Confidence 2009 in Cracovia

19/05/2009 Written by Boris Mutina (minor)

Once again I was lucky to attend really per­fect secu­rity con­fer­ence and here are some notes from there. Con­fi­dence is the one really high-​profile con­fer­ence in Cen­tral Europe. The strongest “mag­nets” this year were Bruce Schneier and Joanna Rutkowska. Here are few notes from this event.

Day 1
Since I didn’t knew any­thing about the road recon­struc­tion that is tak­ing place now in Poland, I arrived to the con­fer­ence venue too late and missed those “magnets”.

Adrian Pas­tor “A Pentester’s Guide to Credit Card Theft Tech­niques”
As the name of the pre­sen­ta­tion says, Adrian tried to explain con­fused pentester’s feel­ings with PCI DSS and explain­ing weak points when com­par­ing to con­ven­tional pentest.

Mario Hei­derich “I thought you were my friend Mali­cious markup, browser issues and other obscu­ri­ties”
Very inter­est­ing pre­sen­ta­tion show­ing new ele­ments affect­ing the browser secu­rity in the mean­ing of the code exe­cuted by the browser (and bypass­ing IDS, IPS and WAF using com­mon html code). He showed few dif­fer­ent pos­si­bil­i­ties to trig­ger XSS using ele­ments of code (XML, SVG fonts…). The most inter­est­ing part was the trig­ger­ing XSS by using pre­pared and mali­cious GIF image (actu­ally con­tain­ing JS inside).

Pavol Lup­tak “Pub­lic trans­port SMS ticket hack­ing”
If you travel with the pub­lic trans­port in some cities, you can buy a ticket using the SMS mes­sage, shortly you should receive SMS response with con­fir­ma­tion code. Using this kind of attack, there is just one phone con­nected to hacker’s server that is send­ing request for ticket and dis­trib­ut­ing its con­fir­ma­tion code in a spoofed mes­sage not over SMS but over TCPIP using the data con­nec­tion to any­body who may be request­ing it because of the inspec­tion. Work­ing attack method was pre­sented, with descrip­tion of nec­es­sary tools, attack frame­work etc. From my point of view, one of the best pre­sen­ta­tions at Con­fi­dence. Happy Birth­day, Pavol!

Mar­tin Mocko “Race to Bare Metal: UEFI and Hyper­vi­sors”
As the name states, UEFI — Uni­fied Exten­si­ble Firmware Inter­face and it’s fea­tures was described as a next gen­er­a­tion of hard­ware “BIOS”. Since all the HW ven­dors are now try­ing to use UEFI, we will hear a lot about it in the future. UEFI can con­tain fea­tures for boot time, like disk sup­port, USB sup­port, work­ing TCPIP stack. All is writ­ten in C lan­guage and mod­u­lar. Inter­est­ing part comes, that UEFI has to be loaded first before any other (maybe also chip embed­ded and mali­cious) sys­tem hyper­vi­sor does. Nev­er­the­less even the UEFI is loaded, attacker still can try to add new dri­ver to be loaded before UEFI enters from boot mode to run­time mode. He also pre­sented secret and undoc­u­mented func­tions for UEFI in Vista.

Day 2
Jacob Appel­baum - “Tor Net­work”
He explained sta­tus of TOR project, how it works, what fea­tures except anonymi­sa­tion TOR has, and how can TOR help to peo­ple that have trou­bles accesing cer­tain web­sites (even for human rights activists). I had after this pre­sen­ta­tion good talk with Jacob mostly about pos­si­bil­ity of eaves­drop­ping on TOR net­work and the inci­dent that hap­pened, when pass­words from embassies leaked by eaves­drop­ping on TOR. Thanks for your time, Jacob.

Rich Smith “VAASe­line: VNC Attack Automa­tion Suite”
As the name of the pre­sen­ta­ton tells, Rick pre­sented about the VNC and RFB pro­to­col used by VNC. He showed also all in one work­ing solu­tion allow­ing auto­mated actions to be taken on VNC systems.

Alexei Kachalin “Effi­ciency Esti­ma­tion of Net­work Secu­rity Sys­tems of Global Net­works.”
Very inter­est­ing pre­sen­ta­tion about cre­at­ing a frame­work, that could sim­u­late viral out­break in the mon­i­tored net­work. While this project is still in prepa­ra­tion, it can be use­ful when mon­i­tor­ing client’s net­work for illicit activities.

Michael Kemp “Rootk­its are awe­some: Insider Threat for Fun and Profit”
As Michael appeared on the stage, I was sure, this guy will make a great pre­sen­ta­tion. He pre­sented about the risks of DLP soft­ware (data loss pro­tec­tion) made by most of antivirus ven­dors and it’s behav­ior like a rootkit. He pointed out that such soft­ware requires to stop anti-​* soft­ware for instal­la­tion, it can­not be detected by antivirus soft­ware, anti­rootkit etc… so basi­cally it is a “unde­tectable” rootkit. Then he showed on real exam­ple how such soft­ware is actu­ally a detectable rootkit, what reg­istry entries it makes, what files it calls and uses and how to detect it and prove, that it is actu­ally a rootkit.

More infor­ma­tion about COn­fi­dence 2009 can be found on
http://​2009​.con​fi​dence​.org​.pl/​o​-​c​o​n​f​i​dence


Share this content: