Monday, December 31, 2007

24c3 quick roundup

Originally posted on geekbazaar.
  • Lightning talks - consisting of 5 minute talks. The one that I liked best was regarding Mac OS X widgets. The idea is that since these widgets have access to the system() function and make use of Web 2.0 stuff most of the times, a simple injection (JSON injection / Cross site scripting) has further implications compared to normal web applications. This means that such flaws can easily give remote system access. The speaker (Thomas Roessler) then showed a gmail widget that was vulnerable to such attack. It would be interesting to find out if such vulnerabilities can also be present in the iPhone.
  • Just in Time compilers - breaking a VM. Interesting mostly because it shows what can be done with Just in time compilers and that includes not just Java but also other stuff like javascript and actionscript.
  • Modelling Infectious Diseases in Virtual Realities - a scientific talk which shows how a disease in a virtual reality, in this case it is WoW (world of warcraft) can be used to further understand modelling of infections and recovery. The speaker also gave ideas on how this knowledge can be used to efficiently contain an infection and also suggestions to Blizzard to reintroduce infections in WoW.
  • Toying with barcodes - just watched this one. Excellent stuff. The talk was very flowing and had a good sense of humor injected as well. The speaker (FX) showed how security is really underestimated in the technology that is probably most used to track physical objects - barcodes. He picked on postal services, automated dvd rental systems, newspapers showing 2d barcodes, and a few other examples.
  • "Building a hacker space" - some of the original ccc founders gave their ideas on what to do and what not to do if you want to start a hacker group. Stuff like providing the guests with ample caffeinated drinks .. fun and quite motivational I guess.
  • Making cool things with microcontrollers - where the speaker (Mitch) kept referring to his sexiest toy.. a mind bendin, hallucination inducing spectacles. Worth a watch.
  • Port scanning improved presents a very reasonable scenario where Phenoelit needed to build a faster port scanner which does nothing else but scan. Faster than nmap - in fact the talk was full of comparisons with nmap and showed how the authors of the tool went around congestion control.
  • DIY Survival by Bre of make magazine was totally hilarious. Gives a few excuses to add to the growing number of gadgets in the store room.
  • Crouching Powerpoint, Hidden Trojan: I didn't manage to get there from the start, but this talk details the findings of one researcher. Technically, nothing new came out of it really but it's always good to hear of unique accounts or experiences in the field of targeted attacks.
  • Not exactly a talk .. but the Phonoelit party was pretty kewl. Very geekfriendy ;-)

Friday, December 28, 2007

24c3 photos

Quick note: put up some photos from the first day @ 24c3 on my flickr account.

Wednesday, December 19, 2007

Whats brewing on the SIPVicious front

Been quite for a while, but that does not mean that I've been resting. Instead I've been looking into fingerprinting SIP devices and not relying on the User-agent header to identify the a SIP network element's name.

This means that SIPVicious tools will soon be able to guess the name of the device. What's important is that the tools will be able to maintain do this without sacrificing speed and efficiency. Expect more news on this.

Other than that, I'm looking at how to integrate the dns stuff with svmap - things like the SRV records and ENUM.

And.. last but not least.. I've been working on an article for Hakin9 magazine which explains a lot of behind the scenes when it comes to how SIPVicious tool suite works.

Tuesday, December 11, 2007

Password policies for PBX servers

Password policies form an important part of computer security. Unfortunately a large number of VoIP PBX servers do not apply any policies when it comes to authentication. Because of the lack of such security mechanisms, bruteforce attacks are a viable way to attack PBX servers. Svcrack, which is part of the SIPVicious tool suite, demonstrates this.

Of course, vendors and developers should be cautious when implementing features that can cause a denial of service. For example, the Account Lockout policy (available in Microsoft's AD and other systems) allows anyone to deny service to another user. This is not such a good idea especially in the case of something as "real time" as the phone service.

On the other hand, trotting or slowing down authentication might be a solution to limit the chance of attackers guessing the password in a reasonable time. Password complexity should also be enforced to hinder brute-force and dictionary attacks.