Jonathan Lalou's Blog

Posts Tagged ‘DefCon32’

Cory Doctorow, a renowned author and digital rights advocate, delivered a passionate keynote at DEF CON 32, dissecting the decline of the internet and rallying hackers to reclaim its potential. Introducing the concept of “enshittification”—the degradation of online platforms due to unchecked corporate greed—Cory argued that restoring competition, regulation, interoperability, and tech worker power is essential for a new, user-centric internet. His call to action, rooted in decades of activism, inspired attendees to fight for technological self-determination.

Understanding Enshittification’s Roots

Cory began by lamenting the loss of the “old, good internet,” where Google delivered reliable search results, and platforms like Facebook prioritized user preferences. He attributed the rise of the “enshitternet” to corporate decisions prioritizing growth over security, such as data sharing with agencies like the NSA. Drawing on his work with the Electronic Frontier Foundation, Cory explained how the absence of competitive pressures, regulatory oversight, and worker advocacy allowed executives to degrade services, locking users into walled gardens that prioritize profits over functionality.

The Mechanics of Platform Decay

Delving deeper, Cory outlined the enshittification process: platforms initially attract users with quality services, then exploit them through data harvesting and degraded experiences, as seen in Amazon’s proliferation of low-quality drop-shipped products or Uber’s shift to higher fares and lower driver pay. He highlighted how tech giants leverage monopolistic control to stifle innovation, citing Apple’s pivot from privacy advocacy to surveillance-friendly practices. Cory’s analysis underscored the systemic nature of these changes, driven by executives exploiting unchecked power within corporate structures.

Empowering Hackers for Change

Cory urged the DEF CON community to lead the charge against enshittification by leveraging their technical expertise. He advocated for interoperability—enabling users to move seamlessly between platforms—and supported regulatory measures to curb monopolistic practices. Referencing his blog, Cory encouraged hackers to develop open-source alternatives and challenge proprietary systems. He emphasized the role of tech workers, citing the Tech Workers Coalition as a model for organizing to restore user-focused innovation.

Building a New Digital Future

Concluding, Cory envisioned a revitalized internet combining the simplicity of Web 2.0 with the decentralized ethos of the early web. He called for a “digital nervous system” to address global challenges like fascism, climate change, and inequality, urging hackers to reject the narrative that user experience and enshittification are inseparable. His post-talk book signing at the vendor area invited attendees to engage directly, fostering a collaborative push for a freer, more equitable digital landscape.

Links:

• Cory Doctorow’s blog
• Electronic Frontier Foundation website
• Tech Workers Coalition website

The DEF CON 32 Hacker Jeopardy Night 2, hosted by the spirited duo Lint and Miss Kitty, delivered an electrifying conclusion to the iconic contest, blending technical prowess with raucous entertainment. With a dedicated crew and enthusiastic audience, the event showcased cybersecurity-themed challenges, culminating in a dramatic finale where team Stepmoms clinched victory. Lint’s dynamic hosting and Kitty’s birthday celebration added a personal touch, reinforcing the community spirit that defines DEF CON’s beloved game show.

Crafting a Cybersecurity Spectacle

Lint kicked off the evening with gratitude for the 14-person crew’s tireless efforts, emphasizing the complexity behind the seamless show. The introduction of the “Lentil Lookalikes,” replacing past crew roles, brought fresh energy to the stage. The contest featured teams like Pandemonium and OnlyFans, competing in categories testing hacking knowledge, from network protocols to historical exploits. Lint’s humor and Kitty’s candid revelation of her “30 [expletive] years” birthday infused the event with camaraderie, making it a memorable celebration of hacker culture.

The Thrill of the Final Jeopardy

The competition intensified in the final round, where a question about OSI model layers—application, presentation, session, transport, network, data link, physical—tested the teams’ precision. Pandemonium’s correct answer, marred by failing to phrase it as a question, led to a catastrophic point loss, while OnlyFans’ alphabetical misordering cost them their lead. Stepmoms’ strategic zero wager secured their win, earning them a coveted Black Badge. Lint’s animated commentary amplified the drama, cementing Hacker Jeopardy’s reputation as a high-stakes, community-driven spectacle.

Fostering Community and Legacy

Reflecting on Hacker Jeopardy’s evolution, Lint highlighted its role in uniting the DEF CON community, encouraging attendees to “be [expletive] excellent to each other.” The event’s blend of technical rigor and playful chaos, supported by the crew’s dedication, showcased the hacker ethos of collaboration and creativity. Kitty’s personal touch, sharing her birthday with the audience, deepened the sense of connection, ensuring Hacker Jeopardy remains a cornerstone of DEF CON’s cultural legacy.

