usefulfor.com/security » Events

DEFCON 17: a late write up

etd — Wed, 19 Aug 2009 14:36:07 +0000

This year's DEFCON was quite amazing, apparently 10k people showed up in the Riviera for it. This is a late write up because everybody knows already about the fake ATM and the RFID reader near the Wall of Sheep, on the other hand, not everybody knows about other things that also took place. By the way, this is how the back side of one of the ATMs at the conference looked like:

The truth is that you would need 2 or 3 duplicates to get to do all the stuff that you want to do. There are just too many talks, contests and random stuff going on that it is not possible to cover it all. Anyway, below is a breakdown of the talks I managed to get in.

Day 1

Welcome to Defcon 17 & the Making(and Hacking) of the Defcon Badge
An intro to the conference and to the Hardware specifications this year's badge had. Checkout the picture of the badge below, it is quite cool with a PIC, a microphone and a multi-LED controller. I still need to find out more about the winners of the hardware hacking contest.
Q & A with Bruce Schenier
You cannot read Schenier's blog and miss the first opportunity to find out whether he is human or cyborg. I had to be there. A lot of his answers were something like "as I wrote in 200x, blah blah"... which I guess is fair enough. He pitched his SHA-3 algorithm submission but nothing else was really ground-breaking (apart from his funky hat - does anyone have a picture?).
I missed the More Tricks for Defeating SSL by Moxie Marlinspike (abstract - blackhat slides)
Apparently this particular talk was really good and I missed it, damn you DEFCON schedule! I need to find
out more, but the guy found a way around OCSP (a certificate revocation protocol introduced with SSLv3 certificates) that would let an attacker to mitm SSL without the user's browser presenting the funny warning.
Kenshoto on the organisation of the CTF contest
Kenshoto is the team that held the CTF contest for the past 4 years. They gave a breakdown of the network / OS infrastructure they had to set up to be able to monitor all the teams and at the same time prevent the teams from hacking the CTF infrastructure for their profit.

It was a good overview and they also presented some of the challenges that they put the teams through in previous editions. It got scary when they started talking about the time you had to code your shellcode in Morse code or using white spaces and tabs...
Subverting the World of Warcraft API by Christopher Mooney and James Luedke (abstract)
Blizzard has changed the rules and doesn't allow programmatic decision making in the game. This guys found a way around this update and created a library that let them use the old functionality and also some of the newly introduced blizzard-only special APIs. They released a library that can be used to create helper characters able to do programmatic decision making
That Awesome Time I was Sued for Two Billion Dollars by Jason Scott (abstract)
Yes, I did rise my hand when he asked us if we were in the talk for it's title! A good talk about the personal quest of a crazy guy suing Jason Scott (from textfiles.com) over a file in the site. The guy first
released a book in exchange of a donation "if you think it is worth it" and then withdrew the release and forbade "the Internet" from using the book quite funny, and really entertaining speaker.

Day 2

"Smart" Parking Meter by Joe "Kingpin" Grand, Jake Appelbaum and Chris Tarnovsky (abstract)
Hardware hacking parking meter systems. They found out that the communication protocol between the meter and the smartcard was upside down (the meter provided a password and asked the smartcard to verify it, the meter asked the smartcard to decrease its value when time passed, etc.).

Very interesting, more if we take into account that most of the meters are used in a number of countries so, it may be worth
going through the slides. They didn't release code to prevent getting into trouble with the San Francisco transport authority.
Air Traffic Control by Righter Kunkel (abstract)
The talk provided good insight on how air traffic control operates and also about the details of the next generation of
protocols for locating planes that is going to be deployed to replace traditional radar systems. On the other hand, during the talk, the speaker was going to present a denial of service against the control tower of a standard commercial airport. It boiled down to submitting a web form multiple times and hoping that the amount of paper printed by the tower's needle printer would overwhelm the staff and slow down operations
RFID MythBusting by Chris Paget (abstract)
It was a bit of a vendor pitch of Chris' new company (check it out! ;0). On the other hand, almost all of his demos didn't work "due to hardware failures". Bad things happen to live demos at conferences that is why we saw quite a few pre-recorded ones...

