Friday 3 August 2012

Defcon 20 - Thoughts on 10 days in Vegas or at least what I can remember of it. Part 1

This was my first time at defcon and my first time in Las Vegas at all, and I really wanted to make the effort to meet new folks, see as much of defcon as possible and see as many great talks as I could. This is the first post in a series which will cover defcon, the talks, the social aspect of it, and Las Vegas in general.
And although a bit belated, this post in particular is about the defcon talks I went to on the Friday, which was the first full day. The Thursday had a few events throughout, although I wasn't able to attend these, so I'll start here.

..At the Rio, I have my badge, and amazingly, despite what I'd heard, there was practically no line, except to buy the official swag. So onto my first talk of defcon..

Making Sense of static - new tools for hacking GPS by Fergus Noble and Colin Beighley
This was my first talk of the day, and as far as talks go this wasn't the best presentation I've ever seen. Although I first thought the idea for the talk was quite a good one, there was simply too much time spent going through the technical details of how GPS works, waves and other not too interesting details. Although a tool was introduced, very little time was actually spent on it, whereas I thought it should have been the other way around, or at least near equal amounts of time. I'm not sure if both or either of the speakers were first timers, but there were a few moments of stopping and staring into space as they had forgotten what they were going to say, which seemed to be due to nerves. In the end I thought the subject matter could have been interesting, and I think the information could be quite interesting, but it just wasn't presented as an interesting subject, and seemed almost like a research talk instead of something where a tool was created.

..So not a great start to my defcon talks, but onto the next..

Passive bluetooth monitoring in scapy by Ryan Holeman
I thought this was quite a good talk, although at the start Ryan said he had given this at blackhat where he had more time and so had to shorten the talk for defcon, which was a shame, but the talk was still good nonetheless [Update: Ryan contacted me on twitter and it turns out I misheard and this was longer than the one at blackhat. Still, I wish the talk could have been a little longer just because it was a cool tool]. Ryan started by going over the subject, giving an overview of bluetooth and the ubertooth board (further information about the ubertooth project can be found here), which is used to interact with bluetooth, and the scapy-btbb library he created with the simple goal of getting bluetooth baseband traffic into python.
This allows easy data analysis of btbb (bluetooth baseband) traffic, with compatibility across hardware thanks to the use of pcap files, and so it can be easily integrated into tools for debugging, auditing, or exploitation, whichever is your inclination.
Now I haven't used the library myself, but Ryan went through a couple of demos and it generally seemed like it has at least the basic functionality that would be wanted: reading btbb packets from a pcap, seeing all the information to do with the bluetooth packets, writing btbb pcap files, and streaming btbb packets. Basically everything that would seem to be needed for integrating into debugging, auditing or exploitation.
He has also added some handy functionality to the library as well; the part I particularly liked was the fact you can get the vendor name. This is because, as Ryan noted, it can be difficult keeping track of multiple bluetooth signals, and a name is generally easier to keep track of than a MAC address.
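The read-from-pcap, write-to-pcap and vendor-name workflow described above, as an added illustration written for this write-up; it is not scapy-btbb or any code from Ryan's project. It parses and writes the classic pcap container directly, uses the private-use link type 147 (DLT_USER0) as a stand-in because the Bluetooth baseband packet layout is not reproduced here, takes the first six payload bytes as the device address (an assumed layout for the example only), and resolves the OUI against a small constructed table rather than the IEEE registry. The reader also refuses truncated or oversized records, which is the check most worth having when a capture comes from someone else.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic (microsecond timestamps)
LINKTYPE_USER0 = 147         # private-use link type; stands in for the real btbb link type

# Constructed OUI table: first three bytes of a 48-bit address -> vendor label.
# These entries are made up for the example and are not from the IEEE registry.
OUI_TABLE = {
    b"\x00\x11\x22": "ExampleHeadsetCo",
    b"\x00\x33\x44": "ExamplePhoneInc",
}

Record = Tuple[int, int, bytes]   # (ts_sec, ts_usec, payload)


def write_pcap(records: List[Record], linktype: int = LINKTYPE_USER0) -> bytes:
    """Serialise records into a little-endian classic pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, payload in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out


def read_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap file of either byte order. Truncated or oversized records
    raise ValueError instead of being read past the buffer."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic as written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records: List[Record] = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record length %d exceeds snaplen or file at offset %d" % (incl_len, off))
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def vendor_for(address: bytes) -> str:
    """Map an address to a vendor label by its OUI (first three bytes)."""
    return OUI_TABLE.get(bytes(address[:3]), "unknown")


def summarise(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (ts_sec, address, vendor) per record. The first six payload bytes are taken
    as the device address: an ASSUMED layout for this example, not the btbb packet format."""
    _linktype, records = read_pcap(data)
    out = []
    for ts_sec, _ts_usec, payload in records:
        if len(payload) < 6:
            continue                      # too short to carry an address; skip it
        addr = payload[:6]
        out.append((ts_sec, addr.hex(":"), vendor_for(addr)))
    return out


# Constructed sample capture: three records with made-up addresses plus one runt record.
SAMPLE_RECORDS: List[Record] = [
    (1343980800, 0, b"\x00\x11\x22\xaa\xbb\xcc" + b"\x01\x02\x03"),
    (1343980801, 500, b"\x00\x33\x44\xdd\xee\xff" + b"\x04"),
    (1343980802, 0, b"\x12\x34\x56\x78\x9a\xbc"),
    (1343980803, 0, b"\x00\x11"),
]
SAMPLE_PCAP = write_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    for ts, addr, vendor in summarise(SAMPLE_PCAP):
        print(ts, addr, vendor)
```

Swapping in a real link type and a real address offset is all that separates this from a usable reader for a given capture format; the length checks in read_pcap are the part to keep, since a capture file is untrusted input like anything else you parse.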

..So getting warmer. What next? 

Don't stand so close to me: an analysis of the NFC attack surface by Charlie Miller
Ok, now this is the kind of talk I wanted to see while at defcon. Charlie actually did this talk at blackhat as well, so as of the time of writing the slides can be found here.
It turns out this started off when the speaker was having a conversation with Moxie Marlinspike, who happened to tell him the NFC stack was poorly designed, and this is what got Charlie interested in the subject, but anyway, back to the presentation. Charlie started off as you would expect, going over the NFC protocol, and as he realised, despite such a small number of bytes being sent, the protocol is actually quite complex, and there are two different ways an NFC communication can take place, either
-there is an initiator and a target e.g. a NFC-enabled phone and an NFC tag, or
-it can be done peer-to-peer, which needs two devices which are powered e.g. two different NFC-enabled phones.
After this he actually went into far greater detail than I am going to here, but this can basically be seen from the paper I've linked to above, along with example data to give you an idea of what's happening. Now we're finally onto the interesting part that people want to hear about though -- fuzzing of the NFC stack (or is that just me?). This was particularly interesting for me, and he went through his setup, including what hardware was used for emulating a passive tag, and how he fuzzed so that he basically wouldn't have to sit there manually placing the phone near an emulator and taking it away again (especially in fuzzing terms, with cases often ranging in the thousands or tens of thousands, manual=bad and automated=good. For an overview of fuzzing you can see a previous post about it here). I thought it was interesting to note that as Charlie was fuzzing wildly different sections, he used both generation- and mutation-based fuzzing, and he went through what was fuzzed in which way for each platform tested on, and some results which at face value seem not that interesting.
However the talk became most interesting when you delve into what the phone does with the data it receives, rather than whether there are issues parsing it. When you look into this, the attack surface for NFC gets blown wide open, as for starters with android you can get people to visit a website in the browser with NO USER INTERACTION. As you can imagine, given the number of different file formats handled by web browsers, and possible plugins, this has all of a sudden changed to an enormous attack surface instead of just being parts of the NFC stack. There are some caveats depending on the platform being used, but Charlie generally went through these and possible workarounds. And with these came the real crowd pleasers: the demos. Charlie had multiple demos showing different attack scenarios, all leading to full exploitation of the other person's phone, and in general it seemed that although there was a bug found in Android 2.3 (fixed in a later version, though the vast majority of android phones use 2.3 or lower), the major problem with NFC is what's done with the data. NFC in itself isn't too insecure; the fact is the platforms just give the information straight out to another application without a second thought.
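The two fuzzing styles Charlie contrasts, generation-based and mutation-based, shown side by side on a constructed type-length-value record format; this is an added example written for this post, not code or data from the talk, and the format is not the NFC or NDEF wire layout. The parser names, the record layout, the prefix table and the seed input are all made up for the illustration. The point is the harness: both strategies drive a deliberately sloppy parser and its hardened twin, and a case counts as a finding only when a parser raises something other than its own ParseError, which is the distinction between "rejected the input" and "fell over on the input".

```python
import random

# Constructed record format for this example: 1-byte type, 1-byte length, value bytes.
# It is NOT the NFC/NDEF layout; it just gives the fuzzer something with structure.
TYPE_TEXT, TYPE_URI = 0x01, 0x02
URI_PREFIXES = ["", "http://www.", "https://www.", "tel:"]   # made-up abbreviation table


class ParseError(Exception):
    """Graceful rejection of malformed input; the only exception a parser may raise."""


def parse_buggy(data: bytes):
    """Trusts every length field and index; each marked line can raise IndexError."""
    records, off = [], 0
    while off < len(data):
        rtype, length = data[off], data[off + 1]            # header cut short -> IndexError
        value = data[off + 2:off + 2 + length]              # truncated value goes unnoticed
        off += 2 + length
        if rtype == TYPE_TEXT:
            records.append(("text", value.decode("ascii", errors="replace")))
        elif rtype == TYPE_URI:
            code = value[0]                                 # empty value -> IndexError
            prefix = URI_PREFIXES[code]                     # out-of-range code -> IndexError
            records.append(("uri", prefix + value[1:].decode("ascii", errors="replace")))
        else:
            raise ParseError("unknown record type %#x" % rtype)
    return records


def parse_hardened(data: bytes):
    """Same format, but every length and index is checked before it is used."""
    records, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ParseError("truncated record header")
        rtype, length = data[off], data[off + 1]
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ParseError("truncated record value")
        off += 2 + length
        if rtype == TYPE_TEXT:
            records.append(("text", value.decode("ascii", errors="replace")))
        elif rtype == TYPE_URI:
            if not value:
                raise ParseError("empty uri record")
            code = value[0]
            if code >= len(URI_PREFIXES):
                raise ParseError("bad uri prefix code %d" % code)
            records.append(("uri", URI_PREFIXES[code] + value[1:].decode("ascii", errors="replace")))
        else:
            raise ParseError("unknown record type %#x" % rtype)
    return records


# Constructed valid seed for the mutation strategy: one text record and one uri record.
SEED_INPUT = bytes([TYPE_TEXT, 5]) + b"hello" + bytes([TYPE_URI, 4, 1]) + b"abc"


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based: start from a known-good input and damage it slightly."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0:                                   # flip one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1:                                 # overwrite a byte with a boundary value
        data[rng.randrange(len(data))] = rng.choice([0, 1, 0x7F, 0x80, 0xFF])
    else:                                         # truncate at a random point
        data = data[:rng.randrange(len(data) + 1)]
    return bytes(data)


def generate(rng: random.Random) -> bytes:
    """Generation-based: build records from the grammar with random fields."""
    out = b""
    for _ in range(rng.randrange(1, 4)):
        rtype = rng.choice([TYPE_TEXT, TYPE_URI, rng.randrange(256)])
        value = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 6)))
        out += bytes([rtype, len(value)]) + value
    return out


def fuzz(parser, iterations: int = 500, seed: int = 1) -> dict:
    """Alternate the two strategies; return {exception name: first input that caused it}.
    ParseError is the parser saying no and is not a finding."""
    rng = random.Random(seed)
    findings = {}
    for i in range(iterations):
        case = generate(rng) if i % 2 else mutate(SEED_INPUT, rng)
        try:
            parser(case)
        except ParseError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    print("buggy:", fuzz(parse_buggy))        # expect an IndexError with a triggering input
    print("hardened:", fuzz(parse_hardened))  # expect {}
```

The deterministic seed makes a run reproducible, which matters more than it looks: the first thing you do with a finding is replay the exact input, and a harness that cannot hand you that input has told you only that something, somewhere, broke.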

..This is going pretty well. What else could there be going on? 

Bypassing Endpoint security for $20 or less by Phil Polstra
With this talk I really didn't know what to expect, and I'll fully take the blame for that as I didn't read further information about the presentation. Basically this is about endpoint security for USB sticks: a way to get around a policy where only certain USB sticks are allowed to connect to a machine (filtered by their VID/PID -- the equivalent of MAC filtering in networking), so that you can still have any USB stick connect to the machine and mount successfully, and cheaply. Phil Polstra initially went through the hardware and software in use and how the parts communicate with each other in detail (some C knowledge is advised), particularly with mass storage devices (like USB sticks), then we got down to the interesting part and what needs to be done. Basically a microcontroller is used as a proxy between the USB stick and the computer, except it changes the VID to a valid one, effectively spoofing it. Phil went through the particular chip choices and detailed information about them, and then the implementations, which do one of two things: use a known valid VID to impersonate, or brute force finding a valid VID. Luckily Phil has also done a lot of the hard work and has a list of the most common VIDs [update: Phil has told me he didn't create the list, but found somebody who maintained a list. This is attributed in the code, which can be found here], and then in the chance a valid VID isn't in this list it will brute force through every possible iteration. Plus, as a nice addition, a demo showed the bypass in action.
In hindsight, I do wish I knew more about microcontrollers, as I feel if I knew more about this or hardware hacking in general I would've enjoyed the talk more, but still the talk had many interesting and funny moments and opened my eyes up a bit to the hardware side of hacking.

..That was a bit enlightening. Is there anything going on in the last talk of the day? 

Anti-Forensics and Anti-Anti-Forensics: Attacks and mitigating techniques for digital-forensic investigation by Michael Perklin
I'll fully admit, I know practically nothing about computer forensics, but I thought, seeing as I'm at my first defcon and I had just learnt something interesting about an area of security I knew nothing about (hardware), that I would try something else I knew absolutely nothing about. So onto the talk: Michael Perklin made this a funny talk, mostly coming down to his constant drinking whenever he forgot to mention his running total (which I'll get onto later).
Michael went through the methodologies taken by forensic investigators and the general workflow used. What I found particularly interesting was that he continuously made it clear that it isn't about stopping the forensic investigator (they can be stopped in a few simple ways -- for example destruction of the physical media) but about mitigating the forensic investigator's efforts to find information (as shown in the title). Basically the more time it takes, the more money it takes, and therefore the bigger the likelihood that the prosecutor will just want to settle out of court or stop the trial altogether. He quite cleverly kept this as a running total of hours and cost in the corner of each slide, and every time he forgot to mention that the cost went up, he had to take a drink.

Notable talks I didn't get to see (but wanted to): 

-welcome & badge talk
-APK File infection on an Android System
-Owning one to rule them all
-NFC hacking: the easy way
-detecting reflective injection
-how to hack vmware vcenter server in 60 seconds
-new techniques in SQLi
-post-exploitation nirvana: Launching OpenDLP agents over Meterpreter sessions
-The art of the con
-safes and containers - insecurity design excellence
-blind xss


  1. just a quick comment on my Bypassing Endpoint Security talk. I didn't come up with the list of VID/PIDs, I found someone who maintained a list and converted his list to C code (this is attributed in the code). Speaking of code, it is available on the conference DVD or on the media site Extras link. It is also on github as "USB-impersonator".

    1. Hi Phil, thanks for letting me know. I've updated the post now to make this clear.