Kawaiicon 2019 Day One

Awesome intro, out with the old, in with the new

Runa Sandvik, look ma we are here

@runasand

  • Tor and secure drop contributor
  • Hacked a sniper rifle
  • Works at NYT
  • the industry was “PoC or GTFO”
  • narrator: but she didn’t
  • and that’s ok
  • if you believe there’s a gap and a skill set, you can create your own niche, job, industry
  • what are you up to?

Peter firman - automotive security

  • grab slides
  • some of those aren’t even protocols, they’re vulnerabilities with wire formats
  • exciting and safe… not how you expect
  • “trust” is more like “forced on you” in the IT industry
  • faults and errors are OK, they happen and can be mitigated - they have to escape mitigations to be a problem
  • Dependability is key
  • fault mitigation in crypto - it either works or just burns and you don’t know where you are
  • Timing predictions can be filed in “fiction”
  • you can restart a 1996 Toyota ECU at 180kph and you only see an ignition ping miss
  • Restarting every day is valid mitigation, try that with a web server
  • US allows self cert, no one else does
  • Outside the US, you can’t change it once it’s approved
  • Tesla OTA brake updates were… fun?
  • new design: Linux. Buy a train pass?
  • software security in the presence of faults talk
  • why would hackers care? Where’s the money?
  • autobahn firmware updates? Oh nose

endpoint security selection

Missed this one

Courtney Eckhardt - The mechanics of being good to each other

@hashoctothorpe

https://kawaiicon.org/talks/good-to-each-other

  • hydrodemolition to resurface the bridge, high pressure water to strip it
  • Too nasty to let drain into the lake
  • You can’t store water in piles, the bridge is hollow
  • … accessed by cutting holes into the pontoons
  • During thanksgiving weekend
  • typically Monitored so they aren’t over full
  • Shit is more likely to break when you’re fucking with it
  • expensive modelling and study found that pontoons don’t float while they’re full of water
  • the bridge had cracks, the load twisted the pontoons, because they couldn’t keep up
  • asking questions and documenting why is important, doubly so when it goes wrong, for the future
  • if I couldn’t swear, I couldn’t run incidents
  • Don’t swear at people or about the things they build
  • millers law - assume it’s true and imagine what it could be true of, to understand another’s descriptions
  • English is a pretty blame-y language
  • Starting a sentence with “you” draws a line between you and the person
  • Why is also blame-y
  • always, never, every time, should just only - are bad
  • why didn’t you just fix it last time
    • so. Many. Assumptions.
  • how, what, what if, (photo more)
  • contributing factor analysis - find all the reasons, there’s rarely one
  • human error is never a root cause, it’s a symptom
  • enjoy your meeting
  • Have an agenda
  • Play nice
  • Stay on topic and time
  • don’t tune out - interactions and comments provide insight
  • Try and get a different scribe or rotate, it takes a lot of analysis brain
  • ensure everyone can speak, look for the shy/quiet
  • wait. Wait more. Let people get their thoughts together
  • Take humour out, it’s a bad time
  • Some jokes are ok (photos)
  • lighten the mood with kindness
  • if you mess up, apologise and move on
  • don’t be witty, no one wins a retro
  • “please don’t make jokes like that here” and move on
  • conways law is so true
  • in 2019 we don’t need more reasons to push away allies

Gargoyle hunting: Detecting ‘Gargoyle’ code-hiding via automated Windows kernel analysis

  • when threat hunters run out of time he gets the things
  • Back in the day, viruses would write to disk
  • then moved to memory
  • gargoyle hides in non-executable memory
  • only gets put into live memory periodically
  • no executable code in itself
  • Uses system methods
  • ROP, stack pivot… blockchain

detection

  • Super hard to get state, especially from userland
  • volatility plugin! Timers dumps timers
  • hunting automation should be objective. Don’t say x bad thing happened, but provide the observables
  • unicorn-engine.org - emulates CPUs
  • @alizthehax0r
  • hilariously endearing

lunch announcement

Code brown : don’t interact with the sewerage

online voting - from bad idea to poor execution

Dr Chris Culnane, unimelb

  • Secrecy
  • Integrity
  • Verifiability
  • Availability
  • A is dominating the decision making process, because media exposure
  • Two methods for voting and security, remote and supervised
  • internet voting lowers democratic equality, digital security takes money
  • Postal vote hacking takes a mass conspiracy
  • Internet, one bad actor can do it, possibly
  • coercion is an issue - household/carers etc is a problem
  • Pushes for the change
    • claimed increase in turnout doesn’t actually play out
    • “postal fraud” - incredibly unlikely
    • “end of the postal system” - alongside the paperless toilet
    • “cost savings” - massive upfront cost
  • Australian Internet voting, NSW and WA… owned by Scytl, no one knows who owns it and it’s kept super secret
  • PWC report about NSW voting system was super vague (photo)
  • WA voting went through incapsula, persistent cookie, shared certificate
  • Backend server was still open and located in NSW
  • partial / half completed votes were protected poorly and brute-forceable
  • “we trust incapsula” - WA and NZ…. awkward
  • 2019 NSW, audit report was pretty damning
  • bad decisions
  • Expert advice is being ignored and they are being attacked on a personal level
  • Rookie mistakes
  • @chrisculnane

black swans: how to prepare for the unexpected

  • @vashta_nerdrada
  • Wade Winright
  • thinks he’s DeadResourcePool man, looks like old man Logan
  • 💩 ☂️
  • threat model this: turkey, cat, dog
  • challenge assumptions when threat modelling
  • attackers have budgets and bosses
  • expect the unexpected, kernel bugs, crypto fail etc
  • black swan - originally impossible but a ditch guy found one in WA in the 16th century
  • Black swan - only explainable after the fact
  • silent evidence, the turkey’s lived for eleven months and life has been great
  • A black swan only happens if you don’t know about it. Other people do - Snowden
  • titanic captain never saw a ship in distress (quote photo)
  • black swans are unknown unknowns. You can’t predict them.
  • complexity++ == fragility++
  • PaaS == RCE as a service
  • turns out it was a Russian researcher, Postgres bug.
  • need continuous assurance
  • Spend your 85% well, then the other 15% is crazy town
  • default in and out limit Comms
  • validate your beliefs
  • (photos)
  • ephemeral all the things
  • HSMs are better than not having them, because if you make it there, it’s already game over. Layers. Like ogres
  • priv esc alerts
  • Secret detection on checkin
  • Feedback to engineers
  • supply chain verification - libs, source, builds, CI/CD
  • botb, pipeline test (photo)
  • any sufficiently is sufficiently insecure until acted on by an outside force
  • Fine grained permission
  • per thread permissions
  • Dropping capabilities is good
  • Seccomp allows for removing system calls
  • Kernel priv checks
  • meet the engineers where they work, go to them.
  • recap (photo)
  • how often is CI/CD pipeline rebuilt?
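The “secret detection on checkin” and “supply chain verification” points above are the kind of control the talk lists without showing. The following is an added example, not code from the talk, the speaker or any tool: a small pre-commit style scanner that walks the added lines of a diff and flags private key headers, AWS-style access key IDs, quoted literals assigned to password/secret/token names, and long high-entropy literals, with an inline allowlist marker so known test fixtures can be excluded. The diff, the entropy threshold and the `pragma: allowlist secret` marker are constructed for the demo.

```python
"""Pre-commit secret scanner over the added lines of a diff.

Added illustration only; the sample diff below is constructed, not taken from
any real repository.
"""
import math
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # line number within the diff text, 1-based
    rule: str
    excerpt: str


# Each rule: (name, compiled pattern).  Keyword rule deliberately has no \b
# before the keyword so DB_PASSWORD = "..." still matches.
RULES = [
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("keyword-assignment", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]")),
]
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ALLOWLIST_MARK = "pragma: allowlist secret"   # constructed convention for fixtures
ENTROPY_THRESHOLD = 3.5                         # bits per character; tuned for the demo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0.0 for a single repeated symbol)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_added_lines(diff_text: str) -> list:
    """Return Findings for every added ('+') line that trips a rule."""
    findings = []
    for n, raw in enumerate(diff_text.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue                      # only newly added content matters
        line = raw[1:]
        if ALLOWLIST_MARK in line:
            continue                      # explicitly acknowledged fixture
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(n, name, line.strip()[:60]))
        for m in QUOTED_LITERAL.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(n, "high-entropy-string", line.strip()[:60]))
    return findings


def check_commit(diff_text: str) -> int:
    """Exit status for a hook: 0 when clean, 1 when anything was flagged."""
    return 1 if scan_added_lines(diff_text) else 0


# Constructed sample diff.  AKIAIOSFODNN7EXAMPLE is the documented AWS example key.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+DB_PASSWORD = "hunter2-prod-2019"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+SESSION_SALT = "q8Zk3vR1mL0pXs7dYbN2wH5jC4tF9gA6"
+-----BEGIN RSA PRIVATE KEY-----
+TOKEN = os.environ["API_TOKEN"]
+TEST_FIXTURE_KEY = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret
+DEBUG = True
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in scan_added_lines(text):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
    sys.exit(check_commit(text))
```

Reading a token from the environment (line 6 of the sample) is not flagged, which is the behaviour you want from a hook: it should push engineers toward that pattern rather than nag about it, which is the “feedback to engineers” point.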

APIC fail

Oliver ERNW

  • ACI vulnerability assessment
  • So. Many. Root. Processes.

vuln #1 - connect to management interface, see two ssh daemons

  • second one is open on IPv6
  • Key auth, one key for all systems, private and public keys are on every box
  • firewall… which is open to source port
  • locked down shell, but vulnerable
  • path traversal :(
  • allows file writing

cron takes file content and runs it

  • has filters but poorly, they used $()
  • he invoked the demo gods
  • worked great, root!
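Two of the defects in vuln #1 (a file write that allows path traversal, and a cron job that feeds file content through a shell with a weak text filter) come down to missing checks. The following is an added illustration, not code from the talk or from the product under discussion: a write handler that confines every requested path to one directory, and a job runner that parses a configured command line into argv and refuses to use a shell, so `$()` is a literal argument rather than something to filter. The directory layout, sample paths and program allowlist are constructed for the demo.

```python
"""Path confinement and shell-free job execution.

Added illustration only; nothing here is taken from the product in the notes.
"""
import os
import shlex
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the permitted directory."""


def confine(base: Path, relative: str) -> Path:
    """Resolve `relative` under `base` and refuse anything that escapes it.

    resolve() normalises `..` segments and follows symlinks, so a symlink inside
    `base` that points elsewhere is rejected along with a plain `../`.
    """
    if not relative:
        raise PathTraversalError("empty path")
    if os.path.isabs(relative):
        # os.path.join() silently discards `base` for an absolute input.
        raise PathTraversalError(f"absolute path not allowed: {relative!r}")
    base = base.resolve()
    candidate = (base / relative).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"escapes {base}: {relative!r}")
    return candidate


def write_confined(base: Path, relative: str, data: bytes) -> Path:
    """Write only to paths that confine() accepts."""
    target = confine(base, relative)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def classify(base: Path, requested) -> dict:
    """Map each requested path to 'ok' or 'rejected' (used by the demo and tests)."""
    out = {}
    for rel in requested:
        try:
            confine(base, rel)
            out[rel] = "ok"
        except PathTraversalError:
            out[rel] = "rejected"
    return out


# Constructed sample inputs: everything a naive os.path.join(base, user_input) accepts.
SAMPLE_PATHS = [
    "logs/today.txt",        # inside base
    "a/../b.txt",            # normalises to base/b.txt, still inside
    "../outside.txt",        # one level up
    "x/../../outside.txt",   # up via a nested directory
    "/etc/hostname",         # absolute: join() would drop base entirely
    "",                      # empty name
]


def run_path_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        inputs = list(SAMPLE_PATHS)
        try:
            (base / "escape").symlink_to(Path(tmp))   # symlink pointing outside base
            inputs.append("escape/other.txt")
        except OSError:
            pass  # symlinks unavailable on this platform; skip that case
        return classify(base, inputs)


# The cron side.  Stripping "$(" from text is not a fix: run without a shell so
# no substitution exists, and only allow known programs.
ALLOWED_PROGRAMS = {"logrotate", "du"}   # constructed allowlist


def plan_job(line: str) -> list:
    """Turn one configured job line into argv for subprocess.run(argv, shell=False).

    Without a shell, text such as $(...) reaches the program as a literal
    argument.  Returns argv instead of executing so the function has no side effects.
    """
    argv = shlex.split(line)
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise PermissionError(f"program not allowed: {argv[:1]}")
    return argv


if __name__ == "__main__":
    for path, verdict in run_path_demo().items():
        print(f"{verdict:8} {path!r}")
    print(plan_job("du -sh /var/log"))
```

The allowlist is the part that matters most: once the shell is gone, the remaining risk is which programs a configuration file may name at all, and that is a policy decision rather than a filtering problem.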

vuln 2 - APIC and Switch do discoverable interactions to talk to each other.

  • no authentication.
  • switch announces the required info
  • photo - pops management open
  • chain with previous one, get root

vuln 3 - LLDP

  • custom LLDP types and subtypes
  • buffer overflow, pop
  • what is fgrep?
  • 2-20 minute reboot time, if you miss on a brute force
  • it’s noisy but you can do what you want

They’ve fixed some of these things but … attack surface is massive

(Not) hacking your biology

  • Dr Sophia Frentz
  • a genome is the first draft of a screen play of your life
  • Maori people came out as Mexican 9/10 because of terrible data on small populations
  • “how gay are you” on gene plaza
  • identifying personal genomes by surname inference
  • is it possible to provide meaningful informed consent about genetic data, because even the researchers don’t know what they’ll be able to infer
  • https://www.mincingmockingbird.com/products/risk-postcards-set-of-12-troubled-birds
  • German researchers pulled Australian medical data without much effort
  • Social problems make technical issues worse - paperwork delays, people. People? People.
  • security is hard but a culture is good
  • Yaniv Erlich - shouting from the balconies about it
  • Tell friends and family and harp on it

physical access control on Sesame Street

Matthew Daley

  • system design
  • I lost access to my slides, guess why
  • Gallagher contolrollagher
  • previously was called cardax
  • Gallagher t20 - big boi
  • the rest, long boi, wide boi
  • Squiggle is the indicator
  • Dave Dave Dave (photo)
  • breathalyser module
  • “i miss you, laptop”
  • proxmark FTW
  • https://proxmark.com/proxmark-3-hardware/proxmark-3-rdv4
  • mifare has a shared secret
  • “is that correct? … moving on”
  • mifare card encryption details (photo)
  • not difficult to infer
  • mifare desfire is the current state of the art
  • Cards have applications and keys and files, possible to have one card for everything
  • “I won’t tell you the key or how to get it because I don’t want to be thrown in a room as a frazzle tester”
  • epic brute force attack by replacing the reader, or putting a Bluetooth Arduino thing behind the reader
  • long range readers can lower each other within … a short distance. A scary amount of power
  • “bigger is better” (photo) antenna 3m range
  • developed a method for identifying tech and non-default key
  • 1/95 doesn’t use non-default key
  • Laptop confiscated by the NZ police. Awkward
  • Gallagher security health check, default thing
  • hardening guides
  • what is i2p?
  • Tom Moore Moore info sec, his boss

securing people who don’t look like you

  • Safestack.io
  • Jessie Irwin has a gang of old ladies
  • Rose is 78 and loves doing things on the Internet and she’s scary
  • Standard advice couldn’t be applied because she’s… not us.
  • old people, lol.
  • should we let them be on the internet? Of course.
  • age concern recipe for life (photo) - where do you find your things
  • diagnostic frameworks for daily living (photo) - paper based frameworks for ascertaining daily life capability
  • instrumental activities of digital living (photo)
  • what do we mean by independent
  • online assessment link (photo)
  • power of Digital attorney
  • socialise and improve plans
  • referred back to purplecon y’all
  • such a good summary of


#conferences #security #fun #new zealand #kawaiicon