
CCC Congress

All Episodes 2013 - 2014

  • Ended
  • 2013-12-27T00:00:00Z
  • 1m
  • 12m (12 episodes)
Duplicate: Use "Chaos communication congress" (id: 265316) instead.

254 episodes

Port-Scanning large networks can take ages. Asking yourself how much of this time is really necessary and how much you can blame on the port-scanner, you may find yourself integrating your own scanner into the Linux kernel. Or at least we did. How fast a port-scan can be is largely dependent on the performance of the network in question. Nonetheless, it is clear that choosing the most efficient scanning-speed is only possible based on sufficient information on the network's performance. We have thus designed and implemented a port-scanning method which provokes extra network-activity to increase the amount of information at our disposal in an attempt to gain speed in the long run. Further tweaking the actual implementation by integrating it into the Linux kernel left us with a port-scanner ready to tackle big networks at an impressive speed. The presentation will also include thoughts and motivations why we decided to work on topics that are largely considered done by the community and why such considerations may be interesting to other researchers.

There have been many publications on the topic of Stuxnet and its "sophistication" in the mainstream press. However, there is not a complete publication which explains all of the technical vulnerability details and how they were discovered. In this talk, you will get a first-hand account of the entire story. We will discuss various techniques used in analyzing Stuxnet. First, we will share several tricks that were used to quickly identify the vulnerabilities. Second, we describe the thought processes that went into debugging and triaging the vulnerabilities themselves. Finally, we show some tips that you can use if you feel like decompiling stuff for fun.

28x4777 r0ket

  • no air date1m

28x4869 tresor

  • no air date1m

28x4897 keynote

  • no air date1m

Harm Reduction Methodology Hackers are a high-risk population. This talk will provide hackers with tools to reduce the risk to themselves and their communities using harm reduction methodology. Hacktivism, social networks, hacking’s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse and user risk situations all share one central tension: resolving ethical decisions around potentially harmful behavior. At the same time, those who confuse information with advocacy perceive much of what we do – and discuss – as dangerous. This talk will provide hackers with tools to reduce the risk to themselves and their communities. We’ll examine the similarities between extreme risk populations and the risk / harm situations hackers find themselves in – especially those with exceptional access, power or talent. Importantly, I’ll explain how the controversial – yet effective – harm reduction model can be used specifically as a tool for at-risk hackers, and those faced with decisions that may result in perceived or actual harm. The talk begins with an overview of harm reduction and its roots in reducing risk in European drug culture. We’ll also look at how it is currently used hands-on in the US by urban activists/educators/crisis volunteers such as myself to effectively educate and reduce risk in high-risk, typically underserved, populations. Threaded throughout the talk is the idea that informed consent practices and the acceptance that harmful behavior is immutable can be effective tools to solve ethical decisions. Used on a wider scale, harm reduction in this light can be used to change the cultural conversation when black vs. white solutions (“just say no,” jailing those who publish information or “real names” policies) are unsuccessfully applied to complex problems (drug abuse, abusive use of information, using pse

29x5037 nougatbytes 10

  • no air date1m

(Picture-)Educated Brain Salad – the nruteЯ of the Picture Puzzles Well matured and with an improved recipe. But still: two teams lounging on couches rack their brains, split hairs and free-associate against each other to untangle picture puzzles from the realms of IT, the networked society and computer science. (Hashtag: #Nougatbytes) A total of four teams are needed for the two rounds of NOUGATBYTES. We want to recruit the two for the first round in advance. So if you feel like sharing your brain cells with us and taking the audience into laughing custody, gather in integer-sized groups of 3-5 people and send your application to [email protected] The deadline is in 41 minutes. ;)

Mitigating Timing Side Channels on the Web In this year’s talk, I tie in with my 28c3 talk and present timing side channels from a defending viewpoint: How can one mitigate timing side channels? Aren’t random delays sufficient to prevent timing side channels in practice? What is the minimum size of random delays to be effective? Are there other delay strategies besides random delays that are more effective and efficient? Timing side channels are vulnerabilities in software applications that leak sensitive information about secret values such as cryptographic keys. They differ from common intrusive vulnerabilities such as Buffer Overflows or SQL-Injection because the attacker sends normal-looking requests to the server and infers secret information just from the time it took to process the request. Timing attacks are getting increasingly well understood by day-to-day penetration testers and in academia, breaking Web standards such as XML Encryption, or helping to fingerprint Web Application Firewalls. At 28c3, I gave the talk “Time is on my Side”, which gave an overview of timing attacks, introduced a set of tools for timing attacks and explained practical timing attacks against real applications. I am going to present the state of the art of timing side channel mitigation. Furthermore, I show the results of a practical evaluation of the timing attack mitigations.

