The breakfast at Black Hat was not that great: some bread with jam and juice (I really missed the egg and bacon breakfast from yesterday). The opening by Jeff Moss was great, and the place was packed. I heard later that we were about 2000 attendees at the conference.
The most noteworthy talk during the day was Jack Barnaby's presentation on how he developed the hacks for the ATM machines. The whole story of how he got hold of them was hilarious in itself, but then it got scary. The keys needed to access the computer that sits on top of the big honking safe can be bought directly from the vendor's website, and the vendor will use the same key for all the ATMs they ship unless specified otherwise. The computers in the ATMs he acquired (shipped to his home address) were running Windows CE (IIRC), and Windows CE has not gotten the same attention as the Windows server and client OSs have, so they were vulnerable.
Jack developed a tool to communicate with the remote management facility (which can be reached over IP and POTS networks) and discovered that there was a flaw in how access was authenticated, making it possible to bypass the whole authentication requirement. Once connected he could do things like upload new firmware. The new firmware he uploaded had some extra functionality: he could use the built-in card reader as a skimming device, so pulling the ATM apart to check for the extra devices commonly used in normal skimming attacks is useless. He could also walk up to the machine and insert a special ATM card (i.e. the ATM is programmed to give an admin console when it is inserted) to make it spit out cash (which is also a function you can tell it to perform from the admin console remotely).
The other hack was to insert a USB device, reboot the ATM and let it boot from the USB stick, and just make it empty its contents. Very cool find, and the ATM vendors have had over 18 months to fix this (the talk got pulled last year when the vendors pressured Barnaby's employer; that problem was resolved by a change of employer).
The other noteworthy presentation of the day was Samy's talk "How I Met Your Girlfriend", where he, among other things, reduced the effective entropy of PHP's session cookie from 160 bits to just 20 bits, which is totally reasonable to brute-force.
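The defensive side of that session-cookie result is a configuration question. The following php.ini fragment is an added example, not something from the talk or the post: it contrasts the weak PHP 5.3-era session settings with a hardened configuration that mixes OS entropy into the session id and uses a larger hash. The directive names are the real ones from the PHP manual (the `session.entropy_*` and `session.hash_*` directives exist in PHP 5.3 to 7.0 and were removed in 7.1; `session.sid_length` and `session.sid_bits_per_character` are their 7.1+ replacements); the particular values chosen are my suggestion.

```ini
; Added example: php.ini session-id settings (not from the post).

; Weak configuration (PHP 5.3 era, shown commented out): the session id
; is an MD5 over client address, clock time and a weak PRNG, with no
; bytes from an OS entropy source mixed in. This is what makes the id
; guessable once the predictable inputs are narrowed down.
;session.hash_function = 0          ; 0 = MD5
;session.entropy_length = 0         ; read nothing from entropy_file
;session.hash_bits_per_character = 4

; Hardened configuration for PHP 5.3 - 7.0: pull 32 bytes from the OS
; random device into the id and hash with SHA-256 instead of MD5.
session.entropy_file = /dev/urandom
session.entropy_length = 32
session.hash_function = sha256
session.hash_bits_per_character = 5

; Defence in depth regardless of PHP version: do not accept ids that the
; client invented, and keep the cookie off plain HTTP and out of script.
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
session.cookie_secure = 1

; PHP 7.1 and later generate the id from the CSPRNG; only its length and
; alphabet are tunable (48 characters * 6 bits = 288 bits of id).
;session.sid_length = 48
;session.sid_bits_per_character = 6
```

The check a practitioner would run is `php -i | grep session.` on the production box to confirm which of these two profiles is actually in effect, since distribution packages ship their own php.ini.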