Lord Wyrm
topquote owner since '17
|
33C3

> works for me
> A commonly used phrase by software developers to indicate that the bug reported by a user is not repeatable on their machine, and will therefore receive no more attention. Usually connotes a dismissive approach, where anything that is not visible immediately to the developer is "someone else's problem" and is therefore not worth fixing.
>
> Like no other, the year 2016 pointed out how well "works for me" works for us. It does not. Mutual hate, envy, insensibility and exclusion have driven us apart. Feeling isolated and threatened, we turn further against each other, take less care of each other and worry even more about ourselves. And yet, we are never alone: Excessive surveillance is now politically normalized, if not for all then at least for those who are different, intractable, foreign.
>
> Let's break this vicious circle. Let's get together and live our utopia. Let's strive for something that works for all of us. And let's fight those who will not let us! Welcome to the party! :-)

Link: events.ccc.de
Link: 33C3 Wiki

Every year again! Maybe someone from oc.at will be there this year?
|
Hansmaulwurf
u wot m8?
|
Didn't get any tickets.

e: If you're still looking for a hotel, maybe I can transfer my room.
Edited by Hansmaulwurf on 25.11.2016, 11:35
|
Korky
Bloody Newbie
|
Didn't get any tickets this time either (at the first sale date I could even put one in the shopping cart but not get any further, at the second date I got down to double digits in the queue, and now at the last date there were only problems). When you consider that 10 years ago there were only about a third as many visitors at the bcc (if I remember correctly, 23C3 had ~4,400). This will probably also be the last CCC at the CCH in Hamburg for the long term (the CCH is being extensively renovated - 33C3 is the last event there). I'm already curious where it will be next year - is there any info on that yet (maybe Vienna - ACV)?
|
Lord Wyrm
topquote owner since '17
|
I think Vienna is unlikely. Delivering Mate there in a disaster scenario sounds exciting. I think that's a knockout criterion.
|
Lord Wyrm
topquote owner since '17
|
On site, DECT 4240. The Congress dashboard is quite nice to watch: https://dashboard.congress.ccc.de/

Recommended talks so far (will add links to the streams later):

Day 1

Shut Up and Take My Money!

> FinTechs increasingly cut the ground from under long-established banks' feet. With a "Mobile First" strategy, many set their sights on bringing all financial tasks - checking the account balance, making transactions, arranging investments, and ordering an overdraft - to your smartphone. In a business area that was once entirely committed to security, FinTechs make a hip design and outstanding user experience their one and only priority. Even though this strategy is rewarded by rapidly increasing customer numbers, it also reveals a flawed understanding of security. With the example of the pan-European banking startup N26 (formerly Number26), we succeeded, independently of the device used, in leaking customer data, manipulating transactions, and entirely taking over accounts to ultimately issue arbitrary transactions - even without credit.
>
> Over the last few years, smartphones have become an omnipresent device that almost everybody owns and carries around all the time. Although financial institutions usually react conservatively to new technologies and trends, most established banks today offer their customers banking apps and app-based second-factor authentication methods. FinTechs, technology startups in the financial sector, pressure the tried and trusted structure of established banks, as they highlight the customer's smartphone as the hub of their financial life. This business model is especially appealing to younger customers. FinTechs, however, also play an important role in the advancing downfall of important conceptual security measures.
>
> While the latter can be understood as the next step in the decay process of second-factor authentication, which was started with the introduction of app-based legitimization methods, FinTechs also reveal limited insights into conceptual and technical security. We have encountered severe vulnerabilities at the Berlin-based FinTech N26, which offers its smartphone-only bank account in many countries throughout Europe. Entirely independent of the device used, we were not only able to reveal N26 customers and to manipulate transactions in real time but also to completely take over a victim's bank account.

Link: fahrplan.events.ccc.de
Video: Shut up and take my money - media.ccc.de

Predicting and Abusing WPA2/802.11 Group Keys

> We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
>
> First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.

Link: fahrplan.events.ccc.de
Video: Predicting and Abusing WPA2/802.11 Group Keys

Where in the World is Carmen Sandiego?

> Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today's standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.
>
> Airline reservation systems grew from mainframes with green-screen terminals to modern-looking XML/SOAP APIs to access those same mainframes. The systems lack central concepts of IT security, in particular good authentication and proper access control. We show how these weaknesses translate into disclosure of travelers' personal information and would allow several forms of fraud and theft, if left unfixed.

Link: fahrplan.events.ccc.de
Video: Where in the World is Carmen Sandiego - media.ccc.de

Day 2

Hacking the World

> In this lecture I wish to reflect on the maturation of the security and hacking communities and their role in larger societal and political participation. We'll reflect on the predominant role that technology has been growing into in our lives, and the responsibilities we have in nurturing it. After having spent the last years in researching, exposing, and preventing the electronic targeting of dissidents and journalists, I hope to synthesize my experience and suggest how to reconsider our tactics, the successes, and the failures, and hopefully draw some inspiration for a brighter future.
>
> Computer systems were destined for a global cultural and economic revolution that the hacker community anticipated. We saw the potential, we saw it coming. And while we enjoyed the little time of reckless banditism, playing cowboys of the early interconnected age, we also soon welcomed the public realization that we were right all along, that information technology was going to change everything, and that information security was critical.
>
> Now, the Internet governs our lives. Success always comes with strings attached. The Internet morphed with us. Once an unexplored space we were wandering in solitude, now it has become a marketplace for goods, *the* vehicle for communication, as well as an instrument for control, and a field for battle. We learned the many ways it was abused and broken. We learned the stories of those who were victims of the shortcomings of computer and network systems, and we realized how often and brutally they were turned into means of persecution against those who struggle for free speech and democracy around the world.

Link: fahrplan.events.ccc.de

In Search of Evidence-Based IT-Security

> Applied IT security is largely a science-free field. The IT-Security industry is selling a range of products with often very questionable and sometimes outright ridiculous claims. Yet it's widely accepted practice among users and companies that protection with security appliances, antivirus products and firewalls is a necessity. There are no rigorous scientific studies that try to evaluate the effectiveness of most security products or strategies. Evidence-based IT security could provide a way out of the security nihilism that's often dominating the debate - however, it doesn't exist yet.
>
> From Next-Generation APT-Defense to Machine Learning and Artificial Intelligence: The promises of IT security product vendors are often bold. Some marketing promises are simply impossible, because they violate a fundamental theorem of computer science, the halting problem. Many IT security professionals are skeptical of security appliances, antivirus software and other IT security products and call them snake oil. Furthermore, security products often have security vulnerabilities themselves, which has lately been shown by the impressive work done by Tavis Ormandy from Google's Project Zero.
>
> When there's disagreement about the effectiveness of an approach, then rational people should ask for scientific evidence. However, surprisingly, this evidence largely doesn't exist. While there obviously is a lot of scientific research in IT security, it rarely tries to answer the practical questions most relevant to users. Decisions are made in an ad-hoc way and are usually based on opinions rather than rigorous scientific evidence. It is quite ironic that, given the medical analogies this field likes to use (viruses, infections etc.), nobody is looking at how medicine solves these problems.
>
> The gold standard of scientific evidence in medicine (and many other fields) is to do randomized controlled trials (RCTs) and meta-analyses of those trials. An RCT divides patients into groups and a treatment - for example a new drug - is compared against a placebo treatment or against the current best practice. Single trials are usually not considered sufficient, therefore meta-analyses pool together the results of all trials done on a particular question. There's no reason RCTs couldn't be applied to the question whether a particular security product works.
>
> Evidence-based medicine is undoubtedly the right approach, but these methods aren't without problems. Publication bias skews results, many studies cannot be replicated, and the scientific publishing and career system often supports poor scientific practices. But this doesn't question the scientific approach itself; it just means that more rigorous scientific practices need to be implemented. Unfortunately, in the few cases where controlled studies are done in the infosec world, they often suffer from the most basic methodological problems like being underpowered (too few participants), never being independently replicated or not measuring relevant outcomes. (There are a few studies on password security and similar questions.)
>
> Applying rigorous science to IT security could provide a way out of the security nihilism that dominates the debate so often these days - "Everything is broken, everyone's going to get hacked eventually". And by learning from other fields, Evidence-Based IT Security could skip the flaws that are rife in other fields of science.

Link: fahrplan.events.ccc.de
Edited by Lord Wyrm on 28.12.2016, 14:41
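The WPA2 group-key abstract above describes exactly how the group key is wrapped in the 4-way handshake when the RC4 key descriptor is negotiated: the per-message RC4 key is a public 16-byte IV followed by the secret 16-byte key, and the first 256 keystream bytes are discarded. The following Python is an added worked example of that construction, not code from the talk, the forum post or any 802.11 implementation; the function names, the sample key, IV and group-key bytes are all constructed for illustration. It lets a reader check the defender-relevant point of the abstract concretely: the IV travels in the clear, so everything that protects the wrapped group key is the 16-byte secret half of the RC4 key.

```python
"""Added example: RC4 group-key wrapping as described in the 33C3 abstract.

Constructed for illustration; NOT the talk's code and NOT a driver or
supplicant implementation. Names and sample bytes are made up.
"""


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` RC4 keystream bytes for `key`, skipping the first `drop`.

    Textbook RC4: key-scheduling algorithm (KSA) followed by the
    pseudo-random generation algorithm (PRGA).
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # KSA: permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: generate drop + length bytes and discard the first `drop`
    i = j = 0
    out = bytearray()
    for _ in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR `data` with the RC4 keystream (encryption and decryption are the same)."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


def wrap_group_key(kek: bytes, iv: bytes, group_key: bytes) -> bytes:
    """Wrap a group key the way the abstract describes.

    Per-message RC4 key = public 16-byte IV || secret 16-byte key,
    first 256 keystream bytes dropped.  `kek` and `iv` lengths are
    checked so a caller cannot silently shorten the secret part.
    """
    if len(kek) != 16 or len(iv) != 16:
        raise ValueError("IV and secret key must both be exactly 16 bytes")
    return rc4_crypt(iv + kek, group_key, drop=256)


def unwrap_group_key(kek: bytes, iv: bytes, wrapped: bytes) -> bytes:
    """Inverse of wrap_group_key; identical operation because RC4 is a stream cipher."""
    return wrap_group_key(kek, iv, wrapped)


def keystream_depends_on_iv(kek: bytes, iv_a: bytes, iv_b: bytes, n: int = 16) -> bool:
    """True when two distinct public IVs under the same secret give distinct keystreams.

    This is the property the wrapping relies on: the receiver only needs the
    IV from the frame plus the shared secret to regenerate the keystream.
    """
    ks_a = rc4_keystream(iv_a + kek, n, drop=256)
    ks_b = rc4_keystream(iv_b + kek, n, drop=256)
    return ks_a != ks_b


# Constructed sample values (not from any real network or the talk).
SAMPLE_KEK = bytes(range(0x10, 0x20))            # 16-byte secret half
SAMPLE_IV = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # 16-byte public IV
SAMPLE_GTK = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit group key


if __name__ == "__main__":
    wrapped = wrap_group_key(SAMPLE_KEK, SAMPLE_IV, SAMPLE_GTK)
    print("wrapped  :", wrapped.hex())
    print("unwrapped:", unwrap_group_key(SAMPLE_KEK, SAMPLE_IV, wrapped).hex())
    print("IV changes keystream:", keystream_depends_on_iv(SAMPLE_KEK, SAMPLE_IV, bytes(16)))
```

Run it as a script to see the wrapped bytes and the round trip. `rc4_crypt` with `drop=0` is plain RC4, which is handy for checking the primitive against a known test vector before trusting the drop-256 variant built on it.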
|
Korky
Bloody Newbie
|
> This will probably also be the last CCC at the CCH in Hamburg for the long term (the CCH is being extensively renovated - 33C3 is the last event there). I'm already curious where it will be next year - is there any info on that yet (maybe Vienna - ACV)?

The new location is fixed: 34C3 will take place at the end of December in Leipzig. Thanks to the even larger amount of space, it should be easier to get tickets again this time (I can still remember 23C3 in the comparatively "small" Berliner Congress Center with a bit more than 4,000 people - at 33C3 last year it was 12,000).

Chaos Communication Congress moves to Leipzig

> The 34th Chaos Communication Congress (34C3) will, as usual, take place at the end of December, but at a new venue, the Messe Leipzig. Because of the renovation of the Congress Center Hamburg (CCH), a new home had to be found for the event. The Chaos Computer Club is looking forward to the new Congress venue Leipzig, where participants will also find considerably more space.

Link: ccc.de
Edited by Korky on 28.05.2017, 09:39
|