Mitigating Con Deprivation: Disobey 2020

While the Coronavirus-induced lockdown surely makes life easier for the socially anxious and awkward ones among us, it also takes away the one thing that provides a feeling of belonging and home: conferences. Luckily, there are plenty of videos of past events available online, helping to bypass the time until we can mingle among like-minded folks again. To put one additional option on the list, one event you probably never even heard of is Disobey, Finland’s annual security conference that took place for its fifth time in Helsinki earlier this year, and they recently published the playlist of this year’s talks on their YouTube channel.

With slightly under 1500 hackers, makers, and generally curious people attending this year, Disobey is still on the smaller side of conferences, but comes with everything you’d expect: talks, workshops, CTF challenges, and a puzzle-ridden badge. Labeling itself as “The Nordic Security Event”, its main focus is indeed on computer and network security, and most of the talks are presented by professional security researchers, oftentimes Red Teamers, telling about some of their real-world work.

In general, every talk that teaches something new, discusses important matters, or simply provides food for thought and new insight is worth watching, but we also don’t want to give everything away here either. The conference’s program page offers some outline of all the talks if you want to check some more information up front. But still, we can’t just mention a random conference and not give at least some examples with few details on what to expect from it either, so let’s do that.

Continue reading “Mitigating Con Deprivation: Disobey 2020”

DUHK: Don’t Use Hard-Coded Keys

The title reads like the name of a lecture in cryptography 101 or the first rule of Crypto Club. ‘DUHK‘ is in fact neither of those but the name of a recently disclosed vulnerability in a pseudorandom number generating algorithm (PNRG) that was until recently part of the federal standard X9.31.

Random numbers are essential to viable cryptography. They are also hard to obtain leading to solutions like using the physical properties of semiconductors or decaying matter, that are governed by quantum effects. The next best solution is to log events that are hard to predict like the timing of strokes on a keyboard. The weakest source of randomness is math, which makes sense, because one of maths most popular features is its predictability. Mathematical solutions have the one redeeming quality of being able to produce a lot of numbers that look random to a human in a short time.

PNRGs require a starting point from which they begin to produce their output. Once this seed is known the produced sequence becomes predictable.

The X9.31 PNRG is an algorithm that is used in various cryptographic algorithms and has been certified in the Federal Information Processing Standards for decades until it was dropped from the list of approved standards in 2016. The researchers behind DUHK found out that the standard allowed the seed to be stored in the source code of its implementation. The next step was to look for software that did this and they found X9.31 in an older version of FortiOS running on VPN gateways.

Should I be Worried?

Probably, maybe not. The analysis (PDF) published by the team behind DUHK notes that the vulnerability is limited to legacy implementations and doesn’t allow to takeover the device running them, only to eavesdrop on ‘secure’ connections. The scope of this is much more limited than exploits like remote code execution via bluetooth. It is on the other hand providing a strong case for handling standards and technical certifications with extreme scrutiny. The teams conduct also gives insight into the best practises for white-hat hacking which are frequently discussed around here. And they have a great theme song.

White-hat Botnet Infects, Then Secures IoT Devices

[Symantec] Reports Hajime seems to be a white hat worm that spreads over telnet in order to secure IoT devices instead of actually doing anything malicious.

[Brian Benchoff] wrote a great article about the Hajime Worm just as the story broke when first discovered back in October last year. At the time, it looked like the beginnings of a malicious IoT botnet out to cause some DDoS trouble. In a crazy turn of events, it now seems that the worm is actually securing devices affected by another major IoT botnet, dubbed Mirai, which has been launching DDoS attacks. More recently a new Mirai variant has been launching application-layer attacks since it’s source code was uploaded to a GitHub account and adapted.

Hajime is a much more complex botnet than Mirai as it is controlled through peer-to-peer propagating commands through infected devices, whilst the latter uses hard-coded addresses for the command and control of the botnet. Hajime can also cloak its self better, managing to hide its self from running processes and hide its files from the device.

The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm.

So where is this all going? So far this is beginning to look like a cyber battle of Good vs Evil. Or it’s a turf war between rival cyber-mafias. Only time will tell.

Hacking A Device That Lives Inside The Matrix

[Gerardo Iglesias Galván] decided he wanted to try his hand at bug-bounty hunting — where companies offer to pay hackers for finding vulnerabilities. Usually, this involves getting a device or accessing a device on the network, attacking it as a black box, and finding a way in. [Gerrado] realized that some vendors now supply virtual images of their appliances for testing, so instead of attacking a device on the network, he put the software in a virtual machine and attempted to gain access to the device. Understanding the steps he took can help you shore up your defenses against criminals, who might be after more than just a manufacturer’s debugging bounty.

Continue reading “Hacking A Device That Lives Inside The Matrix”