Day 2 started with “Draw Me A Trojan” by Yuval Polevoy / RSA. Polevoy spoked about advanced multilayered trojan. Trojan uses several techniques for hiding itself from the AV-software. Overall very informative presentation of modern malware.
Next was “Finding Flame” by Constin G. Raiu (twitter: @craiu). Raiu presented connections between Flame, Stuxnet, Gauss and Duqu malware. Estimation of total development costs of Flame is between $10-$50 million. Costs for calculating the MD5 collisions utilized in Flame are $1.4-14$ million. There are traces of several teams developing different modules for Flame. Raiu is an experienced speaker who can spice up the presentation with jokes etc. Really enjoyed.
After lunch break I attended to “SAP Slapping” by Dave Hartley (twitter: @nmonkee) from MWR InfoSecurity. Hartley presented SAP systems from penetration tester’s perspective. There is lot of attack surface at most SAP systems because of misconfigurations. This was totally new area in the infosec for me.
Fourth one I attended was “Burping up the serialized communication” by Miika Turkia / Nixu. Miika presented Burp Pro plug-in that he created with Ruby for testing serialized java fat client – server communication. Miika also presented one “zero-day” vulnerability in java. He has reported it already to Oracle two years ago.
Day ended with Solving the T2’12 Challenge.
I am attending to T2 infosec conference this year and here is a wrap-up of the first day.
T2 is a small yet really high profile international conference at Helsinki, Finland. There are only 99 seats available each year, so it is really great opportunity to have a word or two with speakers if you want to. This is my first time at T2.
Day started with opening words from the organizer Tomi Tuominen.
Keynote was given by Rick Falkvinge (twitter: @falkvinge) the founder of the Pirate Party movement. Falkvinge is a good speaker. He spoked about early stages of the Pirate Party, how to make a change and few words about leadership. Good keynote.
Then we moved to something more technical. Second speaker was Felix FX Lindner of Recurity Labs GmbH. He had studied Huawei VRP platform used in Huawei routers. Results: huawei copied code from Cisco IOS platform, session hi-jacking of web-UI, buffer overflow that could be used for owning the router and last but not least hardcoded passwords. Not the kind of list you would like to hear from your router provider.
Next I was attending was “Secure exploit payload staging” by Georg Wichersky from CrowdStrike. Georg talked about their attendance to Defcon 2011 CTF. Interesting story about obfuscation, encryption etc. they used at the competition. Quite technical stuff.
After lunch I attended to Stonesoft / Olli-Pekka Niemi session about testing IPS systems. Session was called “Game of Lies”. Olli-Pekka pointed out some problems that most of the IPS providers are not handling properly. It seems to be possible to bypass most of the IPS systems by using evasion. This is not detected in normal certification testing these days. Stonesoft has recently released their testing system for public use. Interesting points there.
After the coffee break it was time for the last presentation. Presentation was titled PinPadPwn and was presented by Nils of MWR InfoSecurity. MWR guys had bought bunch of used pinpads from various sources like eBay and studied security. Results were impressive: it is basically possible to run own code stored in specially crafted smart card in the pinpads. Nice three demos were presented two of the a live. Hope these demos can be found on-line soon.
I left after the drinks and networking (great conversations by the way). Some of the attendees headed for dinner after that.
Great first day, really looking for tomorrow.
Ryan Naraine’s blog post about day 1: https://www.securelist.com/en/blog/208193917/T2_12_Huawei_Routers_Pin_Pad_Terminals_Under_Security_Scrutiny
Article complexity: This article is intended for normal internet user.
Without going deep into mathematics basically password strengt is a combination of password length, character set (special characters, capital and lower-case letters, numbers etc.) and randomness. Strong passwords tend to be hard to remember and you should have different password to every service. In this post I will preset three methods that could help you remember strong passwords.
Warning: If you are not absolutely sure what you are doing be extra careful with the sites that provide “test your password strength” – services. Services like that might be created for phishing your password.
Write them down! – (F-Secure/Annika method)
This method is fully explained in F-Secure Safe and Savvy blog. Basic idea is to have part of your service dependent password at paper and remembering a secret “PIN” that is added to this password. Thoughts behind this idea are good but there are couple of things to notice:
- I recommend using much longer password and PIN than presented in that blog post
- In case of password breach at one of the services you should change password to all services since PIN is exposed. This can be really frustrating.
Overall this method provides means for good passwords.
Password managers like LastPass and 1Password can store strong passwords and you only have to remember one password to use all your passwords. Password managers are really good solution, but there are also some issues:
- You are fully dependent on the password manager – cloud solutions bring some help but adds concerns related to all cloud services.
- There is a single point of failure possibility – all your data is behind one password. Leakage of that password exposes all your passwords.
Passphrases are like passwords that consists of words instead of letters. Here is an example: ThoseThreePonysArePinkAndReallySmall! That is an actual phrase that can be remembered. However it does not offer good randomness, so better passphrase would be: ShirtSunWavesLivingSafeTreeAdsDoorPopularity? This is better since it has more randomness (not completely random words though) but not as easy to remember. If you want to add some complexity you could use several languages and special characters. Couple notes:
- Not all the services accept really long passwords (unfortunately)
- You should use totally different words for each services and this could lead to original problem (hard to remember)
As seen there is no silver bullet for the problem. I hope that this blog post brought some help for you when dealing with your passwords. I will continue the hunt for good solution and keep you updated!