With just under 25'000 visitors in this year’s edition, it is the largest hacker event in the world: of course, we’re talking of the DefCon. The annual hacker conference in Las Vegas offers an almost unmanageable flood of presentations, workshops, meetings and competitions. In no way could our Principal Cyber Security Consultant Umberto Annino miss such a show, which he attended live on place. In our previous Cyber Security Blog Post he reported on the first two days at the BSides conference. Now you will hear all about the DefCon 2017…
In the following days, my sleep deprivation did anything but compensate: on the contrary, it got worse. The first day at the DefCon saw an early start at 05:45, because no tickets were available in pre-sale. The surprise, or should I say the shock, came as we cast our eyes upon the 700m long queue. My fellow sufferers and myself discovered on Twitter the pictures of the most hardened characters, who had camped right in front of the ticket stalls. We had counted on standing for 2-3 hours, and I had made myself comfortable on the ground, when the queue suddenly lurched ahead. As early as seven o’clock did we receive the much coveted DefCon badge: for once it was not an electronic device, but a reminiscence of the very first conference, made of rubber.
What does a die-hard DefCon attendee expect and should not be missing? Spot on – a t-shirt and baseball cap with the DefCon logo! After the morning hardships, what I needed first was a reasonable breakfast, and most of all sleep. Unfortunately, I missed the first lecture in my daily schedule; luckily my Swiss friends reported it to me in detail, so that my self-irritation almost faded away.
In the afternoon, I was assigned to voluntary work by “The Diana Initiative”, which is a mini-conference on the fostering of diversity, support of women seeking a career in the IT, and work culture change in the IT industry. We all know that the branch is dominated by men, though ladies are in high demand. Even at InfoGuard, they are in a striking minority; however, we are happy to have already some she-specialists on board, and of course we hope to have further in the future. Who knows, it might be soon – we may have something in your line here.
The highlight of the day was the so-called “lock picking”, with which I was already acquainted, though I was so far unable to test it myself. I managed to use the provided tooling to unlock the sample within minutes. The first five-pin locks went easily off; but with the six-pin I had to give up. I asked the experts, who confirmed that such locks are standard in the US. European lock pickers, of which a large community exists, are much more skilled, since Europe has higher standards.
The second day began with THE hype-theme par excellence in the financial technology industry: “Hacking Smart Contracts”. A field day for hackers, of course! The lecturer asked the public if anyone believed that in “such beautiful source codes” there might be errors. A large laughter ran through an audience of several thousands. Next came a quote from Vitalik Buterin, one of the leading minds of Ethereum: “The key component is the idea of a Turing-complete blockchain”. One of the major problems of a smart contract is that once it is in force it cannot be subsequently fixed. It is also imperative to perform a thorough preventive check of the software: this is how the “recursive call” bug in the Ethereum smart contract was analysed. To put it more plainly, it is possible to “empty” the smart contract by multiple repeated operations over a bugged implementation of the re-entry function.
In the afternoon, the programme went on with “Phone system testing and other fun tricks”. The feature started with looking back to year 1996 and the communication channels available at the time, such as ICQ, or the very first iPhone of 2007, then moved on to the current channels such as e.g. iMessage, Facebook Messenger, WhatsApp, Snapchat, Signal, Hangouts etc. Of course, “phone testing” means hacking, which after all is indeed one way of testing. To establish a reference mark for vulnerabilities in telephone systems, the OWASP Top 10 vulnerabilities were adopted; in fact, these vulnerabilities can also be found in telephone systems, not just in Web applications. And yes, there are cross-site scripting vulnerabilities also in telephones, much to everybody’s astonishment.
The following presentation was “The adventures of antivirus and the leaky sandbox”, which demonstrated the possibility of performing data exfiltration through cloud-based antivirus solutions. There are two types of “highly secure enterprises”: those with restricted Internet access at the endpoints, and those with no direct Internet access at the endpoints. Data exfiltration from Internet-connected endpoints has already been widely reported, though fewer such reports involve highly secure enterprises. This presentation showed that the main point of exfiltration consists of cloud-based AV sandboxes, to which endpoint data leaking was combined. Data were loaded in a “rocket”, so to speak, which was at first loaded into the target system by the attacker. The target system contains a “satellite”, which simulates a malware, and thus the transfer of the payload in the AV sandbox in the cloud. The attack in itself was not subtle, since the supposed malicious payload raised an alarm in the antivirus tool. However, in the background the data exfiltration has succeeded, so the false AV alarm does not disturb the attacker.
