessed. As ownership and protection of property becomes a concept that is difficult to maintain across boundaries that are not easily distinguishable, can the U.S. "kill-switch" parts of the Internet and under what authority can it be done? Similarly, the geographic challenges to international cyber criminal law &#8211; and the feasibility of new sovereign nations &#8211; will be analyzed.  When a cybercrime is committed in a country in which the electronic communication did not originate, there is difficulty prosecuting the crime without being able to physically apprehend a subject that is virtually within &#8211; and physically without &#8211; a country's borders. 
Similarly, a technique called jurisdiction hopping can be used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but is not in the country in which it is accessed. Lastly, if the U.S. attempts to isolate damage by cutting off Internet connections, under what authority can it be done?  This presentation will discuss the types of international laws and treaties that may be cited in the event of extradition of cyber criminals, legal and geographic challenges &#8211; such as new sovereign nations &#8211; to jurisdiction hopping and the authority with which the U.S. may "kill switch" the Internet. I will also discuss the practical example of where, as a result of our Project DOD case in U.S. Federal court, we have put non-copyright infringing materials on PRQ's servers in Sweden to reduce the incidences of Digital Millennium Copyright Act&#8217;s "Take Down" infringement notices that are illegitimate.</description>
      <pubDate>Fri, 11 May 2012 06:28:44 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5335-international-cyber-jurisdiction</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5335-international-cyber-jurisdiction</guid>
    </item>
    <item>
      <title>[Audio] Hackers and Computer Science</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/279-sergey-bratus"&gt;Sergey Bratus&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/6-hacking"&gt;hacking&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Although most academics and industry practitioners regard "hacking" as mostly ad-hoc, a loose collection of useful tricks essentially random in nature, I will argue that hacking has in fact become a "distinct research and engineering discipline" with deep underlying engineering ideas and insights. Although not yet formally defined as such, it is these ideas and insights that drive the great contributions that hacking has been making to our understanding of computing, including the challenges of handling complexity, composition, and security in complex systems. I will argue that hacking uncovers and helps to understand (and teach) fundamental issues that go to the heart of Computer Science as we know it, and will try to formulate several such fundamental principles which I have learned from hacker research.  At some point I realized that I was learning more about what really matters in computer science from hacker conventions, Phrack, Uninformed, and other hacker sources than from any academic source. Moreover, it wasn't just about exploits and vulnerabilities, it was about how systems were really designed, as opposed to how developers thought and students were taught they were. Then I realized that the reasons for the vulnerabilities that kept on giving were quite deeply theoretical and involved, e.g., the theory of computation and information theory. Very little of this was quoted or understood in the academic publications.</description>
      <pubDate>Fri, 11 May 2012 06:28:44 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5337-hackers-and-computer-science</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5337-hackers-and-computer-science</guid>
    </item>
    <item>
      <title>[Audio] OMG WTF PDF</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/320-julia-wolf"&gt;Julia Wolf&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/254-pdf"&gt;PDF&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Ambiguities in the PDF specification mean that no two PDF parsers will see a file in the same way. This leads to many opportunities for exploit obfuscation.  PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. The PDF format itself is so diverse and vague that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader.  You can also do cool tricks like make a single PDF file that displays completely differently in several different readers.</description>
      <pubDate>Thu, 10 May 2012 06:36:11 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5326-omg-wtf-pdf</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5326-omg-wtf-pdf</guid>
    </item>
    <item>
      <title>[Audio] Three jobs that journalists will do in 2050</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/538-annalee-newitz"&gt;Annalee Newitz&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/256-social"&gt;social&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Print media are dying, but what is rising up to take their place? In this presentation, I'll answer that question by describing three new kinds of jobs for journalists that do not exist in mainstream print media. These jobs are: hacker journalist, data-mining reporter, and crowd engineer. I'll be describing what these jobs entail, and current examples of organizations already employing people to do them.  My observations in this presentation are based on the nearly twenty years I have written for traditional print as well as new media publications, including zines like Bad Subjects and 2600, as well as mainstream media outlets like Wired and the Washington Post. I also created io9.com, the world's most widely-read blog devoted to science and science fiction. As I've watched friends and colleagues suffer through layoffs in the publishing industry, I've also seen the rise of new kinds of journalists who use technology to break stories in ways that would have been impossible even five years ago.  Hacker journalists use everything from Perl scripts to open source mapping platforms to do investigative reporting (examples include writing at Ars Technica, as well as people working with the Ushahidi mapping platform). Data-mining reporters are people who analyze vast amounts of data to investigate issues from war crimes (using services like Wikileaks) to the stock market "flash crash". 
Crowd engineers work on crowd-sourced news sites like Reddit and Metafilter, writing algorithms and community software that makes it easy for people to share information. Like editors, crowd engineers can be very powerful figures who determine which information rises to the top.  What these new journalists have in common is a newfound ability to aggregate and analyze information on a massive scale. Ultimately I'll explore how this changes the playing field in media, and why journalists of the future may be more powerful than ever before.</description>
      <pubDate>Thu, 10 May 2012 06:36:11 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5328-three-jobs-that-journalists-will-do-in-2050</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5328-three-jobs-that-journalists-will-do-in-2050</guid>
    </item>
    <item>
      <title>[Audio] A framework for automated architecture-independent gadget search</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/6-hacking"&gt;hacking&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: We demonstrate that automated, architecture-independent gadget search is possible. Gadgets are code fragments which can be used to build unintended programs from existing code in memory. Our contribution is a framework of algorithms capable of locating a Turing-complete gadget set.  Translating machine code into an intermediate language allows our framework to be used for many different CPU architectures with minimal architecture-dependent adjustments. We define the paradigm of free-branch instructions to succinctly capture which gadgets will be found by our framework and investigate side effects of the gadgets produced. Furthermore we discuss architectural idiosyncrasies for several widespread CPU architectures and how they need to be taken into account by the generic algorithms when locating gadgets.</description>
      <pubDate>Thu, 10 May 2012 06:36:11 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5330-a-framework-for-automated-architecture-independent-gadget-search</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5330-a-framework-for-automated-architecture-independent-gadget-search</guid>
    </item>
    <item>
      <title>[Audio] Cybernetics for the Masses</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1669-lepht-anonym"&gt;Lepht Anonym&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/268-science"&gt;science&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/270-robotics"&gt;robotics&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Lightning talk on biohacking, complete with cyborg speaker, implant demonstrations, and knowledge of how to hack your own perception of electromagnetic radiation for approximately thirty Euros.  A talk on what's become my specialty - biohacking, or meathacking, whatever you wanna call it. I've got a full set of home-brewed implants, a subdermal RFID, a sort of cult on the Internet plus things like proven designs for cheap EM sensory nodes, experimental verification of that shit I'm claiming, etc. I have videos of procedures, photos of what I've been doing and the like, and will happily make gory slides for all to see. Can do demos of the EM nodes and RFID chip as well.  I want to talk about the grinder movement - underground biohacking - it's my life. Thus, my article in H+ Magazine: "A call to arms for biohackers".</description>
