Defcon 22


Like last year, the Bored Wookie finds himself on a pilgrimage to Las Vegas to join hackers and security researchers from all over the world. It's a great time to find out what the rest of the world has been up to and to get ideas for new projects for the upcoming year.

It's been a great experience so far, and the electronic badge this year has been pretty interesting (more information on the badge here). The best tip I have is to eat a big breakfast, as you may not be able to eat a well-defined 'lunch' during the event (one of the tracks was WAY too small for the interest generated by the presenters, and I was stuck in one room for 5 hours). See my Defcon Tips from last year for a few other useful thoughts.

It looks like there are at least 14,000 attendees (that's how many badges were made), and I know they ran out of badges this year!

This year I decided to take things a bit slower than I did last year, when I went to every session I could physically attend (and frequently skipped out a bit early to pop in on other rooms to see what was going on there).


Thursday:

The first day of the conference. I got in line a little before 6 am and found that I was even further back than I was the year before, when I got in line at 8 am. Wow, the crowds were incredible! It felt really packed all day, and this was just the first day (most of the action happens Friday through Sunday).


There were only 2 tracks open today: Defcon 101 and 'Track 3'. The talks I was most interested in were in the DC101 room. I foolishly left for some food after sitting through just 2 presentations. When I got back from lunch, the line to get back in was out the door, around 3 corners and across the hall! Needless to say, I wasn't going to make it back in there any time soon!

With the conference room full, I explored the villages and got a better feel for the Hardware Hacking Village, Wifi Village and Packet Hacking Village. I also picked up some swag (the lab coat was calling to me).

I spent a few hours hacking the DefCon 22 badge. The source code that came on the conference disc was informative, but the Spin language is still bugging me a bit. It feels a bit scripty where I'm used to C-derived languages.


The 'best' talk of the day was on 'Practical Foxhunting'. I've had an SDR for a while now and would like to use it for something fun. What could be more fun than probing for RF sources and trying to track them down? Best advice: use a power/time chart over a power/frequency chart, as it saves you from having to remember too much state information. Also, the Pentoo Linux distribution has a lot of radio tooling built in, which is good for SDR work.

Radio hardware of note:

  • HackRF One (general-purpose SDR hacking platform)
  • Alfa radios (wifi specific)
  • TL-WN722N: an SDR with some small degree of utility; lasts for 6 months or so
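The power/time tip above, as an added example that is not from the talk or from this post: a small Python script (standard library only) that turns a constructed IQ capture into the per-window power series a power/time display would plot, and then reduces that series to the warmer/colder verdicts a foxhunter actually acts on. The sample data, window size and decision threshold are assumptions made for illustration, not values from the presentation.

```python
import cmath
import math
import random


def make_walk(amplitudes, window, noise=0.01, seed=1):
    """Constructed IQ capture (not a real recording).

    One carrier whose amplitude changes from window to window, standing in for
    the hunter walking toward or away from the transmitter, plus a little
    Gaussian noise on both I and Q.
    """
    rng = random.Random(seed)
    samples = []
    for a in amplitudes:
        for k in range(window):
            carrier = a * cmath.exp(2j * math.pi * 0.1 * k)  # tone at 0.1 x sample rate
            samples.append(carrier + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return samples


def iq_power_db(samples, window):
    """Mean power per non-overlapping window, in dB relative to full scale (|s| = 1).

    This is the series a power/time display plots: one point per window,
    regardless of where in the spectrum the energy sits, so the hunter only has
    to watch whether the line is rising or falling.
    """
    out = []
    for i in range(0, len(samples) - window + 1, window):
        block = samples[i:i + window]
        p = sum(abs(s) ** 2 for s in block) / window
        out.append(10 * math.log10(p) if p > 0 else float("-inf"))
    return out


def warmer_colder(power_db, threshold_db=1.0):
    """Reduce consecutive readings to 'warmer' / 'colder' / 'steady' verdicts.

    Changes smaller than threshold_db are treated as fading or noise, so a
    single noisy window does not send the hunter off in the wrong direction.
    """
    verdicts = []
    for prev, cur in zip(power_db, power_db[1:]):
        delta = cur - prev
        if delta > threshold_db:
            verdicts.append("warmer")
        elif delta < -threshold_db:
            verdicts.append("colder")
        else:
            verdicts.append("steady")
    return verdicts


def hottest_window(power_db):
    """Index of the strongest window: the point along the walk worth returning to."""
    return max(range(len(power_db)), key=power_db.__getitem__)


if __name__ == "__main__":
    # Constructed walk: approach, peak, overshoot (amplitudes are assumptions).
    amps = [0.1, 0.2, 0.4, 0.4, 0.2]
    series = iq_power_db(make_walk(amps, window=256), 256)
    for i, (p, v) in enumerate(zip(series, ["start"] + warmer_colder(series))):
        print(f"window {i}: {p:6.1f} dB  {v}")
    print("hottest window:", hottest_window(series))
```

Feeding real IQ samples from an SDR into `iq_power_db` instead of `make_walk` gives the same warmer/colder readout; the block size just sets how often the verdict updates.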

Best lame joke of the day: A SQL Statement walks into a bar, goes over to 2 Tables and says, "May I join you?"


Friday:

Knowing the size of the conference rooms helped me better plan my day. I had a big breakfast and settled in for another day of conferencing. Most of the talks I was interested in (or that were work related) were in the DC101 track again, starting at 10am. Knowing the hassle I had in that room the day before, I lined up at 9am for the 10am slot (before the line got TOO long) and was able to stay in the room for 5 hours to catch the 3 talks I wanted (and sit through another couple that padded out the sessions I was interested in). The only bad part was that I missed out on the NSA RetroReflector session, which sounded pretty interesting to me (I'll have to torrent the DC22 archive when it comes out to find out what I missed).

After staying in one room (one chair) for 5 hours, I had to call it quits and go back to the hotel room. I was wiped out.

Looking on the conference disc, I found shattr, which looks like an interesting tool for obfuscating cryptographic keys that could be useful if you have to cross the border with electronic equipment containing sensitive data. I can't find it on Google yet or I'd link it.


The talk today on SHAREENUM was pretty good. It is a tool which lets you enumerate and search for CIFS/SMB shares that are 'out there'. The best part of the session was the refresher on the Windows permission model and how it is constantly evolving. While SMB and permissions may seem 'basic' to many people, I like to get refreshed periodically; it helps me see old topics in a new light, and this talk did just that!

The highlight of the day: the talk on USB Hacking / USB For All. It opened my eyes about the ubiquitous device bus that is found in just about everything these days. It can be easy to forget that USB devices often have microcontrollers that are themselves capable of being exploited.


Saturday:

It turns out that the villages post their schedules to Twitter and to some well-defined locations. I subscribed to their Twitter feeds to get up-to-date information, and I'll keep this in mind for next year, since the paper schedule doesn't necessarily list what all the villages are up to at each hour of the day.

I went to a SkyTalks presentation on SHA-1 backdooring and exploitation. The presentation was by a French speaker who had a thick accent and spoke too fast for me to catch a lot of his words. The presentation was very technical, and it got me thinking about ways of circumventing or limiting the effectiveness of hashes. It also got me thinking about ways to enhance the security of hashing (I may write an article on my thoughts sometime if I get around to some experimenting!).


There was a VERY interesting presentation on using RF to disable GFCI electrical equipment/outlets. The talk was given by a not-so-technical person, but I could tell that they were excited even if some of the deeper details of how an electromechanical system works were beyond them. Apparently a 420 MHz ham-radio 'call' function can cause the solenoid to trigger, which can take out a GFCI (Ground Fault Circuit Interrupter) outlet. This could potentially mean DDoSing something important (like a hospital). Not all GFCIs are impacted, but enough were for us to see some smoke!

There was a talk on medical device security that I appreciated; the presenters were careful to show how they responsibly disclose vulnerabilities and work with manufacturers and law enforcement to effect change. This is important to me because I have seen how ignorant people can be about the topic of medical device security. I was talking to one of my coworkers recently, and he blew up at me for suggesting that medical devices like pacemakers could be pwned, saying that it's 'just ignorant hackers talking, and who are you going to trust'. I'm just glad some group is working on this, as medical devices are 10 years behind when it comes to security. Even SCADA devices are only 5 years behind, so medical devices have a long way to go to catch up! I'll be old someday and may rely on some of this equipment; I want it to be secure.

Now, in the interest of disclosure about my coworker, his mom just got an electronic pacemaker installed with wifi capability, so I'm sure the concept that it might not be 'secure' was unsettling to him. It is interesting to see how people jump to conclusions about 'those people' and don't even try to listen to the arguments. He was condemning research that he simply doesn't understand.

Another highlight of the day: apparently HID iCLASS badge systems are insecure. They all share a common private key, so they can be owned easily. There was a talk last year about RFID badge insecurity by Bishop Fox that focused on older badge systems; this was the first presentation I heard about how insecure the 'new' ones are too. A real eye-opener, and I'm glad I went to this session (Advanced Red Teaming: All Your Badges Are Belong To Us)!

Lastly, the Mana project gave a presentation on improving KARMA attacks against wifi devices. It was comprehensive, and they've released their 'mana' framework to aid in security research. They were nice enough to include a pre-release version of the source code on the conference CD. Nice work, guys!


Sunday:

I was so beat from my previous travels that I only attended NSA Playset: DIY WAGONBED. It was a great presentation, and I'm glad I went! Apparently there's a serial bus called I2C (I-Squared-C) that is found in a number of devices (VGA connections, for example) and can be used as part of a data-exfiltration mechanism when coupled with something like a GSM transmitter. I highly recommend looking up the talk once it's put out on BitTorrent and visiting the GitHub page (https://github.com/nsaplayset/chuckwagon), where they posted some information about their prototype open source I2C exfiltration system.