My very first DEF CON (DC 27)
The world's largest underground hacking conference takes place over the period of 4 days every year in Las Vegas, Nevada, and this year I went for the first time. It was as crazy as it get can, and honestly, just what I expected. It's strange because on the one hand I knew it was going to be super weird (the conference and the city), but then the expectation of its being weird didn't in any way serve to prepare me for what was going to happen.
Arriving in the Country
I planned to fly from Manchester, UK to Philadelphia, Pennsylvania and then from there to Las Vegas. Until recently, I wouldn't do flights a lot, and I would always go for online check in (because why wouldn't you), but this time I couldn't find my way through American Airlines' shitty iOS app so I kind of waved my hand and thought I would just do it at the airport... Except I didn't know check-in closes 60 minutes before departure. So I was at the check in desk 55 minutes before my flight, just to find out they wouldn't let me in on the plane. Oops. It took me a few minutes to calm down and soon I had bought another ticket for a direct flight to Vegas. Incidentally the second leg of the original flight got cancelled so I ended up being in Vegas earlier than I would have been had I taken the original flight. Cool.
Getting through the border was slow, it's interesting to see they've only got one gate for US citizens at the airport because most of the traffic that needs to go through border in Las Vegas consists of foreign tourists. Apparently they still don't use automatic passport scanners in the US, so it makes going through the border slow because an actual human will look at your passport (and possibly question you, etc).
The border guard asked me what I'm doing in the US, I asked him if he knew what DEF CON was and he said yes. Soon I realized everyone in Vegas knows about DEF CON. And it really seems to be literally everyone. Every single person that I talked to knew what it was and that includes cashiers, waiters, Uber drivers, homeless people, my AirBnb host, and so on.
Vegas is really fucking hot. You need to prepare before going; you'll need shorts, sunglasses, a hat and sunscreen at minimum (okay, I didn't have a hat cause I forgot to buy one, but if you do you can pull off that cool Hunter S. Thompson look). As soon as I left the airport I got a headache and I thought I wouldn't stand being outside for longer than 10 minutes but in fact I got used to it pretty quickly. I'm more naturally suited to hot weather and I'd rather burn in the sun than freeze in the cold. But still, there's no way you can live there without air conditioning, which was actually annoying for me because I prefer the AC a bit warmer than most people, so casinos were a bit too cold for me, and I actually found myself going outside for a few minutes to warm up.
After leaving the airport I went to the conference venue to get my badge and then went to my AirBnb for check-in. The city is very difficult to navigate if you don't have a car, unless you never leave The Strip (the part of the city where all the casinos are) and public transport is very impractical to use. Uber is highly prevalent with Lyft being another popular choice for transport. Traditional telephone "taxi" practically doesn't exist there. I also have to remark that if you've never been to Las Vegas, to understand it properly you need to imagine what the casinos look like first. There aren't that many standalone "casinos" at The Strip. They're more like huge entertainment centers. Typically you'll have, in one building, a casino, hotel rooms, conference rooms, bars, restaurants, show rooms, and so on. The conference was spread between 4 hotels located next to each other (still, sometimes you needed at least 15 minutes to get from one talk to another, or longer if you have my sense of direction and don't know where you are half of the time). Anyway, after looking around for some time, I registered and got my badge.
DEF CON Badge
The DEF CON badge is a proof of payment, your pass to the conference. You get it on the first day of the conference after a payment of 300 American dollars in cash. By design, they don't accept debit cards and they won't write you a receipt in your name, because then they would have to ask your name. Which is cool but it makes expensing it tricky.
The badge is a piece of electronics with a different design each year, so if you go each year you end up with a collection of pretty PCBs, each of them is unique and if you're a hardware person and know how to reverse-engineer that stuff, then you have a nice piece of equipment to study. Or you can sell it on eBay or whatever you do with your collectibles. There are also other badges, if you want to support a village (see below), badges for special achievements and so on. Curiously, the first result I found when I searched for DEF CON badges on eBay was in a category called "Historical Memorabilia" / "Mobs, Gangsters & Criminals". Uhm, okay.
