The first night of Black Hat briefings concluded with the Pwnie Award Ceremony. The awards reward achievements in security… but mostly failures. Notably, this was the first year anyone accepted an award in person. Hack a Day took home an early victory by producing a MacBook mini-DVI to VGA adapter (pictured above). The ceremony was fairly straight forward after that. Best Server-Side Bug went to the Windows IGMP kernel vulnerability. It was a remote kernel code execution exploit in the default Windows firewall. The Best Client-Side Bug went to Multiple URL protocol handling flaws like this URI exploit. Mass 0wnage went to WordPress for many many vulnerabilities. Most Innovative Research went to the Cold Boot Attack team. Lamest Vendor Response was won by McAfee for saying XSS can’t be used to hack a server. The Most Overhyped Bug went to [Dan Kaminsky] for his DNS vulnerability. Most Epic FAIL was won by the team behind Debian for shipping the OpenSSL bug for two solid years. Lifetime Achievement Award was won by [Tim Newsham]. Finally, the Best Song was by Kaspersky Labs for Packin’ The K!, which you can find embedded below.
cons1390 Articles
Black Hat 2008: FasTrak Toll System Completely Broken
FasTrak is the electronic toll collection system used by the state of California. Motorists can purchase a toll transponder for ~$26 and link the serial number with a debit account to have their tolls deducted automatically. Today at Black Hat in Las Vegas, security researcher [Nate Lawson] presented not just the privacy problems with FasTrak, but why absolutely no transaction from the tag should be trusted.
Continue reading “Black Hat 2008: FasTrak Toll System Completely Broken”
Black Hat 2008: Dan Kaminsky Releases DNS Information
[Dan Kaminsky]’s much anticipated talk on his DNS findings finally happened at Black Hat 2008 in Las Vegas today. [Dan] has already uploaded the complete slides from his talk as well as posted a short summary to his site. New information in the slides since our previous coverage includes “Forgot My Password” attacks and new attacks on internal network vulnerabilities as a side of effect of DNS cache poisoning. [Dan]’s talk today was over capacity; our shot of the conference room overflow is shown above.
Defcon 16: Badge Details Released
Defcon will once again be one-upping the sophistication of the conference attendee badges. Wired has just published a preview of this year’s badge. The core is a Freescale Flexis MC9S08JM60 processor. The badge has an IR transmitter and receiver on the front plus eight status LEDs. On the back (pictured below), there is a mode select button, CR123A battery, Data Matrix barcode, and an SD card slot. You can add a USB port to the badge and upload code to it using the built in USB bootloader. All the dev tools needed will be included on the conference CD or you can download the IDE in advance. The low barrier to entry should lead to some interesting hacks. In previous years, you needed a special dongle to program the hardware. There is no indication as to what the badge does out of the box. Releasing the badge early is a first for Defcon and the one pictured isn’t the attendee color, but we’re sure someone will still come up with a clone.
Now comes the fun part: What do you think the best use of this badge will be? Would Defcon be so cavalier as to equip everyone in the conference with a TV-B-Gone? I think our favorite possibility is if someone finds a security hole and manages to write an IR based worm to take over all the badges.
Defcon 14 introduced the first electronic badge which blinked in different patterns. Defcon 15 had a 95 LED scrolling marquee. [Joe Grand] will be posting more specific Defcon 16 badge details to his site after the opening ceremony. Check out more high resolution photos on Wired.
The GIFAR Image Vulnerability
Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.
The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.
The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.
More Defcon 16 Events Announced
Defcon keeps announcing more and more interesting events for next week’s conference. A free workshop is planned for the soon to be released DAVIX live CD. DAVIX is a collection of tools for data analysis and visualization. They’ll be running through a few example packet dumps to demonstrate how the tools can help you make sense of it all. [Thomas Wilhelm] will be driving out from Colorado Springs in his Mobile Hacker Space. He’s giving a talk Sunday, but will be giving presentations a few hours every day at the van. Some researchers from NIST will be setting up a four node quantum network and demonstrating some of the possible vulnerabilities in the system. Finally, as part of an EFF fundraiser, Defcon will feature a Firearms Training Simulator. Conference attendees will participate in drills designed to improve their speed, accuracy, and decision making skills.
WarBallooning At Defcon
[rocketman] has posted about a new event at Defcon dubbed WarBallooning. They are using a Kismet drone (a modified WRT54G), a webcam, and a few high gain antennas. The balloon will be launched at about 15 stories and will be remotely fed targets chosen directly by the Defcon participants. The the directional antenna will be mounted to the camera so pan and tilt can be controlled. The Kismet CSV files will be available for everyone after the event.
If you are interested in WarDriving or building you own high-gain antennas, we suggest you check out this WiFi biquad dish antenna mounted on a car. If cars are too boring, or you do not have one, you could always go WarSailing or WarFlying. Yes, the permutations are endless.
[photo: JoergHL]
