Archive for the ‘DEFCON 19’ Category

DEFCON 19 update.

Monday, January 16th, 2012

I have not been able to watch it yet (Vimeo is blocked at work) but video of Deviant Ollam’s “Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes” presentation from DEFCON 19 is up.

You can find the video (along with comments from various folks, including Ollam) at the Everyday, No Days Off blog.

DEFCON 19 update #1.

Wednesday, August 10th, 2011

Added links to the following presentations:

DEFCON 19 notes: day 3.

Tuesday, August 9th, 2011

“Earth vs. The Giant Spider”: This was described as a collection of weird, bizarre, freaky, and unusual hacks compiled by the presenters during penetration tests. I figured this would probably be a high energy, lots of fun, lots of laughs panel. I ended up kind of disappointed. Maybe high energy is too much to expect at 10 AM on DEFCON Sunday, but the presenters seemed curiously subdued. (This may have had something to do with non-functional equipment that resulted in them having to drop the live penetration test portion of the presentation.)

As for the hacks…well, okay, owning an entire country’s credit card processing (bypassing the firewall by sending packets from source port 0) is kind of cool. Getting cheap food from a restaurant chain by hacking a Javascript that communicates with a 3rd party server, and doesn’t validate data being sent from the restaurant’s website to the server? Meh. The story about cloning the support mailbox on an old ROLM PBX (default field service user ID/password) which ended up with the penetration testers doing Checkpoint support for one of the corporate users? Mildly funny. The other hacks (doing a HTTPS man in the middle attack with a self-signed certificate, and using information gathered that way to hijack a session to an external VPN by cloning cookies; high-def IP cameras with undocumented default accounts located right over keyboards, Oracle session hijacking), well, maybe you just have to have been there.

As for the “Caucasian-American love hack” (in which they were able to guess an admin’s password from his profile on an Asian-American dating site), I felt more pity for the poor admin, who was probably just looking for love (and not even in all the wrong places) rather than admiration for the penetration testers. Sorry, guys: I know your intentions were good, but this didn’t click with me. It may just have been a personal thing: YMMV.

“Seven Ways to Hang Yourself with Google Android”: An excellent presentation by Yekaterina Tsipenyuk O’Neil (Fortify) and Erika Chin (UC-Berkeley) about the major mistakes programmers making developing Android applications. Specifically:

  1. “Intent spoofing”. Basically, “intents” are a type of message Android uses for inter-application communications, intra-application communications, and system event messages. Android intents can be either “explicit”, where the intent is directed to a specific destination or “implicit”, where the destination isn’t specified and Android decides where the intent should be delivered. The issue is that many developers just use implicit intents, which makes it possible for someone to write a malicious application that creates intents requesting some sort of change in state, and send those intents to other applications that use implicit intents.
  2. SQL query string injection. Yes, you can build a malicious app that queries Android’s SQLite database and (possibly) returns data the app otherwise wouldn’t be able to see.
  3. “Unauthorized intent receipt”. Very similar to #1, except instead of requesting a change in state, the malicious app harvests information from public intents intended for other non-malicious applications.
  4. “Persistent messages: sticky broadcasts”. Android has the capability to send broadcast intents to applications (more specifically, to components of applications that are set up to receive broadcast intents). There are some issues with this. The first issue is that any application registered to receive broadcast intents will get all broadcast intents; there’s no way to restrict broadcast intents to specific receivers. It is also possible to create “sticky” intents, which hang around after they are delivered, and are even rebroadcast to new receivers that are enabled in the future. And with the proper permissions, a malicious application can also remove “sticky” intents, possibly before they are received by the intended recipients.
  5. Insecure storage. Files on the SD card can be read by the entire world. Files created by an application (which might contain things like, oh, I don’t know, passwords?) persist even after the application is deleted, and can be accessed by other, possibly malicious, applications.
  6. Insecure communications. Basically, developers need to get into the habit of acting like their mobile applications are web applications, and use similar best practices; don’t send passwords in cleartext, for example.
  7. Overprivileged applications. Developers have a tendency to request more permissions than their app really needs. For example, an application that just displays images doesn’t need the “camera” permission; only an application that actually uses the camera to collect images needs that permission. One of the interesting facts that came out of this portion of the presentation was how Android’s developer documentation handles explaining permissions and what they represent. Quoting the presenters: “Android 2.2 documents permission requirements for only 78 out of 1207 API calls. 6 out of 78 are incorrect. 1 of the documented permissions does not exist.”

