I gave up on Defcon after Defcon 11 because of the venue overcrowding at the Alexis Hotel. But since I had no other plans this weekend and they moved to the larger Riviera hotel last year, I decided to give them another shot this year.
What an improvement! 7,000 attendees and 5 talk tracks, yet now fairly well-organized. I registered Thursday at 9:30 am for $100, but they had already run out of the awesome white animated SMT LED badges with a “HUMAN” cut-out conference badges, and programs.
They should have done a photocopy run of the schedules, but didn’t, which is bad since the schedules are not posted outside the lecture rooms.
Security staff in red shirts called “goons” vigilantly enforced access points and fire codes. I was told that lecture room exits had to be clear in case of sudden emergencies like a smoke bomb attack.
The hotel was big enough that the attendees didn’t swamp the hotel, and the rooms for Tracks 2, 3 and 4 were usually big enough. The Track 5 room and the closing ballroom were too small. Hotel security seemed happy and stayed in the background.
The hotel coffee shop was very busy but served ok food ($10 for a hamburger and fries.) The upstairs dinner buffet was a good deal at $16. Good variety of fresh food and desserts, including prime rib, mexican and asian food.
I didn’t bring a notebook computer this year because it would just get hacked if I turned it on, and I also left my Blackberry off. I understand that some people buy a computer at Fry’s and return it after the weekend to get re-imaged, or use it as a honeypot. Some people did use their work Blackberrys with bluetooth disabled. One guy had a Nokia 770 wifi PDA that he planned to re-image after going home. Nice screen with scalable fonts.
The talks that I attended on Thursday and Friday were very strong, usually presented by the original researchers or somebody deeply involved in the topic. Defcon talks are unusual in that most audience questions are held until after the talk in a separate Q&A room. Not my preference, since expert attendees often get more out of the questions that the talk.
Thursday
Thomas Holt: The Market for Malware
Insight into mainly Russian malware industry:
- pincher programs for intercepting username and password data
- joiner programs to bind pincher program payloads with images or downloads
- like to be paid with e-gold, don’t like Western Union
- like ICQ, irc
- tools cheaper for other Russians to purchase than foreigners
- forums for promoting and rating developers and programs
- good authors provide good customer support, upgrades ($10), manuals and customization ($30)
- admin UI programs very polished and professional looking - some are even skinnable.
Pilgrim: How to be a WiFi Ninja
Pilgrim is the real deal - he knows how wifi works, owns a wifi accessories shop in Florida and is a perennial show vendor.
He gave tips on improving wifi transmission and reception:
- thinner cable is lossier, so keep under 10′
- cable is optimized for Channel 6
- wifi signals transmit better in drier air
- most omni AP transmitters can be made more directional by using a tin-foil reflector behind them, preferably parabolic shape
- used Dish satellite receiver antenna could be very useful
- made a wok dish antenna and recommends it
- recommends USB receivers over PC Cards because of external antenna
- recommends USB cable run to smart antenna instead of long runs of cable
- transmit power isn’t everything. try to balance transmitter, receiver, cable and geometry
- re-orient AP antennae to get better vertical or horizontal reception, especially in 2-storey buildings. same when war-driving.
Broward Horne: Click Fraud Detection with Practical Memetics
Broward gave a great talk.
He has the website RealMeme.com and does experiments in web site promotion and Internet mindshare. He left some blog comments on Casey Serins’ IAmFacingForeclosure.com website but received no traffic to his site initially. He posted a comment inquiring about that, got a bunch of traffic, and upon log analysis realized that it was bot traffic, implying that Casey was involved with bots for AdSense click fraud.
He showed some graphs of discussion activity before and after the Pope’s death, which expanded the bandwidth of discussion, and the SARS outbreak, which barely registered.
D.J.Capelis: Virtualization: Enough holes to work Vegas
Awesome talk on how pathetic x86 virtualization is from a security perspective.
He talked mainly about VMware Server and Xen, but problems generally applicable are:
- vulnerable to physical attacks and DoS at PCI level for shared hardware like video, network and drive controllers
- vulnerable to IP and MAC address changes
- vulnerable to practically undetectable covert channels between VMs
- vulnerable to timing attacks similar to the Intel HT ones
- all the image migration tools use plaintext, possibly across ethernet
- any rogue partition can violate all other partitions, subverting your firewall and network security
- bad default configurations, as documented.
The expensive VMware ESX product fixes a few but not all of the above problems.
He’s hoping IBM can leverage their 30 year virtualization experience on LPARs to do a good job.
He released a script to somewhat improve the default security configuration of VMware Server.
Dave Josephsen: Homeless Vikings, (short-lived BGP prefix hijacking and the spamwars)
He presented a history of spam and countermeasures timeline with commentary (he likes content filtering and thinks anything else is just a pointless technical arms race that can’t be won by the good guys).
