DEF CON 23

Školení, která pořádám

This is the first DEF CON I attended and I was wondering how a conference with no registration and just walk-ins will look like. There's probably no cap on how many people can attend and the entrance fee is very low ($230 for 4 days, compare with Black Hat at $2595 for 2 days). The conference was super crowded which ruined it for me. I was able to attend only every other talk I wanted to. You have to stay in a line for 20 to 30 minutes before a talk started to get in, at least for the popular talks. The previous talk in a different room was obviously still happening at this time meaning that you either have to leave early or attend every other talk or just stay in the same room and attend whatever is there.

I wasn't very happy about the quality of the talks either. I tried to attend talks that could be useful for my work and they were very poor – mentioning only the basic stuff, no original research, no deep insight, no new discoveries. I also attended some other talks and they were great – description of bold actions of the presenters, original research, new tools. Sadly, these talks aren't useful for my work. Let's go over the talks I attended.

Hacking web apps

★☆☆☆☆, Abstract, Outline

A very basic talk about penetration testing. The presenter mentioned some tools he use: Nessus ($2,190 per year), IBM App Scan ($18,700 per year), sqlmap (free), Xenotix (free). He also repeated several times that gathering all information is very important and mentioned KeepNote that allows him to color folders based on their severity.

Secure Messaging for Normal People

★★☆☆☆, Abstract, Slides

A very basic and vague talk about messaging apps security. The presenter didn't name a single app, he didn't even answer a direct question about which app does he personally use. He mentioned that if the communication is encrypted from you to the server and from the server to the other party then someone can still read it on the server. He also talked about metadata collection – if someone sends you a message and listens to your network then he can pair your online identity to your real identity when you download the message of a given size.

Stagefright: Scary Code in the Heart of Android

★★★★★, Abstract, no slides yet

A great talk about a recently discovered security bug in Android's media decoding library. The presenter explained how he discovered the bug (he saw lots of reports about this part of Android crashing, fuzzed it which didn't reveal any security bug but a manual inspection near the crashes revealed security issues). He also talked about privileges on Android (this component had almost all privileges, including system (just one level above root) and ability to talk with GSM. He also talked about attack vectors for this bug – the most interesting one is an MMS which is processed by this library before the notification appears. It means that you can hide the notification before it shows.

Hacking SQL Injection for Remote Code Execution on a LAMP stack

☆☆☆☆☆, Abstract, Slides

The worst talk of the conference. The presenter didn't have a good knowledge of the topic. He just mentioned bunch of random security related problems of PHP he read about at OWASP, Wikipedia and W3Schools, often unrelated to SQL injection. He mentioned Wildcard Poisioning – you create a file named -l and when someone does ls * then it actually executes ls -l – this can be used to run an arbitrary command with TAR or SCP.

REvisiting RE:DoS

★★★☆☆, Abstract, Slides

An average talk about performance problems of regular expressions – memory based in POSIX, speed based in POSIX and PCRE. The presenter showed his tool for finding the worst possible input for a given regular expression. I would expect showing more poorly performing patterns than just the obvious (a+)+. I've learned one thing at this talk: (a|ab) run against "ab" matches "a" in PCRE (the first pattern) and "ab" in POSIX (the longest pattern).

Tell me who you are and I will tell you your lock pattern

★★★★☆, Abstract, Slides

A nice talk about lock patterns that people choose. The presenter explained her own research about lock patterns people choose when asked. I was sad about two things – a small data set (only around 800 people) and not using real patterns (people were asked to create three new patterns just for this research). The research showed that almost half people start the pattern in the top left corner and almost quarter either in bottom left or top right. This is true both for left- and right-handed people. I would like to see a percentage of people using the most frequent 100 patterns but this wasn't part of the research.

I Will Kill You

★★★★★, Abstract, Slides

A very interesting talk from a guy who figured out how to issue death certificates – you only need a report from a medical examiner and funeral director. He started researching the area when a hospital mistakenly claimed 200 people as dead. It is very easy to fill the report as medical examiner – medical examiners may register online and you only need their identification number which is available online. The presenter became a real funeral director himself – he created web pages about his fake funeral agency which was enough to get the certificate. He also mentioned how easy is to issue a birth certificate – you just need a midwife instead of a funeral director. In the presentation, he showed a video how he actually “killed” someone which was very brave. He also listed why you might want to declare someone as dead (for example your parents and the judge).

