Chuck
Principal Security Engineer
Blog

My Week at Hacker Summer Camp

August 17, 2017 by Chuck McAuley

Since DEFCON 25 and BsidesLV are in the books for 2017, I thought I'd reflect on some of the talks I attended and provide my views about them. I tried to stay on task with job-relevant talks, but even I can’t not go see Kasparov.

Bsides Las Vegas

GO Forth and Reverse - Tim Strazzere

Tim gave a fantastic run-down of the GO runtime as compiled software. He released an IDA Pro plugin for analyzing the GO runtime and automatically labeling functions. This tool looks like it's going to save researchers a lot of time analyzing GO-based binaries. I look forward to using this tool to analyze Mirai compiled C&C server binaries, which were written in Go.

Think Complex Passwords Will Save You? – David Hulton

David Hulton, who along with Moxie Marlinspike, created the DES cracking tool Cloud Cracker in 2012, gave an update on this service, now labeled crack.sh. First, he's added support for many more services using DES encryption, including NTLMv1, des_crypt hashes, Kerberos, and WPA enterprise. Second, they built a rainbow table to support NTLMv1 DES hashes with a known challenge. This NTLMv1 rainbow table service is now available free of charge, which should effectively kill NTLMv1 as an authentication protocol if it isn't dead already. By making it free, David hopes to eradicate at least one breakable encryption protocol.

Modern Internet-Scale Network Reconnaissance – HD Moore

This was a great talk and project by 'underflow' on easily finding servers with default credentials in realtime. By tracking newly issued certificates from sites like Google's Certificate Transparency feed, you can enter a race condition for popular CMS sites that get set up with default credentials (often older WordPress versions). If the attacker gets to the site first, they can take control of the website before it's finished deploying, as was demonstrated live at BSidesLV. This is a good demonstration of how a new security features deployed can also bring another level of risk and exposure, sometimes without the user's awareness or consent.

Defcon 25

The Brain's Last Stand - Kasparov

Chess genius Gary Kasparov talked about his history battling chess-playing computers, framed within the discussion of ‘the current state of Artificial Intelligence’. Rather than decrying the loss of another great game to the number-crunching ability of computers, he noted that the best outcomes were not a combination of the best players and the best software, but with mediocre players who knew when to make use of the computer software. The suggested takeaway was describing a new future, one in which computers are used as an extension to human intuition, given light guidance and direction by human operators to solve portions of problems that they are well suited for. As Kasparov mentioned when reviewing the notes afterward, both he and the computer made mistakes, but combined they would present a much stronger opponent, as long as he would not get in the CPU's way. The piece that impacted me the most was the use of the phrase "brute forcing" to refer to a CPU's approach to winning chess. It took a minute for me to think about chess and other games as a system to be beat by sheer computational guesswork, but it makes complete sense. In the context of Information Security, I can see us already using log analysis tools to bring things to Incident Responders for further analysis. Kasparov's future is already in use in many of our day-to-day tasks.

The Adventures of AV and the Leaky Sandbox – Itzik Kotlerand, Amit Klein

While at a customer site, Kotler & Klein discovered that several AV products submit unknown malware to cloud-based A/V sandboxes. They also found most solutions make a determination of malicious/non-malicious by executing the malware. This can end up leaking details through the sandbox network, as most sandboxes allow limited Internet connectivity to try coercing malware to execute. In their example, they took a piece of unknown malware (no matching hash), collected sensitive data on the infected machine – which was otherwise isolated from external communications – and created another piece of malware that contained the data. Once the second, newly-created file was executed, it was uploaded to cloud sandboxes where it was executed; DNS and ICMP communication were allowed to communicate to live Internet hosts, which permitted the sensitive data that had been collected to be exfiltrated. It shows that another layer of defense is not always the solution and that sometimes more security controls in place equal more exposure. Furthermore, simply having malware communicate back home from a sandbox can indicate to an attacker that their malware has been discovered and needs to be respun (recompiled).

Breaking Wind - Windmill ISC Security Landscape – Jason Staggs

Jason Staggs took the mystery out of the networks that operate wind farms with his presentation. Across several assessments of SCADA networks, he found two or three protocols in use, typically OPC XML-DA, DNP3, or IEC 61850. The red team work focused primarily on OPC XML-DA, which acts as a webservice gateway to speak to Industrial Control Systems (ICS). He found that wind farms have little to no security measures in place, leaving write-access “on” via OPC, do have SSL enabled, and therefore are susceptible to both MiTM and side-channel attacks. He demonstrated that an attacker can disable a wind farm and cause physical damage quite easily.

DNS - Devious Name Services – Jim Nitterauer

Jim shed light on new DNS options in EDNS that further enable tracking of user behavior. Using new opcodes, individual users and local networks can be identified easily. Opcode 26946 sends the device’s serial number and 'internal' IP address. There are two drafted opcodes to identify the client based on location and IP and netmask. Many of these features are enabled with seemingly good intentions to deliver a faster Internet (Content Delivery Network optimization for instance), but the net effect is that more privacy is given up by the user and intermediary recursive resolvers can catalog this data before forwarding. This means that user behavior and tracking gets a lot easier, and can navigate around some VPN technology to unmask the original user. In response to these proposed and ratified EDNS options, RFC's like 7816 are gaining traction to reduce the amount of tracking technology that can be put in place.

Conclusion

The talks were well-done and operations went smoothly. If you plan to go to Vegas to attend Blackhat, make sure you find the time to attend either BSidesLV or DEFCON. They aren't as scary as they sound, and a lot of the research is just as good, if not better. There were other talks I attended as well, but these were the ones that stuck with me and were relevant to our focus here at ATI.