Domain: blackhat.com
Stories and comments across the archive that link to blackhat.com.
Comments · 200
-
Hmmm... what could you do with this?
Searching Google on "skype reads BIOS" turns up some scary hits.
The first is to a Blackhat conference.
The second details how multiple BIOS profiles can be stored on some Asus motherboards:
"ASUS O.C. Profile
The motherboard features the ASUS O.C. Profile that allows users to conveniently store or load multiple BIOS settings. The BIOS settings can be stored in the CMOS or a separate file, giving users freedom to share and distribute their favorite overclocking settings."
Be afraid. Be very afraid. -
Re:Open VoIP Clients are Safer
Open VoIP Clients are Safer
Yes they are. And good ones are already available. You can now use OpenWengo as an alternative to Skype - it's GPL'ed code and uses a standard protocol (SIP), making it interoperable with most VoIP software. Except Skype.
Skype is a closed-source minefield of terrifying security holes just waiting to be stumbled upon by black hats and exploited for the usual reasons. It's a ready made peer to peer infrastructure that always uses encrypted communications, just waiting to be made into a botnet. Some security holes have already come to light - check this presentation out. A decade of security problems with Internet Explorer might seem tame in comparison to the problems that could emerge from Skype. -
Re:What are your experiences? Wengo links.
Skype + Free software - Proprietary crap = Wengo
I really like Wengo. I started using it recently when I had to call home from a laptop and discovered that Skype didn't work properly with the laptop microphone. Apparently Skype's ALSA implementation isn't quite right yet - shame no-one else can fix it. Wengo worked well, even though both endpoints were behind NAT.
I installed it from Debian testing (yes, it's THAT free). Call quality was excellent and it seems to cope reasonably well with lag spikes.
Skype is a potential minefield of terrifying security holes too. If I was a corporate IT administrator I think I'd ban it from the company - it can't be audited for safety or effectively monitored for problems. Check out this article - http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf -
Re:Is there a risk?
If a program can do this, could a virus or trojan do this as well?
Well, yes... but this wouldn't necessarily achieve anything. There must be something running inside the firewall already. However, if security holes exist in Skype, then a firewall will not protect Skype users from remote attacks. There is a fascinating article on this subject:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
In short, security holes in Skype would allow the creation of a massive Skype-based botnet that would communicate through traffic that couldn't be distinguished from normal Skype chatter. The article also contains many fascinating descriptions of reverse engineering obfuscated code. -
Re:Digital Persona works very well.
Yes, the company I worked for was in the financial industry and was worried about "lifted" fingerprints.
We tried lifting user fingerprints with many types of materials and none we tried could fool the sensor.
Don't confuse Digital Persona's reader with Microsoft's reader. Yes, the sensor is the same, but Microsoft does not recommend using their product to secure sensitive systems, due to the lack of encryption in the USB data stream. This makes Microsoft's reader vulnerable to a replay attack.
A detailed analysis can be found here.
I suspect Digital Persona and Microsoft have an agreement to remove the encryption features from the MS product to prevent MS from competing with Digital Persona.
-ted -
Not why you think...
The reason Microsoft does not recommend using their fingerprint reader to secure business data is that the data stream between Microsoft's reader and the PC is not encrypted. This makes the device vulnerable to a "replay" attack. Even so, a replay attack requires local access to the machine to capture the USB data streams.
A detailed analysis of this can be found here.
This security feature was removed due to an agreement between Digital Persona and Microsoft.
If you want business grade security, you must pay up for the Digital Persona product. Both sets of readers are remarkably resistant to "fake" fingerprints placed on the sensor. -
Re:Writing-low-level-assembly female?
Actually, it's a well-known fact in Poland that Mrs. Rutkowska is a transvestite. Just a few years ago her/his name was Jan K. Rutkowski, and guess what? He also was a security researcher interested in Windows rootkits. This is one of his/her old presentations at Blackhat:
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-r2.pdf -
Please check out the BluePill presentation
Check out the BluePill presentation here:
http://blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf
Basically the whole thing about it being able to subvert the OS is based on an inherent security problem in the way Vista handles direct block access. This is just basic OS architecture. If the OS won't load anything but signed drivers but will still allow anyone to write anything to the swap area, then that's just an insecure OS. Because even if it wasn't some virtualization thing that was getting loaded, then page file modification would be a wonderful attack vector for lots of other stuff.
Unfortunately the media has focused way too much attention on the "virtualization" part of this stunt, but reporters were probably not smart enough to understand that the blue pill thing actually exploits an intrinsic weakness of Vista (and she hasn't really made an effort to dispel that -- on the contrary, she's claimed from day 1 that the exploit isn't based on any OS flaw or weakness, which left me scratching my head until I finally got my hands on her presentation and discovered this part of the claim is bull). Fortunately for MS, though, it seems that they have smart engineers because, as she admits in the article referred to in the Slashdot summary, they've made the page file out of reach. She, though, continues to think that this is somehow the wrong answer (as she hints in her presentation) ... Clearly _real_ OS design and security aren't her specialty. -
Gateway to go after malware developers?
I think the limitation on Virtual Machines is in direct response to the Blue Pill malware presentation [PDF] at SyScan this year. One of the core ideas for bypassing Vista's security was to throw the OS into a Virtual Machine. Maybe this move is step towards having legal grounds against malware authors who attempt that route and get caught? Of course, IANAL, but it's still an interesting thought.
-
Re:Already broken by Blue Pill
-
Already broken by Blue Pill
The kernel mode signed driver restriction has already been broken by Blue Pill. Full details are in the Black Hat presentation, but the basic gist is you force a driver (e.g. null.sys) to be swapped out to disk, overwrite a function in the copy in swap with your own code, then call that function. And now you're executing unsigned code in kernel space.
-
Skype reverse engineered (March 2006)
-
Re:Not a hardware bug.. it modifies the pagefile
No.. The Blue Pill refers to creating undetectable malware using AMD's Secure Virtual Machine extensions (aka Pacifica) on AM2 based processors.
In short, what happens is that the malware enables Virtual Machines in the CPU by setting the SVME bit in the MSR EFER register, and puts the OS into a VM. It is then able to hook into all layers of the OS using the VM hypervisor, which controls all processing before the OS can. It doesn't need to install any files and depending on the extents that the malware author goes to hide itself against timing analysis (1:15 difference in execution latency when in VM mode vs native mode), it's pretty darn undetectable.
The question becomes, how do you get this malware to be loaded in the first place? The answer (what the OP is about) is to use raw disk access to the pagefile. By VirtualAlloc()'ing a shitload of RAM and causing all unused drivers to be paged to disk, you can edit the pagefile where those code bits have been swapped to inject malicious code. As far as I can tell, this is the part that the original post is about, not the "Blue Pill" (the AMD VM hack). In all likelihood, MS will disable these critical parts of the kernel from being pageable at all to mitigate this issue (it's already a registry option).
AMD Virtual Machines Ref: http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/24593.pdf
Joanna's paper should be available here in about two weeks or so.
-
Re:Tapping
There's another possibility (other than getting hold of the Skype keys by whatever method).
See "Silver Needle in the Skype", Biondi & Desclaux, Blackhat Europe 06 presentation
From the slides:
"Skype voice interception:
You are Skype Inc.
- You are the certificate authority
- You can intercept and decrypt session keys
- Job's done.
You are not Skype Inc.
- Build your own Skype Private Network
- Lure your victim into using your modified Skype version
- You can decrypt and intercept session keys
- Job's done.
"
And yes, these messieurs disassembled Skype too, found a heap overflow and lots of other tidbits.
The PDF of the slides is on the web, well worth a read for anyone interested.
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf (PDF)
T Stjernefeldt -
Re:Meanwhile...
Wrong black hat, though yeah, that could have been phrased better.
-
*laughs*
Bit of a clarification...they mean this sort of Black Hat.
-
Re:The internet is not fragile, its abused
Shouldn't we be creating and deploying self-immunizing tools in our infrastructure that detect these boxes and quarantine them?
We already do. They are referred to as Nematodes. The primary paper on them is available online: http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Aitel.pdf
I maintain some of these for my internal network. Difficult to code, but when you get it (and I haven't yet, I have just coded some well) they are awesome for security.
Also handy to do automatic analysis of open ports, and alerting etc. The world is your oyster, and these help prevent people stealing your pearl. -
Slight change
I'm going to revoke the force with which I said that. I've read a few links and it seems like MITM attacks are more broadly defined than the impression I had. HOWEVER, I stand by it to the point that usually a MITM attack is what I said:
Wikipedia lists eavesdropping as a possible MITM attack, but also says "MITM is typically used to refer to active manipulation of the messages, rather than passively eavesdropping."
