Monday, August 06, 2007

Things I learned at DEFCON 15

I just went to DEFCON in Las Vegas for the first time this year and it was a blast. Tons of smart people, cool hacks, great speakers, fun activities and stuff to learn. Here's a brief summary of some of the things I picked up this past weekend (in no particular order):
  • Virtually any lock that you have bought can be picked, easily. Even the (supposedly) secure Medeco locks that they have on the white house and other high-security areas can be broken by a 12-year-old girl. For more, see the blog entry (by the guys that made this presentation, Marc Weber Tobias and Matt Fiddler) here. Gun locks, also, are completely trivial for a kid to break as this amazing video proves (more on this subject: blog, report). Also from the talk: most hotel safes are terribly insecure. To break those that use your credit card to open/lock them, the code of the master card that unlocks all of them in stored in memory inside the safe. All you have to do is open the safe (legitimately) and then dump that code and write it to a card to have a "master card" for all the safes in the hotel... yikes!
  • SCADA systems, the systems that run critical infrastructure such as water treatment plants, electrical grids and nuclear power plants have an overwhelming number of vulnerabilities. Scary. Nationwide emergency alert systems also have relatively easy attack vectors (from the talk by Ganesh Devarajan).
  • There is always a motive for Internet crimes, just like ones off the net. The motive for the attack on the Dolphin Stadium website prior to the 2007 Super Bowl was particularly interesting because the attack, which was made on several other lower-profile websites, was linked to a Chinese syndicate that wanted users' World of Warcraft online credentials to acquire additional WoW gold! This is the first attack of its kind. (From the Internet Wars 2007 panel)
  • One interesting way of getting malware on a user's computer is to set up a website and register malware to be downloaded on that website as a codec with Microsoft. That way, when a victim visits the attacker's site, he is prompted with a "Additional codecs are required to display content on this page... would you like to download them?" message. If he does, he downloads the malware onto his computer. (From the Internet Wars 2007 panel)
  • If you're a NBC Dateline reporter, don't refuse a press pass and then try to brew up some sensationalist report about hackers at DEFCON. You will get owned.
  • Even the badges at the conference were a hack unto themselves (video). How cool is that? And there is a rap about the conference, too!
  • If you want to start up an advocacy organization, the most important thing you can do is have a paid person sitting by the phone who knows what expert to contact (and how to contact them) when called by reporters. PledgeBank is a good site to help organize the effort to raise this money. (Funny quote from the same Danny O'Brien talk: "[Imitating a typical clueless reporter that calls EFF] People will call and say, 'I heard that such-and-such technology can make someone's penis fall off; can this be done with Ruby on Rails?' ... In this way, EFF operates as a clearinghouse for idiots")
  • Sam Bowne offers a class at San Francisco City College called "Ethical Hacking and Network Defense" ... sweet! (He recommends Hack this Site and as good references)
  • Brendan O'Connor gave a really good talk about the extra layer of "security" that banks are now layering onto their authentication services and how this layer improves neither the user's privacy nor his security -- in fact, it may be degrading both. Bruce Potter similarly lambasted "Defense in Depth" for being a lame attempt at covering up bad code with extra layers of "security."
  • Bruce Potter of the Shmoo Group gave a talk about how the dynamics of vulnerability disclosure are changing: instead of informing the vendor of the weakness in their product, hackers are often now selling information about those vulnerabilities to third parties (who may or may not have good intentions). Potter called for a discussion on whether this was ethical and/or good for the security community.
  • Thomas J. Holt presented on the economics and dynamics of the malware marketplace. This market is mainly organized around forms based in Russia and Eastern Europe where sellers start forum threads advertising their product. Moderators of the forum then test the software to see if it does what the seller says it does and then give their opinion of it on the same thread. If the opinion is good, and the seller has a good reputation, then buyers start asking questions about the software and perhaps buy it. The final step is the reviews of the software by the buyers which attest to the malware's quality (or lack therof). Some sell not only hacking tools like Pinch, Nuclear Grabber and PG Universal Grabber but the data obtained by using these hacking tools. Some forums maintain lists of sellers who are "rippers" -- rip off artists -- and blacklist them.
  • AgentX gave a whirlwind talk about "22 Things that Keep me up at Night." Among these: "Shrinking the Gap" (based off of ideas of Thomas Barnett), low cost pervasive bandwidth, open source warfare (the terrorists are all sharing techniques -- why aren't we?), the security industrial complex (complacency = bad), homogeneity of the hacker (all white males, but starting to change -- he notes good progress at DEFCON 15), why aren't you encrypting all your communications? (because the NSA is listening)
  • Mike Murray had some interesting things to say about social engineering/NLP/hypnotism. Such as: you are four times more likely to follow a command following a non-grammatical sentence, you wouldn't do something hypnotized that you wouldn't do in the first place (such as kill a commanding officer -- study), tag questions ("won't you?" "right?") are convincing, confusion is the key!, the right tone can be categorized as "artfully vague," stories are more powerful than reasoning, questions are more powerful than statements, Milton Erikson = best hypnotist ever
  • I missed Bruce Schneier's talk, but someone posted a video of it here. The whole presentation is interesting, but probably the most stimulating is his discussion of how you DON'T need an ID to fly on an airplane; you just get a little extra screening.
Other notable moments/events include the Guitar Hero contest, Brew Wars, Phreaking Challenge, Capture the Flag, Hacker Jeopardy, TCP/IP Drinking Game, Lockpicking Village, automated airgun target contest, the Wall of Sheep and the Wireless Village. Definitely going next year!

Videos of all of the presentations have been posted here.

No comments: