20,000 security enthusiasts and I just returned from Caesar’s Palace, which for the first time (?) hosted the world’s oldest, and some say best, hacker conference, DEF CON. This year, like every year, attendees said the same thing: “OMG, there’s too many people here!” They were saying that even at DEF CON 7 (my first), which had maybe 1,000 attendees crammed into tents on the lawn of the old Alexis Park hotel.
DEF CON turned 25 this year and for the first time, I wondered to myself if this was going to be my last. I’ve missed most of my child’s birthdays due to the consistent timing of the conference. Poor guy is pretty understanding about it though, especially since I took him to DC22.
And even though this year featured some pretty cool talks, I had a sense that I’ve seen this before. Because how many hacker talks can you attend over two decades before you start to lose your child-like sense of wonder? So I’m actively considering leaving DC26 to the younger people.
While I ponder my options for DC26, let’s recap some of the more interesting talks, events, and sub-communities from DC25. You are also highly encouraged to listen to these talks if they become available on the DEF CON media server (or YouTube, whichever comes first).
Given all the news around election meddling over the last six months, DC organizers were smart to include a new Voting Village where enthusiasts could pen-test the various voting machines used around the United States. The buzz on the first day was that most of the machines had fallen to hacks within 90 minutes of the opening. By the end of the conference, every single voting machine had surrendered to the hackers. No one should really be surprised by that; having physical access to a device almost guarantees a break given enough time and talent, and there was plenty of both at DC25.
The call to action post-Voting Village was generally that we, as a nation, should fall back to paper ballots. But reasonable, knowledgeable experts suggest a combination of electronic and paper ballots for the best security, as evidenced by this excellent NPR Science Friday discussion.
Theme: Many of the speakers rely on public data sources (such as the Certificate Transparency project) and Project Sonar as the foundation for their research.
► Abusing Certificate Transparency Logs - Hanno Böck (@hanno)
I wrote about the very cool Certificate Transparency (CT) project nearly three years ago for SecurityWeek.com. Since then, the CT project has been gathering logs from the certificate authorities. In theory, the browsers are comparing certificates in the wild against the logs in order to spot mis-issued certificates. In fact, according to the speaker Hanno Böck, Symantec is finally participating in the CT project after being threatened by Google. Note: Symantec just ragequit the whole business and is selling their certificate authority to DigiCert.
The community certificate garden, Let’s Encrypt, has been participating in the CT project, and now Cloudflare is, too.
Another note: The CT project has a great little portal at crt.sh where researchers can look at the whole set of logs via a web interface (or even Postgres, my fave).
Anyway! Researcher Hanno Böck formulated an interesting attack idea: Monitor the CT project logs for new domain names. As new names are found, check the sites to see if someone is setting up a WordPress or Joomla website. There’s a small window of time where someone starts an installation but doesn’t finish it, where a clever attacker could insert a malicious plug-in to get a back door to the site.
The site operator would have no idea that you did this. Böck showed a demo of how this would work, and then tried to figure out if someone was already doing it (no sign of that yet). He practiced responsible disclosure and alerted WordPress and Joomla about it, and even offered some mitigations. One of the frameworks implemented his suggestion, but later they both realized it was an imperfect fix, and that the attack will likely still work.
Takeaway: If you are registering a new domain, and getting a certificate for it, be sure that you complete your WordPress install as quickly as possible. If you let the installer just sit there, you might find yourself hosting something you didn’t mean to.
► The Adventures of AV and the Leaky Sandbox - Itzik Kotler (@itzikkotler) and Amit Klein
Imagine you’re an espionage agent in a highly secure environment; think military, a secret technology contractor, or the like. Now imagine you need to exfiltrate some data, but you can’t use the normal channels (Google Drive, USB stick, etc.). Everything is monitored, except the network uses one of the many anti-virus solutions that has a cloud detonator.
Researchers Itzik Kotler and Amit Klein demonstrated a novel technique for exfiltrating data in cloud-AV environments. They created two binaries: an outer one (the rocket) and an inner one (the satellite). They encoded their data inside the satellite binary, and then encoded that binary inside the rocket binary. They then introduced the rocket binary to the network.
The rocket writes the satellite binary to disk where the AV can see it. The AV, suspicious of the satellite binary, sends it outside the network to their cloud detonator, where it is executed. The satellite then communicates the data from the cloud detonator to a drop zone.
So cute! Of the 10 cloud AV scanners that Kotler and Klein tested, four allowed the satellite to communicate out to the drop zone.
► DNS - Devious Name Services: Destroying Privacy & Anonymity Without Your Consent - Jim Nitterauer (@jnitterauer)
Jim Nitterauer spoke for the first time at DEF CON. As per the tradition, he took a shot (whiskey?) at the start of his talk. Since there were so many new speakers this year, the DEF CON guys must have been buying Wild Turkey in bulk.
According to Nitterauer, DNS requests have a new “client subnet” field (see RFC 7871). Clients are supposed to put their actual LAN address in there. DNS resolvers along the way can use that address to decide how to cache the response. Seems pretty logical, right?
But Nitterauer is concerned “the watchers” are using the client subnet information to track people, for mass surveillance or other nefarious purposes.
There’s little evidence that the client subnet field is actually being used for broad-spectrum mass surveillance. If anything, it will be used for ad tracking (the authors of the RFC include Google and Akamai), but props to Nitterauer for raising the privacy flag over this possible privacy nightmare. On the other hand, all of DNS is a privacy nightmare and it’s likely to stay that way for a long time.
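As an added illustration (not from the talk or from this post), here is how the RFC 7871 client subnet option is laid out on the wire, plus the two privacy controls the RFC itself offers: a resolver capping how much of the client prefix it forwards upstream (the RFC recommends at most /24 for IPv4 and /56 for IPv6), and a client opting out by sending SOURCE PREFIX-LENGTH 0. Standard-library Python only; the sample addresses are constructed.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8                 # EDNS0 option code assigned by RFC 7871
FAMILY_BITS = {1: 32, 2: 128}       # FAMILY 1 = IPv4, 2 = IPv6
FAMILY_OF = {4: 1, 6: 2}

def encode_ecs(address, source_prefix_len, scope_prefix_len=0):
    """Build a complete EDNS0 option (code, length, data); ADDRESS is truncated to SOURCE PREFIX-LENGTH bits."""
    ip = ipaddress.ip_address(address)
    family = FAMILY_OF[ip.version]
    if not 0 <= source_prefix_len <= FAMILY_BITS[family]:
        raise ValueError("prefix length out of range for family")
    # strict=False zeroes the host bits; keep only the bytes covering the prefix
    net = ipaddress.ip_network((ip, source_prefix_len), strict=False)
    addr = net.network_address.packed[:(source_prefix_len + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def decode_ecs(option):
    """Parse an ECS option into (family, source_len, scope_len, network); malformed input raises ValueError (FORMERR)."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != ECS_OPTION_CODE or len(data) != length or length < 4:
        raise ValueError("not a well-formed ECS option")
    family, source_len, scope_len = struct.unpack("!HBB", data[:4])
    if family not in FAMILY_BITS or source_len > FAMILY_BITS[family]:
        raise ValueError("bad FAMILY or SOURCE PREFIX-LENGTH")
    addr = data[4:]
    if len(addr) != (source_len + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    full = addr.ljust(FAMILY_BITS[family] // 8, b"\x00")
    net_cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    # strict=True rejects an ADDRESS with non-zero bits past the prefix
    return family, source_len, scope_len, net_cls((full, source_len), strict=True)

def cap_for_forwarding(option, max_v4=24, max_v6=56):
    """Resolver-side privacy control: re-encode so at most max_v4 / max_v6 bits of the client address go upstream."""
    family, source_len, scope_len, net = decode_ecs(option)
    cap = max_v4 if family == 1 else max_v6
    return encode_ecs(net.network_address, min(source_len, cap), scope_len)

def opt_out_option(family=1):
    """Client-side privacy control: SOURCE PREFIX-LENGTH 0 and no ADDRESS bytes asks the resolver to forward nothing."""
    return struct.pack("!HHHBB", ECS_OPTION_CODE, 4, family, 0, 0)
```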
We’d like to thank the Mirai botnet for bringing IoT security to the forefront of people’s minds!
► Trojan-tolerant Hardware & Supply Chain Security in Practice - Vasilios Mavroudis and Dan Cvrcek (@dancvrcek)
Problem: what if your FIPS 140 hardware security module (HSM) was malicious? As in, it contained malicious chips that were compromising your sacred RSA keys. Would you even know? And how?
That’s the premise of an interesting talk by two London-based researchers, Mavroudis and Cvrcek. The premise might seem far-fetched, but there are orgs that have to threat model tech-spy movie plots like this one. For example, imagine the NSA or the US Secret Service suspiciously eyeing integrated circuits manufactured in China for their computers.
Mavroudis and Cvrcek suggest a solution taken from aircraft avionics: supply chain redundancy. The Boeing 777 aircraft, for example, uses triply-redundant controllers from 3 different supply chains on a single board. For avionics the concern is reliability, but Mavroudis and Cvrcek apply that redundancy for security instead.
They built some home-made HSMs (so cool!) and distributed them across the Internet. Each HSM participates in a set of distributed encryption protocols where it has only partial access to the secret data. The HSM network can detect if one of its members goes down, or tries to corrupt the cryptography. I suspect there’s some complicated math involved here that they didn’t show their work for, but that’s okay, we can wait for the white paper.
They also included instructions and pictures on how to build your own home-made HSM out of an old USB hub, some integrated circuits, their applet and some bubble gum. Nifty!
► CableTap: Wirelessly Tapping Your Home Network
The coolest talk at DEF CON 25 that no one is writing about was “CableTap: Wirelessly Tapping Your Home Network.”
Two researchers from Bastille Networks started poking around the Comcast and Time Warner consumer network deployments. One of the researchers barely knew Linux or networking when he started in January, but by March had figured out how to get remote access to millions of home routers and set-top boxes. Their attack chain was awesome, and their presentation was funny and inspiring.
Read more about it in my SecurityWeek.com article: The Coolest Talk at Defcon 25 That No One is Writing About
Okay, after writing all of that, I’ve decided that YES, I will likely be at DC26. There’s just too much cool stuff happening at DEF CON; six days in Vegas (because Blackhat, too) just left me worn out, but that’s not DEF CON’s fault, is it?
Here’s my plan for next year.
Well, cheers to that, and I’ll see you at DC26.