Post Thu Feb 21, 2008 9:57 am

Blackhat 2008 DC Day 1

Since Chris gates is here too I will just dump some of my notes from the sessions I sat in.... I would also like to add that the presentations from BlackHat are normally added online free after the con. As for day one I have fun and I must say the RFID talk was the best!

Ok here is my notes dump (forgive any bad grammar or mis-spellings)

---------------------------------------------
Black Hat 2008 DC Opening Keynotes
The holy Grail of Online Fraud
Jerry Dixon; Director, Analysis
jd@cymru.com
Team Cymru

((Side note we have over 22 countries here at BlackHat this year))

Talk cover electronic crimes and trends in Internet fraud.

Holy Grail refers to money, identity, or valuable data.

Corporate insider info leaks and competitor data theft.

Botnet and Malware quality is very good and the people behind it are not trying to make a name for them self’s, but now just focusing on money and ways to extract money form businesses and people.

A lot of companies claim they have critical infrastructure is on separate networks but in the end they may have other services like VoIP or building security systems linking there critical networks to they local LANs & WANs.

A lot of the data loss is due to insider’s maliciously sharing the data or making the holes in the networks.

He listed a map of malicious traffic sources and most of the hot zones where ISP’s for home internet service like DSL & Cable modem services.

Malware list of common known Malware in the wild was tested against the top AV products and on average on 37% of the Malware was found by the top AV software.

Trojans provide a lot of personal data that allows identity theft very easy and a good number of people have there important documents scanned on the computer like birth certs, SS cards/numbers, Tax info, and much more that would allow a cracker steel your id.

Botnet techniques are changing from the old IRC to P2P, fast flux, VM Adware, Trojans, rooted zombies, and many more sources (even hardware devices like routers or CPE can run botnet firmware).

Storm???  Storm warm has 11.5 million IP associated with it.

((Russian Business network was talked about a lot))

Online bank account username and ID theft is too easy if there is not 2 factor authanacation.
Businesses in a lot of cases do not have dedicated Security Operations groups to monitor or respond to issues on the network. Other issues are lack of Cyber literate lawyers or legal staff to tackle issues because the federal and local law agencies are over worked and slow to respond if they do at all.

In the end the internet is international and our laws normally do not apply.

• Security Misconceptions
• But I use NAT
• I block everything inbound
• Our AV keeps us safe
• We’ve got a good FISMA grade
• We have a firewall

Next speaker:

Andy freed
Special Agent Treasury (IRS)
Treasury Inspector General for Tax Administration

Phishing:

• First IRS Phishing site appeared in 2003
• Second Phishing site in 2004
• Wave of phishing began 11/27/2005

Targeting the IRS brand

• Better Business Burial  Malware
• 419 schemes
• Vishing/Pretext calls
• Storm/Rock Phish Malware
• Threats
• eFile
• Tax Rebate scams


Once you find a piece of Malware it’s best to send it to the AV vendors to make sure it’s added to there database.

PerTexting of federal organizations to prove there identity and using spoofed caller ID to earn your trust then getting you to give out your personal info or money.

-------------------------------------------

Wireless Hacking & Cracking on GSM Networks
Steve
Davd Hulton

Encryption used in GSM networks:
A 5/1 Strong
A 5/2 Weak

In this talk to was discussed that the encryption on GSM is at best flawed. The strongest encryption used in GSM (A 5/1) was broken in 1998 and not been updated since. The encryption is based on 2 known keys (one on the sim and the other in the provider’s database).

The speakers showed how the cracking of GSM worked and also explained how to sniff the traffic plus other flaws in how the keys on the sim card are stored in plain-text. Another thing that was mentioned was the fact you could buy a GSM reader for around $1USD (plus $10 shipping china). The tactics to crack the A 5/1 is based on word list, rainbow tables, & brute force. A 5/1 is similar to a LM hash with it’s way of a one way hash but it is 64 bits.

