Defcon 2012 marked its 20th anniversary with unexpected speakers, some pretty tough content, and the cultural dark magic that buzzes the conference every year.
The Dark Tangent welcomed Mark Weatherford. an ex-Navy and Raytheon security guy that became the CISO of the State of Colorado and California and then CSO at the highly regulated NERC before recently moving on to a top spot at the Department of Homeland Security. Weatherford provided some insight into the amount of attacks he sees every day, and then moved on to explaining that some of the best people he is working with don't have a college degree and some recruiting - they are hiring.
The next, huge name that Dark Tangent brought out was General Keith Alexander, Commander of the US Army CyberCom and Director of the NSA/CSS. It seems to be a sign of the times that the hacker community would be approached by the individual building out what is becoming the largest group of "cyberwarriors" in the world, attempting to draw shared principles and parallels between the groups. The guy was genuinely funny, rolling out jokes throughout his talk and Q&A answers, inviting kids onstage and showing off multiple tshirts. Aside from the explanation of their mission and the recruiting talk, a couple other interesting topics came up. According to Alexander, folks should know better than claiming that the NSA maintains files on every individual in the US, and he thinks that the Cybercom doesn't need to become larger than the current US Navy, partly because of the power that automation and smart work provides. Oh, and they are hiring. It was a repeated theme this past week.
A couple of the talks were shocking in their presentation. FX from Phonoelit and Recurity Greg analysed just how bad Huawei router code really is from a security perspective, it was almost unbelievable for a product line from a $21 billion company. Their preso began with a Code Quality slide that they claimed was almost left empty. Every slide's content made it seem like Huawei security practices and implementation couldn't be worse than suggested by the previous slide, but it did. And it was bad. After pouring over the router codes' open services and inability to be disabled, they described a lack of security advisories and updates, interrupt tables with RWX access, a Chinese-only debug interface, a lack of any communication channel whatsoever for reporting vulnerabilities, and a lack of real security development lifecycle throughout the code development, they followed Huawei's lead and copy/pasted their decades old Cisco IOS exploit code into exploits developed for these Huawei routers, targeting 90s style vulnerabilities. The company clearly has't also taken security lessons learned from Cisco's experience in this space.
At first, I was disappointed that the "Dr Strangelove" nuclear power plant SCADA system talk was cancelled without notice to attendees until arrival at the talk. It was replaced with a talk on SCADA HMI (or human-machine interfaces) security issues from Wesley McGrew titled "SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90's Flavor". At face value, it sounded comparably uninteresting. But, it was eye-opening. The talk itself weaved through known, commonly approached technical problems that were met with disturbingly juvenile, incorrect security implementations - these systems are critical infrastructure and security requirements are not being met. This talk was complemented by Alberto Garcia Illera's pen-testing adventures in the transportation systems of Spain, using simple, unforeseen flaws in publicly accessible systems, to peel layers back until they reached the poorly protected SCADA systems called "How to Hack All the Transport Networks of a Country". The first talk revealed incredibly weak implementations in SCADA systems, and the second revealed exactly why those weaknesses need to be fixed and better understood by their developers and vendors.
Another couple of talks complemented each other - Michael Coppola's "Owning the Network: Adventures in Router Rootkits" presented a frankenstein patchwork of open source tools and experience in mod'ing SOHO router firmware and code, implementing working rootkits running on an array of routers usually used on home and small business networks. These routers all share a stripped back Linux OS, MIPS processor and various older open source code bases in their implementations. On the offensive security side, this work complemented Zachary Cutlip's "SQL Injection to MIPS Overflows: Rooting SOHO Routers" talk on SQLi attacks and remotely compromising SOHO routers.
Michael Robinson and Chris Taylor spoke about spying on mobile spy software and portrayed a somewhat bumbling commercial mobile spyware marketplace, with five mobile spyware packages analysed over the course of six months or so on Android and iPhone devices. Interestingly, while Android spyware used to required rooting the phone to perform, that requirement is no longer. Comparatively, all the commercial iPhone spyware that these guys encountered require that the target iPhone be jailbroken. The performance and "stealth" characteristics of these spyware packages were pretty comical in many ways. With some technical skill, owners of Android and iPhone devices can fairly reliably and simply identify that their phone is running one of these commercial packages.
Andrew Fried and Paul Vixie, consultants that were contracted by the Fbi to assume the Rove Digital DNS servers, reviewed Operation Ghost Click, attempting to clear up any questions about the operation that there might have been - 1. no, visiting DNS-OK.US did NOT result in any DNSChanger infections. 2. No, the Fbi was NOT monitoring communications from infected machines. 3. Unfortunately, the internal redirection ISPs implemented that I discovered in this post most likely is maintained by the ISPs to keep support phone call volume low, so a large number of DNSChanger-affected hosts with disabled Windows updates and AV updates may still be connected to the internet and not know it. At least seven other points were made about the operation, including those about allocating enough web server resources at DNS-OK.US for traffic spikes related to press releases.
The Defcon badge and the games that come with it are lots of fun this year. The badge itself is interactive, maintaining code and clues to the crypto puzzle requiring hardware mods and P2P interaction with other attendees. I screwed mine up messing around with the Parallax Propeller Tool, but got back on track when the makers posted a "virgin" EEPROM image to the forums. Clues laid in the giant Defcon art images scattered on the floors of the hall. Both anagrams of alphabetic names and numeric digits in binary, hex and decimal representations decorated these clue sites. Even Pink Floyd lyrics shined on to the next level of the puzzle.
Also during the conference, a more traditional "Capture the Flag" contest charged on with 70 teams participating. Not all were in the CTF room itself, the winning team had almost 80 members logging in remotely from all over the world. Approximately 50+ challenges raged on during the day, ranging from a SQL administrator/Postgres developers' skill challenge called "Schemaverse", the lockpicking (and handcuff!) village, weekend long scavenger hunts, hash cracking contests, 10,000 Canadian Penny Hacker Jeopardy, to Ninjatel telecom network buildout and provisioning, and hugely successful bone marrow and blood donation projects inspired by the Goon staff. Defcon Kids attracted the eight through 16 year old crowd, with around a hundred kids and parents participating in online game fuzzing, hardware hacking, and other activities.
Finally, Infected Mushroom played a show after the conference Saturday with a big turnout, and rumor has it Kreftwerk may be playing next year.
2012 Jul 31, 17:18
HMI is Human-Machine Interface, not management.