The Cost of Networking @ Blackhat (Frequency-X Blog, 2008)
The second day of Blackhat Amsterdam proved to be just as good as the first, with the afternoon's presentations generally being of more interest to me than the morning's (my perception may have been unduly tainted by the previous evening's late-night meanderings and consumption of fermented liquids with the usual flock of pentesters).
Intercepting Mobile Phone/GSM Traffic
The first talk to stand out to me was “Intercepting Mobile Phone/GSM Traffic” by David Hutton and Steve. The room was pretty full and the back row was consumed by various media with cameras in tow. Having not heard all the rumors etc. about the talk, I was a little surprised that so many people were interested in GSM interception and breaking A5/1 – after all, the theory and proof points have been around for over a decade now.
They did a great job outlining the historical security flaws concerning GSM, and their observational decodes of current GSM handshaking processes revealed that mobile operators don’t appear to be following their own advice on securing critical data (such as the plain-text IMSI number of the handset).
For the last couple of years I’ve been talking about illegal GSM/GPRS interception, with the primary vectors relying upon active equipment (e.g. cell-boosters, nanocell stations, etc.) and downgrade attacks. Their completely passive cracking of GSM calls was very interesting because they are able to do it with only a few data packets and were able to make use of rainbow tables to accelerate the actual cracking of the A5/1 encryption. So, hats off to these guys.
While the GSM side is very interesting and completely noteworthy, I think that perhaps the most important part of their presentation was actually their use of FPGA (field-programmable gate array) boards to radically accelerate the generation of their rainbow tables. For example, on a single high-speed PC it would have taken 33,235 years to generate the table (at 550,000 A5/1 computations per second). Using 68 FPGA boards mounted in a custom chassis they did it in 3 months (at 72,533,333,333 A5/1 computations per second).
It’s significant because this is (now) a very public case of how “off-the-shelf” FPGA hardware can be used to boost specialized cracking processes by many orders of magnitude. Given the fact that these processing technologies are relatively cheap (and getting both faster and cheaper), I’d recommend that companies take a much closer look at the key lengths of the encryption systems they currently use – and reevaluate the amount of time that attackers will need to crack their systems in the future.
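To make that reevaluation concrete, here is a small calculator, added for this post and not part of the talk or the original write-up. It takes the two throughput figures reported above, checks that they are consistent with each other (the reported 33,235 years on one PC versus 3 months on 68 boards), works out how much computation the table generation implied, and then shows what the same two attackers would do against plain exhaustive search of keys of several lengths. Two assumptions are mine: the reported "A5/1's per second" is treated as one key-setup computation per second, and the key-length table uses average-case brute force (half the keyspace), which is a simplification and says nothing about the time-memory trade-offs the presenters actually used.

```python
# Added example: a key-length versus attacker-throughput calculator built
# around the figures reported in this post. Not the presenters' code.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Figures as reported above for generating the A5/1 rainbow table.
# Assumption: one "A5/1 per second" is one key-setup computation per second.
PC_RATE_PER_SEC = 550_000            # one high-speed PC
FPGA_RATE_PER_SEC = 72_533_333_333   # 68 FPGA boards in a custom chassis
PC_YEARS = 33_235                    # reported single-PC running time


def years_to_search(work_ops: float, rate_per_sec: float) -> float:
    """Wall-clock years needed to perform work_ops operations at rate_per_sec."""
    return work_ops / rate_per_sec / SECONDS_PER_YEAR


def implied_work(years: float, rate_per_sec: float) -> float:
    """Total operations implied by a reported running time at a given rate."""
    return years * SECONDS_PER_YEAR * rate_per_sec


def implied_work_bits(years: float, rate_per_sec: float) -> float:
    """Same as implied_work, expressed as a power of two (log2)."""
    return math.log2(implied_work(years, rate_per_sec))


def speedup(fast_rate: float, slow_rate: float) -> float:
    """Throughput ratio between two attackers."""
    return fast_rate / slow_rate


def expected_bruteforce_years(key_bits: int, rate_per_sec: float) -> float:
    """Expected time to recover a random key_bits key by exhaustive search.
    Simplification: on average half the keyspace is tried."""
    return years_to_search(2 ** (key_bits - 1), rate_per_sec)


def bruteforce_table(rates: dict, key_lengths=(40, 56, 64, 80, 128)) -> dict:
    """Map key length -> {attacker name -> expected years} for each attacker in rates."""
    return {
        bits: {name: expected_bruteforce_years(bits, rate) for name, rate in rates.items()}
        for bits in key_lengths
    }


if __name__ == "__main__":
    # Consistency check on the reported figures: same job, two attackers.
    print(f"implied table-generation work: ~2^{implied_work_bits(PC_YEARS, PC_RATE_PER_SEC):.1f} computations")
    print(f"FPGA cluster speedup over one PC: {speedup(FPGA_RATE_PER_SEC, PC_RATE_PER_SEC):,.0f}x")
    months = years_to_search(implied_work(PC_YEARS, PC_RATE_PER_SEC), FPGA_RATE_PER_SEC) * 12
    print(f"same job on the FPGA cluster: {months:.1f} months")

    # What those throughputs mean for exhaustive search at various key lengths.
    attackers = {"one PC": PC_RATE_PER_SEC, "68 FPGAs": FPGA_RATE_PER_SEC}
    for bits, row in bruteforce_table(attackers).items():
        print(f"{bits:>3}-bit key: " + ", ".join(f"{n}: {y:.3g} years" for n, y in row.items()))
```

The consistency check is the interesting part: the reported rates differ by a factor of about 131,879, and 33,235 years divided by that is almost exactly 3 months, so the two numbers hang together. The implied work of roughly 2^59 computations is well short of the full 2^64 A5/1 keyspace, which is what you would expect from a table-based (time-memory trade-off) precomputation rather than brute force. The brute-force rows are the part to carry into your own review: a 64-bit key that takes the single PC about half a million years falls to the FPGA cluster in a handful of years, and the next generation of boards will be faster still.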
Investigating Individuals and Organizations Using Open Source Intelligence
The other talk I found very interesting (and capped off two days of Blackhat) was titled “Investigating Individuals and Organizations Using Open Source Intelligence”, delivered by Roelof Temmingh and Chris Böhme.
Having come from a penetration testing background, I’ve always relied upon passive information gathering techniques to start the ball rolling for any engagement. Roelof and Chris have managed to take this to the next stage and made it much more personal by automatically linking public information stores (such as that from social networking sites) to extract personal information – effectively paving new ways for effective social engineering and manipulation of Web 2.0 social/collaborative networks.
Granted, there may be some legal gray areas – such as breaking fair-use and terms-of-use clauses at some social sites – but, at the end of the day, it’s not like the bad guys are actually going to adhere to the rules, so it’s important that professional security researchers be allowed to examine these areas (I mention that point because Roelof and Chris managed to get a few ‘Cease and Desist Trespassing’ letters from some well known Web 2.0 sites).
I found the most interesting aspects of their talk to be about the use of imaginary virtual friends and the subsequent creation of entirely fake virtual
What Roelof and Chris managed to do in their talk was to clearly show how the creation of even “dumb” AI processes can govern an army of completely virtual identities, bypass current generation “is it a real human” tests, and manipulate community ratings (e.g. guarantee that a particular movie will be ranked number one). This in turn can be used in very profitable ways – e.g. what happens if you’re the movie’s producer? Higher ranking equals more viewers and higher box-office revenues (in fact some people would argue that the precedent has already been set and has been happening for decades with the music industry’s Top-40 listings).
With cyber criminals proving adept at following the money, I have little doubt that somewhere around the world someone is already coding up the first generation of AI virtual identity agents in preparation for distribution to existing botnets.
That's yet another “blade” to existing botnet malware and a low-hanging-fruit vector for making money – governed only by the imagination of the criminals.