uncompiled.com

http://www.notacon.org/prereg.html

Forwarded from: Froggy

Tyger and I are having a ball here at the Grand Traverse Frag Fest in
Traverse City, Michigan! To celebrate this event, Notacon 2011
registration is now open! There are a few changes from previous years,
including some modest price increases. New this year, groups can
register and pay online. Also, we are introducing a limited number of
reduced rate “starving hacker” tickets intended to help those in our
community without the financial means to do so. We hope this will enable
us to increase the scope and breadth of knowledge and creativity within
the community and make Notacon 8 the best Notacon ever!

To help make Notacon 8 the best yet, we are pleased to announce that the
event has moved to the Hilton Garden Inn in downtown Cleveland nearby to
Progressive Field. The new location offers us many new and exciting
opportunities, including expanded conference space, better parking
options, exemptions for energy drinks sponsorships (Can you say BAWLS?)
and exemptions for outside food after hours. In addition, the new space
has renovated rooms containing a refrigerator, microwave and other
amenities not found at our previous venue. A booking link to register
hotel rooms will be announced shortly.

And finally, some of you may have wondered about the future of a demo
party at Notacon. Worry not, we have major plans and announcements
coming in the near future. We will put together a new tightly integrated
party that will be bigger and better than anything done previously at
our event! The North American demoscene lives!

Notacon registration information: http://www.notacon.org/prereg.html

- Froggy

Source

A researcher at the DefCon hackers’ meet has demonstrated kit for spoofing GSM base stations, allowing even those on a limited budget to intercept phone calls and text messages.

The audience attending the talk by Chris Paget were able to see their own handsets transferring to his spoofed base station, with calls receiving a recorded message explaining that the security had been compromised, Associated Press reports. The demonstration would presumably have been a lot less impressive if Las Vegas had better 3G coverage.

The basis of the attack isn’t new: the attacker sets up a base station advertised as belonging to a compatible network operator and handsets locally switch to the stronger signal. In a live attack the base station then connects to the real cellar network and passes authentication tokens back and forth as though it wasn’t there.

GSM communications are supposed to be encrypted between the genuine network at the handset, but in some countries strong encryption isn’t allowed so the network informs the handset not to encrypt the communications. The handset is supposed to pop up a warning when this happens, but doesn’t, so rogue base stations can ask the handset not to encrypt anything and then listen in.

The 2G GMS standard does not mandate mutual authentication – the handset must prove its identity to the network, but the network is not required to return the favour. That’s always made 2G networks open to this kind of abuse; the only difference is that the kit to do it has got a lot cheaper over the years. 3G standards do require such authentication, so they are immune from this kind of attack.

During the demonstration, Paget pointed out that one could jam the 3G signal (at 2.1GHz), forcing handsets to drop back to 2G and open themselves to the vulnerability. That’s true, but will cease to be possible (or at least will get a lot more difficult) once operators start deploying 3G technology on the 2G frequencies.

“GSM is broken – it’s just plain broken,” said Paget during the demonstration, though he could have added that the standard is no more broken than it was yesterday – the break just got cheaper to exploit.

Source

Two researchers at the Black Hat conference in Las Vegas on Thursday exposed 24 ways hackers can hijack seemingly secure browser sessions.

Robert Hansen and Josh Sokol demonstrated methods attackers can use to take over users’ accounts or assume control of a website without the need for any exploits, due to the way browsers implement “HTTPS.” HTTPS, a combination of the Hypertext Transfer Protocol with the SSL/TLS Protocol, allows a website owner to encrypt a session using a digital certificate.

For any of the two dozen attacks to work, however, a criminal would have to have assumed control of a user’s computer via a man-in-the-middle (MITM) exploit, by which an attacker intercepts communications between two systems.

But the researchers wanted to show that HTTPS protection alone won’t stop bad things from happening.

For example, the pair detailed an attack known as “session fixation” that takes advantage of the fact that banks using HTTPS don’t change a user’s cookie after they login — they simply mark it as valid. As a result, an attacker with MITM control could visit the bank site ahead of the user and set the cookie, essentially logging in the crook as the legitimate user.

