Posts Tagged ‘DefCon32’

[DefCon32] DEF CON Unplugged: Cocktails & Cyber with Jeff & Jen

Jen Easterly, Director of CISA, and Jeff Moss, founder of DEF CON, engage in a candid “Ask Me Anything” session, blending mixology with cybersecurity insights. Their informal dialogue, set against Jen’s cocktail-making, addresses pressing issues like cyber liability and secure software development. As members of CISA’s advisory council, Jen and Jeff offer a unique perspective on fostering a secure digital ecosystem through collaboration and accountability.

Navigating Cyber Liability

Jen and Jeff tackle a question on cyber liability, acknowledging its complexity due to legal frameworks focusing on proximate causes, like human errors in ransomware attacks, rather than root issues. Jen emphasizes the need for a cultural shift toward security, referencing CISA’s Cyber Safety Review Board report, which highlights vendor accountability. Their discussion underscores the challenge of legislating liability without a major incident driving change.

Building a Secure Ecosystem

The duo explores levers for enhancing cybersecurity, such as fostering a culture of responsibility among software vendors. Jen highlights the importance of product differentiation through secure development practices, while Jeff stresses the role of community engagement in shaping policy. Their dialogue, enriched by real-world examples, advocates for proactive measures to prevent devastating cyberattacks.

Community Engagement and Collaboration

Reflecting on DEF CON’s role, Jen shares her enthusiasm for the conference as a hub for hacker innovation. She and Jeff emphasize the value of open dialogue, as seen in their AMA format, to bridge gaps between government and the hacker community. By encouraging questions, they foster a collaborative environment where ideas can shape future cybersecurity strategies.

Future Directions for Cybersecurity

Concluding, Jen and Jeff call for sustained efforts to protect critical capabilities from malicious actors, including nation-states and criminals. Their session, blending humor with policy insights, inspires attendees to contribute to a more secure digital landscape through shared responsibility and innovative thinking.

[DefCon32] Secret Life of Rogue Device: Lost IT Assets on the Public Marketplace

Matthew Bryant, a seasoned security researcher and red team leader at Snap, unveils a startling investigation into the underground market for rogue IT assets. His presentation explores how sensitive devices—employee laptops, hardware prototypes, and even classified government systems—end up on public marketplaces. Through innovative techniques like scraping millions of online listings and reverse-engineering obfuscated apps, Matthew reveals the scale of this issue and its implications for organizational security.

The Scope of Rogue Devices

Matthew begins by defining rogue devices as assets that should never be resold, such as corporate laptops or early-stage hardware prototypes. His research, conducted with support from Snap and inspired by collaborator Apple Demo’s YouTube work on iPhone prototypes, involved analyzing over 150 million images from Western and Eastern secondhand markets. Matthew’s findings expose a thriving trade in sensitive equipment, often originating from e-waste recycling centers or lax supply chain controls.

Technical Challenges and Innovations

To uncover these devices, Matthew employed creative methodologies, including an OCR cluster built from repurposed iPhones to process listing images. He also reverse-engineered Chinese marketplace apps, navigating their obfuscation to extract data. These efforts revealed employee laptops with sensitive data, prototype iPhones, and even government servers on platforms like eBay. Matthew’s approach highlights the ingenuity required to track assets across global, often opaque, marketplaces.

Supply Chain and E-Waste Vulnerabilities

Delving deeper, Matthew identifies supply chain leaks and e-waste mismanagement as primary sources of rogue devices. Companies assume discarded hardware is destroyed, but recyclers often resell functional equipment, such as “50 good iPhones,” for profit. This creates opportunities for attackers to acquire sensitive assets. Matthew stresses the need for organizations to enforce strict destruction protocols and monitor secondary markets to prevent leaks.

Strengthening Organizational Defenses

Concluding, Matthew urges companies to trace their assets’ lifecycle rigorously, from procurement to disposal. By identifying leak sources through marketplace analysis, organizations can close vulnerabilities. His work, enriched by collaborations with underground collector communities, underscores the importance of proactive monitoring and robust supply chain security to safeguard sensitive data and hardware.

