Information security conferences are known to be attended because of several reasons. For some it’s the technical content, for others the networking potential and for some others simply meeting old friends. Pinpointing our motives is clearly a challenging task, but the following wrap-up ought to share our personal highlights of the week we spent visiting Black Hat USA 2014 and DEFCON 22 in Las Vegas.
After somewhat 18 hours of flight, some sleep and with the beautiful scenery of perpetual clear skies above Las Vegas we began what was to be an incredible week.
Black Hat USA 2014
Sui Generis Kick-Off by Dan Geer
The first day at Black Hat began with an outstanding keynote from Van Dan Geer about policy and policy makers, about software and liability, about users and developers.
Some people have come to accept bugs, bug-fixes and specially vulnerabilities as nothing new and a rather inevitable characteristic of the software industry; some others have talked about making developers accountable for their mistakes as most professionals would be. Geer’s keynote was a well put together analysis of the current state of the software industry and moreover the posture of the companies in regard to liability and some other topics which branch out like incident reporting, software abandonment and others.
It had nothing to do with your typical rant about the current state of our technological infrastructure or those in charge of its advancement, it was a portrait of well-thought alternatives, considerations and possible ways forward about an industry which doesn’t lack thinkers but constructive dialogs about the relationship of developers, their product and those who use it.
We highly suggest having a look at the transcript of the keynote which can be found [here].
Little Time, Much Awesomeness
There were literally dozens of interesting talks to choose from during Black Hat Briefings and would be worth mentioning; these are however the sessions which caught our attention the most followed by some interesting points and the respective resources.
Digging for IE11 sandbox escapes
Listening to James Foreshaw elucidate the inner workings of IE was a great way to start the day. As always the talk was both informative, funny and at times astonishing.
The talk revolved around escaping the IE sandbox environment as well as circumventing AppContainer restrictions introduced with Windows Enhanced Protected Mode (EPM), this being one of Microsoft’s security-flagship in Windows 8.1 seeing this defense mechanism fall short was really interesting.
This was a 10/10-would-attend-again talk. With all dexterity was the audience shown how using DLL injection in IE’s sandbox process and leveraging vulnerabilities in COM Objects to interact with the system, e.g. the registry, leads to an attacker being able to for example modify EPM definitions.
The relevant resources can be found in James’ Github profile.
ERNW @ Black Hat
Antonios, Ayhan, Enno and Matthias had been working hard on their presentations for the past weeks, so listening to their talks and seeing everything run smoothly was comforting. Especially when one considers the intrinsic risk associated with live demos, but hey, they like to live dangerously 😉
Antonios and Enno introduced their latest research regarding Intrusion Prevention Systems (IPS) evasion through IPv6 sorcery. Extension headers and other IPv6 novelties seemed like a good idea, and still do. It’s a shame however that their implementation is so hard to get right. So, if you feel like reading more about it have a look at the respective [whitepaper].
Ayhan and Matthias on the other hand talked about attacking energy management infrastructures employing Cisco’s proprietary protocol EnergyWise. The talk was a mix of the behind the scenes while reverse engineering the protocol, presentation of findings, attack vectors description and as usual the respective demos.
The best of both talks was the response of the attendees, which actively asked questions after the sessions and started some really good and enriching exchanges.
One Packer to Rule Them All
This talk was really entertaining to watch. It was well worth it listening to Alaeddine Mesbahi & Arne Swinnen talk about how their PE Packer achieved a 0% detection rate among leading antivirus and malware protection software, as well as how they managed to fool modern malware detection mechanisms which use code emulation and are employed by most of the big players. The talk and the whitepaper are surely more interesting that any summary would ever be, so be sure to have a look at their [whitepaper].
Internet Scanning – Current State and Lessons Learned
We all knew that the Internet was broken, is it really that hard to believe? Well, after Mark Schloesser’s talk there is absolutely no doubt, no doubt at all.
Although this talk wasn’t groundbreaking in the 0-day for you sense, it didn’t need to be. Getting lots of credentials through SNMP queries with the community string “public”? 10.000+ Telnet daemons dropping the client directly to a root shell? Thousands of internet-facing MSSQL instances revealing funny facts about themselves via UDP? The Internet is a colorful place, and this talk proved that statement. This session reminded us that there’s still a lot of awareness work to do and that sadly some people simply have no idea what their hardware and software actually does.