Another scenario, known as “delayed pop-up,” involves a user who visits a website, such as a bank, and clicks on a link to go the SSL-protected version of the site. This opens a second tab, but if the attacker has control of the first tab, he is able to change the other HTTPS tab to redirect users to malicious executables or authentication forms.

Still, the reliance on MITM makes the scenarios Hansen and Sokol demonstrated unlikely to happen on a widespread scale, they said.

“You’d have to be a very determined attacker,” Hansen said. “And determined attackers have a lot of other avenues for attack.”

He did say that while “the world is not crashing,” website owners and users should take the threats seriously as they have the potential to threaten secure electronic commerce. Potential mitigations include the browser makers offering tab, port and cookie sandboxing controls.

Hansen added that there are likely “hundreds” of other similar vulnerabilities.

Source

Cyber terrorists have a number of ways to mount a major cyber attack on U.S. Internet infrastructure due to the general instability of its base, the director of the agency in charge of protecting the federal government’s IT network said Wednesday.

“With decades of IT infrastructure built to support changing technologies, there is little ability to baseline the entire infrastructure within the United States,” said Randy Vickers, director of the United States Computer Emergency Readiness Team (US-CERT), in an interview Wednesday. “This variety of platforms and applications provides many possible vectors by which to attack infrastructure.”

Vickers is scheduled to join other IT leaders from government agencies for a panel to discuss the threat of cyber war and how to deter it at the Black Hat security conference in Las Vegas on Thursday.

US-CERT is a division of the Department of Homeland Security (DHS) responsible for responding to and defending against cyber attacks for the federal government’s IT infrastructure. It also is in charge of sharing information and collaborating with state and local governments as well as the private sector to protect critical infrastructure in the U.S.

Vickers said that critical infrastructure is not likely to become less prone to attacks anytime soon. He cited ongoing changes in the IT landscape — such as cloud computing and an increasingly mobile workforce — as conditions that only open up infrastructure to more threats.

“The environment is only going to increase in complexity, and as more threat capabilities are developed the risk to our information infrastructure that we are so heavily dependent upon also increases,” he said.

To achieve its goal to keep an eye on federal networks, the DHS is currently deploying an intrusion-detection and security system called EINSTEIN 2, Vickers said. The system is currently operational at 12 of 19 federal agencies, providing US-CERT with, on average, visibility into more than 278,000 indicators of potentially malicious activity per month, he said.

EINSTEIN 2 should be fully deployed at the federal government by the end of the year, after which the DHS will take security to the next level with EINSTEIN 3, Vickers said.

EINSTEIN 3, developed by the National Security Agency, is the third phase of the Comprehensive National Cybersecurity Initiative (CNCI), and will provide intrusion prevention on top of EINSTEIN 2′s intrusion-detection capability, he said. The first phase of the system — EINSTEIN 1 — is currently in deployment as system that gathers information about network traffic.

US-CERT first revealed details about EINSTEIN 3 in March. At the time, the DHS said the system will do real-time, deep packet inspection and make decisions based on threats by examining network traffic at the edge of federal agency networks.

This activity will redirect agency Internet traffic to DHS cybersecurity systems, which will determine which traffic might be associated with cyber threats and how to respond, they said. The DHS worked with a commercial Internet service provider to do a test deployment of EINSTEIN 3 earlier this year. Vickers said these types of private-public partnerships will continue as the federal government continues to work to secure its network infrastructure against cyber attacks.

“At the end of the day, the architecture for the dot-gov’s cyber perimeter defense will be hybrid of government and private technologies,” he said.

Source

LAS VEGAS–A security researcher has found a slew of fundamental problems with the way that modern browsers are designed and built, leading to serious questions about the security of these applications and the way that they handle SSL sessions.

The research, done by Robert Hansen of SecTheory, shows that browsers such as Firefox, Internet Explorer and Chrome have a number of architectural problems that can essentially negate the security that SSL is meant to provide for sensitive Web transactions. The techniques that Hansen has developed, which he demonstrated at the Black Hat conference here Thursday, give an attacker the ability to do any number of nasty things to a target machine, including forcing the download of an executable file, overwriting the URL field in the browser and overwrite secure HTTPS cookies with non-secure cookies.

