
29c3 Hamburg / DE

Stefano Ortolani
Kaspersky Lab Expert
Posted January 08, 09:41  GMT
Tags: Conferences, Exhibitions, Malware Technologies

The last week of 2012 marked the 29th installment of the Chaos Communication Congress. Organized by the Chaos Computer Club (CCC), the congress is an annual conference on technology and its impact on society. Although the scope may look quite loose, both lectures and workshops typically revolve around privacy, freedom of information, data security and other hacking issues. Needless to say, it has always been a great success; huge, considering that black-hat sized events here in Europe are not that common. Take, for instance, the fact that this year the congress had to be held in Hamburg, as Berlin could not offer a congress center fit enough to host more than 6000 attendees. Trust me, this number was not an exaggeration at all!

Congress Center Hamburg by night.

I admit my expectations were quite high: after four long years of scientific symposia, going back to more technical venues was indeed putting my brain in hunger-mode. However, having experienced what it means to organize events for medium-sized scientific conferences, I was honestly puzzled about turning a huge building such as the Congress Center of Hamburg into a functional place ready to host lectures, workshops, and hack spaces. Boy, I was wrong to be worried about it. The event lasted 4 whole days (from the 27th to the 30th) with an impeccable organization: not only were all lectures and workshops flawlessly organized, streamed, and chaired, but all open spaces were also collectivized and used for all kinds of hacking purposes, from playing CTF to entry-level courses on the Arduino platform.

The speakers, on the other hand, could take advantage of extremely well-sized rooms, with the most important talks having available an auditorium able to host more than 2000 people. Nevertheless, I have to say I was forced to learn one thing pretty fast: if you are interested in a topic, and that topic happens to be quite a hot one, well, be ready to get to the room at least 15 minutes before show-time; seriously, being on time never worked; any room, regardless of the capacity, was liable to get full. Believe me, I was really thankful for the flawless streaming infrastructure (watching a talk on my laptop that was taking place just a few meters away was indeed paradoxical :) ).

Jacob Appelbaum on stage.

The first day's line-up was respectable. The keynote was given by Jacob Appelbaum, known for his contributions to "The Tor Project", and also former spokesperson for WikiLeaks. After the usual introductions, he explained the reasons for this year's congress zeitgeist, "Not My Department". We have all heard this sentence at least once in our lives; usually uttered to belittle other people's arguments, it has always been used as an example of a closed mindset at work. Jacob's point was that this attitude is even more detrimental in an inter-connected world. What is the use of a privacy-preserving bill if our data flows through the routers of oppressive governments potentially assembling huge data sets about our lives? A new level of awareness is therefore suggested.

The day climaxed at night with a talk about SCADA systems and their exposure to network attacks. It is a bit weird to say it, but based on the speaker's analysis many critical infrastructures (highly clustered in countries such as Spain and Italy, ouch!) are still vulnerable as I write. The talk, besides responsibly disclosing some vulnerabilities of the software controlling the PLCs (e.g., Simatic WinCC), highlighted once again how these infrastructures are run and controlled by unpatched, if not extremely outdated, operating systems (I am not going to sugar-coat it, some analyzed machines were running Windows 95, yes!); I will really welcome the day when best practices to protect SCADA systems (like those that ENISA and its spin-off E3PR are working on) are finally enforced.

The second day offered another impressive line-up. The talk that interested me most was about an analysis of the HTTPS protocol and recent breaches and malpractices at some Certificate Authorities. I guess we all remember what happened with the Dutch CA Diginotar: the breach was kept silent, and for entire weeks web browsers kept trusting certificates which allowed attackers to intercept communications of Iranian residents (for an extensive analysis see 1, 2). A quite unique and interesting argument of the talk was whether such CAs should be considered (like some banks in the recent on-going economic crisis) too big to fail, and therefore new regulations should be imposed, effectively changing the governance of the HTTPS ecosystem. Arguably not "the" panacea against all the systemic vulnerabilities of the HTTPS protocol (see here), but possibly a considerable step towards an emergency response team for Diginotar-like cases. On a totally different note, the talk also highlighted that no solution for netbooks forcibly applying Windows updates currently exists :)

Unexpected Windows Update happens.

Due to my former interests in memory analysis for malware detection, I was also intrigued by the talk "Defeating Windows Memory Forensic"; besides covering the current literature (please, do check "Shadow Walker - Raising the bar for Rootkit Detection", if you haven't yet) the speaker presented Dementia, a tool to hide kernel objects such as processes or threads data structures from forensic applications like Memoryze. I had some technical concerns with respect to its validity (especially considering that forensic approaches via minimalistic hypervisors have been proven viable); on the other hand, it was indeed notable to see that to some extent it is possible to deceive forensic tools by means of techniques running in user-space; no need to be a kernel rootkit to pull it off.

The real cherry on top was, however, a technical talk entitled "The future of protocol reversing and simulation applied on ZeroAccess botnet". Honestly, I was totally unaware of the open source tool Netzob; what it does is both nifty and ingenious: it attempts to reverse a binary protocol (it must not be encrypted though!) by means of machine learning techniques; although not completely automatic (the reverser needs to help the tool infer the correct grammar of the protocol), it surely provides an advantage over hours spent staring at hex dumps. I am planning to play a bit with it in the coming days, so expect a quick blog post real soon!

Besides the talks, I've also had the opportunity to talk with several security experts with different backgrounds. Trust me when I say that this is half of the value of conferences such as CCC; highly recommended especially if you need a couple of informed opinions about what you've worked on. Waiting for 30c3 now!!


1 comments

mark117

2013 Mar 24, 02:04

Chaos Computer Club (CCC)

Hi Stefano Ortolani

Thanks for such an informative and interesting read, looks like there is also going to be some pretty cool new tools for you to look at as well,
I like the sounds of the Netzob protocol reverser
Cheers
mark117
