Europen Spring 2006 - Report

Europen is a conference organized by a group of users of open systems. It usually happens twice a year (spring and autumn) somewhere deep in the lovely nature of the Czech forests, in a place where network connectivity is an unknown term.

During the three days of the conference, you can freely concentrate on the very interesting topics being discussed there, meet your former (and possibly future) colleagues and friends, refresh your brain, and recharge your batteries.

Due to a lack of time, I had only one spare day to spend there this spring; nevertheless, the topics were really thought-provoking.

Updated 2006-05-28: Added missing presentation of XEN

Botnets (Bot Networks) by Helena Nikodymova from BIS

Helena started the day with an interesting talk explaining terms like bot, botnet, zombie, trojan horse, keylogger, …, and their roles in today's hacking world.

She presented some facts that were rather surprising (at least to me), including:

  • It is estimated that seven percent of all computers connected to the internet are under the control of hackers (zombies joined into botnets).
  • These are mostly used to send spam, but also to launch DDoS (Distributed Denial of Service) attacks against companies, which are then required to pay a ransom to protect themselves. Such companies usually never admit it.
  • Almost all hacking activity is coordinated to generate some kind of profit by renting out botnet capacity.

Helena also cited several Symantec statistics from 2005, including:

  • It usually takes 5 days to develop an exploit for a known vulnerability (for which patches are already available). Yet 14 days after the patches are announced, some big companies are still being infected because their systems remain unpatched.
  • It takes around 1 hour for a plain, unpatched Windows XP Pro machine connected to the internet to get infected (the same applies to Windows 2003 Server).
  • Around 10,000 computers are infected every day by some kind of virus.
  • Around 1,400 DDoS attacks happen every day.

Rootkits by Zdenek Riha from Faculty of Informatics, Masaryk University

Zdenek introduced the term rootkit and explained its purpose, strengths, and weaknesses very well. He went into some interesting technical details on how rootkits are implemented under Linux and Windows, and on the techniques used to detect and remove them. He talked in particular about:

  • syscall_table patching in Linux and live kernel patching via /dev/kmem.
  • rootkit loading via a kernel module, and how such a module hides itself from the module listing and protects itself from being unloaded.

The conclusions were the usual ones:

  • Do not use a modular kernel (if only this were possible and convenient in practice).
  • Never go live without Tripwire and some kind of IDS.

These things are pretty standard and well known in IT, but how many admins actually do them?

He also noted that, logically, most current rootkits already use (or will use) syntactically valid HTTP traffic as their control channel. Such communication is virtually undetectable on the internet nowadays. Worse things are to come.

Crypto HW resistance by Vaclav Lorenc from Faculty of Informatics, Masaryk University

Vaclav introduced the various crypto HW solutions in use today, from chip cards and USB tokens to HSMs (hardware security modules).

He presented several experiments done by various groups (published on the internet) to see how difficult it is, for example, to disassemble a USB token, analyze its contents, recover the PIN, steal the private keys belonging to certificates, and eventually reprogram the token and reassemble it so that the affected person does not notice that anything has happened.

It is always nice to see what is possible with state-of-the-art technology and the appropriate know-how.

Using USB tokens in real life by Michal Prochazka from Faculty of Informatics, Masaryk University

Michal shared their experience of deploying USB tokens as the primary authentication medium for users of the Metacentrum GRID. He explained the reasoning behind choosing USB tokens (standards, open-source support, they plug in everywhere, …) and the steps they needed to take to get the tokens working in all the required software components (Kerberos notwithstanding).

LiveCDs and their usage by Michal Vyskocil from Faculty of Informatics, VUT, Brno

Michal went into a lot of technical detail explaining how a live CD is implemented, what support is needed from the kernel and the bootloader, and what the current state of affairs is.

He touched on topics like compressed filesystems, overlay filesystems (which allow writing on top of read-only media), and flash filesystems (optimized for NAND flash memory).

Finally, he showed a list of live CDs available on the (open-source) market, including Linux-based live CDs, OpenSolaris-based live CDs, and some live CDs demoing experimental features (the Kororaa Xgl live CD).

Aggregation analysis in network traffic logs by Marek Kumpost from Faculty of Informatics, Masaryk University

Marek gave a really interesting talk about using aggregation analysis to detect similar user behavior in various network-related contexts. He explained the algorithms that can be used to perform aggregation analysis and what their weaknesses are.

At the moment he is trying to detect the same user connecting from various network nodes by observing that user's behavior (patterns in web server visits, patterns in SSH usage, etc.).

Using aggregation analysis you can sort your users into behavioral classes and use their similarity to customize the UI for them, offer them things that similar users like or do, etc.

Amazon is actually the best-known example of aggregation analysis in use. It suggests books you would probably like to buy and read by comparing your behavior and shopping patterns with those of other people.

Using Perl for network device administration by Stepan Bechynsky from Microsoft

Stepan first introduced the WWW::Mechanize and HTML::TokeParser modules for the Perl programming language.

He then went on to explain how powerful these modules can be for batch-managing lots of cheap network devices, like printers and WiFi access points, that can be configured only through a (usually half-broken) HTTP+HTML+JavaScript web interface.
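As an added illustration of the approach Stepan described (my own example, not code from the talk), the script below logs in to each device's web form with WWW::Mechanize, reads the current syslog target out of the config page with HTML::TokeParser, and points it at a central log collector. The hosts, passwords, URL paths and form field names are made-up assumptions and will differ on real devices.

```perl
#!/usr/bin/perl
# Added example, not from the talk: point a batch of cheap devices at a
# central syslog server through their web UI. Hosts, paths and field
# names below are assumptions; every real device will differ.
use strict;
use warnings;
use WWW::Mechanize;
use HTML::TokeParser;

# Constructed inventory: host => admin password (load from a vault or file in practice).
my %devices = (
    '192.0.2.10' => 'printer-pw',
    '192.0.2.11' => 'ap-pw',
);
my $syslog_server = '192.0.2.250';   # assumed central log collector

# Return the value currently shown in the named <input> of a config page.
sub current_value {
    my ($html, $name) = @_;
    my $p = HTML::TokeParser->new(\$html);
    while (my $tag = $p->get_tag('input')) {
        my $attr = $tag->[1];          # hashref of the tag's attributes
        return $attr->{value} // '' if ($attr->{name} // '') eq $name;
    }
    return;                            # field not present in this page
}

for my $host (sort keys %devices) {
    # autocheck => 1 makes every failed request die with its HTTP status.
    my $mech = WWW::Mechanize->new(autocheck => 1, timeout => 10);
    $mech->agent_alias('Linux Mozilla');   # some UIs refuse unknown agents

    # Assumed login page: first form on /login.html with fields user/pass.
    $mech->get("http://$host/login.html");
    $mech->submit_form(form_number => 1,
                       fields => { user => 'admin', pass => $devices{$host} });

    # Assumed config page; record the old value so the run is auditable.
    $mech->get("http://$host/syslog.html");
    my $old = current_value($mech->content, 'syslog_host') // '(not found)';
    if ($old eq $syslog_server) {
        print "$host: already set, skipping\n";
        next;
    }
    $mech->submit_form(form_number => 1,
                       fields => { syslog_host => $syslog_server });
    print "$host: syslog target $old -> $syslog_server (HTTP ", $mech->status, ")\n";
}
```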

A very nice talk and a creative way to work around the brokenness of cheap devices and their lack of proper SNMP support.

I am really looking forward to seeing how WWW::Mechanize will handle all of the AJAX-based user interfaces that are just starting to pop up.

Using XEN by Michal Svamberg from University of West Bohemia

XEN is a virtual machine monitor that lets you run multiple (guest) operating systems side by side on the same hardware in a semi-virtualized (paravirtualized) fashion.

Guest operating systems require a slightly modified kernel to run on top of XEN, and almost all operating systems used nowadays are available in such a form.

Microsoft Windows has been shown to run, but the modifications to the NT kernel are not publicly available. You can, however, virtualize Linux, Solaris, or various BSD systems without any problem.

Michal described where XEN is used at ZCU, showed us a live demo of virtualization, and described their experience with live migration of virtual systems between physical machines.

The pretty impressive result of four seconds of downtime while migrating a web server under heavy load is definitely an argument to go ahead with XEN.

May 26, 2006 Conferences, EN, Opensource
