DEF CON 24 (2016) Report Version 1a (2016-08-07)

POC: Steve Holden, [email protected], www.technewsradio.com, @technewsradio
LICENSE: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

These are my own personal notes taken at DEF CON 24. This includes notes from talks I attended in person (marked with a *), but also my analysis of key information from slides that were provided on the CONFERENCE DISC (these are limited at v1a). Updated notes will be periodically posted as time permits.

Corrections, suggestions, comments, etc. are welcome. I also have similar reports from DEF CON 18, 19, 20, 21, 22, & 23.

These notes include links to external sites. Most of the sites have been validated but there could be some issues. Each talk is linked to the official HTML version of the DEF CON program (https://defcon.org/html/defcon-24/dc-24-schedule.html). Presentations (those on the CONFERENCE DISC and those that were presented without being on the DISC) should ultimately end up at https://media.defcon.org/DEF%20CON%2024.

Thursday, August 4, 2016

Workshops (did not attend any of these):
● Machine Duping 101: Pwning Deep Learning Systems - Clarence Chio
● Maelstrom - Are You Playing with a Full Deck?... - Shane Steiger
● Beyond the MCSE: Red Teaming Active Directory - Sean Metcalf
● Weaponize Your Feature Codes - Nicholas Rosario (MasterChen)
● Real time bluetooth device detection with Blue Hydra - Zero_Chaos & Granolocks
● Hacker Fundamentals and Cutting Through Abstraction - LosT

Friday, August 5, 2016

Feds and 0Days: From Before Heartbleed to After FBI-Apple - Jay Healey
● No slides

*DARPA Cyber Grand Challenge Award Ceremony - Mike Walker & Dr. Arati Prabhakar
● No slides
● Automated vulnerability patching and exploits
● Teams worked to keep services up and take down other teams' services
● Very interesting visualizations (blue lines for code working correctly, and then red/black lines for code being exploited or not running as expected)
● Formal verification (verified code example: http://smaccmpilot.org/)
● Cyber Fast Track was the start: http://www.infosecurity-magazine.com/news/darpa-says-goodbye-to-hacker-friendly-cyber-fast/
● Review of DARPA projects: biohacking, autonomous vehicles, synthetic biologies, next grand challenge (spectrum specific - radio networks with embedded AI).
● DARPA is focused on “trust” - how do you trust data, systems, networks, etc.
● Teams (lowest to highest): CRSPY, JIMA, GALACTICA, RUBEUS, MECHANICAL PHISH, XANDRA ($1 million), Mayhem ($2 million)
● Teams were tested against reference Proofs of Vulnerability (PoV)

Introduction to the Witchcraft Compiler Collection: Towards universal code theft - Jonathan Brossard (endrazine)
● No slides

BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses - Joe Grand (Kingpin) & Zoz
● Slides on conference disc

Compelled Decryption - State of the Art in Doctrinal Perversions - Ladar Levison
● Slides on conference disc

*Project CITL - Mudge Zatko & Sarah Zatko
● No slides (need to get the slides)
● CITL = Cyber Independent Testing Lab
● Quantifying software risk as a measurement of the workload imposed upon the adversary
● http://www.cyber-itl.com/
● Examining 100+ applications, examining exploits on applications vs. the OS.
● Review of Linux installations (OS + applications) - bell curve - Firefox (73) vs. Chrome (80), with 0 being super hackable.
● Office suites are in the 35-50 range.
● Firefox is really low (softer target) on Mac OS, where Chrome is higher and Safari is in the middle.
● Windows 10 is much higher (safer) overall, but with more 3rd-party applications the attack surface gets smaller
● Measures: Static Analysis (binaries)
  ○ Complexity (code size, branch density, stack adjustments, cyclomatic complexity)
  ○ Application Armoring (compiler, linker, loader)
  ○ Developer Hygiene (POSIX/ANSI functions)
● Dynamic Analysis -> Exploitability, Disruptability, Runtime Complexity.
● Files on the OS are another attack vector being researched … many major files have risky functions associated with them.
● There are also some functions in an OS that cannot be completely fortified (Linux is better than Mac OS).
● You need to look at both the executables and the actual source code (example of Anaconda - DARPA software for doing big-data analytics libraries and packages)
  ○ The total customer list is major people: Fortune 100, DOD, etc.
  ○ Each OS has a different set of issues
  ○ 600+ binaries
  ○ Some binaries in the Linux build were based on a 2005 version of GCC instead of the more secure latest version of GCC
● More data is planned for later release in 2016 and 2017
● Not working on a pass/fail score but something that can be compared across products.

DEF CON Welcome & Badge Talk - L0sT & The Dark Tangent
● No slides

DEF CON 101 - Meet the Feds - Jonathan Mayer & Panel
● No slides

Honey Onions: Exposing Snooping Tor HSDir Relays - Guevara Noubir & Amirali Sanatinia
● Slides are on conference disc

BlockFighting with a Hooker -- BlockFighter2!
● No slides
● https://github.com/K2/EhTrace
● This can be used for attacking hypervisors

*CAN i haz car secret plz? - Javier Vazquez Vidal & Ferdinand Noelscher
● No slides
● Chip hacking is something that is new: internal data, OEM specifics
● Protocols (CAN bus): UDS, TP2.0 (tunneling)
● CANBadger hardware overview ($25)
● CANBadger (supports UDS, TP2.0, raw CAN / Man In The Middle (MITM) support)
● Enables: protocol analysis, MITM (drop frames, manipulate bytes, etc.)
● They also came up with a CANBadger server that can connect to and manage multiple CANBadgers (capture data, etc.)
● Newer cars are working on OEM security tools, so this enables testing those technologies (SecurityAccess Hijack)
● You can also mess with insurance tracking dongles (they use OBD2 data, and you can mess up GPS reporting) / DEMO: Android car interface looks like it is driving around but the car is not running.
● You can also use the CANBadger as an emulator for testing, development, etc.
● Code will be on GitHub. They are also doing some training sessions at DEF CON.
● @fjvva, @s1ckcc

411: A framework for managing security alerts - Kai Zhong
● Slides are on conference disc

Frontrunning The Frontrunners - Dr. Paul Vixie
● No slides
● https://twitter.com/paulvixie

*Cheap Tools for Hacking Heavy Trucks - Six_Volts & Haystack
● Slides are on conference disc
● There is going to be a GitHub whitepaper and source code soon
● Diesel pickup trucks work a lot like most cars
● Truck “stuff” is very compatible and interoperable (electronics can speak with each other)
● Telematics: logs, navigation, Windows Embedded, cellular network, CANs, etc.
● These are very expensive so they built a TRUCK IN A BOX (v1 = $10K)
● Recreated networks and sensors and some control units with fake units (like the accelerator pedal)
● Protocols: J1708, J1939
● Connectors: DLC/DLA
● Software release: Truck Duck using BeagleBone https://truckhacking.github.io
● Demo of exploit (some fuzzing, static analysis)

Research on the Machines: Help the FTC Protect Privacy & Security - Terrell McSweeny & Lorrie Cranor
● Slides are on conference disc
● Looking for ideas related to securing IOT
● On Twitter @McSweenyFTC

*(Ab)using Smart Cities: the dark age of modern mobility - Matteo Beccaro & Matteo Collura
● No slides
● Contact info: @_bughardy_ @eagle1753
● Review of smart city capabilities (linking of previously disconnected systems)
● Transportation focus: traffic, lighting, parking, transportation (rail, bus, etc.) → these are then communicating to the citizen
● There is also “shared” transport: ride sharing, car sharing, bike rental, etc.
● Architecture: physical (at the edge), to the cloud (API, mgmt), then to the client (hardware/software/services)
● Deep dive into a smart parking meter. Hardware overview, firmware analysis, debug interfaces (USB, NFC)
  ○ The software on the smart parking meter communicating back to the cloud is pretty wide open
  ○ Demo of changing price, time, fare, time used, or minimum frame
● Deep dive into bike rental services (NFC or mobile app for checkout and then a check-in procedure) -- the mobile app has no obfuscation, with multiple SQL injections (APIs) and hardcoded vendor credentials (very easy to replay-attack the NFC cards)
● What is next: surveillance systems, traffic light systems, whole city (they are looking for a hotel)
● Slides are supposed to be posted to https://www.opposingforce.it/ per the presenters

How to Make Your Own DEF CON Black Badge - Badge Hacker Panel
● Slides are on conference disc
● Mickey Shkatov (@Laplinker) Intel Advanced Threat Research
● Michael Leibowitz (@r00tkillah) Senior Trouble Maker
● Joe FitzPatrick (@securelyfitz) Instructor & Researcher, SecuringHardware.com
● Dean Pierce (@deanpierce) Security Researcher, Intel
● Jesse Michael (@jessemichael) Security Researcher, Intel
● Kenny McElroy (@octosavvi) Hacker

Sentient Storage - Do SSDs Have a Mind of Their Own? - Tom Kopchak
● Slides are on conference disc

*How to design distributed systems resilient despite malicious participants - Radia Perlman
● Slides on conference disc
● Radia Perlman, EMC, [email protected]
● Crowdsourcing can be attacked by a single person (whitepaper link)
● Things that don’t work but do: Wikipedia, eBay (for the most part)
● Trust models - bad or dishonest or confused certificate authorities (CA) [good/bad]
  ○ Monopoly
  ○ Oligarchy (most browsers today)
  ○ Etc … (see slides)
● Review of her proposed recommended model (CAs by namespace) … leveraged by DNS (creating a bi-directional key authentication between parent <> child)
● Cross-certification (a.com <-> xyz.com)
● Network routing for these CA validations (link state, reputation)
● Extra presentation: causing the human to misbehave:
  ○ Typing username/password
  ○ We are from Microsoft and your machine is infected? [Event Viewer - warnings and errors]
  ○ Trade-off of usability vs. security
  ○ User authentication (special characters, #s, etc.) / Rules?!?
  ○ Security questions
  ○ Annoying security rules (changing passwords, reset password, best practices, etc.)
  ○ We don’t want more user training.
  ○ Quote “Humans are incapable of securely storing high-quality cryptographic keys…” in “Network Security: Private Communications in a Public World”

A Monitor Darkly: Reversing and Exploiting Ubiquitous… - Ang Cui
● No slides

Direct Memory Attack the Kernel - Ulf Frisk
● Slides are on the conference disc

Anti-Forensics AF - int0x80
● Slides are on the conference disc

How To Remote Control An Airliner: Security Flaws in Avionics - Sebastian Westerhold
● Cancelled
● No slides

Slouching Towards Utopia: The State of the Internet Dream - Jennifer S. Granick
● Slides are on the conference disc

*The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering - Amro Abdelgawad
● Slides are on conference disc
● Looking at code that could not be reverse engineered
● Randomization (stacks, encryption) [ends up with probability analysis] / Isolation
● REMOTE = do not keep the code local (stored remotely)
● MUTATION/MORPHED (FLUX MUTATION) [something remote and something local]
● Remote & local operate via challenge and response
● The challenges to look for (see list in the slides)
● See slides for signature evasion techniques (these are not resistant to reverse engineering)
● AI tools need to be “slowed”, or made very expensive to run
● See slides for the capabilities of his “Flux Mutation” idea
● If all functions are morphed, they end up looking the same (the structure looks all the same).

NPRE - Eavesdropping on the Machines - Tim "t0rch" Estell & Katea Murray
● Slides are on the conference disc

Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers - Allan Cecil (dwangoAC)
● Slides are on the conference disc

*Side-channel attacks on high-security electronic safe locks - Plore
● Slides are on the conference disc
● [email protected]
● Looking at UL Type 1 high-security locks
● Attack starts by looking at the power distribution and how it communicates (oscilloscope)
● Very good demos
● Example videos
● GSA locks are much more secure

Breaking the Internet of Vibrating Things… - follower & goldfisk
● No slides

101 Ways to Brick your Hardware - Joe FitzPatrick & Joe Grand
● Slides are on the conference disc

*Samsung Pay: Tokenized Numbers, Flaws and Issues - Salvador Mendoza
● Slides are on the conference disc
● Review of the token format and how it is defined.
● Review of some of the APIs available
● Review of some of the 20+ databases (DBs) that are part of Samsung Pay (some using standard passwords)
● You can back up all the databases and remotely review them in other tools
● Great hardware demos (capturing a token via demo mode and then replaying that token to buy something)

Mr. Robot Panel - Kor Adana, Dark Tangent, & Marc Rogers
● No slides

*Hacking Next-Gen ATM's From Capture to Cashout - Weston Hecker
● No slides
● Demo’d at DEF CON
● Review of EMV, carder systems, and automating cashout
● Credit cards can be purchased by zip code
● Credit card data will continue to be expanded (RFID, EMV, etc.)
● Review of the 30-second information flow that bad guys are doing to get all the info they need to send a request to a remote ATM
● Relies on shimmed ATMs as the place that captures a card/tokens
● So you use your card at a POS that is compromised and then they build out a new “packet” to send to the ATM to get it to spit out cash
● Automated systems: La-Cara (rise of the machine) [picture on Facebook of some guys who did a cash run on ATMs spitting out cash]
● La-Cara is a “physical” ATM interface tool to get cash out without a human
● Keypad module uses Arduino
● To do this research he also had to build out his own banking backend
● Automated capturing of the PIN and software defined radios (OpenCV)
● Japanese and Chinese ATMs can have up to $10K limits

Sk3wlDbg: Emulating all (well many) of the things with Ida - Chris Eagle
● Slides are on the conference disc

Malware Command and Control Channels: A journey into darkness - Brad Woodberg
● Slides are on the conference disc

Saturday, August 6, 2016

*How to overthrow a Government - Chris Rock
● Slides are on the conference disc
● Biggest threat #2 is hackers … we should be #1
● Simon Mann (mercenary) was a consultant

I Fight For The Users, Episode I - Attacks Against Top Consumer Products - Zack Fasel & Erin Jacobs
● Slides on the conference disc

Developing Managed Code Rootkits for the Java Runtime Environment - Benjamin Holland (daedared)
● Slides on the conference disc

Escaping The Sandbox By Not Breaking It - Marco Grassi & Qidan He
● No slides

Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker - Evan Booth (Fort)
● Slides are on the conference disc

Light-Weight Protocol! Serious Equipment! Critical Implications! - Lucas Lundgren & Neal Hindocha
● Slides are on the conference disc

*Picking Bluetooth Low Energy Locks from a Quarter Mile Away - Anthony Rose & Ben Ramsey
● Slides are on the conference disc
● Background: lockpicking, electronic engineer, not a coder, Bluetooth Low Energy research
● The vendors don’t seem to care. They contacted 12 vendors and only 1 responded back.
● Review of the Bluetooth Low Energy specification and hardware details
● 3 billion devices being made a year: security products (deadbolts, bike locks, ATM locks, Airbnb, lockers, gun cases, etc.)
● Review of hardware used (passive design): Ubertooth One (made by Michael Ossmann), USB dongle, Raspberry Pi, antenna (~$200)
● This could also be used on a drone (GPS plotting)
● Review of some war driving (40 minutes): 4 locks, Nest, Fitbit, etc.
● The four that haven’t been broken: August Doorlock (hard-coded password), Kwikset Kevo Doorlock (Bluetooth is great but easy to break physically), Noke Padlock, Master Padlock
  ○ AES encryption
  ○ 2-factor encryption
  ○ No hard-coded passwords
  ○ Long passwords
  ○ Randomization
● Slides: broke up how locks were broken by category: plaintext, very small password length requirements (brute force), replay attacks (even with encryption), fuzzing (create error state & open), decompiling Android APKs into readable code, web server backend (you can defeat this to make a fake version of the lock and then the user gives you the credentials), random nonce (guess the next key)
● Usually Bluetooth is on three channels so you need three passive systems
● There is some Python code available
● Find: Tile, trackers, etc. via this hardware
● In the future: two rogue devices between the phone and the lock (because the apps are running all the time and will respond to the rogue devices as if they were approved).
● Code: BlueFinder (determine distance between Bluetooth devices)
● http://www.merculite.net

Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools - Wesley McGrew
● Slides are on the conference disc

Bypassing Captive Portals and Limited Networks - Grant Bugher
● Slides on the conference disc

*Stargate: Pivoting Through VNC To Own Internal Networks - Yonathan Klijnsma & Dan Tentler
● Slides are on the conference disc
● This could be used for information gathering on servers.
● IOT: creating new versions of products now completely connected, insecurely
● VNC servers used by bad guys can be found easily on the Internet (watch them work?)
● VNC is running on public systems, medical systems, and open to exploit
● Stargate proxy issues with getting to localhost via Google search (demo) … also able to turn off the whitelist via URL (some code is on GitHub to try out)
● When you fail to boot the kernel then good things can happen for the exploiter

CANSPY: A Framework for Auditing CAN Devices - Jonathan-Christofer Demay & Arnaud Lebrun
● Slides are on the conference disc

Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5 - Luke Yo
● Slides are on the conference disc

Retweet to win: How 50 lines of Python made me the luckiest guy on Twitter - Hunter Scott
● Slides are on the conference disc

*pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad
● Demo: no JTAG, homemade bootloader
● As the system is booting you can get it to not load the primary and 2nd load area and you can then get to the bootloader (by interrupting FLASH storage with electrical system poking) [aka GLITCHING]
● Inject a fault condition and get to a state that can be exploited
● How to do this: HW storage, you need to monitor the boot process (serial), data sheets from the vendor, inspect failure modes, get the boot timing understood
● You are looking for some place the developer left a way to get back to a default known state for their own troubleshooting
● DEFENSE: reset to a secure state or to a “brick” state, stay out of debug mode when in production, you can also better design the hardware to make poking harder, boot fast (under 1 second)
● http://www.carvesystems.com

Six Degrees of Domain Admin … - Andy Robbins, Rohan Vazarkar, Will Schroeder
● Slides are on conference disc

*MouseJack: Injecting Keystrokes into Wireless Mice - Marc Newlin
● @marcnewlin
● Slides are on the conference disc
● Mouse/key sniffer and injector
● Review of the vulnerabilities: injection, sniffing, forced pairing, macro programming, and DoS (a lot of primary product companies have issues with their products)
● Review of prior research
● The mouse/keyboard radio talks to the USB dongle radio, which translates these to USB keyboard/mouse
● Initial focus on Logitech products. Mouse reports are not encrypted.
● Used SDR for initial research but the speed between mouse and dongle is very fast (too fast for the code)
● Story about Logitech mouse hijacking at last DEF CON
● You can bring up a keyboard on Windows 8.1/10 - and then move the mouse around to type into Windows … not very practical as it takes a lot of time to type a bunch of characters.
● Keyboards are encrypted … but you can look at what is encrypted and match that to what you got on the unencrypted character.
● Then created an SDR decoder and looked at the protocols.
● Basic chip: Nordic nRF24L family (~4 models) with AES crypto
● Logitech: enables fixing bugs in the dongle but not the mouse/keyboard. Also a 2010 dongle will work with a 2015 mouse (and vice versa) / some keys are not encrypted, like music sound up/down; review of the packet format
● Review of several different mice (Logitech, Microsoft, Amazon, Lenovo, etc.)
● Lenovo has a DoS problem that isn’t fixable in current models but future models should be protected
● Also working on remote radio dongle software and hardware (check out CrazyRadio PA)
● MouseJack Android app coming soon

Cunning with CNG: Soliciting Secrets from Schannel - Jake
● Slides are on the conference disc

NG9-1-1: The Next Generation of Emergency Ph0nage - CINCVolFLT & AK3R303
● Slides are on the conference disc

Weaponizing Data Science for Social Engineering: Automated E2E spear phishing on Twitter - Delta Zero & KingPhish3r
● Slides are on the conference disc

Universal Serial aBUSe: Remote physical access attacks - Rogan Dawes & Dominic White
● Slides are on the conference disc

*Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities - Brian Gorenc & Fritz Sands
● Slides are on the conference disc
● The vendors are focused on equipment and not software (US, German, Italian, China)
● There are a lot of vendors and there are mergers/acquisitions, so disclosure is much harder
● Human machine interfaces: situational awareness and control
● These should be isolated, but be aware that an air gap alone is not enough
● Stuxnet > BlackEnergy
● ICS-CERT (review of organization and focus)
● The HMI systems are still very vulnerable and have no secure development life-cycle (poor design, no mitigations, no understanding of the basic OS being their host)
● See slides for a review of documented vulnerabilities and details on each type
● Demos of vulnerabilities are very good

SITCH - Inexpensive, Coordinated GSM Anomaly Detection - ashmastaflash
● Slides are on the conference disc

*Forcing a Targeted LTE Cellphone into Unsafe Network - Haoqi Shan & Wanqiao Zhang
● Slides are on the conference disc
● Review of several research threads for tricking or denial of service to LTE phones
● Review of hardware and software (open source) you can use to set up LTE networks
● Review of some potential countermeasures

Playing Through the Pain? - The Impact of Secrets and Dark Knowledge - Richard Thieme
● No slides

Exploiting and attacking seismological networks.. Remotely - Bertin Bervis Bonilla & James Jara
● Slides are on the conference disc

Phishing without Failure and Frustration - Jay Beale
● Slides are on the conference disc
● Layer 8 = the human
● Good checklist/cookbook on how to run a phishing exercise at your work

"Cyber" Who Done It?! Attribution Analysis Through Arrest History - Jake Kouns
● No slides

*DIY Nukeproofing: a new dig at "data-mining" - 3AlarmLampScooter
● Slides are on the conference disc
● Review of the history of nuclear weapons and powers
● Some policy discussion
● There was an EMP event during Johnston Atoll testing that killed a large number of satellites
● There may be the ability to enrich “atomic material” via lasers
● There are some options for protecting electronics that are not turned on, but running systems are much harder to protect.

I've got 99 Problems, but LittleSnitch ain't one - Patrick Wardle
● Slides are on the conference disc

A Journey Through Exploit Mitigation Techniques in iOS - Max Bazaliy
● Slides are on the conference disc

*All Your Solar Panels are belong to Me - Fred Bret-Mounet
● Slides are on the conference disc
● Review of the Tigo Energy Max. system
● Looked at it via KisMac (connected to my network and nearest open access point)
● Attack surface: open access point, httpd, serial port, DNS, SSH, DHCP, UDP port 5002
● Some attack surfaces examined (physical, website, etc.)
● Database wigle.net (open access points)
● Hydra with the rockyou.txt list is great
● Netcat is actually on the device - easily root and also able to add user accounts
● Device also has OpenVPN and connects to all the other systems from the vendor in another subnet
● The company turned off all his access after he wanted to disclose.
● It turns out he did have a developer build (and so did 1000s of other people)
● Once he got linked to the right person, his research was better received. These IOT devices do a lot of reporting in logs (so be smart - research air gapped)?
● With the OpenVPN situation there are a lot of potential problems that could have been caused.
● These devices could be spying/botnet/anonymizer on your own networks
● These kits are neat: https://store.particle.io/
● Need my own network and an IOT network

Ask the EFF - Panel
● No slides

Esoteric Exfiltration - Willa Cassandra Riggins (abyssknight)
● Slides are on the conference disc

Drunk Hacker History: Hacker Stories Powered by C2H6O for Fun & Profit - Panel
● No slides

*Abusing Bleeding Edge Web Standards for AppSec Glory - Bryant Zadegan & Ryan Lester
● Slides are on the conference disc
● New standards are increasing at a very high rate
● Knowledge of these standards is low
● Development of these new standards is potentially very fragile
● SubResource Integrity (SRI) - zone of trust (code in a CDN) / skipped demo but source code is available
● One of the new rapid key rotation/content pinning standards could allow you (as a bad guy) to take out a website for hours by doing what they call HPKP Suicide
● github.com/cyph/appsec-glory
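The SRI "zone of trust" point above, as an added example (my own code, not from the talk or the appsec-glory repo): the site operator hashes the file it intends to serve from the CDN and publishes that hash in the integrity attribute, and the browser recomputes the hash over whatever bytes the CDN actually returned. The script bodies and the CDN URL are constructed for the demo.

```python
import base64
import hashlib

# Constructed sample "CDN" script bodies for this demo (not real CDN content).
ORIGINAL_SCRIPT = b"window.greet = function () { return 'hello'; };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// modified on the CDN after the hash was published\n"

SRI_ALGORITHMS = {"sha256": 1, "sha384": 2, "sha512": 3}  # value = relative strength


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI integrity value ('<alg>-<base64 digest>') for content.

    This is what the site operator publishes and what the browser recomputes
    over the bytes it really fetched from the CDN.
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag to publish for a CDN-hosted file.

    crossorigin="anonymous" is required: without it a cross-origin script is
    fetched in no-cors mode and the browser cannot perform the integrity check.
    """
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_digest(content)))


def parse_integrity(attr: str):
    """Split a space-separated integrity attribute into (algorithm, base64) pairs.

    Unknown algorithms are skipped (the spec says to ignore them) and any
    '?options' suffix is dropped.
    """
    pairs = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]
        if sep and alg in SRI_ALGORITHMS and b64:
            pairs.append((alg, b64))
    return pairs


def verify_sri(attr: str, fetched: bytes) -> bool:
    """Emulate the browser-side check on a fetched resource.

    Only entries using the strongest listed algorithm are considered, and the
    resource passes if it matches any one of them; listing two hashes of the
    same strength is how a planned rotation of the CDN file is done safely.
    """
    pairs = parse_integrity(attr)
    if not pairs:
        return True  # no usable hash: SRI does not apply and the load proceeds
    strongest = max(SRI_ALGORITHMS[alg] for alg, _ in pairs)
    return any(
        sri_digest(fetched, alg) == alg + "-" + b64
        for alg, b64 in pairs
        if SRI_ALGORITHMS[alg] == strongest
    )


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/lib.js", ORIGINAL_SCRIPT)
    attr = tag.split('integrity="')[1].split('"')[0]
    print(tag)
    print("unmodified file passes:", verify_sri(attr, ORIGINAL_SCRIPT))
    print("modified file passes:  ", verify_sri(attr, TAMPERED_SCRIPT))
```

The tampered copy fails even though it differs by one comment line, which is the whole point: the CDN stays outside the zone of trust.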

Crypto State of the Law - Nate Cardozo
● No slides

Sticky Keys To The Kingdom: Pre-auth RCE Is More Common Than You Think - Linuz & Medic
● Slides are on the conference disc

Propaganda and you (and your devices)... - The Bob Ross Fan Club
● Slides are on the conference disc

Sunday, August 7, 2016

How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire - Stephan Huber & Siegfried Rasthofer
● Slides are on conference disc

*Hacking Hotel Keys and Point of Sale systems - Weston Hecker
● No slides
● Details on the Magspoofer and how that is different from RFID
● Look at Point Of Sale (POS) systems
● Review of how magstripe readers work (EM field 0s and 1s) … magnetic technologies (not RFID)
● Magspoofers run really hot … 100s of cards burned out the reader
● Property Management Software (PMS) - folio records, audits, security mechanisms, folio number, room number, checkout date == on track 3 (credit cards use tracks 1 and 2)
● Floor restrictions are on the card and maid keys can be pulled via the card system (sometimes from your room, the pool, the gym, and elevators)
● Sometimes the name of the person is added to the keys
● Encryption is more like encoding (very system)
● Kiosks in the lobby are a hot target
● Anything with a magreader became a future research system -> transition to POS
● Start with a MagReader ($15) [the SQUARE and other readers are also vulnerable]
● Each POS has an older OS underneath
● In the future, could Player’s Card Reward Points be used / same for something like grocery stores / refunds on to pre-paid cards
● Videos of the demos are on YouTube (https://www.youtube.com/watch?v=BGwy4iXLtow)

Examining the Internet's pollution - Karyn Benson
● Slides are on the conference disc

*How to get good seats in the security theater? Hacking boarding passes for fun & profit - Przemek Jaroszewski
● Slides are on the conference disc
● What is a rogue cell phone tower? (also cell-site simulators or interceptors)
● These can be built from scratch for $1-5K.
● You can get downgraded from LTE to 2G (which makes reading data easier).
● Some Android phones can do this if rooted
● Looking for a $50 device, plus have them network together
● How do you detect? (see slides) // mostly these main fields should not change very frequently.
● Deviation from the norms is one approach (first indications) - have a baseline and then determine if something changes.
● Heat maps (plotting data - signal strength)
● Having multiple detectors will allow for trilateration
● TDOA - Time distance of arrival (GPS works this way - need a very accurate clock)
● Trilateration vs. Triangulation (see slides)
● In the future look at a spinning dome setup for stronger signal detection (beams).
● Used Raspberry Pi 3 / SIM900 GSM module / serial GPS module and software defined radio
● SIM900 gives you the 7 highest-powered towers; it does not sniff traffic
● Also uses the Adafruit Ultimate GPS module
● Uses Raspbian OS / SDR / USB battery pack
● Uses gr-gsm
● Look into sniffing GSM traffic -- see all raw frames
● Put all the data into a SQLite database
● You can make it easy to read - QGIS (IDW, OpenLayers plugin, Python)
● You can get notifications via email, SMS (Twilio), push notifications (PushOver)
● DEF [email protected]
● RagingSecurity.Ninja
● Recommendation: PenTest Fridays for their corporate network
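The "have a baseline and then determine if something changes" detection idea above, as an added example (my own code, not the presenter's): repeated scans from one fixed location are summarised per cell ID, and a fresh scan is checked for cells never seen before, known cells whose LAC or ARFCN changed, and known cells suddenly far stronger than their norm. The scans are constructed in the shape of a SIM900-style neighbour-cell report; the IDs and power levels are made up.

```python
from statistics import mean
from typing import Dict, List, Tuple

# One observation per visible cell: (cell_id, lac, arfcn, rssi_dbm).
# Constructed sample scans; not real towers.
Observation = Tuple[int, int, int, int]

BASELINE_SCANS: List[List[Observation]] = [
    [(1001, 300, 62, -71), (1002, 300, 75, -83), (1003, 300, 88, -90)],
    [(1001, 300, 62, -73), (1002, 300, 75, -81), (1003, 300, 88, -92)],
    [(1001, 300, 62, -70), (1002, 300, 75, -84), (1003, 300, 88, -89)],
]


def build_baseline(scans: List[List[Observation]]) -> Dict[int, dict]:
    """Summarise repeated scans from one fixed location into per-cell norms.

    For each cell ID we keep the LAC and ARFCN it was first seen with and the
    mean RSSI: the fields that "should not change very frequently".
    """
    seen: Dict[int, dict] = {}
    for scan in scans:
        for cell_id, lac, arfcn, rssi in scan:
            entry = seen.setdefault(cell_id, {"lac": lac, "arfcn": arfcn, "rssi": []})
            entry["rssi"].append(rssi)
    return {
        cid: {"lac": e["lac"], "arfcn": e["arfcn"],
              "mean_rssi": mean(e["rssi"]), "samples": len(e["rssi"])}
        for cid, e in seen.items()
    }


def detect_anomalies(baseline: Dict[int, dict], scan: List[Observation],
                     rssi_jump_db: int = 15) -> List[str]:
    """Compare a fresh scan against the baseline and describe each deviation.

    A nearby simulator typically shows up as a cell ID that was never in the
    baseline, or as a "known" identity that is now far stronger than usual
    or has moved to another LAC/ARFCN.
    """
    alerts = []
    for cell_id, lac, arfcn, rssi in scan:
        norm = baseline.get(cell_id)
        if norm is None:
            alerts.append("new cell %d on ARFCN %d (LAC %d, %d dBm)"
                          % (cell_id, arfcn, lac, rssi))
            continue
        if lac != norm["lac"]:
            alerts.append("cell %d changed LAC %d -> %d" % (cell_id, norm["lac"], lac))
        if arfcn != norm["arfcn"]:
            alerts.append("cell %d moved from ARFCN %d to %d"
                          % (cell_id, norm["arfcn"], arfcn))
        jump = rssi - norm["mean_rssi"]
        if jump >= rssi_jump_db:
            alerts.append("cell %d is %.0f dB stronger than usual" % (cell_id, jump))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SCANS)
    # Constructed "suspicious" scan: one unknown cell, one known cell much stronger.
    suspicious = [(1001, 300, 62, -72), (1002, 300, 75, -50), (9999, 300, 62, -45)]
    for line in detect_anomalies(baseline, suspicious):
        print("ALERT:", line)
```

Signal strength alone is noisy (the talk's heat maps exist for that reason), so the RSSI threshold is a first indication to be confirmed by the other fields or by a second detector.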

Hiding Wookiees in HTTP - HTTP smuggling - regilero
● Slides are on the conference disc

Discovering and Triangulating Rogue Cell Towers - JusticeBeaver
● Slides are on the conference disc

Use Their Machines Against Them: Loading Code with a Copier - Mike Rich
● Slides are on the conference disc

Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game - Joshua Drake & Steve Christey Coley
● Slides are on the conference disc

Attacking BaseStations - an Odyssey through a Telco's Network - Hendrik Schmidt & Brian Butterly
● Slides are on the conference disc

*Let's Get Physical: Network Attacks Against Physical Security Systems - Ricky "HeadlessZeke" Lawshae
● Slides are on the conference disc
● Alarms, card readers, logs, surveillance, etc.
● Moving to the network - IOT -
● Access control: locking mechanism, ID, sensors, mgmt software (scheduling, override, etc.)
● ID readers: magstripe, RFID, biometric, pin pad, etc.
● There is also Request to Exit (REX) [motion sensor]
● Door sensor magnet (open/close) + lock/strike (open/close)
● Review of attack vectors (see slides)
● There is a standard coming from the Physical Security Interoperability Alliance (PSIA)
● HID door controllers can be pinged by a UDP probe and then give back data. You can then turn on “Command_Blink_On” (had a vulnerability -- there is a PATCH), but you can also see the doors on the Internet via Shodan.
● Had several videos (not shown) about manipulating video streams from video cameras.

Game over, man! - Reversing Video Games to Create an Unbeatable AI Player - Dan "AltF4" Petro
● No slides

So you think you want to be a penetration tester - Anch
● Slides are on conference disc

Can You Trust Autonomous Vehicles: Contactless Attacks … - Jianhao Liu, Wenyuan Xu, Chen Yan
● Slides are on conference disc

*Drones Hijacking - multi-dimensional attack vectors & countermeasures - Aaron Luo
● No slides
● Member of HITCON / works at Trend Micro
● Worked on “DarkDoor” as a 16-year-old (DKDR.v2.0 - keylogger, file download, screen snapshot capture)
● Review of drone architecture, examine vulnerabilities, demos, prevention solution suggestions; tool is posted to GitHub
● Target: DJI Phantom (drone, flight controller, remote controller, app/SDK)
● 1st hack was focused on app/SDK authentication - checkPermission() [bypass by using the Java Bytecode Editor]
● Demo of bypassing the authentication architecture using the above hack
● Looked at firmware (analysis, BUI file system dump, looked at ssh config key info)
● Looked at radio signal analysis (HackRF One) https://greatscottgadgets.com/hackrf/
● RC to drone uses FHSS and then DSSS from drone to RC

Backdooring the Frontdoor - Jmaxxz
● Slides are on conference disc

Mouse Jiggler Offense and Defense - Dr. Phil
● Slides are on conference disc

Help, I've got ANTs!!! - Tamas Szakaly
● Slides are on conference disc

An introduction to Pinworm: man in the middle for your metadata - bigezy & saci
● Slides are on conference disc

*VLAN hopping, ARP poisoning & MITM Attacks in Virtualized Environments - Ronny Bull, Dr. Jeanna N. Matthews, Ms. Kaitlin A. Trumbull
● No slides
● How safe are virtual machines in a multi-tenant environment (shared hardware, shared network, cloud services)?
● VMs can be exploited just like purely physical devices
● You can also leave the VM and screw up hardware
● Review of consequences (long list)
● Test scenarios + results (reviewed)
● The DEF CON 23 CD has all details about last year’s presentation
● Review of new hardware specs (many hypervisors, virtual machines)
● Test #1: Examination of MAC flooding over a Cisco 2950 (virtual network devices)
● Test #2: VLAN Hopping (there is a demo video on YouTube) [attack uses standard tools in Kali]
● Test #3: Double Tagging (CVE-2005-4440) 802.1Q - good for DoS [video of demo on YouTube]
● Test #4: ARP Poisoning/Cache disrupted
● What can you do?
  ○ Know what your hosting provider is doing on their virtual switches
  ○ Audit workloads
● Look to team with others to build out a center looking at this technology as a whole (test vs. production)
● [email protected], [email protected]
● http://ronnybull.com (slides?)
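For the 802.1Q double-tagging test (#3) above, an added example from the auditing side (my own code, not the presenters'): a parser that walks the VLAN tag stack of a raw Ethernet frame and flags the frames a tenant host should never be emitting on an access port, in particular stacked tags whose outer VID is the native VLAN. The frames and MAC addresses are constructed for the demo; the native VLAN value is an assumed setting.

```python
import struct
from typing import List, Tuple

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ) and the older 0x9100.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Walk the tag stack of a raw Ethernet frame.

    Returns (vlan_ids outer-to-inner, inner EtherType, payload).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC
    vlan_ids: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            return vlan_ids, ethertype, frame[offset:]
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits are the VID (PCP/DEI above)
        offset += 2


def build_frame(vlan_ids: List[int], payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame: dst/src MAC, one 802.1Q tag per VID, then IPv4."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vlan_ids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return frame + struct.pack("!H", 0x0800) + payload


def classify_frame(frame: bytes, native_vlan: int, access_port: bool = True) -> List[str]:
    """Return alert strings for a frame captured from a tenant-facing port.

    A host on an access port has no business sending tagged frames at all.
    Stacked tags whose outer VID equals the trunk's native VLAN are the
    double-tagging pattern: the first switch strips the native tag and forwards
    the frame, still carrying the inner tag, into a VLAN the host is not in.
    """
    vlan_ids, _ethertype, _payload = parse_vlan_tags(frame)
    alerts = []
    if access_port and vlan_ids:
        alerts.append("tagged frame from an access port (VIDs %s)"
                      % "/".join(map(str, vlan_ids)))
    if len(vlan_ids) >= 2:
        alerts.append("stacked 802.1Q tags: %s" % "/".join(map(str, vlan_ids)))
        if vlan_ids[0] == native_vlan:
            alerts.append("outer tag %d is the native VLAN (double-tagging pattern)"
                          % native_vlan)
    return alerts


if __name__ == "__main__":
    NATIVE_VLAN = 1  # assumed trunk setting for the demo
    for label, vids in (("untagged", []), ("single tag", [10]), ("double tag", [1, 20])):
        print(label, "->", classify_frame(build_frame(vids), NATIVE_VLAN) or ["ok"])
```

Run against a mirror of the virtual switch's tenant ports, an "outer tag is the native VLAN" alert is the concrete thing to ask the hosting provider about.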

Toxic Proxies - Bypassing HTTPS & VPNs to pwn your online identity - Alex Chapman & Paul Stone
● Slides are on conference disc

Stumping the Mobile Chipset - Adam Donenfeld
● Slides are on conference disc.

Cyber Grand Shellphish - Shellphish Panel
● No slides

*Platform Agnostic Kernel Fuzzing - James Loureiro & Georgi Geshev
● No slides
● How to do kernel fuzzing and what you can do with Windows
● Kernel exploits enable breaking out of sandboxes
● Research in this area helps operating systems be more secure
● Focus on Windows 7 but also working on Mac OS and Linux
● Recently got 65 crashes in 48 hours of fuzzing
● There is going to be a framework released in the future (written in C)
● Architecture: Fuzzed Values, Framework Core, System Calls Knowledge Base, Object Store, Helps, and OS API Knowledge Base
● Working on how to do hypervisor fuzzing and make sure the fuzzer doesn’t kill itself
● Review of OS-specific tweaks (Windows-specific examples reviewed) - build out their object store, system calls, OS API calls, and helper files/details

Auditing 6LoWPAN Networks using Standard Penetration Testing Tools - Jonathan-Christofer Demay
● Slides are on conference disc.