(Edited to add 8/10/2011: I’ve added a link to the final version of this presentation.)

“Build your own Synthetic Aperture Radar”: So this wasn’t as dangerous as I expected (the radar is low-power) and it wasn’t quite as awesome as I expected. But this was a decent presentation on radar technology, starting with an overview of basics and proceeding onwards to discussion of a homebrew radar system.

One minor problem with this presentation was that the presenter (Michael Scarito) had converted his system to use a custom-built data acquisition board (previous versions used a sound card and MATLAB) and didn’t have build documentation for that board prepared yet. However, much of Mr. Scarito’s work is based on other work done at MIT. The slides for the talk are not currently online, as far as I know, but here’s a link to a MIT Open Courseware presentation that gives exact, step-by-step detail, parts lists, and other resources for a very similar project (cited by Mr. Scarito in his presentation).

Wireless Aerial Surveillance Platform”: UAVs are fun. UAVs that have onboard computing power to crack WEP encryption are more fun. UAVs that add the ability to spoof cellular base stations are even more fun. UAVs that have the ability to communicate with a remote server and offload heavier computational tasks (like attacking WPA) are perhaps the most fun of all. Note: the link above doesn’t go to slides, but to the build blog maintained by the two presenters (Mike Tassey and Rich Perkins). The build blog provides a lot more detail than the presentation, and includes resource links. Very well done, gentlemen.

“SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas”: Borepatch posted a few days ago about a presentation at Black Hat on SCADA vulnerabilities. You could consider this the other shoe dropping.

Summary: many prisons and jails depend on programmable logic controllers (PLCs) to do things like unlock and unlock cell doors. Usually, these PLCs are all controlled from a central control center, so all you have to do, once you find a PLC vulnerability to exploit, is to get your exploit code into the central control center.

“But they aren’t connected to the Internet, right?” Sometimes they are: the systems need to get updates, or send information to other systems, or communicate with other people (food service vendors, for example). Sometimes the systems aren’t connected to the Internet, but other systems they connect to are. (The presenters cited one example where someone was able to upload arbitrary files to the wireless system on a patrol car, and from their to a central jail control system.) Someone could carry an exploit in on a USB drive.

“But the people who run these systems don’t go out to arbitrary sites, right?” The presenters cited examples, from their personal experience, of correctional institution employees watching videos on the Internet, checking GMail accounts, etc. Friend the right correctional institution employee on Facebook…

“But they couldn’t do anything bad, right? I mean, if they open the cell door, the control panel shows it, and won’t the guards catch them?” As for the guards catching them, I remember a story from Pete Earley’s book The Hot House: Life Inside Leavenworth Prison about an inmate who got hold of some clothes and a clipboard: he walked completely out of Leavenworth posing as a prison inspector. As for the control panel showing it, the presenters demonstrated an exploit that allowed a PLC controlled switch (think a door latch) to be open, while the PLC control software thought the switch was closed. (Video of this exploit is supposed to be on YouTube, but I can’t find it right now.) And opening jail doors isn’t the only thing you could do; you could also disrupt prison operations by trying to open all the doors at once. This would cause a massive power surge, and possibly destroy the system. (Generally, the doors open in a “phased” fashion, so you’re not trying to draw that much power at one time.) Or you could force the doors locked. Imagine the Mexican Mafia subverting a prison PLC system so they can force all the door locks for cells belonging to Aryan Brotherhood members closed at once. A squirt of rubbing alcohol or some other volatile liquid into each cell, toss in a match…

(“Christ, what an imagination I’ve got.” Spot the reference, win a cheese.)