Links:

• None available

Adnan Khan and John Stawinski, security researchers, delivered a riveting presentation at DEF CON 32, exposing systemic vulnerabilities in GitHub Actions’ self-hosted runners. Their research revealed how misconfigurations enable attackers to compromise major open-source projects like PyTorch, leading to supply chain attacks. Earning over $250,000 in bug bounties, Adnan and John shared tactics, techniques, and procedures (TTPs) to elevate trivial compromises into critical breaches, urging organizations to bolster CI/CD security.

Exploiting Self-Hosted Runner Misconfigurations

Adnan and John opened by explaining GitHub Actions’ role as a leading CI/CD platform and its reliance on self-hosted runners—machines executing workflow jobs. They detailed how insecure defaults allow attackers to compromise runners, gaining access to sensitive repositories. Their attack on PyTorch demonstrated how a runner compromise enabled code contributions to the main branch, malicious release uploads, and backdooring related projects, highlighting the catastrophic potential of such flaws.

Escalating Privileges in GitHub Actions

Delving deeper, the duo showcased techniques to escalate privileges within GitHub Actions workflows, leveraging GitHub’s permissive features. Their research campaign uncovered vulnerabilities in organizations like Microsoft, TensorFlow, and ByteDance, exploiting misconfigured runners to achieve critical impacts. Adnan’s live demo illustrated how attackers could manipulate workflows to gain unauthorized access, emphasizing the need for robust access controls and monitoring in CI/CD pipelines.

Real-World Impact and Bug Bounty Success

Adnan and John shared war stories from their extensive bug bounty submissions, noting that internal CI/CD systems are often more vulnerable than public ones. Their work, yielding significant bounties, exposed a lack of awareness around CI/CD security. They highlighted successful mitigations by triage teams, urging organizations to learn from their findings. The duo’s research on platforms like HackerOne provides a blueprint for identifying similar vulnerabilities in other systems.

Strengthening CI/CD Security

Concluding, Adnan and John emphasized the need for heightened awareness among developers, architects, and executives to prevent supply chain attacks. They recommended isolating privileged runners, auditing configurations, and educating teams on CI/CD risks. Their call to action inspired attendees to explore these attacks and implement controls, ensuring organizations are better equipped to thwart the next critical breach in their CI/CD pipelines.

Links:

• HackerOne website
• Adnan Khan on LinkedIn
• John Stawinski on LinkedIn

Jim Rush and Tomais Williamson, security researchers from Wellington, New Zealand, electrified DEF CON 32 with a deep dive into exploiting NTLM authentication before its planned phase-out in Windows 11 and beyond. Representing CyberCX, they unveiled new vulnerabilities, bypassed existing fixes, and exposed insecure defaults in Microsoft’s NTLM-related controls. Their fast-paced presentation, infused with humor and technical depth, offered a final hurrah for NTLM hacking, urging attendees to turn off NTLM where possible.

Revisiting NTLM’s Persistent Flaws

Jim and Tomais began by contextualizing NTLM, a 25-year-old authentication protocol still prevalent despite its known weaknesses. They highlighted Microsoft’s plan to deprecate NTLM, yet emphasized its lingering presence in legacy systems. Their research uncovered new bugs, including a bypass of a previously patched CVE, allowing attackers to coerce NTLM hashes from various applications. By exposing these flaws, Jim and Tomais underscored the urgency of transitioning to more secure protocols like Kerberos.

Novel Exploitation Techniques

The duo detailed their innovative approaches, combining multiple bug classes to extract NTLM hashes from unexpected sources, such as document processors and build servers. Their live demonstrations showcased “cooked” bugs—exploits leveraging URL inputs to trigger hash leaks. Jim’s anecdotes about their discoveries, including a nod to their CyberCX colleague’s assistance, highlighted the collaborative nature of their work. These techniques revealed NTLM’s fragility, especially in environments with permissive defaults.

Insecure Defaults and Systemic Gaps

Focusing on Microsoft’s NTLM security controls, Jim and Tomais exposed glaring gaps, such as libraries allowing unauthenticated hash extraction. They demonstrated how attackers could exploit these defaults in applications like Microsoft Teams or PDF generators, turning innocuous features into attack vectors. Their findings, supported by CyberCX’s research efforts, emphasized the need for organizations to audit NTLM usage and disable it wherever feasible to prevent hash coercion.

Community Collaboration and Future Steps

Concluding, Jim and Tomais called for community engagement, inviting attendees to share ideas for extracting hashes from novel sources like video games. They praised Microsoft’s MSRC team for their responsiveness and urged continued disclosure to advance research. Their advice to “turn off NTLM, then turn it back on when someone screams” humorously captured the challenge of legacy system dependencies, encouraging proactive steps toward more secure authentication frameworks.