[DefCon32] A Shadow Librarian: Fighting Back Against Encroaching Capitalism

Daniel Messer, a seasoned librarian, delivers a passionate call to action against the corporatization of public libraries. Facing challenges like book bans, inflated eBook prices, and restricted access to academic research, Daniel shares his journey as a “shadow librarian,” using quasi-legal methods to ensure equitable access to knowledge. His talk inspires attendees to join the fight for open information in an era of digital gatekeeping.

The Plight of Public Libraries

Daniel opens by highlighting the existential threats to libraries, including censorship and corporate exploitation. He describes how publishers impose exorbitant eBook licensing fees, rendering digital content unaffordable for libraries. Book bans, particularly targeting marginalized voices, further erode access. Daniel’s narrative underscores the library’s role as a public good, now undermined by profit-driven models.

Shadow Librarianship in Action

Drawing from three decades of library work, Daniel recounts his efforts to bypass restrictive systems. By digitizing out-of-print materials and sharing banned books, he ensures access for underserved communities. His methods, while ethically driven, skirt legal boundaries, reflecting a commitment to serving patrons over corporate interests. Daniel’s stories, including providing banned books to struggling youth, resonate deeply.

Empowering Community Action

Daniel encourages attendees to become shadow librarians, emphasizing that anyone can contribute by sharing knowledge. He advocates for scanning and distributing unavailable materials, challenging unconstitutional bans, and supporting patrons in need. His lack of a formal library degree, yet extensive impact, illustrates that passion and action outweigh credentials in this fight.

Building a Knowledge Commons

Concluding, Daniel envisions a future where communities reclaim access to information. He urges collective resistance against corporate control, drawing parallels to hacker ethics of openness and collaboration. By sharing resources and skills, anyone can become a librarian for their community, ensuring knowledge remains a public right rather than a commodity.

[DefCon32] Abusing Legacy Railroad Signaling Systems

David Meléndez and Gabriela Gabs Garcia, researchers focused on transportation security, expose critical vulnerabilities in Spain’s legacy railroad signaling systems. Their presentation reveals how accessible hardware tools can compromise these systems, posing risks to train operations. By combining theoretical analysis with practical demonstrations, David and Gabriela urge stakeholders to bolster protections for critical infrastructure.

Vulnerabilities in Railroad Signaling

David and Gabriela begin by outlining the mechanics of railway signaling, which relies on beacons to communicate track status to train operators. Using off-the-shelf tools, they demonstrate how these systems can be manipulated to display false signals, potentially causing derailments or collisions. Their research, motivated by Spain’s high terrorist alert level, highlights the ease of tampering with outdated infrastructure, drawing parallels to past incidents like the 2004 Madrid train bombings.

Exploiting Accessible Technology

The duo details their methodology, showing how domestic hardware can override signal frequencies to mislead train operators. By crafting a device that mimics legitimate signals, attackers could disrupt train circulation without detection. David emphasizes the simplicity of these attacks, underscoring the urgent need for modernized systems to counter such threats, especially given the public availability of required tools.

Risks to Critical Infrastructure

Gabriela addresses the broader implications, noting that Spain’s railway vulnerabilities reflect global risks. The 2004 Madrid bombings, which killed 193 people, serve as a stark reminder of the stakes. Their findings reveal that motivated actors with basic knowledge could exploit these weaknesses, endangering lives and infrastructure. The researchers call for increased investment in security to prevent catastrophic incidents.

Call for Industry Action

Concluding, David and Gabriela advocate for a reevaluation of railway security protocols. They urge stakeholders to implement robust countermeasures, such as encrypted signaling and real-time monitoring, to protect against tampering. Their work aims to spark industry-wide dialogue, encouraging collaborative efforts to safeguard transportation networks worldwide.

[DefCon32] Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels

Vangelis Stykas, Chief Technology Officer at Atropos, delivers a bold exploration of offensive cybersecurity, targeting the command-and-control (C2) web panels of ransomware groups. His talk unveils strategies to infiltrate these systems, disrupt operations, and gather intelligence on threat actors. Vangelis’s work, driven by a desire to challenge criminal enterprises, showcases the power of turning adversaries’ tools against them, offering a fresh perspective on combating ransomware.