He also planed to break the world record on RFID reading distance which didn't happen and also planed on having a huge cloning setup in the conference to show how easy is to clone cards and that it doesn't matter how short range the devices are, but that didn't happen either. If everything works next time, it's going to be amazing, don't miss it!
Sniff Keystrokes with Lasers/Voltmeters by Andrea Barisani and Daniele Bianco (abstract)
This one was really good. They used two different methods to sniff keystrokes:
- Measuring voltage in a distant power socket: it seems that the PS2 keyboard introduces measurable variations in the power consumption of ATX power supplies. This can be measured from distant sockets (over 15 meters away).
- Using a laser microphone to detect keystroke vibrations. Aiming a laser microphone to a reflective surface of the laptop could enable the vibrations caused by hitting the keys to be detected from the distance.
Both methods then required the statistical analysis about language patterns and common key combinations already introduced in previous research.

Day 3

Managed Code Rootkits by Erez Metula (abstract)
Now you are talking. Really, really good talk on subverting the lower levels of the virtual machine that runs the managed code. From tinkering with variables of the JVM and including additional JAR files in the load path to a pretty crazy strong encryption bypass for .NET assemblies.

Apparently there is a folder under %windir% where the assemblies are and if you put your modified dll in the right sub folder the CLR wouldn't complain about the signature... I need to go through it to verify the issues, but all the demos were quite scary.
dradis Framework by etd (abstract - slides)
It was good A fair amount of people went to the talk and the Q&A session was interesting.

Finally we got the chance to present the dradis Framework to a broader community. A new release of the framework (2.3) was published and I did a demo showing all the features available interface, import, tool output upload, export, etc. I didn't record a video for 2.3 however checkout the demos section for some screencasts of the tool.

It was a shame that the talk was just before maligno's Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data (abstract) because I had to leave to the Q&A room.
USB Attacks: Fun with Plug & 0wn by Rafael Dominguez Vega (abstract)
Rafa presented on the methodology to perform a security review of the USB stack from pure hardware based to pure software based techniques including virtual devices, qemu and a few fuzzing tricks. It was really good, unfortunately for political reasons he could not disclose the specific driver in which the vulnerability was found, although it was one of the stock drivers bundled with the Linux kernel.

Interesting thought: the issue can be triggered with USB over IP which is also enabled by default in the latest kernels...

What Happens in Vegas Stays in Vegas

There is so much more to DEFCON 17 than what I managed to fit in in this already lengthy post... I hope to be able to make some time and write a follow up on the social / events / people side of things. Good night.

DeepSec 2008

rdv — Thu, 18 Dec 2008 11:20:13 +0000

DeepSec 2008 took place in Vienna in November. For a period of two days attendees enjoyed a good set of talks, a good atmosphere and had the chance to talk to different people from different security backgrounds.

I was invited to present my 'Behind Enemy lines' research, which mainly focused on different attack techniques that are currently affecting a large number of administrative web interfaces.

The slides of this presentation can be found here: [1]

More information about this research can be found in the following white paper: [3] [4]

DEFCON 16 – Las Vegas 2008

editor — Thu, 21 Aug 2008 14:46:32 +0000

hack-fu by Matt Hillman

Last week I attended DEFCON 16 in Las Vegas. I went last year as well, so I knew to expect the huge throngs of people, the strange mix of young, old, and crazy-haired and all the usual antics that happens when you gather around 7 thousand hackers in one place.

There's a lot to do at DEFCON besides attending presentations, but this year I was there for business not just pleasure, so I went on a presentation-attending marathon. I must admit that this year there were less "wow" moments as far as the talks were concerned, but there were still some decent talks ands of course lots of opportunities to catch up with friends and acquaintances from around the world.

