A team of security researchers and academics has broken a core piece of internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certificates for any site they want. The user would have no indication that their HTTPS connection was being monitored/modified.
Continue reading “25C3: Hackers Completely Break SSL Using 200 PS3s”
While we had been excited about 25C3’s CTF competition, we couldn’t even venture a guess as to who would win. It seems the iphone-dev team weren’t satisfied to just give an amazing talk. They teamed up with the Wii hackers from HackMii to win the competition. You can see their progress during the eight hour competition above in red. It’s impressive to see hardware hackers jumping over to network security AND completely killing at it.
[googlevideo=http://video.google.com/videoplay?docid=713763707060529304]
As promised in their yellowsnow demo, [pytey], [MuscleNerd], and [planetbeing] from the iphone-dev team presented at 25C3 on their work Hacking the iPhone. The team originally formed in 2007 and this is the most comprehensive presentation on how the iPhone was compromised to date. You can find the full talk embedded above.
[Florian] and [Xavier Carcelle] started the day at 25C3 by covering power line communication. PLC technology is not widespread in the US, but has gained popularity in countries like France where it’s included in set-top boxes. PLC lets you create a local network using the AC wires in your wall. The team started exploring PLC because despite being newer technology, it had a few principles that made it similar to old networks. There’s no segmentation in the wiring, which means it behaves like a layer 2 hub. You get to see all of the traffic unlike a switched network. Most power meters don’t filter out the signal, so it’s possible that you might see your next-door neighbor’s traffic on your line. [Florian] reports having seen all the traffic in a six-story building just by plugging in. The wiring also acts as a large antenna so you could employ tempest attacks.
[Kai Kunze] from the Embedded Systems Lab at Passau came to 25C3 to talk about Cyborgs and Gargoyles: State of the Art in Wearable Computing. There have been a lot of homebrew wearable computing solutions, but [Kai] covered specifically projects that could see everyday use in the real world.
Continue reading “25C3: State Of The Art Wearable Computing”
The 25th Chaos Communication Congress is underway in Berlin. One of the first talks we dropped in on was [script]’s Solar-powering your Geek Gear. While there are quite a few portable solar products on the market, we haven’t seen much in the way of real world experience until now.
Capture the Flag (CTF) is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. Every team gets an identical virtual machine image. The VM has a set of custom written services that are known to be vulnerable. The teams work to secure their image while simultaneously exploiting services on the machines of other teams. A scoring server monitors the match as it progresses and awards points to teams for keeping their services up and also for stealing data from their competitors.
The Chaos Communication Congress in Berlin December 27-30, 2008 will host a CTF competition. Most CTF matches are done head to head in the same room. While 25C3 will have local teams, it will also be wide open for international teams to compete remotely. Remote teams will host their own images on a VPN with the other competitors. Now is a good time to register and familiarize yourself with the scoring system. It will certainly be interesting to see how this competition plays out now that teams that can’t make the trip can still compete.
