Wednesday, August 7, 2013

Black Hat 2013 USA and DEFCON 21 Trip Report...

This years computer security conference Black Hat 2013 USA was held at Caesars Palace in Las Vegas Nevada.  DEFCON 21, a follow-up security conference was about a block away at the Rio hotel.

I have attended a number of security conferences over the years but I must admit I'm a bit of Black Hat and DEFCON noob.  In any case, many people asked if I was attending so I though I should experience these events myself firsthand.  By pure happenstance, the Black Hat staff asked me to present (my previous post) about a month prior to the conference.  I only mention the session briefly since some have criticized me for the closed session.  Please keep in mind, the summit rules are not my rules.  I was privileged to be invited and I will respect their rules.  It's also the first time I have ever been invited.

There's a few things I noticed immediately as a new attendee.  Both conferences are a little rougher or raw around the edges.  Often a heckler in the audience would belch out a contrary opinion to the speaker or even obscenities at times.  In one case, a speaker retaliated telling a heckler to "-uck off".  There were a few uncomfortable moments where I considered slipping down into my chair and low crawling out the door.  I was not sure what was going to happen next.  The leader of the National Security Agency,  General Alexander's, keynote presentation was a great example of the electric atmosphere at Black Hat.

Photo:  Mohawks at DEFCON21
A few impressions from a first-timer, one of things you will notice is that the crowd is a little different than some of the conferences you may be accustomed.  But a little background first, over the years I have developed what I affectionately call the, 1000 yard gaze.  The 1000 yard gaze, shared by most Californian's, is simply the blissful indifference to shocking sights and sounds.  So for example, if you want to walk around me with a purple mohawk and sparklers for ear rings it's OK.  I will pretend I don't notice and you can feel like we all have purple hair.  Even with a trained gaze, there are a few sights you are likely to encounter at these conferences that will test your abilities.  Also presenters, while undeniably experts at what they do, are sometimes not the best communicators, lack of eye contact, mumbling, etc.  One would think communications ability is a requirement for presenting at a conference but you might be wrong.  My impression is innovative content is sometimes favored over presentation ability.  It's a tough tradeoff for conference planners I suspect but I can understand how that makes sense for these innovative conferences.  Still during a couple sessions, I had to tap a fellow attendee on the shoulder and ask what the heck the speaker just said, only to receive a shoulder shrug.  I wondered if anyone in the room understood what was said at the time.  It's definitely the exception rather than the rule but it surprised me.

In the end, the raw edginess (if that's a word) gives these conferences their charm.  Both conferences were super fantastic and I should have attended them many years ago.  Following are a few highlights from the conferences to challenge what you know about the state of the art in security.

Mobile platforms are a security nightmare
Most security professionals realize the tools for mobile security are woefully inadequate.  In fact, intrusion detection and prevention tools are simply not available to consumers.  Mobile consumers are running on the "trust me" security model.  One particular presentation at DEFCON21 stands out, Do-It-Yourself Cellular IDS Sherri Davidoff & Panel.  They demonstrated how to turn a femtocell into a Intrusion Detection System (IDS).  The project was a considerable effort by a team lasting almost a year.  Incidentally, there are a few ways to sniff your mobile traffic like connecting your phone to a local WIFI network and sniffing outbound traffic with standard tools.  The limitation with the approach is that you can't see IP traffic going back through the carrier networks.  The presenters claimed around 50% of the audience phones were infected, ouch!  Also that some malware allows listening to conversations or viewing what is happening in a room -- downright creepy.


Hardware hacks
Photo:  Hardware hacking lab
There were a ton of good hardware hacks and spy gear.  ACE Hackware was selling a device called the r00tabaga for penetration testers.  The device is self-contained computer, smaller than a pack of cigarettes running a modified Linux kernel.  It's mostly for executing remote pentest assessments, surveillance, and Man in the Middle(MITM) attacks.  The device appears to be a 3G mobile hotspot, exploited, and reflashed with a modified version of OpenWRT.  The device is a little too polished to be manufactured by a niche vendor in my opinion.  Nevertheless, whatever it is it's great and the price at the show was $110USD.  There are other popular long standing competitors like the Pineapple.  Likewise, Raspberry PI maybe a good contender for such a project but I'm not aware of any flash images/plans for ready to go solutions.

The lock pickers also had a strong presence.  If I knew they had a Lock Pick Village maybe I would have considered bringing my picks.  Although, I'm done with traveling abroad with my picks

Exploitation of office equipment
Stepping p3wns: Adventures in Full Spectrum Embedded Exploitation by Ang Gui and Michael Costello showed how an entire office environment may be exploited by an adversary.  In his demonstration, Ang exploited an HP printer to gain a foothold in a mock office environment.  The printer was used for office reconnaissance to find other IP enabled devices.  An attack from the printer was launched to exploit a Cisco IP phone and other devices were captured.  The presentation crescendo was a denial of service attack against a Cisco 2851 router by the printer rendering it useless.  The point of the presentation was that many common office devices are IP enabled.  These devices may have interesting information (e.g., phone numbers last dialed, contacts, last document scanned), valuable platforms for reconnaissance, or even to launch attacks.  Given the proprietary nature of hardware these devices are difficult to secure.  Ang mentioned some technology he's developed to help secure these legacy environments.

Trading privacy for security
ACLU and EFF had a strong presence and generated interest from attendees.  These groups highlighted many of the current issues(e.g., Snowden, FISA courts) and the need for more privacy and transparency.  The greatest challenge presented was how can the government ensure the safety for American's without violating their privacy?  Unfortunately, there didn't seem to be any satisfying answers for attendees.

Celebrity appearances
Brian Krebs (Krebs on Security) and Lance James session Spy Jacking the Booters covers Brian's SWAT'ing ordeal.  For those who don't know SWAT'ing is, it's like it sounds.  Bad guys fabricate a story to bringing the SWAT to your home.  Unfortunately, SWAT don't have a good sense of humor so it's guaranteed to inconvenience the victim for an evening.  Not to mention the price for door repair which, according to Brian, some cities don't cover.  The lesson learned here, it's no fun to be SWAT'ed.  Interestingly, I did get to shake Brian's hand as he was walking out the door.  He was in a hurry so we did not talk long but it was fun to watch his expression as I introduced myself.  Anyway, I enjoy reading Brian's articles.  Maybe someday I will be able to communicate so expertly.

Will Smith appeared at DEFCON21.  I really have no idea why he was attending the conference.  I didn't notice him on the schedule.  Maybe his giving up movie making for life in security?  I didn't see him at the conference myself but I saw a few Tweets.  If anyone has details feel free to drop a comment on this posting or send a tweet.

Equipment failures
Photo:  Crashed phone system?
I noticed a rather higher than usual occurrence of failure for hotel hardware at the event.  I really have no figures to back up my feelings, consider it a hunch.  First was the phone in my room.  Take a look at the screen in the photo, "Server Unreachable".  I'm not sure what that's trying to tell me but it does not look good.  The next event was a fire alarm at the Rio hotel during DEFCON.  There were flashing lights all throughout the halls and audible warnings followed by a voice message.  The alarm sounded for at least 10 minutes.  Following the alarm termination a voice indicated it was a test.  I don't ever remember tests like this in any fully occupied hotel during a large event.  The last time I heard a flashing lights and sounds like that Halon was about to dump and I was sprinting out of the data center.   If anyone has any hardware failures please share them.


A parting thought...
Evidently there's not much you can't do in Vegas.  Including shooting fully automatic weapons -- geek bait.  I wonder how many attendees tried this?  Send me a Tweet or something if you got to shoot any of these firearms.

Photo: The Gun Store

Share It!