In all, Hansen found 24 problems before he decided to stop looking. “I had basically had to stop the research because there were just too many issues. I didn’t have time to deal with anymore,” Hansen said.

A big part of the problem, Hansen said in an interview, is that browsers don’t enforce policies that would isolate the tabs in an open browser from one another. This allows an attacker who can control one of the tabs, say a normal non-SSL session, to also affect content in the other tabs, even if they’re using SSL. Hansen identified several techniques that enable him to watch an SSL-protected session and glean a lot of information about what the user is doing, based on timing certain parts of the Web session and knowing how long it takes for part of a site to load. He also can tell whether a user is logged in on a given site and use a specific technique to log the user out so he can then watch the login operation and steal the credentials.

“When you look at it, what does SSL really offer? What this means is that for the average user, against a determined adversary, there really is no protection,” said Hansen, who presented his findings at the Black Hat conference here Thursday. “People give SSL and TLS a lot of credit, when it shouldn’t have any at all.”

SSL is the main transport security used by millions of Web sites to protect data being sent from browsers to Web servers. It’s been shown to be vulnerable to a number of different attacks, including several man-in-the-middle attacks, which could be used in conjunction with some of Hansen’s techniques to completely compromise a supposedly secure Web session.

“The most important thing is that if an attacker can map out the domain ahead of time, he can get a really good feel for how the site is built,” Hansen said. “If there’s a side channel, I can force them to precache some of the content on the page so that I don’t see that again when they reload the page. Then, the only thing you’re seeing are the things that are interesting to the attacker. You can map out the user’s flow around the site and the attacker can force the user to make an SSL connection to them so they can tell which SSL and HTTP headers are being sent in which direction. It’s about narrowing down the number of bytes that are interesting.”

As troubling as the problems that Hansen found are, he emphasized that they don’t mean that the sky is falling.

“You still need to be a man in the middle first and there are probably easier ways to attack people once you are, but there are a lot of issues here,” he said. “If there was better jitter and padding in SSL, a lof of this wouldn’t even be possible.”

Source

Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, Black Hat 2010 attendees will be told next week.

Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, says Greg Hoglund, CEO of HBGary, whose briefing “Malware Attribution: Tracking Cyber Spies and Digital Criminals” is scheduled for the Las Vegas conference.

Hoglund says this analysis uncovers tool marks — signs of the environments in which the code was written — that can help identify code written by a common person or group based on what combination of tools they use.

For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, Ultra VNC remote desktop support software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint.

The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that’s not the route this attacker chose. tifying this RAT in other instances of malware can link groups of malicious code to a common author or team, Hoglund says.

He has found that these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods. “The bad guys don’t change their code that often,” Hoglund says.

A traditional antivirus platform tifies variants of malware. This research can anchor a new form of intrusion detection that analyzes malware deeply to find these fingerprints and to assign it to a threat group based on the intent of the malware, he says.

For instance, if the malware is designed to steal credit card numbers from individuals, a corporation might rank it as a lower threat to the corporation than malware that seeks to steal the company’s intellectual property, he says.

“You are not going to succeed in keeping the bad guys out of your network,” Hoglund says. “But if you can detect them as early as possible, you can prevent losses.”

During his talk, Hoglund says he will exhibit graphs that cluster half a million pieces of malware his team has examined on a graph according to how closely their fingerprints match. He says he hopes to demonstrate that the sources of these 500,000 examples number relatively low — in the hundreds rather than the thousands, he says.

If that’s the case, using these fingerprints as signatures by which malware is detected, intrusion-detection engines could focus on filtering them rather than the wrappers in which they are sent. That would mean a more stable library of signatures since the attackers are slow to change their code. These IDS signatures would work better over a longer period.

To do this the IDS needs to be on endpoints where the code executes and can be seen in the memory of the computer as a human-readable text. At the network layer, a packed executable would not reveal these attributes.

