Posted: October 31st, 2009 | Author: Matt | Filed under: Conferences, InfoSec
So, zaCon is coming.
It’s a conference without all the fluff and hubbub of commercial vendors. It’s being put on by people who live, eat, breathe and sometimes poop information security. It’s going to give people who wouldn’t usually have this platform to talk about new cool stuff they might be working on. New tools, new ideas, just about anything that keeps us up at night.
There isn’t going to be any corporate sponsorship. It’s going to be very ad-hoc and probably very chaotic, but that’s a good thing. Nothing like this has happened in South Africa before (as far as I am aware).
So keep an eye on the website. The speaker list is up and running. The venue has been locked down and it’s happening.
If you have any questions, comments or general ideas, please feel free to contact people@zacon.org.za
But mostly, come along. It’s going to be a lot of fun.
Posted: August 25th, 2009 | Author: Matt | Filed under: Conferences, InfoSec, Travel | Tags: cons, defcon, my views
How does one write a decent article about DefCon ? How do you truly convey the madness and all out chaos that is the weekend of DefCon to someone who likely hasn’t been ? I have NO idea. I’m going to attempt this, it’s probably going to fail miserably and you are going to think me mildly insane. I can, however, simplify this for you into one word.
GO!
Yes, it’s that good. If you are in any way interested in security or even networking (and not just the type with Cat5e cables) go. But I’m getting ahead of myself.
Prep
There are a number of differing opinions on the matter. Some people bring a vast array of hardware to play around with in the hardware hacking village, some people bring machines to attempt to spread malware and break into other people’s machines. Heck, some people even brought along a fake ATM machine to skim your banking details from you, but that’s beside the point. What it all boils down to at the end of the day is you are going to be connecting to what is considered to be THE most hostile computer network on the planet. End of story. This is drummed home by the dreaded Wall of Sheep. If you transmit ANYTHING over the DefCon network that isn’t encrypted, your credentials AND the host you are connecting to are posted, in real time, to this “wall”. Not fun. That’s not to say someone isn’t going to be messing with your connection even if it is encrypted. Moxie had an awesome talk on how SSL is broken, check it out on the Blackhat Archives here. There were discussions on various forums and mailing lists as to what hardware to take and what precautions to use to ensure that you weren’t “pwned” along the way. I personally set up an EEPC 701 with a hardened copy of Linux and VPN software to connect out. Did I use this ? No. I ended up bringing along my trusty 13″ Macbook simply because I couldn’t afford to be disconnected from the Office 10000 km away. No, I did not connect to the DefCon network… In fact my machine stayed off for the duration of DefCon as there was simply far too much to do that didn’t require a working notebook. We will get to that.
Goons
Before going any further it’s worth mentioning the Goons. These are the guys and girls who attend DefCon and herd the many thousands of hackers around the conference. They have the most unenviable job out there. Not only do they miss all the talks and general shenanigans, but they have to ensure that we GET to see the talks and don’t end up killing ourselves by bungee jumping from the roof. I have no complaints about the Goons. They did an awesome job and while some could complain that they were a bunch of hard-asses, look at it from their perspective. I’d also be pretty gruff and terse if I had to deal with a crowd like that.
So, what’s going on ?
What goes on at DefCon besides the 5 rooms with various talks ? Well you have your choice of the following:
- Hardware Hacking Village
- Lock Pick Village
- CTF Arena
- Competition Floor / Food area
- Vendor Area
- Sky Boxes
- Big Room with old hardware and Team Fortress 2 Arena
- Chillout Lounge with DJ’s
So yeah, there’s A LOT to do. I checked out most of it. Got my hands dirty learning to pick locks. Played a little Team Fortress 2 against people I didn’t know. Attended the micro talks in the Sky Boxes, bought “cool stuff” from the vendor area, checked out the teams competing in the Binjitsu CTF event, ate some really expensive food in the food area, took it easy to some great tunes in the chill out lounge and went to the Pauldotcom private party. Yes. I did. It was awesome. The PDC crew are a fantastic bunch. Had beers with Mick, spoke to John Strand about the course I was thinking about taking upon my return, got a t-shirt signed and generally had an awesome evening. The podcasters meetup was the same evening. It was surreal seeing all the guys I listen to on a weekly basis up close. Then getting to shake hands, swap business cards and have a cold beer with them once the recording stopped. Insane.
Talks, what talks ?!
