Dispatches from DEFCON 24

DEFCON 2016 Summary

Last time, dear reader, I endured the haze of cigarette smoke and moderate-to-severe liver cirrhosis to bring you dispatches from the 2016 BlackHat USA conference at Mandalay Bay in Las Vegas. One mile and 45 minutes later, I checked into the Paris Hotel to drink in another year of the premier hacker convention, DEFCON. Let me don my roving reporter hat and provide you with some color in case you weren’t there.

Where possible, I am providing links to the slide decks (in PDF format) for the conference. These are hosted at the DEFCON media server, here.

How to Remote Control an Airliner

I made sure to get into the room early to see this talk. How exciting was this going to be? Chris Roberts was nearly thrown in jail for lightly fiddling with the avionics last year, so I was expecting fireworks. 

But, alas, the talk appeared to be cancelled last minute. The official word was “...the um, speaker could uh, not be with us.” My few probes to the goons about the backstory turned up nothing; they were admirably tight-lipped. The sentiment among attendees was “yeah, that was probably too controversial.”

But a little googling suggests that maybe the official reason might have been true after all.

How to Cheat at Poker Like James Bond

The avionics talk that was cancelled due to the controversy was replaced with this standby talk. It was actually a couple of French researchers taking apart a very commercialized poker cheating kit from China. The kit would use a modified Samsung phone’s IR camera to read coded strips of IR from the side of a deck of cards. It would then tell you the top two cards (8 of hearts, 9 of spades).

Obviously you’re going to get the crap beaten out of you if your phone is on the table saying things like that, so the kit included a relay system using Bluetooth to a lanyard around your neck, which would then communicate via RF to a minuscule receiver in your ear.

The researchers had discovered this kit after one of their acquaintances got taken at a poker game. First they tried to buy it from Eastern Europe, but the seller wanted 5,000 euros. They tracked the original manufacturer down to China and bought it for $1,500 USD.

The modified phone had a secured kernel (no debugging abilities), and the seller sent the activation code separately so that no one but the buyer could activate the fake phone software. 

The researchers, though, discovered the backdoor default password. Entertaining talk that filled the time nicely.

Executing a 4 Terabit DDoS for $5 (PDF)

Around the turn of the century I kept hearing about this thing called “the Internet2.” Always wondered what happened with that.

Turns out the Internet2 is alive and well. It is a research network that connects mostly universities and research stations (very much like the original Internet)! But this one is very high bandwidth, using dedicated fiber lines between the nodes. There are 970 nodes, and the average node has 12.5 TB of RAM and twelve 2.5 GHz cores.

The presenter, Luke Young, was a well-spoken young man who worked as a student with one of the nodes. He was self-effacing, but the dude could hack.

Young found enough vulnerabilities within the node controller software to get himself a root shell on the node. This involved hacking through PHP, XML, and like five other technologies that I stopped writing down. Once he had the node under his control, he created a botnet of the five highest Internet2 bandwidth nodes nearby.

The firepower of his little Internet2 botnet was about 3.7 Tb/s. He experimented with it by DDoSing his dorm-room computer, but ended up taking out the whole dorm for days and getting an angry email from the campus service provider.

He compared his theoretical attack capability to one of the largest known DDoS attacks of all time, the Spamhaus attack of 300 Gbps. His would have been 12 times as powerful. And he pointed out that the Spamhaus attack was just DNS reflection. Because he was root on these systems, he could send 3.7 Tb/s of legitimate HTTP requests, which would be very difficult to filter.

He also did all the right things by notifying all the software maintainers of the code and then helping them fix it. Some of the bugs he fixed himself, since he found them in open-source code. So no one could use the hacks that he showed at the talk to launch the same attack. They’d have to find a different way in.

In reality, now that I think about it, launching a layer 7 attack of that magnitude from only 5 nodes (where the cross connects happen between Internet1 and Internet2) would merely result in someone blocking those individual 5 subnets. So the threat isn’t as dire as one might imagine.

Great talk, though.

Paul Vixie: Frontrunning the Frontrunners

Personally, I don’t care what the talk is about, I will always go see Paul Vixie. Other fields, such as architecture, botany, and metallurgy, have to celebrate long dead industry founders, if they even know who they are. In computer science, our fathers are STILL HERE and still giving talks! See them when you can.

Dr. Vixie’s company, Farsight, slurps up huge data feeds from providers around the world. Not sure what they do with all that data, but the subject of this talk was mining DNS NXDOMAIN (not found) records, of which they receive 200,000 per second. ‘Frontrunning’ is the practice of registering a domain name that you shouldn’t have in front of the true owner of that domain. Kind of like high-frequency trading for DNS.

Vixie analyzed gazillions of NXDOMAIN records but found that only a minuscule fraction are frontrunners or typo-squatters. He did find lots of activity around payment systems, such as frontrunners registering names like ‘PayPal-help-desk.com’ from which they would then launch a phishing campaign.
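To make the mining concrete, here is an added example (mine, not Farsight's code or anything shown in the talk) that triages a stream of NXDOMAIN query names against a watch-list of payment brands. It separates the two patterns Vixie described: frontrunning, where the brand is embedded in the registrable label (‘paypal-help-desk’), and typo-squatting, where the label sits one edit away from the brand (‘payapl’). The brand list, the sample records and their counts are constructed for illustration, and the second-level-label helper is a crude stand-in for a Public Suffix List lookup.

```python
"""Lookalike-domain triage over NXDOMAIN query names (added example).

Flags names whose registrable label embeds a watched brand (frontrunning,
e.g. 'paypal-help-desk') or sits one edit away from it (typo-squatting,
e.g. 'payapl'). Brand list and sample records are constructed for illustration.
"""
import re

# Hypothetical watch-list of payment brands (assumption for this example).
BRANDS = ("paypal", "chase", "venmo")

# Constructed NXDOMAIN sample as (query name, times seen); not Farsight data.
NXDOMAIN_SAMPLE = [
    ("paypal-help-desk.com", 412),
    ("payapl.com", 38),
    ("www.pyapal.net", 9),
    ("host123.internal.example", 3),
    ("chasebank-verify.info", 77),
    ("wpad.corp.example", 9000),
    ("venmo-login.co", 150),
    ("totally-unrelated.org", 5),
]


def registrable_label(name):
    """Second-level label of a query name; a crude stand-in for a Public Suffix List lookup."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_label(label, brands=BRANDS, max_typo_distance=1):
    """Return ('frontrun', brand), ('typo', brand) or None for one registrable label."""
    tokens = [t for t in re.split(r"[-_0-9]+", label) if t]
    # Frontrunning: the brand appears verbatim as a token, or as the head/tail of a
    # longer token ('chasebank'). This still over-matches on words such as 'purchase';
    # a production version would carry an allow-list of such words.
    for brand in brands:
        for tok in tokens:
            if tok == brand or (len(tok) > len(brand) and (tok.startswith(brand) or tok.endswith(brand))):
                return ("frontrun", brand)
    # Typo-squatting: a token within a small edit distance of the brand.
    for brand in brands:
        for tok in tokens:
            if tok == brand or abs(len(tok) - len(brand)) > max_typo_distance:
                continue
            if osa_distance(tok, brand) <= max_typo_distance:
                return ("typo", brand)
    return None


def find_lookalikes(records):
    """Classify each (name, count) record; return hits sorted by query volume, busiest first."""
    hits = []
    for name, count in records:
        verdict = classify_label(registrable_label(name))
        if verdict:
            kind, brand = verdict
            hits.append({"name": name, "kind": kind, "brand": brand, "count": count})
    return sorted(hits, key=lambda h: h["count"], reverse=True)


if __name__ == "__main__":
    for hit in find_lookalikes(NXDOMAIN_SAMPLE):
        print(f"{hit['count']:>6}  {hit['kind']:<8} {hit['brand']:<7} {hit['name']}")
```

Sorting hits by NXDOMAIN volume is the point: a lookalike that many resolvers are already asking about is either a phishing campaign in flight or a name someone is about to register, which is exactly the frontrunner you want to beat to the registrar.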

Vixie offers to share data with any researcher who is going to use it for non-commercial (and beneficial) research: Internet Superheroes, in his words. If you are one of them, contact Farsight.

Abusing Smart Cities

A pair of young Italians put on an excellent talk about the security of the infrastructure of smart cities. They gave the impression they work on the IoT systems within one of the large Italian cities.

They showed several good slides on how endpoint sensors communicate to central nodes, from there to command centers, and from there to feed into the main aggregation control that monitors the whole city.

Then they proceeded to show how to hack different endpoint devices:

● How to hack personal parking meters to get free parking

● How to steal bicycles from the shared bicycle pools

The talk really ended there; they were just hacking low-value individual assets, not really abusing a smart city. Still fun; see it if you can.

Monitor Darkly: OSD Hacking

What caught my eye about this talk was the following question: “Did you know there are multiple x86 CPUs that control your 24” desktop monitor?”

Actually, I didn’t know, but the question is pregnant with power; I used to program x86 assembly back before germs. What if you could control the programming of those on-board CPUs? You could do all kinds of mischief against the user.

Presentation-wise, this was the most hilarious talk I saw at DC24. Lots of references to being drunk while researching these embedded x86 CPUs. Excellent graphics, delivery, and a live demo at the end.

The demo inserted the green EV-validated lock for a site that didn’t have a certificate. This has little to do with F5’s business, but it was a cool hardware hack.

Evasion Mitigation on iOS 9

In a whirlwind talk, the researcher @mbazaliy took us through how iOS protects memory pages. It uses two mechanisms. 

1. Never allow a page to be writable and executable at the same time. 

2. Ensure that all pages are code-signed; validation happens on each page fault as the page is loaded into memory. 

By using a combination of kernel calls, the researcher was able to load unsigned code into memory. For the hardcore among you, it was basically this:

● Hook the fcntl call.

● Make a writable, non-executable copy of that page.

● Modify the copy to skip code-signing verification on load.

● Mark the copied page as executable and non-writable.

● Lock the copy (so it never generates a page fault and never gets validated).

● Map the fcntl call to the modified, locked copy.

Ta-da! For his demo, he took an unsigned binary of Flappy Bird and loaded it on to a non-jailbroken iPhone 6S Plus. Super cool, hardcore talk.

My only questions are, did Apple know about this before the con? And does this still work?

Esoteric Infiltration (PDF)

Pentester Willa Riggins conducted a survey in 2012 on /r/netsec, and 82% of respondents thought preventing data exfiltration was a critical task. Okay, so how hard is it to stop data from leaving? Well, exfiltration depends on how much effort the exfiltrator is willing to expend. Riggins sorts exfiltration into three tiers.

Easy, and obvious, exfiltration methods include sending to Dropbox, Google Drive, or OneDrive. These are whitelisted by many organizations.

Discreet exfiltration methods include sending data to Facebook posts. Or, better yet, create a Facebook Group—you can transfer files with that. Riggins says only send to Twitter as a last resort because re-assembly is a PITA, given the 140 character limit.

Extreme exfiltration methods require some hardware. An XBee 900 MHz long-range mesh network can transmit 28 miles, but requires you to get a dongle into the DC (data center). In a non-TEMPEST environment, an attacker could use ham radio systems (don’t do that, that’s illegal).

Given all this, according to Riggins, blue teams should: 

● Block servers from accessing Dropbox, OneDrive, Facebook, etc.

● Baseline traffic, watch for anomalies (why is that server sending 2 GB at 4 a.m.?).

● Block egress by ports, even for east-west traffic.
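Those three controls are easy to state and easy to get subtly wrong, so here is an added example (mine; not from Riggins’ talk and not her ‘Squirrel’ framework) that applies all three to flow records. It builds a per-host, per-hour byte baseline from a constructed week of history, then scores a constructed day of new flows for file-sharing destinations on a block-list, egress ports outside an allow-list, and an hourly total far above the host’s norm. The hostnames, ports, thresholds and records are all assumptions; destination matching also assumes the flow record carries a resolved hostname (say, joined from DNS or TLS SNI logs) rather than a bare IP.

```python
"""Egress checks over flow records (added example, not from the talk).

Builds a per-host, per-hour byte baseline from a week of constructed history,
then scores a day of new flows for: destinations on a file-sharing block-list,
egress ports outside an allow-list, and hourly volume far above the host's norm.
All names, ports, thresholds and records are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical policy. Destination matching assumes the record carries a
# resolved hostname (from DNS or TLS SNI logs), not just an IP address.
BLOCKED_DESTINATIONS = ("dropbox.com", "onedrive.live.com", "drive.google.com", "facebook.com")
ALLOWED_EGRESS_PORTS = {53, 80, 443}
VOLUME_FACTOR = 10            # alert when an hour's total is 10x the host's average for that hour
MIN_ALERT_BYTES = 50_000_000  # ...but never below 50 MB (quiet hours have tiny averages)


def constructed_history():
    """One week of 'normal' per-hour flows for two servers. Synthetic, not real telemetry."""
    history = []
    for day in range(1, 8):
        for hour in range(24):
            busy = 8 <= hour < 18
            db_bytes = (40_000_000 if busy else 1_000_000) + 100_000 * (day % 3)
            history.append((f"2016-08-{day:02d}T{hour:02d}:30:00", "db01", "backup.example", 443, db_bytes))
            history.append((f"2016-08-{day:02d}T{hour:02d}:45:00", "web01", "cdn.example", 443, 5_000_000))
    return history


# Constructed day of new flows: (timestamp, src host, dst name, dst port, bytes).
NEW_FLOWS = [
    ("2016-08-08T04:12:00", "db01", "stash.example", 443, 2_000_000_000),  # 2 GB at 4 a.m.
    ("2016-08-08T10:05:00", "db01", "backup.example", 443, 41_000_000),    # routine backup
    ("2016-08-08T11:40:00", "web01", "content.dropbox.com", 443, 3_000_000),
    ("2016-08-08T12:10:00", "web01", "peer.example", 6667, 500_000),
]


def hourly_totals(flows):
    """Sum bytes per (src, date, hour)."""
    totals = defaultdict(int)
    for ts, src, _dst, _port, nbytes in flows:
        t = datetime.fromisoformat(ts)
        totals[(src, t.date(), t.hour)] += nbytes
    return totals


def build_baseline(history):
    """Return {(src, hour): (mean_bytes, stdev_bytes)} across the days in the history."""
    samples = defaultdict(list)
    for (src, _day, hour), total in hourly_totals(history).items():
        samples[(src, hour)].append(total)
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def check_flows(flows, baseline):
    """Return a list of (src, reason, detail) alerts for the given flows."""
    alerts = []
    for _ts, src, dst, port, _nbytes in flows:
        if any(dst == d or dst.endswith("." + d) for d in BLOCKED_DESTINATIONS):
            alerts.append((src, "blocked-destination", f"{dst}:{port}"))
        if port not in ALLOWED_EGRESS_PORTS:
            alerts.append((src, "disallowed-port", f"{dst}:{port}"))
    for (src, day, hour), total in hourly_totals(flows).items():
        base = baseline.get((src, hour))
        if base is None:
            alerts.append((src, "no-baseline", f"{total} bytes at {hour:02d}:00 on {day}"))
            continue
        avg, sd = base
        threshold = max(avg + 3 * sd, VOLUME_FACTOR * avg, MIN_ALERT_BYTES)
        if total > threshold:
            alerts.append((src, "volume", f"{total} bytes at {hour:02d}:00 on {day} (typical {int(avg)})"))
    return alerts


if __name__ == "__main__":
    for alert in check_flows(NEW_FLOWS, build_baseline(constructed_history())):
        print(*alert, sep="  ")
```

Two details matter in practice. The volume threshold is keyed on hour of day, because a 40 MB backup at 10 a.m. is routine for that host while the same bytes at 4 a.m. are not, and the floor (MIN_ALERT_BYTES) stops quiet hours with a near-zero average from alerting on every packet. A host with no baseline for an hour gets its own alert rather than a silent pass, which is the right default for servers that should have predictable schedules.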

But ultimately, if an attacker tries hard enough, they can evade exfiltration detection. It’s a question of how they want to work. Some tools make it easier. Riggins is working on a Python framework called ‘Squirrel’ which can help them. I mean, to help pentesters.

That’s a Wrap

I’ve been attending since DEFCON 7, so I guess that’s 17 years. You should see my T-shirt collection. DEFCON 24 was one of the better ones—yeah there were a few glitches, such as manufacturing problems (again) with the cool hardware badges. Looking forward to doing it all again next year.

David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.