Hacking Smart Safes: On the "Brink" of a Robbery

★★★★★, Abstract, no slides yet

A funny talk about hacking a very lame smart safe. The safe exposes a USB port through which you can connect a keyboard and a mouse (or Teensy sending the keyboard and mouse events for you). The safe is running Windows XP with MS Access 4 with the list of users. The hack was to escape the kiosk mode (right click on the video in tutorial, click About Flash, opens IE), open Explorer from IE, run cmd from Explorer, insert two service users into the database using VBscript and then normally log in as these users as they have the privilege to open the safe. The mitigation from the vendor was to disable IE (there are probably lots of other vectors and the main issue of unencrypted database is still there). The computer communicates with the safe through a serial port which would be probably possible to hack too.

Let's Encrypt - Minting Free Certificates to Encrypt the Entire Web

★★★★★, Abstract, no slides yet

A great talk about Let's Encrypt. They demoed the command line tool to verify the domain, issue and install the certificate and modify the config files, all in about twenty seconds. They also mentioned DVSNI – a method for validating a domain through TLS.

Protecting global email - status & the road ahead

★★★★☆, Abstract, no slides yet

A good talk about STARTTLS in SMTP. The presenter also mentioned EFF's STARTTLS Everywhere, DNSSEC and DANE. At the end of the talk, the presenter immediately started talking about a completely unrelated and unannounced topic (identifying people from keystrokes behaviors) which was quite weird. He also announced a tool to add a random delay between key strokes to prevent keyboard behavior identification.

The Bieber Project: Ad Tech 101, Fake Fans and Adventures in Buying Internet Traffic

★★★☆☆, Abstract, Slides

An average talk about creating and buying Internet traffic. The most interesting part was the explanation of a traffic exchange network Jingling which uses your computer to click at other websites and other computers click at your website in exchange – originally from China, now with users worldwide. Cheap solutions generate the traffic just from your computer which is easily filterable.

Abusing Adobe Reader’s JavaScript APIs

★★★★★, Abstract, Slides

A very insightful talk about handling JavaScript in PDF. Adobe Reader has a compiled file of a trusted JavaScript which runs without prompting the user. Luckily, someone decompiled and prettified this file. The presenters found a bug where there's a check for obj.property – they defined a getter executing an arbitrary code and called that function with this object. Then they found a function entering a privileged mode and a function calling eval on a parameter. They were able to open a URL without prompting the user. They also found an undocumented function writing anything to the filesystem. They used it to overwrite a DLL loaded by Reader and used it to run an arbitrary binary code.

Who Will Rule the Sky? The Coming Drone Policy Wars

★★★★☆, Abstract, no slides yet

A good intro to rules around drones: Anything under 55 pounds flying under 400 feet is a model plane and you don't need a license to fly it. You couldn't fly 5 miles around airports or in Washington, D.C. You couldn't shoot a drone flying over your property the same way as you couldn't burn down a neighbor's car parked in your driveway. There are state laws forbidding some usage of drones – for example you couldn't take a video of an agricultural facility from a drone in some state or you couldn't film hunters in some other state.

Knocking my neighbor’s kid’s cruddy drone offline

★★★★★, Abstract, Slides

A great talk about how to shut down a drone without firing on it. Parrot Bebop generates a WiFi network and you can connect to it. It runs several services including FTP and Telnet which are not password protected. You can connect to it and run a script (already included) to shut down the drone. It's also possible to disrupt the WiFi signal and connect to the drone from your device. It's also possible to disrupt the GPS signal but that is illegal. Bebop doesn't react to a magnetic field but Phantom 3 does.

Let's Talk About SOAP, Baby. Let's Talk About UPNP

★☆☆☆☆, Abstract, Slides

A pretty boring talk about UPnP and SOAP of smart devices. The key takeaway is that most devices will happily talk to you if you connect to them.

Jakub Vrána, Osobní, 10.8.2015, comments: 0 (new: 0)

Insert Comment

Input is understood as plain text but URLs will be converted to links and PHP code enclosed in <?php ?> will be highlighted.

Name: URL:

avatar © 2005-2018 Jakub Vrána. Publikované texty můžete přetiskovat pouze se svolením autora. Ukázky kódu smíte používat s uvedením autora a URL tohoto webu bez dalších omezení Creative Commons. Můžeme si tykat. Skripty předpokládají nastavení: magic_quotes_gpc=Off, magic_quotes_runtime=Off, error_reporting=E_ALL & ~E_NOTICE a očekávají předchozí zavolání mysql_set_charset. Skripty by měly být funkční v PHP >= 4.3 a PHP >= 5.0.