Apparently they have talks at these conferences. Yes, I went to a lot of them. But DefCon isn’t just about talks and learning things most people wouldn’t want to know in their lifetime. It’s about the parties and meeting people. And after 18h00 that’s exactly what happens. The doors open (or close) and there are any number of after hours “events” to go to. Being alone and not knowing anyone “in the loop” I didn’t do much. But hey, I hear there were some scary things going on around the Riviera that weekend.
No, really, what talks ?
Yeah, the talks were all outstanding. The problem is (as I found out the hard way at Blackhat) there are so many great talks going on at the same time, it’s difficult to see everything. And believe me, you want to see everything.
Stand outs for me included:
But really, to go on and list all the great talks is just silly. There are so many great ones it’s so difficult to pick and choose.
What I found is that you would get 90% through the day and end up either meeting some random person (Johnny Long in my case) and spend the remainder talking “shop”. Someone said to me prior to heading over to Vegas that with the big conferences like Blackhat and DefCon you didn’t get to meet the speakers or anything like that. I don’t know if I lucked out but I spoke to so many of the guys I wanted to chat to. Hell, I even got two seconds with DT himself. I think he may have thought I was a little crazy because it was late on Sunday afternoon when I spoke to him and I may have been a little hopped up on energy drinks and fried chicken.
Wrapping up…
I could ramble on about this for ages as for me it was the highlight of the year. Both DefCon and Blackhat were so amazing, so much fun and at the same time, so humbling, I don’t think I could ever forget the experience in a hurry. To answer many people’s question to me upon returning: yes, go. Go if it’s the last thing you do. You will learn so much, be inspired by what you learn, by the people you meet and by what you get to do yourself. I for one will be doing everything in my power to get back there next year, hopefully with a couple of friends this time.
Posted: August 17th, 2009 | Author: Matt | Filed under: Conferences, InfoSec | Tags: blackhat, cons, day two
Day Two of Blackhat
(aka. The Day of the Cloud)
Day two of Blackhat was definitely “The Day of the Cloud”. That and possibly also “Revenge of the Mobile Handset”, but I don’t know enough movie titles to really make this as witty and as crowd pleasing as possible…
In all seriousness, day two was just as tough as day one to do the whole “I want to see X” game. Before we get into that in too much detail it’s worth mentioning the size of Blackhat for those who didn’t get to go. I realize I should have done this for day one, but alas I’ve never really followed a check list. Blackhat was held at Caesars Palace. There were 8 tracks on day one and 7 on day two so getting to see everything was nigh on impossible. They were selling DVDs of the whole show but the only one really worth getting (Blackhat + DefCon Combo) was $499 !!! For someone coming from South Africa, already on a shoestring budget (read company per diem) this was just a non-starter. I guess we will just have to wait the 4 months or so before they release it to the public and download…
Moving swiftly forward…
Great talks for day two:
Fuzzing the Phone in Your Phone: Charlie Miller and Collin Mulliner
Yes, they dropped 0-days. Yes, they provided great technical details and yes, I was able to follow most of it even though I know a dangerous amount about the mobile platforms. Charlie and Collin dropped a huge amount of really great info on the iPhone, Windows Mobile and Android platforms. Their talk on how they actually fuzzed the phones to get the required data for the 0-days was not only technically useful enough to do the work required but got me very interested in the topic. Needless to say, people were turning off their phones in the audience and the live demo worked like a charm. Being an iPhone user (read fanboy) I am more than a little concerned. Yes, Apple did patch the SMS vulnerability the day after, but really, how many people are THAT efficient at patching their phones? This is definitely a talk to check out when it’s available…
Clobbering the Cloud: Haroon Meer, Nick Arvanitis, Marco Slaviero
I was fortunate enough to catch the SensePost guys at this year’s ITWeb Security Summit, and again they proved why they’re at Blackhat year after year. Haroon and the guys gave not only a very technical but entertaining talk on how they simply broke a number of the mainstream “cloud” applications. I won’t go into too much detail as it was a fairly technical talk with some very scary demos done. If you think the mainstream cloud applications are secure and you don’t really need to worry about putting your “stuff” into the cloud, watch this talk. Then lock all your data in a nuclear bomb shelter in Alaska. This talk just reinforces my lack of trust for “the cloud”. Charl and the guys from SensePost did South Africa proud. Keep up the great work guys…
I did attend most of the much hyped Cloudburst: Hacking 3D and Breaking out of VMware but to be honest the speaker wasn’t very engaging and I did lose interest. We know that Cloudburst works and is available for a fairly significant fee in the CANVAS Framework by Immunity. It does change the game again completely but this goes with the whole theme I took away from Blackhat, EVERYTHING is broken in some way or form and to some degree we’re building “secure” protocols over very insecure protocols…but that’s a story for another day.