(Edited to add 8/10/2011: I’ve added a link to a white paper by the presenters that pretty well summarizes their presentation and findings.)

That concludes my DEFCON 19 roundup. As more of the presentations get online, I’ll be adding links to them, and there will probably be one or two update posts. If you attended a panel I missed at DEFCON 19, and think it is worth linking to, please feel free to mention it in the comments. Responses from presenters are also welcome, especially if I mis-represented or misunderstood a point.

DEFCON 19 notes: day 3 coming soon.

Monday, August 8th, 2011

Closing ceremonies ran a little long last night, and I went to bed pretty much immediately after they ended. I seem to be coming down with a cold or allergies or some sort of creeping DEFCON crud.

Please bear with me; I’m about to check out and leave for the airport, but I’ll have the notes for the last day up as soon as I possibly can.

DEFCON 19 notes: day 2.

Sunday, August 7th, 2011

What the well-dressed gun blogger is wearing at DEFCON 19:

Thanks, Sean!

“Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes“: Confession time. I didn’t just watch this panel, I actually volunteered for part of it. I don’t think that compromised  my objectivity, but better to be up front about it.

Deviant Ollam’s presentation concentrated on the smaller handgun safes, specifically the GunVault Microvault MV500, the BioBox, and the LokSAF PBS-001. Summarizing:

  • All of these safes have some sort of keypad or biometric locking system, with a keyed tubular lock as an override.
  • The Microvault and BioBox tubular locks were easy to pick with a tubular picking tool; the Microvault was a little more difficult to pick, while the BioBox basically flew open instantly. The LokSAF tubular lock was much more difficult to pick; Ollam himself hadn’t been able to pick it, but an audience volunteer managed to pick the LokSAF lock during the presentation. (Nobody had tried the Bic pen exploit on these locks.)
  • Using a long thin object, like a straightened paper clip or a lock pick, it is possible to compromise the BioBox from outside without unlocking it; basically, you can fool the BioBox sensors into thinking the device is open, which puts it into a mode that allows you to reprogram the BioBox sensor and open the safe.
  • Ollam and company were able to fool the fingerprint reader on the LokSAF, but it took some work. The basic method is to take an impression of the finger using dental alginate, then use a rubber molding compound (readily available at hobby shops) to take a cast of the impression. That cast can be substituted for a finger and used to open the LokSAF. Part of the panel was going to be a live demonstration of this using fingerprints from audience volunteers (of which your obedient servant was one); however, it took much longer than expected for the molding compound to set up, and that demo was pushed out until much later. Ollam did have video of this exploit working, though. There are some obvious questions, such as: how practical is this if you have to get a finger impression in dental alginate first? Answer: it may be possible to extend this exploit to use just a standard fingerprint, and watch for that presentation next year.

“DIY Non-Destructive Entry“: I missed this and “Battery Firmware Hacking” because I was still caught up in stuff from the gun safes panel. Sorry.

“Smile for the Grenade! ‘Camera Go Bang!’“: Nice guys, good presenters, total failure. The basic idea was to build a clone of military throwable/launchable video camera systems, using off-the-shelf parts (including the perfectly legal and not a destructive device at all 37mm grenade launcher) at a fraction of the cost. This looks like it could be a promising project, but the presenters only started working on it three months before the con, and only did their first test run the weekend before DEFCON. It didn’t go well; the powder they used to load their grenades was apparently defective, and they got no video. While it is interesting to see how small (and cheap!) wireless video cameras have gotten ($20 for the cameras they used, and $80 for the receiver), this is a presentation that should have been shelved for a future DEFCON.

“This is REALLY not the droid you’re looking for…”: From those wonderful folks who brought you Android rootkits, yet another Android exploit. Summary: because of Android’s design, and Google’s lack of strict enforcement of their user interface guidelines, it is possible to build an app that:

  • runs in the background as an Android service.
  • uses APIs from other applications to display login screens from those apps.
  • captures credentials the user enters into those login screens.
  • forwards the captured information to…say, a server in China.
  • override the normal behavior of the “back” button, so the user doesn’t suspect there is a problem.
  • and, because Android doesn’t have a standard “switching apps” visual animation, the user further doesn’t suspect there’s a problem.

