Just thought I’d post some quick summary notes regarding Kiwicon 2038AD, which has just finished it’s first day.
Scooters - Disrupting the Electric Scooter Market - Matthew Garrett
- First talk was supposed to be Jessie Frazelle talking about Docker stuff, but she didn’t make it out of the US :(
- Reverse engineered apps used by electric scooter companies such as Spin and Lime.
- Not a massive job, as they both offer Android apps which can be decompiled reasonably easily using something like jadx/apktool.
- Neither of these are in Brisbane yet, but he suspects Lime is coming (because he was able to find active Lime scooters in Brisbane using their API)
- Lime scooters track the scooter’s location so that their service can tell people where hirable scooters are located.
- In use scooters disappear from the map so that you can’t see where people are riding
- API allows you to query a specific 6 digit scooter ID
- Scooter IDs are from 000000 to 999999
- These can be brute forced reasonably quickly
- When querying a specific scooter ID you get it’s exact location, whether it’s in use or not
- This means that you can see where scooters ride to and from, potentially learning where somebody works/lives/visits/etc.
- Lime just raised over $400M USD of funding.
vmpklon - Creation of a VMProtect Clone - Jon Erickson (@2130706433)
- Jon created a VMProtect clone by reverse engineering pieces of the VMProtect tooling.
- VMProtect is a tool that obfuscates/protects your application by running it in a VM, like how Java’s JVM works.
- Key takeaways:
- Software (of all kinds) gets more complex over time
- Almost all software stands on the shoulders of it’s predecessors
- e.g. If you understand the simpler Windows XP internals, you have a much better chance of getting your head around Windows 10 internals.
- There’s no better way to learn how something works than trying to write your own version of it.
Apathy and Arsenic - Attacus (@attacus_au)
- Had a really solid comparison between the historical use of arsenic trioxyde (aka. inheritance powder) and the privacy issues that we’re facing today.
- Both are convenient, cheap, and produce some nice outcomes
- Arsenic was a cheap ingredient in particular colouring pigments, as a pesticide, and in cosmetics.
- Privacy-hostile tools/services are free*, are widely used, and provide services that people enjoy using.
- Both disproportionately affect[ed] people who are already disadvantaged.
- Arsenic was used in cheap wallpaper for colouring
- The few privacy-conscious-ish devices/tools that don’t require a ponytail to operate are somewhat pricey (iPhone is the only example I can think of…)
- Both seem[ed] difficult to get people to care about
- People are indifferent because:
- “I’ve got nothing to hide!”
- “I’m never going to be a target of things like that.”
- People are indifferent because:
- How do we fight “peak indifference” (aka. “When the most people give the least fucks”)?
- Attempt to bring privacy education to the masses
- Campaign for better laws
- Fact-check corporate spin/bullshit
- Accessible alternatives
- Even if these start out pricey, they will trickle down.
- Keep informing, even if it seems like things aren’t changing
- Accept that not everyone will be on-board, but do your best to make things better for them anyway.
- Don’t be afraid to care about things that are important, even if it makes you “uncool”.
Introducing “moriarty”, a smart contract audit tool - Caleb Anderson
- Created a tool to perform symbolic execution of Ethereum smart contracts in order to find money making vulnerabilities
- Brute forces all execution paths of smart contracts, for variables that matter
- Smart contracts can cost lots of money
- $741M USD of Eth was taken through a smart contract vuln in the DAO, known as a “reenterant attack”.
- Tool is able to check for money-making vulns, and even create a PoC exploit automatically
- Not being released to the public, but suggested he is likely to provide it to individuals who ask nicely.
- This one included a good amount of math-ey stuff that I didn’t understand very well, hence the heavily summarised version.
Feeding the Beast: Network Insurgency - Parks (@syngularity0)
- Related red teaming to the .mil F3EAD methodology
- Reinforced that recon/enumeration is key.
Lessons from game consoles and the coming security apocalypse - Boyd Multerer
- Boyd worked on the Xbox team at Microsoft until recently
- He and his team were faced with the problems of trying to secure a system where the owners of the system were actively working against you in order to try and cheat or get free games.
- You are unable to trust local storage, buses, drives, registers, memory, caches, as they are all susceptible to eavesdropping/manipulation if you have physical access and enough money/time.
- An attack that might cost a lot of money to develop can be funded by selling it as a product once it’s complete.
- e.g. Xbox 360 Reset Glitch Hack
- You need to assume that memory is compromised, all data traversing buses has been leaked.
- Every driver is an attack vector
- Believes we should move from having security done in CPUs into FPGAs, which need to be on the same die as the CPU (because we can’t trust buses)
- Make it so that you need to physically destroy the chip to get the info out.
- Should move from macro kernels -> micro kernels
- All drivers run in user mode instead of kernel mode.