The last feature I visited on Friday was the “voting machine village”, where one could prove himself as a voting machine cracker. All of the machines could be cracked – some in few seconds, others needed somewhat more. It is remarkable that none of the hackers who took part to the experiment had any previous specific experience. One of the participants indeed succeeded in uploading a video by Rick Astley, one of the top icons of the 1980s, into one of the voting machines. The show made for major headlines in the news, and was broadcast by major media outlets, including the BBC. Forbes reported the story; you can find it here.
"MS just gave the blue team tactical nukes (and how the red teams need to adapt)" was the title of the first lecture I attended on Saturday. This is how the leader of the Red Team at IBM Security referred to Microsoft Windows Defender ATP (advanced threat prevention), which made the Red Team’s life much more difficult. The presentation introduced some of the new functions, including Microsoft’s ATA (advanced threat analytics), and commented in detail on the Red and Blue Teams, in particular on their advantages and disadvantages. At InfoGuard we embraced this tactic with enthusiasm, running the two concurrent teams, which is why I was particularly interested in this presentation. You can learn more about our Red and Blue Teams in this blog post.
In the afternoon, I attended yet another presentation, in which we learned how to open a physical seal without destroying it, for instance to circumvent product guarantee terms and conditions. Then came one of the highlights of the whole event: defusing a bomb – of course not a real one. One after the other, teams of two persons set themselves to the task; when I entered the session, none of the previous 41 teams had succeeded. I proceeded then to a short visit to the “car hacking village”, in which I was somewhat interested, since our own pentesting team had demonstrated a car hack, at this year’s Security Lounge.
“The call is coming from inside the house! Are you ready for the next evolution of DDoS attacks?”, was the title of the first presentation on day four. Last February saw the appearance of MIRAI, a tool to help building bot-nets: a horror scenario. The lecturer referred in detail about DDoS on IoT, and what it can mean for the future: especially in view of the fact that the last two years saw the biggest DDoS attacks in the world. For example, the infection of a network could begin by infecting the computer of one of DefCon’s attendees. As soon as he is back in his office, he would reconnect his notebook to the company net, infecting other devices in the company. A well-conducted attack at 330 pps against a network device can bring it to its knees, by forcing it to process non-standard packets. The only practicable defence is once more a multi-layered architecture and the adoption of best common practices.
The conference was coming to its end. My last visit was to “Weaponizing machine learning: humanity was overrated anyway”, in which “DeepHack” was introduced. This is an attack tool which uses learning algorithms to break into a Web application, or to perform a penetration test in full autonomy and with no previous information. The fascinating notion was that DeepHack had not been programmed; rather it learned these skills by itself!
Another interesting presentation was “Bypassing Android Password Manager Apps without Root”, in which a group of researchers of the Fraunhofer Institut had fun with using premium features for free. One cannot hear of hard-coded AES keys, or of an obfuscator with a randomising function, without some concern. The latter generates a “casual” 9-digit value in a domain of all of 55 values: of course there cannot be any question of randomisation here! Once again it was proved that fundamental security issues are often completely forgotten in implementations.
The official conclusion of DefCon 2017 consisted of a panel discussion on how politics deal with cyber security themes, and how to promote the increase of theme culture in the political environment and communication with hacking experts. A successful closing of four great days!
In retrospect, both the BSides and the DefCon were exciting; in terms of content, it was the DefCon that was more useful to me. I especially enjoyed the workshops, such as the lock picking or the bomb defusing: neither experience shall I forget soon! I look forward to next year, and I suggest that everyone interested in cyber security should take part to these events – especially the least experienced.
Do you want to be kept abreast of my future experiences at hacking events? Keep up with current themes in cyber security and cyber defence in the weekly posts of InfoGuard’s Cyber Security Blog – the best idea is that you subscribe to our blog update, and never miss one more post!