After a lunch of churros, main course not needed because it turned out the Food for the People bacon and egg butty that had for morning tea rendered a savoury lunch meal unnecessary, the afternoon session kicked off. The churros at Mexico were good, but the service was incredibly slow. Slow enough that said churros took so long to deliver that I was late back to the first afternoon session.
Churros. One hour to serve. Also mistaking one of my lunch companions for a man, despite her having breasts, long hair, and a flowery dress, which would usually cause me to assume the person in question would prefer feminine forms of address. It’s a subtle distinction, I know.
Anyway, the same caveat applies to the morning session: tech failure, no note-taking apparatus, write-up from memory, all errors of fact, understanding, or anything else mine.
Multipath Madness, MPTCP, and Beyond - featuring HTTP evasive fragmentation
Kate’s bright yellow dress seemed entirely appropriate for someone who appears to have about as much energy as a small explosion. Despite arriving late (grrrr), I quickly picked up the gist of it, namely:
- There are an increasing number of mechanisms for routing packets (at various levels of the network stack) between servers and clients. Kate noted that multipath TCP, recently getting a serious workout in the Linux kernel, in particular.
- By design these encourage diverse routes; MPTCP is intended to improve performance and resilience in devices with many network devices; for example: cellphones with LTE and 802.11 should be able to use both links at once, and fail in between them at any point needed.
- Most intrusion detection and content filtering systems, on the other hand, take a very simplistic view of the world, where traffic is always routed from the source to the destination via a single connection (or group of connections) from one interface on the client.
- As such, there are interesting things one can do by forcing route diversity between the client and the server; these don’t even need ot map to different physical interfaces.
- The intercept technology will typically become confused by the payload - the client and server expect to see packets sprayed over (e.g.) four disparate routes, but most intercept tools will regard it as junk.
- This effect can be further exacerbated by mixing more and more source and destination traffic together - for example proxies on either side of the intercept traffic that sift the data from many clients or many sessions on the same client.
This can, Kate suggested, be used to hide in plain sight - if the tools can’t make sense of it, data could even be sent in the clear with the interceptor none the wiser as to how to reassemble it.
Red Teaming “Enemy of the State”
Some of the hackers present listed their favourite movie as, well Hackers. Wayne (no surname, no handle, no company affiliation) listed his as Enemy of the State, where Will Smith and Gene Hackman conspire to take down the NSA by relentlessly coming after the boss. Wayne was less interesting in bringing down the NSA per se, and more in the pursuit of a high-value target, bugging his house, car, and so on.
The stage thus set, Wayne gave what was a talk which was at once, interesting, thought-provoking, and really disturbing.
Wayne’s job, which allows him to live out his Enemy of the State dreams is working as part of a red team. “When the target gets on flight overseas, you think, well, I guess I’m travelling this week”; living the dream indeed.
The first portion of Wayne’s talk covered his philosophy of doing red team work properly; one problem, he noted, is that “we look at the threats we think we deserve”, which is something I agree with hugely, although in an entirely different direction to Wayne1. Fundamentally, Wayne argues that red teams need scope to attack as they think appropriate, not to have terms of engagement that constrain them to what a client thinks is interesting, and he makes a good argument for it. Yes, it’s interesting to know that John the secretary lets people wearing overalls wander around the office if they claim to be doing network maintenance, or that Jane on the helpdesk will help you work around password reset policies if you’re a smooth talker, but if you rule out going after, say, senior managers, what have you really learned?
From there, Wayne started to share some of his war stories to buttress the idea of a no-holds-barred approach. This is were “interesting” quickly morphed into “interesting and really disturbing”.
At one point Wayne allowed that many of these techniques could get you into trouble, and waving what purports to be a contract from a client may not convince the police you’re on the up and up; he shared the story of one set of attacks where he was based out of a hotel. He was useing a rifle scope as a spotting device. As was his custom, he sleeps in a sleeping bag beside the bed. Being a very neat person, he likes to carefully lay out his tools, such as his lockpicks and scanners and so on, very neatly and just so on the desks in his hotel room.
(I’m going to take a wild guess here and assume Wayne has some sort of millitary background. No reason.)
Well, someone reported his suspicious behaviour, leading to the police popping into his hotel room. And, strangely enough, on finding a sniper scope and a variety of tools associated with Serious Crime, they arrested Wayne and questioned him for 8 hours before deciding his story stacked up. They still weren’t especially pleased.
Anyway, Wayne started out by describing an engagement where he was attacking a company via a senior manager. He followed the manager day in, day out, establishing his routines and patterns. Other members of the team followed him on social media. He was under more or less constant surveillance, his car being followed, and being observed at work. Wayne showed a picture (face blurred out) of the manager at work - Wayne had sat in a swamp for most of a day, almost a kilometer away, to time the picture for a period where the reflective glass in the target’s building would be transparent for a few minutes so he could snap some shots. The team used these for some social engineering work - calling people in the same office and asking for particular books on the shelf behind the target’s desk to be read out over the phone.
