SECURITY

Hal Berghel DEFCON 16 REVISITED A HACKERS PARADICE

For those of you who don't already know about Defcon (defcon.org), it's the most well known, and so far as I know the largest, "hacker" conference in the world. It's held every August in Las Vegas the week after its smaller cousin, the Blackhat conference (blackhat.com). The Defcon and Blackhat Conferences have produced many of the vulnerability announcements that have shaken the IT world over the past few decades. You may recall the media frenzy over Michael Lynn's revelation in 2005 that Cisco's IOS contained a shellcode and remote execution vulnerability that prompted Cisco to sue Lynn and Blackhat (cf. www.infowarrior.org/users/rforno/lynn-cisco.pdf). Many of the presenters are shared by both conferences. Defcon is the more popular conference and appeals to a broader audience. For that reason I've chosen to cover it in this column.

Defcon is the public face of a relatively private community of geeks (in a positive sense of the term). Organizers include people with monikers like Dark Tangent, Kingpin, and Pyr0, while contributors include N.N.P, jur1st, and Major Malfunction. The pseudonyms are pretty harmless nowadays, as most of the insiders seem to know each other personally. In the old days, however, pseudonyms played a much more important role in the hacker community in maintaining hacker . But that was before the commercial Internet became a business necessity and federal legislation made computer and Internet hacks a felony. Of course 9/11 made hacking an even larger blip on the 3-letter agencies' radar. So, the latest Defcons are more restrained and politically responsible, but still quite interesting. I've selected a few presentations from this year's event that may be of interest to you.

Locksport Rules!

Lock picking has always fascinated me. My first acquaintance dates back to a presentation in an early Defcon in the past century. The speaker demonstrated his lock picking skills with home-made tools made from filed hacksaw blades, as I recall. The art of lock picking seemed like good fun, and I had a considerable stash of dull hacksaw blades, so I was off to the races with a 99-cent Wal-Mart padlock. It took me a few weeks to open it the first time, but once I got the hang of it I found I could do it in a few seconds. In short order, I was up to cheap deadbolts from Home Depot.

In the intervening decade, locksport (what the enthusiasts call what they do) has reached unimagined heights. At Defcon 16, the big news was a vulnerability in 3rd generation Medeco locks - considered to be the best-of-breed in government and corporate security. What makes these locks so interesting, and difficult to pick, is that they use three levels of security. Like all tumbler/pin locks, the pins raise and lower to the shear line to allow the tumbler to turn. But with Medeco locks, each pin rotates individually and also slides into different positions in the pin set. For anyone with a mechanical bent, Medeco locks are a thing of beauty! Needless to say, two Defcon presenters demonstrated how one could pick this heretofore bastion-quality lock. One used a homemade tool crafted from guitar wire and a hollow tube filled with K-B Weld. The second presenter, Marc Tobias, discussed more sophisticated tools and achieved the same result. To give you an idea of how seriously some folks take this work, Tobias has published a 1,400 page tome on the subject! I was impressed to say the least. For those interested in additional information, several websites serve the locksport community; www.locksport101.com and security.org in particular were touted by the speakers at Defcon. [FYI: presenters stated that they gave Medeco time to release a patch kit for their locks that overcomes the vulnerability before making it public!]

Weaponizing Google

I heard a new term at Defcon, "Gmalware" - which stands for Google Malware. Google seems to be following Microsoft in terms of propriety and predatory disintermediation department, with equal disdain from the and open source zealots. I've had "issues" with Google's business practices since its infancy. For one thing, the harvesting of copyrighted material from networks without recognition of authors' rights really irritated me. I threatened to sue one of my publishers several years ago if they didn't protect my copyright aggressively and stop Google from harvesting my work. Google seemed to be of the view that anything on the Internet can be appropriated without recognition of ownership or payment of royalty. The problem that many of us had with Google was that they generated revenue from content that was appropriated from information providers who posted the content solely for individual and non-commercial use. Fortunately, an ever-growing community of copyright lawyers finally disabused Google from continuing that practice.

Today, Google engages in the more subtle, and what I consider more insidious, practice of retaining personal information about users (e.g., names, email addresses, billing information, IP address, URLs, date and time of request, browser type and language - basically anything they can get their hands on; cf. google.com/privacy.html). Let's be specific here: if you use any Google service, a record of that use and any personal information about you that Google can extract from that use is recorded in a Google database!

In order to make their job easier, Google uses "helplets" called Google Gadgets. That's where Gmalware comes in. These gadgets have been shown to have vulnerabilities that put users at considerable risk. This risk was discussed in a Defcon presentation entitled "Xploiting Google Gadgets: Gmalware and Beyond" by Robert Hansen and Tom Stracener. Hansen (aka 'Rsnake') apparently was the first to document this in a 2007 blog. According to Hansen, this vulnerability was reported to Google over a year ago but remains unpatched. Why? Hansen conjectured that the rather steep downside accrues to the user and not to Google, and the source of the malicious code is a 3rd party rather than Google, so it's not their problem. It would appear to me that Google's culpability is akin to that of a property owner who's created a "convenient nuisance." In any case, Hansen's point seems convincing to me.

30 WINTER 2009 DEFCON 16 REVISITED: A HACKERS PARADICE


The risk has to do with Cross-site Scripting (aka XSS), which is a code injection attack that affects web sessions. XSS is now the leading web-based attack vector. Though there are many varieties of XSS, the one that affects Google gadgets is the arbitrary execution of javascript within the Gadget.

The general idea is this. First, Google gadgets support javascript by nature. One of the reasons for this is the online monitoring mentioned above. These javascripted gadgets allow Google to track user behavior. But the XSS vulnerability offers hidden "features" as well, for the javascript executes whenever a browser activates the gadget: if a corrupted gadget (malware) can be substituted for the intended gadget (that's what XSS is all about) the gadget may become "weaponized" - read that as "hostile to the user."

Two points seem incontrovertible to me: first, javascript support is required by Google to support its own mischievous logging goals (cf. www.google.com/analytics) and will continue for the foreseeable future. Second, the XSS/javascript vulnerability is real and there doesn't seem to be much a Google gadgeteer can do to protect against it. As if that isn't enough, the next pair of speakers on the stage showed how XSS could be used to attack social networks! Maybe a future mantra will be "getting Facebook out of your face."

Newsworthy

Three days of Defcon produced much more interesting information than we can discuss here. The list below is just a smattering potpourri of topics covered.

• A website that allows you to compromise Internet kiosks
• A tool that supports SQL injection of Oracle databases
• How Google harvesting can target celebrities and politicians
• LAN link-layer vulnerabilities that still exist in the enterprise
• A new rootkit for NetBSD
• Electronic hacking
• Sniffing cable modem traffic

We would be remiss without reporting two that caught our eye as well as that of law enforcement. The scheduled presentation on War-Ballooning went off without a hitch. The same could not be said of the planned launch of the test platform. War-ballooning is one of the later incarnations of war driving - a mobile platform for detection, analysis, and possible capture of Wi-Fi transmissions. Defcon has supported war driving competitions for quite a few years, but the use of balloons was thought to be a new twist on the old theme. The presenter, Rick Hill, had apparently launched a prototype in Virginia this past June. The prototype consisted of both directional and omni-directional 801.11 antennas, a security camera, and a WAP, tethered by a fiber optic link to ground. The biggest obstacle was not the technology, but the approval process. Hill had sought permission to "fly" this war-balloon 150 feet above the Riviera Hotel (Defcon HQ) in Las Vegas during the conference. Needless to say, the FAA and local law enforcement were really not keen on the idea and Hill's hopes were quickly dashed prior to the event.

A second controversial presentation came from some MIT students who were pulled off the program by order of a US District Court. Their talk, "Anatomy of a Subway Hack," showed how to subvert the fare payment system on Boston subways. Ironically, by the time the Court issued a "prior restraint" order on Saturday, August 16, 2008, Defcon had already distributed the authors' PowerPoint slides to all registrants. Within a few hours the information had penetrated more of cyberspace than economy and good taste would recommend.

Social Experience

Defcon is not a typical scientific or technical conference. If you attend Defcon in the future, don't expect a user-centric experience. No checks or credit cards taken - just cash. No receipts. For the $120 admission you get a goofy electronic badge and the opportunity to hear some interesting speakers if you can locate and "interpret" the scarce signage. Expect a surplus of hubris and hyperbole with a shortage of humility.

Defcon is a social experience as much as a meeting. There is a "Leet" (geek speak for elite) skills com- , Hacker Jeopardy, a guitar hero competition, speed lockpicking competitions, "capture the flag" hacking contests, scavenger hunts, a wardriving competition, the Black and White ball, and so forth. If you don't mind maneuvering through somewhat ill-behaved crowds at times, Defcon remains a fun place to learn about a very different perspective on IT than one would find near the enterprise's water coolers and boardrooms.
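The gadget XSS discussion above comes down to one mechanism: untrusted text is concatenated into markup that the browser then executes as the gadget's own code. The following is an added example, not code from the column, from Hansen and Stracener's talk, or from Google's gadget API. It models a gadget's user preferences as a plain object (`prefs.name` is an assumed, constructed parameter) and rendering as string building, so it runs in Node without a browser. It shows the unsafe rendering beside the HTML-encoded version, and a small defender-side check (a heuristic written for this example) that flags output containing tags or event handlers the template never had.

```javascript
// Added example (not from the column, the talk, or Google): how a gadget that
// builds HTML from an untrusted preference becomes an XSS sink, beside the
// encoded version and a simple output check. Runs in Node; no DOM needed.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value. '&' must be replaced first, otherwise the
// entities produced by the later replacements would be double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the "name" preference is concatenated straight into
// markup, so whatever value arrives through the gadget's parameters becomes
// live HTML (and therefore live javascript) in the hosting page.
function renderGreetingUnsafe(prefs) {
  return "<div class=\"greeting\">Hello, " + prefs.name + "!</div>";
}

// Hardened rendering: same markup, but the untrusted value is encoded at the
// point where it meets HTML, so it can only ever appear as text.
function renderGreetingSafe(prefs) {
  return "<div class=\"greeting\">Hello, " + escapeHtml(prefs.name) + "!</div>";
}

// Defender-side check (heuristic, constructed for this example): compare the
// tags in the rendered output against the tags in the template. Extra tags,
// or any tag carrying an on* event handler, mean untrusted data was
// interpreted as markup.
function containsInjectedMarkup(html, template) {
  const tagRegex = /<\s*\/?\s*[a-z][^>]*>/gi;
  const outputTags = html.match(tagRegex) || [];
  const templateTags = template.match(tagRegex) || [];
  if (outputTags.length !== templateTags.length) return true;
  return outputTags.some((tag) => /\son[a-z]+\s*=/i.test(tag));
}

// The template with the dynamic value removed, used as the baseline.
const TEMPLATE = "<div class=\"greeting\">Hello, !</div>";

// Constructed sample inputs: a benign preference and a classic XSS probe.
const benignPrefs = { name: "Alice" };
const hostilePrefs = { name: "<img src=x onerror=\"alert(1)\">" };

// Run both renderers over both inputs and report what the check says.
function demo() {
  return {
    unsafeBenign: renderGreetingUnsafe(benignPrefs),
    unsafeHostile: renderGreetingUnsafe(hostilePrefs),
    safeHostile: renderGreetingSafe(hostilePrefs),
    unsafeHostileInjected: containsInjectedMarkup(renderGreetingUnsafe(hostilePrefs), TEMPLATE),
    safeHostileInjected: containsInjectedMarkup(renderGreetingSafe(hostilePrefs), TEMPLATE),
  };
}

console.log(demo());
```

The point of the check is not to filter input (a blocklist of tags is exactly what attackers route around) but to catch, in a test suite or a review of gadget output, any rendering path that forgot to encode. The fix lives in `renderGreetingSafe`: encode at the sink, every time, for the context (element body or quoted attribute) the value lands in.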

Hal Berghel is Associate Dean of the Howard R. Hughes College of Engineering at UNLV and Director of the new UNLV School of Informatics. He is also Director of the Identity Theft and Financial Fraud Research and Operations Center. His consultancy, Berghel.Net, provides security and management services to government and industry.