At the conference, Hoglund plans to release a tool called Fingerprint that analyzes and compares the similarities among the underlying artifacts found in different pieces of malware. Businesses could use the tool to determine what identifiable attacker wrote the code and what its intent is.

That in turn can give businesses an idea of whether they are under a concerted assault from a common group rather than being the victim of random attacks. Using this type of analysis, Hoglund says he found that one identifiable attacker was responsible for targeting the Department of Defense as well as a particular military base five years before.

That indicated the attacker was the same, and use of a Chinese-language development environment indicated the attacks came from there. Some of the source code used was exact copies of code traded on China hacker sites.

Source

2010 ACM Cloud Computing Security Workshop (CCSW) at CCS

9 October 2010, Hyatt Regency Chicago

http://crypto.cs.stonybrook.edu/ccsw10

Dear Colleagues,

The CCSW submission website is up! Please submit your papers at

http://hotcrp.cylab.cmu.edu/ccsw10/

CCSW is back! The 2009 workshop was a tremendous success, with 80+
people in the audience, several sponsors (NSF, Microsoft), 5 invited
talks (Whitfield Diffie, Ian Foster, Peter Mell, Lenore Zuck, Kristin
Lauter) and excellent papers. This year we hope you will join us in yet
another successful event.

This year’s SPEAKERS (preliminary list) are:

——–

Leendert van Doorn
AMD Senior Fellow

Eric Grosse
Google Security Engineering Director

Steve Riley
Amazon Web Services Sr. Technical Program Manager

Michael Waidner
IBM Chief Technology Officer for Security
IBM Distinguished Engineer

——–

Notwithstanding the latest buzzword (grid, cloud, utility computing,
SaaS, etc.), large-scale computing and cloud-like infrastructures are
here to stay. How exactly they will look like tomorrow is still for the
markets to decide, yet one thing is certain: clouds bring with them new
untested deployment and associated adversarial models and
vulnerabilities. CCSW aims to bring together researchers and
practitioners in all security aspects of cloud-centric and outsourced
computing, including (but not limited to):

+ secure resource virtualization
+ secure data management outsourcing
+ practical privacy & integrity for outsourcing
+ foundations of cloud-centric threat models
+ secure computation outsourcing
+ remote attestation mechanisms
+ sandboxing and VM-based enforcements
+ trust and policy management in clouds
+ secure identity management mechanisms
+ web service security paradigms and mechanisms
+ cloud-centric regulatory compliance
+ business & security risk models and clouds
+ cost & usability models and their interaction with security in clouds
+ scalability of security in global-size clouds
+ trusted computing technology and clouds
+ binary analysis of software for remote attestation and cloud protection
+ network security mechanisms for clouds
+ emerging cloud programming models security
+ energy/costs/efficiency of security in clouds

We would like to especially encourage novel paradigms and controversial
ideas that are not on the above list. The workshop is to act as a
fertile ground for creative debate and interaction in security-sensitive
areas of computing impacted by clouds.

CCSW is soliciting full papers of up to 12 pages and short papers of up
to 6 pages. Submissions must be in double-column ACM format with a font
no smaller than 10 point (note: pages must be numbered). Only PDF files
will be accepted. Submissions not meeting these guidelines risk
rejection without consideration of their merits. Accepted papers will be
published by ACM Press and/or the ACM Digital Library.

*** Both research and position/vision/white papers are invited ***

Submissions must not substantially overlap with papers that have been
published or that are simultaneously submitted to a journal or a
conference with proceedings. All authors and their affiliations must be
listed.

Proposals for panels are also solicited. The proposals are to be
concise, up to 2 pages in length, describe the handled topics, name
potential panelists and briefly scope the panel for CCSW. Disruptive and
controversial panels are particularly encouraged.

Organizers ———————————————————

STEERING

Kristin Lauter, Microsoft
Adrian Perrig, Carnegie Mellon
Radu Sion, Stony Brook (chair)
Gene Tsudik, UC Irvine
Moti Yung, Google Inc.

