Fighting Organized Cybercrime, by Thomas X. Grasso: He showed the CarderPlanet movie and ShadowCrew's slick, professional ads for Mafia-style organized credit card brokers. Dumps are where they drop the files of stolen card data; these are then processed to change the addresses so items can be ordered and shipped to drop sites.

For more, see Cybercriminals taking cues from Mafia

Trusted Computing, by Bruce Potter: Vista requires TPM (Trusted Platform Module) 1.2; the Apple MacBook has 1.1. TPM will make many good things possible, such as a signed kernel, signed boot routine, and signed apps, so you could start your computer and know with great confidence that you don't have a rootkit. He works with the Shmoo Group, and has several research projects with students, including a Firefox extension that encrypts email.

Hacking Malware, by Valsmith & Danny Quist: They use disassembly, reverse engineering, and exploit generation to use evil to fight evil. Many malware items share common code, and they find security flaws in that code and hack it. They demonstrated how to write a denial of service exploit you could use to stop a worm from spreading over your own LAN, and a buffer overflow exploit you can use to get root on an infected box, stopping the worm. They also showed how the Dasher worm detects VMware, and if it is inside a VM, crashes the VM by opening many command prompts. For more, go to offensivecomputing.net. They also have a database of downloadable malware and malware analysis, a highly controversial service, because you do not have to prove you are a 'good guy' to download the malware.

Old Skewl Hacking: Magstripe Madness, by Major Malfunction: He bought a commercial device that can read and write magstripes, and used it to clone hotel room keys and other such items. His boarding pass, like the hotel room key, had all the info unencrypted and in an obvious pattern, so he could upgrade his seat easily; but to update it in the database, he'd have to inject SQL. He also made a computer-controlled electromagnet implanted in a credit card, and used it to successfully take an audience member's credit card, change the name to his, and keep all the credit information intact. He also showed how a product named Magnasee makes magnetic stripe data visible. Modern products that do the same thing are Qview, and 3M has one that is cleaner, like tape, named Magnaview.

A Hacker's Guide to RFID Spoofing and Jamming, by Melanie Rieback: A passive RFID tag responds with a very weak signal, 90 dB below the reading power. To handle many tags at once, the scheme uses 16 time divisions, chosen by XORing a tag's ID value with a pseudorandom value sent out by the scanner. If two or more tags respond in the same time division, there is a collision, so both tags must retransmit. The RFID Guardian she built acts like an RFID firewall by jamming the particular time division that corresponds to tags you don't want read. This could be used to implement an authentication firewall with a Guardian-aware RFID scanner that would only permit authorized scanners to read your RFID tag. She showed the Baja Beach Club, a bar that only lets people into a special area after they have had subdermal RFID tags implanted. For more info, see rfidvirus.org.
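As an added illustration (not code from the RFID Guardian project), this simulates the slotted anti-collision scheme as described above, plus a Guardian that hears the scanner's pseudorandom value and jams only the slots of the tags it protects; tag IDs are constructed sample values. It also exposes a consequence of the slot rule as stated: two IDs that agree in their low 4 bits land in the same slot every round, so an unprotected tag with that property is shadowed along with the protected one.

```python
import random

SLOTS = 16  # time divisions per round, as described in the talk


def slot_for(tag_id, rnd):
    """Slot a tag answers in: (tag ID XOR scanner's pseudorandom value) mod 16."""
    return (tag_id ^ rnd) % SLOTS


def always_share_slot(a, b):
    """With this rule, two IDs share a slot in every round iff they agree mod 16."""
    return (a ^ b) % SLOTS == 0


def run_inventory(tag_ids, protected, seed=1, max_rounds=32):
    """Simulate the reader until every unprotected tag is read or max_rounds pass.
    Returns (set of IDs read, rounds used). The Guardian jams the slot of every
    protected tag; a tag is read only when it answers alone in an unjammed slot."""
    rng = random.Random(seed)
    pending, read = set(tag_ids), set()
    for rounds in range(1, max_rounds + 1):
        rnd = rng.getrandbits(32)                        # scanner's broadcast value
        jammed = {slot_for(t, rnd) for t in protected}   # Guardian hears rnd too
        by_slot = {}
        for t in pending:
            by_slot.setdefault(slot_for(t, rnd), []).append(t)
        for s, tags in by_slot.items():
            if s in jammed or len(tags) > 1:
                continue                                 # jammed or collided: retransmit
            read.add(tags[0])
            pending.discard(tags[0])
        if pending <= set(protected):
            return read, rounds
    return read, max_rounds


# Constructed sample tag IDs; low nibbles are all distinct, so they never collide.
SAMPLE_TAGS = [0x1000, 0x1001, 0x1002, 0x1003, 0x1005, 0x1008]

if __name__ == "__main__":
    print(run_inventory(SAMPLE_TAGS, {0x1003}))
    # 0x1013 agrees with the protected 0x1003 mod 16, so it is shadowed and never read
    print(run_inventory(SAMPLE_TAGS + [0x1013], {0x1003}))
```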

IPv6 World Update: IPv6 seems to be poorly defined, not agreed on in all nations, not useful for American businesses, and not likely to be implemented soon. Some other nations have a serious lack of IP addresses, but not the USA. When IPv6 is implemented, all the equipment will have to support both IPv6 and IPv4 at the same time, with conversions and emulations, so the attack area will increase.

802.1x Networking: An authentication scheme using RADIUS servers that can be used for either wired or wireless. Better than WPA, I think.

Black Ops 2006, Dan Kaminsky: He showed a nice way to visualize code: break it up into 32-bit words, then calculate a difference measure between words, such as the number of bits that changed. One code string is the X axis and the other is the Y axis. This makes it possible to visualize patterns in huge sections of code. One easy app is to compare two versions of the same software: a wavy diagonal line shows the places that did not change, and the breaks show inserted new code. He also pointed out the insecurity of online banking login sites, and humiliated them so publicly that one banking rep there said she would fix it. He recommended to all computer security students that they take psychology: we hack computers, they hack us. He devised a scheme to replace SSH fingerprints with 5 names of married couples, which are far easier for humans to remember.
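The comparison described above, as an added example rather than Kaminsky's own tool: both inputs are split into 32-bit words, every pair of words is scored by Hamming distance, and the matrix is printed as a dot-plot so that an unchanged region shows up as a diagonal of matches. The sample inputs are constructed; the "new" version is the "old" one with two words inserted, which breaks the diagonal into two runs offset by the insertion size.

```python
import struct

WORD = 4  # compare 32-bit words, as in the talk


def words(data):
    """Split bytes into little-endian 32-bit words, zero-padding the tail."""
    data += b"\x00" * ((-len(data)) % WORD)
    return [w for (w,) in struct.iter_unpack("<I", data)]


def hamming(a, b):
    """Difference measure: number of bit positions that differ between two words."""
    return bin(a ^ b).count("1")


def distance_matrix(x, y):
    """matrix[i][j] = Hamming distance of word i of x (X axis) vs word j of y (Y axis)."""
    xw, yw = words(x), words(y)
    return [[hamming(a, b) for b in yw] for a in xw]


def render(matrix, threshold=0):
    """ASCII dot-plot: '#' where two words match within threshold, '.' elsewhere."""
    return "\n".join("".join("#" if d <= threshold else "." for d in row)
                     for row in matrix)


def diagonal_runs(matrix, min_len=2):
    """Runs of exact matches along diagonals, as (row, col, length). Inserted
    code splits one long diagonal into two runs; the column shift is the insert size."""
    rows, cols = len(matrix), len(matrix[0])
    seen, runs = set(), []
    for i in range(rows):
        for j in range(cols):
            if matrix[i][j] != 0 or (i, j) in seen:
                continue
            n = 0
            while i + n < rows and j + n < cols and matrix[i + n][j + n] == 0:
                seen.add((i + n, j + n))
                n += 1
            if n >= min_len:
                runs.append((i, j, n))
    return runs


# Constructed sample: NEW is OLD with two words inserted after the fourth word.
OLD_WORDS = [0x11111111, 0x22222222, 0x33333333, 0x44444444,
             0x55555555, 0x66666666, 0x77777777, 0x88888888]
NEW_WORDS = OLD_WORDS[:4] + [0xDEADBEEF, 0xCAFEBABE] + OLD_WORDS[4:]
OLD = struct.pack("<%dI" % len(OLD_WORDS), *OLD_WORDS)
NEW = struct.pack("<%dI" % len(NEW_WORDS), *NEW_WORDS)

if __name__ == "__main__":
    print(render(distance_matrix(OLD, NEW)))
```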

Fun with 802.11 Device Drivers, Johnny Cache: 802.11 is far too complex, leaving lots of room for exploits. He used fuzzing (random packet generation) to find flaws in device drivers, and by using 3 NICs to control a fuzzing attack and record it, he isolated and analyzed an exploit in a USB Wi-Fi adapter for the Mac. Using this he gained a remote kernel-level shell on a Mac from a PC. This is a scary thing: it applies to all OSes, and firewalls and antivirus won't stop it. It's not a process; it takes over the kernel. Apple is working on doing something about it, but no easy cure is forthcoming. The video is online here.

Kiosk Security, Peleus Uhley: He defeated Windows 2003's Software Restriction Policy by downloading a modified CMD that has a different hash, from freshmeat. JuJu Jiang installed a keylogger on public computers at 13 Kinkos locations to collect data customers put in, and kept it there for 2 years, even though the security technique used by Kinko's at that time was to completely reimage the workstations every week.

DNS Amplification Attacks, Randal Vaughn & Gadi Evron: a DNS request can be made recursive, and a DNS record can also have a large text file attached to it. Verisign was attacked using these features, in an exploit that involved using a botnet to send DNS requests to a set of thousands of DNS servers that just forwarded the queries on to Verisign's DNS servers, amplified by 700 times. So an attack that was originally only 90 MBps bandwidth turned into a 2.2 GBps attack on Verisign. This is a dangerous, powerful exploit and there is no known way to patch it or to defend against it, because all the companies with default-configured routers would have to reconfigure them, and they would gain nothing of direct, immediate value to themselves from that. Here's the paper.

Secrets of the Hollywood Hacker, by Johnny Long: A very funny talk explaining and defending hacker language used in Hollywood movies.

Traffic Analysis Panel, Jon Callas, Raven Alder, Riccardo Bettati, Nick Mathewson: Traffic analysis is studying the pattern of packets that flow through a network without examining the data inside them. Encrypting packets does not stop traffic analysis. Intrusion Detection Systems use traffic analysis. One advantage of traffic analysis is that it reduces the amount of data, which makes it possible to examine huge amounts of traffic. The bad guys are already using it -- organized crime, government spying, data miners.

Timing analysis allows you to break SSH, and also to identify machines. By just counting packets, Ricardo was able to determine who was downloading from whom even when the packets were sent through a naive mix network -- this technique is called Blind Source Analysis.

Authorship Analysis is a technique used to link authors of malware by finding similarities in the code used in two different malware products. Earlybird uses from-to patterns to find worms without using signatures, merely from address spread information. This is a heuristic anti-malware process.

Tor has about 200,000 users, but MixMedia has only 100 or 200. TCP has a high time footprint, making it easy to track TCP traffic through such a mix network. But a precise rating is not clear -- this is a new area of research, and there is not even a metric to measure the difficulty of traffic analysis. It is difficult to perform traffic analysis legally, because you need informed consent from the users. DEFCON is one network for which such traffic analysis would probably be possible.

There is a website with downloadable loyalty card barcodes, like Safeway cards, for you to print and apply to your loyalty card, to avoid leaving a trail.

EFF v. AT&T: Cindy Cohn, Kevin Bankston, Kurt Opsahl, Jason Schultz: The Bush administration has admitted a "limited" program of wiretaps on the phone and Internet networks called the Terrorist Surveillance Program. But according to the whistleblower from whom EFF got its data, AT&T gave the NSA complete access to all their phone and Internet traffic without proper search warrants. Therefore EFF sued AT&T for taking this apparently illegal action. This was done in San Francisco by inserting a splitter into the fiber optic trunk, and also in other locations, 15-20 total. Well over half of its total traffic was routed to the NSA.

Wiretaps require warrants. The Foreign Intelligence Surveillance Act (FISA) limits wiretaps even when the President authorizes them for National Security. Such wiretaps must be approved by a special secret FISA court. The government has already tried to have the case dismissed using State Secrets privilege, but failed, because the details of the wiretap are not needed for the case against AT&T -- all that is required is the fact that taps took place, which the government has already admitted, and information about what authorization was given for them.

There is a bill before Congress, the Specter-Cheney Compromise, that would move all legal challenges against AT&T to the secret FISA court. EFF strongly opposes this bill -- see eff.org.

How the FBI uses NLP on YOU, Brad Smith: NLP is Neuro-Linguistic Programming. Each person has a favored modality -- visual, auditory, or tactile, or smell/taste. They also have a preferred speed of speech. These things are analogous to the protocol and baud rate in a computer link. If you wish to communicate with a person, you must first listen to them and detect the correct modality and speed, then speak in that manner to them. If done correctly, you will see indications that the person is at ease and accepting you as their leader. This is how cops interrogate people, and how other successful social engineers operate. He recommends the book Blink: The Power of Thinking Without Thinking by Malcolm Gladwell.

For more info:

Official DEFCON Speakers List

DEFCON Wrapup