Lessons from DEFCON 17: What Have They Broken into Now?

Security Featured Article


October 19, 2009


By TMCnet Special Guest
Richard Rees, Director of Security Solutions, SunGard Availability Services


Typically, one goes to DEFCON to get the scoop – what’s going on, what’s going to be compromised, and what the security industry should worry about in 18 months. At least, that’s the justification for four days in Las Vegas that appears on corporate training request lists. There is always the unforeseen that makes for entertaining stories – this year it was the thieves that picked the wrong time to put a fake ATM in the lobby next to thousands of curious security practitioners.

 
The maturation of the security community has resulted in a change of focus for DEFCON. It is no longer about information wanting to be free, or undercover officers monitoring a fringe community. Organized crime has realized very real dollars can be made by exploiting vulnerabilities, and information that aids them in this effort is equally valuable. To that end, the talks on defeating the Secure Sockets Layer were very well attended.
 
The most well-received talk (aside from Adam Savage of Mythbusters fame) was given by Moxie Marlinspike on SSL insecurity. E-commerce is heavily dependent upon SSL, and unfortunately the same elemental problem still exists. SSL is simply a connection between two points that is reasonably well encrypted. Unfortunately, determining who or what those end points actually are, well, that’s always been the challenge. A major change was the release of Extended Validation certificates for SSL. The criteria for this certificate (the kind that turns your browser bar green) include verification of a physical location or office as well as specific information typically gleaned from articles of incorporation. The two main goals are to increase the potential level of trust an end user has in conducting e-commerce with a merchant and to decrease the likelihood of man-in-the-middle attacks by malicious attackers. However, the success or failure of both EV SSL and regular SSL is predicated on the trust of the Certificate Authority.
 
In the security space, we call that a single point of attack. Moxie discovered an input validation vulnerability in how most CAs issue certificates: specifically, the use of a NULL character in the signing request. Browsers ignore the information after the NULL character in typical SSL implementations. CAs ignore the information before the root domain, checking only the root domain to ensure it is an authorized request. By leveraging this in a MITM attack, the connection can still be easily spoofed on both ends, again allowing an attacker access to cleartext information such as credit card numbers, usernames and passwords, and more.
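The mismatch described above, as an added example (not code from the article or from the talk): the same length-prefixed certificate name is read by a C-string comparison, by a root-domain suffix check, and by a hardened check that rejects embedded NUL bytes. The struct, the function names and the `.example` domains are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as encoded: raw bytes plus an explicit length.
   Assumption: data is also NUL-terminated and already lower-cased. */
struct cert_name { const char *data; size_t len; };

/* Constructed sample: a NUL byte embedded between two domain names. */
static const char SAMPLE[] = "www.bank.example\0.requester.example";
static const struct cert_name SAMPLE_NAME = { SAMPLE, sizeof(SAMPLE) - 1 };

/* Client-side check as the article describes it: the name is handled as a
   C string, so everything after the first NUL byte is ignored. */
bool naive_host_match(struct cert_name n, const char *host) {
    return strcmp(n.data, host) == 0;
}

/* Issuer-side check as the article describes it: only the root domain at
   the end of the full-length name is compared with the requester's domain. */
bool ca_root_domain_match(struct cert_name n, const char *root) {
    size_t rl = strlen(root);
    if (n.len < rl) return false;
    if (memcmp(n.data + n.len - rl, root, rl) != 0) return false;
    return n.len == rl || n.data[n.len - rl - 1] == '.';
}

/* Hardened check: refuse any name with an embedded NUL, then compare
   using the encoded length rather than C-string semantics. */
bool strict_host_match(struct cert_name n, const char *host) {
    if (memchr(n.data, '\0', n.len) != NULL) return false;
    return n.len == strlen(host) && memcmp(n.data, host, n.len) == 0;
}

int main(void) {
    printf("naive client match:  %d\n", naive_host_match(SAMPLE_NAME, "www.bank.example"));
    printf("issuer root match:   %d\n", ca_root_domain_match(SAMPLE_NAME, "requester.example"));
    printf("strict client match: %d\n", strict_host_match(SAMPLE_NAME, "www.bank.example"));
    return 0;
}
```

The first two checks both accept the sample name while disagreeing about which domain it belongs to; the strict check rejects it and still accepts a clean name.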
 
EV SSL continued to take a beating. Mike Zusman identified a way to potentially trick a non-technical user into believing that the EV SSL connection had not been intercepted. He used a self-signed “standard” SSL certificate to proxy the connection and all that is seen on the end-user side is a temporary change or flicker of the green EV SSL bar. Zusman has included this capability in his sslsniff tool (which can also generate the certificates on the fly). The demonstration of his talk is online and can be found at http://stub.bz/sslrebinding - well worth the five minutes or so to watch.
           
In addition to the attacks on SSL, there were two presentations that I found very interesting: hacking the air traffic control system and outsmarting smart parking meters. The air traffic control presentation was useful for a single tidbit of information related to NextGen, the replacement for radar tracking being driven by the Federal Aviation Administration. NextGen uses GPS and relies heavily on the information provided by the transponder in the cockpit. The one with the off switch. The data is sent to the ground from the transponder and contains the aircraft identifier, altitude, and the latitude/longitude of the aircraft. Of course, it isn’t encrypted, allowing anyone with the right equipment to decode and plot aircraft. Because part of the use of this system may be for automated landing systems, the field tests in Juneau have suddenly gotten a great deal more interesting.
 
I’m from Chicago, where our joy about new parking meters is well known, hence my attendance at Joe Grand’s talk on so-called “smart” parking meters. After acquiring example parking meters to reverse engineer from eBay, he and his partners successfully created an “infinite smartcard” to be used in San Francisco’s parking system. Fortunately, Chicago doesn’t currently use the smart card system, so I haven’t been tempted. However, their analysis of the general technology points to multiple potential avenues of exploration: wireless connectivity via radio or General Packet Radio Services (GPRS) as well as infrared. I look for more interesting discussions on this topic from the group.
 
DEFCON 17 was subtly different than other times I have attended. Perhaps it was the lack of lawsuits and ego clashes that have marked the other conventions. Richard Thieme said it best in his talk on hacking the human machine when he remarked about how old the crowd was getting – late 20s and up. All the cool kids aren’t hacking computers any longer – biohacking is the new frontier. Even the articles are the same. Just remove the “bio” from these titles and the pattern is clear: “Biohacking: harmless hobby or global threat?” “The worry of biohacking” “The genre of biopunk” “DIY genetic engineering” - well, maybe not that last one. What does this mean over the long term? I think as more security practitioners get co-opted by corporate America, and as corporate America continues its drive to place the computing power that was once the sole province of major corporations in the hands of the end user, the edgy DEFCON crowd will continue its migration from hard-core hackers to softer “security researchers.” The challenge-seekers will move on to other pursuits that aren’t as well defined while those that remain in the security space will find the formerly fringe DEFCON absorbed into its corporate sibling, the Black Hat conferences.
 
Richard Rees is a nationally recognized expert in how information security trends and technologies effectively support business operations. Richard works with SunGard’s customers to define and architect reliable, independent and timely information security solutions designed to keep them out of harm’s way – combating both external and internal threats against the enterprise. When things go awry, he helps deploy SunGard’s forensic team to investigate and address computer incidents. Richard’s experience ranges from mentoring Chief Security Officers in implementing security programs to conducting enterprise security assessments of global organizations, regulatory reviews (HIPAA, GLBA, SOX), vulnerability assessments, and penetration testing.
 
Prior to joining SunGard, he was the Security Practice Lead for the Midwest at a well-known professional services organization. He was responsible for the development and delivery of specialized security services, including industry benchmarking security assessments and HIPAA compliance solutions, as well as mentoring and managing security consulting teams. He brings to SunGard more than a decade of diversified information security experience with both public and private enterprises in industries including financial services, healthcare, government, consumer products, education, manufacturing, retail and energy.
 
Richard received a B.S. in Electrical Engineering from Michigan State University. He has been a Certified Information Security Systems Professional since 1999, and also holds Novell Certified Network Engineer (CNE) and Microsoft Certified Systems Engineer (MCSE) certifications. Richard is also a frequent presenter and panelist on a range of information security topics at events throughout the United States for the military and law enforcement as well as private industry.


Edited by Michael Dinan

