defcon_22

DefCon == My Nerd Nirvana

Las Vegas is one of my favorite cities in the US. Why? Because I like flashing lights, loud noises and free drinks. I can now add one more thing about Vegas that I love (well at least once a year), DefCon! I finally had the privilege of going to my first DefCon this year, with arch enemy and best buddy Bryan Owens.

During my adventure, I saw approximately 3 hours of daylight during my 4 day trip, drank lots of scotch, lost 80 bucks gambling and most importantly learned a lot. This surprisingly low tech field trip yielded some decent and some what legible handwritten notes, so from my notebook to you I present a summary of my highlights of DefCon 22.

Went to DefCon And All I Got Was This Cool Ass Badge!

This year's badge is a full on Propeller microcontroller development board and was the main focus of this year's "Badge Challenge." The board is "based around the Propeller P8X32A 32-bit Multicore Microcontroller. The circuit consists of a Propeller (microcontroller, EEPROM, clock), an infrared LED and receiver for badge-to-badge communication, a bank of eight LEDs for visual feedback, four button touch pads and a USB circuit for data access and programming." [1] One of the coolest badge hacks I saw was a team that turned one into a flying drone! This little puppy is going to be a gift that keeps on giving all year round.

A Few Of My Favorite Things…

At DefCon there was definitely something for everyone. From lock picking to social engineering there were talks for all walks of hacker life. Entertaining, thought provoking and informative are just some words I'd use to describe the talks I attended. To make my rambling a bit more coherent and focused, below I discuss a some of my favorite talks by topic category. I also included a list of all the talks I attended by day at the end of this post. For more information on all DefCon 22 talks DefCon 22 Schedule.

Low Level Mayhem

The lower level talks were some of the most technical talks of the weekend as they got down into the technical weeds so speak. They were also by far some of the more interesting talks I attended. I personally think that hardware level exploits are the most interesting and in some ways the most scary. Though these exploits require more technical know how open source tools and software are making it little easier to gain this knowledge. These exploits are also harder to detect, and provide a wide range of software and hardware attack surfaces. Basically, if you can own the hardware you own the box!

Paging SDR (Xaphan & n00bz)

This talk was about intercepting and decoding data transmitted across the national pager networks. This data is transmitted using Pocsag/Flex protocols. The most surprising thing I learned in this talk was that the pager networks were in fact still alive and well and that the data is transmitted completely unencrypted (some of which is sensitive medical data)! Using open software like GNU Radio and Software Defined Radio dongle you can too can have all sorts of fun playing spy at home. A bit of a disclaimer, since this data is receive only you don't need a HAM radio license to listen though it maybe illegal to receive this data in your state. Check local laws before you start exploring.

This is pure data porn, because all data is transmitted in real time this could be an excellent source for data mining projects. One idea is that one could build a model for classifying topics of pager messages to spot trends of topics over time. This would be especially interesting to try in areas where big news stories are unfolding.

I couldn't wait to purchase this little darling after this talk, DVB-T USB 2.0. Thanks Hacker Warehouse for making my dreams come true.

RFIDler: Software defined RFID tool (Zac Franken & Adam Laurie - link[Aperture Labs])

Another sweet SDR related talk was given by the guys at Aperture Labs. They presented RFIDLer an open source platform for reading, writing, and emulating RFID tags.

RFIDLer combines a microcontroller (for handling the RF side of things) and software client that takes all the complexities out of getting started with RFID hacking. Given that most tools on the market that provide similar functionality are expensive, dev kits are vendor specific and RFID tech can have a steep learning curve, RFIDLer seems like a great way to get started.

For more information on RFIDLer and Aperture Labs:

USB 4 All: USB Security Issues (Jesse Michael & Mickey Shkatov)

This talk explored tools that can be used to monitor and exploit USB devices. Though security issues with USB are becoming a known art, I personally learned a lot in this talk about USB protocols and the means by which these devices can be exploited.

One common way for USB devices are exploitable is by using existing functionality that comes with the devices. Most modern gadgets have USB devices, and these devices have their own firmware and even processors all of which are separate from the CPU and operating system. It is this separation that make USB exploits so interesting because malware detection software can't see if the firmware has been updated. If this isn't scary enough the debugging and upgrade hooks are typically available and ready for use in these devices! Also, these hooks usually describe how to read and write to/from EEPROM (non-volatile memory used to store data). Using these mechanisms one can figure out all they need to know to exploit a host of USB devices and the gadgets they reside in.

