DEF CON 24 (2016) Report Version 1A (2016-08-07)

POC: Steve Holden, [email protected], www.technewsradio.com, @technewsradio

LICENSE: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

These are my own personal notes taken at DEF CON 24. This includes notes from talks I attended in person (marked with a *), but also my analysis of key information from slides that were provided on the CONFERENCE DISC (these are limited at v1a). Updated notes will be periodically posted as time permits. Corrections, suggestions, comments, etc. are welcome. I also have similar reports from DEF CON 18, 19, 20, 21, 22, & 23.

These notes include links to external sites. Most of the sites have been validated but there could be some issues. Each talk is linked to the official HTML version of the DEF CON program (https://defcon.org/html/defcon-24/dc-24-schedule.html). Presentations (those on the CONFERENCE DISC & those that were presented without being on the DISC) should ultimately end up at: https://media.defcon.org/DEF%20CON%2024

Thursday, August 4, 2016

Workshops (did not attend any of these):
● Machine Duping 101: Pwning Deep Learning Systems - Clarence Chio
● Maelstrom - Are You Playing with a Full Deck?... - Shane Steiger
● Beyond the MCSE: Red Teaming Active Directory - Sean Metcalf
● Weaponize Your Feature Codes - Nicholas Rosario (MasterChen)
● Real time bluetooth device detection with Blue Hydra - Zero_Chaos & Granolocks
● Hacker Fundamentals and Cutting Through Abstraction - LosT

Friday, August 5, 2016

Feds and 0Days: From Before Heartbleed to After FBI-Apple - Jay Healey
● No slides

*DARPA Cyber Grand Challenge Award Ceremony - Mike Walker & Dr. Arati Prabhakar
● No slides
● Automated vulnerability patching and exploits
● Teams worked to keep services up and take down other teams' services
● Very interesting visualizations (blue lines for code working correctly, and then red/black lines for code being exploited or not running as expected)
● Formal verification (verifying code example: http://smaccmpilot.org/)
● Cyber Fast Track was the start: http://www.infosecurity-magazine.com/news/darpa-says-goodbye-to-hacker-friendly-cyber-fast/
● Review of DARPA projects: biohacking, autonomous vehicles, synthetic biologies, next grand challenge (spectrum specific - radio networks with embedded AI).
● DARPA is focused on “trust” - how do you trust data, systems, networks, etc.
● Teams (lowest to highest): CRSPY, JIMA, GALATICA, RUBEUS, MECHANICAL PHISH, XANDRA ($1 million), Mayhem ($2 million)
● Teams were tested against reference Proof of Vulnerability (PoV)

Introduction to the Witchcraft Compiler Collection: Towards universal code theft - Jonathan Brossard (endrazine)
● No slides

BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses - Joe Grand (Kingpin) & Zoz
● Slides on conference disc

Compelled Decryption - State of the Art in Doctrinal Perversions - Ladar Levison
● Slides on conference disc

*Project CITL - Mudge Zatko & Sarah Zatko
● No slides (need to get the slides)
● CITL = Cyber Independent Testing Lab
● Quantifying software risk as a measurement of the workload imposed upon the adversary
● http://www.cyber-itl.com/
● Examining 100+ applications, examining exploits on applications vs. OS.
● Review of Linux installations (OS + applications) - bell curve - Firefox (73) vs. Chrome (80), with 0 being super hackable.
● Office suites are in the 35-50 range.
● Firefox is really low (softer target) on Mac OS, where Chrome is higher and Safari is in the middle.
● Windows 10 is much higher (safer) overall, but with more 3rd party applications the attack surface gets smaller
● Measures: Static Analysis (Binaries)
  ○ Complexity (code size, branch density, stack adjustments, cyclomatic complexity)
  ○ Application Armoring (Compiler, Linker, Loader)
  ○ Developer Hygiene (POSIX/ANSI functions)
● Dynamic Analysis -> Exploitability, Disruptability, Runtime Complexity.
● Files on the OS are another attack vector being researched … many major files have risky functions associated with them.
● There are also some functions in an OS that cannot be completely fortified (Linux is better than Mac OS).
● You need to look at not just the executables but also the actual source code (example of Anaconda - DARPA software for doing big-data analytics libraries and packages)
  ○ The total customer list is major people: Fortune 100, DOD, etc.
  ○ Each OS has a different set of issues
  ○ 600+ binaries
  ○ Some binaries in the Linux build were based on using the 2005 version of GCC vice the more secure latest version of GCC
● More data is planned for later release in 2016 and 2017
● Not working on a pass/fail score but something that can be compared against products.

DEF CON Welcome & Badge Talk - L0sT & The Dark Tangent
● No slides

DEF CON 101 - Meet the Feds - Jonathan Mayer & Panel
● No slides

Honey Onions: Exposing Snooping Tor HSDir Relays - Guevara Noubir & Amirali Sanatinia
● Slides are on conference disc

BlockFighting with a Hooker -- BlockfFghter2!
● No slides
● https://github.com/K2/EhTrace
● This can be used for attacking hypervisors

*CAN i haz car secret plz? - Javier Vazquez Vidal & Ferdinand Noelscher
● No slides
● Chip hacking is something that is new: internal data, OEM specifics
● Protocols (CAN bus): UDS, TP2.0 (tunneling)
● CANBadger hardware overview ($25)
● CANBadger firmware (supports UDS, TP2.0, RAW CAN / Man In The Middle (MITM) support)
● Enables: protocol analysis, MITM (drop frames, manipulate bytes, etc.)
● They also came up with a CANBadger server that can connect to and manage multiple CANBadgers (capture data, etc.)
● New solutions on newer cars are working on OEM security tools, so this enables testing these technologies (SecurityAccess hijack)
● You can also mess with insurance tracking dongles (they use OBD2 data, and you can mess up GPS reporting) / DEMO: Android car interface looks like it is driving around but the car is not running.
● You can also use the CANBadger as an emulator for testing, development, etc.
● Code will be on GitHub. They are also doing some training sessions at DEF CON.
● @fjvva, @s1ckcc

411: A framework for managing security alerts - Kai Zhong
● Slides are on conference disc

Frontrunning The Frontrunners - Dr. Paul Vixie
● No slides
● https://twitter.com/paulvixie

*Cheap Tools for Hacking Heavy Trucks - Six_Volts & Haystack
● Slides are on conference disc
● There is going to be a GitHub whitepaper and source code soon
● Diesel pickup trucks work a lot like most cars
● Truck “stuff” is very compatible and interoperable (electronics can speak with each other)
● Telematics: logs, navigation, Windows Embedded, cellular network, CANs, etc.
● These are very expensive, so they built a TRUCK IN A BOX (v1 = $10K)
● Recreated networks and sensors and some control units with fake units (like the accelerator pedal)
● Protocols: J1708, J1939
● Connectors: DLC/DLA
● Software release: Truck Duck using BeagleBone https://truckhacking.github.io
● Demo of exploit (some fuzzing, static analysis)

Research on the Machines: Help the FTC Protect Privacy & Security - Terrell McSweeny & Lorrie Cranor
● Slides are on conference disc
● Looking for ideas related to securing IoT
● On Twitter @McSweenyFTC

*(Ab)using Smart Cities: the dark age of modern mobility - Matteo Beccaro & Matteo Collura
● No slides
● Contact info: @_bughardy_ @eagle1753
● Review of smart city capabilities (linking of previously disconnected systems)
● Transportation focus: traffic, lighting, parking, transportation (rail, bus, etc.) → these are then communicating to the citizen
● There is also “shared” transport: ride sharing, car sharing, bike rental, etc.
● Architecture: physical (at the edge), to the cloud (API, mgmt), then to the client (hardware/software/services)
● Deep dive into a smart parking meter. Hardware overview, firmware analysis, debug interfaces (USB, NFC)
  ○ The software on the smart parking meter communicating back to the cloud is pretty wide open and able
  ○ Demo of changing price time, fare, time used, or minimum frame
● Deep dive into bike rental services (NFC or mobile app for checkout and then a check-in procedure) -- the mobile app has no obfuscation, with multiple SQL injections (APIs) and hardcoded vendor credentials (very easy to replay attack the NFC cards)
● What is next: surveillance systems, traffic light systems, whole city (they are looking for a hotel)
● Slides are supposed to be posted to https://www.opposingforce.it/ per the presenters

How to Make Your Own DEF CON Black Badge - Badge Hacker Panel
● Slides are on conference disc
● Mickey Shkatov (@Laplinker) Intel Advanced Threat Research
● Michael Leibowitz (@r00tkillah) Senior Trouble Maker
● Joe FitzPatrick (@securelyfitz) Instructor & Researcher, SecuringHardware.com
● Dean Pierce (@deanpierce) Security Researcher, Intel
● Jesse Michael (@jessemichael) Security Researcher, Intel
● Kenny McElroy (@octosavvi) Hacker

Sentient Storage - Do SSDs Have a Mind of Their Own? - Tom Kopchak
● Slides are on conference disc

*How to design distributed systems resilient despite malicious participants - Radia Perlman
● Slides on conference disc
● Radia Perlman, EMC, [email protected]
● Crowdsourcing can be attacked by a single person (whitepaper link)
● Things that don’t work but do: Wikipedia, eBay (for the most part)
● Trust models - bad or dishonest or confused certificate authorities (CA) [good/bad]
  ○ Monopoly
  ○ Oligarchy (most browsers today)
  ○ Etc. … (see slides)
● Review of her proposed recommended model (CAs by namespace) … leverage by a DNS (creating
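The Project CITL notes above list two of the static measures CITL applies to binaries: "Application Armoring (Compiler, Linker, Loader)" and "Developer Hygiene (POSIX/ANSI functions)". The Python below is an added example of what such a check looks like on a single ELF64 file; it is not CITL's tooling, scale or methodology, and nothing in it comes from the talk. It reads the program headers for an NX stack, RELRO and PIE, walks .dynsym for the functions the binary imports from shared libraries, and flags those on an assumed risky-function list (RISKY_FUNCS is my choice, not CITL's). build_sample_elf constructs a minimal headers-only ELF (not loadable, constructed for the demo) so the whole thing runs offline, and armoring_score is a simple count meant for comparing binaries against each other, in the spirit of the "not pass/fail" note.

```python
import struct

# ELF constants (ELF64 spec / Linux ABI)
ET_DYN, EM_X86_64 = 3, 62
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
SHT_STRTAB, SHT_DYNSYM = 3, 11
STT_FUNC, SHN_UNDEF = 2, 0

# Assumed "developer hygiene" list: libc functions with no bounds or format control.
RISKY_FUNCS = {"gets", "strcpy", "strcat", "sprintf", "vsprintf", "scanf", "system"}

def _cstr(data, off):
    """Read a NUL-terminated string from the byte buffer."""
    return data[off:data.index(b"\x00", off)].decode()

def parse_elf64(data):
    """Return (e_type, program headers, section headers) of a little-endian ELF64."""
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    ident, e_type, phoff, shoff = hdr[0], hdr[1], hdr[5], hdr[6]
    phentsize, phnum, shentsize, shnum = hdr[9], hdr[10], hdr[11], hdr[12]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    return e_type, phdrs, shdrs

def imported_functions(data, shdrs):
    """Undefined FUNC symbols in .dynsym: what the binary imports from shared libraries."""
    names = []
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab_off = shdrs[sh[6]][4]            # sh_link points at the matching .dynstr
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, st_info, _, st_shndx, _, _ = struct.unpack_from("<IBBHQQ", data, off)
            if st_name and st_shndx == SHN_UNDEF and (st_info & 0xF) == STT_FUNC:
                names.append(_cstr(data, strtab_off + st_name))
    return names

def armoring(e_type, phdrs):
    """Linker/loader hardening visible in the headers: NX stack, RELRO, PIE."""
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    return {
        # a missing PT_GNU_STACK is counted as executable (the conservative reading)
        "nx_stack": bool(stack) and not (stack[0][1] & PF_X),
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),
        "pie": e_type == ET_DYN,
    }

def assess(data):
    """Comparative report, not a pass/fail verdict: hardening flags plus risky imports."""
    e_type, phdrs, shdrs = parse_elf64(data)
    imports = imported_functions(data, shdrs)
    arm = armoring(e_type, phdrs)
    return {"armoring": arm, "imports": imports,
            "risky_imports": sorted(set(imports) & RISKY_FUNCS),
            "armoring_score": sum(arm.values())}

def build_sample_elf(exec_stack, relro, pie, imports):
    """Construct a minimal (non-loadable) ELF64 containing only the headers the checks read."""
    align8 = lambda x: (x + 7) & ~7
    dynstr, name_off = b"\x00", {}
    for n in imports:
        name_off[n] = len(dynstr)
        dynstr += n.encode() + b"\x00"
    shstr = b"\x00.dynsym\x00.dynstr\x00.shstrtab\x00"
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    phoff = 64
    dynstr_off = phoff + 56 * len(phdrs)
    dynsym_off = align8(dynstr_off + len(dynstr))
    syms = [(0, 0, 0, 0, 0, 0)] + [(name_off[n], STT_FUNC, 0, SHN_UNDEF, 0, 0) for n in imports]
    shstr_off = dynsym_off + 24 * len(syms)
    shoff = align8(shstr_off + len(shstr))
    shdrs = [(0,) * 10,
             (1, SHT_DYNSYM, 2, 0, dynsym_off, 24 * len(syms), 2, 1, 8, 24),   # sh_link=2 -> .dynstr
             (9, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
             (17, SHT_STRTAB, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)]
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    buf = bytearray(struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else 2, EM_X86_64,
                                1, 0, phoff, shoff, 0, 64, 56, len(phdrs), 64, len(shdrs), 3))
    for p in phdrs:
        buf += struct.pack("<IIQQQQQQ", *p)
    buf += dynstr + b"\x00" * (dynsym_off - dynstr_off - len(dynstr))
    for s in syms:
        buf += struct.pack("<IBBHQQ", *s)
    buf += shstr + b"\x00" * (shoff - shstr_off - len(shstr))
    for s in shdrs:
        buf += struct.pack("<IIQQQQIIQQ", *s)
    return bytes(buf)

if __name__ == "__main__":
    weak = build_sample_elf(exec_stack=True, relro=False, pie=False, imports=["strcpy", "gets", "printf"])
    hard = build_sample_elf(exec_stack=False, relro=True, pie=True, imports=["snprintf", "printf"])
    for label, blob in (("weak", weak), ("hardened", hard)):
        print(label, assess(blob))
```

On a real system you would feed assess() the bytes of an installed binary (for example the contents of a file under /usr/bin) and compare reports across products rather than reading any one score as a verdict. Header checks only see what the linker recorded; stack canaries and FORTIFY_SOURCE show up as symbol imports (__stack_chk_fail, __*_chk) and are a natural extension of the same .dynsym walk.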