Kawaiicon 2019 Day Two

Tesla cool guy

  • Pretty fun, IGBTs for control, export controls etc
  • Hilarity ensues

finding a poisonous seed

  • @negarshbb
  • @noushinshbb
  • trust and supply chain attacks on developers

malware examples

  • induc
  • Xcodeghost
  • ShadowPad
  • Something else? Tuned out
  • ccleaner

first do no harm

  • news stories
  • Izzi, CertNZ
  • everyone influences news, by advertising or providing stories and so forth
    • paid placements
    • Experts… “experts”
    • influence & influencers
  • journalism has a critical role in society, considering things and context
  • teach and learn, engage with the communicators. Media teams don’t know tech
  • we need to engage in a way that doesn’t just show how smart we are, or how scary it is
  • tell stories about cred dumps, not MFA and artisanal firewalls

level one

  • become a critical reader of the media
    • who’s pushing it
    • Why now
    • Who’s on stage
  • help people you like with things

level two

  • engage with the Comms team
  • Build relationships with them
  • Use them to tell stories
  • Broaden your influence, take every opportunity to drive change
  • Myth bust rather than eye roll

level three

  • talk to your boss before this!
  • be a source of truth (answer questions, provide info)
  • correct mistakes in public media stories
  • Make yourself available to media
  • hire Comms people

sparkle talks!

fingerprinting encrypted traffic

Uncrackable lockbox

  • algomachines.com u/cryptocomicon
  • Timelock custom encryption
  • Posts on reddit with challenges

1

  • decompile, follow paths
  • patched binary, win
  • new version 2
  • encoding, not encryption
  • popped 3
  • Sybil attack (malicious nodes)
  • force the machine to connect to local fake nodes
  • dnsseed.bluematt.me
  • Fake DNS server with python (basedns.py)
  • patch the binary, redirect it to the fake nodes 4
  • dev Hard coded a bunch of things
  • deterministic cipher
  • xor twice and lol 5
  • updates crypto
  • … by adding more
  • And reusing the old one
  • … and a new one was another symmetric deterministic one
  • Popped.
  • ubunchu manga
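The "deterministic cipher / xor twice" failure the notes describe, as an added illustration: a toy repeating-key XOR stands in for the challenge's cipher (constructed example code, not the lockbox's real scheme), showing why the result is an encoding rather than encryption.

```python
# Constructed example: a repeating-key XOR "cipher" like the one the notes mock.
# Not the lockbox's actual code; key and messages below are made up.
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def double_xor(data: bytes, key: bytes) -> bytes:
    """'Hardening' by applying the same XOR twice: the second pass undoes the first."""
    return xor_cipher(xor_cipher(data, key), key)

def recover_key(known_plain: bytes, known_cipher: bytes, key_len: int) -> bytes:
    """One known plaintext/ciphertext pair of >= key_len bytes yields the whole key,
    because ciphertext XOR plaintext is exactly the keystream."""
    return xor_cipher(known_plain[:key_len], known_cipher[:key_len])

KEY = b"s3cret"                      # constructed sample key
MSG = b"unlock code 4411"           # constructed sample message

def demo() -> dict:
    """Return the three properties that make this an encoding, not encryption."""
    c1 = xor_cipher(MSG, KEY)
    c2 = xor_cipher(MSG, KEY)        # deterministic: no nonce, no randomness
    key = recover_key(MSG, c1, len(KEY))
    return {
        "equal_plaintexts_give_equal_ciphertexts": c1 == c2,
        "xor_twice_is_plaintext": double_xor(MSG, KEY) == MSG,
        "key_recovered_from_one_known_pair": key == KEY,
        # with the key back, every other message under it is readable
        "other_message_readable": xor_cipher(xor_cipher(b"next challenge", KEY), key)
        == b"next challenge",
    }

if __name__ == "__main__":
    for prop, holds in demo().items():
        print(f"{prop}: {holds}")
```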

the call is coming from in the house

  • Michelle Burke
  • @smrtgirl
  • I’m awesome and I’m sorry if I frighten you
  • by 2020, 1.7MB per person on earth every second
  • So. Much. Data.
  • privacy act. Do you collect it for a reason?
  • GDPR, yo.
  • so many different providers for data analysis
  • 3fun dating website for threesomes
  • filters on client side, rather than server side
  • all the data was public s3 buckets again
  • doctorow quote (photo)
  • big data isn’t 1’s and 0’s, it’s people

decrypt everything everywhere

  • Birk and Dennis
  • Lots of popping appliances
  • 2019, Thales/Vormetric
  • “holy grail of cloud encryption”
  • HSM, key, transparent encryption etc
  • Holds all the keys, is the gateway for encrypted data
  • live demo…!

vuln 1

  • cli is … not escaping well
  • ip network namespace exec… as root
  • no ASLR
  • fuzzing etc
  • Frida binary instrumentation tool - stalker
  • Follows execution paths
  • radamsa randomizer

unauth RCE - parsing SSH logs for things

  • command injection

priv esc

  • scripted remote things
  • “root shell isn’t possible”

Super self-service: hacking kiosks using barcodes

  • multiple modes
  • Generally configured by… scanning barcodes
  • bad hacker, no biscuit
  • win+r cmd, enter
  • gh/lateralsecurity/barsploit

a hacking tale

  • Shahn Harris
  • equifax staff found out from the news
  • Not ideal
  • “how secure are we…?”
  • his boss had 282 client meetings in a few weeks
  • security is very different in a post-breach environment
  • Make sure everyone uses the same project methodology
  • What works in one country doesn’t always work for another
  • stress ramps up for people who know where the bodies are
  • two people hospitalised

liar liar first timer red teaming

  • l0ss
  • @mikeloss
  • Asterisk
  • “red team”
  • one confluence site, deface with apolitical message and… stop?
  • business hours, and you can’t lie
  • if they ask for dumb or impossible, figure out what they actually need
  • lessons
  • A couple of IED looking things
  • Don’t bring extra crap
  • half the truth is often a great lie - Benjamin Franklin
  • thinks he’s busted, some guy is doing his yearly cyber security training
  • went back a year later, popped them hard
  • ASCII powershell rick Astley
  • Hilarity ensued
  • escalated endlessly

scooter hacking

Matthew Garrett

  • actual crimes?
  • I got lucky not smart
  • I’m bad at giving up
  • OpenOCD - debugging platform
  • Dump firmware
  • Strings, win
  • Ghidra
  • does it work? Yes. Well. No. I can steal a scooter for two minutes
  • oelinux123 is the root password lol
  • scooters push their serial over their Bluetooth stack

k-Rail k8s management

  • Frenchie and Dustin
  • @nfFrenchie
  • k-rail
  • getcruise.com
  • nerd + deployment -> kube-apiserver
  • Authenticated (attackers|idiots)
  • k8s is a declarative state machine
  • is also the Death Star
  • mounting the docker socket is basically root
  • GKE does metadata concealment but only if you do it right… and not always
  • auto exploit GitHub/bgeesaman
  • existing tooling is prescriptive and inexplicable.
  • doesn’t act at a high level
  • k-rail (photo)
  • immediate feedback
  • helm tiller is a great way to pwn yourself
  • 18k pods, 29 violations, cleaned down to 15 exceptions
  • “it’s now open source”
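The kind of pod policy k-rail enforces (docker socket mounts, host namespaces, privileged containers, with recorded exceptions), as an added example in hypothetical code that is not k-rail's own implementation; it takes a pod manifest as the dict an admission webhook or `kubectl -o json` would hand over.

```python
# Hypothetical admission-style checker, not k-rail's code. Sample manifests are constructed.
DOCKER_SOCKET = "/var/run/docker.sock"

def exposes_docker_socket(host_path: str) -> bool:
    """True if a hostPath mount reaches the docker socket (the socket itself, or any
    parent directory such as /var/run or /). Driving dockerd from a pod is node root."""
    p = host_path.rstrip("/")
    return p == "" or p == DOCKER_SOCKET or DOCKER_SOCKET.startswith(p + "/")

def check_pod(pod: dict, exempt_namespaces=frozenset()) -> list:
    """Return policy violations (strings) for one pod manifest; [] means allowed."""
    meta = pod.get("metadata", {})
    ns = meta.get("namespace", "default")
    if ns in exempt_namespaces:          # an explicit, reviewed exception
        return []
    spec = pod.get("spec", {})
    who = f"{ns}/{meta.get('name', '?')}"
    out = []
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and exposes_docker_socket(path):
            out.append(f"{who}: volume {vol.get('name')} mounts {path} (docker socket reachable)")
    if spec.get("hostPID") or spec.get("hostNetwork"):
        out.append(f"{who}: shares host PID or network namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            out.append(f"{who}: container {c.get('name')} is privileged")
    return out

# Constructed sample manifests (not from any real cluster).
BAD_POD = {
    "metadata": {"name": "ci-runner", "namespace": "build"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/"}}],
        "containers": [{"name": "runner", "image": "example/runner",
                        "securityContext": {"privileged": True}}],
    },
}
GOOD_POD = {
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}],
             "containers": [{"name": "web", "image": "example/web"}]},
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "ok")
```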

the power of Poseidon

Charlie Lewis

  • gh/cglewis
  • gh/cyberreboot/poseidon
  • Three main questions
    • What’s in my network and why
    • What is it doing
    • Do we care?
  • SDN + Machine Learning
  • Faucet is an NZ OpenFlow v1.3 controller
  • faucet.nz
  • check out lazydocker, shell
  • p0f
  • management interface
  • invoking the docker compose demo gods
  • so much open source (photo)
  • the demo failed but not terribly

meat and three segfault

  • DoI
  • Hacking super neat boy
  • why? Fun. Skills
  • live bugs
  • strace the game
  • don’t push 0-day to your steam cache…
  • mysql server on the internet
  • pytm- threat modelling
  • Ristretto? PDF maybe
  • gdb break mysql_real_connect
  • smb_editor_user / editor (photo)
  • radare2 + cutter + fuzzy lopp fuzzer
  • DynamoRIO instrumentation
  • fast fuzzer much better
  • Resin helped him be a better man
  • try the dumb stuff!
  • take good notes
  • Tools: a bunch of software
  • More tools: going for a smoko

ending comments

  • Chuurrrrrr
  • Box^3 - won by ozseccon
  • Hal.org.nz - learning environment from blue and red team sides


#conferences #security #fun #new zealand #kawaiicon