This is a very high level summary; the authors went into much more detail about how to build this kind of application in their talk. And it’s not really easy to fix the problems that enable an application of this sort without changing both the Android OS and the way Google/the Android Market does things.

DEFCON 19 notes: day 1.

Saturday, August 6th, 2011

“Welcome and the Making of the DEF CON 19 Badge”: didn’t bother going. I don’t care much about the making of this year’s badge.

“WTF Happened to the Constitution?”: perfectly fine talk. Except for some of the case law theprez98 referenced, pretty much everything he covered was already familiar to me from “The Agitator” and “Hit and Run”. That’s not his fault, though, and I’m sure a lot of what he covered was new to the rest of the audience. I was also previously unaware of The Assault on Privacy, and will have to add that to my blogroll.

“From Printer To Pwnd”: This was a fun little talk, covering multi-function printers and the vulnerabilities they introduce into networks. Basically, people get sloppy with these devices and fail to do things like change default passwords; also, many of these devices have bugs in the embedded firmware. The presenter, Deral Heiland, demonstrated some interesting attack vectors: “malformed” URLs which allow you to bypass authentication on certain devices, “information leakage” attacks which allow you to get useful information (like passwords) out of the web admin pages, “forced browsing” attacks which allow you to grab device address books (which may also contain passwords), and “passback attacks” which trick the device into communicating with an attacker (for example, using LDAP configuration script testing). All of this culminated in the release of Praeda, an automated toolkit for attacking multi-function devices. The latest version can be found here: I don’t have a link to the slides, but will add one when I do.

“Black Ops of TCP/IP 2011“: You know how people talk about wanting the old funny Woody Allen back? This was the old funny Dan Kaminsky back; the guy who does deep arcane magic with TCP/IP packets and DNS.

His talk broke down roughly into three parts:

  1. Bitcoin. Short summary: Bitcoin is remarkably secure (“there are entire classes of bugs that are missing”) but it isn’t anonymous, and doesn’t scale well. Kaminsky found a way to basically build a file system on top of BitCoin (BitCoinFS) and also outlines ways of breaking BitCoin anonymity. In the process, Kaminsky also outlined a serious flaw with the Universal Plug and Play (UPNP) protocol used by many wireless routers.
  2. IP spoofing. Kaminsky was running a little behind (it took a while to fill the Penn and Teller theater) and was speeding through this portion of his talk. Rather than attempting to give detailed summaries of how all this stuff works at the low TCP/IP level, I’ll suggest you check out the slides.
  3. Net neutrality. Kaminsky’s developed two tools: N00ter and Roto-N00ter, designed to detect ISPs playing silly buggers with packets (for example, giving preference to packets destined for Bing over packets destined for Google).

“And That’s How I Lost My Eye“: the funniest panel I went to today. Deviant Ollam, Bruce Potter, and Shane Lawson wanted to see if it was possible to destroy a hard drive in less than 60 seconds such that the data was unrecoverable, without setting off alarms or damaging any nearby humans, and without spending a lot of money on something like the SEMShred.

Ollam took the explosives/incendiary part of the equation. His results can be summarized as: it might be possible to use explosives, especially the popular “boomerite” type explosives used in exploding targets, to destroy a hard drive. But playing around with explosives, especially when you’re activating them electronically, is a good way to attract the attention of unpleasant people with badges. Apparently, those same people have no problems with explosives triggered by a rifle bullet, so if you want to affix an M1A above your server with a ton of “boomerite” below, go ahead…

Chemical methods didn’t work out very well either. Cobalt isn’t highly reactive, and the type of acids that can quickly dissolve a hard drive platter aren’t easily available at Home Depot and don’t play well with people and other living things. There were a lot of slides of vats of acid doing nothing to hard drive platters.

It’s also hard to destroy a drive physically. Hole saws, spade bits, and grinders did nothing.

