CCC and DefCon Videos – Part 1

Recently, @rygorous tweeted a link to a video called Writing a Thumbdrive from Scratch presented at 29c3. YouTube’s recommended other videos list led me through some other C3 talks and then on to Defcon videos. Defcon is described as “the world’s longest running and largest underground hacking conference.” C3 in this case is the Chaos Communication Congress, and the about page says that the events blog is maintained by members of the Chaos Computer Club.

For me, a lot of the enjoyment of watching these videos comes from learning something from an area completely outside of my comfort zone. I’ve only been to Games and Graphics conferences and even at those, it’s always the talks about subjects wildly different to what I know well that I learn the most from. Hacking and security topics are something I find interesting despite a lack of exposure to that kind of content. There’s also the fact that some of the presenters are entertaining and the material can be quite funny.

The Videos

Writing a Thumbdrive from Scratch – Travis Goodspeed (29c3)

This talk was about the possibility of designing your own USB drive from scratch. Using something like a Facedancer (prototyped by the presenter) you can prototype your own USB mass storage device. However, since you’re able to program the behaviour of the device, beyond handling standard storage requests you can also add your own behaviour based on how the device is used. For example, based on the different ways in which operating systems access the drive, you can decide whether to allow access to the drive, expose different data or just not work at all. Similarly, by detecting block copy operations, you can tell when the drive is being copied, possibly for later forensic examination, and this means you could respond by returning something else or just destroying the drive.

There’s more information about Travis’s work on his blog.

Trolling reverse engineers with math – frank^2 (DefCon 18)

Initially the title confused me but the underlying principle is about thinking of a different way to obfuscate your code to obstruct any reverse engineering efforts. This is based on remapping the code into memory based on a lookup function. The example uses a sine wave to distribute chunks of code so that you have multiple ops or basic blocks evenly distributed over memory and someone using a disassembler (or if they’re unlucky, a debugger) will have to track all of the jumping back and forth. Further obfuscation involved adding prologues and epilogues to each op or basic block with extra branches not taken and setting states to be picked up after the jump.

Looking from the obfuscator’s point of view at complicating the lives of those disassembling their work makes this quite a funny presentation.

And that’s how I lost my eye: Exploring Emergency Data Destruction – Shane Lawson, Senior Security Engineer (DefCon 19)

A simple premise: how do you destroy a hard disk in 60 seconds? There are a couple of gotchas like limited physical space, not setting off alarms (smoke, seismic etc.) and not killing any sysadmins or other humans nearby. The range of explored options is entertaining and the final solution is surprising. Any discussion of the talk will give away some of the highlights, so just go watch it instead.

My life as a spyware developer – Garry Pejski (Defcon 18)

The story of a guy who picked up a shady job from Craigslist and ended up writing spyware. Since this happened several years ago, the application was designed to work as an IE plugin and was delivered by a custom installer that used an exploit. The installer meant that there was an element of legitimacy since the user was partially involved with the install, despite it being almost impossible to exit – there was even a set of terms and conditions! The application itself performed affiliate link redirection (changing affiliate IDs to its own) and displayed popups based on intercepted searches. However, it sounds like the affiliate/popup monetization strategy didn’t make as much as using the application for installing other people’s spyware, leading to more hilarious stories.

At the time, state-of-the-art malware removal was quite basic and sounds easy to defeat. I noticed that the presenter raised the idea of needing to whitelist applications in the future, which made me think of the discussion of whitelisting in the Windows Store.

Worth a watch, especially for the view from the Dark Side from one of the guys building the Death Star.

The Art of Trolling (Slides) – Matt ‘openfly’ Joyce (DefCon 19)

A comedy piece covering examples of trolls through history and examples of the different types of trolling. With all of the anecdotes in this talk and the underlying material, it’s difficult to know what’s true. You won’t learn much, but you might have a laugh.

How I met your girlfriend – Samy Kamkar (DefCon 18)

The presenter starts by introducing himself as someone previously banned from using computers for a little misbehaviour. The talk is based on penetrating someone’s Facebook account and starts by focusing heavily on the quality of the elements that form the basis for hashed passwords in PHP. Reducing the entropy of each of these elements results in something that limits the possible range of values to brute force. Ironically, this doesn’t affect Facebook because they use their own HipHop system, and since this vulnerability was found, PHP has been patched too, as well as the obvious recommendation that you use your own mechanism for seeding the random numbers.

This talk also introduced me to NAT pinning, enabling forwarding of a port from a user’s computer through their router. This is based on submitting invisible HTML forms which I think scared me even more. Getting these invisible forms talking to an IRC server behind the user’s back further escalates the fear. The final link in the chain was establishing location which is easy thanks to Google’s roving mappers having grabbed the location of a lot of routers based on their MAC address.

Definitely worth watching to learn a few new things and for the entertainment value too.

The Dark Side of Crime-fighting, Security, and Professional Intelligence – Richard Thieme, ThiemeWorks (DefCon 19)

I assumed this would be funny anecdotes, but it’s something darker. The presenter started by highlighting his history with the conference; as a father figure it sounds like he’s seen it all, and as the talk goes on you realize that his experience means that he knows a lot of people. However, his stories from the dark side are less comedic and more about reiterating the scary state of affairs in the professional intelligence community.

