Towards the end of summer each year the information security world descends on Las Vegas for a week of training, discussion and the disclosure of a year’s worth of quiet research. I’ve been attending off and on for years, and was joined this year by several of my new SecureState co-workers from Profiling and Risk Management.
The week started off with the biggest, and most expensive, of the three events: Black Hat Las Vegas. This is the original and largest of the Black Hat events held around the world each year, and it has often been the forum for disclosing some of the most cutting-edge and impactful research in information security. The biggest talk this year, hands down, was Barnaby Jack's presentation on compromising Automatic Teller Machines. Barnaby had attempted to give a similar presentation in 2009, but his employer pulled the talk after pressure from some unnamed ATM manufacturers. After changing employers and adding several new ATMs to his collection, Barnaby was back this year to give a live demo of local and remote compromise of two different ATMs.
Both of the ATMs Barnaby targeted were the smaller stand-alone units commonly seen in convenience stores, liquor stores, and other public places. In both cases the vulnerabilities were devastating, allowing total compromise of the ATM and letting an attacker dispense cash at will or conduct other financial transactions. The manufacturers appeared to rely heavily on the relative obscurity of these systems, the perceived price barrier to getting access to an ATM, and their physical controls. They clearly hadn't considered how easily a researcher like Barnaby could obtain their machines on secondary markets such as eBay and Craigslist. More alarming was Barnaby's assertion that the locks protecting the ATM internals were all keyed identically, and that he had been able to obtain a master key for just $10 on these same secondary markets. It should be noted that while Barnaby speculated that the more expensive machines typically found in banks have the same vulnerabilities, he was not able to obtain any of them to confirm this, as they are more tightly controlled.
One of the most interesting developments of the last two years has been the advent of Security BSides. In 2009 a number of individuals felt they had strong talks which, for whatever reason, were not accepted at Black Hat. In response, a grass-roots event known as Security BSides was organized in the weeks leading up to Black Hat 2009 as a venue for those talks, and for those who were beginning to feel less welcome at the big Black Hat show. 2010 was the second year for BSides, and it drew over 650 people to a rented house off the Las Vegas Strip for an impressive list of familiar names, along with plenty of first-time speakers. Part of the goal of BSides is to place more emphasis on the so-called "hallway track" and less on the talks themselves, and I would say they succeeded immensely. With lounge areas everywhere and a huge outdoor pool, the venue was extremely conducive to conversations with passionate security professionals from around the world.
Two talks at BSides stuck out for me. The first was Metasploit creator and Rapid7 CSO HD Moore presenting a series of severe vulnerabilities he had found in the VxWorks OS. For those who aren't familiar, VxWorks is an embedded OS found in appliances like your video conferencing phone, multi-function printers, and SAN controllers. Embedded systems aren't generally designed to be patched regularly the way other computing systems are, so any vulnerability can be very difficult to fix. HD had a spreadsheet filled with thousands of affected systems, and even once patches are available it will be difficult for those with affected devices to apply them within a reasonable timeframe. My recommendation for anyone with these devices (which is virtually all of us) is the same as for any device we can't easily patch: don't connect them directly to the internet, and if at all possible put them on an isolated segment within your network, where they can answer requests from the hosts that need them but can never initiate connections to the rest of the network or to the outside world.
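As an added illustration of that isolation advice (this is not from the talk or from any product; it is an example ruleset written for this post), here is what the "isolated segment" looks like as an nftables forwarding policy. The interface names, addresses and ports are assumptions: eth0 is the internet uplink, vlan10 is the user LAN, vlan20 holds the embedded devices (printers, VoIP gear, SAN controllers), and 10.0.10.5 is the one management host allowed to touch them.

```nft
# Assumed layout (example only, not from the page or from VxWorks/HD Moore's talk):
#   eth0   = internet uplink
#   vlan10 = user LAN (10.0.10.0/24), management host 10.0.10.5
#   vlan20 = embedded devices that cannot be patched promptly

# Weak setting: a forward chain that accepts by default lets an embedded device
# reach the internet and the user LAN as soon as it is compromised.
#   chain forward { type filter hook forward priority 0; policy accept; }

# Corrected policy: drop by default, let the embedded segment answer but never initiate.
table inet embedded_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections that were already allowed
        ct state established,related accept

        # the management host may reach anything on the embedded segment
        iifname "vlan10" ip saddr 10.0.10.5 oifname "vlan20" accept

        # ordinary users may only use the services they need (printing here)
        iifname "vlan10" oifname "vlan20" tcp dport { 631, 9100 } accept

        # nothing on the embedded segment may open a connection outward;
        # log the attempts, because they are a useful compromise indicator
        iifname "vlan20" oifname { "eth0", "vlan10" } counter log prefix "embedded-egress: " drop
    }
}
```

Loading this with `nft -f` on the router between the segments gives the devices exactly the reachability they need and nothing more; the final rule's counter and log line are what you watch to learn that one of them has started talking on its own.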
Another phenomenal talk came from Bruce Potter, best known as the founder of DC's ShmooCon (http://shmoocon.org). The topic, "Making Network Diagrams That Don't Suck," wasn't overtly a security presentation, but it was inspired material that any IT professional could benefit from. Potter covered five trouble areas to consider for any diagram, such as including a clear legend and avoiding a rainbow of colors. The presentation closed with an assortment of diagrams pulled off the internet, which the audience was asked to assess against Potter's criteria. The talk is already available for free download; I encourage you to go here (http://livestre.am/hqhB) and check it out yourself.
The final event of the week was Defcon itself. One of the oldest and hands-down the largest hacker conference in North America, Defcon is an unforgettable experience. This year over 2000 of us crammed into the Riviera for three days of talks ranging from blah to blah. That number is worth remembering: attendance at Defcon has gotten so high that for most talks it was necessary to wait in line, and for high-profile talks one had to show up an hour or more in advance!
One of the more interesting talks at Defcon was Chris Paget's latest on the popular cell-phone protocol, GSM. Signs were posted all over the nearby conference area on Saturday warning attendees that their phone calls could be intercepted during Paget's talk, and advising them to turn their phones off if they did not wish to be part of the show. During the talk itself, Chris demonstrated that with about $1400 worth of readily available hardware (http://www.ettus.com/products) and some open source software (http://openbts.sourceforge.net, http://asterisk.org) he was able to stand up his own GSM cell tower. GSM phones attach to whichever tower presents the strongest signal, which for phones in the vicinity of the presentation was Chris's! The key weakness is that in 2G GSM the network, not the handset, decides whether and how the link is encrypted, and most handsets will fall back to 2G when that is the strongest usable signal, so a rogue tower can simply tell the phone to operate without a cipher. This allowed Paget to intercept voice calls from these phones, although data sessions that stayed on the newer 3G protocols remained encrypted, as those have not yet been broken in the same way.
It's worth mentioning that with Defcon the real reason to go isn't the talks, it's the conversations. Because of its size it attracts hackers, security professionals, and technology enthusiasts from all over the globe. This was a high point for me: getting to see guys like Eurotrash podcaster Chris John Riley (http://blog.c22.cc), English Jasager developer Digininja (http://digininja.org), and Dutch Seccubus creator Frank Breedijk (http://seccubus.com) isn't something I get to do a lot back here in Ohio. I spent most of my Defcon time walking the hallways and hanging out in the lockpick village talking shop with folks I rarely see. That is something I won't get from the Defcon talk DVDs, and it's what keeps me coming back year after year.