System Overlord

A blog about security engineering, research, and general hacking.

Hacker Summer Camp 2018: Wrap-Up

I meant to write this post much closer to the end of Hacker Summer Camp, but to be honest, I’ve been completely swamped with getting back into the thick of things. However, I kept feeling like things were “unfinished”, so I thought I’d throw together at least a few thoughts from this year.

BSides Las Vegas

I can’t say much about BSides as a whole this year, as I spent the entire time Gold Teaming for Pros vs Joes CTF. (Gold Team is responsible for running the game infrastructure, scoreboard, etc.) It was a great experience to be on Gold Team, but I do miss having a team to support and educate. Overall, the CTF went fairly well, but there were a few bumps that I hope we can avoid next year.

BSides also announced that they are ending their free badges. In some ways, I’m disappointed, but I also understand the reasons they are doing this. Even though I’ve had a badge included with my participation in the PvJ CTF for years, I’ve also been a personal sponsor of BSidesLV for those years as well. I’m lucky enough to be well-employed in the industry that BSidesLV supports, and I want to support their mission. I hope others will do so as well, but I also want to try to find a way to support those who aren’t able to shell out for a badge. Once details are announced for badges next year, I’ll look for an opportunity to support passionate students in our community.

DEF CON 26

DEF CON 26 was an incredible event. I know there were some bumps and warts to it, but I had a great con. (Also, I think it’s the only conference I attend that I refer to simply as “con”.) The villages are my favorite part of DEF CON, and the villages were in rare form this year with the expansion.

This year was my first year speaking at DEF CON (as a village speaker) and I am incredibly humbled by the experience. To think that something I had done was seen as interesting enough for 150 or so attendees to choose to spend 45 minutes of their time listening to me really makes me feel like I’m making an impact. The audience was great, and thanks to the IoT village for having me. (Maybe one day I’ll get a DEF CON speaker badge to place on my wall of badges.)

I have hopes that next year, villages will have some way to divide their rooms or reduce noise for the presentations in their space. So many run another activity (a CTF, hands-on activities, etc.) and the noise from that can be problematic when it comes to speakers in the same space. (I experienced this both as a speaker and as an attendee for the talks.)

I also hope that next year, DEF CON will have helped to work through the issues we had with Caesar’s security this year. A good friend of mine landed in hot water over a misunderstood tweet, and there were the obvious reports of “room checks” that were not going according to the established policy. (I’m not even a fan of the room checks, but rifling through guests’ belongings is completely unacceptable.)

Splitting across Las Vegas Boulevard was also not the best situation. I look forward to moving back to Paris/Bally’s and having Planet Hollywood join the con. (Plus, breakfast crepes!) Getting over to Flamingo was such an ordeal that I only went over there once, and it was a brief visit at that. The ICS village over there was really impressive, and I missed out on a chance to get a Car Hacking Village badge. Some of this was poor planning on my part, but also the sheer distance between the two conference areas made it anything but convenient.

Conclusion

I can’t wait until next year. I’ll begin my planning guide around the beginning of 2019 to try to provide support to those looking for travel information, and I have a feeling that DEF CON 27 will be an even stronger showing. Here’s to all the contributions of the hacker family!


I'm the One Who Doesn't Knock: Unlocking Doors From the Network

IoT Hacker

Today I’m giving a talk in the IoT Village at DEF CON 26. Though not a “main stage” talk, this is my first opportunity to speak at DEF CON. I’m really excited, especially with how much I enjoy IoT hacking. My talk was inspired by the research that led to CVE-2017-17704, but it’s not meant to be a vendor-shaming session. It’s meant to be a discussion of the difficulty of getting physical access control systems that have IP communications features right. It’s meant to show that the designs we use to build a secure system when you have a classic user interface don’t work the same way in the IoT world.

(If you’re at DEF CON, come check it out at 4:45PM on Friday, August 10 in the IoT Village.)


Attacker Community DEF CON 26 Badge

I’ve spent an unhealthy amount of time over the past 6 months or so participating in the craze that is #badgelife. This year, I built badges for my Security Research Group/CTF Team: Attacker Community. (Because community is important when you’re attacking things.) Like last year, all of my badges were designed, assembled, and programmed by me. There are 24 badges this year, each featuring 8 characters of 14-segment display goodness and Bluetooth connectivity. I may not be one of the big names in #badgelife, but if you just make some badges for your friends, there’s a lot less pressure in case something comes up.


