Archive for the ‘DEFCON 18’ Category

DEFCON 18 updates.

Tuesday, August 10th, 2010

I’m actively going back and adding links to my original DEFCON 18 posts as they become available and/or I find them.

However, I know some people use RSS to read WCD, and don’t automatically get updated posts in their feed.  So I’m also going to try posting lists of updates I’ve added, at least for the DEFCON 18 stuff.

DEFCON 18 day 1:

DEFCON 18 day 2:

If you’re aware of links I’ve missed so far (and by the way, thanks Gremlin), or if there’s a talk you saw that I haven’t covered, please feel free to leave comments.

After action report: Las Vegas, NV.

Wednesday, August 4th, 2010

I covered a lot of stuff in my previous travel report, so this will mostly just be updates.

  • Project e worked spectacularly well at DEFCON. This is the first chance I’ve had to really push the battery life, and I was able to get an good 12+ hours out of the battery without running it totally dry. (This was with the machine set to “powersave” and putting it into “standby” or “hibernate” when I was in the dealer’s room, or driving around with Mike the Musicologist and Andrew. Continuous usage with the wireless would have been more like 6+ hours, I think, which is still pretty impressive.)
  • My one regret is that I forgot my Alfa external WiFi adapter. I would have enjoyed playing with that at the convention.
  • The 5.11 bailout bag also worked out well for lugging around Project e and various other equipment. Again, I was able to carry a pretty good load, including the laptop, charger, books, a couple of bottles of water,  the small camera, and miscellaneous other necessities.
  • MtM has the Nikon with him and has been taking a lot of photos. As you saw below, I did use the Nikon to take some Gehry photos. When I have more time, I’m going to put up an expanded and annotated Flickr photo set; I did some side-by-side experiments with aperture priority vs. automatic exposure.
  • Food in Las Vegas was, without exception, pretty darn good. The worst meal I had (at the Four Kegs) was still better than average (and I didn’t order the stromboli, which is the house specialty). We also had a very good (if loud) tapas meal at Firefly* on Paradise, the usual wonderful meal at Lotus of Siam, the previously mentioned dinner at Shabu-Shabu Paradise, and a Moroccan meal at Marrakech. (I had not previously had Moroccan food, so I can’t comment on how authentic it was. I certainly enjoyed my meal, and the belly dancer didn’t hurt.)

    Vegas does have something of a shortage of good breakfast places outside of the casinos (and even inside of the casinos, if you’re not looking for a buffet). We had several good breakfasts at Blueberry Hill on Flamingo and one excellent breakfast at The Egg and I on Sahara. I know that MtM and Andrew went to a good Italian place in New York, New York while I was at the convention, and I’ll let them comment on that.
  • Between Tucson and Las Vegas, the refurbished Kindle I ordered arrived, and it went on this trip. I’m sure I’ll have more to say about the Kindle later on, but my first impression is “Meh”. I did manage to read John Clark’s Ignition! in PDF format and a Project Gutenberg MOBI format copy of Heart of Darkness without too much trouble, but my experiences with other PDF files and eBooks have been inconsistent.
  • On the other hand, I finished, and highly recommend, Ubuntu for Non-Geeks 4th Edition and am almost finished with Cisco Routers for the Desperate 2nd Edition (also recommended). No Starch Press rocks. And the coupon code “DEFCON18” will get you a 30% discount. And they’re running a half-price sale on all e-books.
  • My Southwest experience this time was much more pleasant. No misplaced bags, and no flight delays. One thing that was particularly unusual was going through the security line in Las Vegas; I had, literally, no wait. Just walked straight up to the TSA agent and got in line for the metal detector. It took longer to take my shoes off and the laptop out than it did to get through the rest of security.

My thanks to, in no particular order, the DEFCON 18 staff and presenters, No Starch Press, UNIX Surplus, SEREPick, Lotus of Siam, Shabu-Shabu Paradise, Sarah at the iBar in the Rio, and the unknown belly dancer at Marrakech.

Special thanks to my high-speed, low-drag travel companions in the primary, Mike the Musicologist and Andrew “Porous concrete? What were they thinking?” Wimsatt.

DEFCON 18 notes: Day 3.

Wednesday, August 4th, 2010

“The Search for Perfect Handcuffs… and the Perfect Handcuff Key“: It seems that Sunday morning at DEFCON has become the default time for the lock picking and other physical security panels. Sometimes this bugs me a little; I can only sit through so many panels on compromising high security locks with common household objects before my eyes glaze over and I leave for the dealers room. It isn’t that these panels aren’t interesting, but three in a row…

Anyway, I say all that to say that this presentation from TOOOL was one of the better Sunday morning lock bypass presentations I’ve seen at DEFCON. Deviant Ollam and his crew gave a comprehensive overview of handcuffs, how they work, and how they can be defeated. Some key points:

  • A group of Dutch hackers managed to defeat the high security Dutch handcuffs by taking a photo of the key (hanging off someone’s belt) and using a 3D printer to duplicate it. The key can be found here.
  • You can shim many handcuffs with paper, believe it or not. Paper money (especially European paper money, which in many cases is more like plastic or Tyvek than paper) works especially well for this, as currency is generally designed to be tear resistant.
  • Handcuffs are generally a pretty simple mechanism. If they aren’t double-locked, it’s really easy to “shim” them (force a flat piece of metal, or something like that, down between the pivoting ratchet arm and the cuff itself), or pick the lock with something like a paper clip. (You know what really works well for a cuff pick? The sort of U-shaped metal arm that comes on those steel binder clips you can buy at Office Depot.)
  • If the cuffs are double-locked, it makes shimming and picking attacks harder. One way to defeat double-locking is the “whack attack”; slam the cuffs against a hard surface, and inertia will pop the double-lock locking bar back into the unlocked position.
  • It doesn’t take a lot of strength to break handcuffs. Breaking them is just a matter of binding the chains up. Once you’ve done that, it’s just leverage and simple physics to break the chain.
  • You can also rough up the chain with a small easily concealed diamond saw blade to make it easier to break. The folks at SEREPick sell such a thing; you can hide it in the seams of your clothes, in a belt, in the top of a shoe…
  • There’s a lot of design variation in handcuffs, which can cause problems, especially if you’re trying to find a universal handcuff key. Keyway sizes, size and number of pawls…lots of things can cause problems.
  • The TOOOL folks have collected a bunch of cuffs, so they got as many as possible together, took very precise measurements of the keys, and came up with a single “universal” handcuff key that opened all the cuffs they were able to try. No, they don’t sell it, but diagrams and measurements for the key were part of the presentation. The easiest thing to do, according to the presenters, is to start with a Smith and Wesson handcuff key, as that’s closest to the final dimensions of the universal key. After that, all you need is some minor cutting and filing which can be done with a Dremel tool.

(I suspect there are some people who are going to ask “Why would you want to break out of handcuffs? And don’t you feel bad about sharing this information with criminals?” In the first place, the criminals have already learned all these tricks at one of our many institutes of higher education. In the second place, the bad guys are starting to use things like handcuffs and zip ties to restrain their victims; you might as well learn how to defend yourself.)

“Electronic Weaponry or How to Rule the World While Shopping at Radio Shack“: I’ll cut some slack for this guy being a first time presenter, but this was a “Meh” panel for me. It was heavy on the theory of things like RF jamming and EMP attacks, but short on practice. Most of the theory I already knew, so there wasn’t a whole lot there for me. At the end, he did demonstrate a “sound cannon”, which was interesting. It did not, however, even approach the “annoying” level for me, much less the “weapon” one, though the presenter was running it without amplification.