CHAIRS

Adrian Perrig, Carnegie Mellon University (PC co-chair)
Radu Sion, Stony Brook University (PC co-chair)

COMMITTEE (preliminary)

Steven Bellovin, Columbia
Christian Cachin, IBM Zurich
Jan Camenisch, IBM Zurich
Bogdan Carbunar, Motorola Labs
Jeff Chase, Duke
Mihai Christodorescu, IBM Research
Weidong Cui, Microsoft Research
George Danezis, Microsoft Research
Xuhua Ding, Singapore Management University
Maria Dubovitskaya, IBM Zurich
Philippe Golle, Palo Alto Research Center
Markus Jakobsson, Parc
Yuecel Karabulut, SAP Office of the CTO
Yongdae Kim, University of Minnesota at Twin Cities
Kristin Lauter, Microsoft
Wenke Lee, Georgia Tech
Di Ma, University of Michigan – Dearborn
Patrick McDaniel, Penn State University
Peng Ning, NC State University
Cristina Nita-Rotaru, Purdue University
Dave O’Hallaron, Intel Research / CMU
Alina Oprea, RSA
Dimitris Papadias, Hong Kong University of Science and Technology
Anand Rajan, Intel
Tom Ristenpart, UCSD
Reiner Sailer, IBM Research
Pierangela Samarati, University of Milano
Matthias Schunter, IBM Zurich
Elaine Shi, PARC
Dawn Song, UC Berkeley
Wade Trappe, Rutgers University
Leendert Van Doorn, AMD
Giovanni Vigna, UCSB
Cliff Wang, US Army Research Office
Nicholas Weaver, International Computer Science Institute Berkeley
Peter Williams, Stony Brook University

Source

2600 Magazine presents The Next HOPE, the eighth conference in the 16 year history of the Hackers On Planet Earth series. It will happen at the Hotel Pennsylvania in the middle of New York City from July 16-18, 2010, and will be the largest creative technology conference on the U.S. East Coast.

Personal privacy will be the focus of a key project at The Next HOPE, when hackers unveil the next generation of a technology that could send privacy advocates into panic mode, and enforcer-types into nirvana.

Conference attendees will see first hand where human tracking by commercial and government interests may be headed when they are offered an active RFID conference badge.

Participation in RFID tracking is completely voluntary. If you wish, you can request an electronics-free “unpopulated” badge at registration, or simply remove the battery from your “populated” RFID badge at any time. There will be a limited number of the full-featured badges, so register early to be guaranteed to receive one.

RFID devices are increasingly being embedded into new clothing, handbags, footwear, mobile phones, credit cards, passports, and even tires. Some say this technology is only for “inventory control” and “security” –but The Next HOPE will give you an opportunity to decide for yourself, as you play with uses, abuses, and countermeasures in the OpenAMD system.

OpenAMD will also show the promise and the dark side of familiar social media sites and how they fit into theme of personal privacy when combined with other database and tracking technologies.

The entire project is Open Source, and developers worldwide are invited to create their own apps before and during the conference with the newly released Public API. The possibilities are endless, and all attendees will be part of the fun in this hacker version of massive scale installation art.

For more information, including API documentation, visit http://amd.hope.net or contact the OpenAMD team via amd@hope.net

Source

Detroit’s first-ever Cloud Camp drew well over 100 attendees to Compuware Corp.’s 15th-floor auditorium Wednesday night to hear the latest trends in putting applications on the Internet instead of in individual computers.

Dozens of Cloud Camps have been held all over the world since the first in Indianapolis, Ind. 18 months ago. They’re billed as an “unconference” where most of the content comes from the participants themselves.

Wednesday night’s event began with “lightning round” five-minute presentations from several cloud computing experts. Kicking off the festivities was Bob McDonough, cloud computing lead architect from the Michigan Department of Technology, Management and Budget.

McDonough said the state excels at offering high-performance, highly available services — but also at a high cost. It’s looking at cloud computing for other applications where there’s a “good enough” service option, and to eliminate rogue cloudsourcing.

Why cloud computing? Simple, McDonough said — “Humans cost money.” Also, he said, it improves the state IT workplace to remove routine scut work from employees and give it to machines, reserving for humans work that is challenging and satisfying. Cloud applications are also fast and easy to deliver.

