I attended the Ruxcon 2012 computer security conference this year and thought I’d post an overview of the event. I’ll cover the awesome presentations that I saw as well as the capture the flag hacking game. I have now attended Ruxcon for the past 3 years and can definitely say that it only keeps getting better; this year was by far the best thus far and I can’t wait to go again in 2013. If you are at all interested in security and are in Australia I highly recommend going.
After getting to sleep late on Friday night, I was waking up just a few hours later at 4am to get ready for my flight from Canberra to Melbourne. I got into Melbourne at 8.30am and then caught a taxi into the city. Energy drinks with breakfast seem to be my Ruxcon tradition. I went down with a couple of friends, as we have all gone previously and found Ruxcon awesome.
Presentations – Day 1
Here is a brief summary of the presentations that I attended. Unfortunately I did not get to go to all the ones I wanted, as there are always two presentations running simultaneously in different rooms, so these are the ones I chose to attend. I also missed a few as I was playing the capture the flag (CTF), more on that below!
Mac EFI Rootkits: This presentation was given by Snare and was basically him demonstrating some cool rootkits whereby code would be injected directly into the kernel on boot. This was interesting as the payloads were injected from Thunderbolt devices; one example used a Thunderbolt to Ethernet adapter, as the adapter has a ROM which is used to store the payload. Some recommended fixes for this included gluing all of the ports on the Mac shut, but more seriously putting a password on firmware modifications, as well as disabling the loading of ROMs from expansion devices. During the presentation it was demonstrated how, just by plugging in his adapter via Thunderbolt, some custom content was displayed on boot.
Android Malware Detection in the Cloud: This one was about automating the parsing of application files and determining whether they are considered to be malicious. This would be useful for repackaged applications that look legitimate to the user but may not be. Repositories are automatically crawled and the results displayed in a web portal. Applications have a lot of power and permissions on mobile devices these days and can potentially do a lot of damage, so being able to discover these things is useful.
Practical Analysis on Payment Gateways: This presentation outlined the weaknesses of online shops that make use of payment gateways to securely process their customers’ payments. The talk was not specifically about payment gateways or specific vulnerabilities in them, but focused on the weaknesses between the website itself and the payment gateway. These sorts of things are commonly attacked as hackers tend to want free or cheaper goods and services online. Some techniques included getting the shop to think that it has received a message from the gateway saying that payment has been completed; spoofing the payment in this way could result in a shop sending out items that have not actually been paid for. Of course, there is the good old low-tech counter of waiting for the payment to arrive before shipping. It may also be possible to man in the middle (MITM) the transaction content as it leaves the store for the payment gateway, and this could include sensitive information if it is not transferred correctly using SSL. There are also attacks that can be performed on the shop itself, for example exposure of credit card information, modifying payment amounts and orders, editing the currency in use and spoofing transactions; these are all typical things which may be done with SQL injection or other common attack methods. These depend on the security of the website rather than of the payment gateway, so users should not assume that they are safe just because they have some third party looking after their transactions.
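The shop-side checks that counter the spoofed “payment completed” message and the modified amount/currency attacks above, as an added example that is not from the talk or any real gateway. It assumes a hypothetical gateway that signs its callback fields with an HMAC over a shared secret; the secret, order store and field layout are all constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret agreed with the gateway out of band (placeholder value).
GATEWAY_SECRET = b"example-shared-secret"

# Constructed order store: what the shop itself recorded at checkout.
# The callback must match this record, never the other way around.
ORDERS = {
    "A1001": {"amount": "49.95", "currency": "AUD", "paid": False},
}

# Transaction ids already accepted, so a captured callback cannot be replayed.
SEEN_TXN = set()


def canonical(fields):
    """Deterministic string the hypothetical gateway signs (assumed format)."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")


def sign(fields):
    """Build a callback the way the (assumed) gateway would; used to construct test input."""
    sig = hmac.new(GATEWAY_SECRET, canonical(fields).encode(), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def verify_callback(cb):
    """Return (ok, reason). Only ok=True may mark the order as paid and trigger shipping."""
    if "sig" not in cb:
        return False, "missing signature"
    expected = hmac.new(GATEWAY_SECRET, canonical(cb).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, cb["sig"]):
        return False, "bad signature"
    order = ORDERS.get(cb.get("order_id"))
    if order is None:
        return False, "unknown order"
    # A genuine callback can still report the wrong amount if the customer tampered with
    # the price sent to the gateway, so compare against the shop's own record.
    if cb.get("amount") != order["amount"] or cb.get("currency") != order["currency"]:
        return False, "amount/currency mismatch"
    if cb.get("status") != "completed":
        return False, "payment not completed"
    if cb.get("txn_id") in SEEN_TXN:
        return False, "replayed transaction"
    SEEN_TXN.add(cb["txn_id"])
    order["paid"] = True
    return True, "ok"
```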
Reverse Engineering a Mass Transit Ticketing System: This presentation was quite interesting and went through some general steps for black box reverse engineering, that is, determining how something works without the source being available. Basically a ticketing system used here in Australia was reverse engineered, and the guys were able to identify all of the information on the tickets by collecting and analyzing large numbers of them, which resulted in patterns in the data being identified; this is not something that should be possible with secure encryption. In theory this would allow people to create their own tickets and get free transport. They went through a responsible disclosure process in order to bring this to the attention of the people who ran it. The system was quite outdated and the tickets used custom encryption rather than a proper method that has been proven to be secure, demonstrating that these outdated techniques of obfuscation need to be put to a stop.
After Ruxcon the following article was posted on ITnews about this presentation, which contains some further information. These guys went on to win this year’s capture the flag event, more on that below.
The Impacts of Advancing Technology on Computer Forensics and E-Discovery: This was presented by Adam Daniel. Having seen him present in 2010 and go far over time due to the amount of cool stuff he was discussing, I figured it would be worthwhile to attend, and I was not disappointed. He outlined some of the new challenges in computer forensics in a constantly changing industry: as technology continually improves, the methods that we use also need to adapt and change to keep up. The job of data forensics is more complex as encryption is now more commonly used to keep data secure, data sets are much larger now as hard drive space continues to increase rapidly, and data recovery techniques need to change; for example, recovering data from traditional magnetic hard drives is different from recovering it from solid state drives (SSDs) as the underlying technology is different. The concept of “cloud storage” also causes issues, as data may be spread over many pieces of physical hardware, and determining its actual location and attempting recovery can be difficult, especially when the data may very well be hosted offshore on a number of different pieces of physical hardware.
After the presentations were over we headed over to the Saturday after party (sponsored by Rapid7), which resulted in being out most of the night and enjoying 1 hour of sleep – probably still more than most people!
Presentations – Day 2
Examination of the VMware ESXi Binary Protocol Using : This talk provided a demonstration of Canape and how it can be used against the VMware ESXi binary protocol. It can be used to parse traffic and inject your own, and it works with multiple protocols over the one connection, such as HTTP/HTTPS, which are used for VM management. Realistic scenarios demonstrating man in the middle (MITM) attacks on the VMware console were shown, including logging and replaying keystrokes and mouse movements as well as injecting your own directly into the VM console. A potential MITM on datastore file transfers was also demonstrated, as by default files are transferred in plaintext. An example was provided where a file was uploaded to the datastore and fuzzing was performed to crash ESXi; if this is done twice within 1 minute the hostd service dies and must be restarted manually through SSH. This cool vulnerability has been reported to the VMware security response centre and they are currently working on a fix. The talk outlined some best practices for virtual machine management with vSphere, namely: avoid using it over an Internet connection if possible, instead connecting first using a secure VPN connection and then connecting with vSphere using HTTPS, and if possible have vCenter running on an internal network. It also seems to be a good idea not to use network file copy (NFC) to transfer sensitive files to the datastore, as the transfers can be read.
Some further information on this talk was posted here on their blog.
Finding Needles in Haystacks (The Size of Countries): This talk focused on the idea that security analysis is often limited by the amount of data that can be stored and processed in regards to an incident; it comes down to the level of logging that you have in place. Instead of traditional logging it was proposed that all network traffic should be logged so that you have full packet captures, as these will show everything in your network. In the past we have been bound by the size of the data, as the time taken to process it was immensely large; however, now with cloud computing, where we can purchase hours of online compute power for a few dollars, this task is much easier, allowing people without significant investments in infrastructure to process their data in a timely manner. The potential problem with this, however, is sending potentially sensitive data to the “secure cloud”, which may in fact be offshore in random locations that you have no control over. Depending on the amount of data it may be possible to analyse it in real time to avoid storing it and rely solely on compute power. With this level of data you can define baselines for normal traffic, identify outliers and by extension attacks, find 0day attacks by going back through past traffic, and spot other new things not previously seen in your traffic. Timestamps of everything, the specific protocols used, payloads, as well as the location of attackers are all things that can be analysed with this method.
The demonstrations in this presentation were really cool; they have since posted some videos of these on their website, found here.
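The baseline-and-outlier idea from the talk, reduced to a small worked example that is added here and is not the presenters’ code. It assumes the packet captures have already been summarised into per-flow records; the flow records, hosts and byte counts are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries (timestamp, src, dst, dst_port, bytes) standing in
# for what a full packet capture would be reduced to. Not real traffic.
BASELINE_WEEK = [
    ("2012-10-13T09:00", "10.0.0.5", "10.0.0.20", 443, 1200),
    ("2012-10-13T10:00", "10.0.0.5", "10.0.0.20", 443, 1350),
    ("2012-10-14T09:30", "10.0.0.5", "10.0.0.20", 443, 1100),
    ("2012-10-14T11:00", "10.0.0.5", "10.0.0.21", 53, 80),
    ("2012-10-15T09:00", "10.0.0.5", "10.0.0.21", 53, 95),
    ("2012-10-15T09:10", "10.0.0.5", "10.0.0.21", 53, 70),
]

TODAY = [
    ("2012-10-20T09:05", "10.0.0.5", "10.0.0.20", 443, 1250),    # within normal range
    ("2012-10-20T09:07", "10.0.0.5", "203.0.113.9", 4444, 512),  # port this host never used
    ("2012-10-20T09:09", "10.0.0.5", "10.0.0.21", 53, 60000),    # DNS far larger than usual
]


def build_baseline(flows):
    """Per (src, dst_port): the byte counts seen during the baseline window."""
    base = defaultdict(list)
    for _, src, _, port, nbytes in flows:
        base[(src, port)].append(nbytes)
    return base


def find_outliers(baseline, flows, z=3.0):
    """Return (timestamp, src, dst, port, reason) for flows that break the baseline.

    Two checks drawn from the talk: something never seen before for this host,
    and a volume that sits far outside what the host normally sends on that port.
    """
    alerts = []
    for ts, src, dst, port, nbytes in flows:
        hist = baseline.get((src, port))
        if hist is None:
            alerts.append((ts, src, dst, port, "port never seen for this host"))
            continue
        mu, sigma = mean(hist), pstdev(hist)
        # A constant history has sigma 0, so fall back to a plain multiple of the mean.
        deviant = nbytes > 3 * mu if sigma == 0 else abs(nbytes - mu) / sigma > z
        if deviant:
            alerts.append((ts, src, dst, port, f"volume {nbytes}B vs baseline mean {mu:.0f}B"))
    return alerts


if __name__ == "__main__":
    for alert in find_outliers(build_baseline(BASELINE_WEEK), TODAY):
        print(*alert)
```

The same two functions work unchanged on a longer baseline window; the z threshold is the only tuning knob.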
Hardware Backdooring is Practical: This was definitely my favourite presentation this year; it outlined so many awesome ideas that I had not previously considered that it was quite mind blowing, to be honest. Basically a backdoor was created that was permanent and persistent; stealthy, in that no malicious code is used; portable, in that the OS does not matter as this is done at the hardware level; remotely accessible and updatable, with updates pulled down from external locations; and plausibly deniable, as the code was all legitimate open source code. It would download a payload over HTTP/HTTPS, avoiding network perimeter defences such as corporate firewalls/IDS by potentially making use of WiFi to a nearby attacker. It was also redundant: the backdoor would be stored in multiple locations, making removal difficult, as it could live on the network card as well as on other PCI devices, meaning that unless you flash everything at once you could still be vulnerable. The backdoor would be very hard to detect, as traditional antivirus would be basically useless, since it scans disk and this is not where the backdoor is stored; operations also take place before OS boot, such as kernel patching, meaning that observing memory is useless too, as any contents in RAM would appear to be legitimate code.
It was found that over 200 Intel architecture motherboards are capable of being infected by this; this is not really a vulnerability but rather bad legacy design kept for backward compatibility. The key message was that unless you control the hardware manufacturing process, closed source firmware should be questioned, and hardware should be flashed on receipt with open source firmware that you can verify. Obviously the majority of people aren’t going to actually do this, so if the manufacturing process is compromised somewhere along the way and is providing rootkitted hardware, there isn’t much you can do about it. Basically, if you purchase hardware over the Internet, for example, it is possible that the seller has already placed a rootkit on it.
Operation Damara: This presentation was given by Alex Tilley from the Australian Federal Police (AFP), and having seen his presentations the previous two years I was keen to see what he would be discussing this year. The presentation covered Operation Damara, which was the investigation into the hacker known as “evil”. This hacker was basically going around blowing up whatever he could get his hands on to try and make his mark, and caused large data loss for a web hosting company known as Distribute.IT. Shortly after the incident Distribute.IT was bought out by another Australian web host, Netregistry. The presentation mostly covered the lessons learned from a web host that lost almost everything.
The key point was to make sure that you practise disaster recovery. It sounds obvious, and you may even have backup methods already in place, but until you attempt to restore all required data and see what happens if you fail over various parts of the infrastructure, you will never know for certain whether any of your plans will amount to anything. It sounded like a lot of the issues in the aftermath of the attack may have been the host’s own fault; however, this was not confirmed. General advice was given to make sure you get sleep while trying to deal with a crisis like this in order to avoid making simple mistakes and breaking things further; the fact that this was mentioned made me consider that perhaps some of the damage may have been self inflicted. The process of how the AFP and other organizations work together to investigate different types of cyber crime was also outlined, and that was quite interesting.
Capture the flag
The capture the flag (CTF) event is basically a hacking game, where various challenges have been set up for participants to try and break in order to find a token, which is basically a string submitted for points. Different challenges included SQL injection, reverse engineering, network attacks, Unix insecurities and many more problems to solve. You can play alone or as a team. Points on tokens are shared among all users that complete the challenge, meaning that easy challenges will not be worth many points because many people will have solved them, thereby distributing the points out to all that have solved the challenge. This also means that skilled players who got tokens no one else had were rewarded with large numbers of points.
The CTF basically has its own wireless network which you join in order to find the challenges that are hosted on the network. There was also the option of using a wired network, which at first only someone from our team was using.
This soon changed once people realized one of the challenges involved a timing attack, and the wifi eventually proved difficult for some users when performing this attack.
The CTF kicked off at 1pm on Saturday, and initially my two friends and I were playing alone; however, we quickly joined together to become a team under my friend’s username “vadium”. I solved a handful of challenges but make no mistake, the majority of the hard work was all vadium. The ones that I did solve were fun and challenging, and I can definitely say I learned some useful things.
After day 1 of presentations the CTF was actually transported a few blocks away to the location of the Saturday night after party. This was pretty cool and allowed people to continue playing the CTF while partaking of delicious alcohol.
Needless to say there were many drink vs laptop near misses.
They actually set up the scoreboard near the bar.
The CTF was set to end at 3pm on Sunday; however, it ended up going until about 5pm as everyone was into it, trying to get some last minute points.
I don’t have an image of the final scoreboard at the end of the CTF; however, trainhack came first, and these were the guys that presented on the reverse engineering of a mass transit ticketing system mentioned previously. The prize for first place was an Asus Transformer – I’m not sure how well that splits between 4 people. My two friends and I, playing as vadium, ended up coming third this year; I believe vadium was third in 2011 as well and second in 2010. Hopefully before next year I learn some more skills to contribute more towards first place.
Lock picking workshop
During the lunch breaks they once again ran the lock picking workshop: basically a ton of locks and lock picking tools are provided and you just try to pick the locks. This is interesting as it relates to physical security challenges rather than computer security. People of all skill levels are welcome and there are people around to show you the basics in order to get going.
This year two guys tied in the lock picking competition, where basically they pick locks within a time limit and the locks are worth points based on their difficulty. It was decided that a winner would be chosen based on who could break dance the best. Not long after this was deemed a failure, the two were handcuffed together and the winner would be the first one to get out of them. In less than a minute one of the guys had broken free and won.
Ruxcon 2012 was great and appears to grow and get better each year. I saw a number of interesting presentations and demonstrations which made me think about many different security aspects I had not previously considered, and which showed me I have a lot more to learn. I played in the capture the flag, applying security and penetration testing skills to realistic scenarios, which was awesome fun. I met some cool people, mostly at the two after parties on Saturday and Sunday nights, and of course there was a massive bar tab, which is always a plus.
Most of the slides from Ruxcon are up on the site and are full of more information if you missed the presentations, and there are also videos of the presentations posted on the Ruxcon YouTube channel.