“Breaking Bluetooth By Being Bored”: Dunning (who also built Vera-NG, a Bluetooth and WiFi sniping rifle) presented a series of tools for banging on Bluetooth. These tools included:

  • SpoofTooph, a utility for cloning and spoofing Bluetooth devices. SpoofTooph can also be run in a logging mode, where it will collect data on devices it encounters.
  • The Bluetooth Profiling Project, which uses programs like SpoofTooph to collect Bluetooth device profiles for analysis. (For example, which device addresses correspond to which manufacturer?)
  • vCardBlaster, a utility for running a denial of service attack against a Bluetooth device by flooding it with vCards.
  • Blueper, which sends a stream of files over Bluetooth. You can send files to multiple devices in range, or target a single device and flood it with files. This is interesting because many devices cache received files before asking the user to accept them; if you push a continuous stream of files to one of those devices, you can fill up internal storage and possibly crash the device.
  • pwntooth, a suite of automated Bluetooth testing tools.

As a side note, after some banging around (mostly to resolve dependencies) I managed to compile and install SpoofTooph on Project e. So far, I’ve only tested it in my lab environment, but it seems to work as designed. This is one of the reasons I love going to DEFCON, as there’s nothing like that moment when you say “Holy f—ing s–t, that f—ing f—er actually f—ing works! S–t!”

There was no final attendance figure announced at the closing ceremonies. According to Joe Grand’s badge documentation, there were 7,000 electronic badges made, and those went fast. I would not be shocked if there were 15,000 people at DEFCON this year, and from what I saw in the closing ceremonies, a lot of those folks were attending for the first time.

The big piece of news from the closing ceremonies is that, after four years at the Riveria, DEFCON is moving to the Rio next year. My hope is that the move will make it easier to get into the more popular panels (DEFCON apparently will be using the Penn & Teller Theater at the Rio), and provide more room to move around. (And maybe even more room for vendors.)

Coming up later on: the final after action report and thank-yous.

DEFCON 18 notes: Day 2.

Sunday, August 1st, 2010

Saturday was kind of a rough day at DEFCON 18. But then, Saturday is always a rough day at DEFCON.

I don’t feel it’d be fair to review or summarize the “Extreme-range RFID Tracking” panel; I came in about 20 minutes late. (We lingered a bit over a very good breakfast at Blueberry Hill.) What I was able to gather is that Padget’s set a new record for long distance RFID reading, and that upping the radio power works for increasing RFID reading range up to a point. (Edited to add 8/10/2010: added link to Black Hat 2010 version of paper. Here’s a link to Paget’s blog entry about the session.)

I was not able to get into “Jackpotting Automated Teller Machines Redux” due to extreme overcrowding. (Edited to add 8/9/2010: The Black Hat website has what purports to be MP4 video of Jack’s version of the presentation at Black Hat 2010. I have not sat down and watched it yet.)

I did attend the “This is not the droid you’re looking for…” panel, mostly because I was camping out for the next talk. This panel turned out to be more interesting than I expected; the presenters demonstrated a proof-of-concept rootkit for Android phones that allows you to do all sorts of fun stuff; grab contact information, grab SMS messages, grab location information (all three of these are stored in SQLite databases on the Android), and even make phone calls from the phone. The presenters haven’t weaponized the attack yet, but claim it should be easy to do so.

Practical Cellphone Spying“: Another nifty panel. Padget discussed the concepts behind IMSI catching, and gave a live demo of cellphone interception on the AT&T network. The key takeaway here for me was that the same technology used by law enforcement to intercept calls is now coming down to the point where it will be wrapped in a turnkey package and sold to people with more questionable motivations. (Edited to add 8/10/2010: added link to Paget’s blog entry which includes slides.)

How to Hack Millions of Routers“: I went to this because Lawrence put in a special request. The short version is that a large number of commercially available routers (such as those used by Verizon FIOS) are vulnerable to a clever attack using DNS rebinding and load balancing. Heffner has also released a tool that automates this attack. (This is another Black Hat talk that got a lot of attention in the press; the link above includes a copy of Heffner’s white paper which details the attack vector.)

(Edited to add 8/9/2010: I’ve added a link to Heffner’s Black Hat version of this talk, which as far as I can tell, is pretty similar to the DEFCON 18 version.)