He talked a lot on the use of rainbow tables and how to generate tables. Some of the info he discussed on rainbow tables was not 100% accurate but the basics where correct so I did not feel inclined to challenge him in a packed room with about 20 extra people standing in the back.

They did a demo on how to generate a rainbowtable and explained how the indexes are made. He explained that table generation on a FPGA’s is around 600 times fasted than on a standard PC.

They also claimed to be releasing the tables publicly to crack GSM (tables will crack it with in 30 minutes) there faster tables they are making but they (crack 30 seconds) will be sold for commercial customers.

Once you crack the key with the table it will allow you to listen to 16 calls or SMS’s before you will have to crack the next generated key since the session is key is normally used about 16 times.

Writing in this is hard because there is a lot of factor discussed on how to extract the correct hash to decrypt the data.

They showed a live demo of a GSM stream being cracked with there customer rainbowtables.

End notes… GSM is not secure and needs to be! The GSM network is very large and needs to be secured ASAP.
-----------------------------

RFIDIOts
Adam Laurie
Adam(at)algroup.co.uk
Work: The Bunker

What he dose? (he is from the UK)  His worries are some of the newer laws in the UK that say is you make a tool (computer program) that is used in a crime you could also be liable.

He discussed a hotel stay he had and the info from the safe manufactures website whiles showing a video on him breaking into the safe with a leatherman and a paper clip.

RFID really dose not use RF….. The chip or tag is passive and the reader powers it and allows it to send it’s info to validate the info.

Distance is an issue with RFID because of the fact the reader has to power the RFID tag and at distances the SNR can be problematic.

RFID (Dumb vs. Smart) cards

Dumb RFID

• Animal ID
• Hotel Keys
• Car Immobilizers
• Ski passes
• Goods labels
• Luggage handling
• Vending
• Human implants

Unique ID
Cannot be cloned (claims)

Unique ID?
RFID can be cloned http://cq.cx/vchdiy.pl

Manufactures reply to the clones “These “clones” do not have the same form factor and are therefore not true clones”

Other Manufactures replies to the cloned issue is legal and patent threats to the maker of a clone device.

The Challengs:

Create a “true” clone

• Same ID
• Same form factor

Understand the ID and how it works…
Animal tagginf is covered by stabdards ISO
Reader & tag will communicate Frequency
125/134 khz – dumb
13.56 Mhz – smart RFID
Country codes are IOS stdandart or manufactures codes.

Multi- Format Transponders

Q5


Sending the ID

Clone Trovan “Unique” Tag

-Access Control System

Clone ISO 11784 “Animal” TAG (FDX-B)

- Cow Implant

-VeriChip paperweight


RFID tag readers can come in a USB format that allows you to get the ID off of the tag in peroration of reloading a new RFID tag.

Smart RFID

Passports:

- 48 items of data
- -finger print
- -face image
- -brith cert
- -home address
- -visas
- -contact info
- -SS #

Pseudo random UID
- -cannot determine presence of specific passwort without authentication

Strong Authentication
- basic access control
- *3DES

Content Encryption
- Extended Access Control










In his demos he proved he could clone many different type of tags from similar RFID’s the in the end he was able to make perfect clones. He also showed how to read a UK passport and all the info in it. He also showed and explained how you can decode a passport with out seeing it buy educated uses some of the key and brute forcing the rest of the key.

Interesting issue is that you can target RFID holder or passport holder with terrorist  attacks by key info form the passports transmission even if the data is random how the data is sent can ID what country issued the passport. This could allow targeting of passport holder from cretin countries.

Credit card RFID info may also be hacked of cloned so the possible impact could be big.
Example: you walk by some one with a reader and now they have your Passport info, Credit card info, and possible history from your passport on where you have been. In this case not only has your identity been stolen but your Passport, credit card, and other critical info has been stolen and you would have never known.




http://rfidiot.com 
---------------------------

Thats about All I was able to get note on due to my laptop not having the best battery and the lack of power plugs in the cramped rooms.

Brian
aka Slimjim100
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP