DEFCON 17: a late write up
This year's DEFCON was quite amazing; apparently 10k people showed up at the Riviera for it. This is a late write up because everybody already knows about the fake ATM and the RFID reader near the Wall of Sheep; on the other hand, not everybody knows about the other things that also took place. By the way, this is what the back of one of the ATMs at the conference looked like:

The truth is that you would need 2 or 3 duplicates of yourself to do all the stuff you want to do. There are just too many talks, contests and random things going on for it to be possible to cover it all. Anyway, below is a breakdown of the talks I managed to get into.
Day 1
- Welcome to Defcon 17 & the Making (and Hacking) of the Defcon Badge
An intro to the conference and to the hardware specifications of this year's badge. Check out the picture of the badge below; it is quite cool, with a PIC, a microphone and a multi-LED controller. I still need to find out more about the winners of the hardware hacking contest.
- Q & A with Bruce Schneier
You cannot read Schneier's blog and miss the first opportunity to find out whether he is human or cyborg. I had to be there. A lot of his answers were something like "as I wrote in 200x, blah blah"... which I guess is fair enough. He pitched his SHA-3 algorithm submission but nothing else was really ground-breaking (apart from his funky hat - does anyone have a picture?).
- I missed More Tricks for Defeating SSL by Moxie Marlinspike (abstract - blackhat slides)
Apparently this particular talk was really good and I missed it, damn you DEFCON schedule! I need to find out more, but the guy found a way around OCSP (a certificate revocation protocol introduced with SSLv3 certificates) that would let an attacker MITM SSL without the user's browser presenting the funny warning.
- Kenshoto on the organisation of the CTF contest
Kenshoto is the team that has run the CTF contest for the past 4 years. They gave a breakdown of the network / OS infrastructure they had to set up to be able to monitor all the teams and at the same time prevent the teams from hacking the CTF infrastructure to their own advantage.
It was a good overview and they also presented some of the challenges they put the teams through in previous editions. It got scary when they started talking about the time you had to write your shellcode in Morse code or using only spaces and tabs...
- Subverting the World of Warcraft API by Christopher Mooney and James Luedke (abstract)
Blizzard has changed the rules and no longer allows programmatic decision making in the game. These guys found a way around this update and created a library that lets them use the old functionality and also some of the newly introduced Blizzard-only special APIs. They released a library that can be used to create helper characters able to do programmatic decision making.
- That Awesome Time I was Sued for Two Billion Dollars by Jason Scott (abstract)
Yes, I did raise my hand when he asked us if we were in the talk for its title! A good talk about the personal quest of a crazy guy suing Jason Scott (from textfiles.com) over a file on the site. The guy first released a book in exchange for a donation "if you think it is worth it" and then withdrew the release and forbade "the Internet" from using the book. Quite funny, and a really entertaining speaker.
Day 2
- "Smart" Parking Meter by Joe "Kingpin" Grand, Jake Appelbaum and Chris Tarnovsky (abstract)
Hardware hacking of parking meter systems. They found out that the communication protocol between the meter and the smartcard was upside down (the meter provided a password and asked the smartcard to verify it, the meter asked the smartcard to decrease its own value as time passed, etc.).
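The reversed check described above, as an added illustration that is not code from the talk: a meter that proves itself to the card and trusts the card's own bookkeeping, beside one that issues a fresh nonce and verifies the card's MAC itself. The shared symmetric key, the card models and the balances are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed key shared by the issuer's meters and genuine cards (symmetric, a simplification).
KEY = b"constructed-demo-key"

def mac(nonce: bytes, balance: int) -> bytes:
    return hmac.new(KEY, nonce + balance.to_bytes(4, "big"), hashlib.sha256).digest()

class GenuineCard:
    """Card behaving as the issuer intended; balance in minutes (constructed model)."""
    def __init__(self, balance: int):
        self.balance = balance
    def verify_password(self, password: bytes) -> bool:  # used by the flawed protocol
        return hmac.compare_digest(password, KEY)
    def decrement(self, minutes: int) -> bool:           # used by the flawed protocol
        if self.balance < minutes:
            return False
        self.balance -= minutes
        return True
    def debit(self, nonce: bytes, minutes: int):         # used by the hardened protocol
        if self.balance < minutes:
            return None
        self.balance -= minutes
        return self.balance, mac(nonce, self.balance)

class AgreeableCard:
    """Card that says yes to everything and holds no key (models the flaw)."""
    def verify_password(self, password: bytes) -> bool:
        return True
    def decrement(self, minutes: int) -> bool:
        return True
    def debit(self, nonce: bytes, minutes: int):
        return 10 ** 6, b"\x00" * 32

def upside_down_meter(card, minutes: int) -> bool:
    """As described in the talk: the meter proves itself to the card and trusts its bookkeeping."""
    return card.verify_password(KEY) and card.decrement(minutes)

def hardened_meter(card, minutes: int) -> bool:
    """Meter issues a fresh nonce and itself verifies the card's MAC over (nonce, new balance)."""
    nonce = os.urandom(16)
    reply = card.debit(nonce, minutes)
    if reply is None:
        return False
    balance, tag = reply
    return hmac.compare_digest(tag, mac(nonce, balance))
```

The point is where the verification happens: the agreeable card is accepted by the upside-down meter but rejected by the one that checks a keyed response itself.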
Very interesting, even more so if we take into account that the same meters are used in a number of countries, so it may be worth going through the slides. They didn't release code, to avoid getting into trouble with the San Francisco transport authority.
- Air Traffic Control by Righter Kunkel (abstract)
The talk provided good insight into how air traffic control operates and also into the details of the next generation of protocols for locating planes that is going to be deployed to replace traditional radar systems. The speaker also went on to present a denial of service against the control tower of a standard commercial airport. It boiled down to submitting a web form multiple times and hoping that the amount of paper printed by the tower's dot-matrix printer would overwhelm the staff and slow down operations.
- RFID MythBusting by Chris Paget (abstract)
It was a bit of a vendor pitch for Chris' new company (check it out! ;0). Also, almost all of his demos didn't work "due to hardware failures". Bad things happen to live demos at conferences, which is why we saw quite a few pre-recorded ones...
He also planned to break the world record for RFID reading distance, which didn't happen, and also planned on having a huge cloning setup at the conference to show how easy it is to clone cards and that it doesn't matter how short-range the devices are, but that didn't happen either. If everything works next time, it's going to be amazing, don't miss it!
- Sniff Keystrokes with Lasers/Voltmeters by Andrea Barisani and Daniele Bianco (abstract)
This one was really good. They used two different methods to sniff keystrokes:
- Measuring voltage at a distant power socket: it seems that a PS/2 keyboard introduces measurable variations in the power consumption of ATX power supplies. This can be measured from distant sockets (over 15 meters away).
- Using a laser microphone to detect keystroke vibrations. Aiming a laser microphone at a reflective surface of the laptop can let the vibrations caused by hitting the keys be detected from a distance.
Both methods then rely on the statistical analysis of language patterns and common key combinations already introduced in previous research.
Day 3
- Managed Code Rootkits by Erez Metula (abstract)
Now you are talking. Really, really good talk on subverting the lower levels of the virtual machine that runs the managed code. From tinkering with variables of the JVM and including additional JAR files in the load path to a pretty crazy strong encryption bypass for .NET assemblies.
Apparently there is a folder under %windir% where the assemblies live, and if you put your modified DLL in the right sub-folder the CLR doesn't complain about the signature... I need to go through it to verify the issues, but all the demos were quite scary.
- dradis Framework by etd (abstract - slides)
It was good. A fair number of people went to the talk and the Q&A session was interesting. Finally we got the chance to present the dradis Framework to a broader community. A new release of the framework (2.3) was published and I did a demo showing all the features available: interface, import, tool output upload, export, etc. I didn't record a video for 2.3; however, check out the demos section for some screencasts of the tool.
It was a shame that the talk was right before maligno's Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data (abstract), because I had to leave for the Q&A room.
- USB Attacks: Fun with Plug & 0wn by Rafael Dominguez Vega (abstract)
Rafa presented the methodology for performing a security review of the USB stack, from purely hardware-based to purely software-based techniques, including virtual devices, QEMU and a few fuzzing tricks. It was really good; unfortunately, for political reasons he could not disclose the specific driver in which the vulnerability was found, although it was one of the stock drivers bundled with the Linux kernel.
Interesting thought: the issue can be triggered over USB over IP, which is also enabled by default in the latest kernels...
What Happens in Vegas Stays in Vegas
There is so much more to DEFCON 17 than what I managed to fit in this already lengthy post... I hope to be able to make some time and write a follow up on the social / events / people side of things. Good night.