I didn’t attend either “Hacking with Hardware: Introducing the Universal RF Usb Keboard Emulation Device – URFUKED” or “Programmable HID USB Keystroke Dongle: Using the Teensy as a Pen Testing Device“. (Edited to add 8/10/2010: added a link to the Teensy project from the Irongeek website. The bottom of that page has a link to the DEFCON presentation. I’ve also added a link to for the USB Keyboard Emulation Device; that directory appears to contain a copy of the presentation, plus code.)

Instead, I left a little early, had a very nice sake fueled dinner at Shabu-Shabu Paradise in Henderson (a restaurant I enthusiastically endorse), sidecars at the iBar in the Rio (sadly, we did not get to play with the Microsoft Surface), and Penn & Teller.

The three of us saw Penn and Teller back in 2006, and we wondered how much the show had changed since then. Mike the Musicologist estimated that about 50% of the show was new; I think the percentage is a little higher than that, but my memory may be faulty. I was not unhappy that they ended the show with the .357 magnums; the bullet-catching illusion fascinates me, and I’m still trying to figure out how Penn and Teller do it. (Jim Steinmeyer’s The Glorious Deception: The Double Life of William Robinson, aka Chung Ling Soo is a very good history of the bullet-catching illusion, and yet another book I strongly recommend to anyone with even a casual interest in the history of magic.)

The other thing we all noticed is that Penn and Teller’s show has become a bit more explicitly political; in addition to the .357 magnum closer, which has always included 2nd Amendment references (and big kudos to P&T for reciting the Four Rules), the show also included references to flag burning, the Chinese Bill of Rights (“What Chinese Bill of Rights?” Exactly.) and the stupidity of the TSA. Penn and Teller even sell the Security Edition of the Bill of Rights in their gift shop for a lousy $5. (Quote: “We want McCarran Airport to be flooded with these.”) Not that any of us were bothered by the politics; I think all three of us lay claim to at least some form of Libertarianism. And if you’re the kind of person who would take offense at Penn and Teller’s politics, I won’t tell you “don’t go”; I’ll tell you “go, and have your world view challenged”.

(I’d also like to give Penn and Teller kudos for keeping gift shop prices low. Both Andrew and I picked up DVDs of the Teller-directed “Macbeth” for only $10. Teller, if you’re reading this, thanks for signing my copy. And for everything else you do, too.)

DEFCON 18 notes: Day 1.

Sunday, August 1st, 2010

I’m running a little behind, between running around with Andrew and Mike the Musicologist, and some technical issues (DEFCON 18 has a secure wireless network, but it hasn’t been stable), but I’ll post updates when I can. I’ll also add links to the presentations as they go live, or as I find them. If you have questions, I’m willing to try to answer them, but I’d suggest you email the presenter first. If you are a presenter who wants to respond to my comments, I welcome that.

“Build a Lie Detector/Beat a Lie Detector”: This was the first presentation I attended; it was a pretty awful one. The presenters started 15 minutes late and opened with a crappy rap performance (differing tastes in music, fine, but when you’re running 15 minutes behind schedule, the rap should be the first thing to go). Once they actually got going, they spent too much time on a general history of justice systems and of the polygraph. When they did finally get to the technical aspects of their presentation, it amounted to “Oh, yeah, we built this lie detector based on this paper these other guys posted” (with, to be fair, some minor modifications). I walked out of this presentation before the end, which is something I rarely do at DEFCON.

Build your own UAV 2.0 – Wireless Mayhem from the Heavens!“: On the other hand, Renderman and his partner did an excellent job with this one And not just because they played “Thunderstruck” before the presentation started (playing music is okay, even if I don’t like your choice of music (and I like “Thunderstruck”), as long as you start on time), or because they started on time, or because they actually had video of their UAV launching rockets. (Edited to add 8/10/2010: added link to DEFCON 18 slides and video on Gremlin’s website.)