      <pubDate>Wed, 09 May 2012 06:50:39 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5320-cybernetics-for-the-masses</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5320-cybernetics-for-the-masses</guid>
    </item>
    <item>
      <title>[Audio] Analyzing a modern cryptographic RFID system</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/560-henryk-pl%C3%B6tz"&gt;Henryk Pl&#246;tz&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/1670-milosch-meriac"&gt;Milosch Meriac&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/112-rfid"&gt;RFID&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Popular contactless systems for physical access control still rely on obscurity. As we have shown, time and time again, proprietary encryption systems are weak and easy to break. In a follow-up to last year's presentation we will now demonstrate attacks on systems with 'proper' cryptographic algorithms.  Since we broke the last of the big players on the market at 26C3, most vendors are now migrating to new systems which rectify our main point of concern: proprietary algorithms. All new technologies use AES or 3DES for encryption and/or authentication and vendors tirelessly tout the security of their systems and the use of these algorithms between card, reader and host. We will discuss the design of the successor to a system we attacked last year, and demonstrate how a system can be insecure despite the use of secure cryptoprimitives.</description>
      <pubDate>Wed, 09 May 2012 06:50:39 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5324-analyzing-a-modern-cryptographic-rfid-system</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5324-analyzing-a-modern-cryptographic-rfid-system</guid>
    </item>
    <item>
      <title>[Audio] Fnord-Jahresr&#252;ckblick 2010</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1667-felix-von-leitner"&gt;Felix von Leitner&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/197-frank-rieger"&gt;Frank Rieger&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/6-hacking"&gt;hacking&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;</description>
      <pubDate>Tue, 08 May 2012 06:42:29 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5314-fnord-jahresr%C3%BCckblick-2010</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5314-fnord-jahresr%C3%BCckblick-2010</guid>
    </item>
    <item>
      <title>[Audio] Lightning Talks - Day 4</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/6-hacking"&gt;hacking&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: 4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more.  Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;)  Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk!  Whatever you do - please practise it, and don't be boring. Or else. You have been warned!</description>
      <pubDate>Tue, 08 May 2012 06:42:29 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5317-lightning-talks---day-4</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5317-lightning-talks---day-4</guid>
    </item>
    <item>
      <title>[Audio] Tor is Peace, Software Freedom is Slavery, Wikipedia is Truth</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1668-adam-obeng"&gt;Adam Obeng&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/127-tor"&gt;Tor&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/193-privacy"&gt;privacy&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The Internet began as state-sponsored anarchy, but it is now the tool of first resort for dissidents and propagandists alike. The poster-child project of the Free Software Movement runs on the authority of a single person; the rest clash over the very definition of the word 'free'. A company which pictured itself as smashing Big Brother is now seen as one of the most secretive and authoritarian in the industry; and for another, 'Don't Be Evil' is proving to be a challenging motto to live by.  This talk aims to present a view of the societies of the Internet from the perspective of political philosophy. Political philosophy is not politics, in the same way that computer science is not programming. It's not the politics about the Internet, but the politics *of* the Internet. Even so, events at any particular place or time just provide examples to be studied. Political philosophy is meta-politics: it's about the trends in politics and the theories we use to understand them.  Real-world political systems have striking parallels in the evolution of the Internet: there was primitive anarchy before Eternal September, the era of walled gardens resembled that of Ancient Greek city-states, which were succeeded by more-or-less liberal regimes following the geographical territories of real-world governments. 
Because of its rapid evolution, mass participation, and highly complex human interaction, the Internet should be subjected to the sorts of questions that political philosophers ask. On the Internet, what is freedom? Do we have obligations to those in control? To each other? What rights do we have? What can we own?  Once we know the way it is, we can ask how it should be...</description>
      <pubDate>Tue, 08 May 2012 06:42:29 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5318-tor-is-peace-software-freedom-is-slavery-wikipedia-is-truth</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5318-tor-is-peace-software-freedom-is-slavery-wikipedia-is-truth</guid>
    </item>
    <item>
      <title>[Audio] Hacker Jeopardy</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/258-hacker-jeopardy"&gt;hacker jeopardy&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The Hacker Jeopardy is a quiz show.  The well known reversed quiz format, but of course hacker style. It once was entitled "number guessing for geeks" by a German publisher, which of course is an unfair simplification. It's also guessing of letters and special characters. ;)  Three initial rounds will be played, the winners will compete with each other in the final.</description>
      <pubDate>Mon, 07 May 2012 06:37:37 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5308-hacker-jeopardy</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5308-hacker-jeopardy</guid>
    </item>
    <item>
      <title>[Audio] FrozenCache</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/138-juergen-pabel"&gt;Juergen Pabel&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/8-forensic"&gt;forensic&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Cold boot attacks are a major risk for the protection that Full-Disk-Encryption solutions provide. FrozenCache is a general-purpose solution to this attack for x86 based systems that employs a special CPU cache mode known as "Cache-as-RAM". Switching the CPU cache into a special mode forces data to held exclusively in the CPU cache and not to be written to the backing RAM locations, thus safeguarding data from being obtained from RAM by means of cold boot attacks.  A Proof-of-Concept implementation for Linux will be demonstrated and implementation details discussed.</description>
      <pubDate>Mon, 07 May 2012 06:37:37 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5312-frozencache</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5312-frozencache</guid>
    </item>
    <item>
      <title>[Audio] Zero-sized heap allocations vulnerability analysis</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1666-julien-vanegue"&gt;Julien Vanegue&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/73-heap-overflow"&gt;heap overflow&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/84-heap"&gt;heap&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The dynamic memory allocator is a fundamental component of modern operating systems, and one of the most important sources of security vulnerabilities. In this presentation, we emphasize on a particular weakness of the heap management that has proven to be the root cause of many escalation of privilege bugs in the windows kernel and other critical remote vulnerabilities in user-land applications.  The problem is not specific to any operating system and is present in both user-land and kernel-land allocators. The presentation is divided into three parts. First, we will reveal the exact nature of the weakness and provide a taxonomy of all tested operating systems (both in the Windows and UNIX world, most of them are exposed). We then present a custom static analyzer for this class of defects based on the HAVOC framework, a heap-aware verifier for C programs, developed in the RISE team at Microsoft Research. We have deployed the analyzer on multiple kernel components, some of them reaching one million lines of C code. The analyzer produces a reasonable amount of warnings without any complex configuration. Finally, we generalize our analysis technique by characterizing what happens when the size of heap chunks is in the neighbourhood of zero (e.g. near-zero allocations) and give another example of fixed remote bug. 