Targeting Ransomware Infrastructure

Vangelis opens by highlighting the resilience of ransomware groups, noting that only 3.5% of 140 tested web panels exhibited vulnerabilities, compared to 15–20% for Fortune 100 companies. He recounts infiltrating panels of groups like ALPHV/BlackCat, Everest, and Mallox, exploiting flaws such as outdated WordPress sites and chat features. These breaches enabled Vangelis to extract decryption keys and member identities, disrupting operations and aiding victims.

Methodologies for Infiltration

Delving into technical strategies, Vangelis explains how he exploited low-hanging vulnerabilities in ransomware C2 panels, such as misconfigured APIs and weak authentication. His approach, refined over two years, involved identifying data leak sites and leveraging penetration testing expertise to gain unauthorized access. By targeting infrastructure like Tor networks and custom firewalls, Vangelis demonstrates how attackers’ own security measures can be weaponized against them.

Ethical Dilemmas and Community Impact

Vangelis reflects on the moral complexities of his work, rejecting the vigilante label in favor of being a “Socratic fly” that disrupts the status quo. He urges cyber threat intelligence (CTI) firms to share data openly, noting that faster access to C2 information could amplify his impact. His successes, including contributing to ALPHV/BlackCat’s collapse, highlight the potential of offensive tactics to weaken ransomware ecosystems.

Future of Cyber Offense

Concluding, Vangelis emphasizes the need for persistent innovation in fighting ransomware. He advocates for collaborative intelligence sharing and proactive disruption of criminal infrastructure. By drawing parallels to the “Five Horsemen” of cyber threats, Vangelis inspires researchers to confront adversaries head-on, ensuring that the cybersecurity community remains one step ahead in this ongoing battle.

[DefCon32] The Rise and Fall of Binary Exploitation

Stephen Sims, a veteran cybersecurity expert, navigates the evolving landscape of binary exploitation, a discipline long revered as the pinnacle of hacking challenges. His presentation at DEF CON 32 examines the impact of modern mitigations like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and newer technologies such as Control-flow Enforcement Technology (CET). Stephen explores how these defenses have reshaped the field, while emphasizing that the pursuit of novel exploitation techniques remains vibrant despite increasing complexities.

The Golden Era of Binary Exploitation

Stephen begins by reflecting on the historical significance of binary exploitation, where vulnerabilities in low-level languages like C++ enabled attackers to manipulate system memory. In the early 2000s, exploiting large applications was a hallmark of hacking prowess. However, Stephen notes that memory safety issues have prompted a shift toward safer languages like Rust, though these are not yet mature enough to fully replace C++. This transition has made exploitation more challenging but not obsolete.

Impact of Modern Mitigations

Delving into technical details, Stephen dissects key mitigations like DEP, which prevents code execution in data memory, and ASLR, which randomizes memory addresses. He also discusses CET, which enforces control-flow integrity, and Virtualization-Based Security (VBS), which isolates critical processes. These protections, often disabled by default on Windows to avoid breaking applications, have significantly raised the bar for attackers. Stephen illustrates their enforcement through practical examples, showing how they thwart traditional exploits.

Ethical and Legislative Challenges

Stephen addresses the ethical dilemmas facing researchers, noting that restrictive legislation, such as the Paul Maul Act, could push exploit development underground. He argues that the more researchers are constrained, the greater the risk of unethical markets flourishing. By sharing insights from past research, including contributions from Jeremy Tinder and Haroon Meer, Stephen underscores the need for responsible disclosure to balance innovation with security.

The Future of Exploitation

Concluding, Stephen draws an analogy with skateboarding legend Tony Hawk: tricks that were once groundbreaking are now routine for newcomers, and in the same way past exploitation techniques are accessible to beginners today, enabling rapid advancement. He predicts that as bounties for zero-day exploits rise—some now fetching $500,000—the incentive to bypass mitigations will persist. Stephen encourages researchers to innovate ethically, leveraging open knowledge to uncover new vulnerabilities while navigating an increasingly fortified digital landscape.