DEF CON badges traditionally come with a challenge you can try yourself on. I say the future is social, and this year the challenge, rather than being a technical puzzle, was designed to force you to go to different parts of the conference and talk to people. This year, your badge can "connect" to other people's badges using magnetic induction if you hold them close together. A set of flashing LEDs indicates the "state" of the badge. There are a few "special" badges (they look differently and you could read up on who has those badges beforehand). If you connect with a special badge that you've not connected with before, that puts your badge in the next state. You can do them in any order, and after you've done all of them, you win the challenge. And you unlock some new commands in the badge's shell. Oh, did I mention you can access a control shell through a serial interface?
The badge is a beautiful piece of art. It was created by Joe "Kingpin" Grand. If you're interested to learn more, check out his talk at this year's DEF CON.
CTFs / Contests / Competitions
There's plenty of CTFs each year at DEF CON (CTF means "Capture The Flag", a name that denotes a specific type of competition but in the hacking world sometimes it's used as meaning any kind of a hacking contest). A proper CTF will have "challenges", and your team is awarded a specific number of points for every solved challenge. After a set period of time (often 48 hours) and tons of coffee, the team that has acquired the largest number of points wins.
Some of the contests at DEF CON fit this description of a classical CTF, others are competitions with different rules and themes. The more esoteric ones (and beware, some participants prepare for those very seriously!) include a beer cooling contest (I don't know if that's still on though - last one mentioned on the website was 10 years ago), another one where the contestants get their computers smashed with sledgehammers and tesla guns (and 18 other ways to destruct your hardware), and another one which is a beauty pageant for facial hair.
Back to security focused competitions, the original DEF CON CTF is sometimes called the "World Cup of Hacking" and the "Olympics of Hacking" and is widely considered to be the most prestigious hacking CTF in the world. Only teams qualified either through the official qualifications CTF ("DEF CON Quals") or through one of the many pre-qualification events can participate. Be sure to check out the DEF CON CTF's website, as an introduction, and this awesome video (from last year) by LiveOverflow.
This year's challenges included a multiplayer game of the 1993 Doom, where each team was given a modified binary of the game that you were supposed to reverse engineer and patch to help you win (the modified binary wouldn't even allow you to use your weapons). The source code has now been released here.
Congratulations to the Plaid Parliament of Pwning for winning the 2019 DEF CON CTF!
At over twenty five thousand participants, DEF CON is huge. And the ambiguity of the word hacking means that people with diverse interests will flock to the conference and form groups around common interests. Each subconference within DEF CON is called a "village" and it will have its own talks, workshops and contests.
I think the first village I ended up going to was the Car Hacking Village. Arguably the most fun event of the Car Hacking Village was the Car Hacking CTF where you gather a team of 6 people and you get to break into cars. The winning team takes home a 2019 Tesla Model 3. I didn't play (I was in and out of talks most of the time, nor did I have the skills or a team), but it would be something interesting to try some time.
If you want to get a taste of the Car Hacking Village, check out this talk by Brent Stone.
I spent a lot of at the Social Engineering Village started by the awesome Chris Hadnagy that focuses on the psychological methods to hack things. And it also has its own CTF.
Then there are all your typical security-oriented villages dealing with cryptography, network security, incident response, web application security, and so forth and so on.
One noteworthy village is the Voting Village. Voting machines are quite prevalent in the US, and the laws and regulation concerning them differ from state to state. This means there are multiple different models of voting machines, some more secure than others...
Aviation Village was a new village this year. I hadn't heard about it and didn't go.
The talks take place between 10am and around 6-7pm each day, followed by a few official parties and many unofficial ones during the night. All I'm going to say about the parties is that I enjoyed them.
I have multiple times heard the opinion that you don't go to DEF CON for the talks... It is assumed that lots of raising-the-state-of-the-art grade research has moved to BlackHat and similar conferences. My experience was that there were many introductory talks, talks that were fun to listen to and stimulating, they had engaging speakers who presented interesting ideas, but few fresh research talks. I think I only had one of those "wow moments" that you get when you experience something really novel and cool. Here are the talks that I recommend.