We emphasize that this weakness should not be considered as a new class of vulnerabilities (such as buffer overflow), but rather a new type of code defect in the same style as integer overflows, as many occurrences are legit and do not lead to a bug.</description>
      <pubDate>Mon, 07 May 2012 06:37:36 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5307-zero-sized-heap-allocations-vulnerability-analysis</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5307-zero-sized-heap-allocations-vulnerability-analysis</guid>
    </item>
    <item>
      <title>[Audio] Console Hacking 2010</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/174-games"&gt;games&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Over 70 million Wiis, over 40 million Xbox 360s and over 35 million Playstation 3s have been sold in the last few years. That makes over 145 million embedded devices out there and most of them are just used to play games. But what can you do with them if you don't like playing games? You hack them to make them run your own code of course! We're going to talk about the various hacks that you can use to gain control of your hardware and make it do what you want it to do.  2010 saw the first hacks for the Playstation 3, soon after Sony removed Other OS functionality. We will detail the operation of current PS3 exploits, show a few new ones and explain where and how Sony went wrong when designing its security system, and show how these holes can be used to gain control over the system and bring Linux back to the PS3.  We will also go over hacks for the other consoles, including the JTAG hack for the Xbox 360 which made running homebrew code more convenient, and the cat-and-mouse games that Nintendo played with us to combat Wii hacks. We might also check out the security of their 'new' handheld console - the DSi.  Gamers might find this talk interesting even though it is targeted at those who hack (or design) embedded system security. A basic knowledge of crypto is therefore assumed. We will also be present in the Hackcenter before and after the presentation for those of you who are interested in learning more about the subject.</description>
      <pubDate>Sun, 06 May 2012 06:52:33 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5301-console-hacking-2010</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5301-console-hacking-2010</guid>
    </item>
    <item>
      <title>[Audio] Safety on the Open Sea</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1665-bernhard-fischer"&gt;Bernhard Fischer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/188-gps"&gt;GPS&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: In maritime shipping accurate positioning is vital to preserve damage to life, ship, and goods. Today, we might tend to think that this problem is sufficiently solved yet because of the existence of electronic positioning systems like, most notably, the Global Positioning System (GPS) or the Russian counterpart GLONASS. This is wrong. Positions in terms of latitude and longitude just make sense together with an accurate sea chart (and of course, together with a navigator that is able to translate charting data into reality).  Sea charts are available of national geospatial agencies and business companies as hard-copy or as digital maps and dependent on costs one might spend they are more or less accurate.  In today's open world the idea of making an open sea chart is obvious. Several projects now started to apply the rules used for the OpenStreetMap, "...a free editable map of the whole world." (http://www.openstreetmap.org/), to create a free editable sea chart of the whole world and it turns out to be much more difficult because of potential serious consequences in case of charting errors.  A sea chart contains a lot of vital information to a navigator. It has to be accurate, up to date, and confidential. Since we (the open sea chart community) cannot just chart every navigational important item on the world we are dependent on information that was already charted before or on third-party information. 
The latter could be for example measurements or GPS tracks of people that are somehow involved into maritime shipping but not necessarily into details of marine mapping. Thus, data accuracy may be questionable but still valuable. The fact that unauthenticated people are editing data in an open database is a big challenge for an open community since safety and security of life heavily depends on it.  This talk covers the basic principles of sea charts and marine mapping. It emphasizes the problems of an open sea chart in general and its distinction to an open street map since requirements to ensure safety at sea are very different. Data preparation and import of other sources are discussed in detail, mainly focused on lights and depths. The lecture will connect real world shortcomings to a pedantic definite IT world for an IT-oriented audience and approaches IT security from a different angle.</description>
      <pubDate>Sun, 06 May 2012 06:52:33 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5304-safety-on-the-open-sea</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5304-safety-on-the-open-sea</guid>
    </item>
    <item>
      <title>[Audio] Reverse Engineering a real-world RFID payment system</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/144-harald-welte"&gt;Harald Welte&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/112-rfid"&gt;RFID&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/177-bank"&gt;bank&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: How to reverse engineer the data format of a real-world RFID based debit card system.  One of Asia&#8217;s most popular electronic payment systems uses insecure technology. The EasyCard  system, established in 2001, is the most popular stored-valued card in Taiwan. With more than 18 million issued cards, it is the predominant means of paying for public transportation services in the capital Taipei. In 2010, use of the EasyCard was extended beyond transportation. Card holders can now pay in all major convenience stores like 7eleven, coffe shops like Starbucks and and major retail companies like SOGO. Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was first publicly broken several years ago at 24C3 This presentation analyzes the results of combining the practical attacks on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment system. It describes the process of reverse- engineering the actual content of the card to discover the public transportation transaction log, the account balance and how the daily spending limit work. Furthermore, the talk will present how fundamentally flawed the system is, and how easy it is to add or subtract monetary value to/from the card. 
Cards manipulated as described in the talk have been accepted by the payment system.</description>
      <pubDate>Sat, 05 May 2012 06:40:46 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5295-reverse-engineering-a-real-world-rfid-payment-system</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5295-reverse-engineering-a-real-world-rfid-payment-system</guid>
    </item>
    <item>
      <title>[Audio] Running your own GSM stack on a phone</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/144-harald-welte"&gt;Harald Welte&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/1663-steve-markgraf"&gt;Steve Markgraf&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/108-gsm"&gt;GSM&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/233-phone"&gt;phone&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: In recent years, we have seen several Free Software projects implementing the network side of the GSM protocol. In 2010, OsmocomBB was started to create a free software implementation of the telephone-side.  The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone.  For decades, the cellular industry comprised by cellphone chipset makers and network operators keep their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD).  Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network.</description>
      <pubDate>Fri, 04 May 2012 06:36:00 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5289-running-your-own-gsm-stack-on-a-phone</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5289-running-your-own-gsm-stack-on-a-phone</guid>
    </item>
    <item>
      <title>[Audio] INDECT - an EU-Surveillance Project</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1664-sylvia-johnigk"&gt;Sylvia Johnigk&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/101-intelligence"&gt;intelligence&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The acronym stands for Intelligent Information System Supporting Observation, Searching and Detection for Security of Citizens in Urban Environment. A total of 17 partners in nine member states are developing an infrastructure for linking existing surveillance technologies to form one mighty instrument for controlling the people. They are laying the foundation of a European police state, since INDECT's results serve to increase the effectiveness of police operation on the national and European level. INDECT is funded under the European Commission's Seventh Framework Programme (FP7), the security-related research of which provides &#8364; 1.4 billion Euro for more than 60 partly interlaced projects.  This Is What the Police Will Work with in the Future:  &#183;Unmanned aerial vehicles/drones with surveillance camera and sensors &#183;Software (for cameras etc.) to identify supposedly suspicious behavior or hostile intent &#183;Auto-tracking of mobile objects &#183;Software (autonomous agents) to monitor virtual spaces such as discussion forums in the Internet or social networks &#183;Trojan horses which record users&#8217; private computer activity &#183;Safeguards, such as watermarking, to allow sophisticated controls on recorded images for evidence, and to index, analyse and administer multimedia content (such as video) &#183;A search engine combining direct search of data from the real and the virtual world</description>
      <pubDate>Fri, 04 May 2012 06:36:00 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5291-indect---an-eu-surveillance-project</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5291-indect---an-eu-surveillance-project</guid>
    </item>
    <item>
      <title>[Audio] Your Infrastructure Will Kill You</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/711-eleanor-saitta"&gt;Eleanor Saitta&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/5-security"&gt;security&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The past century our infrastructure has seen both massive expansion and heavy centralization. When it fails, it fails big -- this is the reality of our modern interconnectedness. We live in a world of crumbling bridges and bankrupt states, and our infrastructure will kill us. The people we&#8217;re relying on to keep us safe are trying to accomplish long-term risk management with short-term thinking. So, what now? We can't opt out, but we can become more resilient, and we can start thinking about risk differently.  In this talk, we'll look at threat modeling in the real world, six ways to die, failing states, that big party in the desert, the failure of the humanitarian project, algae and the U.S. military, large-scale natural disasters, the power grid, and many other things. The problems we face are big in every sense of the word -- they involve some of the biggest things we've ever built -- but the solutions may not be. Can non-governmental networks step up when governments fail to provide basic services? Can we avoid a further expansion of neoliberalism in a post-infrastructural state? Are the power structures embedded in our infrastructure cultural destiny? What happens when maker culture grows up?</description>
      <pubDate>Fri, 04 May 2012 06:36:00 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5293-your-infrastructure-will-kill-you</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5293-your-infrastructure-will-kill-you</guid>
    </item>
    <item>
      <title>[Audio] Chip and PIN is Broken</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/131-steven-j-murdoch"&gt;Steven J. Murdoch&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/177-bank"&gt;bank&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/230-smart-card"&gt;smart card&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as &#8220;Chip and PIN&#8221;, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card&#8217;s PIN, and to remain undetected even when the merchant has an online connection to the banking network.  The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV&#8217;s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. 
