CIPHER 3 (aka Germany - country of hackers)
It has been a while since I made my last post, but I hope I can add some content again in the near future.
On Thursday, 12.07.2007, CIPHER 3 took place and we, the CInsects, participated in it. For those of you who don't know what this is, here is a little summary of what a CTF is. I had more or less voluntarily agreed to set up our infrastructure but, as things go in life, had less time than I thought I would have. So partly because of that and partly because we always seem to start a little confused, we started pretty slowly and ranked among the last few places. But as the end got closer we slowly made our way towards the top. In the final spurt we wrote some apparently pretty good advisories, which put us in the lead in the advisory section and lifted us to 4th position in the end. We were really excited about this result, since nobody had counted on such a good place after our muddled start.
The results and some statistics will be available next week on the CIPHER 3 homepage. Very interesting is the fact that the first 6 teams are from Germany. So Germany seems to be becoming the country of hackers ... erm ... I mean security experts ;). Well, possibly this is only because it is organized and held by a German team. Here is the final scoreboard. If you are interested in which team is from where and representing whom, just compare the numbers with those on the CIPHER 3 homepage.
I want to thank Lexi and his crew again for making such a cool event possible, taking all the time it needs to prepare it, and keeping calm when the players complain that something doesn't work the way they want. Naturally I would like to thank all the other participants too. It was a great game and I hope everyone enjoyed it as much as we did. :)
Update: Stats are available here.
Informatiktage 2007
This weekend the Informatiktage 2007 took place. It was pretty cool and interesting. As I wrote before, I attended the workshop "Security in online banking", which was held by Hans-Peter Dünnwald, Matthias Stoffel and Eberhard Stickel. They were from the "Sparkasseninformatikzentrum" and the "Hochschule der Sparkassen-Finanzgruppe". There were only 5 attendees, so it was rather relaxed. The workshop was divided into three parts: one on the first day and two on the second.
The first one started a little boring and confused, because at first only one of the three people who were supposed to present the workshop was there, and the one who was present was pretty ill. The other two arrived shortly before the end; they had had some meetings. He began the workshop with the basics of cryptography, like what symmetric and asymmetric encryption are and so on. Most of us had already heard and/or read almost everything we were told.
The evening program was called networking. But no, we didn't play computer games. It was more about getting in contact with other students and the representatives of the companies that were presenting the workshops or sponsoring the whole congress. And there was free beer, which was almost fatal for me.
On the second day three of us, including me, were able to give a short lecture about our submissions. Too bad Georg and I were a little late, because I had to find a copy shop that was able to print a black-and-white poster for under 20 Euro, so we didn't see the first half of "Rainbow table Cracking". My lecture was about XSS and Session Riding. I mostly did a live presentation of how it works and then enumerated the known countermeasures. Unluckily I seem to have liked talking about XSS too much, so there were only 5 minutes left to talk about Session Riding, and so this part got a little chaotic.
The Sparkasse's part was much more interesting than the day before. They told us about their experiences and their way of handling security and its breaches. I was just a little disappointed by their comment on requiring JavaScript to even be able to reach the Haspa online banking section. They only said, "Yes, I do agree with you. But you always have to choose between security and functionality/design". Yes, I do agree with them, but please choose security when it comes to my money. Well, they told me the new Haspa website has already launched, and I just had a look at it and, yes, they fortunately did change it. The topic of this second part was basically the ways the guys with the dark hats do their stuff. It was primarily about phishing techniques, since this is the way most damage is done.
Between the second and third part of the workshop the poster session took place. I had the feeling that it got more attention on the first day, and so we mainly talked to the owners of the neighbouring posters. But maybe it was just because my poster was that ugly and/or uninteresting. I wouldn't wonder about that too much. I created it in the middle of the night, and the print was done by zooming an A4 print to A1 format, which is not necessarily the best thing to do. But it saved me 10 Euro.
The last part began with the third lecture. It was about trusted computing in mobile environments. The third part was then mainly about the precautions taken and the upcoming hardware used by the Sparkasse. In the near future there will be a small chipcard reader available that generates a special TAN from the current EC card and some values of the transaction. But I don't like the idea too much, because if I lose my EC card, someone else might be able to generate TANs from it.
All in all it was really fun. This was one of the rare chances to get to know students from other universities and cities. It gave us the chance to build up connections between individuals with similar interests and, which may be even more interesting, not that similar interests and thus a different point of view. I also learned some things about the way Computer Science is handled in other cities, which was pretty interesting as well.
GI Workshop
A few days ago we submitted a paper to the GI, which was originally part of an abstract M4z and I did for a seminar. They accepted it, which means it will be printed in their magazine. That alone is nothing too cool, since it is more or less a summary of web-based vulnerabilities, but the really cool thing is that we will be going to Bonn from the 29th to the 31st of March for a workshop at the Informatiktage 2007. And even better, the journey as well as the hotel will be paid for.
We could choose between several different topics. I clearly decided to attend "Security in Online-Banking", since it was the only security-related one.
It seems to be held by someone who is at least related to the "Sparkasse", and I am really interested in their point of view. The Haspa, which is Hamburg's branch of the Sparkasse, needs JavaScript activated to even be able to reach their online banking service. I do not get why they are doing this?! It does not look too security-conscious to me. Well, they have TANs, so it is not all that easy to ride the session and transfer money to my own account. But there may be other things that could be modified. And moreover this urges even security-aware people to activate JavaScript and therefore be vulnerable to potential XSS vulnerabilities.
I guess I will be looking at what may be done with Session Riding on their site before then. Perhaps I will also find some XSS possibility, but this does not appear too likely after a first look.
If you have found something similar or even already found a vulnerability, please let me know. Maybe it will get a bit more of their attention when someone discusses it with them in person.
Nonetheless, I am really looking forward to this.
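The reasoning above (a TAN makes session riding harder, but forcing JavaScript opens the door to XSS) is easier to see with a small simulation. The block below is an added example and is not code from this blog, from the Haspa or from any Sparkasse system; the class and function names (Bank, transfer_vulnerable, transfer_hardened, attacker_request, run_demo), the session store, the balances and the TAN list are all constructed for illustration. It models a transfer endpoint that trusts the session cookie alone, the same endpoint hardened with a session-bound form token plus a one-time TAN, and the request a victim's browser emits when it visits an attacker's page.

```python
"""Session riding (CSRF) against a cookie-authenticated transfer endpoint,
and the per-transaction-secret countermeasure (form token plus one-time TAN).

Constructed, self-contained simulation added as an illustration. All names
(Bank, transfer_vulnerable, transfer_hardened, attacker_request, run_demo)
and all data are hypothetical; nothing here is any real bank's code.
"""
import secrets

# Constructed session store: cookie value -> logged-in account holder.
SESSIONS = {"cookie-abc": "victim"}


class Bank:
    def __init__(self):
        # Constructed balances and a constructed one-time TAN list for the victim.
        self.balances = {"victim": 1000, "attacker": 0}
        self.tans = {"victim": {"123456", "654321"}}
        # Per-session anti-CSRF token, issued when the transfer form is rendered.
        self.csrf_tokens = {}

    def render_transfer_form(self, cookie):
        """Server side of a legitimate visit: bind a fresh random token to the
        session and embed it in the form. A page on another origin cannot read
        it, because the browser's same-origin policy blocks that."""
        if cookie not in SESSIONS:
            raise PermissionError("not logged in")
        token = secrets.token_hex(16)
        self.csrf_tokens[cookie] = token
        return token

    def transfer_vulnerable(self, request):
        """Authenticates by cookie alone: any POST the victim's browser emits
        with the bank cookie attached is honoured, whoever built the form."""
        user = SESSIONS.get(request["cookie"])
        if user is None:
            return "unauthenticated"
        return self._move(user, request["form"])

    def transfer_hardened(self, request):
        """Same endpoint, but requires two things an attacker's page cannot
        supply: the session-bound token and a one-time TAN from the user's list."""
        user = SESSIONS.get(request["cookie"])
        if user is None:
            return "unauthenticated"
        form = request["form"]
        expected = self.csrf_tokens.pop(request["cookie"], None)  # single use
        if expected is None or not secrets.compare_digest(expected, form.get("csrf", "")):
            return "rejected: missing or invalid form token"
        tan = form.get("tan", "")
        if tan not in self.tans.get(user, set()):
            return "rejected: unknown or already used TAN"
        self.tans[user].discard(tan)  # burn the TAN so a replay fails
        return self._move(user, form)

    def _move(self, user, form):
        amount = int(form["amount"])
        if amount <= 0 or self.balances[user] < amount:
            return "rejected: insufficient funds"
        self.balances[user] -= amount
        self.balances[form["to"]] = self.balances.get(form["to"], 0) + amount
        return "ok"


def attacker_request():
    """What the victim's browser sends after loading an attacker page with an
    auto-submitting form aimed at the bank: the browser attaches the bank
    cookie on its own, but the form carries no token and no TAN because the
    attacker never had them."""
    return {"cookie": "cookie-abc", "form": {"to": "attacker", "amount": "500"}}


def run_demo():
    """Run the riding attempt against both endpoints, then a legitimate transfer."""
    results = {}

    bank = Bank()
    results["vulnerable"] = bank.transfer_vulnerable(attacker_request())
    results["vulnerable_victim_balance"] = bank.balances["victim"]  # 500: money gone

    bank = Bank()
    results["hardened"] = bank.transfer_hardened(attacker_request())
    results["hardened_victim_balance"] = bank.balances["victim"]  # 1000: untouched

    # Legitimate flow: the user loads the form, gets the token, types a TAN.
    token = bank.render_transfer_form("cookie-abc")
    legit = {"cookie": "cookie-abc",
             "form": {"to": "attacker", "amount": "100", "csrf": token, "tan": "123456"}}
    results["legitimate"] = bank.transfer_hardened(legit)
    # Replaying the identical request fails: token consumed, TAN burnt.
    results["replay"] = bank.transfer_hardened(legit)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The form token stops riding only as long as no script from another party runs on the bank's origin: an XSS payload on the same origin can read the token out of the page and submit the form itself, which is why forcing users to enable JavaScript matters in this argument. A TAN that the user types per transaction is not stored anywhere a page can read, so it still has to be phished or stolen out of band, which is the distinction the post draws between the two.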