Information Security in the Public Interest
This is a talk that might matter more than I immediately recognized. It was a non-technical presentation by the legendary information security expert who in the last years has done a lot of thinking on the topics of security policies, law, society and so on. Schneier complains about the fact there are very few technologists working for the public interest. He compares the current situation to that of lawyers. In the past, working for a non-profit organization wasn't considered a viable career option for a law university graduate. Today, lawyers are expected to do public service work as part of their career. Even though the lawyers at non-profit organizations such as the American ACLU make less many than their commercial counterparts, a job at an NGO is considered to be a prestigious career option - something that would make the parents of a recent university graduate proud.
In the coming years, computers will control more and more of our lives, and that means that technologists will shape the our society and their input won't be limited to the technical domain - how people create technology will increasingly affect the lives of all of us. It therefore seems that technologists should take part in creating policies that will drive development of new software.
It's worth starting a discussion around this. How can we get as many people as possible to contribute? How do we make this a viable career option? How do we get politicians to listen?
TLS decryption attacks and back-doors to secure systems
Chris Hanlon shows how you can get an HTTPS certificate for a victim's domain signed by a legitimate CA. The attack makes use of the fact that the process by which the domain obtains the certificate often happens over a plaintext connection.
There are multiple vectors that can be used for carrying out this attack. One possible option is executing a Man-in-the-Middle attack between the CA and the victim domain's nameserver (plaintext DNS). When the attacker requests a certificate from the CA, the CA will believe that the attacker controls the victim's domain because the nameserver says so. A similar attack can be performed by intercepting traffic to and from the servers that serve mail between the CA and the victim. This is possible because some enterprise mail servers don't use TLS.
SELECT code_execution FROM * USING SQLITE: Gaining code execution using a malicious SQLite database
This was perhaps my favorite talk. It had the coolest hack and the most novel and promising exploitation technique. Background: n SQLite database is just a specially formatted file. This file gets parsed by the SQLite code. Now, it turns out that the part of this file that describes the database schema is just a SQL CREATE statement. To verify that this statement (controlled by an attacker) isn't going to do anything dangerous, the code verifies that the statement string begins with "create". However, the authors of this code missed the fact that not only tables, but views can also be created with "create".
The coolest part of this research is when the authors described a way to write basic exploitation primitives using CREATE that would pass through the validation, effectively implementing a way to execute arbitrary code using a CREATE VIEW statement. The researchers also created a Python library to translate your arbitrary shellcode into such a statement.
There's a post about this research available here
Zero bugs found? Hold my Beer AFL! How To Improve Coverage-Guided Fuzzing and Find New 0days in Tough Targets
This talk proceeds in two parts.
The first part is an introduction to security-oriented fuzzing and american fuzzy lop (AFL), a very influential coverage-guided fuzzer. Maksim talks about the limitations of AFL. These include the lack of (more than basic) support for parallelization, non-ideal handling of volatile paths, and the lack of support for network fuzzing out of the box.
Next, Maksim introduces his solution - a fuzzer called Manul. There have been many forks of AFL that fix some of the issues with AFL, but so far all of these forks were falling short of addressing at least one of them. Manul packs the best features of AFL, and, in addition, it also solves all of the issues listed above.
The ABC of Next Gen Shellcoding
Writing shellcodes is difficult because of constraints on the input format. As a common scenario, the application will expect a human-readable (alphanumeric plus, perhaps, some other characters) string, whereas your shellcode is machine code and typically isn't human readable. Your shellcode may be rejected by the application itself, or it might be flagged as suspicious by intrusion detection systems and human agents.
These guys wrote a generic packer/unpacker tool that can encode arbitrary RISC-V attack code as an alphanumeric string. The unpacker itself is a small piece of code written using only alphanumeric characters. This stub is then appended to the encoded attack code. The result is your final shellcode - written using a specific, small set of characters that should pass the application's input validation routine and security checks by IDS's and humans.
The End (See You in Las Vegas in 2020?)
If time and money permits, I'm going to go to the next DEF CON as well.
If this article got you out of your usual boredom and you too want to go to an underground hacking conference, consider joining me at DEF CON 28 on August 6-9, 2020 at The New Caesars Forum (which is a new venue opening soon, and it's going to be huge). Drop me a message if you're interested.