This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems.  Smart cards have gradually replaced magnetic strip cards for point-of-sale and ATM transactions in many countries. The leading system, EMV (named after Europay, MasterCard, and Visa), has been deployed throughout most of Europe, and is currently being rolled out in Canada. As of early 2008, there were over 730 million EMV compliant smart cards in circulation worldwide. In EMV, customers authorize a credit or debit card transaction by inserting their card and entering a PIN into a point-of-sale terminal; the PIN is typically verified by the smart card chip, which is in turn authenticated to the terminal by a digital certificate. The transaction details are also authenticated by a cryptographic message authentication code (MAC), using a symmetric key shared between the payment card and the bank that issued the card to the customer (the issuer). EMV was heavily promoted under the &#8220;Chip and PIN&#8221; brand during its national rollout in the UK. The technology was advertised as a solution to increasing card fraud: a chip to prevent card counterfeiting, and a PIN to prevent abuse of stolen cards. Since its introduction in the UK the fraud landscape has changed significantly: lost and stolen card fraud is down, and counterfeit card fraud experienced a two year lull. But no type of fraud has been eliminated, and the overall fraud levels have actually risen (see Figure 1). 
The likely explanation for this is that EMV has simply moved fraud, not eliminated it. One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a &#8216;liability shift&#8217;. In the past few years, the UK media have reported numerous cases where cardholders&#8217; complaints have been rejected by their bank and by government-approved mediators such as the Financial Ombudsman Service, using stock excuses such as &#8216;Your card was CHIP read and a PIN was used so you must have been negligent.&#8217; Interestingly, an increasing number of complaints from believable witnesses indicate that their EMV cards were fraudulently used shortly after being stolen, despite there having been no possibility that the thief could have learned the PIN. In this paper, we describe a potential explanation. We have demonstrated how criminals can use stolen &#8220;Chip and PIN&#8221; (EMV) smart cards without knowing the PIN. Since &#8220;verified by PIN&#8221; &#8211; the essence of the system &#8211; does not work, we declare the Chip and PIN system to be broken.</description>
      <pubDate>Fri, 04 May 2012 06:36:00 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5294-chip-and-pin-is-broken</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5294-chip-and-pin-is-broken</guid>
    </item>
    <item>
      <title>[Audio] IMMI, from concept to reality</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1661-daniel-domscheit-berg"&gt;Daniel Domscheit-Berg&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/193-privacy"&gt;privacy&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get.  The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility.  The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get.  The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility.</description>
      <pubDate>Thu, 03 May 2012 06:31:29 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5284-immi-from-concept-to-reality</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5284-immi-from-concept-to-reality</guid>
    </item>
    <item>
      <title>[Audio] Android geolocation using GSM network</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1662-renaud-lifchitz"&gt;Renaud Lifchitz&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/108-gsm"&gt;GSM&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/233-phone"&gt;phone&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/234-locating"&gt;locating&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/248-android"&gt;Android&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: We introduce a new forensic technique that allows to collect users' past locations on most current Android phones, within a few seconds. It becomes possible to tell where the user was at a given time, or where a phone call took place over the last few hours or days.  The attack is based on GSM BTS cell location and little-known Android logging features and can be extended to track a user's activity over long periods of time.  We will also show how to perform the attack locally and remotely, and ways to protect against these techniques, as well as forensic applications and privacy concerns.  As a part of the presentation we plan to show a live demonstration of both local and remote attacks to retrieve geolocation and activity history of targeted phones. The graphical mapping tool used for the presentation will be released as open source.</description>
      <pubDate>Thu, 03 May 2012 06:31:29 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5286-android-geolocation-using-gsm-network</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5286-android-geolocation-using-gsm-network</guid>
    </item>
    <item>
      <title>[Audio] Cognitive Psychology for Hackers</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/6-hacking"&gt;hacking&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/256-social"&gt;social&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Experience firsthand some of the most interesting, surprising, and perspective-changing findings from cognitive and social neuropsychology. With perceptual illusions, priming, biases, heuristics, and unconscious influences, humans have tons of firmware "bugs". All have exploits; some even have patches.  Learn how to improve your own thinking, use others' bugs to your advantage, and gain new perspective on the unconscious and often illusory processes involved in your perceptions.  This interactive talk goes through as many interesting, surprising, perspective-changing findings from the cognitive sciences as I can fit in one hour while ensuring that as much as possible has a real, live demonstration that the audience participates in (rather than merely being told about).  It's not just a collection of 'stupid human tricks' (though I'll be using lots of those for examples); this is a coherent narrative about surprising ways in which humans are flawed, how these aren't just things that happen to "other people", and how one might go about improving the situation at least for oneself. Every point will be supported by good science, with references to papers for those who care to read up more about them.  Come to the meditation workshop afterwards to learn several more interesting and powerful techniques to proactively control your own mindstate.</description>
      <pubDate>Wed, 02 May 2012 06:45:09 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5279-cognitive-psychology-for-hackers</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5279-cognitive-psychology-for-hackers</guid>
    </item>
    <item>
      <title>[Audio] DIY synthesizers and sound generators</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/239-music"&gt;music&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: At least if you have used all the features of a synthesizer, you probably ask the questions: "How can I modify it? How can I build a synthesizer myself? What features do I personally need?"  This talk covers this topic from a theoretical and technical point of view.  Since commercial synthesizers have been built, the interest in modifying existing synthesizers and building own synthesizers has increased. Nowadays there is a much bigger DIY (Do-It-Yourself) community, and the idea of building own synthesizers and modules has been even merged with the idea of open-source and creative-commons hardware. This gives a wide range of new possibilities.  Another part of the talk will be a quick introduction of less or more known DIY-synthesizer projects and the demonstration of a DIY synthesizer based on MOS 6581-like synthesis (The Commodore SID), which can be built from quite cheap electronic components and give a wide range of possibilities for sound generation and a reasonable sound.  This talk will briefly describe the basics of sound synthesis and what makes it so interesting. A little bit of basic knowledge is recommended, but not necessary.</description>
      <pubDate>Wed, 02 May 2012 06:45:09 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5281-diy-synthesizers-and-sound-generators</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5281-diy-synthesizers-and-sound-generators</guid>
    </item>
    <item>
      <title>[Audio] Ignorance and Peace Narratives in Cyberspace</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1659-angela-crow"&gt;Angela Crow&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/149-data-mining"&gt;data mining&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one&#8217;s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA academic institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators.  Years ago, when young nuns were entering a particular Catholic convent, they were asked to write autobiographical essays which were filed away along with other information about each nun. When they were elderly, these nuns agreed to be a part of a study on Alzheimers, giving permission for scientists to perform autopsies upon their deaths. Susan Kemper, a cognitive psychologist and psycholinguist was able to take the autobiographies from these humanities-based school teachers, and predict the probability of alzheimers from their sentence structures at eighteen. Luckily, replications of this kind of research are difficult. I say luckily because these kinds of findings might have potential hazards for those whose writing at 18 indicates alzheimers: specifically, living in a country in which health care is not a fundamental right, insurance companies might want access to this kind of data.  