Wrapping Up
In all Blackhat Briefings 2009 was very very cool. For someone coming from South Africa, the WOW factor was huge, not only in coming to Las Vegas, but simply the scale of the talks. Having 8 tracks on the go at the same time in some very big rooms AND having them fill up to the brim with some of the most intelligent people on the planet was simply awesome. What I find coming away from events like this isn’t just all the “cool tech” and great talks, it’s that feeling of “wow, I actually know NOTHING.” and that’s not a bad thing. It revs me up to get back into learning, reading books, listening to podcasts and generally expanding my base of knowledge. I’m hoping to use what I learned not only in giving talks to anyone interested in Durban but also to people in my workplace. Security awareness is of vital importance in this day and age and going to Blackhat gives me fuel for this engine.
Will I be back next year ?
You better believe it.
Posted: August 16th, 2009 | Author: Matt | Filed under: Conferences, InfoSec, Travel | Tags: blackhat, cons, day one
Getting Started
Late July I was lucky, nay privileged enough to be one of the few South Africans making the yearly pilgrimage out to the hot as hell desert of Las Vegas, Nevada for Black Hat Briefings ’09. It’s the more “corporate”, mainstream version of DefCon (which I will talk about later). There were some great talks and looking through the program on the Tuesday before the con opened officially I realized doing the “pick and choose” was going to be akin to choosing between Angelina Jolie and Scarlett Johansson.
Here’s a quick tip for you. Pitch up the day before registration. You will get your badge and bag and all the accompanying goodies and you won’t have to sit in huge queues for the majority of the opening day. This theme was to be repeated for the entire weekend of DefCon. With that said, the registration and general running of the entire conference was handled much like the Swiss make watches. Very well done there guys…
Now I’m not going to go through everything, simply because there is just too much to go through. What I will do is pick some of my favourite moments or talks and share that madness with you. Needless to say the vendor area was huge. There were more free t-shirts, free bags and other detritus with a logo or witty saying on it than you could shake the proverbial stick at.
Overshadowing Themes
There were a number of themes that seemed to take focus over the course of the two days that make up Blackhat. Yes there were the usual privacy, exploitation and legal type talks but above this came these topics. I believe it’s because of the way we as an Internet using community are going but perhaps there is something more to be said. I’ll leave that for you to decide…
- Rootkits – not your run of the mill rootkits either. Advanced rootkits for Mac OS X come to mind.
- Mobile – Aside from Charlie Miller’s talks on the iPhone/SMS vulnerability
- Cloud / Virtualization – Not just a generic overview
Day 1 Highlights :
I went to: Veiled – A Browser Based Darknet (I wanted to go to: Stoned Bootkit)
While Billy and Matt didn’t release any code which was a little disappointing, their talk was technical enough that anyone with more than two brain cells (the entire audience) could come up with some workable proof of concept. The general idea was to use web browsers to create a darknet without the need for a central server that isn’t under the control of the darknet operators. It also allowed for the quick construction and destruction of the darknet. Very cool ideas and with some very interesting real world applications. Let’s hope the guys can get through the HP red tape and release their code sometime.
Note: The 11:15-12:20 slot was impossible to go to simply because out of the 8 tracks I wanted to go to 6 of the talks. This was the first time this happened, but it was by no means the last. All I can say is thank GOD for DefCon17.
I went to: Weaponizing the Web (I wanted to go to: See note above)
Nathan and Shawn gave a great talk on CSRF and how it’s still in use today. There were some great examples and they also released their tool MonkeyFist. There were examples on SocNets, blogs and the various Wikis floating around the ‘net these days. Aggregated news also featured in their rants on the general fail of user generated content.
“Complexity breeds exposure…”
Awesome talk of the day: Moxie Marlinspike – More Tricks for Defeating SSL
This was one of those talks where he builds you up, feeding you enough to keep you interested until it hits you in the face and you go “Daaaammmmnnn….there it is. We’re screwed.” There was talk about sslstrip and the new improved sslsniff. Both very cool tools to check out, if only to reinforce the “Oh my god SSL is very broken” feeling. Add this talk to the one Dan Kaminsky gave directly after and you have a very good case for not trusting the foundations we seem to build all of our security houses on.
End of Day One.
I was going to put all of Blackhat into a single blog post, but looking at the length of this post, I see that’s not going to be possible. Tune in later for Day Two.