Key takeaways for me from this one:

  • You have two choices for stabilization systems. Thermopile based systems work in the infrared range and are very cheap, but have problems in certain weather conditions. Inertial based systems are more expensive, but offer all-weather capability, and are rapidly coming down in price.
  • Arduino based control systems dominate at the moment, but there’s some interest in developing systems based on the Beagle Board.
  • There’s off the shelf Zigbee based hardware that can easily be used for telemetry, and offers a 10-12 mile range.
  • You can get cheap and decent video out of board cameras, but transmitting video is a harder problem; for good range, you need to work on frequencies that require an amateur license.
  • GPS systems with a 10 Hz refresh rate are down to $80 or so. Most of the GPS systems I’ve dealt with have a 1 Hz refresh rate, which isn’t good enough for UAV use; it was news to me that faster systems are that cheap now.
  • Foam airframes are cheap and easy to repair.
  • Practical UAV applications, other than launching rockets; warflying with kismet, communications relay (imagine a UAV that could hover on station and serve as a repeater in areas of poor radio coverage), search and rescue (imagine a UAV that could survey a wide area looking for signs of a lost hiker, or recon an area where a search and rescue beacon was picked up), and post-disaster recon. I hadn’t thought much about that last one, but now that Renderman’s brought it up, I find that exciting. The theory here is: you send your UAV into areas that your disaster relief staff haven’t physically visited, and it returns good quality imaging of exactly what the damage is and how accessible the area is (have the roads collapsed? Are they under water?). From that, you can develop priorities (damage in this area doesn’t look too bad, we can hold off for a day; these people look like they need immediate help) and plans to get needed resources into the area.

“Exploiting Digital Cameras”: Another solid presentation. Basically, Isacson and Ortega did some clever banging on the firmware of the Canon Powershot series of cameras, found that these cameras have an embedded interpreter, documented that interpreter, and developed some simple exploits using it. The exploits are somewhat limited; you can’t launch malware on an attached computer, for example, but you can do things like turn on the microphone, display arbitrary images on the camera, and modify EXIF data.

“DCFluX in: Moon-bouncer”: A decent presentation on the theory and practice of radio communication using moon-bouncing, satellites, and other methods. I’m going to gloss over the details of his talk and refer you to the presentation when it goes up, as there was a great deal of technical information in it related to historical and amateur radio usage; I’m not sure the majority of my readers are that interested in ham radio, and those who are would be better served getting their information from the source.

Black Ops Of Fundamental Defense: Web Edition“: So here’s a high-level summary of Kaminsky’s talk. Now that the DNS root certificates are digitally signed, we have the ability to use DNSSEC and the Domain Keys Infrastructure (DKI) to do all kinds of cool stuff, including end-to-end email authentication (so you can be sure that the email you got from Bank of America is actually from Bank of America, and not from some random Nigerian), and to do these things in a scalable way.

Kaminsky’s new company, Recursion Ventures, is building (and plans to release shortly) a set of tools that will allow for the easy deployment of DNSSEC. Kaminsky also gave a brief overview of how DNSSEC works, and touched on a few interesting points related to his research. (For example, not only is it possible to run DNS over HTTP, but Kamisky’s figures show performance over HTTP is actually better than normal DNS.)

(Edited to add 2: The link above goes to a page on Recursion Ventures web site where you can view the slides from Kamisky’s version of this talk at Black Hat 2010. I did not see the Black Hat version of this talk; I do not believe the DEFCON 18 version was significantly different. It may have been shorter, and there is some Black Hat specific material in those slides. Also, I’m aware the actual title (“Black Ops of Fundamental Defense: Introducing the Domain Key Infrastructure”) differs from the title in the DEFCON 18 schedule; I chose to stick with the DEFCON title to make cross-referencing easier.)

Edited to add: I’m sorry if anyone is disappointed, but I did not go to the “Weaponizing Lady GaGa, Psychosonic Attacks” panel.

0 Day DEFCON 18 notes.

Thursday, July 29th, 2010

This year, I got in on Wednesday, which reduced the stress level considerably. Mike the Musicologist met me here; Andrew “Swordfish Trombone” Wimsatt is flying in tonight.