I think of this study each time that I find myself in a meeting as an administrator at a university in the United States, navigating difficult decisions about gathering writing samples from a large group of 18 year old students. While our assessment rhetoric suggests that we &#8220;come in peace,&#8221; I find myself worrying over the potential hazards of employing certain cloud computing resources to facilitate our data collection of student essays. This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one&#8217;s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators.</description>
      <pubDate>Tue, 01 May 2012 06:45:10 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5272-ignorance-and-peace-narratives-in-cyberspace</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5272-ignorance-and-peace-narratives-in-cyberspace</guid>
    </item>
    <item>
      <title>[Audio] SIP home gateways under fire</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1660-wolfgang-beck"&gt;Wolfgang Beck&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/32-voip"&gt;VoIP&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/42-sip"&gt;SIP&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The SIP home gateway -- which combines a NAT router, a SIP proxy, and analogue phone adapters -- is the weakest link in a Voice over IP network. SIP's numerous source routing mechanisms share the well-known security weaknesses of IP source routing. The talk discusses possible exploits and countermeasures.  Telephony is steadily moving to Voice over IP, opening up a world of hacking opportunities. While many security issues have long been addressed in standardization, real-world VoIP suffers from incomplete and sometimes broken implementations. SIP home gateways -- which combine a NAT router, a SIP proxy, and a phone adapter are especially at risk.  The predominant VoIP protocol SIP (Session Initiation Protocol) has been designed as an -- almost -- stateless protocol. The network elements responsible for call routing only keep very little and short-lived state. This makes SIP highly scalable and substantially simplifies fail-over.  To achieve this, SIP uses source routing mechanisms extensively. Due to its security weaknesses, the network layer protocols have long abandoned the idea of source routing, despite its theoretical appeal. Some IP source routing attacks and countermeasures can be applied to SIP.</description>
      <pubDate>Tue, 01 May 2012 06:45:10 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5276-sip-home-gateways-under-fire</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5276-sip-home-gateways-under-fire</guid>
    </item>
    <item>
      <title>[Audio] Lightning Talks - Day 3</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/6-hacking"&gt;hacking&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: 4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more.  Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;)  Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk!</description>
      <pubDate>Mon, 30 Apr 2012 06:35:11 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5267-lightning-talks---day-3</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5267-lightning-talks---day-3</guid>
    </item>
    <item>
      <title>[Audio] Terrorists Win - Exploiting Telecommunications Data Retention?</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1615-kay-hamacher"&gt;Kay Hamacher&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/1616-stefan-katzenbeisser"&gt;Stefan Katzenbeisser&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/54-terrorism"&gt;terrorism&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Telecommunications data retention (TDR) has become a reality in most Western countries. Protagonists claim that the collection of massive amounts of data on the communication behavior of all individuals within a country would enable law enforcement agencies to exploit patterns in the stored data to uncover connections between suspects.  While this is obviously true for investigations after an incident happened, there is up to now no critical and sound assessment publicly available that evaluates whether TDR brings any pro-active benefits for the above mentioned, justified purposes.  In this talk we give for the first time a critical assessment of the power of TDR based on methods from information theory. To this end we have employed agent based simulations, which mimic the communication behavior of a large community including a dark-net of alleged suspects. The structure and statistics of our telecommunication simulation, which drive the dynamics of telephone calls and simulated TDR data, were generated according to known statistics of real-world telecommunications networks.  Hiding in the unavoidable noise seems to be a passive strategy for terrorists to circumvent pro-active detection. This stems from a "needle in the haystack"-problem, that arises due to the small number of conspirators compared to the number of other participants. 
 In particular situations and with adopted strategies suspected terrorists might be able to eventually exploit TDR for their purposes and take an active approach to hiding in the crowd. Such TDR exploits would lower the probability of detection by law enforcement agencies and render TDR a potential security threat. Again, we use our simulations and our analysis procedure to assess this problem.</description>
      <pubDate>Mon, 30 Apr 2012 06:35:11 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5269-terrorists-win---exploiting-telecommunications-data-retention</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5269-terrorists-win---exploiting-telecommunications-data-retention</guid>
    </item>
    <item>
      <title>[Audio] A Critical Overview of 10 years of Privacy Enhancing Technologies</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/193-privacy"&gt;privacy&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The objective of the session is to provide a critical overview of "privacy research" within computer science. The mechanisms proposed in the last ten year include mechanisms for anonymous communications, censorship resistance, selective disclosure credentials (and their integration in identity management systems), as well as privacy in databases. All of these system are meant to shield the user from different aspects of on-line surveillance either through allowing a user to keep some of her data "confidential" or by allowing her to assert "control" over her data. We will illustrate using concrete examples, why some paradigms came to dominate the &#64257;eld, their advantages, but also their blind spots, and unfulfilled promises given the conditions of our surveillance societies.  Since 2000 there has been a renewed interest amongst computer scientists in the &#64257;eld of &#8221;privacy technology&#8221;. This includes mechanisms for &#8220;anonymous&#8221; communications, censorship resistance, selective disclosure credentials, as well as privacy in databases - all of which are meant to shield the user from some aspects of on-line surveillance. Beyond the lab, some of those systems have been deployed and are widely used today.  Yet, the type of surveillance against which privacy technologies are supposed to offer protection is often ill-de&#64257;ned, and widely varying between works: from an individual who wishes &#8220;to hide an occasional purchase from his spouse&#8221;, to &#8220;groups coordinating political dissent under totalitarian regimes&#8221;. 