The presenters did discover that a combination of a salt solution and electricity could strip the plating off of ceramic platter drives. But that didn’t work on aluminum platter drives.

What finally did work was fire. Propane and MAPP gas (which you can’t get in the US any more) will melt aluminum, but it’s hard to apply those to a spinning drive and have it melt; the spinning drive tends to dissipate heat. The presenters were working on an automated solution involving a glow plug, propane, and an Arduno, but ran out of time before they could finish that project.

However, you don’t have to melt a drive to render it unreadable; you only have to heat it to the Curie point. That’s not quite as spectacular as a spinning drive throwing off chunks of molten aluminum, but it will work. (However, if I understand Wikipedia right, the Curie point of colbalt is 1100 degrees C, and the melting point of aluminum is 660 degrees C. So I’m not sure what that buys you.) I wonder:

  • Could you come up with some sort of inductive heating method for hard drives?
  • I also wonder, thinking about Deviant Ollam’s approach, what would happen if you fired a nail gun loaded with the right kind of nails into a spinning hard drive at close range? I wonder if Snoop ever tried that. (I also wonder if a nail gun at close range would trigger “boomerite”.)

“Key Impressioning“: I can’t give this panel a fair evaluation. In brief, impressioning consists of sticking a blank key into a lock, moving the blank up and down, removing it, noting where the lock pins hit the key, filing down the contact points, and repeating the process until all the pins reach the proper depth and you have a working key. The presenter gave a live demo of this process, and was impressively quick at it.

The problems I had with this panel were:

  • the camera that was set up for the demo did a poor job of showing the actual process.
  • the sound was off for over half the panel. Combined with tbe presenter’s accent, that left me able to make out about one out of every four words he said. I’m sure he’s an okay guy; I just couldn’t see what he was doing, or hear much of what he said.

0 day DEFCON 19 (and related random) notes

Thursday, August 4th, 2011

So far, things have been relatively smooth. Just a few minor problems; I left a couple of things behind in Austin, but nothing that I can’t make do without.

There have been a couple of slightly unpleasant surprises. I discovered yesterday that one of my other favorite restaurants in Las Vegas, the Tillerman, abruptly closed in February. Google turned up this account of events from the Las Vegas Weekly: there’s a lot I disagree with in it (the neighborhood doesn’t strike me as being particularly sketchy, for example) but it is the best account I’ve been able to find.

I do have a badge, and I only had to wait in line two hours to get it. The other slightly unpleasant surprise, though, was that DEFCON decided that electronic badges are “passé”: this year’s badges are inert hunks of titanium, tied in with some sort of “puzzle based reality game”. (Joe Grand’s big enough to take care of himself, but the reference to “gameboy on a string” in the DEFCON program seems to me to be a nasty, though perhaps unintended, slap.)

Last night, I decided to try a place I’ve been driving past and thinking of trying since…oh, about 2000 or so. Yes, I know they’re a chain, but have you ever been to a Lawry’s The Prime Rib? Did you even know Lawry’s had restaurants, or were you just familiar with their seasoning salt? (There’s four Prime Ribs in the US: Vegas, Chicago, Beverly Hills, and Dallas.)

Having finally crossed that off my list, I have to say I’m glad I went. The Prime Rib’s an interesting place; the decor (at least in Vegas) reminds me of photos I’ve seen of Chasen’s and other old star hangouts in Los Angeles. And the whole experience has a certain…theatricality to it that’s missing from pretty every restaurant in existence today. Your waiter preps your salad in a spinning salad bowl at the table. When you’re ready for your meal, a carver comes by with a massive polished steel cart and cuts your prime rib off of what must be at least half a cow right in front of you. Plus there’s mashed potatoes and honest-to-Ghu Yorkshire pudding served with it. I think my late stepfather would have loved this place. He was a big prime rib fan, but I think he also would have gotten a kick out of the whole sort of…vintage experience, is the best way I can think of to describe it.