David Giard of Sogeti gave a brief overview of Microsoft’s Azure cloud application delivery system.

He said cloud computing makes sense financially, because you only pay for what you use, and from a flexibility standpoint, because applications can be rapidly scaled up in giant data centers if there’s a surge in demand — and dialed down just as quickly.

Cheng-Zhong Xu of Wayne State University’s cloud and Internet computing lab gave a presentation on the rising complexity of managing cloud computing, but said virtualization and the ever increasing power of data centers will help.

John Willis of Opscale spoke on the idea of treating an operations infrastructure as if it was code, while Kevin Dangoor of Mozilla Labs presented on Bespin, a Web site that’s a code development environment — essentially you can write your applications anywhere you can get Internet access, easing collaboration. Check it out at http://bespin.mozillalabs.com.

Finally, Compuware demonstrated a very cool application called Cloud Sleuth that measures Web speeds, a key ingredient in the success of Web-offered cloud applications. Research shows any response lag of any online application of more than four seconds frustrates users and costs its owner revenue.

You can put your own cloud applications to the test at http://www.cloudsleuth.net.

The event then continued with an “unpanel.” Leaders asked the crowd who considered themselves a cloud expert — four people raised their hands and were immediately dragooned into serving on the panel. Then the crowd was solicited for 10 questions for the unpanel.

The event was to conclude with breakout sessions on topics created by the crowd at the time, followed by networking.

More at http://www.cloudcamp.org/.

Source

As online attacks increase in severity and reach, targeting everyone from Google to the Pentagon, leading security experts and government officials met last week in Dallas at the EastWest Institute’s first annual Cybersecurity Summit.

The goal of the conference: to find common solutions to cybercrime and other online attacks, which of course respect no national boundaries.

Step one, then, was to introduce policymakers and experts from around the world, to begin creating the relationships and transparency needed to make this happen. “How can you do partnerships with private industry, how can you do it with other governments when everything’s behind a veil of secrecy?” said White House Cybersecurity Coordinator Howard Schmidt.

The next step, however, will be more challenging. “Breakthrough solutions will require the effective integration of technical, business, legal, defense and international policy competencies on a level that has not happened so far,” wrote attendee Ikram Sehgal, a defense and political analyst and EastWest board member, in The News, a Pakistani newspaper. “Nations are thinking too parochially about their online security to collaborate on crafting global cyber regulations.”

Top of the cybersecurity agenda for many governments: how to prevent “nightmare” infrastructure attacks against “electricity, power grids, transportation, airplanes, water supply, finance, the banking system [and] the health system,” said Patrick Pailloux, director general of the French Network and Information Security Agency. His biggest nightmare? “That we don’t have enough time to prepare us for the nightmares.”

Such infrastructure attacks are ongoing, and at least in the United States, on the increase, said retired Air Force lieutenant-general Harry Raduege, now chairman of Deloitte’s Center for Cyber Innovation. “We have experienced a number of attacks against the financial sector, on the power grid and against our defense capability,”

Curiously, given the infrastructure worries, of the roughly 450 invited attendees present, only one hailed from the industrial control systems community, said critical infrastructure security expert Joe Weiss. “I was the one. That’s absolutely typical — there wasn’t one single electric utility there, not even the one headquartered in Dallas, and there wasn’t one single control system supplier.”

At issue — for a meeting intended to find global solutions to information security challenges — is the fact that safeguarding control systems against attackers requires a different approach to securing PCs or networks. For starters, Windows-based security products won’t help. “All the devices that sense things — temperature, pressure, flow and things like that — are not Windows, those are proprietary, real-time or embedded, and there’s no security there.” Furthermore, seemingly rote IT activities, like installing antivirus on a control system, can actually create a denial of service. “Who needs hackers?” he said.

Infrastructure defenders, stay tuned: After bringing the above disconnect to the summit organizations’ attention, Weiss received an assignment: to get the control systems community involved in next year’s Cybersecurity Summit in London.

Source