Critical.IO and Scan.IO host the results of Mark’s research as well as previous work done in the never-ending journey of “scanning all the things”.
In case you are wondering about the slides, they can be found [here].
The Arsenal
Among the many smaller events which took place parallel to the talks the “Black hat arsenal” was definitely a great place to discover new interesting tools being developed by the community and get to know the teams behind them a bit better. Usual suspects as BeEF and Burp were of course present, but we also had a look at some less widespread projects like Dradis, the Volatility Framework and the Zed Attack Proxy from OWASP.
Most of said projects have been out for a while now, but is always good to be reminded of what one might be missing. This is especially true for the Dradis project, which surely ought to make information sharing between team members during engagements much easier.
Old Friends, New Perspectives
Las Vegas never sleeps, or so we are continually told, thus after Black Hat’s talks were over we set ourselves to share a dinner with some other fellow researchers and old friends. It was a great gathering filled with laughs and good memories. Rodrigo Branco’s story about how his home ended with power cables all around in the name of science or Kate’s and Patrick’s tale about the hardships of getting their code to work were, as was to be expected, highly entertaining! Thanks go to all of you gals and guys, for making that evening a memorable one.
There were some really good talks and workshops at Black Hat this year, some informative and some ground-breaking, some bizarre ones taught you how to jailbreak your Jeep ( A Survey of Remote Automotive Attack Surfaces ) and some other like the Kaizen CTF got us erratically looking for clues and the next flag in a race against time in order to unveil the actors and details of a terrorist plot.
At this point Black Hat was over and we thought that this was definitely an event worth visiting. Our visit had at that point however nothing but begun.
DEFCON 22
With a one day flight and Black Hat behind us a visit to DEFCON was of course in the agenda of those of us who remained in Las Vegas. The flesh was feeling weak and still with jet-lag but the soul longed for some more epic talks, so on to the Rio Hotel and Casino!
Friday morning was spent visiting the vendor area, buying some books and talking to some cool people in the industry which we didn’t get the chance to talk to during Black Hat.
DEFCON’s vendor area was all one could ask for, great books, t-shirts, pick-sets and antennas everywhere! But most important, people which weren’t at all reluctant to start a conversation about their latest project and future enterprises. Oh, and how to forget your typical white van with crappy “Free Candy” signs and funny inflatable pineapples and rubber ducks with a moustache everywhere!
Among some of our exchanges, some of us got to talk to Vivek Ramachandran from SecurityTube.net and Raphael Mudge from the Armitage project. As the DEFCON etiquette dictates, stickers and kind words were exchanged and we headed to have a look at the villages. Although we missed the first day of DEFCON, we were pretty sure the best lied ahead of us.
If deciding which events at Black Hat we were going to attend was a hard decision, the same decision was impossible at DEFCON. There were just so many incredibly skilled people teaching interesting stuff. We kind of simply went off to the villages in order to have a look around, after that we mostly attended talks and sat at the lounge playing with the badge.
The Villages
This was a great decision, the content being presented at the villages was relevant and there was something for everyone. Topics ranged from basic 802.11 hacking to how to choose your perfect antenna and presentations about some pretty advanced tricks with HackRF. Since interest in Software Defined Radio (SDR) has been skyrocketing, chances are that you too are interested in the topic, so be sure to check out the videos compiled by the guys at the DEFCON22 Wireless Village.
The Crypto and Lock picking Villages were nice events as well, lots of information and fun. The people at the Crypto-Village did a great job putting together an agenda which would both educate the attendees about the potential of using cryptography as means for achieving privacy in an age when data breaches and indiscriminate surveillance aren’t science fiction anymore.
Pwning ISPs Like a Pro
When one mentions the word auto configuration what most people think about is cost reduction and administration ease, as it turns out this is not always the case. The TR-069 or Customer-Premises Equipment(CPE) WAN Management Protocol is a standard thought to make, among other things, the provisioning of devices owned by service providers and delivered to customers easy. Fooled by this promise, some of the biggest tech giants have deployed millions of end-devices with TR-069 support unknowingly putting themselves, and their customers, in danger.
In this interesting talk Shahar Tal showed how the adoption of TR-069 has been gaining momentum with around 147 million online devices supporting it. It was shown also shown that behind “zero-configuration” there is actually a lot going on. Remote management, monitoring, diagnostics, configuration and firmware deployment are possible and present, as expected, interesting attack vectors both against the customer and the ISPs. You know, if the good guys can, the bad guys can too.