Another interesting note from this talk is that Jess and Mickey mentioned that in their security research they have seen USB devices that had been compromised before leaving the manufacture…yikes!

Some tools discussed in the talk:

  • Total Phase Beagle 5000 / 480 (usb 2.0 only) - protocol analyzers, can be used only for observations not injection.
  • Facedancer - allows usb emulation endpoints
  • Daisho (3.0 capable) - monitor and inject, high speed, can be used to perform man in the middle attacks
  • USB Proxy
  • LibUSB - software only, write tools to access usb devices, send requests etc.

Summary of Attacks Against BIOS and Secure Boot (Intel Security)

This was by far the most technically challenging talk to follow, but I am really glad I braved through it. In this talk the guys from Intel Security shared how one could completely bypass secure boot and other BIOS level exploits. I definitely won't try to describe everything covered in the talk but my main take away was that most of these exploits have to do with pointing BIOS processes to an unsecured space. They also discussed how to perform system analysis, forensics and steps to take to secure systems.

In the talk they used CHIPSEC. "CHIPSEC is a framework for analyzing security of PC platforms including hardware, system firmware including BIOS/UEFI and the configuration of platform components. It allows creating security test suite, security assessment tools for various low level components and interfaces as well as forensic capabilities for firmware."

For more information on CHIPSEC:

Snooping, Spying and Other Stuff

Do you ever get the feeling your being watched? If so, you probably are. In this section I discuss some of the talks I attended that where the topics were all about either collecting (or stealing) data on people.

Municipal Mesh Networks (Dustin Hoffman & Thomas (TK) Kinsey - Exigent)

With police budgets shrinking more and more municipalities are employing the use of Mesh Networks to provide a force multiplier to combat these shrinking budgets. Mesh Networks are cheap to implement using common off the shelf hardware. These networks can be used to monitor traffic and public spaces, two-way audio communication as well as motion sensors.

In this presentation the speakers examined a fully operational and egregiously unsecured network. One almost amusing, yet serious security issues they discovered was that the network traffic was completely unencrypted and had an SSID (yes the SSID was being broadcasted) of "police department." This presentation's live demo was thwarted by the city suddenly turning on WEP encryption (yes you read that right) 72 hours before their presentation…so there was no live demo :(

Other possible threats they observed on this network:

  • Being able to observe live streams of video from various cameras in the network
  • Being able to subscribe yourself via multicast
  • Could make use of attacks such as packet flooding, DDOS, and ARP spoofing
  • Being able to "legitimately" joining the network with your own hardware (that they were able to easily purchase on Ebay)
  • Video manipulation

Though it may be amusing to chuckle at the lack of security in this network it demonstrates some serious problems. Our tax dollars are going to install these networks and because budget strapped municipalities don't have the resources to perform their own security audits they have no clue if the vendors and contractors they hired to set up these networks are doing so with security in mind.Lack of security in these networks ultimately can offer a backdoor into the rest of a municipality's network, which in the wrong hands could mean potentially serious problems for everyone.

More on wireless mesh networks:
http://computer.howstuffworks.com/how-wireless-mesh-networks-work.htm

Stolen Data Markets: An Economic and Organization Assessment (Dr. Thomas Holt, School of Criminal Justice at Michigan State University)

Data breaches have become commonplace and attempts to break up networks for buying and selling this data have had mixed results at best. In this talk Dr. Holt discussed the qualitative and quantitative approach of assessing forums by which stolen data is bought and sold. In his research he found that there are various levels of organization in the data markets and that trust among buyers and sellers proved to very important…which is a bit ironic.

Highlights from this talk:

  • There are various products offered: Dumps, CVVs, bank accounts, "fulls" (what data is called when it includes all info associated with an account such as email address, PayPal, Ebay account info), cash out services (i.e. cloning ATM cards), money laundering, personal documents, skimmers.
  • Data dumps and CVVs are the most popular products sold.
  • The more organized the market the higher the prices…these are also the harder forums to infiltrate
  • Canadian and European data dumps are more expensive than American dumps, primarily because there is a much higher supply for American data on the market.
  • Online currency systems are the method of choice of payment.
  • Customer service is extremely important. Some forums have rating systems (much like Ebay) for buyers and sellers, and some actually offer product testing typically by forum moderator / administrator.
  • Paypal accounts are very cheap to purchase.
  • It is more lucrative to be a seller than a buyer, where a seller of stolen data dumps can make upwards of $2 Million dollars.
  • By studying these networks and understanding how they operate researchers can determine better ways to disrepute them.

