Kiwicon 2038AD Day 1 Summary


Just thought I’d post some quick summary notes regarding Kiwicon 2038AD, which has just finished its first day.

Scooters - Disrupting the Electric Scooter Market - Matthew Garrett

  • First talk was supposed to be Jessie Frazelle talking about Docker stuff, but she didn’t make it out of the US :(
  • Reverse engineered apps used by electric scooter companies such as Spin and Lime.
  • Not a massive job, as they both offer Android apps which can be decompiled reasonably easily using something like jadx/apktool.
  • Neither of these is in Brisbane yet, but he suspects Lime is coming (because he was able to find active Lime scooters in Brisbane using their API)
  • Lime scooters report their location so that the service can show people where hirable scooters are.
    • In-use scooters disappear from the map, so you can’t see where people are riding
    • The API also lets you query a specific six-digit scooter ID
    • Scooter IDs run from 000000 to 999999, so there are only a million candidates
    • That space can be brute forced reasonably quickly
    • Querying a specific scooter ID returns its exact location whether or not it’s in use, which is exactly what the map hides
    • This means that you can see where scooters ride to and from, potentially learning where somebody works/lives/visits/etc.
  • Lime just raised over $400M USD of funding.
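The leak above comes down to two design choices: a guessable identifier and a per-scooter lookup that answers for scooters the map is supposed to hide. The simulation below is added example code, not Lime’s API or the speaker’s tooling; `ScooterApi`, `HardenedApi`, `enumerate_fleet` and `follow_ride` are invented names, and the fleet, coordinates and route are constructed inputs. It enumerates the full six-digit space against an in-memory fleet, follows one hidden scooter through a ride, then repeats the same two steps against a hardened variant that only answers for hirable scooters and issues unguessable IDs.

```python
"""Constructed simulation of enumerable scooter IDs plus a leaky per-ID lookup.
Added example: not Lime's API or the speaker's code. All class/function names
and the sample fleet/coordinates are invented for illustration."""
import secrets

ID_SPACE = 1_000_000   # six-digit IDs 000000..999999, as described in the talk


class ScooterApi:
    """Weak design: any ID can be looked up, and the reply carries the exact
    position even for a scooter the public map hides because it is in use."""

    def __init__(self, fleet):
        self.fleet = fleet   # {scooter_id: {"pos": (lat, lon), "in_use": bool}}

    def public_map(self):
        # The map only shows hirable scooters, as in the talk.
        return {i: s["pos"] for i, s in self.fleet.items() if not s["in_use"]}

    def lookup(self, scooter_id):
        s = self.fleet.get(scooter_id)
        return None if s is None else {"pos": s["pos"], "in_use": s["in_use"]}


class HardenedApi(ScooterApi):
    """Fix: the per-scooter endpoint answers only for hirable scooters, so an
    in-use position never leaves the server. Pair it with random_id() so the
    ID space cannot be walked either."""

    def lookup(self, scooter_id):
        s = self.fleet.get(scooter_id)
        if s is None or s["in_use"]:
            return None
        return {"pos": s["pos"], "in_use": False}


def random_id():
    """128-bit random identifier instead of a counter: 2**128 candidates, not 10**6."""
    return secrets.token_hex(16)


def enumerate_fleet(api):
    """Brute force every six-digit ID. A million unauthenticated requests is a
    modest job against a real API; here it is a million dict lookups."""
    found = {}
    for n in range(ID_SPACE):
        key = f"{n:06d}"
        r = api.lookup(key)
        if r is not None:
            found[key] = r
    return found


def follow_ride(api, scooter_id, route):
    """Poll one ID while a ride happens. `route` drives the simulated scooter;
    the returned list is everything the poller learned about the trip."""
    seen = []
    for pos in route:
        api.fleet[scooter_id].update(pos=pos, in_use=True)
        r = api.lookup(scooter_id)
        if r is not None:
            seen.append(r["pos"])
    api.fleet[scooter_id]["in_use"] = False
    return seen


def demo(api_cls):
    """Run enumeration and ride-following against a constructed two-scooter fleet."""
    fleet = {
        "004217": {"pos": (-27.47, 153.02), "in_use": False},
        "381900": {"pos": (-27.46, 153.03), "in_use": True},   # hidden from the map
    }
    api = api_cls(fleet)
    route = [(-27.46, 153.03), (-27.45, 153.04), (-27.44, 153.05)]
    return enumerate_fleet(api), follow_ride(api, "381900", route)


if __name__ == "__main__":
    for cls in (ScooterApi, HardenedApi):
        found, trip = demo(cls)
        print(cls.__name__, "enumerated:", sorted(found), "trip seen:", trip)
```

Against `ScooterApi` the enumeration turns up both scooters, including the one the map hides, and polling the hidden one yields its whole route. Against `HardenedApi` only the hirable scooter is visible and the ride produces nothing. The map endpoint is unchanged in both cases; the fix is entirely in what the per-ID endpoint is willing to say and how hard the ID is to guess.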

vmpklon - Creation of a VMProtect Clone - Jon Erickson (@2130706433)

  • Jon built a VMProtect clone by reverse engineering pieces of the VMProtect tooling.
  • VMProtect is a tool that obfuscates/protects your application by translating selected code into bytecode for a custom virtual machine and shipping the interpreter inside the binary, loosely like how Java’s JVM works.
  • Key takeaways:
    • Software (of all kinds) gets more complex over time
    • Almost all software stands on the shoulders of its predecessors
    • e.g. If you understand the simpler Windows XP internals, you have a much better chance of getting your head around Windows 10 internals.
    • There’s no better way to learn how something works than trying to write your own version of it.
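In the spirit of that last takeaway, here is a toy virtualizing protector: a tiny stack VM whose opcode encoding is re-randomised per build, so the same function compiles to different bytes every time while the interpreter shipped with it still produces the same answer. This is added example code written for this post, not vmpklon or VMProtect; the instruction set, the seed-driven opcode permutation and the names `make_opcode_map`, `virtualize`, `run_vm` and `protected_f` are all invented for illustration.

```python
"""Toy virtualizing obfuscator. Added example: not vmpklon or VMProtect code;
the instruction set and every function name here are invented."""
import random
import struct

MASK = 0xFFFFFFFF
OPS = ("PUSH", "ADD", "MUL", "XOR", "RET")   # the VM's "native" instruction set


def make_opcode_map(build_seed):
    """Per-build opcode permutation. Commercial VM protectors give each
    protected binary its own encoding, so an analyst has to recover the mapping
    afresh by reading the handlers; the seed stands in for that randomness."""
    rng = random.Random(build_seed)
    codes = rng.sample(range(256), len(OPS))
    return dict(zip(OPS, codes))            # e.g. {"PUSH": 0x9b, "ADD": 0x17, ...}


def virtualize(program, opcode_map):
    """Lower a list of (op[, immediate]) tuples to bytecode under one encoding.
    Real tools lift x86 first; the input here is already VM-level."""
    out = bytearray()
    for op, *imm in program:
        out.append(opcode_map[op])
        if op == "PUSH":
            out += struct.pack("<I", imm[0] & MASK)   # 32-bit little-endian immediate
    return bytes(out)


def run_vm(bytecode, opcode_map):
    """The interpreter loop: fetch an obfuscated opcode, dispatch to its handler.
    Each elif branch is one 'handler' of the kind the talk reverse engineered."""
    decode = {v: k for k, v in opcode_map.items()}
    stack, pc = [], 0
    while pc < len(bytecode):
        try:
            op = decode[bytecode[pc]]
        except KeyError:
            raise ValueError(f"illegal opcode {bytecode[pc]:#04x} at offset {pc}") from None
        pc += 1
        if op == "PUSH":
            stack.append(struct.unpack_from("<I", bytecode, pc)[0])
            pc += 4
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & MASK)
        elif op == "MUL":
            b, a = stack.pop(), stack.pop()
            stack.append((a * b) & MASK)
        elif op == "XOR":
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif op == "RET":
            return stack.pop()
    raise ValueError("bytecode ended without RET")


def f(x):
    """The function being protected, in plain Python: ((x * 7) + 3) ^ 0x55."""
    return ((x * 7 + 3) ^ 0x55) & MASK


def f_program(x):
    """The same function written for the VM, with x as the first immediate."""
    return [("PUSH", x), ("PUSH", 7), ("MUL",), ("PUSH", 3), ("ADD",),
            ("PUSH", 0x55), ("XOR",), ("RET",)]


def protected_f(x, build_seed):
    """Build-specific protected f: same result under any seed, different bytes per build."""
    opcode_map = make_opcode_map(build_seed)
    return run_vm(virtualize(f_program(x), opcode_map), opcode_map)


if __name__ == "__main__":
    for seed in (1, 2):
        m = make_opcode_map(seed)
        print(f"build {seed}: bytecode {virtualize(f_program(5), m).hex()} -> {protected_f(5, seed)}")
```

Two builds print different hex for the same program yet both return 115 for x = 5, which is the whole trick: the semantics live in the handler table, not the bytes. Unpacking such a thing is the reverse of `make_opcode_map`: read each handler, work out what it does, and rebuild the mapping until the bytecode can be lifted back to ordinary code.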

Apathy and Arsenic - Attacus (@attacus_au)

  • Had a really solid comparison between the historical use of arsenic trioxide (aka. inheritance powder) and the privacy issues that we’re facing today.
  • Both are convenient, cheap, and produce some nice outcomes
    • Arsenic was a cheap ingredient in particular colouring pigments, as a pesticide, and in cosmetics.
    • Privacy-hostile tools/services are free*, are widely used, and provide services that people enjoy using.
  • Both disproportionately affect[ed] people who are already disadvantaged.
    • Arsenic was used in cheap wallpaper for colouring
    • The few privacy-conscious-ish devices/tools that don’t require a ponytail to operate are somewhat pricey (iPhone is the only example I can think of…)
  • Both seem[ed] difficult to get people to care about
    • People are indifferent because:
      • “I’ve got nothing to hide!”
      • “I’m never going to be a target of things like that.”
  • How do we fight “peak indifference” (aka. “When the most people give the least fucks”)?
    • Awareness
      • Attempt to bring privacy education to the masses
    • Resistance
      • Campaign for better laws
      • Fact-check corporate spin/bullshit
    • Accessible alternatives
      • Even if these start out pricey, they will trickle down.
    • Time/patience
      • Keep informing, even if it seems like things aren’t changing
      • Accept that not everyone will be on-board, but do your best to make things better for them anyway.
  • Don’t be afraid to care about things that are important, even if it makes you “uncool”.

Introducing “moriarty”, a smart contract audit tool - Caleb Anderson

  • Created a tool that symbolically executes Ethereum smart contracts in order to find money-making vulnerabilities
  • Explores every execution path of a contract, keeping the variables that matter symbolic rather than concrete
  • Bugs in smart contracts can cost a lot of money
  • $741M USD of Eth was taken through a smart contract vuln in the DAO, a “reentrancy attack”: the contract sent funds before updating the caller’s balance, so the recipient could call straight back in and withdraw again.
  • The tool is able to check for money-making vulns, and even create a PoC exploit automatically
  • Not being released to the public, but suggested he is likely to provide it to individuals who ask nicely.
  • This one included a good amount of math-ey stuff that I didn’t understand very well, hence the heavily summarised version.
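The reentrancy pattern itself is simple enough to show without any of the maths. The model below is added example code, not moriarty and not Solidity: it does no symbolic execution, it just runs the two possible orderings of “send” and “update balance” in plain Python. `Vault`, `Attacker` and `simulate` are invented names, and the deposits are constructed inputs.

```python
"""Constructed model of the reentrancy bug class behind the DAO drain.
Added example: not moriarty's code and not a real contract; names and
amounts are invented for illustration."""


class Vault:
    """A contract holding deposits. withdraw_vulnerable makes the external call
    before it zeroes the caller's balance; withdraw_safe follows the
    checks-effects-interactions order."""

    def __init__(self):
        self.balances = {}
        self.ether = 0          # ether actually held by the contract

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.ether += amount

    def _send(self, account, amount):
        """Transfer to `account`; a contract recipient runs its fallback (receive)."""
        if amount > self.ether:
            raise RuntimeError("insufficient contract balance (call would revert)")
        self.ether -= amount
        if hasattr(account, "receive"):
            account.receive(amount)

    def withdraw_vulnerable(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0:
            return
        self._send(account, amount)      # interaction first: re-entry lands here
        self.balances[account] = 0       # effect last: too late

    def withdraw_safe(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0:
            return
        self.balances[account] = 0       # effect before interaction
        self._send(account, amount)


class Attacker:
    """Malicious contract whose fallback calls withdraw again while the vault's
    accounting still shows its original balance."""

    def __init__(self, vault, withdraw):
        self.vault, self.withdraw, self.stolen = vault, withdraw, 0

    def receive(self, amount):
        self.stolen += amount
        # Keep re-entering while the vault can still pay what it thinks we own.
        if 0 < self.vault.balances.get(self, 0) <= self.vault.ether:
            self.withdraw(self.vault, self)


def simulate(withdraw):
    """Honest users deposit 10 in total, the attacker 1; return (stolen, left in vault)."""
    vault = Vault()
    for honest, amount in (("alice", 6), ("bob", 4)):
        vault.deposit(honest, amount)
    attacker = Attacker(vault, withdraw)
    vault.deposit(attacker, 1)
    withdraw(vault, attacker)
    return attacker.stolen, vault.ether


if __name__ == "__main__":
    print("vulnerable ordering:", simulate(Vault.withdraw_vulnerable))   # attacker drains all 11
    print("safe ordering:     ", simulate(Vault.withdraw_safe))         # attacker gets its own 1
```

With the vulnerable ordering the attacker’s one unit of deposit pays out eleven times, because every re-entry sees the un-zeroed balance and the vault still has ether to send. Zeroing the balance before the call makes the second withdrawal a no-op; a reentrancy guard (a mutex around the withdraw path) is the other standard fix. A symbolic tool like the one in the talk finds this by following the path where the external call re-enters `withdraw` and checking whether the contract’s balance can end lower than the caller’s entitlement.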

Feeding the Beast: Network Insurgency - Parks (@syngularity0)

  • Related red teaming to the .mil F3EAD methodology (Find, Fix, Finish, Exploit, Analyze, Disseminate)
  • Reinforced that recon/enumeration is key.

Lessons from game consoles and the coming security apocalypse - Boyd Multerer

  • Boyd worked on the Xbox team at Microsoft until recently
  • He and his team were faced with the problems of trying to secure a system where the owners of the system were actively working against you in order to try and cheat or get free games.
  • You can’t trust local storage, buses, drives, registers, memory or caches: all of them can be eavesdropped on or manipulated by someone with physical access and enough money/time.
    • An attack that costs a lot to develop can be funded by selling it as a product once it’s complete.
    • e.g. Xbox 360 Reset Glitch Hack
  • You need to assume that memory is compromised and that all data traversing buses has been leaked.
  • Every driver is an attack vector
  • Believes security logic should move out of the CPU and into FPGAs, which need to be on the same die as the CPU (because we can’t trust buses)
    • Make it so that you need to physically destroy the chip to get the secrets out.
  • Should move from monolithic kernels -> microkernels
    • All drivers run in user mode instead of kernel mode.
    • Isolate as much 3rd party code as possible.
  • Is currently working on IoT device security at kry10, and thinks that the above findings will also apply to IoT devices.

Living Without the Land - AD Attacks from Linux - @mubix

  • “Living off the land” has been a trend for some time now
    • Effectively means using what’s already on the box (offensive PowerShell in particular) to get your dirty hacker stuff done in a Windows environment.
    • Is getting more detectable and less attractive because of its prevalence, and new (PowerShell 5/Windows 10) protections and logging.
  • Created a Ruby msf/SET-like tool that can query or modify AD from a non-domain-joined Linux/Mac/Windows machine
  • LDAP-WAT (to be released shortly…)
    • LDAP Windows Attack Toolkit
    • Modular
  • The coolest thing I saw in this talk was the following:
    • Any AD user, by default, can join a Windows computer to a domain, using the SeMachineAccountPrivilege (the “Add workstations to domain” right, granted to Authenticated Users by default and capped by ms-DS-MachineAccountQuota, which defaults to 10 machines per user)
    • Using @mubix’s LDAP-WAT, you, any standard AD user, can join a machine, and tell AD that it should be a domain controller.
    • This means that you get a full copy of the directory, including the ability to pull any credential information using DCSync.
    • You get all of the AD account hashes, including krbtgt, the Kerberos ticket-granting-ticket account.
    • Effectively, from what I can tell, standard AD user -> domain admin privileges.
    • Epic.
    • Worth checking in your own domain: set ms-DS-MachineAccountQuota to 0, grant the join right only to a provisioning group, and alert on computer accounts created by non-admin users (security event 4741).

Ghosts in the Browser - Emmanuel Law @libnex and Claudio Contin @claudiocontin

  • Service workers are JavaScript code run in the background of the browser, registered by a web page, and are used for things like push notifications and background data retrieval.
  • Can be used as a temporary browser implant that intercepts every request the page makes (cookies and tokens included), if you are able to run JS in the page (XSS). The worker script itself has to be served from the same origin with a JavaScript MIME type, so you also need a same-origin resource whose contents you control.
  • Can persist even once the XSS has been fixed, because once the service worker is registered it keeps running in the browser until the site unregisters it (or its script URL starts returning 404/410 on the browser’s update check).

Mayday, Mayday, Mayday - Safe Harbour No More - Eliza @zemmiph0bia

  • Currently in the US, for the most part, a platform is not liable for content which its users submit
    • Section 230
  • FOSTA-SESTA is an exception to that.
    • FOSTA-SESTA (Fight Online Sex Trafficking Act/Stop Enabling Sex Traffickers Act)
    • Became US law in April ‘18
    • Removes a platform’s immunity for hosting content that facilitates sex trafficking
    • Sounds good, except that it doesn’t really distinguish trafficking from sex work (legal or not).
    • Is already having an impact on sex workers, who are being kicked off/shadowbanned from sites where they advertise their services (Twitter/Backpage/etc.).
  • Because the US hosts a large proportion of our online services/tech companies, this affects users that don’t live in the US, including places where sex work is accepted/legal.
  • This kind of idea is interesting to think about, that the power/problems of the US extend to other areas of the world due to the fact that lots of tech innovation occurs there.

DHCP is Hard - Felix Wilhelm

  • Spoke about a number of DHCP -> code execution bugs that he and others have found over the last two years
  • dnsmasq - CVE-2017-14493 (stack buffer overflow in its DHCPv6 handling)
  • ISC DHCP - CVE-2018-5733
    • dhclient is the default DHCP client on almost all mainstream Linux distributions
    • Exploit requires ~200GB of traffic to the DHCP client… not so useful
  • dhclient NetworkManager integration script (Red Hat) - CVE-2018-1111 - “dynoroot”
    • Root arbitrary command execution on the client from a specially formed DHCP response: the script handed option values to the shell without safe quoting, so a malicious DHCP server could put commands in an option value
  • Takeaways:
    • Backwards compatibility increases attack surface
    • DHCPv6 is enabled everywhere and increases attack surface, but not many people use it…
    • “Don’t write new network daemons in C”
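Two of the three bug classes above are easy to show in a few lines: a length byte that is trusted before it is checked, and an option value that reaches a shell unquoted. The code below is added example code (not the speaker’s, and not from any of the affected projects): a bounds-checked DHCPv4 option parser plus the quoting step a dhclient hook should apply before exporting a value. The packet bytes are constructed, the function names are invented, and the hostname payload is an illustrative injection string, not a reproduction of any real exploit.

```python
"""Added example: bounds-checked DHCPv4 option parsing and safe quoting of
option values for a shell hook. Constructed packets; invented function names."""
import shlex

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that starts the options field
FIXED_HEADER = 236                    # op..file fields that precede the cookie
OPT_PAD, OPT_END = 0, 255


def parse_options(packet):
    """Return {code: [value, ...]} for a DHCPv4 packet's options field.
    Every length byte is checked against the remaining buffer before it is
    used as an offset; that is the check a C parser must get right by hand
    for every option, and the kind of check that was missing in the bugs above."""
    if len(packet) < FIXED_HEADER + 4 or packet[FIXED_HEADER:FIXED_HEADER + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 packet")
    opts, i = {}, FIXED_HEADER + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError(f"option {code}: length byte missing")
        length = packet[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(packet):
            raise ValueError(f"option {code}: length {length} runs past end of packet")
        opts.setdefault(code, []).append(bytes(packet[start:end]))
        i = end
    raise ValueError("options field ended without END")


def rejects(packet):
    """True if parse_options refuses the packet (used to check malformed input)."""
    try:
        parse_options(packet)
    except ValueError:
        return True
    return False


def shell_assignment(name, value):
    """What a client hook should emit for an option it hands to the shell: the
    value is quoted as a single word, so quotes and metacharacters inside it
    stay data. Interpolating the raw value is the bug class behind dynoroot."""
    return f"{name}={shlex.quote(value.decode('latin-1'))}"


def build_packet(options):
    """Constructed DHCPv4 packet: zeroed fixed header, cookie, options, END."""
    body = bytearray(FIXED_HEADER) + MAGIC_COOKIE
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return bytes(body + bytes([OPT_END]))


if __name__ == "__main__":
    # Constructed OFFER carrying a hostname (option 12) with a quote in it.
    pkt = build_packet([(53, b"\x02"), (12, b"x'&& id #")])
    opts = parse_options(pkt)
    print(opts)
    print(shell_assignment("new_host_name", opts[12][0]))
    # Same packet, but option 12 now claims 200 bytes and supplies 3.
    truncated = build_packet([(53, b"\x02")])[:-1] + b"\x0c\xc8abc"
    print("truncated option rejected:", rejects(truncated))
```

The parser refuses the truncated option instead of reading 197 bytes past the end of the buffer, and `shell_assignment` turns the hostname into `new_host_name='x'"'"'&& id #'`, a single shell word no matter what the DHCP server put in it. Neither check is exotic; the talk’s point is that in a C daemon with decades of option-handling code and a shell hook bolted on the side, each of them has to be present at every one of the many places the data passes through.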

Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale - Moloch @littlejoetables and Mandatory @iammandatory

  • Burp Intruder is a tool to send a large number of customised HTTP requests quickly and present the results in an easy-to-read manner.
    • Can be used to brute force logins or identifiers, or to fuzz web applications
    • Is limited by your own machine, your bandwidth and the target’s rate limiting
    • lambda-intruder lets you do the same thing extremely quickly (enough to DoS many servers without realising it…) and cheaply using Amazon services.
  • Rainbow tables are pre-computed hash chains, used as an alternative to brute forcing (“cracking”) password hashes
    • Rainbow tables are big (TBs and TBs)…
    • Google BigQuery and similar cloud services can help…
    • big-rainbow
  • GPU password cracking is useful and pretty fast, but generates a lot of heat and tends to cost a lot of money in GPUs, especially if you want to do it super fast
    • AWS comes in handy again…
    • masscat is a tool that uses Amazon services to spin up servers/lambdas/spot instances with big GPU power to perform your password cracking quickly and cheaply…

Securing a World of Physically Capable Computers - Bruce Schneier

  • Spoke about how the increasing complexity of computer systems increases their vulnerability
  • Computer systems are not just our computers, but our TVs, fridges, phones, DVRs, etc.
  • All of these are getting more and more vulnerable, and we need to make changes to stop this.
  • The free market does not care about security, because consumers do not care
  • I got lost taking notes at this point, thinking about what he was talking about, and instead took a horrible quality audio recording of the remainder, which I’ve linked here.

If you’re around, and you recognise me (I’m wearing a black tshirt and sunglasses…), say hi!

XORcat