Blackhat thread

[Renegade]

There's a lot of very cool stuff out there with a huge amount of educational value in the blackhat arena. I figure that it might be good to have 1 thread for it.

I posted Chris Piaget's RFID hacking presentation a while back in another thread, but let's start with another:

Black Hat USA 2013 - Hiding @ Depth - Exploring, Subverting and Breaking NAND Flash memory

Layman's Summary:

You can create bad blocks then store data there (NAND memory). Bad blocks are ignored, so you are effectively invisible.

Utterly. Terrifying.

At one point he says, "which I'm not making public." Yeah... uh, we already got the point.

It's a great presentation, and well worth a watch for anyone interested in mobile security.

Linux and Android devs will find this interesting. He also makes reference to the panic_write() call, which is really wild. I had no idea that existed.

[SeraphimLabs]

You can create bad blocks then store data there (NAND memory). Bad blocks are ignored, so you are effectively invisible.

Utterly. Terrifying.

-Renegade (August 10, 2014, 09:08 AM)

And in use for more than a decade too! Its not just applicable to NAND memory. You can do this to CDs and DVDs as well.

In the old days when they were first getting pissy about copyrights and sharing games and software, I found that they had been using a rather clever antipiracy mechanism.

What they would do is create the CD to intentionally contain a couple of bad blocks.

In normal usage the drive would never attempt to access these blocks, as the software would elegantly skip around them. But when you tried to copy the CD it would get about 70% complete and then hang, taking so long to try and salvage data from the bad blocks that it would buffer underrun the burner and ruin the copy being made.

RFID is another scary can of worms in and of itself. If you even get close to being able to manipulate it without all kinds of licensing red tape, they are really quick to lawsuit you to death. Its inherently flawed in a very serious way, one that enables anyone with the right kind of equipment to read it at will. And its only a matter of time until viable designs for that equipment become well known to the public, rendering RFID a completely worthless concept.

[Renegade]

RFID is another scary can of worms in and of itself. If you even get close to being able to manipulate it without all kinds of licensing red tape, they are really quick to lawsuit you to death. Its inherently flawed in a very serious way, one that enables anyone with the right kind of equipment to read it at will. And its only a matter of time until viable designs for that equipment become well known to the public, rendering RFID a completely worthless concept.

-SeraphimLabs (August 11, 2014, 09:25 AM)

Yes - Chris Paget's Blackhat presentation shows how anyone can steal credit cards from up to 250 feet or so using RFID.

The Blackhat conference videos are really good for anyone interested in technology to watch. They really get down into the tech at a very low level and show some pretty surprising things.

I'm going to try to watch some over time and then post a tl;dr for people here.

[Contro]

The BlackHat Conference

 

is this ?
Seems more serious than The White House
 

The near place for me seems to be :

The premier conference on information security returns to the beautiful city
of Amsterdam, Netherlands in October, 2014. Professionals from all over
the world gather for two days of intense Trainings and two thought-provoking days of Briefings brought to you by some of the brightest minds
in the industry.

[Renegade]

The BlackHat Conference

 

is this ?
Seems more serious than The White House
 

-Contro (August 13, 2014, 07:34 AM)

Yep! That's it!

It's great watching some of the videos they release. Wicked amazing stuff. With an emphasis on "wicked".

And yes - infinitely better than the White House. These guys aren't delusional and thinking that they can toss chicken bones blessed by Keynes to root your phone. Hard core computer science there.

I generally need to rewind a bunch of places a few times to not miss stuff. They go pretty fast sometimes. I find it's best to download the vids & use a real video player rather than Youtube in a browser.

But even if you don't do security professionally, or even if you have no plans on doing anything with what they say, it's good to know.

e.g. Wrap your credit cards in foil unless you want to risk them being stolen electronically over the air.

Hmm... Sounds like there might be a market for a Faraday wallet!

[Contro]

 

But what prices !!!!!!!.
Surely I only must see only the videos . I am watching now the linked one.
 

BTW about rooting the mobile device. I have to reinitiate the mobile and decided not to download a lot of sofware now before i can root the device. But if I root I lose the warranty..... So.....
I can't do really "nothing" with my device. Installs is a danger and a work without an image security copy.....