Links:

• CyberCX company website

J. Hoffman and Colby Morgan, offensive security engineers at Robinhood, delivered a compelling presentation at DEF CON 32, exploring vulnerabilities in the 1Password macOS desktop application. Focusing on the risks posed by compromised endpoints, they unveiled multiple attack vectors to dump local vaults, exposing weaknesses in 1Password’s software architecture and IPC mechanisms. Their research, blending technical rigor with practical demonstrations, offered critical insights into securing password managers against local threats.

Probing 1Password’s Security Assumptions

J. and Colby opened by highlighting the immense trust users place in password managers like 1Password, which safeguard sensitive credentials. They posed a critical question: how secure are these credentials if a device is compromised? Their research targeted the macOS application, uncovering vulnerabilities that could allow attackers to access vaults. By examining 1Password’s reliance on inter-process communication (IPC) and open-source components, they revealed how seemingly robust encryption fails under local attacks, setting the stage for their detailed findings.

Exploiting Application Vulnerabilities

The duo detailed several vulnerabilities, including an XPC validation bypass that enabled unauthorized access to 1Password’s processes. Their live demonstrations showcased how attackers could exploit these flaws to extract vault data, even on locked systems. They also identified novel bugs in Google Chrome’s interaction with 1Password’s browser extension, amplifying the attack surface. J. and Colby’s meticulous approach, including proof-of-concept scripts released at Morgan’s GitHub, underscored the need for robust validation in password manager software.

Mitigating Local Threats

Addressing mitigation, J. and Colby recommended upgrading to the latest 1Password versions, noting fixes in versions 8.10.18 and 8.10.36 for their disclosed issues. They urged organizations to enhance endpoint security, emphasizing that password managers are prime targets for red teamers seeking cloud credentials or API keys. Their findings, developed over a month of intensive research, highlighted the importance of proactive patching and monitoring to safeguard sensitive data on compromised devices.

Engaging the Security Community

Concluding, J. and Colby encouraged the DEF CON community to extend their research to other password managers, noting that similar vulnerabilities likely exist. They shared their code to inspire further exploration and emphasized responsible disclosure, having worked with 1Password to address the issues. Their call to action invited attendees to collaborate on improving password manager security, reinforcing the collective effort needed to protect critical credentials in an era of sophisticated local attacks.

Links:

• Colby Morgan’s GitHub
• Robinhood company website

Michael Orlitzky, a multifaceted security researcher and mathematician, captivated the DEF CON 32 audience with a provocative presentation on bypassing payment mechanisms in CSC ServiceWorks’ pay-to-play laundry machines. By exploiting physical vulnerabilities in Speed Queen washers and dryers, Michael demonstrated how to run these machines without payment, framing his actions as a response to CSC’s exploitative practices. His talk, rich with technical detail and humor, shed light on the intersection of physical security and consumer frustration, urging attendees to question predatory business models.

Uncovering CSC’s Predatory Practices

Michael began by introducing CSC ServiceWorks, a major provider of coin- and app-operated laundry machines in residential buildings. He detailed their business model, which charges tenants for laundry despite rent covering utilities, often trapping users with non-refundable prepaid cards or unreliable apps like CSC GO. Michael recounted personal grievances, such as machines eating quarters or failing to deliver services, supported by widespread customer complaints citing CSC’s poor maintenance and refund processes. His narrative positioned CSC as a corporate antagonist, justifying his exploration of hardware bypasses as a form of reclaiming fairness.

Bypassing Coin Slots with Hardware Hacks

Delving into the technical core, Michael explained how to access the service panels of CSC-branded Speed Queen machines, which use standardized keys available online. By short-circuiting red and black wires in the coin-drop mechanism, he tricked the machine into registering payment, enabling free cycles without damage. His live demonstration, complete with safety warnings about grounding and electrical risks, showcased the simplicity of the bypass—achievable in seconds with minimal tools. Michael’s approach, detailed on his personal website, emphasized accessibility, requiring only determination and basic equipment.

Addressing CSC’s Security Upgrades

Michael also addressed CSC’s response to his findings, noting that days before DEF CON 32, the company upgraded his building’s machines with new tubular locks and security Torx screws. Undeterred, he demonstrated how to bypass these using a tubular lockpick or a flathead screwdriver, highlighting CSC’s superficial fixes. His candid tone and humorous defiance—acknowledging the machines’ internet-connected logs—underscored the low risk of repercussions, as CSC’s focus on profit over maintenance left such vulnerabilities unaddressed. This segment reinforced the talk’s theme of exploiting systemic flaws in poorly secured systems.

