Archive for the ‘DEFCON’ Category

DEFCON 25 update: August 3, 2017.

Thursday, August 3rd, 2017

Mike the Musicologist tipped me off to this:

Marcus Hutchins, the guy who was in the news earlier this year for defusing the WCry malware, was detained in Las Vegas after DEFCON.

This is still an evolving story, but what I’ve seen from reliable sources (and CNN) is that Hutchins is under federal indictment and charged with creating another piece of malware: Kronos, described as a “banking Trojan”.

The best coverage I’ve seen of this so far is from TechDirt and ArsTechnica. I would keep an eye on those two sites for updates, as this story is still evolving.

DEFCON 25 updates: July 31, 2017.

Monday, July 31st, 2017

Things are going to be a little busy this week, but I do plan to keep an eye out for updates. In the meantime, please enjoy this latest set:

  • TJ Horner has a nice blog post up about his experiences hacking voting machines in DEFCON 25’s “Voting Village”.
  • “The Adventures of AV and the Leaky Sandbox” (Itzik Kotler and Amit Klein) didn’t catch my attention the first time around, but the abstract sounds intriguing: “In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises whose endpoints have no direct Internet connection, or whose endpoints’ connection to the Internet is restricted to hosts used by their legitimately installed software. Assuming the endpoint has a cloud-enhanced antivirus product installed, we show that if the anti-virus product employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration.” Slides. White paper. GitHub repo.
  • GitHub repo (including slides and white paper) for the Marc Newlin/Logan Lamb/Chris Grayson presentation, “CableTap: Wirelessly Tapping Your Home Network”.
  • Here’s some stuff from “Tracking Spies in the Skies” (Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy): North Star Post summary of their presentation. GitHub repo.
  • Slides from the David Robinson talk, “Using GPS Spoofing to control time”, are here. Slides contain links to code, per Mr. Robinson. I’ve only had a chance to take a quick look at this, but I’m fascinated.

DEFCON 25 updates: July 29, 2017.

Saturday, July 29th, 2017

Third round. I’m not proud. Or tired.

DEFCON 25/Black Hat updates: July 28, 2017.

Friday, July 28th, 2017

Round 2:

  • The white paper for “Free-Fall: Hacking Tesla from Wireless to CAN Bus” (Ling Liu, Sen Nie, Yuefeng Du) is here. Slides here.
  • Slides for “Exploiting Network Printers” (Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk) are here.
  • Found slides for “Breaking Electronic Door Locks Like You’re on CSI: Cyber” here. (I called this one wrong: no Bluetooth. Not a complaint, just an observation.)
  • This is one that I saw, overlooked, and now am intrigued by: “All Your SMS & Contacts Belong to ADUPS & Others“. “Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China – without disclosure or the users’ consent.” Slides. White paper.
  • Slides for Vlad Gostomelsky’s “Hunting GPS Jammers”. I think this is one that really needs video, too.
  • “Intercepting iCloud Keychain” (Alex Radocea) slides.
  • And “The Future of ApplePwn – How to Save Your Money” (Timur Yunusov) slides.
  • And (hattip to Mr. Yunusov) “Jailbreaking Apple Watch” (Max Bazaliy). I haven’t compared these slides to the onea on the presentations server, just FYI.

Okay, lunch time is almost over, and I feel like I’ve done enough damage to the security community today. I’ll try to have more updates later today or tonight.

DEFCON 25/Black Hat updates: July 27, 2017.

Thursday, July 27th, 2017

Round 1:

Edited to add more:

  • Karla Burnett’s “Ichthyology: Phishing as a Science” is actually relevant to my professional life. White paper.
  • Slides and the white paper for “Hacking Hardware with a $10 SD Card Reader” (Amir Etemadieh, CJ Heres, and Khoa Hoang) are here.

Here’s your hat.

Wednesday, July 26th, 2017

Black Hat 2017 is just getting started.

There’s some overlap with DEFCON 25. For example, hacking wind farm control networks and the SHA-1 hash talk are on both schedules. But there are also a few things unique to the Black Hat 2017 schedule:

The same rules for the DEFCON post apply here: if you’re a presenter who wants some love, or if you want me to follow a specific talk, leave a comment.

DEFCON 25: 0 day notes.

Tuesday, July 25th, 2017

I’m not going again this year. Maybe next year, if things hold together. But if I were going, what on the schedule excites me? What would I go to if I were there?

Thursday: neither of the 10:00 panels really grab me. At 11:00, maybe “From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices” but I’m at best 50/50 on that. At 12:00, I feel like I have to hit the “Jailbreaking Apple Watch” talk. “Amateur Digital Archeology” at 13:00 sounds mildly interesting.

Not really exited by anything at 14:00. At 15:00, I suspect I would end up at “Real-time RFID Cloning in the Field” and “Exploiting 0ld Mag-stripe information with New technology“. And 16:00 is probably when I’d check out the dealer’s room again, or start getting ready for an earlyish dinner.

