SecurityXploded Blog

SecTor 2011 – Exclusive Coverage of Final Day from Ground Zero

[Update by Silent Dream & James, who were our official media representatives at SecTor]


I was excited on Day Two of SecTor to finally meet Mikko Hypponen, the chief antivirus researcher at F-Secure. Mikko has worked in the security field for decades and has deep expertise in antivirus, malware and cybercrime. One highlight of his talk was a demo of the attack on RSA, which used a zero-day vulnerability in Adobe Flash to penetrate the company’s internal network. F-Secure researchers showed great persistence, spending half a year tracking down the particular file used in the attack.


The “sophisticated cyber attack”, as Mikko ironically noted, was a simple social-engineering email asking the user to open a file attachment. The attachment appeared to be a legitimate Excel file, but it carried a booby-trapped Flash object that exploited the zero-day vulnerability. The ultimate target of the attack was believed to be Northrop Grumman, which had deployed SecurID tokens across the company. Once RSA was compromised, SecurID was as well.


One of the more interesting talks I attended on Wednesday was given by Gunter Ollmann of Damballa. The talk covered Targeted and Opportunistic Botnet Building. Ollmann emphasized how easy it has become to be a cybercriminal: all it takes is Google and the ability to install software on your computer. Years ago a cybercriminal ran a one-man shop, but modern cybercrime is specialized and is nothing more than a business. A number of sophisticated exploit kits and online virus-scanning services are for sale, which help even technically lacking cybercriminals get their bots distributed and keep them undetected. As malware has evolved, sophisticated rootkits like TDSS now have Mac and mobile support, further enabling cybercriminals to spread their wares and profit.

Another fascinating talk was called How to Survive DDoS: The Play at Home Game. One thing I had always wondered was how to block DDoS attacks completely. Michael Smith explained that you don’t have to block every last piece of bad traffic, just enough of it to get your company back online and functioning. He covered many types of DDoS attacks (SYN floods, UDP floods, HTTP floods) and tools like Tor’s Hammer and Apache Killer. He then talked about various forms of mitigation for these attacks, such as BGP null routing, DNS CNAME redirection, reverse proxies, and the use of cloud hosting and massive scaling. There are various ways to detect an attack in progress, such as external monitoring, network capacity, local server response time, CPU load, and RAM usage. Smith was responsible for handling the Anonymous 2009 DDoS attack on PayPal and MasterCard during the Operation Avenge Assange incident. In many cases the DDoSers demanded protection money to stop the flood.

The talk on NFC (near field communication) quickly made it clear that this is a distinct technology, not an extension of RFID or similar. NFC is prominent in Android devices and is getting hype from Google’s virtual wallet, which will rely on the NFC protocol, so there is obviously much interest in the technology’s security guarantees. NFC tags will be capable of basic crypto calculations, but there is no requirement that information sent over the air be encrypted. The only guarantee is that 4cm is the maximum distance at which a communication link with another device or NFC tag can be established. In theory, once a link is created, 4cm is no longer the cut-off distance, which makes sniffing easier.


To set up NFC in a homebrew environment, the libnfc library is needed along with a few devices: a touchatag reader, a MIFARE DESFire EV1 (or similar), and an oscilloscope for 13.56 MHz. More information can be found at Mulliner.org and in the article “Practical Attacks on NFC Enabled Cell Phones”. Physical attacks on NFC tags are a large problem: simply cover a legitimate tag with a small piece of signal-blocking foil and place your own tag on top to skim data. The talk also pointed out a null pointer exception triggered by a malformed tag that is as yet unexploitable, and an interesting use of Android’s intent filters. Any Android app can register itself as capable of handling an intent, such as opening a map. If an NFC tag sends data under the map intent, the user has to choose which app handles the data, and with custom app icons a malicious app is indistinguishable from a legitimate one. The talk ended with an appropriate and catchy acronym, NFC: aNother Freaking attaCk vector.

All in all, there were some extremely interesting talks, and I wish I could have attended even more of them.  SecTor has been an outstanding conference, and I was privileged to be able to attend the event.


SecurityXploded was the official media partner of SecTor 2011, and it was our great pleasure to bring you detailed coverage of the event!
