Wednesday, July 28, 2010

BlackHat USA 2010: How to Turn ATMs Into Jackpotted Slots, Basejump the GSM, Lift Malware Developer's Fingerprints & Face Our Existential Dilemma

BlackHat USA 2010: How to Turn ATMs Into Jackpotted Slots, Basejump the GSM, Lift Malware Developer's Fingerprints & Face Our Existential Dilemma

By Richard Power

Flying into Las Vegas at dawn for the first day of BlackHat USA 2010, I once again felt the poignancy of this extraordinary place. From the original Ocean's Eleven (1960) to Martin Scorsese' Casino (1995), from Howard Hughes to Hunter S. Thompson, Las Vegas is the stuff of legends.

As I walked to the taxi stand, I wondered, which is more remarkable, the incredible heat and dryness of this desert, or the incredible flow of energy and water demanded to sustain this desert city?

And, of course, in Las Vegas, all around you, every moment of the day, the sun beats down, offering all the energy you would need to negate the heat it generates; and of course that energy is yet to be tapped.

Ah, the human folly.

Now the subject of human folly provides an excellent segue way to the cyber security scene here at the end of the first decade of the 21st Century.

In his opening remarks of Jeff Moss (the man who launched BlackHat way back when), made an important point: “We are all heads’ down, working on technical, specific problems. Everyone once in awhile it is probably a pretty good idea to get an idea about ‘what’s the bigger world we are all operating in, what is the larger context we do this for, is it for society, or your business, or your personal advancement? ... What security problems have we fundamentally solved? I can’t really think of any real big things we have killed. Can we send e-mail securely? I don’t think so. Can we write a packet securely? Can we browse the Web securely? No. But we’ve got 50,000 new vendors, and lots of widgets. I am trying to understand what is the incentive? How do we solve these larger problems that are so fundamental, the underpinnings of everything we do? For our country and for every country in the world the Internet is an engine for innovation and commerce. And yet , we do not seem capable of putting the energy forth to secure the fundamental underpinnings .. In whatever endeavor you are in I want you to think about how we can fix the underlying fundamentals."

Moss' creation, BlackHat continues to evolve, year after year, both as an important industry event and as an invaluable technical resource.

Here are some highlights from three of the sessions that I found compelling.

The Grugq, who lives in Thailand, and works as a senior security researcher for Singapore-based Coseinc, spoke on "Base Jumping: Attacking the GSM Baseband and Base Station."

The Grugq gave an overview of the GMS protocol and infrastructure, and then explained some GSM attacks: RACHell, in which the attacker floods the BSS with requests and prevents everyone from using that cell, IMSI Flood, in which the attacker overloads the HLR/VLR infrastructure, and prevents everyone from using the network, and IMSI DETACH, in which the attacker sends multiple Location Update Requests, including a spoofed IMSI, and prevent a SIM from receiving calls and SMS.

In his understated conclusions, Grugq observed: "GSM is no longer a walled garden. GSM spec has security problems. Expect many more issues as OSS reduces costs for entry."

Greg Hoglund of HBGary, Inc. spoke on "Malware Attribution: Tracking Cyber Spies and Digital Criminals."

Hoglund suggested that in a world where "the largest computing cloud" is "controlled by Conficker," we should be paying more attention to the creators of such malicious programs: "Attribution is about the human behind the malware, not the specific malware variants; and that the focus must be on human influenced factors."

He went on to show that on a spectrum of intelligence sources regarding the originators of malware, ranging from "nearly useless" (e.g., blacklists) to "nearly impossible" (physical surveillance/HUMINT), "Developer Fingerprints" (e.g.,"IDS signatures with long‐term viability") occupied a "Sweet Spot."

Hoglund offered some compelling evidence that malware attribution was "possible through forensic toolmarking combined with both open and closed source intelligence."

Barnaby Jack, Director of Research at IOActive Labs, spoke, to an overflowing audience, on "Jackpotting Automated Teller Machines Redux."

To loud laughter from the audience, Jack cited the disturbing words of Windows CE developer, Thomas Fenwick: “We were concerned about protection, but not about security. We weren’t trying to design an airtight system like Windows NT.”

Then Jack proceeded to take us step by step through turning a stand-alone ATM machine into the equivalent of a Vegas slot machine that had hit the jackpot, and highlighting the tools he has developed to do so, Scrooge, his own rootkit, and Dillinger, his own remote attack and administration tool, which allows for "management of unlimited ATMs."

By the end of Jack's stunning presentation, the two ATMs on the stage were spitting out dollar bills to uproarious applause.

What a compelling metaphor for the state of cyber security in the last year of the first decade of the 21st Century.

Jack offered some suggestions in terms of countermeasures, including "offer upgrade options on physical locks," and "implement trusted environment."

See Also

From Parking Meters to the Cloud, from SMS to Smart Grids ... Is Everything Broken? -- Report from Black Hat Briefings (Las Vegas 2009)

And Other CyBlog Conference Coverage ...

SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium

Notes on TIW 2010: The Builders & Building Blocks of Trustworthy Infrastructure

CyLab Research has Powerful Impact on 2010 IEEE Security & Privacy Symposium

RSA 2010: Lost in the Cloud, & Shrouded in the Fog of War, How Far Into the Cyber Future Can You Peer? Can You See Even Beyond Your Next Step?

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

RSA Conference 2009: Summary of Posts