Archive for the ‘DEFCON’ Category
More Black Hat/DEFCON 26 updates.
Wednesday, August 15th, 2018
- Slides for “A Dive in to Hyper-V Architecture & Vulnerabilities” with Joe Bialek and Nicolas Joly can be found here. (The link on the Black Hat site is still borked.)
- This isn’t an actual DEFCON 26 presentation, but it’s referenced in Vincent Tan’s “Hacking BLE Bicycle Locks for Fun and a Small Profit”, and I want to bookmark it for later: “Blue Picking: Hacking Bluetooth Smart Locks” by Slawomir Jasek.
- Slides for “Ring 0/-2 Rootkits: Compromising Defenses” with Alexandre Borges are here.
- Also not a DEFCON presentation, but picked up by way of an Ars Technica story: “Fear the Reaper: Characterization and Fast Detection of Card Skimmers” by Nolen Scaife, Christian Peeters, and Patrick Traynor. In which the authors analyze a bunch of skimmers confiscated by NYPD…and then build a device that can detect skimmers, based on nothing more than the physical properties of how card readers work. Quote of the day: “Security solutions requiring significant behavioral changes are unlikely to be successful.”
- Content for “All your math are belong to us” with sghctoma is here: slides, white paper, and exploit code.
DEFCON 26/Black Hat updates: August 14, 2018.
Tuesday, August 14th, 2018
I apologize that I wasn’t able to post more coverage over the weekend: as I expected, it turned out to be fun, but packed.
I intended to post this yesterday, but I wasn’t able to find many updates on my lunch hour. Then I got stuck in a gumption trap late in the day at work, and basically came home and collapsed.
In retrospect, that was better, because this story broke late in the afternoon: Caesars Palace security was (in the opinion of at least some DEFCON attendees) a little too aggressive about searching rooms. More from Defiant, a company that was at DEFCON. Statement from Marc Rogers.
Also: badge related coverage if you care. Personally, I don’t need a stinking badge.
Black Hat updates:
- Putting this here for my IBM mainframe friend: “Mainframe [z/OS] Reverse Engineering and Exploit Development” by Chad Rikansrud.
DEFCON 26 updates:
- Haven’t found slides yet, but reference material for “Building Absurd Christmas Light Shows” with Rob Joyce is here.
- Also no slides that I’ve found for “You’d better secure your BLE devices or we’ll kick your butts!” with Damien Cauquil. But: his Twitter feed has an interesting link to “Exploiting BLE Smart Bulb Security using BtleJuice: A Step-by-Step Guide”, a blog post by Vaibhav Bedi (I think). What’s interesting about this post is that it covers the whole process of installing and configuring BtleJuice, “a framework to perform MiTM attacks on BLE devices”. Also: GitHub repo for Btlejack, “everything you need to sniff, jam and hijack Bluetooth Low Energy devices”.
- I’m excited about this one, though I haven’t had time to go through all of it yet: “Ridealong Adventures—Critical Issues with Police Body Cameras” by Josh Mitchell. Slides. five_oh_noes, a body camera scanner. More body camera related stuff.
- GitHub repo for “Breaking Smart Speakers: We are Listening to You” with Wu HuiYu and Qian Wenxiang. At the moment, this includes the presentation slides and Amazon Echo exploit code.
DEFCON/Black Hat updates: round 2.
Thursday, August 9th, 2018
Another Ars story based on another Black Hat panel:
The presentation in question is “Understanding and Exploiting Implanted Medical Devices” by Billy Rios and Jonathan Butts. No slides or white paper yet, so I don’t want to comment very much. But: I do also want to point out this article, “The $250 Biohack That’s Revolutionizing Life With Diabetes”. Why? Well…
Some additional interesting looking work:
- “TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever” by Andrea Carcano, Marina Krotofil, and Younes Dragoni. “In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives.” Slides. White paper.
- “There will be Glitches: Extracting and Analyzing Automotive Firmware Efficiently” by a whole bunch of people.
- And it just wouldn’t be a security conference in 2018 without a Tesla attack: “Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars” by Ling Liu, Sen Nie, Wenkai Zhang, and Yuefeng Du. White paper is at the link: slides are broken.
That’s all I’ve been able to turn up today. More tomorrow, I hope.
Black Hat 2018/DEFCON 26 0 day updates.
Thursday, August 9th, 2018
Some of yesterday’s Black Hat presentations:
- “Stress and Hacking: Understanding Cognitive Stress in Tactical Cyber Ops” by Celeste Paul and Josiah Dykstra.
- “Reversing a Japanese Wireless SD Card – From Zero to Code Execution” by Guillaume Valadon. And here’s the GitHub repo.
- “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” by Christian Dameff and Jay Radcliffe.
- “Open Sesame: Picking Locks with Cortana”. “Exploiting the ‘Open Sesame’ vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges.”
Some others that I didn’t get to the first time around:
- “Software Attacks on Hardware Wallets” by Alyssa Milburn and Sergei Volokitin. “…we show how software attacks can be used to break in the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker.” Slides. White paper.
- “Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers” with a whole big bunch of folks. “…we show that it is possible to recover the original leaked signal over large distances on the radio. As a result, variations of known side-channel analysis techniques can be applied, effectively allowing us to retrieve the encryption key by just listening on the air with a software defined radio (SDR).” Slides. White paper.
Ars Technica has a story up in advance of Justin Shattuck’s “Snooping on Cellular Gateways and Their Critical Role in ICS” presentation later today:
There are a couple of other presentations from yesterday that sound interesting on second look, but the links to them are currently broken. Also, I haven’t had a chance to read through all of these yet: I did give a quick skim to “Stress and Hacking” and “Reversing a Japanese Wireless SD Card” and look forward to a more careful read of both.
I think I’m going to try to post a second update later this evening if the broken links are fixed and/or new content is available. We should also be getting close to the point where the DEFCON 26 media server has preliminary versions of the presentations up…
Edited to add: DEFCON 26 presentations are now live on the DEFCON media server.
DEFCON 26/Black Hat 2018 preliminary notes.
Sunday, August 5th, 2018
DEFCON 26 and Black Hat 2018 start up later this week. Again, I’m not going, but I do feel like I’m inching closer to making a return. Full-timers from my group have been sent to Black Hat in the past, so who knows what’s going to happen next year?
What would I do if I was there? A quick skim of the Black Hat briefings schedule doesn’t show a whole lot that really jumps out at me. I’d probably just be hitting targets of opportunity, with a few exceptions:
- “Stress and Hacking: Understanding Cognitive Stress in Tactical Cyber Ops” by Celeste Paul and Josiah Dykstra, because cognitive stress under pressure is something I’m interested in and has wider implications.
- “Reversing a Japanese Wireless SD Card – From Zero to Code Execution” by Guillaume Valadon.
- “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” by Christian Dameff and Jay Radcliffe, for obvious reasons.
- “Open Sesame: Picking Locks with Cortana”, with Amichai Shulman, Ron Marcovich, Tal Be’ery, and Yuval Ron. The lockpicking in this case looks less like actual physical lock sport: “In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code.”
- “Applied Self-Driving Car Security” because Charlie Miller and Chris Valasek.
What about DEFCON 26? After the jump…
DEFCON 25 update: August 3, 2017.
Thursday, August 3rd, 2017
Mike the Musicologist tipped me off to this:
Marcus Hutchins, the guy who was in the news earlier this year for defusing the WCry malware, was detained in Las Vegas after DEFCON.
This is still an evolving story, but what I’ve seen from reliable sources (and CNN) is that Hutchins is under federal indictment and charged with creating another piece of malware: Kronos, described as a “banking Trojan”.
The best coverage I’ve seen of this so far is from TechDirt and ArsTechnica. I would keep an eye on those two sites for updates, as this story is still evolving.
DEFCON 25 updates: July 31, 2017.
Monday, July 31st, 2017
Things are going to be a little busy this week, but I do plan to keep an eye out for updates. In the meantime, please enjoy this latest set:
- TJ Horner has a nice blog post up about his experiences hacking voting machines in DEFCON 25’s “Voting Village”.
- “The Adventures of AV and the Leaky Sandbox” (Itzik Kotler and Amit Klein) didn’t catch my attention the first time around, but the abstract sounds intriguing: “In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises whose endpoints have no direct Internet connection, or whose endpoints’ connection to the Internet is restricted to hosts used by their legitimately installed software. Assuming the endpoint has a cloud-enhanced antivirus product installed, we show that if the anti-virus product employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration.” Slides. White paper. GitHub repo.
- GitHub repo (including slides and white paper) for the Marc Newlin/Logan Lamb/Chris Grayson presentation, “CableTap: Wirelessly Tapping Your Home Network”.
- Here’s some stuff from “Tracking Spies in the Skies” (Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy): North Star Post summary of their presentation. GitHub repo.
- Slides from the David Robinson talk, “Using GPS Spoofing to control time”, are here. Slides contain links to code, per Mr. Robinson. I’ve only had a chance to take a quick look at this, but I’m fascinated.
DEFCON 25 updates: July 29, 2017.
Saturday, July 29th, 2017
Third round. I’m not proud. Or tired.
- Slides from Salvador Mendoza’s “Exploiting 0ld Mag-stripe information with New technology” are here. I think this is the most current version, but I welcome correction.
- Here’s the slides for “macOS/iOS Kernel Debugging and Heap Feng Shui” (Min(Spark) Zheng).
- Mikhail Sosonkin has a series of blog posts up describing vulnerabilities in the HooToo TM6 travel router. I believe this is a longer version of the same material from his “Hacking travel routers like it’s 1999” talk, but I haven’t had a chance to sit down and compare the blog posts with the slides.
- I have yet to find new material on “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” but there’s a BBC article here. Worthy of note, to me: “For example, if one dial is set to open at 14, using 15 and 13 will work as well. It meant the robot could check every third number, making it possible to quickly test the remaining combinations much faster than a human being.” No disrespect intended to the presenters, but that’s exactly the Feynman/Los Alamos technique. (I think they used a different method for getting the number off the third dial, to be fair.) “The only thing we learn from history, is that we learn nothing from history.”
- David Robinson and ZX Security have a GitHub repo up. Here’s NMEAsnitch, a Python tool to detect GPS spoofing. Here are some other related (and some unrelated) tools courtesy of ZX Security.
- GitHub repo for “Snide” Owen’s “Phone system testing and other fun tricks” containing the slides and extras.
- EFF whitepaper, “The Pregnancy Panopticon”, by Cooper Quintin. This is the basis for the Cooper Quintin/Kashmir Hill talk “The Internet Already Knows I’m Pregnant”.
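Two of the items above, David Robinson’s “Using GPS Spoofing to control time” talk and the NMEAsnitch tool, both come down to the same problem: the NMEA sentences a GPS receiver hands to the host are unauthenticated, so a spoofed signal can quietly walk the reported clock or position somewhere else. The following is an added example, not NMEAsnitch and not anything from ZX Security or Mr. Robinson: a small Python checker that verifies `$GPRMC` checksums and flags fixes whose time runs backwards, jumps ahead, or implies an impossible speed. The sample sentences, the coordinates in them, and the speed and gap thresholds are all constructed for the example.

```python
"""Added example: sanity-checking a GPS receiver's NMEA $GPRMC stream for
signs of spoofing.  Constructed for this post; it is not NMEAsnitch or any
ZX Security code, and the thresholds and sample sentences are made up."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone


def nmea_checksum(payload: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    csum = 0
    for ch in payload:
        csum ^= ord(ch)
    return f"{csum:02X}"


def build_sentence(payload: str) -> str:
    """Wrap a payload as '$payload*CS' (used here only to construct samples)."""
    return f"${payload}*{nmea_checksum(payload)}"


@dataclass
class Fix:
    when: datetime   # UTC time and date as the receiver reports them
    lat: float       # decimal degrees, south negative
    lon: float       # decimal degrees, west negative


def parse_coord(value: str, hemi: str) -> float:
    """Convert NMEA ddmm.mmmm / dddmm.mmmm plus hemisphere to decimal degrees."""
    dot = value.index(".")
    degrees = float(value[:dot - 2])
    minutes = float(value[dot - 2:])
    dec = degrees + minutes / 60.0
    return -dec if hemi in ("S", "W") else dec


def parse_rmc(sentence: str) -> Fix:
    """Parse a $GPRMC/$GNRMC sentence; raise ValueError if it is unusable."""
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not an NMEA sentence")
    payload, _, given = sentence[1:].partition("*")
    if nmea_checksum(payload) != given.strip().upper():
        raise ValueError("checksum mismatch")
    f = payload.split(",")
    if len(f) < 10 or f[0][2:] != "RMC" or f[2] != "A":
        raise ValueError("not a valid RMC fix")
    # Field 9 is the date (ddmmyy), field 1 the UTC time (hhmmss.ss).
    when = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S")
    return Fix(when.replace(tzinfo=timezone.utc),
               parse_coord(f[3], f[4]), parse_coord(f[5], f[6]))


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes (spherical earth)."""
    r = 6371000.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(b.lon - a.lon) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def detect_anomalies(sentences, max_speed_mps=60.0, max_gap_s=5.0):
    """Return (index, kind, detail) alerts for sentences that break physical
    plausibility: bad checksum, clock running backwards, clock jumping ahead,
    or a position change implying an impossible speed.  The thresholds are
    assumptions for a receiver on a road vehicle reporting once per second."""
    alerts = []
    prev = None
    for idx, s in enumerate(sentences):
        try:
            fix = parse_rmc(s)
        except ValueError as err:
            kind = "checksum" if "checksum" in str(err) else "unparsable"
            alerts.append((idx, kind, str(err)))
            continue
        if prev is not None:
            dt = (fix.when - prev.when).total_seconds()
            if dt <= 0:
                alerts.append((idx, "time_backwards", f"clock moved back {-dt:.0f}s"))
            elif dt > max_gap_s:
                alerts.append((idx, "time_gap", f"clock jumped ahead {dt:.0f}s"))
            else:
                speed = haversine_m(prev, fix) / dt
                if speed > max_speed_mps:
                    alerts.append((idx, "speed", f"implied {speed:.0f} m/s"))
        prev = fix
    return alerts


# Constructed sample stream: three honest 1 Hz fixes, then a ten-minute step
# back in time, one fix consistent with the new (spoofed) clock, a position
# teleport of about five nautical miles, and finally a sentence whose payload
# was altered after its checksum was computed.
SAMPLE_SENTENCES = [
    build_sentence("GPRMC,120000.00,A,3020.0000,N,09745.0000,W,0.5,90.0,040817,,,A"),
    build_sentence("GPRMC,120001.00,A,3020.0010,N,09745.0000,W,0.5,90.0,040817,,,A"),
    build_sentence("GPRMC,120002.00,A,3020.0020,N,09745.0000,W,0.5,90.0,040817,,,A"),
    build_sentence("GPRMC,115000.00,A,3020.0020,N,09745.0000,W,0.5,90.0,040817,,,A"),
    build_sentence("GPRMC,115001.00,A,3020.0030,N,09745.0000,W,0.5,90.0,040817,,,A"),
    build_sentence("GPRMC,115002.00,A,3025.0000,N,09745.0000,W,0.5,90.0,040817,,,A"),
    build_sentence("GPRMC,115003.00,A,3025.0010,N,09745.0000,W,0.5,90.0,040817,,,A").replace("3025.0010", "3025.0011"),
]


def run_demo():
    """Run the detector over the constructed stream and return its alerts."""
    return detect_anomalies(SAMPLE_SENTENCES)


if __name__ == "__main__":
    for idx, kind, detail in run_demo():
        print(f"sentence {idx}: {kind} ({detail})")
```

The checksum only catches corruption, not spoofing (a spoofer drives the receiver, so the receiver’s own checksums are fine); the plausibility checks are what matter, and a real deployment would tune the speed and gap thresholds to the platform and add a comparison against an independent clock such as NTP.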
DEFCON 25/Black Hat updates: July 28, 2017.
Friday, July 28th, 2017
Round 2:
- The white paper for “Free-Fall: Hacking Tesla from Wireless to CAN Bus” (Ling Liu, Sen Nie, Yuefeng Du) is here. Slides here.
- Slides for “Exploiting Network Printers” (Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk) are here.
- Found slides for “Breaking Electronic Door Locks Like You’re on CSI: Cyber” here. (I called this one wrong: no Bluetooth. Not a complaint, just an observation.)
- This is one that I saw, overlooked, and now am intrigued by: “All Your SMS & Contacts Belong to ADUPS & Others”. “Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China – without disclosure or the users’ consent.” Slides. White paper.
- Slides for Vlad Gostomelsky’s “Hunting GPS Jammers”. I think this is one that really needs video, too.
- “Intercepting iCloud Keychain” (Alex Radocea) slides.
- And “The Future of ApplePwn – How to Save Your Money” (Timur Yunusov) slides.
- And (hattip to Mr. Yunusov) “Jailbreaking Apple Watch” (Max Bazaliy). I haven’t compared these slides to the ones on the presentations server, just FYI.
Okay, lunch time is almost over, and I feel like I’ve done enough damage to the security community today. I’ll try to have more updates later today or tonight.
DEFCON 25/Black Hat updates: July 27, 2017.
Thursday, July 27th, 2017
Round 1:
- Nitay Artenstein has a blog post up at the Exodus Intelligence site covering his “Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets” talk at Black Hat.
- Slides from Jason Staggs’ Black Hat version of “Adventures in Attacking Wind Farm Control Networks” are up on the Black Hat site.
- I don’t see slides for Colin O’Flynn’s “Breaking Electronic Door Locks Like You’re on CSI: Cyber” yet, but he does have a blog post up talking about some of his findings.
- Slides and the white paper from Ruben Santamarta’s “Go Nuclear: Breaking Radiation Monitoring Devices” are up.
- This is one I kind of overlooked, but it could be interesting: Thomas Brandstetter’s “(in)Security in Building Automation: How to Create Dark Buildings with Light Speed”. White paper. Slides.
- No more conference CDs at DEFCON. But here’s the presentations directory on the DEFCON 25 media server. You can also torrent presentations and workshops.
- To save you a small amount of trouble: here’s the (preliminary) version of the slides for “Popping a Smart Gun”.
Edited to add more:
- Karla Burnett’s “Ichthyology: Phishing as a Science” is actually relevant to my professional life. White paper.
- Slides and the white paper for “Hacking Hardware with a $10 SD Card Reader” (Amir Etemadieh, CJ Heres, and Khoa Hoang) are here.
Here’s your hat.
Wednesday, July 26th, 2017
Black Hat 2017 is just getting started.
There’s some overlap with DEFCON 25. For example, hacking wind farm control networks and the SHA-1 hash talk are on both schedules. But there are also a few things unique to the Black Hat 2017 schedule:
- “Breaking Electronic Door Locks Like You’re on CSI: Cyber”. (Hey, didn’t they cancel that?) I suspect there may be some Bluetooth involved here.
- “Hacking Hardware with a $10 SD Card Reader”. I would enjoy watching this, and will enjoy reading about it, but I lack the hardware skills to actually do this.
- “Go Nuclear: Breaking Radiation Monitoring Devices”
- “Intercepting iCloud Keychain”. The use of the words “would have” in the abstract makes me think Apple’s already patched this issue, but you never know…
- “The Future of ApplePwn – How to Save Your Money”. “We’ll present a specially developed opensource utilities which demonstrates how hackers can reconnect your card to their iPhone or make fraudulent payments directly on the victim’s phone, even without a jailbreak.”
- “Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets”. If memory serves, this got a lot of recent attention.
- “Hunting GPS Jammers”. Radio. GPS. There.
- “Attacking Encrypted USB Keys the Hard(ware) Way”.
- “Exploiting Network Printers”.
- “Free-Fall: Hacking Tesla from Wireless to CAN Bus”. Based on the abstract, it looks like Tesla has already fixed the issues, but the process of finding and exploiting them might still be interesting.
The same rules for the DEFCON post apply here: if you’re a presenter who wants some love, or if you want me to follow a specific talk, leave a comment.
DEFCON 25: 0 day notes.
Tuesday, July 25th, 2017
I’m not going again this year. Maybe next year, if things hold together. But if I were going, what on the schedule excites me? What would I go to if I were there?
Thursday: neither of the 10:00 panels really grab me. At 11:00, maybe “From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices” but I’m at best 50/50 on that. At 12:00, I feel like I have to hit the “Jailbreaking Apple Watch” talk. “Amateur Digital Archeology” at 13:00 sounds mildly interesting.
Not really excited by anything at 14:00. At 15:00, I suspect I would end up at “Real-time RFID Cloning in the Field” and “Exploiting 0ld Mag-stripe information with New technology”. And 16:00 is probably when I’d check out the dealer’s room again, or start getting ready for an earlyish dinner.
Friday: 10:00 is sort of a toss-up. THE Garry Kasparov is giving a talk on “The Brain’s Last Stand” and as you know, Bob, chess is one of my interests. On the other hand, there’s also two Mac specific talks, and Kasparov’s talk is probably going to be packed: I suspect I’d hit “macOS/iOS Kernel Debugging and Heap Feng Shui” followed by “Hacking travel routers like it’s 1999” (because I’m all about router hacking, babe). Nothing grabs me at 11:00, but I do want to see “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” at 12:00:
13:00: “Controlling IoT devices with crafted radio signals”, and “Using GPS Spoofing to control time” at 14:00. (I do want to give a shout-out to the Elie Bursztein talk, “How we created the first SHA-1 collision and what it means for hash security”, though.)
Do I want to go to “Phone system testing and other fun tricks” at 15:00? Or do I want to take a break before “Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods”:
And then at 17:00, “Cisco Catalyst Exploitation” is relevant to my interests. However, I don’t want to dismiss “The Internet Already Knows I’m Pregnant”:
Saturday: Nothing at 10:00. At 10:30, maybe “Breaking Wind: Adventures in Hacking Wind Farm Control Networks” because why not?
I have to give another shout-out to “If You Give a Mouse a Microchip… It will execute a payload and cheat at your high-stakes video game tournament” but I’m personally more interested in “Secure Tokin’ and Doobiekeys: How to Roll Your Own Counterfeit Hardware Security Devices” at 11:00. (“All Your Things Are Belong To Us” sounds pretty cool, too, but I’d probably wait for the notes/repos/etc. to be released rather than attending in person.)
Oddly, there’s really nothing that grabs me between 12:00 and 15:00. At 15:00, “Tracking Spies in the Skies” mildly intrigues me (mostly for the ADS-B aspect), while at 16:00 I’m really excited by “CableTap: Wirelessly Tapping Your Home Network” (more home router hacking! Hurrah!)
At 17:00:
You have my attention.
(Related article from Wired. Presenter’s Twitter feed.)
Sunday: “I Know What You Are by the Smell of Your Wifi”, followed a little later by “Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years”.
Weirdly, after that, there’s nothing that interests me until the closing ceremonies at 16:00. (Though I might go to “Man in the NFC” if I was there.)
This seems like a very low-key year, and I’m not sure why. I don’t see any Bluetooth related stuff, and very little lock related. Perhaps I should be glad I’m skipping this year.
Anyway, you guys know the drill: if you see a talk you’re interested in, leave a comment and I’ll try to run it down. If you’re a presenter who wants to promote your talk, leave a comment and I’ll try to give you some love.
Curses!
Tuesday, July 25th, 2017
DEFCON 25 is this week, and it snuck up on me. I was expecting it to start next week.
I guess this means I have to get the schedule analysis up in a hurry. I think I can get it done by Wednesday night; or at least get the Thursday/Friday parts of it up, and Saturday/Sunday up by Thursday night.
Is there anything that leaps out at me from a quick once-over? No “hippie, please!” panels that I noticed this year. Also no badge contest or mystery challenge.
(Also, I’m reorging the DEFCON tags. I think this should be transparent to everyone.)
Actually, they can read your poker face.
Wednesday, October 26th, 2016
Or at least your cards.
This is a presentation that I overlooked from DEFCON 24, but the authors have now been blogging.
For somewhere between $1,300 and $5,000, you can buy a device that helps you cheat at poker.
The technology is quite interesting. It isn’t just “disguised” as a phone: the device is actually a fully functional Android phone, with a custom ROM and app that controls the cheating portion.
How does it work? Hidden camera, concealed infrared LEDs, and…
What makes the whole thing work is the use of a special deck in which the four edges of each card are marked with IR-absorbing ink. As a result, when this marked deck is illuminated by the IR LEDs, the spots of ink absorb the IR, creating a sequence of black spots…
The sequence of black spots created by the IR illumination, illustrated in the photo above, is read remotely by the cheating device to infer a card’s suit and value. You can think of those markings as invisible barcodes.
So yes, you do need to slip in a marked deck. But the people who will sell you the phone will also sell you pre-marked decks, which are designed to look like they haven’t been messed with. And apparently the phone will pair with Bluetooth based audio and haptic feedback devices, so you don’t even have to be looking at the display.
And yes, because it is based on marked cards, it will work with card games other than poker, too. (High-end bridge cheating? Chris Christie, call your office, please. Sorry, little joke there.)
The post that’s up now is just the first one in a promised series: I’ll try to link to the other ones as they go up.
DEFCON 24 updates: August 11, 2016.
Thursday, August 11th, 2016
“SITCH – Inexpensive, Coordinated GSM Anomaly Detection” doesn’t just have slides up. Or a whitepaper.
It has an entire freaking website. Which does include, yes, slides and whitepaper. (Thanks to SecBarbie on Twitter for this.)
Slides for the Tamas Szakaly “Help, I’ve got ANTs!!!” talk are here. And his GitHub repo is here.
Good stuff is going up on the Black Hat 2016 briefings site, too. I haven’t had a chance to go through all of the abstracts yet, but my current favorite is: “Does Dropping USB Drives In Parking Lots And Other Places Really Work?”. Slides here, code here, blog post here, no spoilers here.