The annual Black Hat and Defcon conferences in Las Vegas can basically be described as the mecca for hackers, security execs and cyber crime fighters.
With so many crackers and hackers in one place, even the most security savvy conference attendees have reason to be scared. Fortunately for us, one of our favourite security gurus, CMS Consulting Inc. CEO Brian Bourne, likes to live dangerously.
He headed down to Las Vegas to cherry pick the best content and speakers he could find for the upcoming Security Education Conference in Toronto (SecTor). Bourne, who’s also the founder of the annual Toronto-based security event, was joined by Bruce Cowper, chief security advisor with Microsoft Canada Co.
Both security experts covered the event for our Security Insider page. Here’s some of the highlights.
Bruce Cowper on SMS exploits
If you haven’t seen the news about a bug in the iPhone OS, enabling it to be compromised through specially crafted SMS messages, it makes interesting reading. The idea that you can simply SMS someone and “pwn” their phone is a pretty scary one. Having attended the technical session at BlackHat, I wanted to weigh in on the conversation and give some context.
The specially crafted SMS message exploits is not exactly a new one. We have for years been able to alter phones, our providers do this regularly, and interact without a user knowing. What makes this one so interesting is that it is not limited just to the iPhone, nor is it hard to achieve if you use the tools created by researchers Charlie Miller and Collin Mulliner.
As a bit of background, the exploit uses a flaw on many implementations of smart phones (Apple’s iPhone, Google’s Android and Microsoft’s Windows Mobile) that when they received specific commands embedded in SMS messages, they either cause an application on the device to crash, which causes a Denial of Service, or full remote control.
In the case of each type of phone, the commands are specific and so you not only need to know the phone number, but also the type of device. Once they know those things, Miller and Mulliner were able to successfully demonstrate their attacks. In the DoS case of the iPhone and Android devices, the flaws are (were in Apple’s case as they tell us it has been patched) able to crash components of the operating systems and cause the phones to disconnect themselves from the network and reconnect.
Keep in mind that most providers queue SMS messages and so when the phone comes back online, it may receive another message. In some cases user interaction is required to reset the phone. In the Windows Mobile case, the operating system was not vulnerable, an HTC application included a flaw that was exploitable.
As I am sure you can imagine, taking remote control of a device was somewhat more complex and exploited a memory issue in the way that multi part text messages are handled to enable the attackers to inject their code in to the machine through heap spraying and then executing that code through the buffer underflows. The process could mean sending hundreds of text messages to a single phone, but interestingly enough the user may not see many or indeed any of these due to the way the systems handle incomplete text messages.
In summary, the thing to think about is that these are not really trivial matters to find and exploit from scratch, but at the end of the day when was the last time you updated your phone?
Brian on attending security conferences
It turns out that even with the best intentions, writing daily updates from BlackHat and Defcon is a very difficult endeavour. Clearly I failed at it this year with only a single first day post. The truth is that there’s just too much going between the two events.
Each event is packed with great content and any time you find between sessions or in the evenings is taken up with parties and meetings.
There are just too many smart people in one place to spend time blogging at the computer. It’s often referred to as the “hallway track”, but it’s certainly one of the most useful aspects of any good conference. The hallway track isn’t bound by any rules or restrictions and there is much to be learned.
You might say “I don’t need to go to the conference – I can download the presentations online”, and you’d be half correct. There’s no copy of the hallway track online, and it’s the reason to make sure you attend in person. Having said that, there is much said in the hallway track that isn’t suitable for a blog or press – but if you want a look at what research people are doing, it’s the place to be.
Bruce on SSL attacks
It is day one of BlackHat for me and I thought I would take in two presentations on a similar topic. The first presenter was Moxie Marlinspike and his talk on ‘More tricks to defeating SSL in practice’ was focused on how Man In The Middle attacks could be used to fool us into believing we were safe and secure online.
The second session was by our good friend Dan Kaminski. Dan is well known for his recent DNS exploits and his session included some interesting twists on how to defeat the SSL attacks through things like DNSSEC.
Essentially both talks were on the trust-worthiness of the SSL (X.509) certificates we use every day. The theory is that a certificate is issued by a trusted source. That source ultimately has a root certificate that our computers can verify the certificate we have been presented with (for example at your bank’s Web site) through a chain. In many cases this root certificate belongs to companies like Thawte and VeriSign, or even your government. Moxie’s talk included a discussion of older attack vectors and as we all know, the oldies in many cases are still the goodies.
The attacks included Certificate Chaining and SSL Stripping where in the event of a Man In The Middle attack, you essentially intercept the connection and either issue your own certificates to fool the Web browser (Certificate Chaining) or strip off the SSL component of the URL request (SSL tripping) to fool the user in to believing they are using a secure connection when they may not be. Okay, to exploit this, you would likely have to use something like ARP or DNS poisoning to affect the MITM attack.
That is all well and good, but what about simply issuing your own certificates.
In this case both talks focused on how you can generate certificates for sites you don’t own. For example, I want to generate a certificate for a bank – www.anybank.com (this name is referred to as the Common Name or CN). However, if I simply request a certificate, the administrative contact at that site will be contacted to verify the certificate creation and hopefully not allow a certificate to be issued. So how can I get that validation request to be sent to me?
Well it seems the trick is in the way that a number of the automated systems parse the strings for in the request you submit. Now I request a certificate for www.anybank.com (where /0 is a NULL, which is often used to terminate a string and I am the admin for mydomain.com). Many systems will parse this string and say that the domain the certificate is being requested for is actually mydomain.com. I get the email and validate the request. The trick is that when the domain name is parsed for the Common Name (CN) many systems will return www.anybank.com as the NULL character acts as a string terminator.
It seems that other control characters can also be effective such as the tilde and even wildcards (*). For example, requesting a certificate for */0mydomain.com potentially could issue you with a certificate for any domain.
Both talks discussed these challenges at length, but Dan went somewhat further to suggest that many attacks could be defeated through using things like Extended Validation (EV) certificates and DNSSEC. He definitely explained it better than I could hope to so I suggest looking up the discussions online on these topics.