29x5059 SCADA Strangelove

  • no air date1m

or: How I Learned to Start Worrying and Love Nuclear Plants

Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities. During our report, we will demonstrate how to obtain full access to a plant via:

  • a sniffer and a packet generator
  • FTP and Telnet
  • Metasploit and osql
  • a webserver and a browser

About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed.

Releases:

  • modbuspatrol (mbpatrol) – free tool to discover and fingerprint PLC
  • Simatic WinCC security checklist
  • Simatic WinCC forensic checklist and tools
  • close to real life attack scenario of a Simatic WinCC based plant

  • Intro
      • 1.1 Who we are?
      • 1.2 History of research
  • Overview of ICS/SCADA architecture
  • SCADA network puzzle
      • 3.1 Overview of protocols used in SCADA networks
      • 3.2 Modbus overview
      • 3.3 S7 overview
      • 3.4 Modbus/S7 SCADA/PLC fingerprint (release mbpatrol - free tool for PLC fingerprint)
  • Who is mister PLC?
      • 4.1. Typical PLC architecture
      • 4.2. Security and configuration issues
      • 4.3. Coordinated disclosure of vulnerabilities in several PLC
  • DEMO. Owning plant with ftp and telnet. During demo, I will demonstrate how several vulnerabilities and configuration issues of PLC can be used to get root access to the device, install rootkit and manipulate something in real world.
  • Miss SCADA
      • 6.1. Place of OS and DB in security of SCADA infrastructure
      • 6.2. Simatic WinCC default configuration issues
      • 6.3. Ways to abuse OS and DB vulnerabilities
      • 6.4. Coordinated disclosure of several OS/DB WinCC vulnerabilities
      • 6.5. Simatic WinCC security checklist
      • 6.6. Simatic WinCC postexploitation/forensic
  • Heavy weapon
      • 7.1. SCADA/HMI application architecture (based on Simatic WinCC)
      • 7.2. Clients-side in SCADA network? (release of client-site fingerprint tool for HMI software)
      • 7.

29x5085 everycook

  • no air date1m

Cooking gets digital We know that cooking is an art. Selecting the ingredients, carefully washing, peeling and cutting them before you put them into the right dish at the right time with the right heat. Watching the food change its color, form and consistency, seasoning it to develop its flavors and serving it on beautiful plates is a pleasure. For some, but not for all. Those who love cooking can spend hours at the stove and relax while preparing delicious meals. For others cooking is pure stress. What is the difference between orange and yellow carrots? Did I forget something? Is the pan hot enough? Or too hot? How long after the pasta do I start cooking the steak? Will it be healthy? Is it sustainable? So many questions appear if one starts to think about food. The answers are complicated and ambiguous. They require research and analysis. Many have stopped thinking about food. They just believe what is written on the package. "I can't cook" is such an easy answer. And it is accepted in our society. Nobody is ashamed of it. This gives more and more control to multinational corporations. Through precooked food and shiny commercials they calm our conscience and stimulate our laziness. The consequences are dramatic! The profit-focused approach of multinational corporations has led to things like:

  • Patented genetically modified seeds. Lawyers suing farmers for copyrights.
  • Destruction of South-American jungle to make soya to feed European cows so they make more milk. Although a cow was never born to eat proteins.
  • Chickens that can't stand on their own feet due to the weight of their breasts. They will never see soil, worms or even sunlight.
  • Orangutans losing their homes for palm oil
  • Vegetables getting grown in the desert, wasting huge amounts of drinking water.

Conclusions:

  • We must know more about our food
  • We have to cook more ourselves
  • So we will recover some control over what we eat

What is EveryCook? Hardware We build our machi

You might remember Tamagotchi virtual pets from the 1990's. These toys are still around and just as demanding as ever! This talk covers my attempts to hack the latest Tamagotchis. Starting with the IR interface, and moving down into the hardware, this presentation will discuss techniques for reverse engineering a device with limited inputs, computing power and debugging capabilities. Recent Tamagotchis are more than just pets. They can talk to their friends over IR, support games on external ROMs and store generations worth of information about their ancestors. This talk goes through the different ways Tamagotchis can be tampered with through these channels, including making Tamagotchis rich and happy over IR, altering their states in persistent memory and writing custom games. It also goes through attempts to dump the Tamagotchi's code from ROM.

