Posts Tagged ‘DefCon32’

[DefCon32] Changing Global Threat Landscape

Rob Joyce, a distinguished former National Security Agency (NSA) official, joined Jeff Moss, known as The Dark Tangent and founder of DEF CON, for a riveting fireside chat at DEF CON 32. Their discussion delved into the dynamic evolution of global cyber threats, with a particular focus on the transformative role of artificial intelligence (AI) in reshaping cybersecurity. Rob, recently retired after 34 years at the NSA, brought a wealth of experience from roles such as Cybersecurity Coordinator at the White House and head of the NSA’s Tailored Access Operations. Jeff facilitated a conversation that explored how AI is redefining defense strategies and the broader implications for global security, offering insights into the challenges and opportunities ahead.

The Evolution of Cyber Threats

Rob began by reflecting on his extensive career at the NSA, where he witnessed the transformation of cyber threats from isolated incidents to sophisticated, state-sponsored campaigns. He highlighted how adversaries now leverage AI to enhance attack vectors, such as spear-phishing and polymorphic malware, which adapt dynamically to evade detection. Rob emphasized that the scale and speed of these threats demand a shift from reactive to proactive defenses, underscoring the importance of understanding adversaries’ intentions through signals intelligence. His experience during the Iraq War as an issue manager provided a unique perspective on the strategic use of cyber intelligence to counter evolving threats.

AI’s Dual Role in Cybersecurity

The conversation pivoted to AI’s dual nature as a tool for both attackers and defenders. Rob explained how AI enables rapid analysis of vast datasets, allowing defenders to identify patterns and anomalies that human analysts alone could never cover. However, he cautioned that adversaries use the same capabilities to sustain long-running intrusions and to automate attacks at scale. Jeff probed the balance between automation and human oversight, to which Rob responded that AI-driven tools, like those developed by the NSA, are critical for scaling defenses, particularly for protecting critical infrastructure. The integration of AI, he noted, is essential to keep pace with the growing complexity of cyber threats.

Strengthening Defenses Through Collaboration

Rob stressed the importance of bipartisan support for cybersecurity, noting that stopping foreign adversaries is a shared goal across administrations. He highlighted the role of the Office of the National Cyber Director (ONCD) in convening agencies to synchronize efforts, citing examples where ground-up collaboration among agencies has led to effective threat mitigation. Jeff asked about the resource gap, and Rob acknowledged that the scope of threats often outpaces available resources. He advocated for widespread adoption of two-factor authentication and secure software development practices, such as moving away from memory-unsafe languages, to build more defensible systems.

Building a Resilient Future

Concluding, Rob expressed optimism about the trajectory of cybersecurity, emphasizing that automation can alleviate the burden on security teams, particularly for 24/7 operations. He underscored the need for robust teams and innovative technologies to address the relentless pace of vulnerabilities exploited by attackers. Jeff echoed this sentiment, encouraging the DEF CON community to contribute to shaping a secure digital landscape. Their dialogue highlighted the critical role of collaboration between government, industry, and the hacker community in navigating the ever-changing threat landscape.

Links:

[DefCon32] Fireside Chat – The Dark Tangent and DNSA Anne Neuberger

Jeff Moss, known as The Dark Tangent, founder of DEF CON, engages in a dynamic fireside chat with Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. Their conversation at DEF CON 32 explores pressing cybersecurity issues, including artificial intelligence and quantum computing, from the White House’s perspective. Jeff and Anne discuss how the hacker community can influence policy, fostering collaboration to enhance global digital resilience.

Navigating Emerging Technologies

Anne opens by outlining her role in shaping the Biden Administration’s cybersecurity policies, emphasizing the transformative potential of AI and quantum computing. She highlights the need for resilient digital systems, given their critical role in hospitals and power grids. Jeff complements this by noting DEF CON’s history of hosting government speakers, underscoring the importance of dialogue between hackers and policymakers.

Strengthening Global Cooperation

The discussion shifts to international cybersecurity cooperation, with Anne detailing efforts to align allies against digital threats. She explains how coordinated responses can de-escalate conflicts, reducing the risk of cyberattacks by nation-states or criminals. Jeff probes the practicalities of these partnerships, highlighting the hacker community’s role in testing and refining these strategies.

Engaging the Hacker Community

Anne emphasizes the DEF CON community’s unique ability to identify vulnerabilities and propose innovative solutions. She encourages hackers to engage with government initiatives, leveraging tools like generative AI to patch vulnerabilities swiftly. Jeff reinforces this, noting that DEF CON’s open forum allows for candid feedback, shaping policies that reflect real-world challenges.

Building a Resilient Future

Concluding, Anne reflects on her privilege to serve in government, driven by a commitment to freedom and security. She invites hackers to collaborate on building robust digital systems, ensuring safety for critical infrastructure worldwide. Jeff echoes this call, envisioning DEF CON as a catalyst for policy improvements, with Anne’s return next year symbolizing ongoing partnership.

Links:

[DefCon32] If Existing Cyber Vulns Magically Disappeared, What Next

Dr. Stefanie Tompkins, Director of DARPA, joined by Dr. Renee Wegrzyn, inaugural Director of ARPA-H, explores a hypothetical scenario where all cyber vulnerabilities vanish overnight. Their interactive session at DEF CON 32 delves into the hacker community’s contributions to cybersecurity and the next frontier of challenges, from supply chain vulnerabilities to quantum computing. Stefanie and Renee emphasize the synergy between DARPA, ARPA-H, and the DEF CON community in shaping a secure digital future.

The Hacker Community’s Legacy

Stefanie opens by celebrating the DEF CON community’s role in challenging the status quo, citing DARPA’s Cyber Grand Challenge and Cyber Fast Track as catalysts for vulnerability detection advancements. She highlights how diverse perspectives have driven innovations like the ARPANET, the precursor to the internet. Stefanie underscores the community’s potential to address future threats, encouraging active collaboration with agencies like DARPA.

Envisioning a Vulnerability-Free World

Renee explores the implications of a world without cyber vulnerabilities, questioning what new challenges would emerge. She discusses ARPA-H’s Apex program, which leverages generative AI to create novel antigen sequences for unaddressed viruses, illustrating how hacker ingenuity could pivot to proactive solutions. Renee emphasizes the need to secure health tech ecosystems, particularly hospitals, against cyberattacks.

Tackling Supply Chain and Quantum Challenges

Stefanie, a geologist by training, shares her focus on supply chain vulnerabilities, given their critical role in global technology ecosystems. She also addresses quantum computing’s uncertain future, noting DARPA’s efforts to determine its transformative potential versus obsolescence. Stefanie’s insights highlight the need for rigorous questioning to guide technological development, inviting hackers to contribute ideas.

Fostering Collaborative Innovation

Concluding, Renee and Stefanie call for continued partnership with the DEF CON community to solve complex problems. They encourage attendees to share ideas with DARPA and ARPA-H, emphasizing that transformative solutions arise from collective creativity. Their vision for a resilient digital and health infrastructure inspires hackers to shape the next era of cybersecurity innovation.

Links:

[DefCon32] DriverJack: Turning NTFS and Emulated ROFs into an Infection

Alessandro Magnosi, a security researcher at the British Standards Institute, unveils a technique for loading malicious drivers on Windows 11 by abusing NTFS features and emulated read-only filesystems (ROFs). His presentation at DEF CON 32 explains how advances in Windows security, such as Driver Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI), have pushed attackers to find new ways of getting code into the kernel. Alessandro’s work also provides actionable detection strategies to counter these threats.

Exploiting NTFS and ROFs

Alessandro introduces his DriverJack technique, which abuses behaviours of NTFS and of emulated CDFS (ISO) volumes to bypass modern Windows driver-loading protections. Building on previously identified weaknesses in emulated filesystems, Alessandro demonstrates how attackers can covertly install a malicious driver. His approach, developed at the British Standards Institute, leverages these weaknesses to achieve persistence, evading detection mechanisms designed to thwart traditional malware deployment.

Bypassing Security Mechanisms

Delving deeper, Alessandro explains how DriverJack circumvents DSE and HVCI. He explores alternative delivery methods driven from user mode, integrating with existing tools such as Kernel Driver Utility (KDU) and Kernel Forge when HVCI is disabled. He notes that these bypasses depend on HVCI being unavailable or switched off, which remains common on older hardware, so keeping hardware and firmware current is itself a security control.

Detection and Mitigation Strategies

Alessandro provides practical Indicators of Compromise (IOCs): privilege escalations to SYSTEM or TrustedInstaller, drive letter changes, and alterations to symbolic links in the NT object manager namespace. He advocates runtime hash verification of driver load events, comparing the image actually loaded against a known-good baseline, to catch substituted drivers. His publicly available proof-of-concept on GitHub lets researchers test and refine these countermeasures.
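As an added illustration of the IOCs above (not Alessandro’s tooling and not code from the talk), the following Python turns the four indicators into checks over constructed, Sysmon-style event records. The driver path, the hash baseline, the device-name prefixes and the sample events are all made up for the example.

```python
"""Added example: toy detections for the DriverJack indicators.

Not the talk's tooling. The events below are constructed, Sysmon-style
records (driver load, object-manager symbolic-link change, process
creation); the hash baseline, paths and device prefixes are assumptions.
"""
import hashlib

# Assumed baseline: driver image path -> SHA-256 recorded from a known-good host.
DRIVER_PATH = r"C:\Windows\System32\drivers\exampledrv.sys"   # hypothetical driver
DRIVER_BASELINE = {
    DRIVER_PATH: hashlib.sha256(b"known-good exampledrv.sys").hexdigest(),
}

# Backing devices a driver image should never be loaded from (emulated or
# removable media); the prefixes are illustrative.
SUSPICIOUS_DEVICES = ("\\Device\\CdRom", "\\Device\\VhdmpDisk", "\\Device\\Imdisk")

HIGH_PRIV_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT SERVICE\\TrustedInstaller"}
WINDOWS_DIR = "C:\\Windows\\"


def parse_hashes(field):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return a dict keyed by algorithm."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def check_driver_load(ev):
    """Runtime hash verification plus a backing-device check for one driver load."""
    alerts = []
    path = ev["ImageLoaded"]
    observed = parse_hashes(ev["Hashes"]).get("SHA256", "").lower()
    expected = DRIVER_BASELINE.get(path)
    if expected is None:
        alerts.append(("unknown-driver", path))
    elif observed != expected:
        alerts.append(("driver-hash-mismatch", path))
    if ev.get("DeviceName", "").startswith(SUSPICIOUS_DEVICES):
        alerts.append(("driver-from-emulated-volume", ev["DeviceName"]))
    return alerts


def check_symlink_change(ev):
    """A drive letter under \\GLOBAL?? repointed to another device is a DriverJack IOC."""
    link = ev["Link"]
    is_drive_letter = link.startswith("\\GLOBAL??\\") and link.endswith(":") and len(link) == 12
    if is_drive_letter and ev["OldTarget"] != ev["NewTarget"]:
        return [("drive-letter-remapped", link + " -> " + ev["NewTarget"])]
    return []


def check_process_create(ev):
    """Flag SYSTEM / TrustedInstaller tokens running an image outside the Windows directory."""
    if ev["User"] in HIGH_PRIV_ACCOUNTS and not ev["Image"].startswith(WINDOWS_DIR):
        return [("high-priv-token-outside-windows", ev["Image"])]
    return []


CHECKS = {
    "DriverLoad": check_driver_load,
    "SymlinkChange": check_symlink_change,
    "ProcessCreate": check_process_create,
}


def run_detections(events):
    """Apply the checks to a list of event dicts and return (kind, detail) alerts in order."""
    alerts = []
    for ev in events:
        alerts.extend(CHECKS[ev["type"]](ev))
    return alerts


# Constructed sample telemetry: one benign load, then a DriverJack-like sequence.
SAMPLE_EVENTS = [
    {"type": "DriverLoad", "ImageLoaded": DRIVER_PATH,
     "Hashes": "SHA256=" + DRIVER_BASELINE[DRIVER_PATH],
     "DeviceName": r"\Device\HarddiskVolume3"},
    {"type": "ProcessCreate", "User": "NT SERVICE\\TrustedInstaller",
     "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe"},
    {"type": "SymlinkChange", "Link": r"\GLOBAL??\C:",
     "OldTarget": r"\Device\HarddiskVolume3", "NewTarget": r"\Device\CdRom0"},
    {"type": "DriverLoad", "ImageLoaded": DRIVER_PATH,
     "Hashes": "SHA256=" + hashlib.sha256(b"attacker-supplied exampledrv.sys").hexdigest(),
     "DeviceName": r"\Device\CdRom0"},
]

if __name__ == "__main__":
    for kind, detail in run_detections(SAMPLE_EVENTS):
        print(kind + ": " + detail)
```

The hash check is the one that matters most: a path alone tells you nothing once a drive letter has been repointed, so the comparison must be on the bytes the kernel actually mapped, which is why the baseline is keyed by path but judged by hash.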

Strengthening System Defenses

Concluding, Alessandro urges organizations to prioritize hardware updates and implement cross-checks for driver integrity. His work underscores the evolving nature of cyber threats, encouraging the cybersecurity community to stay vigilant. By sharing DriverJack’s methodologies, Alessandro inspires proactive measures to safeguard Windows systems against emerging exploits.

Links:

[DefCon32] Compromising Electronic Logger & Creating Truck2Truck Worm

Jake Jepson and Rik Chatterjee, systems engineering master’s students at Colorado State University, present a compelling investigation into the cybersecurity risks of Electronic Logging Devices (ELDs) in the trucking industry. Their session at DEF CON 32 exposes critical vulnerabilities in these mandated devices, demonstrating the potential for remote exploits and a wormable attack that could propagate across truck networks. Jake and Rik’s research underscores the urgent need for standardized security protocols in an industry pivotal to global supply chains.

Uncovering ELD Vulnerabilities

Jake opens by highlighting the role of ELDs in ensuring compliance with Hours of Service regulations, yet notes their susceptibility to cyber-physical attacks due to inadequate security measures. Working at Colorado State University, Jake and Rik reverse-engineered commercially available ELDs, identifying insecure defaults and poor security practices. Their findings reveal how attackers could exploit these weaknesses to gain unauthorized control over truck systems, posing significant risks to safety and logistics.

Developing a Truck2Truck Worm

Rik details their proof-of-concept attack, which leverages wireless communication vulnerabilities in ELDs. Using tools like Ghidra for firmware reverse-engineering and network scanners, they developed a worm capable of spreading via over-the-air firmware updates, exploiting default credentials. Rik explains how trucks’ proximity at rest stops or distribution hubs, combined with always-on diagnostic ports, creates ideal conditions for propagation: each infected truck can reach any vulnerable neighbour within roughly 120 feet, enough to sweep a crowded lot and, over time, an entire fleet.
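To make the propagation condition concrete, here is an added contact-graph model of the spread described above. It is not Jake and Rik’s code: the truck positions (in feet), the 120 ft range and the idea that a patched truck (default credentials changed) neither accepts a reflash nor relays are constructed assumptions for the example.

```python
"""Added example: contact-graph model of Truck2Truck propagation.

Not the authors' code. Positions are in feet and are constructed; the
radio range is taken from the talk summary. A "patched" truck no longer
has the default credentials, so it can neither be reflashed nor relay.
"""
import math
from collections import deque

RANGE_FT = 120.0

# Constructed rest-stop layout: a row of trucks 70 ft apart, one parked
# off the end of the row, and one far away at the fuel island.
REST_STOP = {
    "T1": (0.0, 0.0),
    "T2": (70.0, 0.0),
    "T3": (140.0, 0.0),
    "T4": (210.0, 0.0),
    "T5": (600.0, 0.0),     # out of range of everyone
    "T6": (210.0, 100.0),   # reachable only from T4
}


def in_range(a, b):
    """True when two trucks are within Wi-Fi range of each other."""
    return math.dist(a, b) <= RANGE_FT


def propagate(positions, seed, patched=frozenset()):
    """Breadth-first spread from `seed`; returns the set of infected truck ids."""
    if seed in patched:
        return set()
    infected, queue = {seed}, deque([seed])
    while queue:
        cur = queue.popleft()
        for tid, pos in positions.items():
            if tid in infected or tid in patched:
                continue
            if in_range(positions[cur], pos):
                infected.add(tid)
                queue.append(tid)
    return infected


def bridge_trucks(positions, seed):
    """Trucks whose patching alone cuts the seed off from at least one other truck."""
    baseline = len(propagate(positions, seed))
    return {t for t in positions if t != seed
            and len(propagate(positions, seed, frozenset({t}))) < baseline - 1}


if __name__ == "__main__":
    print("infected from T1:", sorted(propagate(REST_STOP, "T1")))
    print("trucks worth patching first:", sorted(bridge_trucks(REST_STOP, "T1")))
```

The point of `bridge_trucks` is operational: with a fleet you cannot patch all at once, the trucks that sit between clusters are the ones whose firmware fix buys the most containment.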

Coordinated Disclosure and Industry Impact

Jake shares their coordinated disclosure process, including his first CVE, which prompted a swift response from the manufacturer, IOSiX, who issued a patch. However, Jake emphasizes that the root issue lies in government-mandated, self-certified devices lacking rigorous security standards. Their work highlights systemic flaws in ELD certification, urging regulators to prioritize cybersecurity to prevent large-scale disruptions in the trucking industry.

Links:

[DefCon32] Prime Cuts from Hacker History: 40 Years of 31337

Deth Veggie, Minister of Propaganda for the Cult of the Dead Cow (cDc), leads a nostalgic panel celebrating 40 years of hacker culture, joined by members of cDc, Legion of Doom, 2600 Magazine, Phrack, and r00t. Moderated by Professor Walter Scheirer from the University of Notre Dame, the session traces the origins of the computer underground in 1984, a pivotal year marked by the rise of personal computers and modems. Through vivid storytelling and audience engagement, the panelists reflect on the rebellious spirit, technical curiosity, and community that defined early hacking, offering insights for inspiring the next generation.

The Birth of Hacker Culture

Deth Veggie sets the stage, recounting the founding of cDc in 1984 in a Texas slaughterhouse adorned with heavy metal posters and a cow skull. This era saw the convergence of disaffected youth, empowered by personal computers and modems, forming groups like Legion of Doom and launching 2600 Magazine. The panelists share how their fascination with technology and rebellion against societal norms fueled the creation of a vibrant subculture, where Bulletin Board Systems (BBSes) became hubs for knowledge exchange.

The Rise of T-Files and Phrack

The panel explores the explosion of written hacker culture in 1985 with the advent of Phrack Magazine and text files (t-files), which became the currency of elite hackers. Panelists from Phrack and 2600 recount how these publications democratized technical knowledge, from phone phreaking to early computer exploits. Their stories highlight the thrill of discovery and the camaraderie of sharing hard-earned insights, shaping a community driven by curiosity and defiance.

Navigating the Underground

Reflecting on their experiences, the panelists discuss navigating the computer underground, from dial-up BBSes to illicit explorations of early networks. Members of Legion of Doom and r00t share anecdotes of creative problem-solving and the ethical dilemmas of their actions. These narratives reveal a culture where technical prowess and a desire to challenge authority coexisted, laying the groundwork for modern cybersecurity practices.

Engaging the Next Generation

Responding to audience questions, the panel addresses how to inspire today’s youth to engage with technology creatively. Deth Veggie suggests encouraging hands-on exploration through hacker spaces, maker spaces, and vintage computer festivals, where kids can tinker with old cameras and computers. The panelists emphasize finding role models who ignite passion, citing their own experiences looking up to peers on stage. They advocate fostering an active search for knowledge, akin to the BBS era, to cultivate emotional and intellectual investment in tech.

Preserving the Hacker Spirit

The panel concludes by urging the community to preserve the hacker spirit through mentorship and open knowledge sharing. Walter Scheirer’s moderation highlights the importance of documenting this history, as seen in cDc’s archives and 2600’s ongoing publications. The panelists call for nurturing curiosity in young hackers, ensuring the legacy of 1984’s rebellious innovators continues to inspire transformative contributions to technology.

Links:

[DefCon32] Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF

Kuan-Ting Chen, known as HexRabbit, a security researcher at DEVCORE and member of the Balsn CTF team, delivers a riveting exploration of Linux kernel vulnerabilities in the nftables subsystem. His presentation at DEF CON 32 unveils three novel vulnerabilities discovered through meticulous analysis of the nftables codebase, a critical component for packet filtering in the Linux kernel. Kuan-Ting’s journey, marked by intense competition and dramatic setbacks in Google’s kernelCTF bug bounty program, culminates in a successful exploit, earning him his first Google VRP bounty. His narrative weaves technical depth with the emotional highs and lows of vulnerability research, offering a masterclass in kernel exploitation.

Understanding nftables Internals

Kuan-Ting begins by demystifying nftables, the successor to iptables, which manages packet filtering and network-related functionalities in the Linux kernel. He explains how features like batch commits, anonymous chains, and asynchronous garbage collection, designed to enhance efficiency, have inadvertently increased complexity, making nftables a prime target for attackers. His introduction provides a clear foundation, enabling attendees to grasp the intricate mechanisms that underpin his vulnerability discoveries.

Uncovering Novel Vulnerabilities

Delving into the technical core, Kuan-Ting dissects three nftables vulnerabilities, two of which exploited challenging race conditions to capture the kernelCTF flag. He details how structural changes in the nftables codebase, often introduced by security patches, can unintentionally create new flaws. One of them, CVE-2024-26925, arose from the commit mutex being released inside a garbage-collection sequence on the transaction abort path, letting the asynchronous GC worker free objects the aborting transaction still referenced and yielding a double free. His methodical approach, combining code auditing with creative exploitation techniques like Dirty Pagedirectory, achieved a 93–99% success rate across hardened kernel instances, including Ubuntu and Debian.

The kernelCTF Roller-Coaster

Kuan-Ting’s narrative shines as he recounts the emotional and competitive challenges of the kernelCTF program. He describes a series of near-misses: an initial exploit collided with another submission, a second was rendered unusable due to a configuration error, and a third lost a submission race by mere seconds. The turning point came when a competitor’s disqualification allowed Kuan-Ting to secure the bounty just before Google disabled nftables in the LTS instance on April 1, 2024. This gripping tale underscores the persistence required in high-stakes vulnerability research.

Lessons for Kernel Security

Concluding, Kuan-Ting reflects on the broader implications of his findings. He advocates for rigorous code auditing to complement automated fuzzing, as subtle logic errors can lead to potent exploits. His work, detailed in resources like the Google Security Research repository, encourages researchers to explore novel exploitation techniques while urging kernel maintainers to strengthen nftables’ defenses. Kuan-Ting’s success inspires the cybersecurity community to tackle complex subsystems with creativity and resilience.

Links:

[DefCon32] Encrypted Newspaper Ads in the 19th Century

Elonka Dunin and Klaus Schmeh, renowned cryptology experts, unravel the mystery of encrypted advertisements published in The Times between 1850 and 1855. Intended for Captain Richard Collinson during his Arctic expedition, these ads used a modified Royal Navy signal-book cipher. Elonka and Klaus’s presentation traces their efforts to decrypt all ads, providing historical and cryptographic insights into a unique communication system.

The Collinson Cipher System

Elonka introduces the encrypted ads, designed to keep Collinson informed of family matters during his search for the lost Franklin expedition. The cipher, based on a Royal Navy signal-book, allowed Collinson’s family to encode messages for publication in The Times, accessible globally. Elonka’s narrative highlights the system’s ingenuity, enabling secure communication in an era of limited technology.

Decrypting Historical Messages

Klaus details their decryption process, building on 1990s efforts to break the cipher. Using their expertise, documented in their book from No Starch Press, Klaus and Elonka decoded over 50 ads, placing them in geographic and cultural context. Their work reveals personal details, such as messages from Collinson’s sister Julia, showcasing the cipher’s effectiveness despite logistical challenges.

Challenges and Limitations

The duo discusses the system’s mixed success, noting that Collinson received only four messages in Banuwangi due to expedition unrest. Klaus addresses the cipher’s weaknesses, such as predictable patterns (fixed openings and signatures, and code groups repeated across ads), which modern techniques could exploit. Their analysis, enriched by historical records, underscores the challenges of maintaining secure communication in remote settings.
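To show how a code-book cipher of this family works and where the predictable patterns come from, here is an added toy implementation (my example, not Elonka and Klaus’s code). The code book, the letter-spelling table and the three sample advertisements are all constructed; none of it is the Royal Navy signal book or a real Times ad.

```python
"""Added example: a toy code-book cipher in the style of the Collinson ads.

Constructed throughout: the code book, the spelling table and the sample
advertisements are invented for the example, not taken from the signal book.
"""
from collections import Counter
import string

# Constructed code book: word -> three-digit group, as a signal book maps
# phrases to flag numbers.
CODEBOOK = {
    "all": 112, "well": 147, "at": 158, "home": 193, "your": 204, "mother": 231,
    "sister": 232, "julia": 240, "sends": 255, "love": 288, "letter": 263,
    "received": 270, "from": 201, "december": 301, "enterprise": 305,
}
SPELL_BASE = 400   # groups 400..425 spell single letters for words not in the book
SPELL = {c: SPELL_BASE + i for i, c in enumerate(string.ascii_lowercase)}
WORD_FROM_GROUP = {g: w for w, g in CODEBOOK.items()}


def encode(message):
    """Turn plaintext into numeric groups; unknown words are spelled letter by letter."""
    groups = []
    for word in message.lower().split():
        if word in CODEBOOK:
            groups.append(CODEBOOK[word])
        else:
            groups.extend(SPELL[c] for c in word if c in SPELL)
    return groups


def decode(groups):
    """Inverse of encode(); a run of spelling groups becomes one word."""
    words, spelled = [], []
    for g in groups:
        if SPELL_BASE <= g < SPELL_BASE + 26:
            spelled.append(string.ascii_lowercase[g - SPELL_BASE])
            continue
        if spelled:                       # two spelled words in a row would merge;
            words.append("".join(spelled))  # a real book needs a separator group
            spelled = []
        words.append(WORD_FROM_GROUP[g])
    if spelled:
        words.append("".join(spelled))
    return " ".join(words)


def format_ad(groups):
    """Render the groups as they would appear in a printed advertisement."""
    return " ".join(str(g) for g in groups)


def positional_constants(ads):
    """Groups that sit at the same offset from the start or end of every ad.

    A fixed address at the front and a fixed signature at the back are exactly
    the predictable patterns a cryptanalyst seizes on first.
    """
    n = min(len(a) for a in ads)
    head = {i: ads[0][i] for i in range(n) if all(a[i] == ads[0][i] for a in ads)}
    tail = {-(i + 1): ads[0][-(i + 1)] for i in range(n)
            if all(a[-(i + 1)] == ads[0][-(i + 1)] for a in ads)}
    return head, tail


def group_frequencies(ads):
    """How often each group appears across all ads (repetition leaks structure)."""
    return Counter(g for a in ads for g in a)


# Constructed sample advertisements, each addressed to the ship and signed the same way.
SAMPLE_ADS = [
    encode("Enterprise all well at home your sister Julia sends love"),
    encode("Enterprise letter received December all well your mother Julia sends love"),
    encode("Enterprise all well at home letter from mother Julia sends love"),
]

if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        print(format_ad(ad))
    print(positional_constants(SAMPLE_ADS))
```

Even without the book, an analyst who sees the same opening group and the same three closing groups in every ad can label them as an address and a signature, and every group recovered that way shrinks the unknown part of the book.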

Modern Cryptographic Relevance

Concluding, Elonka explores the potential of artificial intelligence in cryptanalysis, noting that LLMs struggle with precise tasks like counting letters but excel in pattern recognition. Their work invites further research into historical ciphers, inspiring cryptographers to apply modern tools to uncover past secrets, preserving the legacy of Collinson’s innovative system.

Links:

[DefCon32] DC101 – Panel

Nikita, Grifter, and other DEF CON organizers deliver an engaging DC101 panel, guiding newcomers through the conference’s vibrant ecosystem. Their session offers practical advice on navigating DEF CON’s contests, social events, and hacking opportunities, fostering an inclusive environment for first-time attendees. Nikita’s candid leadership and the team’s anecdotes create a welcoming introduction to the DEF CON community.

Navigating DEF CON’s Landscape

Nikita opens by outlining DEF CON’s extensive schedule, from 8:00 a.m. to 2:00 a.m., filled with contests, parties, and spontaneous hacking sessions. As director of content and coordination, Nikita emphasizes the variety of activities, such as laser Tetris and social gatherings, ensuring newcomers find engaging ways to connect and learn.

Engaging with Contests and Events

Grifter, the lead for contests and events, shares insights into DEF CON’s competitive spirit, highlighting past highlights like T-Rex fights and the infamous “naked guy” incident from a scavenger hunt. His anecdotes illustrate the creativity and unpredictability of DEF CON’s challenges, encouraging attendees to participate in contests to hone their skills.

Building Community Connections

The panel emphasizes the importance of community, with Nikita encouraging attendees to network and collaborate. The hotline program, led by another organizer, facilitates communication, ensuring newcomers feel supported. Their advice to engage with others, even in informal settings, fosters a sense of belonging in the hacking community.

Inspiring Future Contributions

Concluding, Nikita urges attendees to submit to the Call for Papers (CFP) for future DEF CONs, emphasizing that research and passion can earn a main stage spot. The panel’s lighthearted yet practical guidance, enriched with stories like the bean chair contest, inspires newcomers to dive into DEF CON’s dynamic culture and contribute to its legacy.

Links:


[DefCon32] Bug Hunting in VMware Device Virtualization

JiaQing Huang, Hao Zheng, and Yue Liu, security researchers at Shanghai Jiao Tong University, explore an uncharted attack surface in VMware’s device virtualization within the VMKernel. Their presentation unveils eight vulnerabilities, three assigned CVEs, discovered through reverse-engineering. JiaQing, Hao, and Yue provide insights into exploiting these flaws, some successfully demonstrated at Tianfu Cup, and discuss their implications for virtual machine security.

Exploring VMware’s VMKernel

JiaQing introduces the VMKernel’s device virtualization, focusing on the virtual machine monitor (VMM) and the UserRPC mechanism through which the VMM hands device requests to the user-mode VMX process on the host. Their reverse-engineering, conducted at Shanghai Jiao Tong University, uncovered vulnerabilities in USB and SCSI emulation, revealing a previously unexplored attack surface critical to VMware Workstation and ESXi.

USB System Vulnerabilities

Hao details flaws in the USB system, including the host controller, VUsb middleware, and backend devices. Their analysis identified exploitable issues, such as improper input validation, that could allow attackers to manipulate virtual devices. By exploiting these vulnerabilities, Hao and his team achieved privilege escalation, demonstrating the risks to virtualized environments.

SCSI Emulation Flaws

Yue focuses on the SCSI-related emulation in VMware’s virtual disk system, highlighting differences between Workstation and ESXi. Their discovery of an out-of-bounds write in the handling of the UNMAP command, caused by descriptor lengths taken from the guest-supplied parameter list without checking them against the buffer, caused system crashes. Yue’s analysis underscores design flaws in disk emulation, exposing potential avenues for virtual machine escape.
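As an added illustration of the bug class (not VMware’s code and not the team’s exploit), the following Python parses an UNMAP parameter list in the SBC-3 layout (an 8-byte header followed by 16-byte block descriptors) twice: once trusting the header’s descriptor length, once validating every length against the bytes actually received. The four-entry descriptor table and the guard bytes behind it are a constructed stand-in for an emulator’s fixed-size buffer.

```python
"""Added example: SCSI UNMAP parameter-list parsing with and without length checks.

Not VMware's code. The header/descriptor layout follows SBC-3; the 4-entry
table and the guard bytes after it are a constructed stand-in for the
emulator's fixed-size buffer, so the "overflow" shows up as a clobbered guard.
"""
import struct

HEADER_SIZE = 8
DESC_SIZE = 16
MAX_DESCRIPTORS = 4            # assumed capacity of the emulated device's table
GUARD = b"\xAA" * 32           # "memory" adjacent to the table


def build_param_list(descriptors, claimed_bd_len=None):
    """Build an UNMAP parameter list; claimed_bd_len lets a caller lie in the header."""
    body = b"".join(struct.pack(">QI4x", lba, nblocks) for lba, nblocks in descriptors)
    bd_len = len(body) if claimed_bd_len is None else claimed_bd_len
    data_len = 6 + len(body)   # UNMAP DATA LENGTH counts the bytes after itself
    return struct.pack(">HH4x", data_len, bd_len) + body


def unmap_unchecked(param_list):
    """Copies descriptors into a fixed table, trusting the header's length.

    Returns True if the guard behind the table survived, False if it was overwritten.
    """
    memory = bytearray(MAX_DESCRIPTORS * DESC_SIZE) + bytearray(GUARD)
    _, bd_len = struct.unpack_from(">HH", param_list, 0)
    for i in range(bd_len // DESC_SIZE):          # never compared with MAX_DESCRIPTORS
        src = HEADER_SIZE + i * DESC_SIZE
        dst = i * DESC_SIZE
        memory[dst:dst + DESC_SIZE] = param_list[src:src + DESC_SIZE]
    return bytes(memory[MAX_DESCRIPTORS * DESC_SIZE:]) == GUARD


def unmap_checked(param_list, capacity_blocks, max_descriptors=MAX_DESCRIPTORS):
    """Validate every length against what was actually transferred before using it."""
    if len(param_list) < HEADER_SIZE:
        raise ValueError("short header")
    data_len, bd_len = struct.unpack_from(">HH", param_list, 0)
    if data_len + 2 > len(param_list):
        raise ValueError("UNMAP DATA LENGTH exceeds transferred bytes")
    if bd_len % DESC_SIZE or HEADER_SIZE + bd_len > data_len + 2:
        raise ValueError("bad BLOCK DESCRIPTOR DATA LENGTH")
    count = bd_len // DESC_SIZE
    if count > max_descriptors:
        raise ValueError("%d descriptors exceeds table of %d" % (count, max_descriptors))
    descriptors = []
    for i in range(count):
        lba, nblocks = struct.unpack_from(">QI", param_list, HEADER_SIZE + i * DESC_SIZE)
        if lba + nblocks > capacity_blocks:
            raise ValueError("descriptor runs past the end of the device")
        descriptors.append((lba, nblocks))
    return descriptors


if __name__ == "__main__":
    benign = build_param_list([(0x1000, 8), (0x2000, 16)])
    hostile = build_param_list([(i * 0x100, 1) for i in range(6)])   # 6 > table of 4
    print("benign keeps guard:", unmap_unchecked(benign))
    print("hostile keeps guard:", unmap_unchecked(hostile))
    print("checked parse:", unmap_checked(benign, capacity_blocks=1 << 20))
```

Three separate lengths are in play (the header’s data length, the block descriptor length, and the number of bytes the transport actually delivered) and the checked version refuses to let any one of them exceed the next; the range check against the device capacity is the disk-level equivalent, since a descriptor past the end of the backing store is the other way this command reaches memory it should not.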

Mitigating Virtualization Risks

Concluding, JiaQing proposes strengthening sandbox protections and reducing the privileges of the emulation process so that a device-emulation bug yields less. Their work, officially confirmed by VMware, calls for robust mitigation strategies to secure virtual environments. By sharing their findings, JiaQing, Hao, and Yue encourage researchers to explore VMKernel security, strengthening virtualization against emerging threats.

Links: