“If #infosec is a religion, then Las Vegas is our reverse-Mecca.”


This was my 10th trip to the annual hacker convention in Las Vegas. Here’s a report on some of the activities there that really impressed me.


DDoS Black and White Kung Fu

Some guys from China were teaching us how to do a DDoS. Their second slide was an advertisement for a DDoS service in China (see below). Don’t even ask me what else that says.


A few highlights:

1. They are more diligent about using reconnaissance now to get around things like caching and load-balancers.

2. They’ll crawl the site first, looking for things unlikely to be cached (such as MP4) and unprotected submit forms, which they assume will bypass CDNs, caches, and load-balancers (a POST to a form is dynamic content and has to reach the origin).

3. If they determine a site supports HTTP pipelining, they’ll send seven GET requests in one packet: pipelining lets a client send several requests on one connection without waiting for the responses, so every packet costs the origin seven full responses. Imagine seven requests for your biggest MP4 file in every packet!

My favorite part was when they tested a competitor’s device and found that it accepted this as valid input:

HTTP/1.0 POST /submitform.cgi
Content-Length: i_am_expletive_corporation
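As an added example (mine, not from the talk or from any vendor's device), here is how a request parser that does not make that mistake behaves. It is Go, using the standard library's net/http request parser on a constructed TCP segment: seven pipelined GETs for an MP4 are counted, and a POST whose Content-Length is not a number (modelled on the slide above, with the request line in the usual method-first order) is rejected outright. A strict digits-only Content-Length check is included for devices that parse headers themselves. Hostnames, paths and the pipelining threshold are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"math"
	"net/http"
	"strings"
)

// Constructed sample traffic (not from any capture): one segment carrying n
// pipelined GETs for a large MP4, and one POST with a non-numeric
// Content-Length, modelled on the slide quoted in the text.
func pipelinedGETs(n int) string {
	req := "GET /media/keynote.mp4 HTTP/1.1\r\nHost: example.test\r\n\r\n"
	return strings.Repeat(req, n)
}

const bogusPost = "POST /submitform.cgi HTTP/1.0\r\n" +
	"Host: example.test\r\n" +
	"Content-Length: i_am_expletive_corporation\r\n\r\n"

// strictContentLength accepts exactly what the HTTP grammar allows for the
// header value: one or more ASCII digits. No sign, no whitespace, no words,
// and no silent overflow.
func strictContentLength(v string) (int64, bool) {
	if v == "" {
		return 0, false
	}
	var n int64
	for _, c := range v {
		if c < '0' || c > '9' {
			return 0, false
		}
		if n > (math.MaxInt64-9)/10 {
			return 0, false
		}
		n = n*10 + int64(c-'0')
	}
	return n, true
}

// parseSegment feeds one TCP segment to the standard-library request parser
// and reports how many requests were pipelined into it. The first malformed
// request fails the whole segment instead of being waved through.
func parseSegment(segment string) (int, error) {
	r := bufio.NewReader(strings.NewReader(segment))
	n := 0
	for {
		req, err := http.ReadRequest(r)
		if err == io.EOF {
			return n, nil
		}
		if err != nil {
			return n, fmt.Errorf("request %d: %w", n+1, err)
		}
		// Drain any declared body so the next request starts at the right byte.
		io.Copy(io.Discard, req.Body)
		req.Body.Close()
		n++
	}
}

// excessivePipelining is a cheap detection signal: a well-formed segment that
// carries more than maxPerSegment requests is worth rate-limiting or logging.
func excessivePipelining(segment string, maxPerSegment int) bool {
	n, err := parseSegment(segment)
	return err == nil && n > maxPerSegment
}

func main() {
	n, err := parseSegment(pipelinedGETs(7))
	fmt.Println("pipelined requests:", n, "err:", err)
	_, err = parseSegment(bogusPost)
	fmt.Println("bogus POST rejected with:", err)
	_, ok := strictContentLength("i_am_expletive_corporation")
	fmt.Println("strict Content-Length check accepts it:", ok)
	fmt.Println("flag 7 per segment with threshold 3:", excessivePipelining(pipelinedGETs(7), 3))
}
```

The threshold in excessivePipelining is illustrative; pick it from your own traffic baseline. The real lesson is the second one: a front-end that has to guess what a non-numeric Content-Length means is already desynchronised from the origin behind it.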

Also, when they found a big PDF farm that was unprotected by CAPTCHA challenge-response tests, they evilly laughed.

Defeating PPTP VPNs and WPA2 Enterprise with MS-Chapv2

via MS-CHAPv2 via DES via an FPGA via the Cloud

Moxie Marlinspike, David Hulton and Ray Marsh are up to their old tricks again – this time presenting a method of breaking into any network that authenticates with MS-CHAPv2. If you want the technical details, here’s Moxie’s blog about it. The gist is that MS-CHAPv2 uses DES to encrypt a known plaintext (a hash of the challenge, which an eavesdropper also sees) under keys taken straight from the user’s NT password hash, so cracking those DES keys recovers the hash, and the way the hash is split into keys collapses the whole job to a single 56-bit DES key search. DES can be cracked in hours using dedicated hardware. Moxie and friends have acquired one of these DES hardware crackers (an FPGA box) and hooked it up to the cloud so that you can rent super-fast cracking mojo. Then they released a tool that hands a captured MS-CHAPv2 handshake, from a PPTP VPN or from WPA2-Enterprise, to the cloud cracker, which tries 18 billion DES keys per second. Average break time is half a day (you pay $17).
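To make the “known plaintext under DES” point concrete, here is an added example (mine, not code from Moxie’s blog or from their tool) that computes the MS-CHAPv2 NT-Response the way RFC 2759 specifies and then performs the attacker’s first step. The NT hash is a constructed 16-byte value standing in for MD4 of the password; the challenges and username are made up; Go’s standard-library DES and SHA-1 do the work.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// Constructed inputs for the demo (not from any capture): an NT hash that
// would normally be MD4(UTF-16LE(password)), and the two 16-byte challenges.
var (
	sampleNTHash = [16]byte{0x8a, 0x6b, 0x9c, 0x20, 0x05, 0x7e, 0xf1, 0xd3,
		0x4c, 0x91, 0x3a, 0x07, 0xbe, 0x55, 0xc2, 0x1f}
	samplePeer = [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	sampleAuth = [16]byte{0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
		0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf}
	sampleUser = "alice"
)

// desKey spreads 56 key bits over 8 bytes with the low (parity) bit of each
// byte left zero, as RFC 2759's DesEncrypt does. Go's DES ignores parity.
func desKey(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(acc&0x7f) << 1
		acc >>= 7
	}
	return key
}

func desBlock(k7 []byte, in [8]byte) [8]byte {
	c, err := des.NewCipher(desKey(k7))
	if err != nil {
		panic(err)
	}
	var out [8]byte
	c.Encrypt(out[:], in[:])
	return out
}

// challengeHash = first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName).
func challengeHash(peer, auth [16]byte, user string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	var out [8]byte
	copy(out[:], h.Sum(nil))
	return out
}

// ntResponse pads the 16-byte NT hash to 21 bytes with zeros, cuts it into
// three 7-byte DES keys and encrypts the same challenge hash under each. The
// challenge hash is the known plaintext; the 24-byte result goes on the wire.
func ntResponse(ntHash [16]byte, chal [8]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		blk := desBlock(padded[7*i:7*i+7], chal)
		copy(resp[8*i:], blk[:])
	}
	return resp
}

// recoverTail is the attacker's first step. Key 3 is ntHash[14:16] plus five
// zero bytes, so only 2^16 keys are possible and the last two hash bytes fall
// out instantly. Keys 1 and 2 are then two full 56-bit DES keys applied to the
// same plaintext: one exhaustive 2^56 pass, checking each candidate against
// resp[0:8] and resp[8:16] together, recovers both. That pass is the FPGA's job.
func recoverTail(chal [8]byte, resp [24]byte) ([2]byte, bool) {
	var k7 [7]byte // bytes 2..6 stay zero, matching the padding
	for guess := 0; guess < 1<<16; guess++ {
		k7[0], k7[1] = byte(guess>>8), byte(guess)
		out := desBlock(k7[:], chal)
		if bytes.Equal(out[:], resp[16:]) {
			return [2]byte{k7[0], k7[1]}, true
		}
	}
	return [2]byte{}, false
}

// demo runs one client-side authentication and the attacker's 2^16 step.
func demo() ([2]byte, bool) {
	chal := challengeHash(samplePeer, sampleAuth, sampleUser)
	resp := ntResponse(sampleNTHash, chal)
	return recoverTail(chal, resp)
}

func main() {
	tail, ok := demo()
	fmt.Printf("recovered NT hash bytes 14..15: %x (found=%v, expected %x)\n", tail, ok, sampleNTHash[14:])
}
```

Note what the attacker never needs: the password itself, or the MD4 step. Recovering the NT hash is enough, because the hash is what the client uses to authenticate, and a single 2^56 search is the same cost regardless of how long or complex the password was.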

I’m a little sad about this, because I always liked MS-CHAPv2 due to the fact that it never stored user passwords on the perimeter. Moxie is recommending that enterprises move to IPsec or anything that uses PKI, like SSL VPN. APM anyone?

Your App’s Still Leaking Your Information

Mobile apps still send ridiculous amounts of your personal data to third parties. For example, I saw a slide (I swear) that said that Angry Birds sends your username and password to a third party. I hope that they meant that it sent your Rovio credentials and not your Google credentials.

NSA Director General Keith Alexander

The fact that DEFCON finally landed the NSA director as a speaker is huge. Many people were not able to get into the talk (myself included). Reactions to the talk (in the hallways and on Twitter) were lukewarm. On the positive side, he said “let’s all work together to make the world a better place.” He also made a pitch to hire hackers for the NSA (but, of course, everyone in Security already has a job). On the negative side, the crowd felt like they were being talked down to.


Anonymous and the Fight for Online Justice

While I was helping a friend check into our hotel at midnight, I noticed a young woman behind me rummaging through her stuff. We talked for a bit and it turns out she was the infamous Mercedes Haefer - the only female arrested after the WikiLeaks attacks. For a long time there was a “www.FreeMercedes.org” site that was accepting donations for her defense.

Her part of the Anonymous panel was quite short. She made two basic points. Actually three, but the third was R-Rated and I won’t share it here.

Her first point was that it’s weird that you can block traffic on the street during a demonstration and your punishment is $200 and a night in jail, but if you do it online your punishment is 15 years in prison.

Her second point was this: she instructed us each to turn to the person on their right and punch them in the face. “And now they can charge me for inciting violence!” Actually I’m not sure what the point of that was, but it was funny at the time (for everyone but the people that actually got punched – just kidding.)



Defcon Kids

This is the second year that there’s been something called “Defcon Kids”, which is kind of like elementary school for hackers. Defcon put some serious energy into it this year and honestly, I was blown away by the quality of the talks they had available for the little ones. Next year, if his mother permits, I will bring my little guy along. Imagine the creds 20 years from now if you could say that you were schooled in hacking by Mudge, Poulsen, Doctorow, and the Dark Tangent at Defcon Kids III.

· Hacking your School’s Network (Cory Doctorow!!)

· How to find a 0-day

· Christopher Hoff’s NSA Crypto Challenge

· Lock picking 101

· Hacking Hotels and the Law

· Open Source Drones

· Wall of Lambs (LOL)

· Old School Hacking (Kevin Poulsen)

· A Secret Talk (Mudge)

What’s really interesting is that if you go to the defconkids.org website, they appear to be listing the Department of Defense as a partner. No, really.


Kaminsky’s Black Ops – Secure Development

Dan Kaminsky filled the Penn & Teller Theater again and this time his topic was Secure Development. He covered topics that were certainly near and dear to my heart. I love Kaminsky for his showmanship and his analysis of the big picture. For example, take the survey earlier this year that revealed that 5% of the SSL keys on the internet were insufficiently random (generated from so little entropy that keys on unrelated hosts collide or share prime factors). His analysis was that it’s because we’ve been lazy about our random number generators (RNGs), and damn it, we should have fixed this 20 years ago. Kaminsky’s solution for the RNG problem was to go back to Matt Blaze’s “TrueRand” approach, which harvests entropy from the drift between two independent clocks. Mr. Blaze, though, has been telling people not to use it, because there’s no way to prove how well it works. Kaminsky’s position is that it seems to work, and it can’t be worse than what we’re doing now, so let’s go back to it.

He also made a compelling case for letting application writers continue to write SQL statements as strings, mostly because, well, they’re going to do it anyway because it’s so much easier than using native query objects. Therefore someone should add protection into the compiler or underlying system that can tell SQL code apart from data input, so that input can never change the structure of the statement. I think that’s a great idea. Such a great idea, in fact, that it should be applied not just to SQL but to any system that accepts input that will be passed on to another interpreter.
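What “telling SQL code apart from data” can look like when done in a library rather than the compiler, as an added example (mine, not Kaminsky’s proposal or any product): a tiny tokenizer reduces a statement to its code skeleton with every literal collapsed to “?”, and a bound statement is refused if its skeleton differs from the template it was built from. The builder, the tokenizer and the sample inputs are all constructed for this example; the tokenizer is deliberately small and is not a full SQL grammar.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// A token is code (keyword, identifier, operator) or data (a literal). Literals
// all collapse to one placeholder, so the shape is what an injection must change.
type token struct {
	isLiteral bool
	text      string
}

// lex is a small SQL tokenizer written for this example, not a full grammar:
// 'strings' with '' escapes, numbers (data), words, punctuation, -- comments.
func lex(sql string) []token {
	var toks []token
	r := []rune(sql)
	for i := 0; i < len(r); {
		c, j := r[i], i+1
		switch {
		case unicode.IsSpace(c):
		case c == '\'':
			for j < len(r) { // scan to the closing quote, stepping over '' pairs
				if r[j] == '\'' {
					j++
					if j == len(r) || r[j] != '\'' {
						break
					}
				}
				j++
			}
			toks = append(toks, token{true, string(r[i:j])})
		case unicode.IsLetter(c) || unicode.IsDigit(c) || c == '_':
			for j < len(r) && (unicode.IsLetter(r[j]) || unicode.IsDigit(r[j]) || r[j] == '_' || r[j] == '.') {
				j++
			}
			toks = append(toks, token{unicode.IsDigit(c), strings.ToUpper(string(r[i:j]))})
		case c == '-' && j < len(r) && r[j] == '-':
			return toks // comment: the rest of the statement is discarded
		default:
			toks = append(toks, token{false, string(c)})
		}
		i = j
	}
	return toks
}

// skeleton is the code shape: every literal becomes "?", so the template
// "WHERE name = ?" and the bound "WHERE name = 'bob'" read the same.
func skeleton(sql string) string {
	var parts []string
	for _, t := range lex(sql) {
		if t.isLiteral {
			t.text = "?"
		}
		parts = append(parts, t.text)
	}
	return strings.Join(parts, " ")
}

// fill replaces the i-th "?" in template with quote(args[i]).
func fill(template string, args []string, quote func(string) string) string {
	parts := strings.Split(template, "?")
	for i := 0; i < len(args) && i < len(parts)-1; i++ {
		parts[i] += quote(args[i])
	}
	return strings.Join(parts, "")
}

// BuildUnsafe is the concatenation habit the talk says developers will keep:
// the argument lands between quotes with no escaping (the 'before' case).
func BuildUnsafe(template string, args ...string) string {
	return fill(template, args, func(s string) string { return "'" + s + "'" })
}

// BuildChecked quotes each argument ('' for embedded quotes), then refuses the
// statement if its skeleton differs from the template's: data that became code is caught.
func BuildChecked(template string, args ...string) (string, error) {
	q := fill(template, args, func(s string) string { return "'" + strings.ReplaceAll(s, "'", "''") + "'" })
	if want, got := skeleton(template), skeleton(q); want != got {
		return "", fmt.Errorf("statement shape changed: want %q, got %q", want, got)
	}
	return q, nil
}

// Injected reports whether a concrete statement has lost the template's shape.
func Injected(template, concrete string) bool {
	return skeleton(template) != skeleton(concrete)
}

func main() {
	tmpl := "SELECT id FROM users WHERE name = ? AND active = 1"
	q, err := BuildChecked(tmpl, "' OR '1'='1")
	fmt.Printf("unsafe build injected: %v\nchecked build: %q err=%v\n", Injected(tmpl, BuildUnsafe(tmpl, "' OR '1'='1")), q, err)
}
```

The shape check is the same idea a real prepared statement gives you for free: the database parses the template once, with placeholders, and the bound values can only ever be values. The comparison version is what you reach for when the statement is already a string, as Kaminsky expects it will be, and it generalises to any interpreter whose syntax you can tokenize.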

Mobility Eavesdropping and the Law

Google, Sprint, and T-Mobile have been releasing the number of law enforcement requests that they have to deal with. It’s in the millions for each. In order to deal with all this, some of the providers have set up automated systems so law enforcement can just log in and track as many people as they want for $30/month. It’s basically a surveillance smorgasbord! They can even, after deciding that a particular 7-11 store is sketchy, track everyone who goes there for a month.

While it used to take a team of 20 FBI agents to tail somebody, it can now be done by some Milton Waddams look-alike behind a bank of LCDs. This means that many, many, more people can be tracked and law-enforcement doesn’t have to be so picky about who gets tracked. Hmmm, are they tracking me now?




The Jester Denied


If you know about The Jester (@th3j35t3r), you know that he was at Defcon last year. This year I didn’t see any tweets from him, and that’s because some of his enemies had set up some kind of bot that was auto-reporting his Twitter account as being malicious, so it got shut down. Since The Jester doesn’t keep an email address (too risky), Twitter had no way to get in touch with him.

Spreading the Love

The taxi line guy at the hotel handled so many hackers that by the second day he had his own DC20 badge and was telling people “I’m never going to pay for Wi-Fi again! All these hackers showed me how to get it for free!”

And that’s my informal report. By no means comprehensive, just my impressions.