Considerations for the Connected Vehicle To date, remote vehicle communications have provided little in the way of privacy. Much information and misinformation has been spread on what the system is and can do, especially within the information security community. The recent field trial in the US of a connected vehicle infrastructure raises the level of concern amongst all who are aware of existing privacy issues. In this talk I will examine a current system high level design for North American vehicles, conforming to IEEE and SAE standards and used in a recent road test in Ann Arbor, Michigan, USA. I will consider privacy concerns for each portion of the system, identifying how they may be addressed by current approaches or otherwise considered solutions. I conclude with a discussion of the strategic value in engagement between the privacy community and automotive industry during development efforts and the potential community role in raising privacy as a competitive advantage. I was contracted to do a privacy audit in July to identify aspects of the technology that would pose threats to users' privacy, as well as offering summaries of methods to partially or completely compromise the system. For this program to be successful, it must be accepted by the public since the benefits are derived from others' broadcasts. Good technologists realize that until the system is close to deployment in the field, none of the details mean that much unless you have real hardware. However, careful early consideration of the overall system design can identify and lead to solutions to information leaks that will compromise the user's ability to control their private information.

Of ACTA, IPRED and Friends ACTA was the dominant topic of the second half of the year. ACTA was meant to continue down the path of privatizing law enforcement. What that means in concrete terms can already be seen abroad: network blocking, three-strikes systems and real-time monitoring of data traffic to combat copyright infringement. Existing models in other European countries show that these measures raise considerable fundamental-rights and data-protection problems. But in Germany, too, we have the debate about the possible introduction of a warning-model two-strikes infrastructure as a first step in this direction. The problem: internet providers and hosting companies are thereby made judges and auxiliary police officers rolled into one. This measure breaks an ironclad principle: the internet provider is not liable for the content it transports and is expressly not supposed to concern itself with it. The talk aims to give an overview of what is already happening in which countries, and how. At the same time, the talk aims to give insight into who the lobbies behind this are and what ideas they represent. And there is an outlook on the coming battles at EU and international level over IPRED2 and TPP, as well as side arenas such as Clean IT and the CEO Coalition.

29x5104 esxi beast

  • no air date1m

Exploiting VMWARE ESXi Binary Protocols Using CANAPE This presentation will cover a demonstration of the new version of the Canape protocol analysis tool being released for Ruxcon. During the course of the presentation various attack scenarios against the VMWare ESXi binary protocol will be demonstrated using Canape. The VMWare ESXi protocol is a complex multi-layered protocol which transitions between many protocol states throughout a connection lifetime. The protocol uses multiplexed frames, compression and encryption all over a single TCP connection. The talk will discuss and outline serious weaknesses within the ESXi protocol and how these can be leveraged from within Canape. During the talk, new features of Canape will be demonstrated live to show the audience how the tool can be used from traffic interception and initial protocol dissection through data injection and fuzzing and finally demonstrating full PoC exploitation all within Canape.

Presentation outline:

  • What is Canape
  • Examining the VMWare ESXi protocol
  • Demonstrating ESXi protocol interception
  • Intercepting the ESXi encryption
  • Data injection to brute force user credentials
  • Fuzzing ESXi
  • 0day demonstration
  • Questions

Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the target traffic. Canape is a network protocol analysis tool which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to network protocol testing. Canape provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers.

adventures in mobile paging In the last years, mobile security and specifically GSM has been attacked in many different ways. It was demonstrated how to sniff and crack traffic, how to impersonate a subscriber by placing a fake call and the general security characteristics of this mobile protocol stack have been evaluated. In this presentation, we will check out a part of the protocol procedures that hasn't been looked at yet, specifically Mobile Terminated services. This talk is all about paging in GSM. How is a phone call or an SMS actually delivered to a phone? How do carriers locate your phone and transmit these services over the air? We will have a look at the related protocol procedures and more importantly, what could possibly go wrong. During the presentation, we will show new attacks based on mobile paging that can ultimately disrupt mobile telecommunication or even worse.