Breaking And Entering

If it's on the network a box can be comprised. In this section I will discuss some of the talks that highlight this fact.

Attacking The Traveling Salesman: Point of sale attacks on airline travelers (Alex Zacharis and Tsagkarakis Nikolaos)

Though it's known POS systems are like sitting ducks for would be thieves but this POS attack discussed in this talk is unique in that it sought to profile travelers. Research were able to easily hack a kiosk at an international airport that allows users to buy WiFi credits, make voip/video calls and scan e-ticket barcodes / QR codes to check flight status.

Some of the attack vectors they discovered:

  • Alt+Tab actually worked from the kiosk's keyboard (yep it's a Windows 7 terminal)!
  • Bad sanitation of user input from keyboard, which also allowed for executing basic windows commands.
  • Admin module was pretty easy to access.
  • USB port easily accessible.
  • Able to control the webcam to take photos of travelers.
  • Able to install malware that would take traveler data such as name, e-ticket number which could then be used to create your own mobile e-ticket using the travelers info. Because some network calls contained certain traveler info and this scanned info is decoded and presented in RAM it was prime for scrapping. This would work quite well since they typically do not check identification at the gate when boarding the plane.

Tips offered for securing POS systems:

  • Use strong passwords
  • Keep systems patched and up to date
  • Limit access to the Internet and disable remote access for terminal.
  • Install (and keep updated) antivirus software.

During their research they reported some initial issues they found and were thanked by with denial by airport officials. Eventually they were allowed to come and demonstrate their findings and eventually some measures were taken to secure the terminals though it took over a month for even the USB port and support for Alt+Tab to be fixed.

This talk definitely had a creepy factor to it given how easy it was for them to attach this terminal. The security weaknesses found not only could compromise the security of travels but the airport as a whole as it provieds a gateway to the rest of the airport's network.

Mass Scanning The Internet! (Robert Graham, Paul McMillan and Dan Tentler)

Apparently performing a massive port scan of the entire Internet is not only possible but can be done with in the span of a work day thanks to tools like masscan. In this talk they gave potential "digital explorers" tips and tricks to get started with web-scale port scanning research. Port scanning whether used for black or white hat purposes can enable you to find open ports and potentially hackable systems. With over 65,000 ports to explore you are bound to find something interesting.

A few words of caution about port scanning:

  • Be prepared to respond to abuse complaints…maintain a list of IP addresses / ranges to exclude from your scans.
  • Be prepared for your ISP to be pissed at you (and perhaps even terminate your service).
  • Some sensitive IP ranges such as those used by government agencies should be avoided unless you are looking for trouble.
  • Things such as becoming friendly with your ISP, using a port scanning friendly host, or performing spoof scanning via the use of a burner phone for example are some ways you can start safely exploring the world of mass port scanning.

A Survey of Remote Automotive Attack Surfaces (most entertaining! - Dr. Charlie Miller & Chris Valasek)

Your car is just a network of computers and all the cool features such as GPS, parking assistance, WiFi, Bluetooth, allow for a very hackable vehicle which offers a wide array of attack surfaces. This talk received my "most entertaining talk at DefCon 22" award. As hilarious as they were informative Charlie and Chris presented the anatomy of a remote attacks as well as discussed automotive network of several manufacturers. They also showed some pretty sweet demo videos of their hacking escapades.

I am now pretty interested in getting the network specs of my Mini (a.k.a "Kit"). If you want to know more about their research, the tools they used and how you can get started in automative research, see the links below:

Privacy Matters! - Dark Mail (DIME) (Ladar Levison & Stephen Watt)

Though this was the most sobering talks I attended, it was also the most inspiring. Ladar Levison who is best known for being the founder of LavaBit, a secure email platform which he shut down instead of handing over the keys (literally) to his castle due to inquires from federal government, that would have allowed them to decrypt all the mail on his servers. No matter what you think of him or this case personally, you have to admit this was a ballsy move and he clearly is put his money where his mouth is.