Here's a list and some comments of the talks I attended:

Day 1

Time-Based Blind SQL Injection Using Heavy Queries
By: Chema Alonso and Jose Parada

Nice little technique to perform blind SQL injection without the use of delay functions, but instead creating queries which tax the database enough for a noticeable delay to be seen. Nothing ground breaking, but nifty.

Links:

Digital Security: A Risky Business
By: Ian Angell (aka the "Angell of Doom")

A fantastic speaker, and an unusual presentation for DEFCON, dealing with some of the myths and fallacies of the high tech world.

Security and anonymity vulnerabilities in Tor: past, present and future
By: Roger Dingledine

There always seems to be a talk like this at DEFCON now, and its usually pretty interesting. This talk looked back at past Tor vulnerabilities, through to today, and suggested where further problems may lie. Tor's unusual architecture always makes this a fascinating listen.

New Tool for SQL Injection with DNS Exfiltration
By: Robert Ricks

This talk demonstrated a technique and a tool to extract data through an SQL injection vulnerability by tunnelling the data through DNS. This makes for fast extraction as more data can be extracted with each query than in traditional blind SQL injection techniques. The DNS exfiltration method is not new, but Rickses tool targets Oracle which, as far as I know, no practical tool did before.

Anti-RE Techniques in DRM Code
By: Jan Newger

Fascinating look at some of the devious techniques DRM code uses to make it harder to reverse. Slides featured a pixelated section of a diagram to avoid revealing the full DRM algorithm.

NMAP-Scanning the Internet
By: Fyodor

Really enjoyed this one. I hadn't seen Fyodor present before and he is a very engaging speaker. His talk contained some interesting metrics based on his mammoth scans of large parts of the internet, allowing him to give advice on the most efficient scan options. He also added a variety of very nice features to nmap to be released soon.

Keeping Secret Secrets Secret and Sharing Secret Secrets Secretly
By: Vic Vandal

The talk focused mainly on issues surrounding stenography.

Virtually Hacking
By: John Fitzpatrick

John is a colleague of mine, so naturally I went to heckle this presentation In all seriousness though it’s an interesting talk about VMware security. He released some scripts to manipulate VMware in some very interesting ways.

Day 2

RE:Trace: The Reverse Engineer's Unexpected Swiss Army Knife
By: David Weston and Tiler Beauchamp

This was a great talk, and one I will probably use in some future research of mine. RE:Trace is a ruby framework written around DTrace which allows you to do some kung-fu to help in reverse engineering and exploit writing. Includes some very nice integration with IDA Pro.

Hacking Desire
By: Ian Clarke

Not what I expected, but interesting nonetheless, the talk focussed on how systems can build a predictive picture of what users like.

Feed my SAT Monkey
By: Major Malfunction (aka Adam Laurie)

Hacking satellites. Do I need to say anymore? Well ok, no sending data to satellites here, but interesting insight into the world of hunting for interesting signals. Including tcp/ip data that you "wouldn't believe".

Is that a unique credential in your pocket or are you just pleased to see me?
By: Zac Franken

If you've never seen someone take a silicone cast of their hand to fool a hand scanner, you haven't lived.

VulnCatcher: Fun with Vtrace and Programmatic Debugging
By: atlas

This talk shows techniques for programmatically finding when an exploitable bug "likely" occurred during fuzzing, so you can hone in on the truly interesting crashes quickly. Included an amusing interruption in which atlas was attacked by a fully automatic nerf gun.

Introducing Momentary Faults Within Secure Smartcards/Microcontrollers
By: Christopher Tarnovsky

Some of this talk was a bit over my head (I'm a software monkey at heart), but it was quite amazing to see how you could physically mess with circuits on a chip to bypass certain restrictions. Included live, participatory demonstration!

