WAHCKon highlights
A few weeks ago I bought a ticket to the inaugural WAHCKon which was held at ECU Joondalup over last weekend. It was a great event, with some interesting talks and a general 'good vibe' over both days. Mostly so I don't forget some of the cool things I heard about, I thought I'd quickly mention a few of the talks that I particularly enjoyed.
A Small Chain of Security Bugs Gone Astray
Like most people, I've heard about cross-site scripting attacks before but never really understood how they worked or why they're a factor in so many site hacks. The underlying story was about a couple of bugs in the open-source portfolio system Mahara which allowed an attacker to cascade from a simple piece of JavaScript into full-blown shell access on the server. I also managed to have a chat with Hugh during a break - I'd be interested to hear some of the other talks he's given.
Watering Hole Exploitation
As with the first talk, this was a deeper look into how small vulnerabilities can cascade into serious issues for hacked targets. The focus of the talk was the idea of a 'watering hole' - a place that users located in the target organisation are likely to visit. If you're able to compromise or impersonate the watering hole, you can gain user-level access to an internal network and start elevating the access you have from that point. A lot of the methods used seemed similar to those that Mandiant described in their report on the Chinese military's hacking group APT1. The talk made me happy I don't have to look after any large networks as one small mistake by a non-admin user can lead to serious problems.
ICANN & the DNS root
I hadn't really been looking forward to this presentation - I know ICANN is important to the functioning of the Internet, but it's never something I've looked into at all. The two parts of the talk I found most interesting were how many new top-level domains are about to be released and how the DNS root is able to withstand such heavy traffic (it turns out the key is anycast). It's amazing that a not-for-profit that has so many different groups involved can make any decision, let alone ones that seem to work pretty well!
Cyberwar and the Real World
The Stuxnet worm has perhaps been the most-publicised piece of malware in recent years, so I'd heard a fair bit about it before. Some of the in-depth information presented was really fascinating, particularly how precisely targeted the payload was. Even more interesting was the demonstration of how Stuxnet was targeted using a publicly-available picture from the Iranian President's official site that showed a number of the computers used to control the centrifuge cascade.
WithIn the Groove: How To Be A Dick To Your Arcade
One of my favourite presentations, mostly for the frequent use of #hashtagjokes and Gandalf. The talk itself discussed a method to trick the dancing game In The Groove 2 into running arbitrary Lua code to give free credits. Although it's an arcade game, players are able to insert USB drives to store profile data and it's this that allows the attack - profile files can include Lua code. Although the game uses RSA to sign the profile files (so only signed profiles are trusted) and the private key is encrypted with AES-192, a flaw in the iButton DS1963S used to calculate the AES key exposes the RSA key. Although it was only an attack on an arcade machine, it was a great demonstration of the fact that a single flaw in the implementation of cryptography can lead to a complete compromise.
I also found a more technical overview of the attack by Ronald Huizer who's also documented a software attack on the DS1963S. The original fault attack on the dongle was presented by Christian Brandt and is also available online if you speak German.
Phreaking in a post copper world
Before seeing this talk, I had no idea how big VoIP hacking was. It turns out that the cheap international telephony that the Internet has brought in has created more than a few options for those looking for a quick buck. Once you've got hold of someone's account credentials, you can use that to make calls at their cost. One option is to call premium phone lines that you control and profit from; those willing to play a long game have apparently set up calling card enterprises built entirely on hacked VoIP accounts.
Hardware hacking and stretching the Parrot ARDrone platform to the limit
At work, one of the ways we illustrate how quickly technology progresses is to show students an AR.Drone - something that ten years ago would have been government technology is now available for a few hundred dollars at a nearby shop. As part of a final-year university project, these guys created the Intellidrone. Using the original AR.Drone platform they added modifications for GPS, real-time telemetry and payload pick-up/drop-off along with a software package to control it all. This is definitely something I'll be looking to include in our presentations, though I might leave out the extended-capacity battery hacking.
Another highlight along with these talks was the conference party and lockpicking contest on the Saturday night. Although I've been into lockpicking for a while, this was the first chance I've had to even meet other people that are into it in Perth, let alone try a competition. I didn't perform that well in the end as the five-pin lock that was worth most of the points eluded me. It was great fun and as a bonus I even got to pick my first pair of handcuffs as part of the competition. For a first event the whole conference was amazing and I'll certainly be heading to the next one in 2014.