With Dark Mail (a.k.a DIME) Ladar proves that he is still very passionate about security and email privacy. In addition to discussing his experience in the LavaBit case Ladar and Stephen discuss there plans for a system that will place private key management and encryption at the hands of end users instead of the mail servers. It also will minimize the leakage of metadata.

If you are interested in learning more about Dark Mail or you are interested in helping Ladar and Stephen build it see the link below:
https://www.darkmail.info/

All Talks I Attended (By Day)
Thursday

  • Threat Level Collection: Building Threat Intel Network
  • RFIDler: Software defined RFID tool

Friday

  • Paging SDR
  • Framework for piggy-back fuzzing and tool development
  • USB 4 All: USB Security Issues
  • Stolen Data Markets: An Economic and Organization Assessment
  • Attacking The Traveling Salesman: Point of sale attacks on airline travlers
  • Municipal Mesh Networks
  • Ephemeral Software Communication (Silent Circle, Wicker, Glimpse)
  • Dark Mail (a.k.a DIME)

Saturday

Security & You: Why Privacy Still Matters

One of the things my field trip to DefCon confirmed for me is that privacy still matters...

SkyNet is only cool when you are the builder. In the age of mass surveillance, data breaches and unlimited access to cat videos; it may feel like we are fighting a losing battle of preserving our privacy and cilvil liberties. Some of the most prevalent topics of discussion not only at DefCon but in the security community in recent times has been privacy protection and preserving one's anonymity not only online but off-line. With the beans being spilled about the NSA's mass surveillance programs by Edward Snowden and the every growing popularity of always own video surveillance in public places it is hard to not be discouraged and down right paranoid.

This paranoia is growing not only for those with "something to hide" but it's growing for the everyday citizens that feels they are constantly being watched, judged and sized up. This paranoia isn't without merit and as consumers, citizens of the world, and especially as entrepreneurs and technical professionals we have a responsibility to push for checks and balances to be put in place so that our security at home, though it is gravely important doesn't mean eroding our civil liberties and building a cloud of distrust over our tech companies to the point where it dampens one of the brightest stars of our economy. In an industry where data is king, especially at the enterprise level this "security at all cost" mantra could have a devastating affect financially on our industry.

The days of thinking of security as a nice to have are over. The rules of engagement have definitely changed. As entrepreneurs, especially those of us looking to build data centric, commercial / consumer facing applications securing that data is paramount. Issues like data breaches can not only tarnish your brand, hence building distrust among your customers it can ruin your business. Even issues like having a set protocol for handling data requests from government agencies is important. This protocol should also be transparently communicated to your customers and those that do business with you. One of the points raised in a few DefCon talks was you can't hand over what you don't store. Meaning if you don't store data about your users there will be nothing to hand over if you are issued a request for that data. If your business depends on storing and using user's data you better have plan for how to deal with these requests; no talk at DefCon drove this point home more than Ladar Levison's sobering Dark Mail (a.k.a DIME) talk.

What Can We Do?

Protecting one's privacy isn't just about keeping "secrets" it is also about protecting one's freedom of speech and civil liberties, things which our founding fathers declared were rights of all citizens. We all agree that the fighting bad guys and protecting our freedoms are important but how does it make sense to give up freedoms in order to protect those same freedoms?

So you maybe saying well, man this also sounds good but what can I do? We can all stay vigilant as citizens, technical professionals and entrepreneurs. We can also take our nerd hats off and work to educate those that are less technical than ourselves about how they can protect themselves online. We can also support organizations such as the Electronic Frontier Foundation is a non-profit organization working to protect everyone's cilivil liberties online. I joined the EFF while I was at DefCon and not only did I get a cool t-shirt, in a small way I'm helping the EFF resort balance to the force.

Conclusion

This was a great experience and I can't wait to attend next year. I walked a way with a renewed enthusiasm for technology and the security space. A few talks gave me some ideas for new personal projects including one of which is building a security testing lab at home so I can continue to learn and safely explore without the threat of jail time lol.

I would like to thank the hard working folks that made DefCon possible. If you would like to learn more about the conference and all the good stuff surrounding it check out the the link to the DefCon site in the resources section.

References

[1] Tech Specs for DefCon 22 Badge

Resources