The full archive of slides and white papers from this year has been posted too.
It looks like it’s time to update our event list. Here are some hacking related events happening through the rest of the year.
- ToorCon September 26-28 San Diego, CA – In its tenth year, ToorCon has always been one of our favorites. The conference is fairly small, but features great content like last year’s fuzzing talk.
- Arse Elektronika (NSFW) September 25-28 San Francisco, CA – Happening the same time as ToorCon, this conference covers the sexual side of human and machine interaction. The device list has gems like The Seismic Dildo, which only turns on if there is seismic activity in the world.
- Maker Faire October 18-19 Austin, TX – It’s Maker Faire! In Texas!
- Roboexotica December 4-7 Vienna, Austria – The premier festival for cocktail robotics is also back for the tenth time. They’re always looking for more exhibitors. Check out our Hackit for ideas.
- 25C3 December 27-30 Berlin, Germany I think we pretty much covered all the bases on this incredible conference yesterday.
Did we miss anything?
Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.
The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.
The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.
Which is a better method for finding vulnerabilities, fuzzing or static-code analysis? The question will be put to the test at next month’s Black Hat USA conference, where two experienced
hackers security researchers will be given a piece of mystery code and one hour to find all the vulnerabilities they can using one of the two methods. [Charlie Miller] from Independent Security Evaluators will use fuzzing and [Sean Fay] from Fortify Software will use static-code analysis to detect the vulnerabilities in the code. We reported on [Miller]‘s fuzzing talk while at Toorcon 9.
The pair will be allowed to use their own equipment, but they won’t see the code until the moment the showdown begins. For an added bit of fun, conference attendees are welcome to join in the contest. The audience member who finds the most exploits within the hour wins a free dinner at a new Las Vegas restaurant. But you don’t have to wait until then to weigh in; go ahead and post your thoughts on fuzzing vs. static-code analysis in the comments, just be ready to back up your claims.
The second ToorCon Seattle got off to a quick start last Friday with a round of Lightning Talks at the Public Nerd Area. Each talk was limited to 5 minutes and covered a broad range of topics. Some talks were just supplying a chunk of information while others were a call to action for personal projects. Here are a few of the talks that we found interesting.
I’m attending ToorCon Seattle Beta this weekend. Today was a single track made up of 20 minute talks. ToorCon is really best in breed when it comes to hacker conferences. Highlights follow:
Beetle, from the Shmoo, opened the conference with WiFight Club. Of course, by me mentioning that, you’re officially in WiFight Club. This will eventually become a competition that is summarized best with the phrase: “Faraday Cage Match”. He mentioned interesting projects like GNU Radio and others. I really want to see where this goes. It looks like a lot of fun.
Rodney Thayer’s talk on credit cards boiled down to this: everyone worries about internet security when doing online transactions, but that doesn’t really matter since the credit card company security policies are garbage.
Now that the CCC is over, we finally dug ourselves out of a ginormous pile of cables (Kabelsalat ist gesund!) to bring you this round up post about the best stuff from the last two days of the con.
First up on day 10 was I See Airplanes!, Eric Blossom’s excellent speech on creating hardware for making homebrew radars and software using the GnuRadio project. He uses bistatic passive receivers in the 100 MHz range doing object detection using other peoples’ transmitters. The project has a lot yet to accomplish including the use of helical filters (if there are any antenna freaks reading this, contact Eric, he’s looking for a bit of help).
Next on the third day we attended Ilja van Sprundel‘s huge fuzzing extravaganza. Fuzzers generate bad data that is designed to look like good data and will hopefully break something in an interesting way. Our fav part? When the list of irc clients broken by his ircfuzz tool was so long he had to use 10pt font to get it all on one slide (see slide 53)! His paper can be found here and the slides here.
We then wandered to Harald Welte‘s talk on hacking the Motorola EZX series phones (which we’ve reported on here before). In case you forgot, the EZX series has a linux kernel. Incidentally the phone runs lots of stuff it really doesn’t need (like glibc, 6 threads for just sound processes, and even inetd). He presented the project for the first time in an official context since we saw him at 0Sec in October. Apparently lots of kinks have been worked out and there’s an official code source tree here.
The clincher for day 11 was FX and FtR of Phenoelit‘s semi-controversial talk on Blackberry security (covering both handheld devices and server based RIM products). This talk was a bit of a wake up call for RIM and thus the slides are still not available online so keep a sharp eye out for the video when it’s released by the CCC.