I’ve never really thought of Las Vegas as a bookish town, but Lawrence tipped me off to two vintage bookstores that I visited today. I heartily endorse both of them, and strongly recommend that you visit both. Doing so is pretty easy, as they’re basically right across the street from each other.

I’m sorry I didn’t catch the name of the gentleman who runs Greyhound’s Books, but he came across to me as someone who’s very much worth knowing. I wouldn’t describe him as “kind”, as I so often describe others; he seems intolerant of the rude, the willfully ignorant who wish to remain so, and others who would waste his time. (While I was there, he literally chased one person out of the store for using a cell phone.) But for the serious and polite book shopper, this store is a delight. He seems to be very strong on mystery, military history, and history in general. His food and cooking selection also seemed strong to me; he had the only copy of Cross Creek Cookery I’ve seen in probably five years of searching. (The owner also writes, along with other folks, at Books of Worth, an entertaining site I was previously unaware of.)

I didn’t want to press for details (I’m not sure it is any of my damn business) but Amber Unicorn Books appears to be related in some way to Greyhound’s Books. I didn’t have as much interaction with the owners there as I did with the Greyhound’s Books owner, but they certainly seemed like very nice folks. Amber Unicorn appears to be stronger in paperbacks, especially genre paperbacks, but also has a good stock of history, mystery, and law/true crime.

One thing that really struck me about both stores; the folks at both knocked 10% off the total of my purchases for no apparent reason, other than (I guess) I was reasonably polite and didn’t use my cellphone or urinate on their rugs. They didn’t have to do that, and it was very much appreciated.

(And it helped, especially at Amber Unicorn. They had a copy of Skeeter Skelton’s Good Friends, Good Guns, Good Whisky, a book I didn’t even know existed until today. I’ve written before about the gun writers I read growing up; I remember Skelton’s stories with great fondness. Especially the one reprinted in this volume about Dobe Grant and his crate full of Colt Single Action Army parts. When I read that for the first time, man, I wanted a vintage Single Action Army. Still do, come to think of it. I don’t want to say what I paid for that book; let’s just say “Nostalgia is a moron” and leave it at that.)

If you’re a serious book person, you have to visit both of these stores if you’re ever in Las Vegas.

-2 Day DEFCON notes

Tuesday, August 2nd, 2011

Lawrence pointed out that I hadn’t trolled the crowd for panel suggestions yet, and the schedule is up. Here’s the stuff I’m tentatively planning to see.

I’m open to requests, but I won’t make promises.

All apologies.

Wednesday, July 27th, 2011

I feel bad about this, especially since some folks like South Texas Pistolero apparently think I’m worth reading. (Thank you, sir.) But there’s just not a lot going on right now that’s worth blogging about. I blame the heat. And the vertical integration of the broiler industry.

I guess I could point to yet another reason to carry your damn guns, people!

Or yet another example of the police being indistinguishable from armed thugs.

Or I could put up a nifty photo of myself in one of Sean Sorrentino’s “Project Gunwalker” shirts, which he’s reopened orders for (and which you can now get with a pocket, even) but I haven’t picked up mine from the PO Box yet.

I could also ask what kind of fascist country we’re living in, when a judge expresses doubts about the credibility of an accused murderer.

I suppose I could also ask if it’s actually legal for mariachi bands to collude over the fees they charge; doesn’t that strike folks as being a violation of anti-trust law?

I’ve got a post I’m working on about the egg roll problem, but I’m still doing research on that.

The good news is, we’re only a week away from DEFCON 19, which I do plan on blogging. In that vein, if anyone has recommendations for places to eat in Las Vegas, please drop me an email or leave them in the comments. A trip to Lotus of Siam is required, of course, but I’m looking for something to eat on the other four nights I’ll be there.

Edited to add: Hey, while I’m thinking of it, I do want to point folks to this discussion at Battleswarm. I haven’t had a lot to say about Breivik, mostly because other smarter bloggers are saying it all. But for some reason I’m awfully darn curious about his weaponry; I think maybe because the gun in that photo is so blinged up I wouldn’t be shocked to find out that it’s identical to the ones carried by Food Court Team Six.