CodeMash 2014

I'm finally wrapping up CodeMash 2014 and, while it turned out much differently than I expected (I had to leave early on Thursday), I really enjoyed the conference and had a blast presenting and getting to interact with a number of folks.

As discussed, I've included links to the videos and slides below:

Scary and Amazing Security Things

I'm working on getting ready for my precompiler at CodeMash in just a few weeks and I'm incredibly excited. Last year I had a blast presenting along side Bill and talking with many in the developer and security community.

This year, Bill is doing a talk Tuesday afternoon on Applied Application Security that I'm quite excited to attend. You can learn more about the details of his talk here: http://www.sempf.net/post/Applied-Application-Security-at-CodeMash.aspx

I will be giving a talk covering a number of security-related topics on Wednesday morning. I have the following items on my list to discuss:

  • Hiding in Plain Sight
  • Passwords?
  • Software Defined Radio & the Hacker
  • How well do you know your Runtime?
  • Open Discussion – how do *you* guarantee your machine isn’t compromised?

There are no pre-requsites for my talk other than an open and inquisitive mind. We will have a number of demonstrations and will try not to adversely affect anyone else's talk :).

I hope you will consider joining me and participating - I look forward to seeing you there!

 

Offensive Forensics/CSI for the Bad Guy

This talk was interesting as it relates to some of the forensics work I've been doing for my day job, however the premise was that rather than using it (forensics techniques) to uncover illegal activity, it can be used for uncovering material important for pen testing/red teaming. They gave some examples from real-world pen tests that they have worked on where they were bit by having not used these tactics, and some wherein they were benefited by having used them.

 

Making this more interesting, they announced that they were going to be releasing a metasploit module (forensics_scraper) that, once you have a foothold on a machine (i.e. meterpreter shell) could be executed to batch collect/download this forensic data (MFT, reg data, etc.). They are expecting that the module will be released “soon” (probably a few weeks) – status can be followed here: http://www.rhinosecuritylabs.com/blog/

 

The slides for the talk are available at this post: http://www.rhinosecuritylabs.com/defcon-21-offensive-forensics/

All Your RFz Belong To Me

This was one of the best sessions that I attended at DefCon, and was also the longest (double-length). The room was packed, and the aroma “fresh”... however the content made up for all of that.

Essentially, the guy is an RF nerd who, utilizing old-style equipment and now SDR, pokes around with (i.e. listens to) signals in the air and tries to figure out what they are.

 

As an example of what he has been learning, he referred to the ATCBRS and, of particular interest, the ADS-B Mode S signals that are provided by all airplanes. (http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast) He demonstrated an application he has written that will simply listen to the (unencrypted) signals in the air near airplane traffic paths. They include all sorts of information about the plane, including GPS location, status of on-board equipment, etc. It is fascinating that the information is out there, that it is unencrypted, and that, technically, you could transmit the signal yourself (NOTE: this is illegal).

 

If you are thinking through what I just wrote, and saying “no... that can't be true”, I point you to the following: http://maps.spench.net/aviation/ and http://spench.net/drupal/research/mode-s

 

A couple of links/tools of particular interest:

Wireless Penetration Testing 101

I attended this session as my last of the day, and honestly didn't expect much. As some of you know, I have spoken on wireless pen testing a handful of times, have done some training and certification work, and generally feel like I know the basics fairly well.

I was pleasntly surprised to walk out having picked up a number of small, but useful tips/tricks.

  1. http://wigle.net - an interesting site that I may contribute to as a result of my "research" driving
  2. airdrop-ng: a program used for targeted, rule-based deauthentication of users.
  3. Espoused the benefits of a three-card setup for wireless pentesting... I think I'm going to spend some more time discussing this with them.
  4. As they should, they stressed the importance of having clear rules of engagement defined ahead of time, and the use of one card for pure logging/defense of what you did/didn't do.
  5. airgraph-ng: a tool for generating graphs of what you are/are not seeing in the air.
  6. Practice, Practice, Practice! - I like this point as I learned it the hard way... testing RF stuff is challenging, and the tools can be confusing... practice repeatedly, know your gear, know your setup.
  7. Precision - also something I appreciated was their focus on precision... it is easy to spray & pray when it comes to wifi testing, but it is a different thing altogether to very selectively target a network/client set in an RF-heavy environment.