Ethical Implications and Community Call

Concluding, Michael framed his work as a protest against CSC’s exploitative practices, encouraging attendees to consider the ethics of bypassing systems that exploit consumers. He shared resources, including manuals and his write-up, to empower others while cautioning about legal risks. His talk sparked reflection on the balance between technical ingenuity and corporate accountability, urging the DEF CON community to challenge predatory systems through informed action.

Links:

• Michael Orlitzky’s website
• CSC ServiceWorks website
• Alliance Laundry Systems website

Silvia Puglisi and Roger Dingledine, key figures in the Tor Project, delivered an insightful presentation at DEF CON 32, shedding light on the Tor network’s metrics and community-driven efforts to maintain its health. As millions rely on Tor to evade surveillance and censorship, Silvia and Roger detailed how the Tor Project collects safe metrics, detects attacks, and fosters a vibrant relay operator community. Their talk provided a window into the challenges of sustaining an anonymity network and invited attendees to contribute to its mission of preserving internet freedom.

Collecting Safe Metrics for Anonymity

Silvia opened by explaining the Tor Project’s approach to gathering metrics without compromising user anonymity. By analyzing usage patterns and relay performance, the network health team identifies unusual activity, such as potential attacks or misconfigured relays. Silvia highlighted tools like Tor Weather, which notifies operators of relay issues, and the network status API, which supports data analysis. These efforts ensure the network remains robust while prioritizing user privacy, a delicate balance in an anonymity-focused ecosystem.

Detecting and Mitigating Network Threats

Roger delved into the strategies for identifying and countering attacks on the Tor network, which supports over seven thousand volunteer-operated relays. He discussed how metrics help detect malicious relays and unusual traffic patterns, enabling rapid response to threats. Roger cited historical examples, such as the 2009 Green Party Movement in Iran, where Tor empowered activists, underscoring the network’s role in global activism. By sharing these insights, he emphasized the importance of community vigilance in maintaining network integrity.

Fostering a Diverse Relay Community

The duo highlighted the Tor Project’s efforts to grow its community of relay operators, encouraging attendees to run relays, bridges, or Snowflake proxies. Silvia detailed initiatives like the formal relay operator meetup planned for future conferences, aiming to strengthen community ties. Roger stressed that contributing to Tor supports activists worldwide, particularly those without institutional protections. Their call to action invited DEF CON attendees to join the network health team or contribute to projects like rewriting tools in Rust for better performance.

Future Challenges and Community Engagement

Concluding, Silvia and Roger outlined ongoing challenges, such as improving data visualization and scaling the network to handle increasing demand. They encouraged contributions to the Tor Project’s wiki and open-source tools, emphasizing that every relay or code contribution aids the fight for privacy and anonymity. Their interactive session at the Tor booth post-talk invited attendees to explore further, reinforcing the collaborative spirit that drives the Tor ecosystem forward.

Links:

• Tor Project website
• Roger Dingledine on LinkedIn
• Tor Project Wiki

Nick Frichette, a cloud security expert, enthralled the DEF CON 32 audience with a deep dive into vulnerabilities within Amazon Web Services (AWS) that enable initial access to cloud environments. Moving beyond traditional misconfiguration exploits, Nick explored flaws in AWS services like AppSync and Amplify, demonstrating how attackers can hijack Identity and Access Management (IAM) roles. His presentation offered practical defensive strategies, empowering organizations to secure their cloud infrastructure against sophisticated attacks.

Understanding IAM Role Exploits

Nick began by explaining how IAM roles establish trust within AWS, relying on mechanisms like sts:AssumeRoleWithWebIdentity to prevent unauthorized access across accounts. He detailed a confused deputy vulnerability in AWS AppSync that allowed attackers to assume roles in other accounts, bypassing trust boundaries. Through a real-world case study, Nick illustrated how this flaw enabled unauthorized access, emphasizing the importance of understanding trust relationships in cloud environments to prevent such breaches.

Amplify Vulnerabilities and Zero-Day Risks

Delving deeper, Nick revealed a critical vulnerability in AWS Amplify that exposed customer IAM roles to takeover, granting attackers a foothold in victim accounts. His demonstration highlighted how adversaries could exploit this flaw without authentication, underscoring the severity of zero-day vulnerabilities in cloud services. Nick’s meticulous analysis of Amplify’s architecture provided insights into how such flaws arise, urging security practitioners to scrutinize service configurations for hidden risks.

