Getting home from what we affectionately call Security Summer Camp is almost as much of an adventure as attending the conferences. Getting caught in the Deltapocalypse on the way home just added to the fun. If you want a real challenge, try seeing your way onto earlier flights during a system-wide meltdown of a major legacy carrier.
Good practice, and a reminder that yes, backup, business continuity, and disaster recovery are in fact security disciplines. Last time, I wrote about some of the things that I wished that I would see, but probably won’t at the BlackHat and Defcon conferences. This week, I’m going to recap some of the very cool stuff that I saw that you should know about too. I had a chance to sit down and chat with Colin O’Flynn with NewAE. Colin is the mad genius behind the ChipWhisperer hardware board that makes it easy to attack “secure” microcontrollers and figure out what they’re doing using a variety of “glitching” attacks involving power and clock signals, in addition to power usage analysis to do fun things like extracting information on cryptographic algorithms. My own hardware hacking efforts are leading me more and more often to competently designed devices, and having the ChipWhisperer tools available is a good and useful thing. I now own one for my lab. Keep an eye on them, since the more streamlined and feature-rich ChipWhisperer Pro is coming soon.
Maxim Goncharov’s presentation on BADWPAD, highlighting the various and varied way that the venerable Web Proxy Auto Discovery protocol can be used and abused by attackers in many many different environments. I’ve long been a fan of leveraging WPAD attacks during pen tests to collect credentials, and it’s great to see more attention being brought to this old, busted, and not terribly necessary protocol. We saw several talks this year on bypassing security mechanisms that make the life of the attacker difficult like Address Space Layout Randomization (ASLR). Just like every other mitigation technique developed, somebody is going to figure out a way to work around it. Talks like this reinforce, and yes, challenge the mitigation designers to keep things interesting in the next round of technologies.
Elie Bursztein’s talk on USB dropping (also a favorite technique of mine during penetration tests) reported success rates of over 40%. Users will still plug the darnedest they find on the ground into their computers. I hope that they’re better about other things, like food, that they find on the ground. If you want to try this on your next pen test, Core Impact makes it easy to generate a variety of payloads for your USB dropping pleasure. Defcon had its set of highlights (and lowlights as well). Fiat Chrysler hacked a Dodge Charger to turn it into a gigantic driving simulator in the Car Hacking Village.
Chris Hadnagy and his merry band of Social Engineers once again demonstrated with face palming ease how live targets would give up the crown jewels if you could just tell the right story in the Social Engineering Capture the Flag. On the hands on side, in the Tamper-Evident Village, was the infamous Box, a simulated bomb with realistic booby-traps. Yes I tried it. No, I didn’t successfully “disarm” it. Still fun and a great way to practice some of the less commonly touched areas of security. Probably the most interesting talk of the Defcon show was on the last day: Przemek Jaroszewski’s explorations into generating QR codes that will allow access to airport lounges. Przemek dove into the technology and validation techniques used, and demonstrated pretty solidly that the adage of “Trust but Verify” is on life-support in a lot of areas. Simply having a valid flight for the day, in the correct class of service proved to be enough to gain entry. Do not try this at home, sports fans. Attendee protip: security at the Flamingo doesn’t like it when you fix the misbehaving elevator on your own. If you were lucky (or unlucky, as your case might be) enough to attend the major events, sound off in the comments about what your highlights looked like!