@jelu
Created September 23, 2014 09:51
SEC-T 2014

Summary

As last year, this year's conference was largely about LangSec: you have to think of your software as something that parses and executes "code" (its input), and the less you test your handling of that input, the more vulnerable you are. Also, as more and more devices get connected (the Internet of Things), we get more and more vulnerabilities at home. Most devices today ship without any authentication at all, because they need to be simple, and that lets more and more drive-by attacks succeed and, in many cases, permanently infect the devices with malicious code.

My top 3 talks in random order are:

  • Andreas Lindh on Attacking Mobile Broadband Modems Like A Criminal
  • Hugo Teso on Going deeper on aviation security
  • Travis Goodspeed on A neighborly surprise talk

And the funniest was Unparseable Resource Locators by Karl Zetterlund.

Day 1

DUMB II - How we got there

The keynote by Felix Lindner (FX) (full video) was about how we came to play the IT security industry game the way we do today: the only way to play it is to win, which means not getting hacked, and the moment you are successful nobody cares about you, while the moment you fail you are very, very visible to the CEO.

The presentation compared today's world with the Dune game, where the spice was the Internet, the planet Arrakis was Google and the most powerful of the great houses was ICANN.

In relation to the game, the houses we have here on planet Earth are:

  • The Global Observer (NSA, which actually coined the term)
  • Lord of the Ring 0 (Russia, with all them good hackers)
  • Sun Tzerg (China, where all the hardware comes from)

The great houses of earth are APT:

  • A = High-Tech adversaries
  • P = Constantly attacking
  • T = Risking a collapse of the planet's eco/social-system

FUN FACTS:

  • Cisco Nexus 1000V, amongst a lot of other Cisco products, uses A FIXED AES key and IV for encrypting the command channel... and here is the KEY/IV as image and video.
  • The only industries that call their customers "users" are the IT industry and the drug industry.

Cats and Dogs Living Together: LangSec Is Also About Usability

A LangSec talk by Meredith Patterson (video) which discussed how secure software is often hard to use and how insecure but usable software always wins because of that. Meredith brought up the success of PHP, which many tend to hate, and how one factor behind it is that it is so easy to get up and running and produce something.

There was a lot of talk about the naming of things and how it complicates understanding what something is or is not (which implicitly means that people tend not to read the manual). The example of CURLOPT_SSL_VERIFYHOST was brought up: it sounds like a boolean but is not, and the behavior depended on the underlying SSL library used by CURL (this may have been a bit of unnecessary bashing of CURL; see the response from Daniel Stenberg).

THINK ABOUT: If you learn something wrong in the first place, you will do it wrong every time, and it takes a lot of effort to unlearn/relearn it right. (Example: .NET URLPathEncode() does not encode the query string and has apparently been a big issue in the .NET world.)

FACT: PHP does not leak state between runs; other languages tend to.

Attacking Mobile Broadband Modems Like A Criminal

Andreas Lindh gave a short talk (video) about the USB 3G/4G modems used by Swedish operators. Most of these modems nowadays are managed through an internal web interface and have very poor security. Andreas showed how he could do a drive-by attack and inject HTML/JS that is permanently stored by the modem and executed when the user visits the management page. With this he could read the modem's SMS pool and send commands to the modem that the user would never see.

Q: Why can you brick several devices just by using the built-in web interface and/or API?!

Thunderbolt and Lightning, very very frightening

A presentation about DMA attacks over Thunderbolt by Snare (& RZN), with a demo of a working PoC. They built a custom board with an FPGA, some PCIe parts and a Thunderbolt port, connected the card to a locked OS X host and initiated a full memory scan via Thunderbolt DMA, found the area with the code for the lock screen and rewrote it so the host could be unlocked by just entering one space character into the password prompt. So depending on what ports your computer has, even locking it does not help anymore. The card they produced was a prototype; with some change of components they think they can get the size down a lot, along with the price, and might even start selling them in a few months.

-"So what do the vendors say?" -"(shrugs) Yeah, we know. And we are not going to do anything about it." ...

Going deeper on aviation security

Hugo Teso held a follow-up talk about aviation security. Last year he presented the first part, which he also quickly recapped at the start of this talk, where he analyzed the aviation technologies ADS-B and ACARS, which of course have no security at all, so with a $20 antenna and a laptop you can send/read messages to/from the pilot.

For this talk Hugo took the analysis a bit further and looked at the internal systems of the aircraft and how they are updated. He found scary situations where systems had become industry standard, pre-installed in all new aircraft, which basically means that all aircraft are connected via 3G/4G or WiFi and accessible via the Internet or the system manufacturer's vulnerable web site. At the end of the talk he showed a PoC where he had hooked up a quad-copter to a Flight Management System, was able to give the FMS instructions and then remotely uploaded invalid configuration/software in order to crash it.

Hugo has been in contact with airlines, aircraft manufacturers and system companies, and they all ignore/deny the problem.

Reference material:

Unparseable Resource Locators

Karl Zetterlund from Sentor held a lightning talk about URL parsers; he has tested them for the majority of languages and browsers. In short: don't trust any of them, they are all broken and everyone loses!

Some of the highlights are:

  • PHP parses a URL differently depending on whether it ends with / or not
  • PHP converts \n to _
  • Node cuts the host at an invalid character, with no error
  • Chrome converts a space to %20 AND can still resolve the hostname (wtf?)

Karl's recommendation is:

  • Split the URL into its parts and validate each part individually, or compose the URL yourself whenever you can.
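One way to follow that recommendation in Python, written for these notes rather than taken from the talk: every part of the URL is checked on its own against a deliberately narrow policy (the allowed schemes, the hostname grammar and the path/query character set are assumptions of this example), and the URL the rest of the program sees is recomposed from the validated pieces. The raw string is screened before the library parser runs, because urllib.parse is itself lenient about control characters.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Policy for this example (assumptions): only http/https, no userinfo,
# DNS-style hostnames (IPv6 literals are rejected), printable US-ASCII only.
ALLOWED_SCHEMES = {"http", "https"}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one hostname label
_PCHAR = r"(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9._~!$&'()*+,;=:@/-])"  # pct-encoded or unreserved/sub-delims
_PATH = re.compile(rf"^{_PCHAR}*$")
_QUERY = re.compile(rf"^(?:{_PCHAR}|\?)*$")


class BadURL(ValueError):
    """Raised for any URL that does not pass the policy above."""


def strict_url(raw: str) -> str:
    """Validate each part of a URL separately, then recompose it.

    The checks on the raw string run before urlsplit() sees it: recent
    versions of urllib.parse silently strip \\t, \\r and \\n, so
    "exam\\nple.com" would otherwise come back as a clean "example.com".
    """
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in raw):
        raise BadURL("control, whitespace or non-ASCII character in URL")
    if "\\" in raw:
        raise BadURL("backslash in URL")
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError if not numeric or out of range
    except ValueError as e:
        raise BadURL(f"unparseable URL: {e}") from None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise BadURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise BadURL("userinfo not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host or len(host) > 253 or not all(_LABEL.match(l) for l in host.split(".")):
        raise BadURL(f"bad hostname: {host!r}")
    if not _PATH.match(parts.path) or not _QUERY.match(parts.query):
        raise BadURL("disallowed character in path or query")
    # Recompose from the validated pieces only; the fragment is dropped.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))
```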

Route or be rooted

A lightning talk by Marta Janus about how unprotected most Small Office/Home Office (SOHO) equipment is today. A lot of these devices use fixed internal IP addresses, so they can easily be exploited with drive-by pharming (injecting custom JS code into configuration parameters).

Fingerprinting VPNs

Anna Shubina held a lightning talk about how they were able to fingerprint the VPN software and cipher in use by looking at the traffic when dropping every 5th packet. Note: they were mostly able to fingerprint when the VPN tunnel carried a lot of traffic, and sometimes only very specific traffic.

Hard disk crypto is hard

Olle Segerdahl from the Swedish Armed Forces talked about hard disk crypto and what matters when you are selecting a solution: do not fall for the "many bits" or "military grade crypto" marketing talk.

Breaking AngularJS Javascript Sandbox

Mattias Karlsson held the last lightning talk, about breaking out of the sandbox of AngularJS, a framework for building single-page web applications made by Google.

Day 2

IOT: How I Hacked My Home

The first talk of the day was by David Jacoby on how he was too scared to brick his TV and how vulnerable most home equipment is. He had very easily infected and owned his NAS, and from there he could start infecting other devices. He showed more examples of drive-by infection and/or pharming of devices.

Question to think about: Do you segment your network at home?

A neighborly surprise talk

Travis Goodspeed held a very interesting talk about backdooring hard disks, in the sense that he was able to rewrite the firmware of a drive and from that create command channels from the hard disk to a C&C on the Internet without involving the host OS (uhm, or something like that). There was also some talk about creating custom USB devices and fuzzing through them to crash parts of the host; being able to fingerprint what kind of host you are talking to via USB by looking at how it talks to different devices (if you have a USB device that emulates different devices in order to inject code); creating tamper-proof disks that can tell if they are being scanned, imaged or erased; booting Linux on the chips of the hard disk, sure! And more...

Interesting facts:

  • It took 10 man-months to hack the firmware of a hard disk, and they bricked 15 of them in the process.
  • Travis and others have created PoC || GTFO, just google it.
  • phrack.org

For Want of a Nail

Sergey Bratus talked more about LangSec and bugs that became famous. Many of today's bugs have had their equivalent in the past, in different software that does the same thing; for example the Nginx chunked encoding bug from 2013 (CVE-2013-2028) is more or less exactly the same bug Apache had back in 2002 (CVE-2002-3092).

LangSec cat says: FULL RECOGNITION before processing!
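To make the "full recognition before processing" rule concrete for the chunked-encoding case mentioned above, here is a small Python decoder added to these notes (not code from the talk or from either server): the chunk-size line is matched in full against a fixed grammar and bounded before a single byte of data is copied. The 1 MiB per-chunk limit, the seven-hex-digit cap and the refusal of trailers are assumptions of this example.

```python
import re

# Assumption for this example: never buffer more than 1 MiB for a single chunk.
MAX_CHUNK_SIZE = 1 << 20
# A chunk-size line is 1..7 hex digits, optionally followed by a ";ext" chunk
# extension. Seven hex digits cannot exceed 2**28 - 1, so the parsed size can
# never overflow or turn negative whatever the peer sends; leading whitespace,
# signs, "0x" prefixes and bare "\n" line ends are rejected, not tolerated.
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,7})(?:;[^\r\n]*)?")


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body, recognising each size line in full
    before touching any data. Raises ValueError on any deviation."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        m = _CHUNK_SIZE_LINE.fullmatch(body[pos:eol])
        if m is None:
            raise ValueError(f"malformed chunk-size line: {body[pos:eol]!r}")
        size = int(m.group(1), 16)
        if size > MAX_CHUNK_SIZE:
            raise ValueError(f"chunk of {size} bytes exceeds limit")
        pos = eol + 2
        if size == 0:
            # Last chunk: only an empty trailer section is accepted here.
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("trailers not supported / missing final CRLF")
            return bytes(out)
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data or missing CRLF")
        out += data
        pos += size + 2
```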

Detecting the Heartbleed vulnerability

Antti Karjalainen from Codenomicon was part of the team that discovered the Heartbleed bug, and his talk was about how they did it and what tools and technologies they used. A lot of fuzzing was involved, and he pointed out that all major SSL libraries have very simple input validation problems, bugs and/or exploits.

Question for everyone: Do you know where you use OpenSSL and what version it is?

Detecting Unknown Malware

Fahad Ehsan's talk was about memory forensics to detect unknown malware.

Interesting fact: Fahad lived very near where, allegedly, the first malware was created. He was very surprised when he found out (or was he???).