Both Network Security by Kaufman, Perlman, and Speciner, and Computer Security: Art and Science by Bishop define MITM as the more narrow definition I gave.
A Blackhat conference paper defines it more broadly, but includes my definition and doesn't include eavesdropping. -
Re:network security - not really
You'd be surprised how easy it is to tap a fiber without interrupting service. You still need to strip the jacket and buffer, but once the core is exposed simply bending it will cause enough leakage to detect the data flow with an optical pickup placed against the core. There are commercial clip-on taps. You will introduce some attenuation, but most fiber equipment won't notice any attenuation unless the receive power gets too low. It would take an OTDR to find such a tap. http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-gross-up.pdf Still much harder than copper, but not impossible. -
Re:I hope they nail him to the wall!
It's not -a- black hat conference. It's -the- Black Hat USA conference. It's a (quite expensive) conference designed to train security professionals on issues relevant to securing the nation's network infrastructure.
More information here. Blowing the whistle here is roughly equivalent to sending the info to US-CERT except that US-CERT probably doesn't allow whistle-blowing against a vendor....
-
Re:torrent of the original CD
-
The (removed) PDF is still available...
Just removing the link... isn't that security by obscurity?
;-)
http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Lynn.pdf -
Re:Google Hacking?
If you are in Vegas this week, you can meet/get books signed by Johnny Long on July 28 at 12:30PM http://www.blackhat.com/html/bh-usa-05/bh-usa-05-schedule.html Or, at DEFCON on July 30 at 8:00PM http://www.defcon.org/html/defcon-13/dc13-schedule.html -
What about encryption atop it...
First, the idea that the recovery software is worthless because the user will wipe the drive ignores the idea that the thief may boot the OS to try to steal sensitive data. The real value of such warez is the chance that you will recover or disable the system. I've been looking into the option because I have careless people who carry gigs of sensitive data on their laptops and who could lose it. Cyberangel (http://www.sentryinc.com/) adds file encryption / locking to the idea, stuffbak is not software based but offers a reward for return of not just laptops (http://www.stuffbak.com/stuffBakAdmin/) and others offer a similar service. Some insert the tool in the form of a root kit (http://blackhat.com/html/bh-usa-05/bh-usa-05-schedule.html) that might be difficult to detect and delete. Obviously hardware is preferred. Recovery is not the key, the real key is information leak prevention. I just use sysinternals boot logoing to set my windows craptop to show the CIA logo on boot. Geek Marine -
Help support the EFF [was:EFF is great!]
When supporting the EFF in words, how about with funding? There is theSummit 2005, on Thursday July 28, 2005 in Las Vegas...
At the end of Black Hat and the beginning of DEFCON this year is theSummit 2005 - bringing together DEFCON & Black Hat speakers from past/present, as well as well known names in the computer security world. We all come together in a small, private venue for the evening summit to meet and discuss the important topics and socialize.
Note that there will be no more than 200 tickets sold (including featured guests), and all proceeds go to the Electronic Frontier Foundation [http://www.eff.org/] with the sponsor covering event overhead.
theSummit is our gathering of BlackHat / DefCon speakers and big thinkers in the Information Security realm. Anyone interested in supporting the EFF is highly encouraged to attend; meet with fellow Information security professionals, and talk with big thinkers from the Information security world in a more private and informal setting. Too many times people want to ask questions, or have ideas that cannot make it to the big thinkers. This is either because of time conflicts or they are nervous to come up and talk. This event plans to pull out the stops, and allow the free form of conversation to flow.
The Electronic Frontier Foundation [http://www.eff.org/] is a nonprofit group of passionate people -- lawyers, technologists, volunteers, and visionaries -- working to protect our digital rights.
Where: Ice House Lounge, 650 S. Main Street, Las Vegas, Nevada
When: Thursday July 28, 2005, 9:00PM - 12:00AM
Tickets: $30 (pre-sale) $40 (at the door, if available) All Ages welcomed!
For more information, and to purchase tickets for the event:
http://www.dc702summit.org/home/
Event is sponsored by the Hackajar Foundation, and by the members of DEFCON 702.
