Hack in the Box Day #1 Wrap Up

The first day of the HiTB security conference is already over! HiTB (“Hack in the Box“) organizes conferences for a while in Dubaï and Kuala Lumpur but this is the first time that an event is held in Europe and not too far from Belgium. I left home very early this morning to avoid the traffic jams to Amsterdam.

Registration done, some coffee with known people and ready for a day of technical talks about risks on the Internet. A welcome message was presented by Rop Gonggrijp, founder of the dutch magazine Hack-Tic and later of XS4ALL, one of the first Dutch ISPs. He spoke about the growing amount of information collected by companies and government agencies and the associated risks.

Rop’s introduction was immediately followed by the keynote of Dr Anton Chuvakin. The topic was the “security chasm“. It was a long presentation about the different security approaches: one about “improving the security” and the other about “cleaning up the mess“. What’s the job of security professionals? To ensure that the business runs and if they don’t succeed some regulatory body would come and beat them up. He also compared the security to the seat belts: Do you prefer the death or a risk of 50€ fine? Theoretical but interesting presentation.

Then, the technical talks started after a short break. The first presentation I attended was the one of John ‘Kanen’ Flowers about his Kane|Box. John briefly reviewed the big steps in the history of security (from the Phrack and 2600 magazines, the BBS, vulnerabilities, exploits, etc). Today’ main problem concerns the security tools available: they are based on 10+ years old logic. Some big names became commercial (like Nessus or Snort) and commercial software are very expensive and, sometimes, with bad results. One of the fact is: “Your network is unique and constantly changing“. That’s why he decided to create the Kane project. This is an  open source (and he insisted on this point!) vulnerability and exposure framework which uses statistical information to detect security issues. Instead of being signature based, it learns patterns from behavior. Why is it open source? John’s point of view is: “Don’t trust anything if you can’t fully understand how it works“. The software is:

• made for actual users
• affordable
• should do everything
• proposes multiple interfaces (web, console)
• and … anyone can make it better.

The solution is available as a pack “software + hardware” for a very low price (more information: www.kane-box.com). Note that the software is also available as a VM image.

With Fyodor Yarochkin, we dived into the Russian underground forums. He analyzed with a colleague, dozen of Russian web forums and tried to discover and understand the hacker’s culture. First, Fyodor explained the difficulties. Everything had to be analyzed manually due to the language used by the hackers (specific terms, no standard formats, etc). What the study revealed?

• It’s a business (100% money driven)
• The classic targets remains the average PC users (read: your Dad and your Mum)
• Attacks are: extrusion, job recruitment, services and offers
• Virtual money is used and washing money processes are developed (ex: via iTunes card, Skype credits, …)

If you need money and have ideas, you win! Everything has a price and can be sold: passports, credit cards, SIMM cards, … Example: a Dutch passport is already available for $8000. Even “packages” are sold (1 passport + 1 cc + 1 SIMM). Perfect to build your new fake identity. Network “services” are also for sale. How much does it cost to bring Twitter down? $80/day!

The first talk after the lunch was about mobile phones. As the Internet traffic generated from mobile devices is constantly growing, it is clear that such devices became interesting targets. There was two concurrent sessions related to mobile devices security. I attended “Hijacking mobile data connection – State of the art”. The second has been resumed on securitybananas.com. The goal of the hijacking session is to reconfigure the mobile device to force it to redirect all its HTTP(S) traffic to a proxy. This is completely transparent for the end-user! But, it happens always due to an unsecure behaviors like by accepting a SMS message spoofed from the mobile operator or by installing a suspicious application. Two types of devices were covered: the iPhone and Android platforms. The speakers (Roberto Gassira & Roberto Piccirillo) gave lot of details about the way the malicious SMS are generated. The goal is to let the mobile phone owner to load a new profile which will reconfigure the network settings as silently as possible. Once done, an Apache server with mod_proxy, mod_security and SSLstrip will do the job. All traffic will be redirected to the proxy and can be decoded. It’s also possible to perform injection of code. For the Android platform, this can be achieved via a rogue application signed and uploaded on the Android market! According to the Google contract, an attacker is free to publish an app that change settings. The ultimate solution to protect you is maybe to run your own base station? 😉

“Owned live on stage – Hacking wireless presenters” by  Niels Teusink. Wireless presenters are the speakers’ best friends. They are easy to browse  thru slides but, if you analyze them, they can also be a potential issue. At operating system level, the wireless presenters are detected as a regular keyboard! Even if they have a limited set of keys, this means that they could potentially send any type of keystroke to the computer. That’s what investigated Niels. He focused on a well-know model from Logitech. Using USBee SX, he performed some reverse engineering to understand the protocol used to send data to the host. Once successfully done, he created his own wireless presenter based on an Arduino micro-controller. The demo was funny: Step one, search for available hosts with an USB remote control dongle. Select the right channel and just send your sequences of keystrokes. The demo used MetaSploit and VNCconnectback.exe to gain a remote access on the host. But a lot of other attacks could be easily performed: open sessions to other computer resources (FTP, SMB, etc), create user accounts. Nice research. What are the countermeasures to prevent this type of attacks? Of course, encryption and use specific protocols and not dumb keyboard codes.

After a coffee break, last talk of the day: FireShark. Today all websites are potential targets, even big names. In 2009, the amount of compromized websites increased by 225%! Fireshark project has been founded by Stephane Chenette. It was the same presentation has the one done during BlackHat Europe in Barcelona.

In parallel to the talks, lightning-talk sessions were organized, a CTF contest, lot of demos made by international hacker spaces. There was also a nice social engineering concept: Very nice “girls in black” trying to convince people to register on www.hitbjobs.com. Safe or not? 😉

The venue is very good. Wi-Fi coverage, coffee, sweeties, air-conditioning (mandatory with the current weather) and enough power cables! The HiTB team did a good job! After the official day, we went to the center of Amsterdam with some HiTB volunteers for a cool lunch.

If you want to follow the presentations and what’s happening “life”, follow the official Twitter hashtag: #hitb2010ams. Nice initiative from the organization: presentations are released on the website a few minutes after the talk (the material is available here). Stay tuned for the second day!