[DefCon32] From Getting JTAG on the iPhone 15 to Hacking Apple’s USB-C Controller

Thomas Roth, known as Stacksmashing, a hardware security researcher and co-founder of HexHive, takes the audience on a technical odyssey to compromise Apple’s proprietary ACE3 USB-C controller in the iPhone 15. Using reverse-engineering, RF side-channel analysis, and electromagnetic fault injection, Thomas achieves code execution on this custom chip, unlocking JTAG access and exposing its inner workings. His work highlights the persistence required to tackle secure hardware.

Cracking the ACE3 Controller

Thomas introduces the ACE3, a microcontroller managing USB-C functions, internal buses, and JTAG on the iPhone 15. Unlike its predecessor, ACE2, which was vulnerable to software exploits, ACE3 employs personalized firmware and disabled debug interfaces. Through meticulous reverse-engineering, Thomas mapped its architecture, revealing access to UART and SPMI buses, critical for deeper device exploration.

Leveraging Side-Channel Attacks

To bypass Apple’s protections, Thomas employed RF side-channel analysis and electromagnetic fault injection. Using tools like ChipShouter, he induced faults to read and write arbitrary memory, dumping the ACE3’s ROM and RAM. This painstaking process, despite battery challenges, yielded a complete firmware dump, enabling further analysis of the chip’s security mechanisms.

Democratizing Hardware Hacking

Recognizing the high cost of professional tools, Thomas ported his attack to the affordable PQM-P1, reducing the cost to $60. This democratization of fault injection empowers researchers to explore similar chips without prohibitive expenses. His open-source firmware for ChipShouter automates the process, making hardware security research more accessible to the community.

Future of Hardware Security Research

Thomas concludes by encouraging researchers to persist in analyzing unknown silicon, as demonstrated by his success with minimal prior knowledge. His glitching lab at the MedSec Systems Village invites hands-on exploration of fault injection techniques. By sharing his tools and methodologies, Thomas fosters a collaborative approach to uncovering vulnerabilities in secure hardware.

[DefCon32] Behind Enemy Lines: Going Undercover to Breach LockBit Ransomware Op

Jon DiMaggio, a cyber threat intelligence expert at Analyst1, shares a gripping account of his two-year infiltration of the LockBit ransomware gang. By earning the trust of its leader, LockBitSupp, Jon unmasked the real-world identity of this elusive figure, disrupting the syndicate’s operations. His narrative blends human intelligence with cyber expertise, offering a masterclass in combating ransomware through undercover operations.

Infiltrating the LockBit Syndicate

Jon recounts his covert journey, posing as a potential affiliate to gain access to LockBit’s inner circle. Through strategic exchanges, he built rapport with LockBitSupp, navigating the dark web’s complexities. His interactions, documented in real-time, reveal the gang’s operational structure and reliance on affiliate hackers, providing a rare glimpse into the ransomware ecosystem.

Unmasking LockBitSupp

A pivotal achievement was identifying LockBitSupp’s real-world identity, a feat that challenged the narrative of his anonymity. Jon’s persistence, despite threats of retaliation, led to public exposure via an indictment, disrupting LockBit’s operations. He emphasizes that this identification required meticulous intelligence work, countering claims that LockBitSupp’s operational security was amateurish.

Impact on Ransomware Operations

Jon’s actions had unintended consequences, including a perceived breach that rattled LockBit’s infrastructure. By leaking sensitive communications, he forced the gang to divert resources, weakening their operational resilience. His work with law enforcement amplified this impact, showcasing the power of combining human intelligence with technical analysis to dismantle cybercrime networks.

Lessons for Combating Cybercrime

Concluding, Jon advocates for integrating human intelligence into cybersecurity strategies. His experience underscores the value of undercover operations in understanding and disrupting threat actors. By sharing his methodologies, Jon inspires researchers to adopt similar tactics, strengthening defenses against ransomware and safeguarding organizations worldwide.