Day 3

Malware Detection Through Network Flow Analysis
By: Bruce Potter

Its not as if you can not go to a Bruce Potter talk. He started off with some insightful comments about the security industry generally, and moved on the to main topic of discussion, showing how best to analyse network flow from a security analysts point of view, as opposed to a purely operational concerned person. Before the talk, Bruce took part in a small TF2 lan game that was stuck up on the big screen as we filed in.

Advanced Software Armouring and Polymorphic Kung-Fu
By: Nick Harbour

Nick Harbour had developed a pretty cool packer which used some amazing
techniques to screw with analysis of the disassembly. My favourite was
instructions that jump half way into their own bytecode at which point
new meaningful instructions emerge.

DNS
By: Dan Kaminsky

If I have to explain this one, you must have been living under a rock. I actually only caught the second half, as the line to get in to his talk was insanely long. But he spoke for almost 2 hours and I managed to hear some of his comments on the implications of easy DNS poisoning. Afterwards, he gave out cookies!

Race-2-Zero Unpacked
By: Simon Howard

A dissection of the controversial Race-2-Zero contest in which participants had to get various malware past virus scanning engines.

Toaster, a Modular NetBSD Rootkit
By: Anthony Martinez and Thomas Bowen

The guys seemed quite nervous in this presentation, but the material behind it was an interesting look at how they implemented this BSD rootkit.

Malware RCE: Debuggers and Decryptor Development
By: Michael Ligh and Greg Sinclair

This demo driven presentation looked at techniques and tips for effectively analysing malware samples.

en-Testing is Dead, Long Live the Pen Test
By: Taylor Banks and Carric

An insightful look at the history and development of pentesting, its roots in hacker culture, what went wrong, and how to progress into the future.

Summary

I really enjoyed The Pen-Test is Dead Long Live the Pentest as it tied in quite closely with what I am seeing myself and the changes we are making at MWR InfoSecurity. On a technical level my favourite talks were probably RE:Trace, Anti-RE Techniques in DRM Code and Polymorphic Kung-Fu. I wish I had got to see Jason Scott's talk, he has to be one of my favourite speakers, but his talk wasn't technical and as I was there on company time I decided to take in the technical talks on at the same time instead.

Black Hat Europe 2008

etd — Wed, 02 Apr 2008 08:46:02 +0000

I have just arrived from Black Hat Europe 2008 in Amsterdam (this one, not this one). It has been a cool experience, not exactly what I expected but really interesting.

Briefings were held during the 27^th and 28^th of March, and the presentations are available for download. If you want to see what the chef recommends just keep reading...

Here is the list of presentations I attended:-

Day 1

The Keynote by Ian O. Angell: Digital Security: a Risky Business.
Client-side Security by Petko D. Petkov.
Side Channel Analysis on Embedded Systems by Job DeHaas.
CrackStation by Nick Breese.
Exposing Vulnerabilities in Media Software by David Thiel.
The Fundamentals of Physical Security by Deviant Ollam.

Day 2

Mobile Phone Spying Tools by Jarno Niemela.
LDAP Injection & Blind LDAP Injection by Chema Alonso & Jose Parada Gimeo.
DTRACE: The Reverse Engineer's Unexpected Swiss Army Knife by David Weston & Tiller Beauchamp.
Intercepting Mobile Phone/GSM Traffic by David Hulton & Steve.
Hacking Second Life by Michael Thumann.
Investigating Individuals and Organizations Using Open Source Intelligence by Roelof Temmingh & Chris B

Favourites

Intercepting Mobile Phone/GSM Traffic. Mind blowing, these guys have been researching the topic for 5 years and they have found a software/hardware combination that makes GSM cracking a piece of cake.
Investigating Individuals and Organizations Using Open Source Intelligence. Paterva is a nice tool, but the most interesting/scary part of the presentation was the little brainstorming session by Roelof Temmingh on how datamining, online presence and the sources of information may evolve in the future.
The Fundamentals of Physical Security. All your locks are belong to us.

There were more business people than nerds but more nerds than girls . Google was recruiting, Microsoft was nowhere to be seen and there was punch and pie all day long.