DefCon 18 is the computer security conference in Las Vegas following the Black Hat conference, famous for releasing many important exploits that force software and systems providers, telecommunications companies to fix low level security issues that effect us all. It’s a huge reverse engineering, hacking and intellectual critique fest. Many federal agencies, contract providers, reverse engineers, genius kids and other rogues (like me) appear to enjoy the deep virtual and human packet inspection. Highlights from DefCon 18: http://www.defcon.org/ 1) Docsis Docsis (most recent is 3.0) is the modem protocol for cable modems which includes channel bonding capabilities that vastly expand regular cable data transfer capabilities beyond T1 speeds. A firmware upgrade with a linux based stack to most commonly available cable modems allows for “network diagnostics”, which vastly expands speed via interface bonding, channel security and much more. Defcon 16 showcased various modifications and techniques to gain free and anonymous cable modem internet access. Analyzed and discussed were the tools, techniques, and technology behind hacking DOCIS 3.0. Haxomatic USB JTAG/SPI firmware was released by programmer Rajkosto & SBHacker and updated DOCSIS 3.0 hacked firmware for TI puma5-based cable modems was made available. *Blake Self* is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and R&D at various corporations including Airscanner and Ontario Systems. He currently works in the automated data collection industry as well as doing research for S2ERC (http://www.serc.net). *Bitemytaco* is a well-known person in the DOCSIS research community and one of the root admins at SBHacker.net, the largest modem hacking community in the world. He funded the development of Haxorware (coded by Rajkosto) - the most popular and innovative diagnostic cable modem firmware ever released. He also coordinated the development of the current hacked SB6120 firmware and released it to the public on Christmas 2009. Taco has been researching cable modem networks since 1998 and has been involved in the modem hacking scene for many years. "DOCSIS: Insecure By Design" was presented at DEFCON 16 by Taco along with teammates Blake of SERC and devDelay of SBHacker. History: Docsis is at the heart of Net Neutrality legislations: http://www.wired.com/threatlevel/2010/04/net-neutrality-throttle/ Sniffing Cable Modems from DefCon 16: https://media.defcon.org/dc-16/video/Defcon16-Guy_Martin-Sniffing_Cable_Modems.m4v Quote: “Unless you steal the cable you are “testing”, the laws for expanding cable services exist in the grey area we all work within”. 2) WPA2 Hole 196: Using the inherently broken GTK handshake to bypass security (and user encapsulated network isolation keys) in WPA2 (full toolset released), allowing for instant transparent Man in the Middle attacks using multicast,unicast and broadcast packets, (works once you have a shared network session [5 minutes to crack any WEP/WPA/WPA2 using BackTrack4/Aircrack-ng (7 minutes with MAC address filtering or hidden SSID)]; Hole 196 allows for instant exploits of all user services once sharing and Enterprise WPA2 system and includes the addition of only 4 lines of code to existing exploit tool-chains to target openly transmitted GTK keys. Excerpt: AirTight Networks (a wireless security vendor) presented a demo of a new WPA2 vulnerability that affects even 802.1X-authenticated networks. Several press releases note the attack uses information of a vulnerability found on page 196 of the IEEE 802.11 wireless specification. *Possible attacks:* - Compromise authentication server (AS) which participates in key distribution - Compromise pairwise (individual station) keys - Reuse of GTK (only for broadcast/multicast) - Spoof AP or authentication server (AS) for MITM attack - Implement an 802.1X EAP method which is insecure (ie EAP-MD5) and compromises the keys - Attack on TKIP (versus CCMP) *The documented 802.11 standard vulnerability:* Page 196, Section 8.5 Keys and Key Distribution Under that section is this paragraph: NOTE—Pairwise key support with TKIP or CCMP allows a receiving STA to detect MAC address spoofing and data forgery. The RSNA architecture binds the transmit and receive addresses to the pairwise key. If an attacker creates an MPDU with the spoofed TA, then the decapsulation procedure at the receiver will generate an error. GTKs do not have this property. http://www.networkworld.com/news/2010/073010-airtight-wpa2-vulnerability.html 3) Powershell automatic Metasploit and Meterpeter exploits: Powershell comes in Windows 7 by default (cannot be disabled), and is a powerful command line addition to Windows applications allowing for bypassing even .Net and .dll protection. Hopefully, Windows users are protected by adequate network OSI layers, as this application allows for instant integration with Metasloit/Meterpreter/FastTrack tools for point and click exploits. http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Kennedy * * *Feel free to attend the Phoenix Linux User’s Group HackFests 2nd Tuesday of Every Month 18:30-20:00 at the Cowden Center at JCL hospital in North Phoenix for a video replay of these presentations and the complete seminars. * We will be showcasing the actual video (produced professionally at DefCon) of all the sessions all year long. -- IvedaXpress.com Systems Engineer Office: (480)307-8712 AT&T: (503)754-4452 "Faith is, at one and the same time, absolutely necessary and altogether impossible. " --Stanislav Lem