Mike and I had a pretty good (and cheap!) dinner Wednesday night at Four Kegs, which some of you may recognize from “Diners,  Drive-Ins, and Dives“.

DEFCON 18 panels that I may, or may not, attend, but will point out for Lawrence‘s benefit:

Weaponizing Lady Gaga, Psychosonic Attacks

I’ve already missed the “Hardware Black Magic: Designing Printed Circuit Boards” and “Go Go Gadget Python: Introduction to Hardware Hacking” panels, but I figure most of the information from those is on the DEFCON 18 CD.

Panels I want to attend:

I’m torn between the annual “Making of the Badge” panel, and the “How To Get Your FBI File (and Other Information You Want From the Federal Government)” panel. If I do get moving that early, I suspect I’ll end up at the latter one.

Build a Lie Detector/Beat a Lie Detector“. My desire to attend this is mostly based on nostalgia. When I was a young boy, my dad gave me several of the Radio Shack 50-in-1/100-in-1/250-in-1 electronic kits for Christmas. One of the projects in those was always a lie detector, and I always built that project.

Build your own UAV 2.0 – Wireless Mayhem from the Heavens!” How could anyone not go to that panel?

Exploiting Digital Cameras“. Another panel that seems designed to push multiple buttons on my user interface at once.

DCFluX in: Moon-bouncer“. Looks like it could be a fun panel on alternative methods of communication in a critical situation, like moon-bounce (something I’ve heard of from the amateur radio community).

Black Ops Of Fundamental Defense: Web Edition“. Dan Kaminsky. Again, enough said.

Extreme Range RFID Tracking“. I haven’t gotten that deep into RFID hacking yet (though I might change that this year), but I’m interested in this long-range low-power radio device stuff. Also, this is one of two Padget talks I want to see.

Jackpotting Automated Teller Machines Redux” The Black Hat version of this talk is already getting a lot of attention.

I’m having trouble deciding between “This Needs to be Fixed, and Other Jokes in Commit Statements“, which sounds like it could be very funny, and “Insecurity Engineering of Physical Security Systems: Locks, Lies, and Videotape“; I have a lot of respect for Tobias’ work.

Practical Cellphone Spying” is the other Padget talk I want to see.

We Don’t Need No Stinkin’ Badges: Hacking Electronic Door Access Controllers“: besides the title reference, this might make good background for that novel. I’m also considering “Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios” as another possibility; I’d really like to see both.

Physical Security : You’re Doing It Wrong!” Well, if he’s going to talk about how to get vendors to take you to lunch, sure!

Physical Computing, Virtual Security: Adding the Arduino Microcontroller Development Environment to Your Security Toolbox“. I’ve been thinking about getting into microcontroller hacking, and this seems like it might be a good introduction to the Arduino (which is one of the environments I’ve considered).

Hacking with Hardware: Introducing the Universal RF Usb Keboard Emulation Device – URFUKED” and “Programmable HID USB Keystroke Dongle: Using the Teensy as a Pen Testing Device“: it sounds like there could be a lot of overlap between these two panels.

The Search for Perfect Handcuffs… and the Perfect Handcuff Key“. You never know when you might need to get out of a pair of handcuffs…

I haven’t decided between “Attack the Key, Own the Lock“, which sounds like it may be a rehash of some panels at previous DEFCONs, and “Constricting the Web: Offensive Python for Web Hackers“, which pushes the Python button.

Electronic Weaponry or How to Rule the World While Shopping at Radio Shack“. Not a lot of information on the DEFCON site; I’ll probably go and leave if I get bored.

Breaking Bluetooth By Being Bored“. I’m fascinated by Bluetooth attacks, so this is a must-see for me.

Panels I won’t be attending:

Getting Root: Remote Viewing, Non-local Consciousness, Big Picture Hacking, and Knowing Who You Are“. The usual hippie horse-pucky.

Any suggestions from anyone else who may be attending? Or presenting? Or wanted to go, but couldn’t?