Think about that for a minute.
The next phase was noting that the manager had mentioned on his social media account that he liked to have an electronics-free period during the week - only an hour or two, but a nice electronic detox. So Wayne and the team followed him to the place he did this. Wayne noted he went to the same place via the same route every day. And having watched him - a lot - they noticed that he had the habit of leaving all his electronics, including his corporate laptop and phone, in the car. And that when he got out of the car, he locked it with the remote without bothering to so much as glance back and see whether the car had actually locked.
So Wayne and his team did the logical thing, which was to use a jammer to block the car fob from locking the car, and then to go through the car and see what they could loot.
Take another moment.
Next, Wayne discussed another case. He was being asked to infiltrate a high-security datacentre facility. He didn’t give any client details, of course, but the description he gave put it into fairly rarified company in the Australian market: weigh-in, weigh-out security systems, entry and exit tubes that prevent tailgating and so on and so forth. This presented a problem for Wayne, since sneaking in wouldn’t work. Even if he talked his way in as part of a nominal maintenance crew, the facility was crawling with cameras, so it would be trivial to spot anyone horsing around. So he had to come up with another approach.
Wayne outlined a much less traditional attack: he contacted the facility, claiming to represent a Singaporean company that was looking to enter the Australian market and would need a high-security data center. He was intensely interested in this one, he told the sales rep, but his company required him to personally audit the facility before they could progress anything. Were there any customer tours where he could get the information he needed to assure his bosses they could place millions of dollars of business here? No? Such a shame, Wayne was so looking forward to doing business with the facility, but he understands, policy is policy… wait, a staff tour?2 Well, if you think that would be appropriate… no, Wayne wouldn’t mind tagging on to a staff tour.
He wouldn’t mind that at all.
Not least because the eager sales rep scheduled him on a day when new people with critical roles in the facility were being inducted, giving him more detail about the actual setup than he could have dreamed he’d get.
Finally, Wayne rolled out both his tech demo and the ultimate story: a client where exec-level staff were in the habit of discussion highly confidential information in all sorts of ways they shouldn’t be. Anyone who’s sat in the Koru lounge or equivalent would understand its value for high-end espionage, but Wayne wanted to demonstrate why you shouldn’t be discussing multi-million or multi-billion dollar contracts over your cell phone while you’re in your car, for example.
So Wayne showed us how you, too, can make like the FBI and run your own Stinger device. For a surprisingly small sum of money, you can purchase a GSM device which will hook cellphones and let them do with them as you will - after all, you’re a cell phone tower now! Metlstorm noted that they had, in fact, obtained a license to demonstrate this ($23, apparently, for experiments with cellphones, so long as you operate in bits of the spectrum that won’t interfere with carriers). Wayne wanted to share this demo with us, although the demo gods were not kind, and it looked like things wouldn’t work out. Until audience members, ignoring Wayne’s warnings that they really, really, really shouldn’t be trusting him by connecting their Telstra phones to his cell tower, loaned him some phones. Whereupon Wayne was able to demonstrate how trivial it was to record in-flight conversations one the phone calls were being routing through his fake tower.
This is highly fucking illegal if you do it in the wild. Client contract or no.
But, I imagine, it made the point rather dramatically to the client. It was a bravura performance - Wayne’s a very good story teller, along with his other abilities. Probably not someone you’d want to upset in case he went full Taken on your arse.
I ended up with very mixed feelings from this; on the one hand, I agree with much of Wayne’s point: if you are worth it, an adversary can achieve some pretty remarkable outcomes without having to take too massive or expensive a set of risks. On the other hand, there seem plenty of risks with going down this kind of red team rabbit hole:
- Fundamentally how do you determine whether you are at a realistic risk of this level of attack?
- How do you avoid being seduced by sexy stuff while ignoring more mundane and more critical vulnerabilities?
- How do you deal with the potential fallout if your red team gets caught by the police?
- How do you deal with the fallout of a senior person with a good employment lawyer takes serious objection to their employer waging this kind of campaign againt them?
Practical SMEP Bypass Techniques on Linux
This talk had to be cancelled, seeing as how Vitaly was stuck in Sydney airport, and had missed all his connections to Wellington. Thanks, airlines!
People’s Choice Cyber Talk - Day 1 - The Kiwicon Crue
This ended up being a session on looting KeePass.
- Turns out to be gratifyingly difficult.
- The first three approaches failed. It turns out that the KeePass devs have documented all the obvious attacks and then countered them.
- Not only that, their implementation is really robust.
- Eventually there was a way, but it’s not trivial, and requires a good understanding of managed code on Windows and how to subvert it by injecting a DLL into the VM, then exporting the KeePass DB as plaintext.
A nice palette cleanser after the morning sessions of “everything is terribly designed and incompetently executed.”
Modern Corporate Wifi Rustling
So we’re back to “Oh god it’s all awful.”