We all hope to see you there!
(as posted in the Livejournal DEFCON community [http://www.livejournal.com/community/defcon_defcon/323.html]) -
Ian Clarke Comment
I'm attending Black Hat this year and I read an interesting post from Ian Clarke, the creator of FreeNet, on their website. It seems like he was in the midst of creating a truly dark and searchable P2P client. I guess the supreme court will hold him liable now. Here's a link to the posting: http://www.blackhat.com/html/bh-blackpage/bh-blackpage-2005.html I'm definitely going to attend his talk at Black Hat to see what else he has to say about this ruling. -
Re:lured?
-
Re:Uh
After reading the review of Dan Farmer and Wietse's Forensic Discovery, you should hear about The Grugq, who got fired from @stake after writing a Phrack article in which he exposed numerous flaws in The Coroner's Toolkit by Dan & Wietse. Before you read this book, check out the video (bittorrent) of The Grugq on The Art of Defiling and see how to defeat "industry grade" forensic tools and techniques. You can also meet him at a hacker convention near you (in March at BCS2005 in Jakarta, in April at Black Hat in S'pore and Amsterdam, and at HITB2005 Bahrain).
-
Talk about anti-forensics and get fired!
I wish people would talk about the work of The Grugq, who got fired from @stake after publishing an article in Phrack Magazine. He will be talking in Jakarta, Indonesia at BCS2005 in March, and at Blackhat Singapore and Amsterdam in April (and he will probably never speak in the USA because he embarrasses and ridicules the profession and ... the FBI). -
Lukas Grunwald's Blackhat pres. + Linux tools!
Lukas Grunwald did an excellent presentation at BlackHat USA 2004 about this very subject.
The most interesting thing that I learned was that almost all RFID tags have a 128 byte "user data" buffer that can be read or written by ANY RFID gate. (I.e.: you can put an RFID interface on your laptop and query the tags and change the "user data" portion on them.)
Obviously, this means that any application that is sensitive to tampering should only use the hard-coded serial numbers, not the "user data" area... but history has told us how well people stick to "common sense" security practices in their implementations.
His paper and the Linux tool that allows you to query and change the data are located here: http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html (scroll down to Lukas Grunwald under "Layer 0"). -
Dreamcast as a physical trojan
Remember the stories (wired et altera) about turning a Dreamcast into an inconspicuous sniffing device?
DC Phone Home (ppt, rtsp only).
Great.
/graf0z. -
done...
I have implemented such a system and am presenting on the subject of Cryptographic Port Knocking @ BlackHat this year!
Check out the abstract @ http://www.hexi-dump.org/bytes.html -
How can it be ANYTHING but this?
Since, as we all know, hackers are all computer invading, bandwidth stealing, DMCA violating, evil geeks that live in their mother's basement, it has to be this:
Right?
-
This is an Evil Plot by RIAA blackhats
Jones says that he has yet to damage any of his discs or players with his pioneering work, but warns that the technique does crash CD players on computers because the software cannot cope.
This is an obvious attempt by RIAA blackhats to get everyone to buy new CDs while simultaneously destroying computer CD-RW. Time to grep for a good lawyer.
-
Re:Does it really work
Exactly what I thought. I imagine things like inlining and other compiler optimisations might confuse things further.
I looked through the talk slides in PDF, and they discuss some of the approaches. I think the tool works, but it has some limits. From what I can tell, the tool disassembles a binary and identifies the basic blocks (the longest pieces of code that must run from start to finish, so they start on a labeled statement or after a branch/jump/call instruction and end before a labeled statement or branch/jump/call instruction), and establishes a control graph, indicating which basic blocks invoke which other basic blocks. Some types of known unsafe instructions can be identified, and the tool back tracks through the basic blocks looking to see how inputs are manipulated to these instructions, and what the triggers might be. Some graph analysis tricks are done, and they can back track up to 64 levels (I don't know if they mean instructions or basic blocks). This kind of tool sounds very useful to me. Consider the following scenarios:
- Suppose you work for a software customer that has large exposure in the event of a security compromise (e.g. stock market/bank/medical data/social security numbers/military data). They want to limit their risk exposure. They can now check binaries for some known vulnerabilities before they are deployed and make detailed reports to their vendors. They may be able to cancel contracts with vendors who deliver code that is shown to be unsafe, or they may make passing these tests a precondition to acceptance, or they could work with the vendor and release detailed reports to them so they can fix the problems.