This action-packed lecture presents the inner workings of the author's from-scratch implementation of a USB Mass Storage disk in user-land Python, along with some embarrassing bugs in operating systems that support such disks. The lecture concludes with an introduction to Active Antiforensics, in which a thumbdrive's own firmware can recognize and defend itself against disk imaging and other forensic tools. USB is a lovely little conduit into the deepest parts of the kernel. Drivers are made to speak complicated protocols in hastily written C, leaving a goldmine of bugs and unexplored behaviors for a crafty attacker to exploit. This lecture will show how a USB Mass Storage device was implemented from scratch in user-land Python for the Facedancer board. Along the way, we'll take a look at how to abuse a number of bugs in kernels, automounters, filesystems, and forensic utilities, all of which are easily confused. As an example application of these techniques, the culmination of this lecture presents a prototype disk that actively resists forensics, wiping itself to an innocent state whenever it detects disk imaging, undeletes, access by the wrong operating system, or the presence of a write blocker.

30x5210 Bullshit made in Germany

  • 2013-12-28T00:00:00Z1m

The technical problems of De-Mail could be solved by legal means, and for e-mail, too, German providers will soon be implementing security standards from the nineties. For "the cloud" as well, the BSI has a fine standard ready – without encryption, of course. What would we need that for in Schlandnet anyway?

30x5307

  • no air date1m

30x5311

  • no air date1m

30x5337

  • no air date1m

30x5339 The Year in Crypto

  • 2013-12-28T00:00:00Z1m

This was a busy year for crypto. TLS was broken. And then broken again. Discrete logs were computed. And then computed again. Is the cryptopocalypse nigh? Has the NSA backdoored everything in sight?

30x5348

  • no air date1m

30x5356

  • no air date1m

30x5360

  • no air date1m

30x5377 Überwachen und Sprache

  • 2013-12-27T00:00:00Z1m

The talk presents advanced linguistic methods of politically motivated internet monitoring. It gives no instructions on how to effectively evade surveillance, because that is futile anyway.

30x5387

  • no air date1m

30x5415

  • no air date1m

30x5423 The Tor Network

  • 2013-12-27T00:00:00Z1m

Roger Dingledine and Jacob Appelbaum will discuss contemporary Tor Network issues related to censorship, security, privacy and anonymity online.

30x5447 Policing the Romantic Crowd

  • 2013-12-27T00:00:00Z1m

This talk considers the use of new technology to police large crowds in the Romantic period. We examine ethical aspects of modern surveillance technologies by looking at debates around crowd control and face recognition in the age that first imagined, and reflected on, the surveillance state.

30x5468

  • no air date1m

30x5476

  • no air date1m

30x5477

  • no air date1m

The news of the past few years is one small ripple in what is a great wave of culture and history, a generational clash of civilizations. If you want to understand why governments are acting and reacting the way they are, and as importantly, how to shift their course, you need to understand what they're reacting to, how they see and fail to see the world, and how power, money, and idea of rule of law actually interact.

30x5497

  • no air date1m

30x5509

  • no air date1m

30x5527

  • no air date1m

30x5529

  • no air date1m

30x5533

  • no air date1m

30x5536

  • no air date1m

30x5537 Glass Hacks

  • 2013-12-28T00:00:00Z1m

A one hour technical lecture that covers everything from machine learning and AI to hardware design and manufacture. Includes demonstrations of applications enabled by an always-on image capturing wearable computer. You'll leave with a clear understanding of the field's status quo, how we got here, and insight into what's around the corner.

30x5544

  • no air date1m

30x5554

  • no air date1m

30x5566

  • no air date1m

30x5601

  • no air date1m

Although people around the world are becoming increasingly aware of the United States' global geography of surveillance, covert action, and other secret programs, much of this landscape is invisible in our everyday lives.

30x5610

  • no air date1m

30x5611 Hello World

  • 2013-12-28T00:00:00Z1m

USB DeadDrops, IRL map marker in public, FUCK 3D glasses or How to vacuum form a guy fawkes mask. I will present an extensive overview of my art projects from over the last 10 years including the Fake Google car by F.A.T. and moar!! It all started here at the CCC congress! :))

30x5613

  • no air date1m

30x5622

  • no air date1m

At Fort George "Orwell" Meade, home of the NSA and the US Defense Information School, managing the message of Chelsea Manning's trial was facilitated by a lack of public access to most of the court filings and rulings until 18 months into her legal proceeding.

31x6561 31C3 Opening Event

  • 2014-12-27T00:00:00Z1m

Speakers: erdgeist, Geraldine de Bastion