There was also some conversation around studying other RF protocols such as zigbee, bluetooth, amateur radio, etc... hoping to learn more on this topic in Day 1's talk on RF.

Decrypting DEF CON

This talk was given by one of the head guys of the con, specifically the guy responsible for the human badge challenge. He talked a bit about himself, the way he views the world, and gave some hints as to how one might go about solving some of the challenges associated with the badges, the lanyards, the stickers on the floor of the con, etc.

I found it interesting that there are over 40 distinct challenges/puzzles tied up in this year's badges. Further, the number of distinct badges is high... and it will take seeing all of them to solve all of the problems. One of his primary goals in constructing the challenges is to force people together... to work as teams, to get to meet people, etc.

What I appreciated the most about this talk was not the primary topic, but rather the side comments that the speaker made... he spent some time bemoaning the state of "computer science" practiced by many - esp. those who do the forms-over-data type work... he was being reasonable (there is work do be done, etc.) but he is concerned that we are turning out a large cadre of developers who don't really understand the platforms that they are building on - and that fact might have implications far into the future.

For example, to the programmer who claims he knows that computers are made op of 1's and 0's, he suggested that you take a box of switches and "go make Pong".

He also challenged the "hackers" who spend so much time being excited about the vulnerability they discovered... he flips the coin and asks... did you study it to find how to protect against the attack? How should it be secured? Do you really understand what is going on? or were you just lucky to find a particular overflow string?

Oil & Gas Infosec 101

This talk was from a seasoned security professional workign in the Oil & Gas industry (18+ years). It was by no means a terribly dramatic presentation, and the speaker was sort of "finding his way", however I found the talk very educational. He identified a number of ways in which early assumptions were made when the technology landscape was more innocent, and how these assumptions are now the source of significant risks.

To strengthen his point, he highlighted two historical cases wherein O&G folks had been targeted:

  1. Spear Phishing attack on Natural Gas Operators
  2. The Saudi Aramco attack wherein 30,000 computers were compromised (MBRs were wiped)


He showed a number of pictures of different types of gear that would be forward-deployed and the types of communication and technology gear on each. One issue he mentioned was the need for high-security technology in a physically insecure environment. For example, you have a wide-spread physical area such as the following:



Where the oil field spans many square miles and each white dot represents a piece of equipment that has to report data back to centralized collectors.

Many of the talks I've heard recently in this general subject area have been focused on the electric grid, so it was interesting to hear it from the perspective of the O&G guys. Not surprisingly, many of the same issues apply. Comms can be over serial, microwave, licensed/unlicensed radio, 802.1x and is often not encrypted. Much of the gear has default passwords - he even hinted that some of the gear doesn't allow you to change the passwords...

Some of the technology is SCADA, but not all. That which is, is suseptible to the same types of atacks that we have heard about in the SCADA field for other fields. Frankly, the gear that doesn't talk SCADA is suseptible to the same types of attacks, just using different protocols.

Much like the other industries, the O&G field is vulnerable to attacks where "small" attacks can have long-term consequences... a mis-configured (i.e. hacked) pump/valve could cause an explosion... leading to damage of physical life, as well as damage of long-lead-time equipment meaning that the small event (time-wise) could cause an outage/reduction in capabilities lasting months if not longer.

Other systems of interest include the toxic chemicals/public health monitoring tools. Evidently they have systems that monitor the fields for emissions of gasses and chemicals (i.e. sulfide) that could be severely harmful to human life and, if detected/alarmed, begins the process of evacuation of the affected areas. One can imagine how much trouble this could cause if the alerts were falsly triggered.