While privacy is seen as the key unifying theme of these works only one aspect of it is systematically represented, namely &#8221;con&#64257;dentiality&#8221;. Privacy as self-de&#64257;nition, informational self-determination or as a public good that needs to be negotiated is often neglected. Further, the increasing omni-presence of surveillance technologies, the informatisation of every day life, as well as active resistance to on-line surveillance are used as justifying departure points for privacy technologies but they have so far not been explored in depth in the privacy research &#64257;eld.  In this talk, we explore the development of contemporary privacy technologies, its key results and methodologies. At its heart our argument is that the &#64257;eld of privacy technology was seeded by computer security and cryptography experts that rushed to apply their tools to new problems, yielding mixed results. Additional pressures from different stakeholders to devise technology that will make large IT systems acceptable to the public has led to further confusion about the goals and methods most appropriate to embed privacy friendly values into computer systems. Further, the recent trend has been to replace the confidentiality paradigm with what can be called the "control" paradigm. Using concrete examples, we seek to explain why some paradigms came to dominate the &#64257;eld, their advantages, but also their blind spots, and unfulfilled promises.</description>
      <pubDate>Mon, 30 Apr 2012 06:35:11 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5270-a-critical-overview-of-10-years-of-privacy-enhancing-technologies</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5270-a-critical-overview-of-10-years-of-privacy-enhancing-technologies</guid>
    </item>
    <item>
      <title>[Audio] Adventures in Mapping Afghanistan Elections</title>
      <description>&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/106-election"&gt;election&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Monitoring and reporting about elections in a war zone is a complex and dangerous task. While crisis mapping carried out via sms and email proved highly successful with the use of Ushahidi in situations like post-election violence in Kenya, tracking crime in Atlanta, or earthquake recovery in Haiti, could it prove useful in such a complex situation as the Afghan political process? This year a team of people set out to do just that with three different Ushahidi mapping projects for national media, national election observers, and international observers. The following presentation is about the challenges we faced, successes we did or did not have, and the lessons learned for the future of crisis mapping.  In 2008 an open source mapping system called Ushahidi was put into public use for the first time in history. The occasion was a constitutional referendum in Kenya and the goal of the Ushahidi system was to map and track reports of violence throughout the country in the days following the vote. Through the use of sms reports from the general public, which were then categorized and published on an interactive map accessible on the internet, anyone anywhere in the world could not only get reports about what was happening, they could get almost real time reports about where violence was happening, when, and details regarding those incidents.  
The response in Kenya was so large and the attention the site got was so wide spread, Ushahidi would soon be used to map not only violence surrounding an election, but also earthquake recovery, snow storm recovery, forest fire prevention, crime data in urban environments, and elections monitoring. In each of these situations, the power of crowd-sourcing and interactive mapping via simple sms and email technology was all that was needed to get a body of information no media or government organization could compete with.  In the summer of 2010, on the eve of Parliamentary elections in Afghanistan, several organizations interested in monitoring what happens at the polls and after the votes are in became interested in whether or not Ushahidi could be useful for their purposes. The Afghan Press agency, Pajwhok, as well as the national elections observer organization (FEFA) and the international elections observers (Democracy International) all sought to implement some form of Ushahidi system for their observers. They approached my organization, Small World News (SWN) that has assisted in Ushahidi projects in the past, to carry out this task.  Over the course of just over 1 month, these three systems were rolled out in different ways, with varying level of restrictions due to security and other institutional regulations. The result tells three different stories about how the election went, while also providing a list of lessons about what open source interactive mapping can provide (or not provide) for a nation like Afghanistan with such a specific list of problems.  The presentation is an explanation of both the process and the lessons learned.</description>
      <pubDate>Sun, 29 Apr 2012 06:48:39 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5261-adventures-in-mapping-afghanistan-elections</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5261-adventures-in-mapping-afghanistan-elections</guid>
    </item>
    <item>
      <title>[Audio] Data Recovery Techniques</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1658-peter-franck"&gt;Peter Franck&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/8-forensic"&gt;forensic&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Data recovery has always been an area of myths. This lecture will lift some of their covers.</description>
      <pubDate>Sun, 29 Apr 2012 06:48:39 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5264-data-recovery-techniques</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5264-data-recovery-techniques</guid>
    </item>
    <item>
      <title>[Audio] The Hidden Nemesis</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1280-ralf-philipp-weinmann"&gt;Ralf-Philipp Weinmann&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/71-backdoor"&gt;backdoor&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/96-embedded"&gt;embedded&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you:  Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN!  I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.</description>
      <pubDate>Sun, 29 Apr 2012 06:48:38 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5259-the-hidden-nemesis</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5259-the-hidden-nemesis</guid>
    </item>
    <item>
      <title>[Audio] The importance of resisting Excessive Government Surveillance</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1655-nicholas-merrill"&gt;Nicholas Merrill&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/193-privacy"&gt;privacy&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: My name is Nicholas Merrill and I was the plaintiff in a legal case in the US court system where I challenged the FBI&#8217;s policy of using a feature of the so-called USA PATRIOT act - what are called &#8220;National Security Letters&#8221; - to bypass the American Constitution's system of checks and balances and in violation of the United Nations Universal Declaration of Human Rights - in order to obtain protected personal information and to unmask anonymous Internet users. I spent over 6 years not able to speak to anyone (other than my lawyers) about my case - forced to lie to those closest to me due to an FBI gag order that carried a possible 10 year prison sentence for violating it. However the lawsuit resulted in the establishment of two key legal precedents and made changes that affect every Internet worker and Telephone worker in America. I would like to speak to the 27C3 audience in order to tell about my experience and to challenge (and offer my support and assistance to) those individuals who are in a position to challenge government surveillance requests to follow their consciences and do so.  People who work at Internet Service Providers and Telephone companies as well as IT workers at Universities and private businesses are increasingly likely to encounter government attempts at surveillance. 
I would like to speak to the CCC regarding my experiences in resisting a National Security Letter and also a &#8220;Grand Jury Subpoena&#8221; as well as my experience of being gagged by the FBI for nearly 7 years - unable to speak on the subject or identify myself as the plaintiff in the NSL lawsuit.  Nicholas Merrill founded Calyx Internet Access Corporation in 1995. Calyx Internet Access was one of the first commercial Internet service providers operating in New York City. Calyx pursued relationships with and worked with many activist groups on a pro bono or low-cost basis, including the New York Civil Liberties Union, the Independent Media Center (Indymedia.org) and the Drug Policy Foundation.  In 2004, after receiving a &#8220;National Security Letter&#8221; from the Federal Bureau of Investigation, and a subsequent request from the U.S. Secret Service, Calyx became involved with the ACLU and in using the legal system and the media to resist illegal government requests for information on Internet users. For six and a half years, Merrill and the ACLU tirelessly challenged the orders contained in the letter, resulting in the establishment of two key legal precedents overturning aspects of the national security letter program.  Along the way he encountered court proceedings where he could not even be present - where he could not be referred to by name, but instead was referred to in all court documents as "John Doe". He also encountered heavy-handed government censorship of court documents under the guise of "National Security" and secret evidence presented to the judge by the FBI that his attorneys were not allowed to see.  The merging of Merrill's long interest in advocacy and free speech combined with his experience with the U.S. government inspired him to form a non-governmental organization (NGO) to deal specifically with this issue without being distracted or compromised by the requirements of a for-profit business.</description>
      <pubDate>Sat, 28 Apr 2012 06:39:25 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5254-the-importance-of-resisting-excessive-government-surveillance</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5254-the-importance-of-resisting-excessive-government-surveillance</guid>
    </item>
    <item>
      <title>[Audio] Secure communications below the hearing threshold</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1656-marcus-nutzinger"&gt;Marcus Nutzinger&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/1657-rainer-poisel"&gt;Rainer Poisel&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/63-cryptography"&gt;cryptography&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Auditive steganography allows for various usage scenarios. In our project we focused on hidden communications in VoIP and GSM in which voice data is typically compressed and transmitted in realtime. A framework has been developed to meet these requirements, providing interfaces for robust steganographic algorithms.  The need for steganography has arisen from scenarios that forbid the application of cryptographic algorithms for secure communications. Countries that made secret message exchange a delict are an example for such scenarios. The LSB algorithm used by many open- and closed-source projects is insecure, as its application can be statistically detected. Therefore, we focused on alternate approaches which are more robust against operations on the bit-level, such as compression, D/A-, A/D-conversion and channel idiosyncrasies, such as spread spectrum steganography in time and frequency domain.  Secure and hidden communications demand more than an embedding algorithm. Involved elements include:      protocols for data flow handling,     various embedding algorithms and     support for different I/O-interfaces.  For correct interaction of these elements, arranging them in a layered model is a reasonable approach for the distribution of the required tasks such as frame and packet building, checksumming, transmission, etc. 
