DEFCON 21 - Day 2


My notes from DEF CON, Day 2. Fewer lines, more people and more stuff going on in general.

As it was pretty hard to attend every session, I just attended the ones I found interesting. And bought some cool DEF CON Swag. :)

Summary of my second day at DEF CON 21:

  • 10:00am - All Your RFz Are Belong to Me - Hacking the Wireless World with SDR
    • Coming into the presentation I had a general idea of the problem that Software Defined Radio solves. I was looking forward to hearing more about the specific scenarios where SDR could be applied and maybe see a practical demonstration of the software.
    • The presenter spoke very quickly and iterated over slides too quickly for me to really understand what was displayed. While he was a VERY personable and likable person, he spent most of his time talking about airplanes and showing his programs that he had made to track airplanes and show where they are at any given time.
      While some mention was made of analyzing signals using software like GNU Radio, it was interspersed in between long segments of airplane info (nothing wrong with that, it's just not what I was expecting).
    • I learned a few interesting things:
      • You can track weather satellites with high-gain antennas and read weather satellite images that are beamed down to earth (cool!)
      • ACARS is like Text Messaging for Airplanes (Unencrypted)
      • Planes and many satellites use unencrypted communication standards, which means that someone malicious could upload malicious commands (if they knew what they were doing)
    • A few key words, terms and software came up which could be interesting to look up in more detail:
      • Direction Finding - Precursor to Radar
      • STANAG 4285 - Military protocol you could hear 'out there'
      • POCSAG - Protocol used to transfer data to Pagers (Unencrypted)
      • OpenBTS - SDR based GSM Access point for Mobile Phones
      • GNURadio - Open Source SDR application
      • Baudline - "time-frequency browser designed for ... visualization of the spectral domain"
      • GNU Radio Companion (GRC) - Visual Programming language for GNU Radio
      • Tetra - SDR application for TETRA Air interface sniffers

    • Tips for handling Police:
      • Hide any police radio equipment you might have (like some Motorola stuff)
      • Have your Ham radio license
      • Dress like you're not 'up to something'

  • 12:00pm - The Dirty South – Getting Justified with Technology
    • One of the Presenters is a maintainer of the Social Engineering Toolkit (SET)
    • I really enjoyed how they had a person in a chicken suit run around the stage with a 'Pop a box' sign. Appropriately timed humour at its best at DEFCON!
    • They briefly covered the evolution of Security
      • Nevil Maskelyne (one-upped Marconi and his 'secure' wireless telegraph)
      • Z30G Programmable computer, how do you secure it? Lock it up? What else?
      • *fast forward* Internet comes along, Antivirus, Firewalls, IDS systems
      • In the 2000's, 1.1 BILLION records were compromised even with some security
      • Social Engineering is a challenge

    • Next they talked about 'NextGen' firewalls/security equipment and tried to debunk a few claims:
      • Claim: NextGen security equipment moves security to the perimeter
        Counter claim: With cloud and mobile devices, where is your 'perimeter'? It's a different world
        Demo/Crack: Use whitelisted websites as attack vectors (like Facebook). Route traffic through it (They showed the SET setup to do this)

      • Claim: NextGen Behaviour analysis detects suspicious activity and lets you know
        Counter claim: People and attacks constantly change. Barking up the wrong tree here.
      • Claim: NextGen Application White Listing reduces attack surface and makes you safer
        Counter claim: anything that is whitelisted is an attack vector and can be used to bootstrap an attack (especially user generated content type sites and applications)
      • Claim: Content Filtering prevents leaks
        Counter claim: As an exfiltrator of information you can change the content format which makes this extremely difficult
        Demo (All 3 claims): Use social engineering to get an employee on the inside to visit a malicious website and get an attack vector. Using the SET (and with permission of manager at a business) they dialed someone up and social engineered them into clicking a link and going to a malicious website which bypassed all three protections. boom.

    • They mentioned something interesting: Apparently you can use PowerShell to execute Shell code since PowerShell is a 'white-listed' app. This attack is included in the SET.

    • Hacking is more of a People Problem, not a tech problem. 'Defense in Depth' doesn't work if it muddies your focus or causes you to spend spend spend

    • Here is the 12-step program that could help with this:
      • Get your hands dirty - Figure out your core business, understand what it is that you defend. Get to know the people involved in this.
      • Go back to the 90's - Implement segmenting, ACLs, Segregate groups (like finance, development, others), reduce permissions, etc... Get back to security networking basics that were all discovered years ago.
      • Education and Awareness - Convey that 'Security' is here to help. Be a help rather than a hindrance to those that you support.
      • Make security your Friend - Not a 'big brother' or an inhibitor
      • Don't buy new crap for a year - use the tech you already have. Stop muddying your focus on new stuff when tried and true security techniques are really what you need
      • Focus on Basics - Strip complexity from your network. If you can't understand it, why implement it? Strive for an understandable network.
      • Penetration Testing - Find the weak points in your network before a problem happens.
      • Take a week off - Think about things while not caught up in the daily grind
      • Read the book 'Rework' by 37Signals - I guess it's good (?)
      • Remove Complexity - Another repetition of this idea in the list
      • Do it, Don't just talk about it - No need for excessive meetings. Just go out and implement the solutions you need.
      • Rinse and Repeat - Can't do this just once, it's a process.
  • 13:00 - Offensive Forensics: CSI for the Bad Guy
    • Goal is to apply forensics in new and unconventional ways
    • Traditional forensics:
      • Recovery and investigation of data found on digital devices
      • Solving a crime is the goal (Criminal, corporate, whatever)
      • There are many traditional tools to help out with this.
    • Offensive Forensics:
      • use forensics techniques for offensive / active purposes
      • A point that was made: A Penetration test has a timeframe. Have to speed things up sometimes!
      • The objective is to gain access to additional sensitive data (whether explicitly granted or implicitly accessible)
    • What are some things you can do or gather when applying 'active' forensics:
      • Clipboard data
      • Command line history (doskey /history)
      • Private Browsing data (It is in RAM)
      • Encryption keys
      • IE inprivate browsing writes files to disk during session. whoops! :/
      • Firefox sqlite DBs
      • Browser history
      • Prefetch files (what apps has the user been running lately?)
      • Recently opened files (hmm... what has been accessed?)
      • Backups and volume shadow copy service
      • crash dumps (typically just kernel dump data)
      • Calendar, address book and print spools

    • It can be time consuming and tedious to look over all this data. The presenter has a script called forensic_scraper for the metasploit framework. It will be available here eventually: http://rhinosecurity.com/blog
  • 14:00 - Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
    • For more information on this presentation, visit the presenter's blog at jwsecure.com. (Timedkey.exe tool, whitepapers and other stuff)
    • The NSA thinks that Mobile and Cloud are inevitable and will eventually be included in their infrastructure. They are working on ways of getting this to work SECURELY. But what about us? That is where Dan's talk comes in.

    • Phones are the biggest target right now:
      • Rootkits are generally harder on phones
      • Malicious apps are way easier to write (99-cent app is security reviewed? yeah right!)
      • Phones are easy to steal

    • The talk proceeded quickly and had some jargon and complicated graphs that I would need to examine in detail to really 'get'. Here is what I understand from his presentation:

      The TPM (Trusted Platform Module) could be used to enforce encryption keys that are valid for only a short time. The TPM Module could also have secure timing built in to improve reliability of PKI / Certificate infrastructure.

      To really make this work you need to know that the TPM Module and adjacent components / firmware are in a good state of 'health'. To know if a TPM or system is 'healthy' it requires 'measured boot' (term used in presentation) along with some middleware (called Remote Attestation Services in the presentation). This system would use diagnostic data about the hashes of software, TPM Secure logging and other things to 'halt' the system if things are compromised.

      In this system you would rely on the manufacturer toolchain (and root key protection). Something else he mentions is that you should consider who is trying to compromise your systems: if they have the resources to get around the built-in TPM security protections, the system may not work for you.

    • Final note: this would only work with TPM v2.0 and later. Right now with most TPM in new systems at v1.2, you can't really do much with it. The presenter hopes this changes with time.
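
To make the measured-boot and attestation idea above concrete, here is an added Python sketch (not the presenter's tool or code): the device hashes each boot component into a PCR-style register and keeps an event log, the attestation service replays the log against the quoted register value and compares each measurement with a golden hash, and a data key is released only to a healthy device, with a short expiry so a stale attestation is not trusted forever. The component images, golden hashes and the 300-second TTL are constructed sample values.

```python
import hashlib
import os

# Constructed sample boot chain: (component, image bytes the firmware "loaded").
GOOD_CHAIN = [
    ("firmware", b"firmware v1 (constructed)"),
    ("bootloader", b"bootloader v1 (constructed)"),
    ("kernel", b"kernel v1 (constructed)"),
]
# Golden values the attestation service expects (hashes of known-good software).
GOLDEN = {name: hashlib.sha256(img).hexdigest() for name, img in GOOD_CHAIN}
INITIAL_PCR = b"\x00" * 32

def extend_pcr(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR = H(PCR || digest). Ordered and one-way, so a
    component cannot be 'un-measured' after it has run."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(chain):
    """Device side: hash each component before it runs, extend the register,
    and keep an event log. The final PCR stands in for the TPM quote."""
    pcr, log = INITIAL_PCR, []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        pcr = extend_pcr(pcr, digest)
    return pcr, log

def attest(quoted_pcr, log, golden=GOLDEN):
    """Verifier side: replay the log against the quote (log integrity), then
    compare each measurement with the golden hash. Returns (healthy, reason)."""
    pcr = INITIAL_PCR
    for _, digest_hex in log:
        pcr = extend_pcr(pcr, bytes.fromhex(digest_hex))
    if pcr != quoted_pcr:
        return False, "event log does not match quoted PCR"
    for name, digest_hex in log:
        if golden.get(name) != digest_hex:
            return False, f"unexpected measurement for {name}"
    return True, "healthy"

def release_key(quoted_pcr, log, now, ttl_seconds=300):
    """Release a short-lived data key only to a healthy device; the expiry is
    what forces a fresh attestation instead of trusting a stale one."""
    healthy, reason = attest(quoted_pcr, log)
    if not healthy:
        return None, reason
    return os.urandom(32), now + ttl_seconds
```
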
  • 15:00 - How to use CSP to Stop XSS
    • Content Security Policy (CSP) can be used to help secure your site and perform some site audits
    • Basically, it lets you get warnings or stop loading inline JavaScript, javascript eval statements (and maybe CSS??)
        • The recommendation is to move inline JS out into separate files
        • Require.JS can be helpful for now while we wait for CSP 1.1

    • You can setup a 'report' header to have the client browser send back CSP violation information to you.
      • This seemed pretty novel to me. I wasn't aware of CSP before today and the idea of a browser reporting metadata about the end-user's page experience seems intriguing.
        ... But can you trust the client browsers?? (my question)
    • There are unsafe-* directives you can use if you want to bypass CSP protections in certain areas of your site or web application

    • The presenter developed CSPTools to help you develop & test your CSP rules. It looks like it is hard to do otherwise:
      • Proxy - intercepts and includes a CSP report-only header
      • Browser - Selenium powered browser to test portions of your site
      • Parser - creates a CSP policy based on the proxy traffic that comes in
        (He didn't have time for 'real' demos of the tools. I'd recommend checking them out in person if you want to know what they do to any meaningfully significant degree. :) )

        Tools link: kennysan.github.com/CSPTools
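
As an added example (not from the talk and not part of CSPTools), here is a small Python sketch of the pieces described above: parsing a policy string, checking whether it still permits inline scripts or eval, staging it as a report-only header, and triaging a violation report on the server side, where the report is client-supplied and so has to be treated as untrusted input. The two policies, the /csp-report path and the sample report are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed policies: a permissive starting point, and a tightened one for sites that moved scripts into separate files.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
STRICT_POLICY = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                 "report-uri /csp-report")

# Constructed violation report, shaped like what a browser POSTs to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {"document-uri": "https://example.test/checkout",
    "violated-directive": "script-src 'self'", "blocked-uri": "inline"}}).encode()

def parse_csp(policy: str) -> dict:
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def script_sources(policy: dict) -> list:
    # script-src falls back to default-src when it is not set explicitly.
    return policy.get("script-src", policy.get("default-src", []))

def allows_inline_script(policy: dict) -> bool:
    return "'unsafe-inline'" in script_sources(policy)

def allows_eval(policy: dict) -> bool:
    return "'unsafe-eval'" in script_sources(policy)

def report_only_headers(policy: str) -> dict:
    """Stage a policy first: violations are reported to report-uri, not enforced."""
    return {"Content-Security-Policy-Report-Only": policy}

def accept_violation_report(body: bytes, our_host: str):
    """Server-side triage of a report. It is client-supplied, so treat it as untrusted:
    validate the shape and drop reports that are not about a page on our own host."""
    try:
        report = json.loads(body)["csp-report"]
        doc = urlsplit(report["document-uri"])
        directive = report["violated-directive"].split()[0]
        blocked = report.get("blocked-uri", "")
    except (ValueError, KeyError, TypeError, AttributeError, IndexError):
        return None
    if doc.hostname != our_host:
        return None
    return {"directive": directive, "blocked": blocked, "page": doc.path}
```
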
  • 16:00 - The Government and UFOs: A Historical Analysis
    • A VERY strong and eloquent presenter!
    • "How crazy can you be before people don't hire you anymore?" An important question, as people's beliefs and the actions they take to uphold their morals can get in the way of 'employability'.
    • The book that this presentation covers is well respected, well cited and sourced and is recommended for inclusion in university libraries.
    • The National Security state started post WWII
    • The book covers the government's response to the UFO question. He draws a comparison between then and today's NSA hearings about the surveillance techniques used on Americans. The same 'lies' and misdirection were used.
    • See the movie 'Chinatown' if you haven't. Things aren't as they appear.
    • A particularly moving idea: As I wander into the shadows of a belief you've grown up your whole life with, it can strain reputation and credibility. The further away from the deed, the less people care, so when the truth comes out later very little gets done to change anything.
    • Feynman said that both Fact and anomaly are required for a paradigm to shift. So why hasn't anything shifted in regards to the way we view UFOs?
    • CIA (or was it NSA?) considers US Citizens to be the 'enemy' when it comes to misinformation campaigns about UFOs

    • Other things to check that could be interesting (recommended by the presenter):
      • Buying the book 'The Government and UFOs: A Historical Analysis'
      • Something called the 'Alaska airship'
      • CIA ministry of culture

Remarks:

Overall I had a GREAT time today; things have picked up in terms of the presentations and I got a lot out of the sessions I attended. I have more things to research & look up (like Ubertooth, I missed that presentation). Tomorrow should be even better!