Friday, March 7, 2014

RootedCON Chronicle: Day 1

The RootedCON congress, which is the biggest security event in Spain, started yesterday. 


Researchers and companies commonly use the event to disclose new vulnerabilities and/or tools: studies lasting several months (or years) that reach their moment of glory in an official presentation in front of more than one thousand people from the industry.

In fact, Rooted 2014 is a long way from its beginnings as a basic security fair five years ago. They have been five very productive years, with the creation of several side projects such as cycles of workshops and laboratories, and with the intention of arranging a new date outside the Madrid area.

The first paper was presented by Francisco Jesús Gómez (@ffranz) and Juan Carlos Diaz (@ttlExpired), who introduced Sinfonier, an OSINT (Open Source Intelligence) tool for obtaining knowledge from data available on the network. It is an evolution of Yahoo Pipes in which each module can be developed graphically by the client, and whose only limits are set by the creativity of whoever is at the controls.

Alfonso Muñoz (@mindcrypt) took the stage to talk about JANO, a research project from his PhD on real applications of cryptography for natural language. It was an explosion of slides about the various methods he had to deal with in order to conceal information within texts apparently written by a human: a constant fight between machines (Alfonso's own generator against spam services), with a detailed study of the weight of words, synonyms, types and their ability to hide information.

Is a WiFi network with a pay-wall an unconquerable barrier? As you have deduced, it clearly is not, as shown by the work of Pau Oliva (@pof): an Android application that lets you skip pay-walls (intermediate payment pages to access WiFi networks, increasingly present in public places) in the simplest possible way. It walks one by one through all the IPs that may be connected and, when it finds another user, spoofs that user's MAC address and IP to impersonate them. As a countermeasure, it would be enough for these services to restrict IP requests coming from other users for the tool to stop working. Almost none of them does so today.

Antonio Ramos spoke about risk analysis and about how perceptual biases affect us when making a reliable risk plan. He addressed the main problem that project management methodologies run into when they are applied to computing developments: the methodologies are designed for complicated systems, not complex ones. A complex system requires trial and error, not the strict application of a standard. In computer security, there are no valid standards. That is why Ramos makes his bid for agile methodologies: short-term plans, including the client in the equation, and continuous testing.

How is an APT (Advanced Persistent Threat) born and developed? According to Raj Shah, it has 6 distinct cycles.

- Reconnaissance, obtaining the best possible knowledge.

- Arming yourself with the weaknesses you find.

- Infiltrating the system.

- Exploiting vulnerabilities.

- Controlling the system, escalating privileges, and finally…

- Exfiltrating the information obtained. That is the big problem that critical services and large organizations face, and it is really hard to control.

Then it was the turn of the guys from @fluproject, Juan Antonio Calles (@jantonioCalles) and Pablo González (@pablogonzalezpe), who gave a tour of the statistical history of malware and cyber attacks, stopping at one of the most effective strategies for controlling citizens: low-cost botnets built from thousands of mobile terminals. What can a simple flashlight app do? Of course, it can shed light where there is not enough, but it can also send information from our device's sensors to a server (geolocation, IP, time, ...), take pictures, record conversations, track nearby connections, jump into WiFi networks and spoof whoever is connected to them, or even launch call-based DDoS attacks (managing one of those botnets to knock our target's device out of service).

Late in the evening, Alberto Cita continued with an in-depth study of Skype security today. It is a mass communication service, apparently based on the benefits of P2P and proprietary data encryption, but it has been neglecting security since it was purchased by Microsoft. The current versions send part of the information over SSL, making them susceptible to scripted MITM attacks. Simply installing a CA in the victim's operating system (even one signed by the user, since it apparently performs no validation) is enough to read conversations in plain text, obtain sensitive data about the people involved (user ID, hashed password, ...) and even recover sent files.

Jorge Bermudez's talk was very interesting and amusing. He is an attorney specializing in telematics offenses who gained prominence thanks to the respect that a position like this commands, and he soon won the public's favor. Bermudez told us what his job is about: the difficulty of applying a law from decades ago to a much more dynamic environment; the need to hack the rules so that the bad guys pay for their actions and the good ones go unpunished; and the value of establishing links between computer security researchers and prosecutors, as each of them needs the other.

The day finished with the Rooted Panel, a roundtable between military and state agencies, private companies and researchers on the present and future of cyber weapons.

Throughout today, we will be covering the event on Twitter.