Friday: 10:00 is sort of a toss-up. THE Garry Kasparov is giving a talk on
The Brain’s Last Stand” and as you know, Bob, chess is one of my interests. On the other hand, there’s also two Mac specific talks, and Kasparov’s talk is probably going to be packed: I suspect I’d hit “macOS/iOS Kernel Debugging and Heap Feng Shui” followed by “Hacking travel routers like it’s 1999” (because I’m all about router hacking, babe). Nothing grabs me at 11:00, but I do want to see “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” at 12:00:

By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe.

13:00: “Controlling IoT devices with crafted radio signals“, and “Using GPS Spoofing to control time” at 14:00. (I do want to give a shout-out to the Elie Bursztein talk, “How we created the first SHA-1 collision and what it means for hash security“, though.)

Do I want to go to “Phone system testing and other fun tricks” at 15:00? Or do I want to take a break before “Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods“:

As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

And then at 17:00, “Cisco Catalyst Exploitation” is relevant to my interests. However, I don’t want to dismiss “The Internet Already Knows I’m Pregnant“:

…EFF and Journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications as well as some notable security flaws as well as a couple of interesting security features.

Saturday: Nothing at 10:00. At 10:30, maybe “Breaking Wind: Adventures in Hacking Wind Farm Control Networks” because why not?

I have to give another shout-out to “If You Give a Mouse a Microchip… It will execute a payload and cheat at your high-stakes video game tournament” but I’m personally more interested in “Secure Tokin’ and Doobiekeys: How to Roll Your Own Counterfeit Hardware Security Devices” at 11:00. (“All Your Things Are Belong To Us” sounds pretty cool, too, but I’d probably wait for the notes/repos/etc. to be released rather than attending in person.)

Oddly, there’s really nothing that grabs me between 12:00 and 15:00. At 15:00, “Tracking Spies in the Skies” mildly intrigues me (mostly for the ADS-B aspect), while at 16:00 I’m really excited by “CableTap: Wirelessly Tapping Your Home Network” (more home router hacking! Hurrah!)

At 17:00:

In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

You have my attention.

(Related article from Wired. Presenter’s Twitter feed.)

Sunday: “I Know What You Are by the Smell of Your Wifi“, followed a little later by “Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years“.

Weirdly, after that, there’s nothing that interests me until the closing ceremonies at 16:00. (Though I might go to “Man in the NFC” if I was there.)

This seems like a very low-key year, and I’m not sure why. I don’t see any Bluetooth related stuff, and very little lock related. Perhaps I should be glad I’m skipping this year.

Anyway, you guys know the drill: if you see a talk you’re interested in, leave a comment and I’ll try to run it down. If you’re a presenter who wants to promote your talk, leave a comment and I’ll try to give you some love.

Curses!

Tuesday, July 25th, 2017

DEFCON 25 is this week, and it snuck up on me. I was expecting it to start next week.

I guess this means I have to get the schedule analysis up in a hurry. I think I can get it done by Wednesday night; or at least get the Thursday/Friday parts of it up, and Saturday/Sunday up by Thursday night.

Is there anything that leaps out at me from a quick once-over? No “hippie, please!” panels that I noticed this year. Also no badge contest or mystery challenge.

(Also, I’m reorging the DEFCON tags. I think this should be transparent to everyone.)

Actually, they can read your poker face.

Wednesday, October 26th, 2016

Or at least your cards.

This is a presentation that I overlooked from DEFCON 24, but the authors have now been blogging.

For somewhere between $1,300 and $5,000, you can buy a device that helps you cheat at poker.

The technology is quite interesting. It isn’t just “disguised” as a phone: the device is actually a fully functional Android phone, with a custom ROM and app that controls the cheating portion.

Ironically, there is a hardcoded backdoor password in the app, which makes this security measure pointless if you know the backdoor password.

How does it work? Hidden camera, concealed infrared LEDs, and…

What makes the whole thing work is the use of a special deck in which the four edges of each card are marked with IR-absorbing ink. As a result, when this marked deck is illuminated by the IR LEDs, the spots of ink absorb the IR, creating a sequence of black spots…
The sequence of black spots created by the IR illumination, illustrated in the photo above, is read remotely by the cheating device to infer a card’s suit and value. You can think of those markings as invisible barcodes.

So yes, you do need to slip in a marked deck. But the people who will sell you the phone will also sell you pre-marked decks, which are designed to look like they haven’t been messed with. And apparently the phone will pair with Bluetooth based audio and haptic feedback devices, so you don’t even have to be looking at the display.

And yes, because it is based on marked cards, it will work with card games other than poker, too. (High-end bridge cheating? Chris Christie, call your office, please. Sorry, little joke there.)

The post that’s up now is just the first one in a promised series: I’ll try to link to the other ones as they go up.

DEFCON 24 updates: August 11, 2016.