[DefCon32] The Pwnie Awards

The Pwnie Awards, a cornerstone of DEF CON, celebrate the triumphs and missteps of the cybersecurity community with a blend of reverence and humor. Hosted by Ian Roose, this annual ceremony honors groundbreaking research and notable blunders, judged by a panel of esteemed security experts. The 2024 edition, sponsored by Margin Research, Red Balloon Security, and Summercon Foundation, pays tribute to luminaries like Sophia d’Antoine, whose lifetime achievements have shaped the field.

Celebrating Cybersecurity Excellence

Ian opens the ceremony by highlighting its role in recognizing outstanding contributions. The Pwnies showcase the best exploits and research, voted on by peers, offering a unique platform for hackers to gain recognition. From novel vulnerabilities to innovative defenses, the awards reflect the community’s ingenuity, fostering a culture of excellence and accountability in cybersecurity.

Honoring Sophia d’Antoine’s Legacy

A poignant moment comes with the Lifetime Achievement Award for Sophia d’Antoine, accepted by her sister Claudia d’Antoine of Margin Research. Sophia’s work, spanning hacking, policy advocacy, and training with Binary Ninja, left an indelible mark. Ian emphasizes her ethos of curiosity and community care, inspiring attendees to continue her legacy of impactful research and collaboration.

Acknowledging Community Contributions

The ceremony acknowledges the broader community, including nominees, presenters, and sponsors like Margin Research and Red Balloon Security. Ian highlights the collective effort behind the event, from organizers like Neil Durkin and Mark Trumpour to the audience’s participation. This collaborative spirit underscores the Pwnies’ role in uniting hackers to advance the field through shared knowledge and recognition.

Looking Forward to Future Impact

Closing, Ian reflects on the Pwnies’ role in inspiring future research. By celebrating both successes and failures, the awards encourage resilience and innovation. The call to stay curious, inspired by Sophia, resonates as a guiding principle, urging attendees to push boundaries and strengthen cybersecurity through collective effort.

[DefCon32] The XZ Backdoor Story: The Undercover Op That Set the Internet on Fire

In a riveting exploration of one of the most sophisticated cyberattacks in recent history, Thomas Roccia, a security researcher at Microsoft, unravels the intricate tale of the XZ backdoor. Discovered by Andres Freund in March 2024, this clandestine operation compromised the open-source XZ utility, specifically its liblzma library, threatening SSH servers worldwide. Thomas’s narrative dissects the attacker’s methods, the discovery’s serendipity, and the broader implications for open-source security, urging the community to remain vigilant.

The Discovery of the XZ Backdoor

Thomas begins by recounting the fortuitous discovery by Andres Freund, a Microsoft engineer, who noticed anomalies in the XZ utility. The backdoor, orchestrated by a mysterious maintainer named Jia Tan, was embedded in the liblzma library, a critical component for SSH operations. This breach could have granted attackers remote access to countless systems. Thomas highlights the mix of luck and expertise that led to the detection, emphasizing how close the internet came to a catastrophic compromise.

The Attacker’s Modus Operandi

Delving into the operation, Thomas outlines how Jia Tan infiltrated the XZ project by gaining trust over time. The attacker, potentially backed by a nation-state, employed sophisticated techniques to insert malicious code, exploiting the project’s open-source nature. By meticulously integrating the backdoor into legitimate updates, Jia Tan evaded scrutiny until Freund’s investigation. Thomas details the technical mechanics, including how the backdoor manipulated SSH authentication, underscoring the attacker’s deep understanding of Linux systems.

Lessons for Open-Source Security

The XZ incident exposes vulnerabilities in open-source ecosystems, where trust in contributors is paramount. Thomas advocates for enhanced vetting processes and automated code analysis to detect anomalies early. He stresses the importance of community awareness, as knowledge of such attacks is a key defense. The incident redefines what constitutes a sophisticated attacker, prompting a reevaluation of how open-source projects manage contributions and verify integrity.

Future Vigilance and Community Action

Concluding, Thomas poses a haunting question: how many other Jia Tans are embedding backdoors in open-source projects? He urges researchers to study the XZ case, leveraging blogs and technical write-ups from contributors like Freund. By fostering a culture of transparency and collaboration, the community can bolster defenses, ensuring that open-source software remains a pillar of trust rather than a vector for compromise.