The speaker did a good job of talking about how one might begin to secure the environments... non-flat networks, broadcast ACLs, etc. He indicated that in one case a piece of equipment failed due to a misconfigured router/switch that was allowing broadcast traffic from the corporate network to spill over onto the control systems network. Incidentally, he hinted that one of the biggest problems is that "we can no longer air-gap the networks" - not for technical reasons, but due to management's requirements that they be able to monitor/control these systems from their mobile devices, or their desk in the office, or whatever. The classic convienience vs. security trade off...

 

Pentesters Toolkit

The second session I attended was called the Pentesters Toolkit and was designed to walk us through the "bag" that a seasoned pentester carries with him on most any job. This was very practical and I enjoyed the session. More interesting to me, was that my normal "kit" includes nearly everything mentioned.

Some of the items mentioned were:

  • Consider using a photography bag... they are nice due to the internal dividers that can be rearranged for your gear. Also have some "quick entry" panels that make it easy to grab the stuff you need in a hurry.
  • carry a second (USB) ethernet adapter
  • network switch
  • WiFi Pineapple
  • multiple WiFi adapters
  • multiple VMs with multiple OSes - don't stick to just one... understand where each shines and use the appropriate one for the given task
  • Favors Nessus over other scanners (Qualys, Nexpose)
  • Favors Pentoo over Kali/Backtrack but really pushed manually installing the tools... you need to know your toolkit and its dependencies... don't just click menus (I strongly agree)


One of the most salient things mentioned, was "know your audience" - which is simple, but extremely important. There are times where you want to convey your hacker cred and are working with the "boots on the ground" - here walking in with your case/laptop covered with stickers, dressing with a colored mohawk might be great. However, there are also times where you might be presenting to the corporate leaders and a suit and a plain/conservative approach is more likely to yield the desired affects.

During the Q&A time at the end, someone asked him how to become a good/proper pentester. I really appreciated his answer: "Learn how to be a great defender." He went on to say that once you learned how to properly defend a network, you would be well trained on how to pick apart a network. He claimed that very few good pentesters go directly into the attack/offensive side (although many bad ones do).

My First DEF CON

This is my first defcon.

I'm going to post a few things here about my experiences, primarily as a means of storing the data for my own purposes later on. Maybe it will be of some use to others.

For those of you who are unfamiliar with defcon (http://defcon.org) it is a hacker conference that occurs in Las Vegas each year. It is not for the faint of heart, nor is it a place suitable for many people other than the target community. It is anonymous (don't use your real name). They take this so seriously, that there is no online registration - no logs, no nametags, no credit cards...  registration fees are paid in cash at the door.

This last part, incidently, makes for a very long line on opening day... I entered the line at 8:08 this morning and exited with my badge at 9:45. Last year they had approximately 13,000 attendees with recent years averaging > 10,000. It should be interesting to see how tight things get tomorrow when the "main" portion of the conference starts.

As it was my first time here, I elected to attend the "Defcon 101" session. While there were some nuggets of value here, I personally found it generally waste of time. Essentially a group of guys on the stage seeing who had the bigger ego and who could swear the most. They certainly have a right to do this, and most of the crowd seemed to be enjoying it - it just seemed over the top for my taste. However, I did appreciate that while they were crude, they stressed the importance of being respectful to other attendees.

The primary take-aways from this session were:

  1. have fun - get involved
  2. even though this is a completely introverted crowd, make yourself talk to the people around you
  3. be nice to people... mean people"stink"
  4. oh... and be smart about what you are doing in the RF spectrum

 Another thing I found interesting was the ban on photography. This doesn't mean it doesn't happen, but you are expected to ask permission prior to taking someone's picture. So much so, that a flash went off during a talk and the speaker stopped, made the guy stand up and proceeded to humiliate him in front of everyone. Given the crowd/purpose/etc, this makes sense... just seemed interesting to me.