Today I am live at the Zacon hacking conference.

I will be live blogging from here; I don’t know yet if I will be remaining for the whole day (it will be going from 9am to 8pm).

If this writeup seems ugly – it is. I am typing as the presenters speak so I might miss a lot and spelling will predictably be a mess. I will add and clean up as I have time.

Let’s dive in.

Welcomes

This is the second Zacon conference, and the attendance is 160 people. There were 29 talk submissions with 14 talks selected in the end.

Right now Zacon is free, but it is uncertain if it will remain free in future years. There are no vendors advertised and no sponsors mentioned. We get a free coffee (coffee counter supplied at the door along with the badge) and there is food for sale.

I was one of the lucky 90 who got a badge, and will be proudly wearing it.

University of Joburg sponsored the venue.

Coffee sponsorship gets applause, and the introductions are done.

Time for the first speaker.

—————————————————————

Roelof Temming – Something about Tea

Talk 1: Things I wanted Andrew to do in his free time, which he did not

Automated Social Engineering

Automated social engineering. Looking at something like Metasploit that is completely automated.

The idea is that the Reply-To address is hidden by most mail clients. If the Reply-To address differs from the From address, the recipient hits reply and the reply goes to a recipient that was not intended. If you can inject a mail thread with a hidden Reply-To, you receive all the responses in the thread in your mailbox.
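Added example, not from the talk or the live notes: the defensive side of the Reply-To trick is a mail-gateway rule that flags messages whose Reply-To domain differs from the From domain. The message below is constructed for the demo; the function and its names are my own, not any product’s API.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample message (not a real mail): replies would be diverted
// from example.com to example.net without the recipient noticing.
const sampleMail = "From: Alice Smith <alice@example.com>\n" +
	"Reply-To: Alice Smith <alice@example.net>\n" +
	"To: bob@example.com\n" +
	"Subject: Re: Q3 figures\n" +
	"\n" +
	"Bob, can you confirm the attached numbers?\n"

// domainOf returns the lower-cased part of an address after the last '@'.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// ReplyToMismatch parses a raw RFC 5322 message and reports whether its
// Reply-To header would send replies to a different domain than From.
// Both domains are returned so a gateway rule can log or quarantine on them.
func ReplyToMismatch(raw string) (bool, string, string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, "", "", err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return false, "", "", fmt.Errorf("bad From: %w", err)
	}
	fromDomain := domainOf(from.Address)
	rt := msg.Header.Get("Reply-To")
	if rt == "" {
		return false, fromDomain, "", nil // no override: replies go back to From
	}
	reply, err := mail.ParseAddress(rt)
	if err != nil {
		return false, fromDomain, "", fmt.Errorf("bad Reply-To: %w", err)
	}
	replyDomain := domainOf(reply.Address)
	return fromDomain != replyDomain, fromDomain, replyDomain, nil
}

func main() {
	m, fd, rd, err := ReplyToMismatch(sampleMail)
	if err != nil {
		panic(err)
	}
	fmt.Printf("reply-to mismatch=%v from=%s reply-to=%s\n", m, fd, rd)
}
```

A same-domain Reply-To (a shared mailbox, say) is left alone; only a cross-domain divert is flagged, which is the case the talk describes.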

Take this online:

Build a site with a report on how safe you are online.

This site asks a lot of semi-related questions and then ends the form with “how secure is your password?”, and users will enter their passwords.

1.2 Scan the Entire Internet

For every IP on the net determine open ports, services, etc.

There are lots of ways to optimise, and the optimisation is where the fun is.

Why would you want to do this? For one there is a benefit for geolocation services. Might even try triangulation of an IP address via traceroute. (The NSA took a patent out on this.)

The other benefit is that you have an instant list of the vulnerable servers on the internet. You can do a reverse whois on netblocks.

This was done in 1999.

1.3 Storing Data in a pipe

You can store data in the actual link between two computers. Why not use the data in the pipe as storage between two servers, and keep your sensitive data in the bandwidth between them? The data is kept perpetually moving over the internet without ever being stored on a server anywhere.

Note – there are lots of things that can go really wrong here.

1.4 Start your own business

You can build a business resolving social network membership: a service that tells someone which social networks an email address belongs or subscribes to.

Talk 2 – Things that Andrew actually did at work

Using a tool called multivo (altivo – someone correct me) you can give it a phrase and it shows you on what webpages the phrase appears. You can then ask it what URLs this appears on.

Now you use a tool called “Name Identity recognition” and it pulls out what is mentioned by whom. It builds you a picture of how the information interconnects on the internet. You can now build a list of who gets mentioned the most on webpages where your term is mentioned. Now you can look at their friends, and suddenly you can see who is involved with your search term and actually send data out relating to your search. You have a list of linked nodes; the people who are the most linked in these nodes you can place in the middle of your node view, and you can actually try and find who is the most connected person within a sphere of influence.

Talk 3 – The ‘Moody’s Diners’ Conundrum

The question is, with the correct budget and enough time, can you hack anyone? Even the president of the US?

How would you protect the president? The current president embraces the Internet. If you attack someone who is high profile, an individual, the normal techniques go out the window. (Imagine the president getting a freshly imaged drive every morning – if he gets compromised it is for one day only.)

Attacking the network won’t work.

A drive by attack might not work.

(Wow, I got lost typing while he explained how the White House network works.)

Footprinting the networks gained nothing.

If you can find an IP for the network, you can do a search for that IP on the internet. Now you can find where these people have been. Using tools like multivo you can build a picture of where an IP/user has been on the internet. Using these tools you can build a profile of this network and the IPs where they were, and eventually you can deduce the IP address of the president’s BlackBerry.

Domain – amithepresident.com

Summary

“They” are monitoring the internet. The idea is that the White House is going on the internet looking for content relevant to them. Suddenly amithepresident.com turns into bait. If you monitor the user agents you can narrow it down to a version that you know is relevant to the president of the US, and you have a real chance of the President of the US visiting the site, you picking up the visit and making contact with his machine.

—————————————————————

Stephen Kreusch – Data Loss Prevention

Stephen will be talking about Data Loss Prevention (DLP)

It is an industry term that refers to systems that monitor and protect data on a system and prevent loss of that data.

Most organizations adopt a phased approach to its implementation.

Network DLP

Network DLP has fewer integration points, so it can be rolled out quicker.

(Ugh, I am running behind now – most of this talk I am playing catch-up – struggled with a dodgy 3G connection…)

Endpoint and storage DLP

Endpoint DLP cannot deploy agents to systems you don’t already own and manage.

If you have data to protect you will need to be able to match the data you have with the records you have of this data. If something changes you will need to know this in order to protect yourself against data loss.

(Incidentally – Gwibber does not like switching connections. It goes ballistic maxing my CPU out…)

Typical DLP Criticisms

  • Doesn’t prevent leaks. (Yes and no – there are ways to deal with that.)
  • DLP is complex to implement and maintain
  • DLP Systems generate too many false positives. A poorly authored system will generate too many false positives. When you use keywords and phrases alone you can run into this problem. You need to use fingerprinted data.
  • DLP is expensive (so is losing your data)
  • DLP can be bypassed – any system can be bypassed. You can use various techniques to make this harder. You can catch a fingerprinted document, but you cannot catch if someone takes a screenshot of a document and mails that out.
  • DLP won’t deliver the expected value, won’t meet your expectations.
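Added example, not from the talk or the live notes, to make the false-positive point above concrete: a keyword rule fires on any message that happens to contain “confidential”, while a fingerprint of the actual document (hashed runs of five words) only fires on text lifted from it. The memo and the two outbound messages are constructed for the demo; the function names are mine, not those of any DLP product.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// shingleSize is how many consecutive words make one fingerprint unit.
const shingleSize = 5

var wordRe = regexp.MustCompile(`[a-z0-9]+`)

// Constructed sensitive document (not a real memo).
const sensitiveDoc = `CONFIDENTIAL: Project Kestrel acquisition memo. The board approved an
offer of 42 million for Northwind Holdings subject to due diligence. Closing is
targeted for the end of the third quarter.`

// Constructed outbound messages: one harmless use of the keyword, one real excerpt.
const benignMsg = "Just a confidential note: lunch is at noon, do not tell the others."
const leakMsg = "FYI the board approved an offer of 42 million for Northwind Holdings subject to due diligence"

// tokens lower-cases and strips punctuation so reformatting alone does not defeat a match.
func tokens(s string) []string { return wordRe.FindAllString(strings.ToLower(s), -1) }

// shingles hashes every run of shingleSize words; only the hashes are ever stored.
func shingles(s string) []string {
	toks := tokens(s)
	var out []string
	for i := 0; i+shingleSize <= len(toks); i++ {
		sum := sha256.Sum256([]byte(strings.Join(toks[i:i+shingleSize], " ")))
		out = append(out, hex.EncodeToString(sum[:8]))
	}
	return out
}

// Fingerprint registers a document as a set of shingle hashes.
func Fingerprint(doc string) map[string]bool {
	fp := map[string]bool{}
	for _, h := range shingles(doc) {
		fp[h] = true
	}
	return fp
}

// KeywordHit is the naive rule: any listed keyword anywhere in the message.
func KeywordHit(msg string, keywords []string) bool {
	low := strings.ToLower(msg)
	for _, k := range keywords {
		if strings.Contains(low, strings.ToLower(k)) {
			return true
		}
	}
	return false
}

// FingerprintScore is the fraction of the message's shingles found in the registered set;
// a policy would block above some threshold (say 0.5) rather than on a single hash.
func FingerprintScore(msg string, fp map[string]bool) float64 {
	sh := shingles(msg)
	if len(sh) == 0 {
		return 0
	}
	hits := 0
	for _, h := range sh {
		if fp[h] {
			hits++
		}
	}
	return float64(hits) / float64(len(sh))
}

func main() {
	fp := Fingerprint(sensitiveDoc)
	for _, m := range []string{benignMsg, leakMsg} {
		fmt.Printf("keyword=%-5v fingerprint=%.2f  %q\n", KeywordHit(m, []string{"confidential"}), FingerprintScore(m, fp), m)
	}
}
```

The benign lunch note trips the keyword rule and scores zero against the fingerprint; the excerpt contains no keyword at all but matches eleven of its twelve shingles. It also shows the bypass the talk concedes: a fingerprint is a function of the text, so a screenshot of the memo carries none of these hashes.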

As security professionals we focus on the vulnerabilities. DLP is really in your face. It forces you to act. It is different to present someone who is not IT inclined with a DLP report as opposed to saying “our system is vulnerable to SQL injection.”

DLP helps you find a lot of problems, but does not necessarily help you fix those problems. DLP is security awareness in practice. You can use a good DLP system to educate your users as to your policy and where they might be breaking it.

Summary

Every organization has some information they don’t want to have monitored, and that they don’t want to have leaked. People need to be aware what you are monitoring. Talk to the people who make these decisions. Monitoring one type of violation often reveals another. Most DLP incidents highlight weak business processes rather than malicious intent. DLP cannot magically identify sensitive information.

—————————————————————

Todor Genov – DNSSEC 01 With a Pinch Of Salt

What is DNSSEC

It is DNS with public key crypto. It is good for authenticating the origin of a response. We get some sort of guarantee of where a denial of existence originated from.

How does it work

Each zone has a public/private key pair. There are new resource records to take into account: RRSIG – the crypto signature over RR data; DNSKEY – the zone’s public keys.

The DS record is used to delegate trust: a secure pointer to the child’s KSK. NSEC and NSEC3 – authenticated denial of existence.

RRsets

It is the building block of DNSSEC.

(Shocked to find that in a room of geeks there is not ONE lazer pointer.)

You can now practise query validation once you have a trust anchor: a DNSKEY that has been verified outside of DNS.

Chain of trust: Starts at a trust anchor, can be delegated to child zones.

The .za and .com zones are not trusted. If you can trust the root zone you can begin to build trust down to the other zones.

There are fewer than 20 TLDs that are signed.

With a signed TLD you can have a verifiable crypto chain and you can know the data can be trusted between two zones.
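Added example, not from the talk or the live notes: a toy model of the chain of trust described above, using the records just listed. Each zone has a KSK and a ZSK; the DNSKEY RRset is signed by the KSK, every other RRset by the ZSK, and the parent publishes a DS record that is a hash of the child’s KSK. The validator starts from a trust anchor (the root KSK, obtained outside DNS) and only ever reads published RRsets and signatures. Zone names, key handling (Ed25519, SHA-256, one signature per RRset) and all function names are simplifications of mine; real DNSSEC has key tags, algorithms, TTLs and signature validity windows that this leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Zone holds a zone's private keys plus what a validator can actually see:
// RRsets keyed "owner/TYPE" and one signature per RRset (the toy RRSIG).
type Zone struct {
	Name     string
	ksk, zsk ed25519.PrivateKey // private halves never leave the zone
	RRsets   map[string][]string
	Sigs     map[string][]byte
}

// KSKPublic is what an operator hands out as a trust anchor.
func (z *Zone) KSKPublic() ed25519.PublicKey { return z.ksk.Public().(ed25519.PublicKey) }

// canon serialises an RRset in a fixed order so signer and validator hash the same bytes.
func canon(key string, rrs []string) []byte {
	s := append([]string(nil), rrs...)
	sort.Strings(s)
	return []byte(key + "\n" + strings.Join(s, "\n"))
}

// NewZone makes a KSK and a ZSK, publishes both in DNSKEY and signs that RRset with the KSK.
func NewZone(name string) *Zone {
	_, ksk, _ := ed25519.GenerateKey(rand.Reader)
	_, zsk, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Name: name, ksk: ksk, zsk: zsk, RRsets: map[string][]string{}, Sigs: map[string][]byte{}}
	dk := name + "/DNSKEY"
	z.RRsets[dk] = []string{hex.EncodeToString(z.KSKPublic()), hex.EncodeToString(zsk.Public().(ed25519.PublicKey))}
	z.Sigs[dk] = ed25519.Sign(ksk, canon(dk, z.RRsets[dk]))
	return z
}

// Publish adds an ordinary RRset and signs it with the ZSK.
func (z *Zone) Publish(key string, rrs []string) {
	z.RRsets[key] = rrs
	z.Sigs[key] = ed25519.Sign(z.zsk, canon(key, rrs))
}

// dsDigest is the DS rdata for a KSK: a hash of the public key, all the parent publishes.
func dsDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Delegate publishes and signs, in the parent, the DS record pointing at the child's KSK.
func Delegate(parent, child *Zone) {
	parent.Publish(child.Name+"/DS", []string{dsDigest(child.KSKPublic())})
}

func contains(ss []string, s string) bool {
	for _, x := range ss {
		if x == s {
			return true
		}
	}
	return false
}

// verifyWithAny tries each key in a DNSKEY RRset (a real validator selects by key tag first).
func verifyWithAny(keys []string, msg, sig []byte) bool {
	for _, h := range keys {
		k, err := hex.DecodeString(h)
		if err == nil && len(k) == ed25519.PublicKeySize && ed25519.Verify(k, msg, sig) {
			return true
		}
	}
	return false
}

// keyMatchingDS finds the child DNSKEY whose digest the parent's DS RRset vouches for.
func keyMatchingDS(childKeys, ds []string) ed25519.PublicKey {
	for _, h := range childKeys {
		if k, err := hex.DecodeString(h); err == nil && len(k) == ed25519.PublicKeySize && contains(ds, dsDigest(k)) {
			return k
		}
	}
	return nil
}

// Validate walks from the anchor down the chain of zones to the one holding key,
// using nothing but published RRsets and signatures. False means "bogus".
func Validate(anchor ed25519.PublicKey, chain []*Zone, key string) bool {
	trusted := anchor
	for i, z := range chain {
		dk := z.Name + "/DNSKEY"
		keys := z.RRsets[dk]
		// 1. the zone's DNSKEY RRset must contain the KSK we trust and be signed by it
		if !contains(keys, hex.EncodeToString(trusted)) || !ed25519.Verify(trusted, canon(dk, keys), z.Sigs[dk]) {
			return false
		}
		if i == len(chain)-1 { // 2. leaf zone: the answer RRset must verify under a published key
			rrs, ok := z.RRsets[key]
			return ok && verifyWithAny(keys, canon(key, rrs), z.Sigs[key])
		}
		// 3. delegation: the DS RRset is signed here and must match a KSK the child publishes
		child := chain[i+1]
		dsKey := child.Name + "/DS"
		if !verifyWithAny(keys, canon(dsKey, z.RRsets[dsKey]), z.Sigs[dsKey]) {
			return false
		}
		if trusted = keyMatchingDS(child.RRsets[child.Name+"/DNSKEY"], z.RRsets[dsKey]); trusted == nil {
			return false
		}
	}
	return false
}
```

To try it: build `root`, `za.` and `example.za.` with `NewZone`, call `Delegate(root, za)` and `Delegate(za, example)`, `Publish` an A record in the leaf and pass `root.KSKPublic()` as the anchor to `Validate`. Changing the published rdata after signing, swapping in a zone whose KSK is not in the parent’s DS, or starting from the wrong anchor all come back false, which is the “.za is not trusted” situation from the talk: with no DS in the parent, the chain has nowhere to go.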

Caching DNS servers

You now have a Validating Cache – once the full chain of trust is authenticated you can cache that on your server.

You have to provide a non-validating cache.

Denial of Existence – NSEC

NSEC creates a chain of non-existence between RRs in a zone. (dig doesnotexist.se NS)

Some zones may not be considered secure or safe.

NSEC3 creates a chain of non-existence between hashes of RRs in a zone. The NSEC3 response returns the hash salt and the number of iterations used. (dig idontexist.org NS)

NSEC3 adds a lot of workload on authoritative and caching DNS servers.
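Added example, not from the talk or the live notes, covering the NSEC and NSEC3 points above: a denial-of-existence chain links every name that exists to the next one in canonical order, so the record whose gap contains the queried name is the proof that it does not exist. NSEC3 does the same over salted, iterated hashes of the names, which is where the extra work comes from. Zone names are constructed; the hash is simplified to SHA-256 over the text name (RFC 5155 uses SHA-1 over the wire-format name), and all function names are mine.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Record is one link in a denial-of-existence chain: an owner name that exists
// and the Next owner in sorted order. The last link wraps around to the first.
type Record struct{ Owner, Next string }

// labelsReversed turns "www.example." into ["example", "www"], lower-cased.
func labelsReversed(name string) []string {
	parts := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// CanonicalLess is DNS canonical name order (RFC 4034 section 6.1): compare
// labels from the root downwards, with a parent sorting before its children.
func CanonicalLess(a, b string) bool {
	la, lb := labelsReversed(a), labelsReversed(b)
	for i := 0; i < len(la) && i < len(lb); i++ {
		if la[i] != lb[i] {
			return la[i] < lb[i]
		}
	}
	return len(la) < len(lb)
}

// StringLess orders NSEC3 hashes, which are compared as plain strings.
func StringLess(a, b string) bool { return a < b }

// BuildChain sorts the names that exist and links each one to its successor.
func BuildChain(names []string, less func(a, b string) bool) []Record {
	s := append([]string(nil), names...)
	sort.Slice(s, func(i, j int) bool { return less(s[i], s[j]) })
	chain := make([]Record, len(s))
	for i := range s {
		chain[i] = Record{s[i], s[(i+1)%len(s)]}
	}
	return chain
}

// Covering returns the record whose gap contains q, i.e. the (signed) proof that q
// does not exist, or nil when q is itself an owner name and so no such proof exists.
func Covering(chain []Record, q string, less func(a, b string) bool) *Record {
	for i := range chain {
		r := &chain[i]
		if strings.EqualFold(r.Owner, q) {
			return nil
		}
		wrap := !less(r.Owner, r.Next) // the last link wraps back to the apex
		if (less(r.Owner, q) && less(q, r.Next)) || (wrap && (less(r.Owner, q) || less(q, r.Next))) {
			return r
		}
	}
	return nil
}

// NSEC3Hash computes H(...H(H(name||salt)||salt)...) with the given iteration count;
// salt and count are published in the NSEC3 record so a validator can repeat this.
func NSEC3Hash(name, salt string, iterations int) string {
	sum := sha256.Sum256(append([]byte(strings.ToLower(name)), salt...))
	for i := 0; i < iterations; i++ {
		sum = sha256.Sum256(append(sum[:], salt...))
	}
	return hex.EncodeToString(sum[:])
}

// BuildNSEC3 hashes every existing name and chains the hashes instead of the names.
func BuildNSEC3(names []string, salt string, iterations int) []Record {
	hashed := make([]string, len(names))
	for i, n := range names {
		hashed[i] = NSEC3Hash(n, salt, iterations)
	}
	return BuildChain(hashed, StringLess)
}

// CoveringNSEC3 hashes the queried name with the zone's parameters, then finds its gap.
func CoveringNSEC3(chain []Record, q, salt string, iterations int) *Record {
	return Covering(chain, NSEC3Hash(q, salt, iterations), StringLess)
}
```

Two things fall out of running it. With plain NSEC the proof for `ftp.example.` names its two neighbours, so the chain can be walked to enumerate the zone; with NSEC3 the neighbours are hashes. And every NSEC3 answer costs the authoritative server and the validating cache `iterations + 1` hash computations per name, which is the workload the talk warns about.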

Pitfalls of DNSSEC

Zone files are no longer human-modifiable

ZSK and KSK lifetime expiration

(This is turning DNS into a mess of note <= verbatim quote from Todor.)

Requires parent zone to be authenticated.

Lookaside Validation (DLV)

RFC 5074

For the 80% of zones that are not signed yet. (dlc.isc.org)

Useful for early adopters, workaround for zaDNA’s lack of DNSSEC

Already configured on at least one ZA ISP’s caches.

Summary

Add +dnssec to the standard dig command.

What kind of demand is there from the client base? Response – non-technical people are not aware of this yet. The value-add would be the banks jumping on the bandwagon. It addresses a design flaw in DNS. Demand is not really there right now from the client base.

That is it for the first session.

We are now breaking till 11:00am. Will be back with more ZaCon goodness after the break.
