Sunday, March 9, 2014

RootedCON Chronicle: Day 3

Yesterday, the last day of the RootedCON. One of the largest conferences of Spain computer security, and that as we mentioned in previous articles, CIGTR cover day to day.

PabloYglesias-Rooted2014

A Rooted which is now in its fifth year, and took on Saturday to get the creeps, and incidentally demystify this popular saying that the last day is the least significant.



What have we seen? As a Manu Quintans and Frank Ruiz showing how to steal credentials bank cards always aided by reverse engineering and great creativity. A Aladdin Gurbanov be recorded on video and jokingly explaining the operation of magnetic cards, and how easy it is to duplicate: “All this is only for educational purposes”, narrated the speaker, with a Russian accent, as we drew from his back pocket a few blank cards.

Is it too little? Then sit in the chair, which comes Hugo Teso (@hteso), computer security researcher has found a way to attack commercial aircraft (and say commercial, because military agencies have "suggested" not to mention its sector) apply classic vulnerabilities client-server environments (XSS, injection,...). Change the flight path, altering the autopilot...

Still you are not shaking? Well you should, because José Pico (@LAYAK) and David Perez had to four ways to attack terminals connected to 3G networks ¡3G! Your own data network. Needless to them to enter public WIFIs. That discounting the contribution of Berástegui Borja (@Bberastegui), an expert on crash public screens. From advertising marquees, through terminals gelding internet access airports, or, of course, ATMs.

Raul Siles (@raulsiles) continues his personal crusade against Apple. Why do we prevent a downgrade (back to previous versions) in iOS? Because that would allow the Jailbreak, which has associated the ability to install applications outside the market, and therefore outside the radar of the company's business. Yet control enabled this work has since iOS5 (two to three years) being a simple Man In The Middle, forcing the control to think that there is a newer version, changing only the date, and can be installed on your default we want. Take further associated imminent danger. The ability to APTs politicians or executives, preventing its terminals are updated, and then allowing to take advantage of known vulnerabilities to spy.

Instant messaging, as the talk of media today, has also had its place in the Rooted. Jaime Sánchez (@segofensiva) and Pablo San Emeterio (@psaneme) do a little tour of the safety of these tools focusing on WhatsApp and the limited control of spam, can make DDoS based massive collapse of thousands of messages characters from the same token (ie with a client, we can collapse the phones of thousands of users that Android will have serious problems accessing the application, and iOS is very likely to have to reboot and uninstall).

And did not want to end without mentioning critical infrastructure. Because if all the above is not enough to cause nightmares, Juan Vazquez (@_juan_vázquez_) and Julian Vilas (@julianvilas) outlining a comprehensive study on security protocols implemented in SCADA (critical industrial remote access systems), concluding that most of them are traceable and have outdated ports and open channels or directly with administrator

Having seen, it is surprising that no mishaps still occur more.

---

We invite you to rate our posts, to leave your comments and to share them on social networks. Also, if you want you can follow us on our profiles. At the sidebar, you’ve got the links ;-)

0 comments:

Post a Comment