diff --git a/presentation.md b/presentation.md index b7e1e78..df7e6a4 100644 --- a/presentation.md +++ b/presentation.md 
@@ -1,121 +1,133 @@ % 33C3recap % Jean-Baptiste Aubort; EPFL//SI//SCITAS % \today # 33C3 ![](./res/33C3.png) ## Chaos Computer Club & Communication Congress * 33th Chaos Communication Congress in Hamburg * One of the oldest and still active Hacker group, Chaos Computer Club * Advocates Freedom of information, human right to communication, etc * They've raised a number of security concerns to the public and the politics in Germany * BTX bank transfer in 1984 * Fingerprint copy of a german minister (from coffee cup) * ... # 33C3 ![Congress is +10k visitors, +2k volunteers, 50k clubmate bottles](./res/congress.png) # 33C3 ## Predicting and Abusing WPA2/802.11 Group Keys * https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8195.html * Flaw in the 802.11 standard RNG description * Proposed RNG is expository only, vague description * If entropy is low, wait for traffic "a little bit" * If the time is not available, just use 0 * A lot of vendor still implements the RFC as is * Some use uptime of router as source of random, uptime is leaked in beacons * Entropy collected only when RNG is called * A lot of other interesting attacks like * Injecting unicast traffic in broadcast frames * Some RC4 downgrade attack * Proposition: * Use background noise for RNG # 33C3 ## You can -j REJECT but you can not hide: Global scanning of the IPv6 Internet * https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8061.html * IPv4 scanning has been done for years, using ZMap for instance * IPv6 scanning is impractical, address space is too big -> 7.5x10^23 years to scan * Why scanning ? * Research: how the internet is evolving, what machines are available then disapear, ... * Security: what machine are vulnerable to a specific attack (typically Heartbleed) * How to uncover IPv6 use, some ideas and experimentations * Service logs (CDN, DNS server, ...) -> hard to optain and very limited representation * Reverse DNS ! 
* Reverse DNS probes the DNS tree until there's a NXDOMAIN response (=error) * -> problems * dynamic reverse zone (preallocated PTR) * dns server not respecting rfc and answering with nxdomain instead of noerror -> some solutions * pick some random addresses in the range, if they exist, a good change it's preallocated * pre-seed using bgp and don't start at the root (so he skips some of the faulty server) # 33C3 ## Gone in 60 Milliseconds * https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/7865.html * Exploiting AWS Lamba, a service for running function (Node, Java, Python, C#) in Amazon * A function is executed in a container that is terminated after the call * No user to escalate, read only filesystem, strict permission * Amazon creds in environment, usually limited in scope, but in practice lots of people allow a lot of perm * /tmp is actually preserved accross execution (for perf reasons), among other things (for 4mn30 max apparently) * Function history using some namespace for tagging (dev/prod), can be used to have persistence of code * Exaushting function memory will prevent logging (covering tracks) * -> Mackenzie AWS Lambda infection toolkit https://github.com/Miserlou/Mackenzie # 33C3 ## Intercoms Hacking * https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8027.html * Some modern intercoms use GSM to call the resident by phone * Attacks: * Mobile attacks (rogue gsm tower) -> clients use the strongest signal * Downgrade attack to force 2G (3G/4G are more secure than 2G) by jamming 3G/4G * Find the number of the intercom by pressing a button to call a resident * You can open the door by faking incoming number and sending the opening cmd by SMS * Replace resident number by a surtaxed number (0900) ?? 
-> get rich * The intercom can be configured by SMS # 33C3 ## Memory Deduplication: The Curse that Keeps on Giving * https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8022.html * Deduplication is used to reduce memory usage, for instance in a virtual machines host * Introduces a side channel, allowing to sneak other processes memory * Attacks * Cross-Vm leak, break aslr -> by measuring time of write of a known librairy * Intra-process read + write (browser + JS) -> dedup+rowhammer * Ex. flipbits in ssh public key to a key that can be reconstructed * Ex. flipbits in gpg key and apt repo url to hijack package updates * It uses rowhammer, a physical memory bug due to cell density in DRAM, discoverd in 2015 # 33C3 ## Talking Behind Your Back * https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8336.html * Near-ultrasound beacons are everywhere, can be used for: * Cross-device tracking (disseminated by ad company in their ad sdk) * Audience analytics, proximity marketing * Syncronized content * Device pairing * Freqency: 18kHz-20kHz, no standard. ~7m with low error rate. Audible by animals # 33C3 +* Space track + +## The Moon and European Space Exploration + +* https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8406.html +* The boss of ESA advocating for the Moon exploration + +## Eavesdropping on the Dark Cosmos + +* https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8245.html +* Gravitational waves and dark matter + ## The Universe Is, Like, Seriously Huge * https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/7861.html
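Review bot: the new `* Space track` bullet sits directly under the `# 33C3` slide heading and ahead of `## The Moon and European Space Exploration`, while every other slide in the surrounding context goes straight from `# 33C3` to a `## Talk title` subheading; consider folding it into the slide heading or dropping it so the slide structure stays uniform. The two added talk entries also carry only a URL and a single one-line bullet, whereas the existing entries list several takeaways; a couple of concrete points per talk (or a remark that these are brief mentions) would keep the deck consistent. While touching this file, the context lines carry spelling slips worth fixing in a follow-up: `* 33th Chaos Communication Congress in Hamburg` (33rd), `* Exploiting AWS Lamba, ...` (Lambda), `* Syncronized content` (Synchronized), plus "disapear", "optain", "accross", "Exaushting", "librairy", "discoverd" and "Freqency".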