It’s Sunday evening and, surrounded by sand and mountains, the glitz and glamour of Las Vegas twinkle a fond farewell to thousands of hackers as they head home from DEF CON's 20th anniversary gathering.
Plenty has changed since Jeff Moss (AKA "The Dark Tangent") gathered some friends for a bit of fun during the summer of 1992. Def Con, for example, has moved around a bit, having outgrown (or worn out its welcome at, depending on who you ask) three hotels since its start.
This year, the Rio played host to thousands of people. Hardware hackers, programmers, artists, security professionals, law enforcement, and the curious converged at the hotel for a weekend of barely controlled chaos. This sea of people, their status somewhat represented by the color of their badge, wandered the halls and moved from room to room, each one with a goal to share and learn. Def Con isn’t like Black Hat, the corporate security gathering with a somewhat edgier tone than the RSA Conference. Def Con is a destination for many, the one time of year they can learn and unwind among friends.
SecurityWeek spent the weekend in Las Vegas and wandered the halls of Def Con with many others. Here is a brief recap of the weekend, as well as an update to a previous story.
Hackers and the NSA
General Keith Alexander, the head of the NSA, helped kick Def Con 20 into high gear with the first major talk of the weekend. He also piqued a bit of curiosity among the hackers, because he is the highest-ranking government official ever to speak at the conference. Many of those who went to view his talk, or attempted to watch it on DCTV (Def Con TV), did so for that reason alone.
Unfortunately, most were disappointed by the time he finished. Many of those who spoke to SecurityWeek felt that the General was talking down to them, and pandering to the crowd. His encouragement for hackers to help the government “like some sort of super crew of patriotic hackers” was scoffed at over drinks at iBar on Friday evening.
Those on the professional side of the InfoSec community noted that his talk on Friday was a watered-down version of one he presented last year at the RSA Conference, and just last week at the Aspen Security Forum in Aspen. On both counts, the critics had a point.
Many were skeptical about the General’s claim that the NSA wasn’t collecting data on Americans. As it turns out, Wired’s Kim Zetter needed less than a day to get someone who had insider knowledge to go on record and dispute his claims. William Binney, who is a former technical director at the NSA, said he left the NSA “because they started spying on everybody in the country.”
[For those not aware, an on the record talk for many Def Con attendees is rare, even for speakers or panelists when not on stage. Simply put, people who attend Def Con value their privacy and just don’t talk to reporters on the record that often.]
Moving on to other items of note from Def Con:
Marlinspike Develops Tool to Crack MS-CHAPv2
Moxie Marlinspike, a famed security researcher and cryptography guru, released the tools and instructions needed to crack any session authenticated with MS-CHAPv2. MS-CHAPv2 is widely used to authenticate PPTP VPN connections and, as the inner method of PEAP, WPA2-Enterprise wireless logins.
The first tool, ChapCrack, parses a packet capture containing an MS-CHAPv2 handshake and extracts the pieces that matter: the 8-byte challenge hash, which anyone can compute because the two challenges and the username cross the wire in the clear, and the 24-byte response, which is that same 8-byte value DES-encrypted under three keys cut from the user's NT password hash. The third key carries only two bytes of the hash plus five known zero bytes, so it falls to a trivial search; because the first two keys encrypt the same plaintext, what remains is a single exhaustive 56-bit DES search rather than two. ChapCrack emits this as a token for the second tool, CloudCracker, a service that runs the 2^56 search on dedicated hardware. Because the search is exhaustive it always succeeds, in under a day. The recovered NT hash goes back into ChapCrack, which derives the MPPE session keys from it and decrypts the entire capture.
MS-CHAPv2 was already known to be vulnerable to dictionary attacks, so the received wisdom in the IT world was to use harder-to-guess credentials that a passive dictionary run would not recover. Password strength is irrelevant to an exhaustive 56-bit DES search, so this four-step process, and the freely available tools, should be all the encouragement an IT shop needs to move off MS-CHAPv2. Microsoft, which developed MS-CHAPv2, said it is investigating the issue.
Hackable Huawei Routers
In a talk on router hacking, Recurity Labs’ Felix (FX) Lindner told those in attendance that for the 20th anniversary of Def Con, the gift was China. The talk showed how easily Huawei routers can be compromised.
FX and Gregor Kopf focused only on Huawei routers used in the home and office, because the equipment used by telecommunications firms was unavailable. Still, the researchers noted that the carrier gear shares the same software framework, so the big boxes are likely just as vulnerable.
The AR series devices tested (AR18 and AR29) are marketed to SMBs and smaller networks. Presently the vulnerable hardware is found mostly in Asia and the Middle East, but that could change if Huawei gets its way: the company is pushing for expansion in Europe and the U.S.
The firmware on the two models tested was found to be vulnerable to trivial exploits, including session hijacking and stack and heap overflows. The researchers counted more than 10,000 calls to sprintf, the C library function that writes formatted output with no bound on the destination buffer, meaning there are plenty of candidate overflows to target.
FX, who blasted Huawei for not having an easily accessible security contact, hopes that disclosure of the flaws forces the company to fix the problems and acts as a wake-up call to its customers. Even if fixes arrive, however, the company does not notify customers of new firmware releases, and bug fixes go undocumented, so customers have no way of knowing what they are missing.
Rakshasa – a PC backdoor that is undetectable and nearly impossible to remove
Jonathan Brossard, a noted security researcher who is also the CEO of French security firm Toucan System, gave a talk during both Black Hat and Def Con on malware that replaces the BIOS (or takes it over) and also infects the firmware of other devices in the machine.
The malware, named Rakshasa, is a proof-of-concept and exists only in a lab. Brossard details his work in a paper released after his talk, which describes the hardware backdoor in depth. While this area of attack isn’t new (the BIOS has been targeted plenty of times before), Brossard takes things a step further. Any device with its own flashable firmware that the BIOS talks to, such as a NIC, sound card, or CD-ROM drive, can also carry Rakshasa. If the BIOS is reflashed clean, an infected peripheral such as the NIC reinfects it, so there is no single component whose replacement removes the backdoor.
“Unfortunately, there is no simple fix for this: making computers immune to hardware backdooring would require radical modifications of their architecture, which would result in breaking backward compatibility. It is worth noticing that even the most up to date technologies such as TPM and full disk encryption cannot prevent backdooring by someone in the supply chain,” the paper explains.