- Imagine you are a software vendor, and you have the source code to your project. You can usually compile extra symbol table information in for debugging, so that you can map data and instruction locations back to source code.
I do agree that source code analysis tools may be informative, but if you have cross language development or have to link to libraries that you don't have the source for, this sort of tool could be really helpful.
-
Ripped off free stuff & now selling it ... :-(
The stuff presented is hardly new. Halvar Flake presented IDC scripts to analyze binaries in a similar (if not better) fashion in 2000 ... does it really take three years to rip an idea?
Presentation Amsterdam 2000
Presentation Vegas Spring 2001
Presentation Vegas Summer 2001
Furthermore, there's a free sourceforge project which has all of BugScan's features plus some more:
http://sourceforge.net/projects/bugscam
So what's up with re-announcing old work in a pretty new dress? And if there's a free alternative, why announce a commercial variant on slashdot without mentioning the free one? -
Presentation slides
You can get the slides of his presentation here:
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-hoglund.pdf -
Foundstone busted? Good...
Now, maybe I can get a discount on their Ultimate hacking class at the Black Hat Briefings. Heheh..
-
This sort of thing was inevitable
Searching for bugs and researching the exploitation of same pays off in the following ways:
It can be interesting and it improves one's ability to read, write, and understand code.
Doing so in a public forum can create reputation capital for one's consulting services or products. In some cases it may lead to employment.
Some folks are truly motivated by the desire to see vendors patch their software. This is sometimes a result as well.
The companies involved in the OIS have already established their reputation. They aren't doing this for fun. It is to their advantage to prevent others from competing with them. The idea here is to keep interesting research and discussions closed while charging naive corporations thousands of dollars to attend talks which provide little to no real information.
Look, the goal here is to make money and that is noble and good. In order to do this people shouldn't just give away all of their hard work and research. The problem here is that these guys are protecting their bottom line under the guise of Internet Safety. It is a bit disgusting but I think it might be irrelevant in the long run. Since SecurityFocus is part of this plan though, I bet the mailing lists over there will be short lived. Oh well, nothing lasts forever.
Dave Aitel makes some rather lucid observations.
-
Re:Trustworthy Computing?
If you think that was good, wait and see what happens at Black Hat.
Incidentally, even being linked to in a /. comment has increased my web traffic a hundredfold in 45 minutes - not sure how much longer my DSL will cope... -
Non Obvious Relational awareness
Anyone at Blackhat last year and happen to see the presentation at lunch on Non Obvious Relational Awareness?
This was a truly scary demonstration of this kind of technology being used by private industry, namely casinos, to track relationships between people.
Real stream available at: rtsp://media-1.datamerica.com/blackhat/bh-usa-02/video/BH-USA-02-JEFF-JONAS.rm -
Silly article, sensationalism and slim facts
Jon Littman wrote an interesting book about Kevin Mitnick entitled The Fugitive Game. In it he partly addresses the situation of an FBI informant and not-so-l33t hax0r, Kevin Poulsen. 100 to 1 this is the same l33t hax0r. Way back in the day--1990--Poulsen was described as not very l33t:
Their UNIX expertise was not high....I got the feeling these were guys not used to thinking in terms of multiuser systems, not being alert to the fact that "who"s and "ps"s casually invoked by someone else could expose them.
Now I grant you that 13 years is a lot of time for someone to change and learn to abandon stupid sensational media tactics. But look at the substance of the linked slashdot article: "I wrote a rootkit for Windows, I'm cool, and I ran a script kiddie workshop so lots of people can do it! By the way, I screwed up the old code. But the new ones the evil hax0rs will make will be really bad... So hire me as a consultant!" ...um, yeah, right. -
Re:Probably more protection than WEP
Yup. Ian Goldberg gave a very interesting presentation on cracking WEP at BlackHat Vegas this year. None for me, thanks.
I'm inclined to agree with you that Disney couldn't possibly be dumb enough to rely on WEP alone, but then I wouldn't have thought ETrade was stupid enough to put their login credentials in a cookie vulnerable to cross-site scripting attacks either. -
Mandatory Access Controls
They are one of the requirements of a Trusted OS