CCC Congress

Season 29

64 episodes

Harm Reduction Methodology

Hackers are a high-risk population. This talk will provide hackers with tools to reduce the risk to themselves and their communities using harm reduction methodology.

Hacktivism, social networks, hacking’s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse and user risk situations all share one central tension: resolving ethical decisions around potentially harmful behavior.

At the same time, those who confuse information with advocacy perceive much of what we do – and discuss – as dangerous.

This talk will provide hackers with tools to reduce the risk to themselves and their communities. We’ll examine the similarities between extreme risk populations and the risk / harm situations hackers find themselves in – especially those with exceptional access, power or talent.

Importantly, I’ll explain how the controversial – yet effective – harm reduction model can be used specifically as a tool for at-risk hackers, and those faced with decisions that may result in perceived or actual harm.

The talk begins with an overview of harm reduction and its roots in reducing risk in European drug culture. We’ll also look at how it is currently used hands-on in the US by urban activists/educators/crisis volunteers such as myself to effectively educate and reduce risk in high-risk, typically underserved, populations.

Threaded throughout the talk is the idea that informed consent practices and the acceptance that harmful behavior is immutable can be effective tools to solve ethical decisions. Used on a wider scale, harm reduction in this light can be used to change the cultural conversation when black vs. white solutions (“just say no,” jailing those who publish information or “real names” policies) are unsuccessfully applied to complex problems (drug abuse, abusive use of information, using pse

29x5037 nougatbytes 10


Gebilde(r)ter Hirnsalat – die rhekkcüЯ der Bilderrätsel (Educated Brain Salad – the mirrored "Return" of the Picture Puzzles)

Well matured and with an improved recipe.

But still: two teams lounging on couches rack their brains, split hairs and free-associate against each other to untangle picture puzzles from the realms of IT, net society and computer science. (Hashtag: #Nougatbytes)

For the two rounds of NOUGATBYTES a total of four teams are needed. The two teams for the first round we want to recruit in advance. So if you feel like sharing your (brain) cells with us and taking the audience into laughing custody, gather in integer-sized groups of 3-5 people and send your application to

[email protected]

The deadline is in 41 minutes. ;)

Mitigating Timing Side Channels on the Web

In this year’s talk, I build on my 28c3 talk and present timing side channels from a defending viewpoint: How can one mitigate timing side channels? Aren’t random delays sufficient to prevent timing side channels in practice? What is the minimum size of random delays to be effective? Are there other delay strategies besides random delays that are more effective and efficient?

Timing side channels are vulnerabilities in software applications that leak sensitive information about secret values such as cryptographic keys. They differ from common intrusive vulnerabilities such as buffer overflows or SQL injection because the attacker sends normal-looking requests to the server and infers secret information just from the time it took to process the request. Timing attacks are becoming increasingly well understood by day-to-day penetration testers and in academia, breaking Web standards such as XML Encryption or helping to fingerprint Web Application Firewalls. At 28c3, I gave the talk “Time is on my Side”, which gave an overview of timing attacks, introduced a set of tools for timing attacks and explained practical timing attacks against real applications.


I am going to present the state-of-the-art of timing side channel mitigation. Furthermore, I show the results of a practical evaluation of the timing attack mitigations.
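The questions in the abstract (are random delays enough, how large must they be, is there something better) can be made concrete with a small simulation. The following Python is an added example, not the speaker's code or evaluation results. It models the classic leak, an early-exit byte comparison, with an assumed cost of one time unit per compared byte, and lets an attacker average many samples of the response time. Two mitigations are compared: a uniformly random delay, and deterministic "bucketing" that rounds every response up to a fixed time grid. The secret, the cost model and the delay sizes are constructed for the example; `hmac.compare_digest` is the real constant-time fix from the standard library.

```python
import hmac
import math
import random

# Abstract time units: UNIT is the assumed cost of comparing one byte.
UNIT = 1.0


def naive_compare(a: bytes, b: bytes) -> bool:
    """Early-exit comparison. Its running time grows with the length of the
    prefix on which a and b agree, which is exactly what a timing attack measures."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """The real fix: a comparison whose running time does not depend on the data."""
    return hmac.compare_digest(a, b)


def matching_prefix(a: bytes, b: bytes) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def naive_cost(secret: bytes, guess: bytes) -> float:
    """Modelled running time of naive_compare: one UNIT per loop iteration."""
    return UNIT * min(matching_prefix(secret, guess) + 1, len(secret))


def random_delay(cost: float, rng: random.Random, max_delay: float) -> float:
    """Mitigation 1: add a uniformly distributed delay in [0, max_delay].
    The noise has a fixed mean, so averaging enough samples cancels it."""
    return cost + rng.uniform(0.0, max_delay)


def bucket_delay(cost: float, rng: random.Random, bucket: float) -> float:
    """Mitigation 2: round the response time up to the next multiple of bucket,
    so every request that finishes inside one bucket is answered at the same time.
    A bucket larger than the worst-case cost makes the response time constant."""
    return math.ceil(cost / bucket) * bucket


def mean_response(secret, guess, delay, samples, rng):
    """Attacker side: average the response time of one request over many samples."""
    cost = naive_cost(secret, guess)
    return sum(delay(cost, rng) for _ in range(samples)) / samples


def timing_gap(secret, delay, samples, rng):
    """Mean response time for a guess with the correct first byte minus that for a
    guess with a wrong first byte. Without mitigation the gap is exactly one UNIT."""
    tail = b"\x00" * (len(secret) - 1)
    right = bytes([secret[0]]) + tail
    wrong = bytes([secret[0] ^ 0xFF]) + tail
    return (mean_response(secret, right, delay, samples, rng)
            - mean_response(secret, wrong, delay, samples, rng))


def recover_first_byte(secret, delay, samples, rng):
    """Brute-force the first byte: the slowest of the 256 candidates wins."""
    tail = b"\x00" * (len(secret) - 1)
    best_byte, best_time = 0, -1.0
    for c in range(256):
        t = mean_response(secret, bytes([c]) + tail, delay, samples, rng)
        if t > best_time:
            best_byte, best_time = c, t
    return best_byte


def run_demo(seed=29, samples=2000):
    secret = b"s3cr3t"  # constructed sample secret (no zero bytes, see tail padding)
    rng = random.Random(seed)
    with_random = lambda cost, r: random_delay(cost, r, max_delay=20 * UNIT)
    with_bucket = lambda cost, r: bucket_delay(cost, r, bucket=8 * UNIT)
    return {
        "gap_random": timing_gap(secret, with_random, samples, rng),
        "gap_bucket": timing_gap(secret, with_bucket, samples, rng),
        "recovered_random": recover_first_byte(secret, with_random, samples, rng),
        "recovered_bucket": recover_first_byte(secret, with_bucket, samples, rng),
        "expected": secret[0],
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:17s} {v}")
```

With 2000 samples per candidate the random delay of up to 20 units (20 times the leaked difference) is averaged away and the first byte is still recovered; the attacker's cost grows with the square of the delay, not linearly, so "large enough" random delays are expensive. Bucketing with a bucket above the worst-case cost yields a gap of exactly zero regardless of sample count, which is why the example's attacker cannot do better than guessing under it.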

29x5059 SCADA Strangelove


or: How I Learned to Start Worrying and Love Nuclear Plants

Modern civilization depends unconditionally on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From the network to the application, SCADA is full of configuration issues and vulnerabilities.

During our report, we will demonstrate how to obtain full access to a plant via:

a sniffer and a packet generator
FTP and Telnet
Metasploit and oslq
a webserver and a browser

About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed.

Releases:

modbuspatrol (mbpatrol) – free tool to discover and fingerprint PLC
Simatic WinCC security checklist
Simatic WinCC forensic checklist and tools
close-to-real-life attack scenario of a Simatic WinCC based plant

1. Intro
1.1 Who are we?
1.2 History of the research
2. Overview of ICS/SCADA architecture
3. SCADA network puzzle
3.1 Overview of protocols used in SCADA networks
3.2 Modbus overview
3.3 S7 overview
3.4 Modbus/S7 SCADA/PLC fingerprinting (release of mbpatrol, a free tool for PLC fingerprinting)
4. Who is Mister PLC?
4.1 Typical PLC architecture
4.2 Security and configuration issues
4.3 Coordinated disclosure of vulnerabilities in several PLCs
5. DEMO: Owning a plant with FTP and Telnet. During the demo, I will show how several vulnerabilities and configuration issues of a PLC can be used to get root access to the device, install a rootkit and manipulate something in the real world.
6. Miss SCADA
6.1 The place of the OS and DB in the security of the SCADA infrastructure
6.2 Simatic WinCC default configuration issues
6.3 Ways to abuse OS and DB vulnerabilities
6.4 Coordinated disclosure of several OS/DB WinCC vulnerabilities
6.5 Simatic WinCC security checklist
6.6 Simatic WinCC post-exploitation/forensics
7. Heavy weapon
7.1 SCADA/HMI application architecture (based on Simatic WinCC)
7.2 Client side in the SCADA network? (release of a client-side fingerprint tool for HMI software)
7.
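The Modbus overview and PLC fingerprinting items above (3.2 and 3.4) rest on one request that most Modbus/TCP fingerprinting starts with: Read Device Identification (function 0x2B, MEI type 0x0E), which returns the vendor name, product code and firmware revision as plain ASCII objects. The following Python is an added example, not the mbpatrol tool or any code from the speakers. It builds the request, builds a device-side reply so the exchange can be run offline, and parses replies including the exception response a PLC returns when it does not implement the function. The vendor and product strings in the sample reply are made up for the example; the frame layout (MBAP header, PDU, object encoding) is the standard Modbus/TCP one.

```python
import socket
import struct

MODBUS_TCP_PORT = 502
FUNC_ENCAPSULATED_INTERFACE = 0x2B   # "Encapsulated Interface Transport"
MEI_READ_DEVICE_ID = 0x0E            # MEI type: Read Device Identification
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id (always 0), length of unit id + PDU, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(transaction_id=1, unit_id=1, read_code=0x01, object_id=0x00) -> bytes:
    """Request PDU: function 0x2B, MEI 0x0E, ReadDeviceIdCode (0x01 = basic objects), first object id."""
    pdu = bytes([FUNC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    return mbap(transaction_id, unit_id, pdu)


def build_read_device_id_response(transaction_id, unit_id, objects, read_code=0x01, conformity=0x01) -> bytes:
    """Device side; used here only to construct a sample reply offline."""
    body = bytes([FUNC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, conformity,
                  0x00,          # more follows: no
                  0x00,          # next object id
                  len(objects)])
    for oid, value in objects.items():
        body += bytes([oid, len(value)]) + value
    return mbap(transaction_id, unit_id, body)


def split_mbap(frame: bytes):
    """Validate the MBAP header and return (transaction id, unit id, PDU)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return tid, unit, frame[7:]


def parse_read_device_id(frame: bytes) -> dict:
    tid, unit, pdu = split_mbap(frame)
    func = pdu[0]
    if func & 0x80:
        # Exception response; code 0x01 ILLEGAL FUNCTION means 0x2B/0x0E is not implemented,
        # which is itself a fingerprinting signal.
        return {"transaction_id": tid, "unit_id": unit, "exception": pdu[1]}
    if func != FUNC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification response")
    read_code, conformity, more, next_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, n = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + n]
        if len(value) != n:
            raise ValueError("truncated object value")
        objects[BASIC_OBJECTS.get(oid, "object_0x%02x" % oid)] = value.decode("ascii", "replace")
        pos += 2 + n
    return {"transaction_id": tid, "unit_id": unit, "conformity": conformity,
            "more_follows": more == 0xFF, "next_object_id": next_id, "objects": objects}


def query_device_id(host: str, port: int = MODBUS_TCP_PORT, unit_id: int = 1, timeout: float = 3.0) -> dict:
    """Live probe against a real device on TCP/502 (not used by the offline demo)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_read_device_id(transaction_id=1, unit_id=unit_id))
        data = s.recv(260)   # Modbus/TCP ADU is at most 260 bytes
    return parse_read_device_id(data)


def demo() -> dict:
    # Constructed sample reply; the vendor/product strings are invented for the example.
    reply = build_read_device_id_response(7, 1, {0x00: b"ACME PLC", 0x01: b"PLC-100", 0x02: b"V2.1"})
    return parse_read_device_id(reply)


if __name__ == "__main__":
    print(build_read_device_id(7, 1).hex())
    print(demo())
```

A single read of this kind is enough to tell a PLC from a gateway or HMI emulator and to pick the right follow-up checks; note that the protocol has no authentication, so the same unauthenticated socket that answers this query usually also accepts write requests.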

29x5085 everycook


Cooking gets digital

We know that cooking is an art. Selecting the ingredients, carefully washing, peeling and cutting them before you put them into the right dish at the right time with the right heat. Watching the food change its colour, form and consistency, seasoning it to develop its flavours and serving it on beautiful plates is a pleasure. For some, but not for all. Those who love cooking can spend hours at the stove and relax while preparing delicious meals. For others cooking is pure stress. What is the difference between orange and yellow carrots? Did I forget something? Is the pan hot enough? Or too hot? How long after the pasta do I start cooking the steak? Will it be healthy? Is it sustainable? So many questions appear once one starts to think about food. The answers are complicated and ambiguous. They require research and analysis. Many have stopped thinking about food. They just believe what is written on the package. "I can't cook" is such an easy answer. And it is accepted in our society. Nobody is ashamed of it. This gives more and more control to multinational corporations. Through precooked food and shiny commercials they calm our conscience and stimulate our laziness. The consequences are dramatic! The profit-focused approach of multinational corporations has led to things like:

• Patented genetically modified seeds. Lawyers suing farmers for copyright.
• Destruction of South American jungle to grow soya to feed European cows so they produce more milk, although a cow was never born to eat protein.
• Chickens that can't stand on their own feet due to the weight of their breasts. They will never see soil, worms or even sunlight.
• Orangutans losing their homes for palm oil.
• Vegetables being grown in the desert, wasting huge amounts of drinking water.

Conclusions:

• We must know more about our food.
• We have to cook more ourselves.
• That way we will recover some control over what we eat.

What is EveryCook?

Hardware We build our machi

You might remember Tamagotchi virtual pets from the 1990s. These toys are still around and just as demanding as ever! This talk covers my attempts to hack the latest Tamagotchis. Starting with the IR interface and moving down into the hardware, this presentation will discuss techniques for reverse engineering a device with limited inputs, computing power and debugging capabilities.

Recent Tamagotchis are more than just pets. They can talk to their friends over IR, support games on external ROMs and store generations worth of information about their ancestors. This talk goes through the different ways Tamagotchis can be tampered with through these channels, including making Tamagotchis rich and happy over IR, altering their states in persistent memory and writing custom games. It also goes through attempts to dump the Tamagotchi's code from ROM.

Considerations for the Connected Vehicle

To date, remote vehicle communications have provided little in the way of privacy. Much information and misinformation has been spread on what the system is and can do, especially within the information security community. The recent field trial in the US of a connected vehicle infrastructure raises the level of concern amongst all who are aware of existing privacy issues.

In this talk I will examine a current system high level design for North American vehicles, conforming to IEEE and SAE standards and used in a recent road test in Ann Arbor, Michigan, USA. I will consider privacy concerns for each portion of the system, identifying how they may be addressed by current approaches or otherwise considered solutions. I conclude with a discussion of the strategic value in engagement between the privacy community and automotive industry during development efforts and the potential community role in raising privacy as a competitive advantage.

I was contracted to do a privacy audit in July to identify aspects of the technology that would pose threats to users' privacy, as well as offering summaries of methods to partially or completely compromise the system. For this program to be successful, it must be accepted by the public since the benefits are derived from others' broadcasts. Good technologists realize that until the system is close to deployment in the field, none of the details mean that much unless you have real hardware. However, careful early consideration of the overall system design can identify and lead to solutions to information leaks that will compromise the user's ability to control their private information.

Von ACTA, IPRED und Freunden (Of ACTA, IPRED and Friends)

ACTA was the dominant topic of the second half of the year. ACTA was meant to take the privatisation of law enforcement a step further. What that means in concrete terms can already be seen abroad: network blocking, three-strikes systems and real-time surveillance of data traffic to combat copyright infringement. Existing models in other European states show that these measures raise considerable constitutional and data-protection problems.

But in Germany, too, we have the debate about the possible introduction of a warning-model two-strikes infrastructure as a first step in this direction. The problem: internet providers and hosters are thereby made judges and auxiliary police in one and the same person. This measure breaks an iron principle: the internet provider is not liable for the content it transports and is explicitly not supposed to concern itself with it.

The talk aims to give an overview of what is already running where and how. At the same time it aims to give insight into who the lobbies behind it are and which ideas they advance. And there is an outlook on the coming fights at EU and international level through IPRED2 and TPP, as well as side arenas such as Clean IT and the CEO Coalition.

29x5104 esxi beast


Exploiting VMware ESXi Binary Protocols Using CANAPE

This presentation will cover a demonstration of the new version of the Canape protocol analysis tool being released for Ruxcon. During the course of the presentation, various attack scenarios against the VMware ESXi binary protocol will be demonstrated using Canape.

The VMware ESXi protocol is a complex multi-layered protocol which transitions between many protocol states throughout a connection's lifetime. The protocol uses multiplexed frames, compression and encryption, all over a single TCP connection. The talk will discuss and outline serious weaknesses within the ESXi protocol and how these can be leveraged from within Canape.

During the talk, new features of Canape will be demonstrated live to show the audience how the tool can be used from traffic interception and initial protocol dissection through data injection and fuzzing and finally demonstrating full PoC exploitation all within Canape.

Presentation outline:

What is Canape
Examining the VMWare ESXi protocol
Demonstrating ESXi protocol interception
Intercepting the ESXi encryption
Data injection to brute force user credentials
Fuzzing ESXi
0day demonstration
Questions

Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the target traffic.

Canape is a network protocol analysis tool which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to network protocol testing. Canape provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers.

adventures in mobile paging

In recent years, mobile security and specifically GSM has been attacked in many different ways. It has been demonstrated how to sniff and crack traffic and how to impersonate a subscriber by placing a fake call, and the general security characteristics of this mobile protocol stack have been evaluated.

In this presentation, we will check out a part of the protocol procedures that hasn't been looked at yet, specifically Mobile Terminated services.

This talk is all about paging in GSM. How is a phone call or an SMS actually delivered to a phone? How do carriers locate your phone and transmit these services over the air? We will have a look at the related protocol procedures and more importantly, what could possibly go wrong. During the presentation, we will show new attacks based on mobile paging that can ultimately disrupt mobile telecommunication or even worse.

This action-packed lecture presents the inner workings of the author's from-scratch implementation of a USB Mass Storage disk in user-land Python, along with some embarrassing bugs in operating systems that support such disks. The lecture concludes with an introduction to Active Antiforensics, in which a thumbdrive's own firmware can recognize and defend itself against disk imaging and other forensic tools.

USB is a lovely little conduit into the deepest parts of the kernel. Drivers are made to speak complicated protocols in hastily written C, leaving a goldmine of bugs and unexplored behaviors for a crafty attacker to exploit. This lecture will show how a USB Mass Storage device was implemented from scratch in user-land Python for the Facedancer board. Along the way, we'll take a look at how to abuse a number of bugs in kernels, automounters, filesystems, and forensic utilities, all of which are easily confused. As an example application of these techniques, the culmination of this lecture presents a prototype disk that actively resists forensics, wiping itself to an innocent state whenever it detects disk imaging, undeletes, access by the wrong operating system, or the presence of a write blocker.
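The "active antiforensics" idea above hinges on the firmware seeing every SCSI command the host issues and classifying the access pattern before it answers. The following Python is an added example, not the speaker's Facedancer implementation. It decodes SCSI READ(10) commands (the standard CDB layout: opcode 0x28, a 4-byte big-endian LBA, a 2-byte transfer length) and applies one detection heuristic that is an assumption of this example: an imaging tool such as dd reads the device as one unbroken sequential run from LBA 0, whereas a mounted filesystem reads scattered extents. Once the run covers a set fraction of the device, the simulated disk replaces its contents with zeros (the "innocent state" chosen here; the talk's prototype may use a different trigger and a different decoy). The device image and command streams are constructed for the example.

```python
import struct

READ_10 = 0x28
BLOCK_SIZE = 512


def parse_read10(cdb: bytes):
    """Decode a SCSI READ(10) CDB: byte 0 opcode 0x28, bytes 2-5 big-endian LBA,
    bytes 7-8 big-endian transfer length in blocks."""
    if len(cdb) < 10 or cdb[0] != READ_10:
        raise ValueError("not a READ(10) CDB")
    (lba,) = struct.unpack(">I", cdb[2:6])
    (length,) = struct.unpack(">H", cdb[7:9])
    return lba, length


def build_read10(lba: int, length: int) -> bytes:
    """Host side; used to construct sample command streams offline."""
    return bytes([READ_10, 0x00]) + struct.pack(">I", lba) + b"\x00" + struct.pack(">H", length) + b"\x00"


class AntiforensicDisk:
    """Block device whose firmware watches the read pattern. Heuristic (an assumption
    of this example): an imager reads the device as one unbroken sequential run
    starting at LBA 0; a mounted filesystem reads scattered extents. Once the run
    covers trigger_fraction of the device, the contents are replaced with zeros."""

    def __init__(self, image: bytes, trigger_fraction: float = 0.05):
        if len(image) % BLOCK_SIZE:
            raise ValueError("image is not a whole number of blocks")
        self.blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
        self.trigger_blocks = max(1, int(len(self.blocks) * trigger_fraction))
        self.run = 0            # blocks read in the current sequential run from LBA 0
        self.next_lba = None    # LBA that would continue that run
        self.wiped = False

    def _observe(self, lba: int, length: int) -> None:
        if lba == 0:
            self.run = length                       # a run can only start at LBA 0
        elif self.run and lba == self.next_lba:
            self.run += length                      # contiguous continuation
        else:
            self.run = 0                            # any seek breaks the run
        self.next_lba = lba + length
        if self.run >= self.trigger_blocks and not self.wiped:
            self.wiped = True
            self.blocks = [b"\x00" * BLOCK_SIZE] * len(self.blocks)

    def handle(self, cdb: bytes) -> bytes:
        """Serve one READ(10); detection runs before any data is returned."""
        lba, length = parse_read10(cdb)
        self._observe(lba, length)
        if lba + length > len(self.blocks):
            raise ValueError("read past end of device")
        return b"".join(self.blocks[lba:lba + length])


def make_sample_image(total_blocks=2048, secret_lba=1000, secret=b"the evidence") -> bytes:
    """Constructed device image: zeros except for one block holding the sample payload."""
    image = bytearray(total_blocks * BLOCK_SIZE)
    image[secret_lba * BLOCK_SIZE:secret_lba * BLOCK_SIZE + len(secret)] = secret
    return bytes(image)


def run_pattern(disk: AntiforensicDisk, commands) -> bytes:
    return b"".join(disk.handle(build_read10(lba, n)) for lba, n in commands)


def demo() -> dict:
    secret = b"the evidence"
    # Filesystem-style access: boot sector, some metadata, the file's block, more metadata.
    fs = AntiforensicDisk(make_sample_image(secret=secret))
    fs_data = run_pattern(fs, [(0, 1), (64, 8), (1000, 1), (1536, 4)])
    # Imager-style access: 64-block chunks from LBA 0 to the end of the device.
    img = AntiforensicDisk(make_sample_image(secret=secret))
    img_data = run_pattern(img, [(lba, 64) for lba in range(0, 2048, 64)])
    return {"fs_saw_secret": secret in fs_data, "fs_wiped": fs.wiped,
            "imager_saw_secret": secret in img_data, "imager_wiped": img.wiped}


if __name__ == "__main__":
    print(demo())
```

The trigger fires after the second 64-block chunk here (5% of a 2048-block device), long before the imager reaches the payload, so the image file contains only zeros while ordinary filesystem access is unaffected. The same heuristic will misfire on any full sequential scan (a backup job, an antivirus sweep), which is the inherent trade-off of defending a device by guessing the intent behind its reads.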
