29c3 Hamburg / DE

The last week of 2012 marked the 29th installment of the Chaos Communication Congress. Organized by the Chaos Computer Club (CCC), the congress is an annual conference on technology and its impact on society. Although the scope may look quite loose, both lectures and workshops typically revolve around privacy, freedom of information, data security and other hacking issues. Needless to say, it has always been a great success; a huge one, considering that Black Hat-sized events here in Europe are not that common. Take, for instance, the fact that this year the congress had to be held in Hamburg, as Berlin could not offer a congress center fit to host more than 6000 attendees. Trust me, this number was not an exaggeration at all!

Congress Center Hamburg by night.

I admit my expectations were quite high: after four long years of scientific symposia, going back to more technical venues was indeed putting my brain in hunger mode. However, having experienced what it means to organize medium-sized scientific conferences, I was honestly puzzled about how to turn a huge building such as the Congress Center of Hamburg into a functional place ready to host lectures, workshops, and hack spaces. Boy, was I wrong to worry about it. The event lasted 4 whole days (from the 27th to the 30th) with an impeccable organization: not only were all lectures and workshops flawlessly organized, streamed, and chaired; all open spaces were also collectivized and used for all kinds of hacking purposes, from playing CTF to entry-level courses on the Arduino platform.

The speakers, on the other hand, could take advantage of extremely well-sized rooms, with the most important talks held in an auditorium able to host more than 2000 people. Nevertheless, I have to say I was forced to learn one thing pretty fast: if you are interested in a topic, and that topic happens to be quite a hot one, well, be ready to get to the room at least 15 minutes before show-time; seriously, being on time never worked; any room, regardless of its capacity, was liable to get full. Believe me, I was really thankful for the flawless streaming infrastructure (watching on my laptop a talk that was taking place just a few meters away was indeed paradoxical 🙂 ).

Jacob Appelbaum on stage.

The first day’s line-up was respectable. The keynote was given by Jacob Appelbaum, known for his contributions to “The Tor Project”, and also a former spokesperson for WikiLeaks. After the usual introductions, he explained the reasons behind this year’s congress motto, “Not My Department”. We have all heard this sentence at least once in our lives; usually uttered to belittle other people’s arguments, it has always been used as an example of a closed mindset at work. Jacob’s point was that this attitude is even more detrimental in an inter-connected world. What is the use of a privacy-preserving bill if our data flows through the routers of oppressive governments potentially assembling huge data sets about our lives? He therefore called for a new level of awareness.

The day climaxed at night with a talk about SCADA systems and their exposure to network attacks. It is a bit weird to say it, but based on the speaker’s analysis many critical infrastructures (highly clustered in countries such as Spain and Italy, ouch!) are still vulnerable as I write. The talk, besides responsibly disclosing some vulnerabilities of the software controlling the PLCs (e.g., Simatic WinCC), highlighted once again how these infrastructures are run and controlled by unpatched, if not extremely outdated, operating systems (I am not going to sugar-coat it: some of the analyzed machines were running Windows 95, yes!). I will really welcome the day when best practices to protect SCADA systems (like those that ENISA and its spin-off E3PR are working on) are finally enforced.

The second day offered another impressive line-up. The talk that interested me most was an analysis of the HTTPS protocol and of recent breaches and malpractices at some Certificate Authorities. I guess we all remember what happened with the Dutch CA DigiNotar: the breach was kept silent, and for entire weeks web browsers kept trusting certificates which allowed attackers to intercept the communications of Iranian residents (for an extensive analysis see 1, 2). A rather unique and interesting argument of the talk was whether such CAs should be considered (like some banks in the recent, on-going economic crisis) too big to fail, and therefore whether new regulations should be imposed, effectively changing the governance of the HTTPS ecosystem. Arguably not “the” panacea against all the systemic vulnerabilities of the HTTPS protocol (see here), but possibly a considerable step towards an emergency response team for DigiNotar-like cases. On a totally different note, the talk also highlighted that no solution currently exists for netbooks forcibly applying Windows updates 🙂

Unexpected Windows Update happens.

Due to my former interests in memory analysis for malware detection, I was also intrigued by the talk “Defeating Windows Memory Forensic”; besides covering the current literature (please, do check “Shadow Walker – Raising the bar for Rootkit Detection”, if you haven’t yet), the speaker presented Dementia, a tool to hide kernel objects such as process or thread data structures from forensic applications like Memoryze. I had some technical concerns with respect to its validity (especially considering that forensic approaches via minimalistic hypervisors have been proven viable); on the other hand, it was indeed notable to see that, to some extent, it is possible to deceive forensic tools by means of techniques running in user space; no need to be a kernel rootkit to pull it off.

The real cherry on top was, however, a technical talk entitled “The future of protocol reversing and simulation applied on ZeroAccess botnet”. Honestly, I was totally unaware of the open source tool Netzob; what it does is both nifty and ingenious: it attempts to reverse a binary protocol (it must not be encrypted, though!) by means of machine learning techniques; although not completely automatic (the reverser needs to help the tool infer the correct grammar of the protocol), it surely provides an advantage over hours spent staring at hex dumps. I am planning to play a bit with it in the coming days, so expect a quick blog post real soon!

Besides the talks, I also had the opportunity to talk with several security experts from different backgrounds. Trust me when I say that this is half the value of conferences such as the CCC; highly recommended, especially if you need a couple of informed opinions about what you’ve worked on. Waiting for 30c3 now!!