Chris discussed the various schemes used to provide WiFi in corporate environments; these are generally divided into three netowrk zones:
- A secure zone which requires full authentication to join. Authentication can come from a number of sources - machine certs, logins, or what have you, but it’s not uncommon for the auth mechanism to tie back to the same single sign on mechanism used for the whole network, such as your AD login.
- An insecure “internet access” zone which provides unrestriced access, or access via a captive portal, intended to be handed out willy-nilly and providing no real access to the corporate jewels.
- A half-way house where internet access might be available, but also various extranet features, like access to Outlook Web, or Citrix services, or similar.
These are often running on the same wireless APs, which can provide a certain level of entertainment, but the meat of Chris’ talk was the authentication mechanisms used for “enterprise” wireless networks. These commonly use some variant of EAP with varying levels of protection. Chris called out a number of problems:
- EAP, as he would demonstrate shortly, has some problematic security behaviours.
- There are various mitigants to this, including PEAP (EAP-in-TLS), but they require complex client-side configuration.
- Most users aren’t really up to getting that right, and the rise of BYOD means than they’re the ones who have to.
- Different vendors expose different levels of configuration for EAP. The vendors that expose all the options make it easy to fuck it up. The vendor (Apple) who makes it simple also doesn’t provide the ability to turn on most of the security. For fucks sake.
The practical upshot of all this is that it is very, very easy to end up broadcasting the login credentials to your corporate network over any wifi connection your cellphone/tablet/whatever tries to connect do, and broadcasting them with only the native protection enjoyed by at-rest AD password hashes (which is effectively none, these days). This means a misconfigured device will be spraying credentials potentially everywhere and anywhere.
Fortunately for Chris, the audience were keen to assist him in demonstrating this, connecting (presumably) deliberately misconfigured devices to the Kiwicon wireless; Chris quickly demonstrated capturing the information associated with the devices, and then cracking the password of one user. Simples.
Adventures in glitching PIC microcontrollers to defeat firmware copy protection
Metl came on and explained that (now Dr) Silvio’s writing in the dodgy ‘zines of Metl’s youth had been formativ ein encouraging him down the path of hackerdom; hence, it was a particular pleasure to welcome him as a speaker.
I… can’t even come close to doing this one justice. For one, no notes. More importantly, this was one of those things where, like General Relativity, I can grasp the outlines, but ask me to do the calculus, and I’m screwed. But I’ll have a go, anyway.
Dr Silvio’s particular interest is around embedded device hacking. Sometimes, as Matthew outlined earlier in the day, this is stupidly simple due to the grotesque ineptness of the people putting them together, but the devices Silvio is trying to attack are a bit more robust than that; the often have some reasonably sound protection in the way of encrypted firmware (for example) making it hard to find what’s going on.
(Although the noted many of the devices he’s looked at, while doing a bang-up job of locking down the vendor code and data, leave the user data hanging out there for casual inspection, which says a lot about their priorites.)
Anyway, the most fruitful response to this is glitching: looking at altering the environmental characteristics the chip runs under to try and cause consistent error states that can be exploited to reveal information that can ultimately be exploited; one typical example of glitching is to over or undervolt an IC while it runs until it is just far enough out of spec to error consistenly, but not so far out of spec that it fails completely.
This sounds a great deal easier in principle than it is in practise; the practise, of course, is where minds immeasurably superior to mine take over. Silvio went through some of the techniques he uses to make this work; one in particular that entertained the audience was his description of trying to get at a particularly recalcitrant IC by decapping it (removing the ceramic container around the chip proper); the Internet led him to believe that dropping it in warm nitric acid would do the trick and, well, you can see a version of the video he showed us:
Silvio noted somewhat wryly that he is wearing a mask because this is a technique that can kill you, which puts it a bit above the risks normally taken to defeat copy protection; he also observed his first effort did as good a job of dissolving the chip as the casing, which wasn’t really the effect he was after.
Practical PHP Object Injection - hyprwired
This was, I’m afraid, when the combination of my-brain-is-full crossed over with my-children-would-like-to-see-their-father, causing me to head home for dinner.
- That is to say, I agree that people like to focus on threats they’re interested in to the exclusion of ones they should care about. But while much of Wayne’s talk consisted of describing very high-end threats, my day-to-day professional life consists of the opposite problem: too many people in coroporate infosec get hung up on sexy, exciting threats, often after listening to vendors who have expensive products to offer, which neglecting very mundane but much more exploitable ones. If your Unix servers use NFS shares, are they kerberized? Are you sure your IPMI interfaces are listening only where you expect them to? Are they properly secured? Could your code reviews actually pick up someone shaving pennies on transactions? So why the fuck are you worried about someone stealing laptops and using liquid nitrogen to retrieve passwords from memory? Exactly. Because it’s cool and it makes you feel important. ↩
- This one makes complete sense to me, because this line of negotiation works perfectly well with all sorts of things. Sales staff, in my experience, are typically offered incentives which line up surprisingly poorly with what’s good for their employer, and being very disappointed in a deal and explaining one feels forced to walk away from what would otherwise have been a beautiful friendship will cause many sales reps to get very, very creative with the rules they operate under. ↩