Chaos Communication Congress Chaos Communication Congress

Chaos Communication Congress

Mobile phones and embedded systems - the major topics of the annual conference.

- + Text size
Print

The 30th edition of the Chaos Communication Congress was held this year.

The event, which took place in Hamburg from 27 - 30 December, attracts researchers and enthusiasts from all over the world in the security field, who are primarily concerned with two major topics that have always characterised this conference.

Every year, the number of participants increases: this year the event was attended by about 9,000 people and the hosting venue was further extended, providing access to new areas of the premises.

Trend topic

Trends emerging during the conference include:

  • reduction in the vulnerability of publicly released software: it is now common practice to no longer release details about vulnerabilities or software exploitation.
  • "responsible disclosure", adopted by almost all security researchers. It involves contacting vendors affected by vulnerabilities in advance and, only after patches have been released, publishing the results of any analyses. However, attack software is not generally released and if this were to happen, it has weakened functions or requires certain skills in order to operate, therefore it can only be used by those who have similar know-how to its developers.

Important talks

During the conference, some particularly interesting talks were given. For example, the talk by Karsten Nohl and Luca Melette provided new updates on their research into the vulnerability of SIM cards and GSM security. New software has been released to analyse the security of SIM cards (this new software looks for vulnerable sectors on a locally attached card), make assessments of GSM networks and upload data on the website gsmmap.org. The website collects data from users worldwide in order to map the security of operators within the same country.
In the talk on "Electronic Bank Robberies”, two researchers reported on malware for ATM. The novelty of this talk lies in the fact that a real case of in-the-wild malware was reported and not laboratory experiments, as seen in the past. The analysis made by researchers revealed the emergence of a huge criminal organisation behind the development and exploitation of this malware.

Finally, J. A. Halderman gave a talk on mass scanning (portscan) techniques. The American researcher has developed a tool called ZMAP, which allows the entire Internet to be scanned in a very short time (about 45 minutes). After making a large number of scans, some security analyses were made for SSH and HTTPS, revealing various vulnerabilities linked to the generation of random numbers (SSH) and to CA hierarchy for x509 (HTTPS).