From this model we derived our software architecture which is portable to common platforms (Linux/Unix, Windows, ...) and various architectures (x8632, x8664, mips).  This talk gives an introduction to the topic and describes the development and implementation of our framework based on a novel layered model for auditive steganography including a live demonstration.</description>
      <pubDate>Sat, 28 Apr 2012 06:39:25 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5256-secure-communications-below-the-hearing-threshold</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5256-secure-communications-below-the-hearing-threshold</guid>
    </item>
    <item>
      <title>[Audio] "Spoilers, Reverse Green, DECEL!" or "What's it doing now?"</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1654-bernd-sieker"&gt;Bernd Sieker&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/268-science"&gt;science&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Getting the interfaces right to computers controlling complex and dangerous machines such as commercial airliners is crucial. I will present a successful accident analysis method and talk about interface design problems, ideas for solutions, methods for understanding causal control flow. There will be some spectacular aviation accident videos and stories of bad luck, bad design, bad decisions, and a hero that managed to turn a near-catastrophe into an accident without fatalities.  Getting the Interface right can be crucial.  So does an understanding of the underlying logic, and knowledge of correct procedures when operating complex devices.  Modern airliners are incredibly complex machines, no person can fully understand what is going on. This starts at simple things like fuel systems (e. g. the B777 has only two engines and three fuel tanks, how complicated can that be? Surprisingly so.) and goes on to autopilots, autothrottle systems, FADECs (Full Authority Digital Engine Control), Flight Management, Guidance and Envelope Computers (FMGEC), digital fly-by-wire systems, weight computations etc.  Apart from the largely unsolved problems of how to create software for these systems that is demonstrably extremely reliable (in commercial aviation we're talking about probablities of dangerous failures of 1 in a billion flight hours: testing just won't do), there is the underrated question of getting the interface right.  
What to annunciate to the crew and when, and in which form? Some accidents and incidents are directly related to a flight crew being confused by the annunciations, or didn't know how to react properly to seemingly unrelated warnings. At other times, a pertinent and important warning is suppressed because another, ostensibly more important warning inhibited the other one.  I'll be talking about some accidents that we have analysed using Why-Because-Analysis (see http://www.rvs.uni-bielefeld.de/research/WBA/) in which the interface and the automation played a role. I will also be talking about some design principles to guide interface design and interactive safety.</description>
      <pubDate>Fri, 27 Apr 2012 06:48:03 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5251-spoilers-reverse-green-decel-or-whats-it-doing-now</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5251-spoilers-reverse-green-decel-or-whats-it-doing-now</guid>
    </item>
    <item>
      <title>[Audio] The Baseband Apocalypse</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1280-ralf-philipp-weinmann"&gt;Ralf-Philipp Weinmann&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/108-gsm"&gt;GSM&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Attack scenarios against mobile phones have thus far concentrated on the application processor. The operating systems running on these processors are being hardened by vendors, as can be seen in the case of Apple's iOS -- the current release uses data execution prevention and code signing. In contrast, the GSM stack running on the baseband processor is neglected. The advent of open-source solutions such as OpenBSC and OpenBTS for running GSM base stations is a game-changer: malicious base stations are not within the attack model assumed by the GSMA and ETSI.  This talk explores the viability of attacks against the baseband processor of GSM cellular phones. Results presented will be the first over-the-air memory corruption exploitation of bugs in a number of widespread GSM stacks that allow for remote code execution.</description>
      <pubDate>Fri, 27 Apr 2012 06:48:02 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5249-the-baseband-apocalypse</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5249-the-baseband-apocalypse</guid>
    </item>
    <item>
      <title>[Audio] A short political history of acoustics</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1650-oona-leganovic"&gt;Oona Leganovic&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/43-audio"&gt;audio&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/239-music"&gt;music&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The birth of the modern science of acoustics was directly intertwined with the desires to surveil and communicate, either in secret or to everybody at once. Acoustics was not just about 'learning more about nature'; right from the start it was an applied science, driven by very clear notions of who has the right, and thus should have the possibility, of listening in on others, who needs to be able to converse in private, and who should be heard by everybody if he wishes to. How are these historical ideas related to those of today?  The talk teases out these juicy implications from mostly original source material, focussing on the strange figure of the Jesuit Athanasius Kircher, but also looking at better known characters of the Scientific Revolution like Francis Bacon, Marin Mersenne, and the early Royal Society. There are plenty of phantastic 'scientific' illustrations to look at, as well as descriptions of devices (for the amplification of sound, for acoustical surveillance, entertainment, and the so called 'cryptoacoustics') that did, or rather did not, work to laugh about; but the key questions are those about power and its relationship to notions of privacy and communication, the history of privacy as a privilege and surveillance as a 'right' of government. Some of these ideas become especially clear in the phantasies they produced. 
