Domain: defcon.org
Stories and comments across the archive that link to defcon.org.
Comments · 168
-
Pffft Only one country?
At a defcon talk in 2014 (talk slides) they scanned the whole IPv4 space live, looking for VNC instances. At least, anything that responded to a SYN packet.
Then they took a couple months to connect to each VNC instance, if no password was required, grab a screen shot.
Leading to a series of talks of things that shouldn't be on the internet.
-
Re:Truth is evasive
Your solution to the elusiveness of human memory and perception is to throw your lot in with the panopticon? Really? Not that you're in favor of universal surveillance ... but you're willing to double down on a bad argument with it. Seriously? You have a very binary view of a world that actually runs through many shades of gray from black to white. Police body cameras are actually quite subjective. For one, the officer wearing them is responsible for starting recording. Department policy can dictate recording under a wide variety of circumstances, but at the end of the day, the officer must start recording. And can we even trust the data they produce as being untampered?
I didn't say there is no truth. That is a strawman of your design. I just said that subjective truth is much harder to nail down than objective truth, and most of our experience is run through the lens of subjective, not objective, reality. Humans are quite fragile in that way, and they will continue to be so far beyond our deaths, panopticon or not.
-
Re:Move away from Vegas then
Hotel is violating the code of conduct.
https://www.defcon.org/html/links/dc-code-of-conduct.html
Eject the employee, or leave the hotel.
-
Re:Honeypots
Ok. You go stand up an RTU simulator and feed it some data that is good enough to fake that there is actually a real SCADA system doing some processing behind it. You could also fake some ICCP links. The protocols you are interested in are ICCP, IEC104, DNPi, and a number of others. A good place to start is with this.
Also, you would be a fool to have that stuff hooked to the internet even behind a VPN, but then there are an awful lot of fools, which is why there are these problems. Even having them off the internet isn't enough; just ask the Iranians, as they will just build a better fool.
-
Here is the actual Defcon presentation
-
Re:Which ten browser extensions?
The presentation is available (as a 6.2MB PDF) from the Def Con Media server, along with all the other presentations, but it doesn't provide a list either. It does provide some useful insights into how they do it though, which should enable the more clueful to run their own tests. The only plug-in I could see that was mentioned was Web of Trust, but without the context of the talk it might only appear to be getting singled out for special attention. Generally speaking though, it appears that any extension that is validating URLs against a central source for whatever reason - just as WoT does - is a great source of data that can then be readily mined to provide a unique identity.
-
Re:Which 10 extensions?
Well, here's the actual presentation: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Svea-Eckert-Andreas-Dewes-Dark-Data.pdf
It appears they opted not to name the extensions.
Not so helpful.
-
Re:Which ten browser extensions?
The DefCon 25 Speaker List doesn't even mention a top 10 extension list.
Anyone attend the presentation?
-----
Dark Data
Friday at 15:00 in Track 3, 45 minutes
Svea Eckert NDR
Andreas Dewes PhD
A judge with preferences for hard core porn, a police officer investigating a cyber-crime, a politician ordering burn out medication - this kind of very personal and private information is on the market. It gets sold to whoever is willing to pay for it.
In a long time experiment, with the help of some social engineering techniques, we were able to get our hands on the most private data you can find on the internet. Click stream data of three million German citizens. They contain every URL they have looked at, every second, every hour, every day for 31 days. In our talk we will not only show how we got that data, but how you can de-anonymize it with some simple techniques.
This data is collected worldwide by big companies, whose legal purpose is to sell analytics and insights for marketers and businesses. In the shadow of Google and Facebook, companies have evolved, their names unknown to a broader public but making billions of dollars with your data. The new oil of the 20th century.
Our experiment shows in a drastic way what the youngest decision reversing the Broadband Privacy Rule means. What the consequences for everyday life could be, when ISPs are allowed to sell your browsing data. And why that piece of regulation from the FCC was so important regarding privacy and constitutional rights.
Svea Eckert
Svea Eckert works as a freelance journalist for Germany's main public service broadcaster "Das Erste" (ARD). She is researching and reporting investigative issues for the PrimeTime news shows and high quality documentaries. Her main focus lies on new technology: computer and network security, digital economics and data protection. Bigger projects and documentaries are for example "Superpower Wikileaks?" (ARD), "Facebook - Billion Dollar Business friendship" (ARD), her first book "Monitored and spied out: Prism, NSA, Facebook & Co" and in 2015 "Netwars" (ARD). Svea Eckert studied "Journalism and Communications" and Economics in Hamburg. She completed her journalistic training at NDR, Hamburg and Hannover.
Twitter: @sveckert
Website: www.sveaeckert.de
Andreas Dewes
Andreas Dewes is a trained physicist with a PhD in experimental quantum computing and a degree in quantitative economics. He has a passion for data analysis and software development. He has received numerous awards for his work on data analysis, and his work on data privacy and big data has been featured in the national and international press.
Twitter: @japh44
Github: adewes
-
Re:Link to the story
Two links that are ten times more informative:
http://boingboing.net/2016/08/...
https://www.defcon.org/html/de...
-
Re:I wonder...
That is a valid question, and often the case. In our case however we are 11 full time and another 6 or so part time people. We have a building, and locations in several states. You can, for example, look up our papers published by blackhat, defcon, etc. to see more than just what we post on our blog. Here is one of my old favorites: https://www.defcon.org/images/... I know at least one of the other companies, InGuardians, is roughly similar in size, and many of its people were foundational contributors to things such as SANS. Dell Secureworks is one of the pre-eminent security organizations in the world and are a very large group V.
-
Re:You get what you deserve for using comcast.
BTW, the presentation at BlackHat about serious flaws in ADT's security was pulled due to legal pressure from vendors: Two more talks pulled from Black Hat hacking conference
The paper, however, may be found here
-
Very much not new
Take a look back to Zac Franken's talk at Defcon 15 (August 2007), where he introduced the same types of tools: https://www.defcon.org/images/...
tl;dr you clip into the data lines of an RFID card reader and record the (plaintext) transactions, then you can later play them back directly over the same bus so the access control system sees what it thinks is a card read from the reader.
Mitigation? Keep your access control readers behind an RF-transparent barrier (glass works, as long as it's not metallic-particle tinted).
-
it's been done before
and the paper was presented at DEFCON https://www.defcon.org/images/...
-
Re:Hmmm ....
https://www.defcon.org/images/...
Different physical network. Someone in GAO misread the original report.
-
Kind of a dup, but here's a link that explains it
This is a dup story, so here's my dup comment:
See DefCon 22's avionics preso from 2014 to see what you can and can't do from a hacker's perspective.
https://www.defcon.org/images/...
(Since the summary doesn't even offer a link or name... this MIGHT even be exactly what the submitter is talking about.)
-
Also see DefCon's avionics preso from 2014
Also see DefCon 22's avionics preso from 2014:
https://www.defcon.org/images/...
-
Re:Re-engineer the OS to include ROMs?
How many people would be harmed if some basic components of XP had been burned into ROM?
Everyone who had one, because they would be found to have security vulnerabilities (see here for an example of exactly that happening), and then everyone's system would be vulnerable.
Incidentally, Kaspersky was building an OS that does exactly what you suggest, so if it works, then maybe we will see more of what you suggested in the future. I'm doubtful though, for reasons mentioned in the previous paragraph.
-
Blast from the past: the Orange Book
This feels like a blast from the past, specifically the Trusted Computer System Evaluation Criteria (TCSEC) aka the "Orange Book."
DoD 5200.28-STD - December 26, 1985
4.1 CLASS (A1): VERIFIED DESIGN
Systems in class (A1) are functionally equivalent to those in class (B3) in that no additional architectural features or policy requirements are added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. Independent of the particular specification language or verification system used, there are five important criteria for class (A1) design verification:
4.2 BEYOND CLASS (A1)
Most of the security enhancements envisioned for systems that will provide features and assurance in addition to that already provided by class (Al) systems are beyond current technology. The discussion below is intended to guide future work and is derived from research and development activities already underway in both the public and private sectors. As more and better analysis techniques are developed, the requirements for these systems will become more explicit. In the future, use of formal verification will be extended to the source level and covert timing channels will be more fully addressed. At this level the design environment will become important and testing will be aided by analysis of the formal top-level specification. Consideration will be given to the correctness of the tools used in TCB development (e.g., compilers, assemblers, loaders) and to the correct functioning of the hardware/firmware on which the TCB will run. Areas to be addressed by systems beyond class (A1) include:
DEF CON 20 - Tom Perrine - Creating an A1 Security Kernel in the 1980s
-
DEF CON
DEF CON - https://www.defcon.org/
-
Overreach?
As noted here earlier this month, three young hackers in Britain convicted of similar charges relating to the Stratfor hack received sentences that pale in comparison to what Hammond faces and highlight the U.S.’ overreach when it comes to cybercrime prosecutions. The longest sentence handed down in the U.K. cases carried a maximum of 15 months jail time. Meanwhile, as Hammond expressed in a statement Tuesday, he could have faced 30 years in prison were he to have been found guilty at trial. His supporters and legal team are now asking his presiding judge to hand down a sentence far less harsh than the possible 10 years his plea agreement can carry.
Uhm. How is this overreach?
This is NOT his first CFAA violation. He did 2 years in federal lockup previously for THE EXACT SAME CRIME several years back?
Worse, he started this little shindig while still on parole from the first offense!
Not to mention other convictions for assault and battery, theft, assaulting a police officer, etc.
This guy isn't a hero. He's not a crusader. He's not a moral compass. Hell, he hasn't actually even done anything ORIGINAL. His basic idea, steal a bunch of credit cards and donate to liberal causes? Hello? Sneakers?
He's a glory hound with delusions of grandeur.
The whole reason he got ID'ed for this was he HAD to drop his "cred" about his past endeavors. All he had to do was STFU. And he was constitutionally incapable of that.
I've met this guy. I've had dealings with this guy in a social setting for a couple years.
He can be very likable when he wants to.
But when he doesn't get his way, he's absolutely toxic.
People ask "why doesn't the government recruit him!".
He's not a hacker. He's a one-trick pony. He's a script kiddie who happens to be better than average with someone else's tools.
This is the same guy who went to a zero-day security newsgroup and exhorted the regulars to hold back the "best stuff" for themselves. So they could "look like gods" to all the up and coming hackers...Cue gales of derisive laughter.
Jeremy Hammond does NOT need lenience at this point. He needs a more lengthy incarceration and some intensive psychological therapy to relieve his attention-seeking, destructive tendencies.
-
Want to hear about scary malware?
Here you go https://www.defcon.org/html/links/dc-archives/dc-20-archive.html#Brossard
Rakshasa (I couldn't find any code released though)
- permanent
- OS independent
- undetectable
- almost unremovable
- could be running on your box while you read this
-
This DEFCON Presentation...
... addresses the subject and is at the same time very entertaining!
(Warning: large video download... but it's worth it!)
"And That's How I Lost My Eye: Exploring Emergency Data Destruction"
by Shane Lawson, Bruce Potter & Deviant Ollam
-
Spot The Shill
The DefCon folks have the right idea. Although with discussions of global warming, as with anything political, sometimes it's almost too easy.
-
Re:Ok, let's jump into this
How to tell a crap sec pro from a good one, and at least I believe the answer isn't on paper.
You can tell the difference by subjecting the applicants to creative tests. If they manage to break in, they're more likely to be able to switch hats and guard the other side of the fence.
-
Does it encrypt REAL phone calls?
While it is nice for someone to be making an easy-to-use all-in-one encryption app, the real question for me is this:
Does it encrypt phone calls; real, phone-to-phone, no-VoIP phone calls. There are already several solutions out there for encrypted VoIP. Even a free, open-source general-purpose Android SIP client CSipSimple supports ZRTP for key exchange (or 'of course' a free, open-source
...)
However, I have not found a single app (and indeed only a few specialised devices) to actually make encrypted phone calls without using VoIP, and none that have made encrypted phone calls over GSM voice. A few people have talked about phone call encryption over GSM voice (e.g. at DEFCON) and there are many papers on the topic of data-over-GSM-voice, but I haven't yet seen it implemented. If this *does* implement it, *then* I'll be pumped. On the SMS front, there is already TextSecure for sending encrypted SMS, and all the key exchange is handled through SMS (and perhaps MMS? I believe only SMS). Mind you, Moxie Marlinspike hasn't released the source for it (and it is now owned by Twitter, so we'll probably never see it).
-
DEFCON 20
This was demonstrated at DEFCON 20. He live demo'd rooting an Android device using NFC to open the browser and a browser exploit to gain root. https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Miller
-
Valery Aurora is a feminist provocateur...
Here's her webpage:
with links to the white male privilege checklist:
http://www.amptoons.com/blog/the-male-privilege-checklist/
And here she is in her scantily clad attire at DEFCON designed to bait desperate sexless men into acts to further her feminist bullshit:
https://www.defcon.org/images/graphics/PICTURES/DAN-2.JPG
She's an ideological provocateur whose only relevance comes from her nutty feminist nonsense. You can read more of her BS at her blog:
-
Nothing Replaces Being around Security Admins
Nothing Replaces Being around Security Admins.
Blogs are fine.
Books are fine.
but nothing replaces hanging out with people paid to hack into corporate systems. Find a local DC{areacode} group and get on their email listserv, follow them on twitter, go to a few meetings. Here's a list: https://www.defcon.org/html/defcon-groups/dc-groups-index.html
There are other system security groups too - search for "DevOps" and "OWASP" to find those. I've seen more on meetup.com than I would have expected.
If you live near a town with a vibrant admin/sec corporate culture, finding these is easy. In my metro area, we have at least 5 of these groups meeting monthly. Some are college students looking to learn to be a cracker, but most have real jobs for state, government, huge telecom and DoD companies. These guys keep up with all sorts of security issues from social engineering to the dumbest things they've seen at clients.
Have I got stories about security issues in some of the very largest companies
... you wouldn't believe what a very-well-known-flash-web-game company was doing. Money trumps intelligence all the time.
Short of all that, stay patched and don't do stupid things like running DNS, sendmail, or WebDAV. All inbound connections should be through a VPN - like OpenVPN. If you insist on running a web presence, please, please, please use a reverse proxy to block access to every URL except those you specifically want available to the outside world. Putting apache directly on the internet is foolish in the same way that putting any MS-Windows PC directly on the internet is foolish.
Another dumb thing people do all the time is use php-based programs. It appears that php attracts noob programmers. They are just happy that the functions work and can't be bothered with security. Clearly not every php program is insecure, but based on the recent core-Php security issues, I wouldn't trust these on the internet. You'll get a feel for which types of developers tend to have the most secure code by hanging out with the DC-xyz crowds. My local DC group is pretty vocal about never deploying php or java programs on their networks - or anything from Adobe.
Network architectures are the first stage of securing any system(s). It is best if most of your systems can't actually be reached from the internet - sorta like a DMZ and internal LAN that we see on corporate networks. That means you probably need another router or you need to get good at virtual networking.
Folks will say you need a firewall - that's true, but for a low-end website, the home router is probably enough when you first start out. Every Linux distro has a world-class firewall built-in. Learn to use it. A firewall does not replace a well designed network with security zones. Don't be confused about that.
Never trust anything that you've setup to be perfect. Rarely is that the case. Test it until you are **positive** it is verified.
Stay patched. An old OS (for anything) can be worse than a brand new, untested, beta OS from a security perspective. If you don't want to be tweaking the OS all the time, get on an OS with long term support - CentOS or Ubuntu LTS. I've got about (9) Ubuntu 8.04 LTS systems still running great here. They are patched weekly and have another year of support. I have 10.04 and a few 12.04 systems too. The 8-10 change was pretty big. The 10-12 change, not so much.
Following all the security issues for an OS is hard, but if you want to waste 30 minutes a day, use an RSS feed for the distro you choose and find their security issues list.
Ubuntu: http://www.ubuntu.com/usn
This should make it clear why you don't want to run hobby distros. There are constant security issues for every OS, including Linux.
-
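The comment above recommends a reverse proxy that blocks every URL except the ones you deliberately expose. As an added example (not the commenter's configuration), here is what that default-deny pattern looks like in nginx: the catch-all `location /` refuses everything, and only the explicitly listed prefixes are proxied to the internal application server. The hostname, certificate paths and the backend address 10.0.1.10:8080 are placeholders.

```nginx
# Added example, not from the original comment: nginx as a default-deny
# reverse proxy in front of an internal web app (placeholder 10.0.1.10:8080).

server {
    listen 80;
    server_name www.example.com;          # placeholder hostname
    return 301 https://$host$request_uri; # plain HTTP only redirects to TLS
}

server {
    listen 443 ssl;
    server_name www.example.com;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Default: anything not matched by a more specific location below is
    # refused. /admin/, /.git/, /phpmyadmin/ and so on all land here.
    location / {
        return 404;
    }

    # The public landing page only (exact match).
    location = / {
        proxy_pass http://10.0.1.10:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Static assets: ^~ is a prefix match that wins over any regex location.
    location ^~ /static/ {
        proxy_pass http://10.0.1.10:8080/static/;
        proxy_set_header Host $host;
    }

    # One explicitly public API prefix; everything else under /api/ stays 404.
    location ^~ /api/v1/public/ {
        proxy_pass http://10.0.1.10:8080/api/v1/public/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate the file with `nginx -t` before reloading, then confirm the allowlist from outside: a request for `/` or `/static/app.css` should come back from the backend, while `/admin/` and `/api/v1/internal/` should return 404 from the proxy without ever reaching the application server. The backend itself should listen only on the internal network, so that the proxy is the sole path in.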
Re:Windows malware doesn't go viral
Eh, there's a fair amount of pushback on this.
Was looking at getting a dice roller on my phone, and one of the free apps I was looking at had a number of 1-star ratings because the dice roller needed access to dialing out, the internet, and who-knows-what-else.
The author of the app just put up an apologetic, "We need all those permissions on this app to get Google Ads to work", without bothering to fix the underlying cause. He didn't need all the permissions he was asking for.
A friend of mine gave an interesting talk on the subject of Android security at Defcon:
https://media.defcon.org/dc-19/presentations/O'Neil-Chin/DEFCON-19-O'Neil-Chin-Google-Android.pdf
-
Death Envelope
I heard Matt Yoder talk about a "Death Envelope" on Pauldotcom Security Weekly. He gave a presentation about it at DefCon. The slides are here.
-
Re:Antivirus / security companies
This made me think of Charlie Miller's talk at Defcon 18. Basically, he sends out lots of remote access tools, but ensures redundancy because he expects an amount of his code to get caught. I assume the Duqu writers did the same thing. So what if 1 RAT gets caught. Your sister malware lived on.
-
Case Study
I don't have any personal experience, but here's how a presenter at a previous Defcon did it.
-
Utterly Useless
There's zero chance this will work how they think it will. From a great presentation at this year's DefCon:
Why Airport Security Can't Be Done FAST
-
Re:Only as "free" as your ability to defend it
Wikipedia links to this DEF CON presentation (PDF) from 2003 which has some details.
-
Re:I want to call bullshit...
http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Paget
GSM != ( CDMA || 4G )
I'm underwhelmed.
-
Conference Confusion
Black Hat != Def Con. Def Con is the convention for Hackers. https://www.defcon.org/html/links/dc-about.html Black Hat is the convention for Corporates. http://www.blackhat.com/html/about.html
-
Re:Well yeah
Ad mobile phones, I suggest watching http://defcon.org/html/links/dc-archives/dc-18-archive.html#Marlinspike. Choosing to not use a cellphone may equate to not participating in society, which is a dilemma. And that sucks.
-
Re:Greed = PROTECT IP = TOR
Tor I believe uses port 443 to communicate with relays. (At least there is an option to use it if the normal port is blocked.)
9050 is just the port it listens to locally.
Ironically (?), Tor receives a lot of funding from the US Government. They did a presentation at Defcon a couple years ago.
Maybe by the time they figure out how to shut Tor down, we'll have developed wireless mesh networks.
-
Re:You know what really sucks?
You're crazy. We've reversed transactions at ATMs with our bank where the ATM didn't spit out the money but marked it as a successful transaction
I am not a lawyer, but I believe legally the customer is liable for ATM transactions, except in a case where the card is stolen, AND the transactions happen no more than 72 hours before the report, and then I think your liability is capped at $50. Any reimbursements would be at the bank's discretion, so if you have a good, sympathetic bank(er), like it sounds like you have, you might get off the hook. I've had my fair share of disputes with banks that like to pin things on customers, and they're generally not as cooperative or polite about it.
If somebody, for example, does this or this, and you see it on your statement the next month; or even if you used your card soon after it happened (can't claim the card is stolen) but didn't check your statement online until later that night, you're stuck with it.
I didn't need to do "research" because I had personal experience to back it up, and no amount of research would have led me to your experience. Banks, in general, try to pin these things on the consumer instead of eating the loss, especially Bank of America.
-
Re:Tech predictions = futile
And you did show here the refrigerator that runs linux, right? And maybe this toaster?
:)
https://pics.defcon.org/showphoto.php?photo=53&cat=512
-
Re:"only a national intelligence agency"
-
Re:Fail.
It's only a security threat if you can't trust the site that the programs are originating from. Sure, this search engine *may* be able to dump a tracking code into their output and therefore break the TOR privacy[1], but you have to ask how likely to happen is this? And my answer: very unlikely.
Please. If you do not understand the fucking problem. Do the world a favor and shut the fuck up.
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf
http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
http://www.xssed.com/news/41/A_new_critical_Google_XSS_vulnerability_promptly_corrected/
http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
http://blogoscoped.com/archive/2007-09-28-n28.html
http://www.h-online.com/security/news/item/Google-fixes-cross-site-scripting-vulnerability-in-YouTube-comments-1032988.html
http://ibnlive.in.com/news/orkut-attacked-by-bom-sabado-worm/131714-11.html
http://www.geek-news.net/2010/09/twitter-hit-with-major-xss-hack.html
http://lynnepope.net/twitter-xss-attacks
http://nemesis.te-home.net/News/20090407_Metasploit_Decloaking_Engine_and_TOR.html
http://securityandthe.net/2008/12/23/finding-a-hidden-ip-address-just-got-easier/
-
Talk about google privacy at defcon
The speaker moxie said basically, what the gov't had been trying to do but would never be able to is what google is doing now. To put it in perspective, he asked: "Who do you think knows more about the people of Iran? It's government, or google?"
So for all the good google does, this is one small way that it hurts some. That's not to say though, that the people who have these pools are innocent. Yes, we're a capitalistic society as many think, but no, you don't pay to have the roads you drive on to be paved, you contribute like everyone else does in small amounts. And without those small amounts almost nothing would be possible as we get much more and further by working together than alone.
http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Marlinspike
-
Re:Glad AT&T is not being evil (this time)
You think the FBI isn't already there? They've played a game called Spot the Fed for years. It's damn near a tradition. They are there to learn what's going on in the hacker community. It's beneficial to them too.
-
New Tor attacks and anonymity attacks all the time
Attacking Tor at the Application Layer
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage
Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
Unmasking You
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Down the R
-