Hacker Summer Camp 2018: Cyberwar?

I actually thought I was done with the pre-con portion of my Hacker Summer Camp blog post series, but it turns out that people wanted to know more about “the most dangerous network in the world”. Specifically, I got questions about how to protect yourself in this hostile environment, like whether people should bring a burner device, how to avoid getting hacked, what to do after the con, etc.

The Network

So, is it “the most dangerous network in the world”? Well, there’s probably some truth to that in the sense that in terms of density of threats, it’s likely fairly high. In terms of sheer volume of threats, the open internet is obviously going to be a leader.

First off, the DEF CON network is really multiple networks. There’s the open WiFi, which is undeniably the Wild West of computers, and there’s the DEF CON “secure” network, which uses WPA2-Enterprise (802.1x) with certificates to verify the APs. The secure network also features client isolation. Additionally, the secure network is monitored by a dedicated NOC/SOC with some very talented and hard-working individuals. I would assert that being compromised on the secure network is approximately the same risk as being compromised on any internet connection.

So, there’s 0-day flying around left and right? Not so much. Most of the malicious traffic is likely coming from someone who just learned how to use Metasploit or just found out about some cool tool in a talk or workshop. Consequently, it’s unlikely to have much impact for those who patch and are security-aware.

What you will see a ton of is WiFi pineapples. People will go buy one at the Hak5 booth, and then immediately turn it on and try to mess with other attendees. It gets pretty old, pretty quickly. Just make sure you’re connected to the DEF CON Secure WiFi and this will be a minimal problem (maybe a denial of service).

In all honesty, the con hotel WiFi is a worse place to be than DEF CON secure, by a large margin. Plenty of stupid things happening there.

3 Approaches

The Minimalist

The minimalist carries a flip phone with a burner SIM. He/she maintains contact with friends using SMS or (gasp) actual phone calls. No laptop, no smart phone to be compromised. This is a great approach if you’re not going to participate in any activities that require tech on hand. If you’re going to hang out, listen to a few talks, and drink, this is the approach with no need to worry about getting compromised.

The Burner

No, this isn’t about Burning Man, although DEF CON is kinda like Burning Man for “400-lb hackers in basements”. This hacker brings a burner version of everything: so a smart phone, but a cheap burner. This probably will get compromised, as their carrier hasn’t pushed a patch in 3 years. (And even before that, it shipped with some shady pre-installed apps that send all your contacts over plaintext to a server in China…). They also bring a $200 Dell or HP laptop with Kali Linux on board.

They connect to the first WiFi they see, never mind that it’s labeled “FBI Surveillance Van 404”. If you plan for your hardware to get pwned, it doesn’t really matter if it’s bad WiFi, right?

Of course, in order for this to work correctly, you have to never use your devices for anything sensitive. Hopefully the urge to check your real email doesn’t get too strong. Or maybe your card is suspended for potentially fraudulent activity (like that $300 SDR) and you decide to log in “briefly” to reactivate it. This route really only works if you can maintain good OpSec.

“Good Enough” Security

If you can set aside ego and assume nobody is willing to try using a $100k+ 0-day on you, you can get by with a reasonable level of security. This involves bringing a modern fully-patched phone (iPhone or “flagship” Android phone), and optionally a well-secured laptop.

For the laptop, I’ve previously discussed using a Chromebook. Even with dev mode for crouton, I believe this to be reasonably safe from remote exploitation. This can also be cheap enough to be a disposable device. In my previous post, I suggested 3 Chromebook options:

Alternatively, you can get a cheap laptop and run fully-updated Windows 10 or Linux with a firewall enabled and be in a pretty good state for passive attacks over the network.

In either case, you should then run a VPN. I like Private Internet Access, but there’s a lot of options out there, or you can even run your own OpenVPN server if you’re feeling adventurous.

Summary

There’s never a guarantee of security, but with updated devices & good security hygiene, you can survive the DEF CON networks. The basic elements involved are:

  • Fully updated OS
  • Be super careful
  • Use a VPN
  • No Services Exposed

Good luck and see you at Hacker Summer Camp!