How are these historical ideas related to our own about who gets to listen in, who gets to converse in private, and who gets to be heard by everybody? And what has all that to do with the history of science, and even magic?</description>
      <pubDate>Thu, 26 Apr 2012 06:29:52 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5242-a-short-political-history-of-acoustics</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5242-a-short-political-history-of-acoustics</guid>
    </item>
    <item>
      <title>[Audio] "The Concert"</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1651-alex-antener"&gt;Alex Antener&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/1652-corey-cerovsek"&gt;Corey Cerovsek&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/1653-julien-quentin"&gt;Julien Quentin&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/239-music"&gt;music&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Corey Cerovsek and Julien Quentin, accomplished musicians known worldwide for their classical recital performances, and media artist Alex Antener present something that's not quite an ordinary concert, to draw attention to the importance of the public domain in centuries of classical music tradition. It's both more &#8212; and less &#8212; than what you might expect to see and hear at a classical concert.  Mixing live and recorded music with visuals with a message, Julien Quentin, Corey Cerovsek and Alex Antener imagine the heavy curtain of a non-free culture falling on four hundred years of classical music. Ripping and mixing have been going on for longer than you might imagine, and without the Public Domain, much of our classical heritage would be replaced with silence. From Lennon to Bernstein, Bernstein to Mozart, Liszt to Paganini, Sarasate to Bizet, Mendelssohn to Bach, classical music has been a culture of ceaseless sharing in which individuals have nonetheless been able to project indelible voices across the centuries. Had music always been controlled as some would like it to be controlled now, would we have this rich tradition to transmit to you?</description>
      <pubDate>Thu, 26 Apr 2012 06:29:52 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5246-the-concert</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5246-the-concert</guid>
    </item>
    <item>
      <title>[Audio] Building Custom Disassemblers</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/60-felix-fx-lindner"&gt;Felix 'FX' Lindner&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/49-reverse-engineering"&gt;reverse engineering&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The Reverse Engineer occasionally faces situations where even his most advanced commercial tools do not support the instruction set of an arcane CPU. To overcome this situation, one can develop the missing disassembler. This talk is meant to be a tutorial on how to approach the task, what to focus on first and what surprises one may be in for. The primary focus will be on the transformation of byte code back into mnemonic representation where only the reverse transformation is available (i.e. you have the respective assembler). It also covers how to integrate your new disassembler into your reverse engineering tool chain.</description>
      <pubDate>Wed, 25 Apr 2012 06:38:44 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5236-building-custom-disassemblers</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5236-building-custom-disassemblers</guid>
    </item>
    <item>
      <title>[Audio] Defense is not dead</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1648-andreas-bogk"&gt;Andreas Bogk&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/5-security"&gt;security&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The security model of our current computer architectures - kernel in ring 0, processes in ring 3 - goes back to the early 70s. However, science hasn't stopped.  This talk is going to look into the state of the art in building secure computers, with a focus on type systems and formal verification, and hopefully an outlook on how tomorrow's computers will be more secure than what you can buy now.</description>
      <pubDate>Wed, 25 Apr 2012 06:38:44 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5238-defense-is-not-dead</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5238-defense-is-not-dead</guid>
    </item>
    <item>
      <title>[Audio] High-speed high-security cryptography: encrypting and authenticating the whole Internet</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1649-daniel-j-bernstein"&gt;Daniel J. Bernstein&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/63-cryptography"&gt;cryptography&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Are you writing a program that sends data through the Internet? Are you sending the data through HTTP, or SMTP, or simply TCP, leaving it vulnerable to espionage, corruption, and sabotage by anyone who owns a machine connected to the same network?  You can use SSH and IPsec to protect communication with your own machines, but how do you talk to the rest of the Internet? You can use TCPcrypt to protect yourself against attackers too lazy to forge packets, but how do you protect yourself against serious attackers? You can use HTTPS for low-frequency communication, but how do you handle heavy network traffic, and how do you protect yourself against the security flaws in HTTPS? Today's Internet cryptography is slow, untrustworthy, hard to use, and remarkably unsuccessful as a competitor to good old unprotected TCP.  This talk will present a different approach to high-security Internet cryptography. This approach is easy for users, easy for system administrators, and, perhaps most importantly, easy for programmers. The main reason that the approach has not been tried before is that it seems to involve very slow cryptographic operations; this talk will show that the approach is extremely fast when it is done right.</description>
      <pubDate>Wed, 25 Apr 2012 06:38:44 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5239-high-speed-high-security-cryptography-encrypting-and-authenticating-the-whole-internet</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5239-high-speed-high-security-cryptography-encrypting-and-authenticating-the-whole-internet</guid>
    </item>
    <item>
      <title>[Audio] Part-Time Scientists</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/1611-karsten-becker"&gt;Karsten Becker&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/1612-robert-b%C3%B6hme"&gt;Robert B&#246;hme&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/268-science"&gt;science&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/270-robotics"&gt;robotics&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The Part-Time Scientists is an international team of scientists and engineers participating in the first private race to the moon, the Google Lunar X-Prize. Our approach to winning this competition is quite unique, as everyone involved really is a part-time scientist.  In our presentation we will present our latest lunar rover, lander, electronic and communications developments.  The presentation will feature:&lt;br/&gt;our self-developed embedded systems,&lt;br/&gt;how we designed radiation-hardened and fault-tolerant systems,&lt;br/&gt;the production of our second rover generation and their first tests,&lt;br/&gt;our prototype real-world tests,&lt;br/&gt;what we've done in 2010,&lt;br/&gt;what we're planning for 2011,&lt;br/&gt;and a lot more interesting topics!  Our presentation will be focused on actual hardware, with a rather short introduction to the topic in general.</description>
      <pubDate>Tue, 24 Apr 2012 06:51:17 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5229-part-time-scientists</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5229-part-time-scientists</guid>
    </item>
    <item>
      <title>[Audio] Is the SSLiverse a safe place?</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/162-jesse-burns"&gt;Jesse Burns&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/authors/details/536-peter-eckersley"&gt;Peter Eckersley&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/93-x509"&gt;X.509&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/246-ssl"&gt;SSL&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset - what we have learned from it, how you can use it, and how we intend to offer a live, continually updated version of it.  TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals.  The SSL Observatory is a project to bring more transparency to SSL Certificate Authorities, and to help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. Those included thousands of valid 'localhost' certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy.  
In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research; the progress made at fixing some of the vulnerabilities we found; and our design for a new, decentralised version of the SSL Observatory.</description>
      <pubDate>Tue, 24 Apr 2012 06:51:17 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5233-is-the-ssliverse-a-safe-place</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5233-is-the-ssliverse-a-safe-place</guid>
    </item>
    <item>
      <title>[Audio] I Control Your Code</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Unsafe languages and an arms race for new bugs call for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects from the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program.  This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit.  User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime data structures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in runtime layout and stops the program whenever exploit code is about to be executed.  This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. &lt;br/&gt;&lt;b&gt;Observable Attack Vectors&lt;/b&gt;&lt;br/&gt;Stack Overflow: A limited buffer is overflown with user data and overwrites data on the stack (e.g., the return instruction pointer).&lt;br/&gt;Format String Attack: An attacker can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function.&lt;br/&gt;Return to libc Attack: This attack prepares multiple stack frames that execute code sequences in libraries. The stack frames can be constructed so that (almost) arbitrary code is executed.&lt;br/&gt;Race Attacks / TOCTTOU: Time-of-check-to-time-of-use race conditions exploit the fact that values on the stack can be changed after they are checked but before they are used in the program or kernel.&lt;br/&gt;Integer Overflow: Overflows can be triggered by using a negative integer value instead of an unsigned value.&lt;br/&gt;Heap Overflow: A heap buffer overflow is used to overwrite function pointers or data from the memory allocator to trigger execution of arbitrary code.&lt;br/&gt;Code Anomalies: x86_64 code is backward compatible with ia32, and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sandboxes that are not aware of all possible combinations of system calls.&lt;br/&gt;The exploits are generally detected whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. &lt;br/&gt;&lt;b&gt;Conclusion&lt;/b&gt;: Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors against running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. &lt;br/&gt;&lt;b&gt;Related Work&lt;/b&gt;: A detailed discussion of related work is in the paper. These references here are for informational purposes only (to show how this talk was inspired) and not complete.</description>
      <pubDate>Mon, 23 Apr 2012 06:50:48 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5225-i-control-your-code</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5225-i-control-your-code</guid>
    </item>
  </channel>
</rss>

