Defcon coverage will happen this year over at disLEXia.
Finally all presentation materials from Vegas are uploaded.
See here for “NoSEBrEaK – Defeating Honeynets” and here for “Hidden data in Document formats”.
You might enjoy the videos of hacking censored PDFs: copying black text on a black background, copying the image from under the black marks, and removing the censorship boxes. This stuff is so ridiculous that it resulted in spontaneous applause from the audience.
Dan Kaminsky was scheduled to give a talk on “Black Ops of TCP/IP 2004” but decided to take his BlackHat talk on DNS and present it at Defcon. I left the talk after 20 minutes. Seems I wasn't the only unimpressed attendee, since I found this on Dan Kaminsky's website:
OK, let me repeat.
Throwing arbitrary data in DNS — NOT a big deal.
Even doing network tunneling over DNS — ALSO not that big a deal; NSTX has been doing this for a while.
But he continues:
DNS radio is new. By segmenting audio into small chunks, we actually get universal caching of the streaming signal — a functionality we’ve never really had before. Generally, audio broadcast over the Internet falls apart after a few thousand users. Based on this ring-buffer-into-BIND architecture, combined with the utterly minimal bandwidth load of Speex, we should be able to host audio for a much greater number of listeners.
The entire suite of incoming attacks to firewalls are also new. DNS trusts the hierarchy to tell it the next hop to its target name; since I can acquire second level domains in the hierarchy for minimal cost, it’s trivial for me to insert arbitrary destinations along the DNS route path. In technical terms, whenever a recursing resolver comes to my name server to resolve a name, rather than providing an answer, I can redirect that request to another, supposedly authoritative server. That server can be at any address — even one I cannot IP route to — but if the resolver communicating with me can route to that address (say 10.0.1.11) my communication will reach that host. If there’s an SSH over DNS daemon running on 10.0.1.11, I’ve now achieved incoming connectivity to the network of my choice, completely bypassing firewalls and a trojan’s need to poll.
Recursion on dual hosted interfaces is not even necessary. There are large numbers of applications that, upon receiving untrusted traffic, execute DNS name lookups. Most commonly, they are reverse PTR lookups, but occasionally there are other types (MX from mail servers, most notably) that can be easily induced. When they are induced, the hierarchy is followed. When the hierarchy is followed, the attacks previously discussed start working. In practice, this means an IDS triggers the DNS server to start proxying traffic between an external attacker host and an internal trojaned machine. Nasty.
There’s some other stuff — check out the slides and the code — but long story short, there’s some new stuff out :-)
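A resolver-side guard against the referral trick Kaminsky describes, added here as an example (it is not code from this post or from his talk): a delegation is modelled as an NS name plus its glue addresses, and the resolver refuses to chase any next hop that is not a globally routable address, so a referral pointing at something like 10.0.1.11 never turns the resolver into a proxy for an internal host. The Referral type and the sample referrals are constructed for this example.

```python
"""Reject DNS referrals whose glue points into private or otherwise non-global space."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Referral:
    """Hypothetical model of an NS referral: the name being resolved, the
    delegated-to name server, and the A/AAAA glue supplied for it."""
    qname: str
    ns_name: str
    glue: list[str] = field(default_factory=list)


def is_internal(addr: str) -> bool:
    """True if a resolver must not contact addr on behalf of an external query."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.1.11) so a private v4 address
    # cannot be smuggled past the check inside a v6 glue record.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local, CGNAT, TEST-NETs, etc.
    return not ip.is_global


def safe_next_hops(ref: Referral) -> list[str]:
    """Glue addresses the resolver is allowed to send the next query to."""
    return [a for a in ref.glue if not is_internal(a)]


def should_follow(ref: Referral) -> bool:
    """Follow the delegation only if at least one routable next hop survives."""
    return bool(safe_next_hops(ref))


# Constructed sample referrals, as a hostile authoritative server might return them.
SAMPLE_REFERRALS = [
    Referral("www.legit.example", "ns1.legit.example", ["93.184.216.34"]),
    Referral("x.attacker.example", "ns.attacker.example", ["10.0.1.11"]),
    Referral("y.attacker.example", "ns.attacker.example", ["::ffff:10.0.1.11"]),
    Referral("z.attacker.example", "ns.attacker.example", ["127.0.0.1", "8.8.8.8"]),
]


def audit(referrals: list[Referral]) -> dict[str, bool]:
    """Map each queried name to whether the resolver would chase its referral."""
    return {r.qname: should_follow(r) for r in referrals}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_REFERRALS).items():
        print(f"{name:24} {'follow' if ok else 'REJECT referral'}")
```

The same check belongs on A/AAAA answers too, since a lookup induced by a PTR or MX query that resolves to an internal address is the other half of the problem.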
So I might have done better to stay longer, but the talk certainly spent too much time on trivialities. I might have been somewhat overqualified, being the author of a DNS tunneling tool myself, but Dan's comment indicates that I was not the only one.
Grab his slides here.
I didn't attend it but heard very different opinions on the RFID & Smart-Labels talk. By far the most interesting part of the presentation seemed to be the RF-Dump tool, but is that interesting?
Some I talked to think it is a basic data-on-tag reading and writing application, which should come with every good RFID SDK as an example program. Others claim it really is nifty stuff allowing scripted en masse reprogramming of tags.
Check http://www.rf-dump.org/press.shtml for press voices.
I was seriously annoyed by the Bluesnarfing talk. Adam Laurie & Martin Herfurt basically told us what they have been telling for months now: they found a way to do things cell phones should do only when paired, without going through the pairing process. At least so they claim.
Their presentation consisted of about 30 minutes of “what nasty things you can do to a phone (when paired or when being able to circumvent pairing)” - nothing new there. Not a thing we hadn't come up with ourselves in the first 60 seconds after the first announcements of bluesnarfing.
Then they whined for about 5 minutes that the cellular vendors didn't show them proper respect and played the problem down, even after they published it on bugtraq and full-disclosure.
Next they told us they couldn't give a demo “because of legal reasons” (a phrase they used often). Then they tried to give a small demo with their own phone, which didn't succeed although they made several attempts. Then they showed a Web page which supposedly showed the phones in the room, but how could I believe it was live when none of our phones showed up in that list?
When asked HOW they were actually doing bluesnarfing, they declined to give out details.
What a shitty talk! “Bad things will happen. We can't show you because of legal reasons. Our cut-down demos don't work. We will not tell you the technique we used. We are pissed because industry isn't taking us as seriously as we take ourselves.” Hello? This is defcon? Can you spell F_U_L_L D_I_S_C_L_O_S_U_R_E? Do you know that that's the way to get vendors' attention? Why did you post to full-disclosure if you didn't want to do that?
What FUD.
There was a Root-Fu competition between West and East Coast announced. See http://mega.rootfu.org/