Overall, a sober and honest look at where we were in 2011.

Practical Cellphone Spying – Chris Paget (DefCon 18)

This is one I watched wanting to find out how simple it actually was. Apparently very simple. Spend a couple of thousand dollars on a laptop and USRP (Universal Software Radio Peripheral). You start by spoofing a network for phones to connect to – easy enough with well known IDs for the major networks.

Of course you’ll be thinking it’s all encrypted, and it might be, but you can ask the phone to turn off encryption. Never mind, you’d say, no-one can turn off my encryption without asking, but in fact they can, and a lot of phones ship with the disable-encryption warning turned off. This is thanks to countries that need it off by default (for example, India) and not wanting to confuse consumers when they get told that it’s being disabled. Even more worrying is the comparison of 2G’s security to 3G’s being like HTTP to HTTPS: when you’re so grateful for any kind of connection, you don’t typically think of the security implications.

The presentation makes the whole thing seem incredibly easy. Slightly scary, but interesting.

Physical Security You’re Doing It Wrong – A.P. Delchi (DefCon 18)

This presentation covers considerations for physical security, and the fact that physical security implemented poorly is useless, or more realistically, funny presentation content. The presentation starts with the 5 As:

  1. Assessment – where and what to protect.
  2. Assignment – prioritize what to protect.
  3. Arrangement – how to protect.
  4. Approval – get it signed off.
  5. Action – install it.

Starting at 21 minutes is the “what could possibly go wrong” section: a discussion of the management and vendor level problems and how to handle them. I do like the example of talking to the construction workers, as they know what’s actually going on. The last few minutes cover users’ and HR’s greatest hits. I also learnt Spafford’s Law of Security: “If you have responsibility for security, but no authority to make changes, then you’re just there to take the blame when something goes wrong.”

A good balance of very practical advice and comedy things to be aware of.

You spent all that money and you still got owned – Joseph McCray (DefCon 18)

In this, the presenter tells a good story all about his experiences penetration testing and mechanisms for actually performing the testing. There’s discussion of the different tools and scripts to help with things like load balancer detection, handling intrusion prevention and detection systems, and discovering web application firewalls – all things that cost money and in the examples, are all providing only the illusion of security. The talk then goes on to what you can do when you’re in.

This was probably the first of the talks I saw that tells you what’s available for this kind of work and how easy the tools are to use. And be warned, the presenter uses NSFW language, and you may be offended if you like Ruby.

Steal Everything, Kill Everyone, Cause Total Financial Ruin! – Jayson E. Street, CIO of Stratagem 1 Solutions (DefCon 19)

A good follow-on from Physical Security You’re Doing It Wrong, this starts with the history of the presenter’s work, with entertaining stories from actually penetration testing offices by entering them. The presentation is split into 3 parts based on the title:

  1. Examples of stealing – what you can find lying about in an office.
  2. How to kill everyone – due to a lack of security in a hotel allowing access to the kitchen or plant room.
  3. Financial thievery – such as grabbing the paper in the shred bin.

Start to end, this is an entertaining talk that will show you what a focused intruder can achieve, and while you’re thinking that couldn’t happen where you work, I hope you’re also thinking about how you’d stop it.

Pwned By the Owner: What happens when you steal a hacker’s computer (DefCon 18)

This is the story of the consequences of using a hacker’s stolen computer – with a bonus 5 minute story while setting up the equipment. Starting with the theft, it’ll make you think about your security situation. But after that it’s an exciting story about what you can do with a back door to the computer you used to own, and you’ll be glad not to be the new guy using it.

One of the shorter presentations but worth watching. The only thought that came to mind was that maybe the presenter wasn’t picking on the thief but on a new owner; either way, it was his kit being used.

Nmap: Scanning the Internet – Fyodor, Hacker (DefCon 16)

Nmap is a tool I’ve always wondered about – never having had to use it or really understanding what it does. This talk gives a lot of examples of how to use it and then tips on more advanced usage. The examples show the epic command lines you use to drive the thing, and it’s quite obvious that the presenter is the author of the tool. The presentation also shows a nicer GUI frontend to Nmap with extra features like a graph of connectivity between nodes.

Interesting stuff if you know very little about Nmap.

Jackpotting Automated Teller Machines Redux – Barnaby Jack (DefCon 18)

To be honest, I confused myself with the title, assuming it was something to do with fruit machines, but even more intriguingly, it’s about the gritty internals of ATMs, focusing on the simple boxes you find in a small shop or petrol station. Although he must have looked suspicious buying and transporting his own ATMs, the presenter has taken the time to investigate what’s inside. Starting with reverse engineering, he moved on to writing tools to remotely access the ATMs (Dillinger) and a rootkit to install (Scrooge).

Although most of the real life excitement of experimenting with the machines happens off screen, the rest of the talk is fascinating enough to make this worth watching.