Kiwicon 2038AD Day 1 Summary

Just thought I'd post some quick summary notes regarding Kiwicon 2038AD, which has just finished its first day.

Scooters - Disrupting the Electric Scooter Market - Matthew Garrett

First talk was supposed to be Jessie Frazelle talking about Docker stuff, but she didn’t make it out of the US :(

Reverse engineered the apps used by electric scooter companies such as Spin and Lime. Not a massive job, as both offer Android apps which can be decompiled reasonably easily using something like jadx / apktool.

- Neither of these are in Brisbane yet, but he suspects Lime is coming (because he was able to find active Lime scooters in Brisbane using their API).
- Lime scooters report their location so that the service can tell people where hirable scooters are. In-use scooters disappear from the map so that you can't see where people are riding.
- The API allows you to query a specific 6-digit scooter ID. Scooter IDs run from 000000 to 999999, so the whole ID space can be brute forced reasonably quickly.
- Querying a specific scooter ID returns its exact location, whether it is in use or not. This means that you can see where scooters ride to and from, potentially learning where somebody works/lives/visits/etc.
- Lime just raised over $400M USD of funding.

vmpklon - Creation of a VMProtect Clone - Jon Erickson ( @2130706433 )

Jon created a VMProtect clone by reverse engineering pieces of the VMProtect tooling. VMProtect is a tool that obfuscates/protects your application by translating it into bytecode for a custom virtual machine embedded in the binary, a bit like how Java's JVM works.

Key takeaways:
- Software (of all kinds) gets more complex over time.
- Almost all software stands on the shoulders of its predecessors, e.g. if you understand the simpler Windows XP internals, you have a much better chance of getting your head around Windows 10 internals.
- There's no better way to learn how something works than trying to write your own version of it.

Apathy and Arsenic - Attacus ( @attacus_au )

Had a really solid comparison between the historical use of arsenic trioxide (aka. inheritance powder) and the privacy issues that we're facing today.

- Both are convenient, cheap, and produce some nice outcomes:
  - Arsenic was a cheap ingredient in particular colouring pigments, as a pesticide, and in cosmetics.
  - Privacy-hostile tools/services are free*, are widely used, and provide services that people enjoy using.
- Both disproportionately affect[ed] people who are already disadvantaged:
  - Arsenic was used in cheap wallpaper for colouring.
  - The few privacy-conscious-ish devices/tools that don't require a ponytail to operate are somewhat pricey (iPhone is the only example I can think of...).
- Both seem[ed] difficult to get people to care about. People are indifferent because: "I've got nothing to hide!" and "I'm never going to be a target of things like that."

How do we fight "peak indifference" (aka. "When the most people give the least fucks")?
- Awareness: attempt to bring privacy education to the masses.
- Resistance: campaign for better laws; fact-check corporate spin/bullshit.
- Accessible alternatives: even if these start out pricey, they will trickle down.
- Time/patience: keep informing, even if it seems like things aren't changing. Accept that not everyone will be on board, but do your best to make things better for them anyway. Don't be afraid to care about things that are important, even if it makes you "uncool".

Introducing "moriarty", a smart contract audit tool - Caleb Anderson

Created a tool to perform symbolic execution of Ethereum smart contracts in order to find money-making vulnerabilities.
- Brute forces all execution paths of a smart contract for the variables that matter.
- Smart contracts can cost lots of money: $741M USD of ETH was taken through a smart contract vuln in the DAO, known as a "reentrancy attack".
- The tool is able to check for money-making vulns, and even create a PoC exploit automatically.
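The DAO bug that moriarty is built to find, reduced to plain Python as an added example (this is not the tool's code and not Solidity): a withdraw() that pays out before zeroing the caller's balance lets the recipient re-enter and drain everyone else's deposits, and the fix is simply to update state before making the external call. The Vault/SafeVault classes, the attacker and the deposit amounts are all constructed for the illustration.

```python
"""Reentrancy in the shape of the DAO bug, simulated in plain Python (added example, not moriarty's code).

Modelled EVM detail: sending ether to a contract runs the recipient's code
*before* control returns to the sender, so a withdraw() that pays first and
updates state second can be re-entered while the old balance is still credited.
"""


class Vault:
    """Vulnerable: interaction (payment) before effect (balance update)."""

    def __init__(self):
        self.balances = {}   # depositor -> credited amount
        self.funds = 0       # ether actually held by the contract, shared by all depositors

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            return
        self.funds -= amount
        who.receive(self, amount)     # recipient code runs here: balances[who] is still non-zero
        self.balances[who] = 0        # reached only after every nested call has returned


class SafeVault(Vault):
    """Fixed: checks-effects-interactions. Zero the balance before paying out."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            return
        self.balances[who] = 0        # effect first: a re-entrant call now sees amount == 0
        self.funds -= amount
        who.receive(self, amount)


class Wallet:
    """An honest depositor: just records what it is paid."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker:
    """Malicious recipient: re-enters withdraw() from inside the payment callback."""

    def __init__(self):
        self.stolen = 0

    def receive(self, vault, amount):
        self.stolen += amount
        vault.withdraw(self)          # in the vulnerable vault our balance has not been zeroed yet


def run_attack(vault_cls, honest_deposits=10, attacker_deposit=1):
    """Fund a vault with `honest_deposits` deposits of 1 plus the attacker's deposit,
    let the attacker withdraw once, and return (amount the attacker got, funds left)."""
    vault = vault_cls()
    for _ in range(honest_deposits):
        vault.deposit(Wallet(), 1)
    attacker = Attacker()
    vault.deposit(attacker, attacker_deposit)
    vault.withdraw(attacker)
    return attacker.stolen, vault.funds


if __name__ == "__main__":
    print("vulnerable:", run_attack(Vault))      # attacker walks away with every deposit
    print("fixed:     ", run_attack(SafeVault))  # attacker gets back exactly its own deposit
```

In Solidity the same fix is writing `balances[msg.sender] = 0` before the external `call`, with a reentrancy guard (mutex) as a second line of defence; the simulation keeps only the ordering, which is the part a symbolic executor reasons about.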

Not being released to the public, but suggested he is likely to provide it to individuals who ask nicely.

This one included a good amount of math-ey stuff that I didn't understand very well, hence the heavily summarised version.

Feeding the Beast: Network Insurgency - Parks ( @syngularity0 )

- Related red teaming to the .mil F3EAD methodology (Find, Fix, Finish, Exploit, Analyze, Disseminate).
- Reinforced that recon/enumeration is key.

Lessons from game consoles and the coming security apocalypse - Boyd Multerer

Boyd worked on the Xbox team at Microsoft until recently. He and his team were faced with the problem of trying to secure a system where the owners of the system were actively working against you in order to cheat or get free games.

- You are unable to trust local storage, buses, drives, registers, memory or caches, as they are all susceptible to eavesdropping/manipulation if you have physical access and enough money/time.
- An attack that might cost a lot of money to develop can be funded by selling it as a product once it's complete, e.g. the Xbox 360 Reset Glitch Hack.
- You need to assume that memory is compromised and that all data traversing buses has been leaked.
- Every driver is an attack vector.
- Believes we should move security functions out of the CPU into FPGAs, which need to be on the same die as the CPU (because we can't trust buses). Make it so that you need to physically destroy the chip to get the info out.
- Should move from macro kernels to micro kernels: all drivers run in user mode instead of kernel mode. Isolate as much 3rd party code as possible.
- Is currently working on IoT device security at kry10, and thinks that the above findings will also apply to IoT devices.

Living Without the Land - AD Attacks from Linux - @mubix

"Living off the land" has been a trend for some time now. Effectively it means using offensive PowerShell tooling to get your dirty hacker stuff done in a Windows environment. It is getting more detectable and less attractive because of its prevalence and the new (PS5/Win10) protections/logging.

Created a Ruby msf/SEToolkit-like tool that can query or modify AD from a non-domain-joined Linux/Mac/Windows machine: LDAP-WAT (LDAP Windows Attack Toolkit), modular, to be released shortly...

The coolest thing I saw in this talk was the following:
- Any AD user, by default, can join a Windows computer to a domain, using the SeMachineAccountPrivilege (up to the default ms-DS-MachineAccountQuota of 10 machines).
- Using @mubix's LDAP-WAT, you, any standard AD user, can join a machine, and tell AD that it should be a domain controller.
- This means that you get a full copy of the directory, including the ability to pull any credential information using DCSync. You get all of the AD account hashes, including krbtgt, the Kerberos ticket-granting ticket account.
- Effectively, from what I can tell, standard AD user -> domain admin privileges. Epic.

Ghosts in the Browser - Emmanuel Law @libnex and Claudio Contin @claudiocontin

- Service workers are JavaScript code run in the background of a browser, registered by a web page, and are used for things like push notifications and background data retrieval.
- Can be used to act as a temporary browser implant with access to a page's cookies and other info, if you are able to run JS in the page (XSS).
- Can persist even once the XSS has been fixed, because the service worker, once registered, keeps running in the browser until the site unregisters it.

Mayday, Mayday, Mayday - Safe Harbour No More - Eliza @zemmiph0bia

- Currently in the US, for the most part, a platform is not liable for content which its users submit (Section 230). FOSTA-SESTA is an exception to that.
- FOSTA-SESTA (Fight Online Sex Trafficking Act / Stop Enabling Sex Traffickers Act) became US law in April '18. It removes a platform's immunity when hosting sex traffickers.
- Sounds good, except that it doesn't seem to differentiate much between traffickers and (legal or not) sex workers.
- Is already having an impact on sex workers, who are being kicked off/shadowbanned from sites where they share their services (Twitter/Backpage/etc.).
- Because the US hosts a large proportion of our online services/tech companies, this affects users that don't live in the US, including places where sex work is accepted/legal.
- This kind of idea is interesting to think about: that the power/problems of the US extend to other areas of the world because so much tech innovation occurs there.

DHCP is Hard - Felix Wilhelm

Spoke about a number of DHCP -> code execution bugs that he and others have found over the last two years:
- dnsmasq - CVE-2017-14493
- ISC DHCP - CVE-2018-5733
- dhclient is the default DHCP client on almost all mainstream Linux distributions. The exploit requires ~200GB of traffic to the DHCP client... not so useful.
- dhclient (Red Hat's NetworkManager integration script) - CVE-2018-1111 - "DynoRoot": root arbitrary command execution by sending a specially formed DHCP packet to a DHCP client.

Takeaways:
- Backwards compatibility increases attack surface.
- DHCPv6 is enabled everywhere and increases attack surface, but not many people use it...
- "Don't write new network daemons in C"
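Felix's takeaways turned into code, as an added example that is not from his talk or from any of the DHCP implementations named above: a strict parser for the DHCP options field that refuses any option whose declared length runs past the packet (the bounds check a C implementation has to get right by hand for every option), plus a whitelist check on a string option before it goes anywhere near a hook script, which is the class of mistake behind DynoRoot. The two packets are constructed for the example; the option codes and the magic cookie are the real RFC 2132 values.

```python
import re

MAGIC_COOKIE = b"\x63\x82\x53\x63"    # RFC 2132: marks the start of the options field
OPT_PAD, OPT_END = 0, 255


class DHCPParseError(ValueError):
    pass


def parse_options(payload: bytes) -> dict:
    """Parse the DHCP options field (everything after the fixed 236-byte header).

    Returns {option_code: raw_value_bytes}. Every option's declared length is
    checked against the bytes actually present before anything is read, so a
    malformed packet raises instead of reading past the buffer."""
    if not payload.startswith(MAGIC_COOKIE):
        raise DHCPParseError("options field does not start with the DHCP magic cookie")
    options = {}
    i = len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        i += 1
        if code == OPT_PAD:                 # single byte, no length field
            continue
        if code == OPT_END:
            return options
        if i >= len(payload):
            raise DHCPParseError(f"option {code}: packet ends before its length byte")
        length = payload[i]
        i += 1
        if i + length > len(payload):
            raise DHCPParseError(
                f"option {code}: declared length {length} but only {len(payload) - i} bytes remain")
        options[code] = payload[i:i + length]   # a repeated code overwrites (RFC 3396 splitting not modelled)
        i += length
    raise DHCPParseError("options field is not terminated by END (255)")


# Whitelist for hostname-like options (12 Host Name, 15 Domain Name): letters, digits, '.', '-'.
_HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,255}")


def hostname_option(options: dict, code: int):
    """Return a string option only if it is a plain hostname. Anything else
    (shell metacharacters, quotes, non-ASCII) is rejected rather than exported
    to hook scripts, which is where DynoRoot-style command injection happens."""
    raw = options.get(code)
    if raw is None:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise DHCPParseError(f"option {code}: not ASCII")
    if not _HOSTNAME.fullmatch(text):
        raise DHCPParseError(f"option {code}: {text!r} is not a plain hostname")
    return text


# Constructed sample packets (options field only, as a rogue server might send them).
SAMPLE_OFFER = (
    MAGIC_COOKIE
    + bytes([53, 1, 2])                      # 53 DHCP Message Type = OFFER
    + bytes([OPT_PAD])
    + bytes([1, 4, 255, 255, 255, 0])        # 1 Subnet Mask
    + bytes([15, 12]) + b"corp.example"      # 15 Domain Name
    + bytes([12, 9]) + b"web'; id'"          # 12 Host Name carrying shell metacharacters
    + bytes([OPT_END])
)

TRUNCATED_OFFER = (
    MAGIC_COOKIE
    + bytes([53, 1, 2])
    + bytes([15, 40]) + b"corp"              # claims 40 bytes, only 4 present
)


if __name__ == "__main__":
    opts = parse_options(SAMPLE_OFFER)
    print(opts)
    print("domain:", hostname_option(opts, 15))
    for attempt in (lambda: hostname_option(opts, 12), lambda: parse_options(TRUNCATED_OFFER)):
        try:
            attempt()
        except DHCPParseError as err:
            print("rejected:", err)
```

The parser is deliberately strict (a missing END is an error, not a warning); the lenient behaviour real clients keep for backwards compatibility is exactly the extra attack surface the talk warned about.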

Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale - Moloch @littlejoetables and Mandatory @iammandatory

Burp Intruder is a tool to send a large number of customised HTTP requests quickly and present the results in an easy-to-read manner. It can be used to brute force logins or identifiers, or to fuzz web applications, but it is limited by your browser/bandwidth/rate limiting.
- lambda-intruder allows you to do the same thing extremely quickly (enough to DoS many servers without realising it...) and cheaply using Amazon services.
- Rainbow tables are precomputed hash chains, used as an alternative to brute forcing/"cracking" password hashes. Rainbow tables are big (TBs and TBs)... Google BigQuery and various AWS services can help: big-rainbow.
- GPU password cracking is useful and pretty fast, but generates lots of heat and tends to cost a lot of money in GPUs, especially if you want to go super fast. AWS comes in handy again: masscat is a tool which uses Amazon services to spin up servers/lambdas/spot instances with big GPU power to perform your password cracking for you quickly and cheaply...

Securing a World of Physically Capable Computers - Bruce Schneier

- Spoke about how the increasing complexity of computer systems increases their vulnerability.
- Computer systems are not just our computers, but our TVs, fridges, phones, DVRs, etc. All of these are getting more and more vulnerable, and we need to make changes to stop this.
- The free market does not care about security, because consumers do not care.

I got lost taking notes at this point, thinking about what he was talking about, and instead took a horrible-quality audio recording of the remainder, which I've linked here.
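What a rainbow table actually stores, as an added example that is not big-rainbow's or masscat's code: chains of alternating hash and "reduce" steps over a keyspace, of which only the start and end points are kept, and a lookup that regenerates the single chain which could contain the target hash. The keyspace (four lowercase letters), the unsalted SHA-1 target, the reduction function and the table size are all chosen here for illustration; the same construction over a real keyspace is why the tables run to terabytes.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN        # 456,976 candidate passwords (toy size, constructed for the example)


def h(pw: str) -> bytes:
    """The hash being attacked: unsalted SHA-1. A per-user salt is what defeats precomputation."""
    return hashlib.sha1(pw.encode()).digest()


def index_to_pw(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a password string."""
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def reduce_(digest: bytes, pos: int) -> str:
    """Reduction: turn a hash back into *some* password. Mixing in the chain
    position is what makes this a rainbow table rather than a plain Hellman
    table: chains that collide at different positions do not merge."""
    n = int.from_bytes(digest[:8], "big") + pos
    return index_to_pw(n % KEYSPACE)


def start_point(i: int, seed: int = 1) -> str:
    """Deterministic, well-spread chain start points (multiplicative hashing)."""
    return index_to_pw((i * 2654435761 + seed) % KEYSPACE)


def chain_element(start: str, n: int) -> str:
    """The n-th password in the chain beginning at `start` (n = 0 is the start itself)."""
    pw = start
    for pos in range(n):
        pw = reduce_(h(pw), pos)
    return pw


def build_table(n_chains: int, chain_len: int) -> dict:
    """Precompute n_chains chains of chain_len hash+reduce steps. Only endpoint -> start
    is stored; every password in between is recomputed on demand at lookup time."""
    table = {}
    for i in range(n_chains):
        start = start_point(i)
        table.setdefault(chain_element(start, chain_len), start)   # keep the first chain on an endpoint collision
    return table


def lookup(table: dict, target: bytes, chain_len: int):
    """Find a password whose hash is `target`, or None if no stored chain covers it."""
    for k in range(chain_len - 1, -1, -1):       # assume the target sits at position k of some chain
        pw = reduce_(target, k)
        for pos in range(k + 1, chain_len):      # walk the rest of that chain to its endpoint
            pw = reduce_(h(pw), pos)
        start = table.get(pw)
        if start is None:
            continue
        cand = start                             # regenerate that one chain from its start
        for pos in range(chain_len):
            if h(cand) == target:
                return cand
            cand = reduce_(h(cand), pos)
        # endpoint matched but the chain did not contain the target: a false alarm from a merge
    return None


def coverage_estimate(n_chains: int, chain_len: int) -> float:
    """Upper bound on the fraction of the keyspace covered; merges make the real figure lower."""
    return min(1.0, n_chains * chain_len / KEYSPACE)


if __name__ == "__main__":
    CHAIN_LEN = 40
    table = build_table(300, CHAIN_LEN)
    print(f"{len(table)} endpoints stored, at most {coverage_estimate(300, CHAIN_LEN):.1%} of the keyspace covered")
    known = chain_element(start_point(0), 3)     # a password the table is guaranteed to cover
    print(known, "->", lookup(table, h(known), CHAIN_LEN))
    print("zzzzz ->", lookup(table, h('zzzzz'), CHAIN_LEN))   # outside the keyspace, so None
```

The storage/time trade-off is visible in the two loops: a table of N chains of length L costs N entries but roughly N*L hashes to build, and each lookup costs up to L*L/2 hashes, so cloud storage (for N) and cheap burst compute (for the lookups) are exactly the two things the talk rented from AWS.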

If you’re around, and you recognise me (I’m wearing a black tshirt and sunglasses…), say hi!

XORcat

