The Cost of Networking @ Blackhat

Posted by Gunter Ollmann on March 29, 2008 at 12:29 PM EDT.

The second day of Blackhat Amsterdam proved to be just as good as the first, with the afternoon's presentations generally being of more interest to me than the morning's (my perception may have been unduly tainted by the previous evening's late-night meanderings and consumption of fermented liquids with the usual flock of pentesters).

Intercepting Mobile Phone/GSM Traffic

The first talk to stand out to me was “Intercepting Mobile Phone/GSM Traffic” by David Hulton and Steve. The room was pretty full and the back row was consumed by various media with cameras in tow. Having not heard all the rumors etc. about the talk, I was a little surprised that so many people were interested in GSM interception and breaking A5/1 – after all, the theory and proof points have been around for over a decade now.

They did a great job outlining the historical security flaws concerning GSM, and their observational decodes of current GSM handshaking processes revealed that mobile operators don’t appear to be following their own advice on securing critical data (such as the plain-text IMSI number of the handset).

For the last couple of years I’ve been talking about illegal GSM/GPRS interception, with the primary vectors relying upon active equipment (e.g. cell boosters, nanocell stations, etc.) and downgrade attacks. Their completely passive cracking of GSM calls was very interesting because they were able to do it with only a few data packets and could make use of rainbow tables to accelerate the actual cracking of the A5/1 encryption. So, hats off to these guys.

While the GSM side is very interesting and completely noteworthy, I think that perhaps the most important part of their presentation was actually their use of FPGA (field-programmable gate array) boards to radically accelerate the generation of their rainbow tables. For example, using a single high-speed PC it would have taken 33,235 years to generate the table (at 550,000 A5/1 evaluations per second). Using 68 FPGA boards mounted in a custom chassis they did it in 3 months (at 72,533,333,333 A5/1 evaluations per second).
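The precompute-once, crack-cheaply pattern behind their rainbow-table approach, as an added example that is not the presenters' code: a keyed hash truncated to an 18-bit key space stands in for A5/1 keystream generation from a known frame, the chain length, table size and reduction functions are constructed parameters of my own, and the key space is shrunk enough that the whole thing runs in seconds in pure Python. It shows the two phases that matter in their talk: the expensive table build (the part they pushed onto FPGAs) and the online lookup that needs only one observed keystream value.

```python
"""Toy rainbow-table (time/memory trade-off) attack on a keyed one-way function.

Added illustration, not the presenters' code. The "cipher" below is a keyed
hash truncated to KEY_BITS bits, standing in for A5/1 keystream generation
from a known frame; the key space, chain length and table size are tiny
constructed parameters so the whole thing runs in a few seconds.
"""
import hashlib
import random

KEY_BITS = 18                     # toy key space of 2^18 keys (A5/1 has 64-bit keys)
N = 1 << KEY_BITS
KNOWN_PLAINTEXT = b"known-frame"  # stands in for a predictable GSM burst
CHAIN_LEN = 100                   # t: keys per chain
NUM_CHAINS = 3000                 # m: chains stored; m*t is roughly N

EVALS = {"f": 0}                  # counts cipher evaluations to compare costs


def keystream(key: int) -> int:
    """One-way function f: key -> observable keystream (toy stand-in for A5/1)."""
    EVALS["f"] += 1
    digest = hashlib.sha256(key.to_bytes(4, "big") + KNOWN_PLAINTEXT).digest()
    return int.from_bytes(digest[:4], "big") & (N - 1)


def reduce_to_key(ks: int, step: int) -> int:
    """Reduction R_step: map a keystream value back into key space.

    A different reduction per step is what makes this a *rainbow* table:
    two chains that collide at different steps do not merge afterwards.
    """
    return (ks + step * 0x9E3779B1) & (N - 1)


def chain(start: int) -> list:
    """Keys visited by one chain, positions 0 .. CHAIN_LEN-1."""
    keys = [start]
    key = start
    for step in range(CHAIN_LEN - 1):
        key = reduce_to_key(keystream(key), step)
        keys.append(key)
    return keys


def build_table(seed: int = 0) -> dict:
    """Offline phase: m*t cipher evaluations, paid once (the FPGA job).

    Only (end point -> start point) is stored; intermediate keys are
    recomputed during lookup, which is the memory side of the trade-off.
    """
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = rng.randrange(N)
        last = chain(start)[-1]
        end = reduce_to_key(keystream(last), CHAIN_LEN - 1)
        table[end] = start
    return table


def crack(table: dict, observed: int):
    """Online phase: find a key whose keystream equals `observed`.

    Costs about t^2/2 cipher evaluations instead of the ~N/2 of brute force,
    and needs only the one observed keystream value (the "few packets").
    Returns None if no chain in the table covers a matching key.
    """
    for pos in range(CHAIN_LEN - 1, -1, -1):      # cheapest assumption first
        # Assume the key sits at `pos` in some chain; walk to that chain's end.
        y = reduce_to_key(observed, pos)
        for step in range(pos + 1, CHAIN_LEN):
            y = reduce_to_key(keystream(y), step)
        start = table.get(y)
        if start is None:
            continue
        candidate = chain(start)[pos]             # rebuild the chain up to `pos`
        if keystream(candidate) == observed:
            return candidate
        # otherwise a false alarm caused by a merged chain; keep searching
    return None


def online_cost(table: dict, observed: int) -> int:
    """Cipher evaluations spent by one crack() call (for the comparison)."""
    before = EVALS["f"]
    crack(table, observed)
    return EVALS["f"] - before


if __name__ == "__main__":
    table = build_table(seed=1)
    secret = random.Random(7).randrange(N)        # the victim's key, constructed
    observed = keystream(secret)
    found = crack(table, observed)
    print("found" if found is not None else "not covered by table",
          "| lookup cost:", online_cost(table, observed),
          "evaluations vs brute force ~", N // 2)
```

Coverage is probabilistic: with m*t only about equal to N a random key is found perhaps half the time, which is why real tables use several times more chains (or several tables with different reductions) than the key space. The ratio that matters for the talk is visible in the counters: the build pays m*t evaluations once, each crack afterwards pays on the order of t²/2, and shrinking the key space by 46 bits is the only reason this runs in seconds where the real job took 68 FPGAs three months.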

It’s significant because this is (now) a very public case of how “off-the-shelf” FPGA hardware can be used to boost specialized cracking processes by many orders of magnitude. Given that these processing technologies are relatively cheap (and getting both faster and cheaper), I’d recommend companies take a much closer look at the key lengths of the encryption systems they currently use – and reevaluate the amount of time that attackers will need to crack their systems in the future.

I’d also point out that it’s definitely worth bearing in mind that (in most cases) today’s encrypted traffic can be recorded and then cracked by the attacker at their leisure. So you should factor in how long any data (especially classified communications transmitted over wireless interfaces) will need to remain confidential – and that Moore’s law is way too conservative.

Investigating Individuals and Organizations Using Open Source Intelligence

The other talk I found very interesting (and capped off two days of Blackhat) was titled “Investigating Individuals and Organizations Using Open Source Intelligence”, delivered by Roelof Temmingh and Chris Böhme.

Having come from a penetration-testing background, I’ve always relied upon passive information-gathering techniques to start the ball rolling for any engagement. Roelof and Chris have managed to take this to the next stage and made it much more personal by automatically linking public information stores (such as those of social networking sites) to extract personal information – effectively paving new ways for effective social engineering and manipulation of Web 2.0 social/collaborative networks.

Granted, there may be some legal gray areas – such as breaking fair-use and terms-of-use clauses at some social sites – but, at the end of the day, it’s not like the bad guys are actually going to adhere to the rules, so it’s important that professional security researchers be allowed to examine these areas (I mention that point because Roelof and Chris managed to get a few ‘Cease and Desist Trespassing’ letters from some well-known Web 2.0 sites).

I found the most interesting aspects of their talk to be the use of imaginary virtual friends and the subsequent creation of entirely fake virtual communities.

For several years the X-Force has monitored the search page-rank manipulation carried out by organized cybercrime units. Today, with drive-by malware and man-in-the-browser attack vectors, page-rank manipulation has fast become one of the most dangerous and insidious attack propagation vectors. With the worldwide news event of Benazir Bhutto’s assassination, the public got its first real taste of how criminals can leverage page-rank manipulation to infect browsers as users search for news and background history on key events (e.g. for a period of time, the first few links returned by popular search engines pointed to malicious hosts serving up exploit code and infecting visitors with botnet agents).

What Roelof and Chris managed to do in their talk was to clearly show how even “dumb” AI processes can govern an army of completely virtual identities, bypass current-generation “is it a real human” tests, and manipulate community ratings (e.g. guarantee that a particular movie will be ranked number one). This in turn can be used in very profitable ways – e.g. what happens if you’re the movie’s producer? Higher ranking equals more viewers and higher box-office revenues (in fact some people would argue that the precedent has already been set and has been happening for decades with the music industry’s Top-40 listings).

With cyber criminals proving adept at following the money, I have little doubt that somewhere around the world someone is already coding up the first generation of AI virtual identity agents in preparation for distribution to existing botnets.

That's yet another “blade” to existing botnet malware and a low-hanging-fruit vector for making money – governed only by the imagination of the criminals.

    Copyright 2001-2008 © Gunter Ollmann