Thursday, August 11th, 2016

“SITCH – Inexpensive, Coordinated GSM Anomaly Detection” doesn’t just have slides up. Or a whitepaper.

It has an entire freaking website. Which does include, yes, slides and whitepaper. (Thanks to SecBarbie on Twitter for this.)

Slides for the Tamas Szakaly “Help, I’ve got ANTs!!!” talk are here. And his GitHub repo is here.

Good stuff is going up on the Black Hat 2016 briefings site, too. I haven’t had a chance to go through all of the abstracts yet, but my current favorite is: “Does Dropping USB Drives In Parking Lots And Other Places Really Work?”. Slides here, code here, blog post here, no spoilers here.

DEFCON 24 updates: August 8, 2016.

Monday, August 8th, 2016

More on Blue Hydra.

Sunday, August 7th, 2016

Earlier, I wrote “It runs! It works! Mostly. Kind of.”

I’ve been banging on Blue Hydra in my spare time since Thursday, and I stand by that statement. Here’s what I’ve run into so far.

The README is pretty clear, and I didn’t have any problems installing the required packages. (I don’t have an Ubertooth, so I skipped that one. We’ll come back to the Ubertooth later.)

First problem, which was actually very tiny: I know next to nothing about Ruby, other than that cartoon foxes are somehow involved, so the phrase “With ruby installed add the bundler gem” was more like “I don’t speak your crazy moon language”. Google cleared that up pretty quickly: the magic words are gem install bundler.

Next problem: running bundle install resulted in an error stating that it couldn’t find the Ruby header files. It turns out that, while my Ubuntu installation had Ruby 2.1 installed, it didn’t have the ruby-dev package installed. sudo apt-get install ruby-dev fixed that issue.

Next problem: the SQLIte Ruby gem failed to install when I ran bundle install. It turns out that I also needed the sqlite3-dev package as well. And with that installed, the bundle built, and I could do ./bin/blue_hydra.

Which gave an error stating that it didn’t have permissions to open a handle for write. Okay, let’s try sudo ./bin/blue_hydra (because I always run code from strangers as root on my machine; everyone knows strangers have the best candy). And that actually worked: Blue Hydra launched and ran just fine. In fairness, this may be a configuration issue on my machine, and not an issue with the software itself.

In playing with it, I’ve found that it does what it claims to do. Sort of. It’s been able to detect devices in my small lab environment with Bluetooth discovery turned off, which is impressive. I also like the fact that it stores data into an SQLite database; other Bluetooth scanning tools I’ve played with didn’t do that.

However, it seems to take a while to detect my iPhone; in some instances, it doesn’t detect it at all until I go into Settings->Bluetooth. Once I’m in the Bluetooth settings, even if I don’t make a change, Blue Hydra seems to pick up the iPhone. Blue Hydra also has totally failed to detect another smart phone in my small lab environment (and I have verified that Bluetooth was both on and set to discoverable.)

Now, to be fair, there may be some other things going on:

  • I’ve also observed previously that Bluetooth under Ubuntu 15.10 didn’t work very well. At all. So at one point on Saturday, just for giggles, I upgraded Project e to Ubuntu 16.01.1 LTS. And shockingly (at least for me) Bluetooth works much much better. As in, I can actually pair my phone with Ubuntu and do other Bluetooth related stuff that didn’t work with 15.10. That seems to have mitigated the discovery issues I was seeing with Blue Hydra a little, but not as much as I would have liked. (Edited to add 8/8: Forgot to mention: after I upgraded, I did have to rerun bundle install to get Blue Hydra working again. But the second time, it ran without incident or error, and Blue Hydra worked immediately aftewards (though it still required root).)
  • I was using the Asus built-in Bluetooth adapter in my testing. Also just for giggles, I switched Blue Hydra to use an external USB adapter as well. That didn’t seem to make a difference.
  • In fairness, Blue Hydra may be designed to work best with an Ubertooth One. The temptation is great to pick one of those up. It is also tempting to pick up a BCM20702A0 based external adapter (like this one) partly to see if that works better, partly because I don’t have a Bluetooth LE compatible adapter (and this one is cheap) and partly because the Bluetooth lock stuff is based on that adapter. (Edited to add 8/8: I’m also tempted by this Sena UD100 adapter. It is a little more expensive, but also high power and has a SMA antenna connector. That could be useful.)
  • It may also be that I have an unreasonable expectation. Project e is seven years old at this point, and, while it still runs Ubuntu reasonably well, I do feel some slowness. Also, I think the battery life is slipping, and I’m not sure if replacements are available. I’ve been thinking off and on about replacing it with something gently used from Discount Electronics: something like a Core i5 or Core i7 machine with USB3 and a GPU that will work with hashcat. Maybe. We’ll see. Point is, some of my issues may just be “limits of old hardware” rather than bugs.
  • And who knows? There may very well be some bugs that get fixed after DEFCON.

tl, dr: Blue Hydra is nice, but I’m not yet convinced it is the second coming of Christ that I’ve been waiting for.