Then he talked about how BGP can be used by spammers to spoof address blocks or commandeer unassigned IP space, likely the same techniques used by intelligence agencies now.
Gadi Evron: Webserver Botnets
Peter Gutmann: The Commercial Malware Industry
Some repetition of the talk at 10 am, but with more detail.
Daniel Peck & Ben Feinstein: CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript
They demonstrated some utilities for de-obfuscating javascript malware and presented some graphs that illustrated how malware and legitimate javascript profile very differently.
Also, they talked about spidering and analyzing some web sites and being surprised at how clean myspace is for example - no JavaScript malware found, probably a credit to their staff.
atlas: Remedial Heap Overflows: dlmalloc style
atlas did a Linux Buffer Overflow 101 class.
He used python to inject the shell code.
All the hotels surrounding the Rivera were full, so I stayed in the Hilton Vacation Getaway Hotel, a moderate walk from the Riviera. My $169 room was a very nice and new suite with a 30″ HDMI plasma TV, jacuzzi, shower, bedroom TV and laundry. The downstairs deli tuck shop is very complete and you can order custom sandwiches there. There is also an outside grill with $5 hamburgers and $4 hotdogs that’s open for lunch. The basement business center is 24 hours and has computer rentals and printing for $1/page. The hallway vending machines have $1 sodas.
Friday
Brendan O’Connor: Greater than 1: Defeating “strong” Authentication in Web Applications
Excellent talk reviewing US online banking so-called strong authentication, then attacking it.
- in-person banking is 2-factor authentication (something you have (card) and something you know (PIN)
- online banking is not 2-factor (you know a PIN but normally you don’t provide card, token or biometrics)
- browser fingerprinting is pointless because everybody buys the same configurations from Dell or HP
- browser fingerprinting is pointless because the implementations are bungled (commented source, little effort)
- banks should display all recent logins, not just the last one
- bank should not star out account numbers, then display the full check thumbnail!
- bolt-on auth systems from 3rd-party vendors weaken overall security and increase the attack surface
- SiteKey is worthless, since they have a limited image catalog indexed by alt tag
- knowledge base questions based on public databases as implemented now are worthless, but could be improved by displaying the same question until correctly answered and not randomizing choices
He finished by demonstrating a MITM attack by writing a newbie-level Perl program to relay the browser fingerprint, setting up Defcon Bank and doing a MITM attack on his personal bank which uses Sitekey.
David Byrne: Intranet Invasion With Anti-DNS Pinning
He discussed DNS pinning issues with IE and Firefox, pinning in Java and also how LiveConnect in Firefox and Opera reduce pinning. Also he showed how to use an exploited browser as a web or socks proxy and talked about using the socket capabilities in Flash 7 and above.
In his demo, he owned somebody’s browser, ran Nessus 3, and started a shell.
Billy Rios & Nathan McFeters: Biting tha Hand that Feeds You - Storing and Serving Malicious Content From Well Known Web Servers
Billy and Nathan are the reason for the recent Firefox 2.0.0.5 and 2.0.0.6 updates.
They talked about:
- XSRF
- serving warez from webmail hosts, in particular Yahoo! and gmail, because they’re free anonymous accounts, have a large storage capacity, good network bandwidth, high-reputation domain names, and plausibly deniable.
- domain substitution
- what can you trust on the Internet? only the domain name in your location bar
- Flash settings XML config file
- browser scheme and %00%00 filetype handlers
- IE 7 and Firefox URI hand-off exploits
- possibly KDE registry might also be vulnerable to filetype handler issues.
The award ceremonies went on 2 hours. It was interesting to learn about the whole Defcon community: security, logistics, press, events, speaker coordination, etc.
40 hardware kits were handed out to people wanting to hack the badge, but only 7 submissions resulted. The 2 winners built a graphical, gray-scale multimeter and a pong game. DT suggested it would be hard to top the badge next year, unless it was converted to a fibrillator or laser beams were added.
A 17 year-old won one of the lock-picking categories. The overall winner mentioned preferring home-made tools.
Some of the award winners received a Black Badge - good for free life-time show admittance. Some got a used notebook or Dish receiver.
The trivia show winning team was booed for their poor result - sometimes needed a dozen clues and still getting the wrong answer - but still got black badges. Next year there will be a pre-qualifying test.
I took one of the airport shuttle buses back to the airport. Depending on how you look at it, either I got a free ground tour of Las Vegas, or they wasted a half hour of my time trying to find a passenger who booked 24 hours in advance but didn’t show up on time. Eventually they found him … back at the Riviera.
theinquirer.ne: How to break forensics software
GData: An Online MD5 Hash Database
