DEF CON 2020: extreme bystander mode

2020 was my first year “attending” DEF CON (Safe Mode due to covid).

I was an extreme bystander:

However, I was lurking in the darkness enjoying that it was all going on. I watched 3 talks from this year and 1 from last year, and even with that amount of participation was really grateful to have been able to see what people are up to when it comes to security research, and feel like even with my limited experience I was still able to pick up a bunch of new concepts to read more about and look into.

Demystifying Modern Windows Rootkits

Bill Demirkapi, 38m :: YouTube

Would recommend if: you wanna hear an analysis for how to pretend to be a part of an OS to gain access to it

Stray observations
  • I like that hackers use other hackers' work when they’re stuck. Bill did this. For some reason, in my head hacking something seemed like a totally individual act. Interesting to hear that it’s also about sharing tools and knowledge, which I guess makes sense at an event all about sharing security info.
  • The strategizing about how to fake being a part of Windows was fascinating to me in an old school detective type of way. It was funny, because the more Bill spoke, the more the thought of really detailed, specific information about Windows started to seem special and valuable to me.
  • Bill mentioned that he used ReactOS, an open source OS, that has a lot of info on undocumented Windows APIs. Made me wonder what similar open source operating systems are out there. From a quick search, I’m seeing a lot of talk about Kali Linux.
  • All of this networking talk is making me want to download Wireshark.
  • Bill talked a lot about how in Windows you have user and kernel access levels, and about how they differ. Mentioned that a rootkit acting with kernel permissions is less detectable by antivirus software because generally antivirus software lacks a lot of kernel permissions. Made me wonder what the downsides are of choosing kernel access over user.
  • Bill repeatedly assessed different possible solutions based on criteria: detectability, usefulness, and exposure.
  • Lots of what Bill needed to know to build the rootkit seemed to rely on documentation from the makers of the software or hardware.

Dont Be Silly It’s Only a Lightbulb

Eyal Itkin, 38m :: YouTube

Would recommend if: you wanna hear about how a lightbulb networks and see how a buffer overflow attack got this team into one

Stray observations
  • For some reason when I learned about buffer overflows in college that they were a thing of the past. But it turns out they’re still very much a tool you can use to get access to a whole system, and vulnerabilities for that attack can be found in modern software.
  • Before this talk I’d never heard of Zigbee, apparently a specification involving mesh networks commonly used for smarthome devices (low-power, low data rate, close proximity).
  • “rooting” is, maybe predictably, a verb for gaining superadmin access to something. That was the goal with the lightbulb.
  • The GOT is the “global offset table”, a table of function pointers in program memory used to run library functions. Eyal ended up using a buffer overflow to write to the GOT to modify a function pointer to run his shell code.
  • The lightbulb exploit used a write-what-where exploit, which is “Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.” -CWE (so you can write to the GOT to execute your shell code, which could install your attack code).
  • Here’s an article I found that has a walkthrough of a write-what-where.
  • The lightbulb exploit used EternalBlue, an exploit developed by the NSA that gives the attacker control to execute code and have network access based on a Windows vulnerability. It was used by notable ransomware malware “WannaCry” apparently. From a quick search, looks like EternalBlue is talked about in a couple of Darknet Diaries episodes, which is cool.
  • MTU in this context stands for maximum transmission unit, or the largest size of a network packet in bytes that can be communicated in a network transaction (so a device like a smart lightbulb has an MTU because it’s connected to the internet. The Philips Hue MTU is 128 bytes).

Bypassing Biometric Systems with 3D Printing

Yamila Levalle, 26m :: YouTube

Would recommend if: you wanna see well-organized table effectiveness comparisons of ways to hack into different types of systems with different types of strategies

Stray observations
  • You can be identified biometrically by your gait and veins apparently. Wow. Makes me wonder what the exhaustive list is for all the things can be identified by and that you’re vulnerable to today. Is anybody really using gait and veins right now? Wow.
  • People are buying silicone masks online to impersonate people to escape prison, rob banks, and impersonate politicians. This is some in-depth, movie-level stuff.
  • People can use silicone fingers to break into systems protected by fingerprints.
  • People can use 3d printed heads to break into systems protected by facial scans.
  • List of the different types of fingerprint scans: optical (light), capacitance (electrical charge), and ultrasonic (sound).
  • This talk was very practical in tone. Yamila goes over grease stain attacks, consensual molds, and nonconsensual attacks, describing how each method works.
  • I liked the nonconsensual attacks most because they’re obviously the scariest ones. One way Yamila did this was to use fingerprint dust, a digital camera, and a silicone fingerprint made using the first two steps.

(2019) Confessions of a Nespresso Money Mule

Nina Kollars, 20m :: YouTube

Would recommend if: you wanna see someone start at a weird eBay purchase and build tools to get answers

Stray observations
  • This talk showed a really cool way of being clued into an odd thing and then investigating it really hard in an organized way to get some answers. I thought that was amazing.
  • The weird thing Nina noticed initially was that the cheap Nespresso capsules she ordered on eBay came directly from Nespresso instead of the 3rd party seller she ordered them from, which she confirmed by calling Nespresso about it and legally securing the extra machine by offering it back.
  • Nina investigated by creating a set of rules, questions, and criteria for what an auction and seller would look like to search out more daily with a Python script. From a Google search on it, looks like there are lots of articles out there about how to build a basic web scraper with Python, which is exciting.
  • Nina collected the data about sellers fitting those criteria and stored it in a spreadsheet (how many sold, what was sold, how much they made, etc) so she could look at it all together and analyze it.
  • She researched who the victims were (in this case, elderly people) and reflected on how not to be complicit in similar schemes (which is basically that you should watching out for the weird stuff and then, once you know what’s going on, make a conscious decision not to participate despite the benefits you’d get for keeping quiet).
  • I’m probably not unique in this at all but I’m always down to hear about the types of fraud that are out there (in this case, triangulation fraud).