Defensive Strategies for Cloud Security

Nick concluded with actionable recommendations, advocating for the use of condition keys in IAM trust policies to block cross-tenant attacks. He demonstrated how setting account-specific conditions thwarted his AppSync exploit, offering a defense-in-depth approach. Nick encouraged organizations to audit IAM roles, particularly those using web identity federation, and to test configurations rigorously before deployment. His work, available at Security Labs, equips defenders with tools to fortify AWS environments.

Links:

• Security Labs website
• Nick Frichette on LinkedIn

Xavier Zhang, an RFID enthusiast and physical security researcher, delivered a concise yet impactful presentation at DEF CON 32, exposing vulnerabilities in HID iClass SE readers used in physical access control systems. By demonstrating cloning, downgrading, and emulation attacks, Xavier revealed how attackers can bypass secure credentials to gain unauthorized access to facilities. His interactive demos, leveraging tools like Proxmark3 and Flipper Zero, underscored the importance of mutual authentication and provided practical mitigation strategies to enhance physical security.

Exploiting iClass SE Vulnerabilities

Xavier opened by outlining the mechanics of HID iClass SE credentials, widely used in secure facilities. He detailed four attack vectors, starting with cloning, the simplest method, which exploits predictable facility codes in poorly configured systems. By analyzing publicly available documentation from a Canadian vendor, Xavier showed how attackers can replicate credentials without physical access, highlighting the risks of enabling legacy technologies on modern readers. His insights emphasized the need for robust configuration practices to prevent trivial exploits.

Advanced Attacks and Community Contributions

Transitioning to more complex techniques, Xavier demonstrated downgrading and emulation attacks that bypass iClass SE’s secure authentication. Using tools like Proxmark3 and Flipper Zero, he showcased how vulnerabilities, such as an authentication bypass discovered by the RFID hacking community, enable unauthorized access. Xavier acknowledged contributors like Eric Betts and Kate, whose work on iClass documentation and emulation code was instrumental. His live demos illustrated the real-world implications of these exploits, urging organizations to prioritize secure credential issuance.

Links:

• None available

Martin Doyhenard, a seasoned security researcher, captivated the DEF CON 32 audience with his exploration of innovative web cache exploitation techniques. Focusing on exploiting ambiguities in RFC standards, Martin unveiled two novel methods—Static Path Deception and Cache Key Confusion—that push the boundaries of web cache attacks. Through detailed case studies and a live demonstration, he showcased how these techniques can compromise application confidentiality, enable arbitrary cache poisoning, and even achieve full site takeovers, providing actionable insights for security practitioners to identify and mitigate such vulnerabilities.

Unveiling Web Cache Mechanics

Martin began by elucidating the inner workings of web caches, which store frequently accessed content to enhance website performance. He highlighted how caches rely on URL parsing to determine what to store and serve, yet inconsistencies in parsing across platforms create exploitable vulnerabilities. By leveraging ambiguities in RFC standards, attackers can manipulate cache behavior to serve malicious content or expose sensitive data. Martin’s clear explanation set the stage for understanding the sophisticated attacks that followed, emphasizing the critical role of URL parsers in web security.

Static Path Deception: Breaching Confidentiality

Delving into his first technique, Martin introduced Static Path Deception, a method that exploits cache handling of static file paths to compromise application confidentiality. Using a case study involving Nginx behind Cloudflare, he demonstrated how attackers can trick caches into serving sensitive content to unauthorized users. By crafting specific URL patterns, Martin showed how this technique bypasses traditional cache restrictions, exposing private data. His findings underscore the need for consistent cache configuration across content delivery networks and web servers to prevent such breaches.

Cache Key Confusion: Poisoning and Denial of Service

Martin then presented Cache Key Confusion, a technique exploiting discrepancies in how platforms like Microsoft Azure Cloud normalize cache keys. He illustrated how attackers can manipulate URL parsing to poison caches, serving malicious content to all users or triggering denial-of-service attacks. His live demo combined Cache Key Confusion with an open redirect vulnerability to execute arbitrary JavaScript, achieving a complete site takeover. This powerful demonstration highlighted the far-reaching impact of parser inconsistencies and the potential for significant disruption in cloud-based environments.

Mitigation and Community Engagement

Concluding, Martin shared practical strategies to counter these vulnerabilities, urging organizations to audit cache configurations and disable key normalization where possible. He introduced his open-source tool, Cache Killer, designed to detect parsing discrepancies, and encouraged the DEF CON community to contribute to its development. By sharing references to prior research and his own findings, Martin fostered a collaborative approach to improving web cache security, inspiring attendees to hunt for similar vulnerabilities in bug bounty programs and beyond.

Links:

• None available