Hacker Summer Camp 2018: Last Minute Tips

This is an update to my planning guide as we get closer to Hacker Summer Camp. (We’re down to about 3 weeks now!)

Planning Your Time

Schedules and details for events have begun to be released. For example, we have:

It’s time to take a look at the lists of events and times and start making your “must do” list. Resist the temptation to try to plan every minute – first, you won’t be able to stick to it, and secondly, you’ll feel like it doesn’t leave you time for spur of the moment events. There will be conversations you want to have, people you want to meet, or unscheduled activities you want to check out.

For your evening plans, there’s no better source than the DEFCON Parties Calendar. Make sure you hydrate (and maybe take a shower) before you head out for the evening. Some of my favorites from years past include:

Dining & Restaurants

Value Eats

There’s a number of cheap eats in Las Vegas. I covered some of the cheapest in my first post, but I wanted to add a few more notes. I’ll focus on the ones in relatively close proximity to the DEF CON hotels (Flamingo and Caesars) as well as BSidesLV. I’ll also include things whose portion size/quality make up for the (slight) cost.

Quick bites (fast food):

  • Earl of Sandwich
  • Shake Shack
  • Caesar’s Food Court

Fast casual dining (sit down):

Buffets

Buffets on the strip are not cheap, despite what you might have heard. They also can have long lines at dinner time, so don’t expect it to be quick in and out.

  • Caesar’s Palace is home to the Bacchanal Buffet, which has incredibly high quality options (and is one of the top-rated buffets in Vegas), but is a pretty expensive meal. The lines are likely to be very bad during DEF CON, so I suggest going to another hotel if you’re absolutely looking for a buffet.

  • Flamingo’s Paradise Garden Buffet is a middle-of-the-road buffet, with decent, but not outstanding food. It is dramatically cheaper than at Caesar’s, so might be a good option for all-you-can-eat at a lower price.

  • Next door to Caesar’s is the Mirage, which hosts a buffet named Cravings. Unlike many Vegas buffets, beverages here are self-service, so you’ll never be wanting for a drink refill, but also don’t expect many servers around. I haven’t been here myself, but the menus generally look unimpressive.

  • Though not particularly close by, the Wicked Spoon is one of the best regarded buffets in Las Vegas, with gourmet dishes made from the best ingredients. They also offer brunch 7 days a week, which appeals to some.

  • The Buffet at the Wynn (literally, it’s named “The Buffet”) has one of the best dessert/pastry selections along with great entrees and sides. It’s also not cheap, but will not suffer from the peak rush at Caesars.

Nicer Options

These are the kind of restaurants where you’ll want more than a t-shirt and jeans (and almost certainly no shorts)! Reservations are recommended. Vegas is full of these restaurants, but a few of my favorites include:

Top Shelf

Okay, to be honest, I don’t really do the top shelf restaurants myself. If you’re into that sort of thing, you might want to check out the usual guides (Michelin, etc.)

A few I’m familiar with:

  • Bouchon
  • Mon Ami Gabi
  • Restaurant Guy Savoy
  • Nobu

Packing Reminders

Handling the Weather

It’s going to be hot, so be prepared. I strongly encourage bringing a reusable water bottle like the aluminum bottle I’ll be sporting, or a Nalgene bottle. Some will even go with a bladder-style backpack. I’ll also bring along a cooling towel, which works surprisingly well! (They use evaporation to cool you down.)

Hacking All the Things

Maybe you’re into hacking and would like to give it a shot while at DEF CON. There’s a bunch of different options here. If you want to bring a laptop with maximum security, I can’t encourage bringing a Chromebook enough. At the budget end of the spectrum, I really like the Acer Chromebook 11. For a mid-range Chromebook, I like the C302CA. At the top end, there’s nothing quite like the Pixelbook, which is currently 25% off.

While you can get lots of tech in the vendor area, you might want to consider bringing a C232HM universal cable, or at least a UART Cable. This will at least get you basic capabilities to play around with any electronic badges you might come across.

If you’re into other specific activities (SDR, etc.), you’ll want to bring the appropriate gear.

Conclusion

It’s time to start making your day-to-day plans. Many have suggested leaving lots of room for flexibility and just going with the flow, which is not a bad idea at all. Have fun!