He then turned to the Auto-Configuration Server (ACS) and showed how ACS are the single point of failure offering a gate into both the ISPs’ infrastructure and the customer’s network. Everything from MACs, SSIDs and credential harvesting to a total control of a customer’s gateway configuration are just some examples of what an attacker would be after. And so the maelstrom began.
Numerous ACS providers with poor quality software, poor documentation and almost no community looking after TR-069’s “advancements” make up for perfect preys. What came after was a killing spree of slides showing ACS solutions using basic digest authentication here, base64 encoding for credentials there, not validating certificates and having common bugs like local file inclusion and other usual suspects which eventually lead to remote code execution. In short, one ACS “to rule them all”.
This was both an interesting and wake-up call kind of talk, and it should have been like this for some of the ISPs present, at least we hope it was.
The latest version of Shahar’s presentation at DEFCON22 can be found [here].
Is This Your Pipe?
The octocat is flawless they said, continuous integration they said, don’t worry they said.
We’ve all witnessed how building software has gone from running GCC, javac or a simple make script, which to be fair weren’t always that simple :), to a complex medusa of Maven or Jenkins or Github or Jira Bamboo or Puppet or Vagrant. The list goes on and on since automatizers gonna automatize.
Listening to Kyle Kelley & Greg Anderson go through the different attack scenarios was quite amusing, since some think that integrating the latest buzzword in their development lifecycle will make them more productive but leave the security characteristics of their shipping process and their overall security posture unchanged.
With great power comes great responsibility, we all heard that as we grew up. It wasn’t supposed to be, with great power comes permission to upload your keys to GitHub.
For those looking for some friday entertaiment, the slides are hosted [here].
The Internet of Fails
The quest for total automation has been going on for a while. Gadget vendors have been apparently running out of ideas, and following their flawless logic they have turned to everyday objects in order to sprinkle some cheap circuits and development boards and make them “intelligent”. This automation craziness and the pwnage playground which is being prepared were the topics of the session presented by Mark Stanislav and Zach Lanier.
They showed real examples of vulnerable Internet-of-(broken)-Things-ready devices which at best were the result of poor engineering efforts or sheer ignorance. From PGP keys being embedded in the firmware of the device itself, to unauthenticated CGI scripts, hardcoded credentials and poorly implemented APIs.
The wonderland which constitutes the internet is coming to your webcam, doorbell, toaster, and even your remote-controlled-egg-checker-machine. You have been warned.
Luckily, they are trying to improve the situation through their initiative: Build It Securerly.
Find the slides [here], get a good laugh and get your tin-foil hat out of your drawer.
There where way too many enriching talks for us to summarize them all, but hopefully this has given you a glance in the great event DEFCON always is.
Be sure to check the archive of DEFCON 22 if you’d like to get the materials once they get published.
The Badge, The Crazy Badge Challenge
We got our hands on the pamphlet and the badge and as soon as we had some time to hydrate ourselves and sit down after a busy saturday at DEFCON. Afterwards we tried our luck at some of the puzzles. As time passed between running the different .spin files on our crazy badge, dusting off our ROT13 knowledge, learning about Erdős–Woods numbers and trying to get some meaning out of several pictures we had. We got to the point were sleeping was no longer a choice and so we let our badge be. Sunday was spent attending some other talks, wandering through the Las Vegas S Blvd. and getting some much deserved rest.
Gladly for us who didn’t make it all the way, Jason Hall and Brett Buerhaus posted a nicely done write-up about how they achieved to solve all the steps of the badge challenge. It’s an incredible read, so be sure to have a look at it at [here].
The End
After another long day flying and some due rest we all are finally back in Heidelberg. We can only say that being in Las Vegas and attending Black Hat and DEFCON was an invaluable opportunity to meet friends, exchange ideas regarding technical and not so technical aspects of information security and what not. In short, InfoSec conferences were as always just a place to have a great time with great people.
As we all know, one conference ends and the preparations for another one begin. This time it will be our turn to be hosts since as usual TROOPERS15 will take place here in Heidelberg next march. Everything is set for a wonderful week of workshops and talks! We’re really looking forward to meeting you up here in Heidelberg next year. So, if you want to join us, be sure to check out the already open “enthusiast” registration at http://troopers.de.
Thanks for passing by and have a great day,
Jayson S.