- Isolate as much 3rd party code as possible.
- Is currently working on IoT device security at kry10, and thinks that the above findings will also apply to IoT devices.
Living Without the Land - AD Attacks from Linux - @mubix
- “Living on the land” has been a trend for some time now
- Effectively means using offensive powershell tools to get your dirty hacker stuff done in a Windows environment.
- Is getting more detectable and less attractive because of it’s prevalence, and new (PS5/Win10) protections/logging.
- Created a ruby msf/SEtoolkit-like tool that can query or modify AD from a non-domain joined Linux/Mac/Windows machine
- LDAP-WAT (to be released shortly…)
- LDAP Windows Attack Toolkit
- The coolest thing I saw in this talk was the following:
- Any AD user, by default, can join a Windows computer to a domain, using the SeMachineAccountPrivilege
- Using @mubix’s LDAP-WAT, you, any standard AD user, can join a machine, and tell AD that it should be a domain controller.
- This means that you get a full copy of the directory, including the ability to pull any credential information using dcsync.
- You get all of the AD account hashes, including krbtgt, the kerberos ticket granting ticket account.
- Effectively, from what I can tell, standard AD user -> domain admin privileges.
Ghosts in the Browser - Emmanuel Law @libnex and Claudio Contin @claudiocontin
- Can be used to act as a temporary browser implant with access to a page’s cookies and other info, if you are able to run JS in the page (XSS).
- Can exist even once XSS has been fixed, because the service worker registers, and runs in the browser until the site unregisters it.
Mayday, Mayday, Mayday - Safe Harbour No More - Eliza @zemmiph0bia
- Currently in the US, for the most part, a platform is not liable for content which it’s user’s submit
- Section 230
- FOSTA-SESTA is an exception to that.
- FOSTA-SESTA (Fight Online Sex Trafficking/Stop Enabling Sex Traffickers Act)
- Became US law in April ‘18
- Removes a platforms immunity when hosting sex traffickers
- Sounds good, except that it doesn’t seem to make a big differentiation between (legal, or not) sex workers.
- Is already having impact on sex workers, meaning that they are being kicked off/shadowbanned from sites where they share their services (Twitter/backpage/etc.).
- Because the US hosts a large proportion of our online services/tech companies, this affects users that don’t live in the US, including places where sex work is accepted/legal.
- This kind of idea is interesting to think about, that the power/problems of the US extend to other areas of the world due to the fact that lots of tech innovation occurs there.
DHCP is Hard - Felix Wilhelm
- Spoke about a number of DHCP -> code execution bugs that he and others have found over the last two years
- dnsmasq - CVE-2017-14493
- ISC DHCP - CVE-2018-5733
- dhclient - is the default DHCP client on almost all mainstream linux distributions
- Exploit requires ~200GB of traffic to the DHCP client… not so useful
- ISC DHCP - CVE-2018-1111 - “dynoroot”
- Root arbitrary command execution by sending a specially formed DHCP packet to a DHCP client…
- Backwards compatibility increases attack surface
- DHCPv6 is enabled everywhere, increases attack surface, but not many people use it…
- “Don’t write new network daemons in C”
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale - Moloch @littlejoetables and Mandatory @iammandatory
- Burp intruder is a tool to send a large number of customised HTTP requests quickly, and provide the results in an easy to read manners quickly, and provide the results in an easy to read manner.
- Can be used to brute force logins, identifiers, or to fuzz web applications
- Is limited by your browser/bandwidth/rate limiting
- lambda-intruder allows you to do the same thing extremely quickly (enough to DoS many servers without realising it…) and cheaply using Amazon services.
- Rainbow tables are pre-computed hashes, used as an alternative to brute forcing/”cracking” password hashes
- Rainbow tables are big (TBs and TBs)…
- Google Big Query and other amazon services can help…
- GPU password cracking is useful and pretty fast, but causes lots of heat, and tends to cost a lot of money in GPUs, especially if you want to do it super fast
- AWS comes in handy again…
- masscat is a tool which can utilise Amazon services to spin up servers/lambdas/spots with big GPU power to perform your password cracking activities for you quickly and cheaply…
Securing a World of Physically Capable Computers - Bruce Schneier
- Spoke about how the increasing complexity of computer systems increases their vulnerability
- Computer systems are not just our computers, but our TVs, fridges, phones, DVRs, etc.
- All of these are getting more and more vulnerable, and we need to make changes to stop this.
- The free market does not care about security, because consumers do not care
- I got lost taking notes at this point, thinking about what he was talking about, and instead took a horrible quality audio recording of the remainder, which I’ve linked here.
If you’re around, and you recognise me (I’m wearing a black tshirt and sunglasses…), say hi!