After a two-year absence due to unavoidable other obligations like good friends’ weddings, I finally made it back to one of my favorite hacker conferences, Toorcon. San Diego is always beautiful when I happen to be there, with nice weather and a cool mix of people, both locals and visitors who are there for the conference, and this year was no exception.
On Friday night I only made it through about half of the reception and didn’t make it to the party that evening as about the time the reception started I was going on about 40 hours without any sleep. Lately I’ve been going to bed about 5 in the morning and I had to be at the airport to catch my flight at 6:30 AM, so I just didn’t sleep Thursday night at all. I attempted to get some sleep on the plane flight in but every time I would start to doze off the plane would hit some turbulence and wake me back up. Anyhow, I crashed out early on Friday night.
Saturday was a good day at the conference with many excellent lectures. I got to catch up with some folks I hadn’t seen in a while since I had missed the last two ToorCons as well as others who I had seen as recently as BlackHat and DEFCON. The Microsoft sponsored party Saturday night was good, I had a number of great conversations and even had a chance to dance a bit. After the party a lot of people went back to h1kari’s room at Hotel Solamar to hang out and chat and of course drink more. Good times.
Sunday was all turbo-talks at the conference followed by the closing remarks and then the ToorCon afterparty. I only saw a couple of talks but the ones I did see were good. After the closing remarks a few of us had a quick bite at a sports bar in the same hotel as the after party and then headed up to that. Similar to the parties the previous night I met a number of interesting new people and had some good conversations. Hopefully I’ll see many of these people again soon at other conferences or back again next year at ToorCon 13.
Below are my thoughts on some of the lectures I was able to attend:
Real Men Carry Pink Pagers – Travis Goodspeed & Michael Ossmann
While I had been following this research for a while and saw an earlier talk covering some of the subject material given by Travis at REcon, this talk was full of interesting information and was quite entertaining with Travis and Michael constantly referring to certain types of people as quiche-eaters and showing some rather funny marketing videos from the manufacturer of the IMMe.
This talk came at the subject from a slightly different direction than the talk I had seen before and had more information deriving from Travis’s more recent advancements as well as material contributed by Michael. They covered how, although the radio chip in the IMMe is fixed hardware, it’s about as close as you’re going to get to a software radio due to how flexible and configurable it is. The radio itself is entirely capable of using a wide range of frequencies other than the few that the manufacturer used for its purpose as a communications toy for girls. Beyond even that, you can configure the radio’s packet structure so that it can be made to talk to a wide range of devices, even devices that don’t share the type of radio chip used in the IMMe. If you want to work with this device’s radio on very specific frequencies, TI’s SmartRF Studio is extremely useful and will save you a lot of time. However, if you want to write an application that employs frequency hopping, or monitors multiple frequencies at once like Michael’s spectrum analyzer that he wrote for the device, SmartRF Studio isn’t quite adept at those things, so you’ll want to roll your own or email Travis or Michael for some pointers.
Some interesting tidbits of information that came from the spectrum analyzer project are that some consumer two-way radios that they analyzed, while having 14 “channels”, really only used two distinct frequencies to cover those channels: one frequency for the lower 7 and one for the upper 7. They speculated that something in the transmitted radio packet indicates which of the 7 channels assigned to a given frequency is in use, and the radio simply squelches any packets received for the channels it’s not tuned to. Because only two frequencies are employed, it is quite easy to monitor or jam the devices, as you can observe or affect 7 channels simultaneously.
Another interesting use they had made of the device was observing and replaying garage door opening codes, and they showed a video of this working.
Travis and Michael then talked about some RF devices used for instant feedback and polling which are becoming popular on many university campuses. Apparently they use these to take attendance, and to do instant polling during lectures. The application that they developed to attack these is essentially a monitor to see in real time what answers other devices around you are responding with before you choose your own answer (:
The guys finished up showing Travis’s new case mod for the IMMe, which accommodates an opening in the side of the device for an internal GoodFET interface that has a Mini USB Type B socket rather than the older GoodFET USB Type A plug; they gave out a number of these boards at the end of the talk. I already have a GoodFET, however I also own an IMMe so I went ahead and grabbed a board so that I can duplicate the case mod and make it much easier to reprogram. They also briefly touched on a Zombie game that they are developing for the device which is to be debuted at the next CCC, so now I have even more incentive to make it out to the next one… I love multi-player games, especially when they involve hardware or gadgets (:
All in all an extremely informative and entertaining lecture. So cool… So connected.
Exploiting SCADA Systems – Jeremy Brown
I only got to see the first bit of this talk as about 20 minutes into it I got a phone call and had to duck out of the talk to answer. Jeremy started off by noting how poor security is on many SCADA systems, as many of them run services that you can interface with without any authentication at all; they’re just wide open services that you can have perform actions for you. Jeremy then went through an amusing story about attempting to disclose a vulnerability to a SCADA vendor who seemed fairly clueless regarding security, what a vulnerability is, whether or not it could be leveraged to do anything, etc. He then went into some tips for managing the vulnerability disclosure process, which seemed like he was getting off-topic a bit, and that was the point at which I had to duck out.
Advanced AIX Heap Overflow Methods – Tim Shelton
I had already seen most of this talk on video from Black Hat earlier this year but I wanted to catch the rest and Tim is a friend so I figured as a last resort I could heckle him a bit if things got too boring (: Things didn’t get boring because he started off the talk drinking and was dipping the entire time, which got quite amusing toward the end of the talk after he’d gone through about half a bottle of liquor (:
As far as the content goes, Tim covered Litchfield’s previous research on the topic from 2005 and explained that technique for achieving code execution using heap corruption. This context is important because the second technique he detailed was his new research on the topic, and without an understanding of Litchfield’s previous research you might not understand how the two techniques differ and under what different process execution circumstances each is used.
In short, Litchfield’s previous research described a technique for abusing heap corruption involving the rightmost() function when memory is allocated and then followed by a free(). Tim’s new technique is a way to abuse heap corruption involving the leftmost() function when memory is allocated and then followed by another memory allocation. In both cases, however, you’re overwriting 8 bytes beyond the end of a heap buffer and creating a fake heap frame in memory for the overwritten linked list pointers to point to, so without understanding the subtle differences it can seem like the same technique. All in all, it was some good research in an area that isn’t too well explored; it actually advances the current state of the art in that area and provides more options for anyone attempting exploitation against that platform.
How I Met Your Girlfriend – Samy Kamkar
This was a fairly entertaining talk that took the form of a case study in social engineering assisted by various and fairly interesting web application attacks and browser protocol abuse.
The web application attack scenario covered breaking down a site’s authentication cookie into components that could be guessed, harvested, or brute-forced, with the goal of bringing the amount of brute-force work within the realm of possibility. The example cookie broken down during the lecture contained components such as the user’s IP address, timestamps, etc.
The protocol abuse component covered some interesting properties of text-based protocols that use CRLFs as command or line delimiters. By abusing the properties of web forms and POST requests, an HTTP client like a browser can be made to connect to other services such as SMTP or IRC servers, which are usually lenient enough to ignore the HTTP request line and headers and only start processing once they receive commands they recognize. By using hidden form fields, a user that submits the form can have their browser subverted into connecting to a different remote server and issuing commands, such as sending an email or logging into an IRC server and sending a message. This behavior obviously gives up sensitive information that the attacker may not already have, such as the IP address of the connecting client, various HTTP headers, etc., some of which were used in the authentication cookie that was being broken down and attacked during the talk.
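The server-side behavior described above, as an added example that is not from the talk or this post: a toy line-oriented command reader fed a constructed browser-style POST. The lenient reader skips lines it does not recognize and so reaches the form-field commands; the hardened reader drops the session at the first HTTP verb, which is what Postfix’s smtpd_forbidden_commands setting (default CONNECT GET POST) does for real SMTP servers. Hostnames and addresses are constructed placeholders.

```python
# Added example: why a lenient CRLF-delimited command parser can be driven by a
# browser POST, and the check that stops it. All data below is constructed.

# Commands a toy SMTP-like server understands; anything else is "unrecognised".
KNOWN_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}
# HTTP request verbs that never legitimately open an SMTP conversation.
HTTP_VERBS = {"GET", "POST", "PUT", "HEAD", "CONNECT", "OPTIONS"}

# Constructed bytes as a browser would send them when a hidden-field form is
# submitted to a non-HTTP port: request line, headers, blank line, form data.
CONSTRUCTED_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"HELO browser\r\n"
    b"MAIL FROM:<a@example.test>\r\n"
    b"QUIT\r\n"
)


def _verb(line):
    """First whitespace-delimited token of a CRLF-delimited line, upper-cased."""
    return line.split(b" ", 1)[0].decode("ascii", "replace").upper()


def lenient_reader(stream):
    """Ignore unrecognised lines and act on the rest (the behaviour the talk relied on).

    Returns the list of commands the server would have accepted."""
    accepted = []
    for line in stream.split(b"\r\n"):
        if _verb(line) in KNOWN_COMMANDS:
            accepted.append(_verb(line))
    return accepted


def strict_reader(stream):
    """Hardened: an HTTP verb means the peer is a browser, not a mail client.

    Closes the session before any later command is processed."""
    accepted = []
    for line in stream.split(b"\r\n"):
        verb = _verb(line)
        if verb in HTTP_VERBS:
            break  # drop the connection; nothing after this line is read
        if verb in KNOWN_COMMANDS:
            accepted.append(verb)
    return accepted
```

Only the lenient reader reaches the HELO/MAIL/QUIT lines carried in the form body; the strict reader accepts nothing, because the very first line is an HTTP request line.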
Samy also covered a technique for geo-locating someone based on XSS combined with Google’s Street View tracking of WiFi access points by MAC address. By causing the victim’s browser to pull the MAC address from the internal side of the victim’s WiFi AP/router and then send it out to the attacker, the attacker can look the MAC up on Google to get a fairly accurate location of where that AP resides in the real world.
Overall this was an informative talk and Samy is an engaging and entertaining speaker. I look forward to more lectures from him in the future (:
The Carmen Sandiego Project – Don A. Bailey & Nick DePetrillo
I had missed this talk the last few times it was given for various reasons, so I was glad to finally catch this even though I was aware of the research Nick and Don were doing well before the first time they gave this talk. I am into phones, after all, and I know Nick fairly well so we had been discussing various things relating to this research for a while. It was good to finally see it all come together and actually be useful for the intended goal though (:
Nick and Don started off covering SS7 a bit, explaining how prevalent it is in the back-end cellular networks and how having access to it essentially gives you the keys to the kingdom to do whatever you want. However, access is fairly expensive, and if you’re abusing your access your peers will cut you off, as they actively detect bad actors in the community. Part of the point of bringing this up at the beginning was to set the frame that everything they describe doing throughout the rest of the lecture was done entirely with publicly available information and without any special access to data or systems such as SS7 devices.
After setting the stage, and identifying a few acronyms (yes, look this over now…), they first covered using CNAM and HLR information to ID and track someone via cellular tower switching of the person’s cellular devices. This essentially allowed them to somewhat granularly map MSC areas and where their boundaries are geographically. Then by using other data points for augmentation such as traffic cameras with publicly available video feeds, reversing flight information from times and dates where cellular devices disappeared and showed up again, and other data, a fairly detailed intelligence profile can be constructed about a given individual.
Watch Primer for Hackers – Nick DePetrillo
This was probably the talk that I found most entertaining of the entire conference, and describing it here won’t even do it justice. I’m sorry you weren’t there…
Autism and the Coevolutionary Imperative for Cyborgsurvivalism – Amber Lundy
This lecture was a LOT of information that was being compressed down to fit in a 20 minute turbo-talk. As such the presenter was rushed, but there was really no escaping that for the amount of material being presented. Honestly it went so fast that I wasn’t able to take notes, so it’s hard to write up a report here. If you have an opportunity to see the full length talk I would recommend it if you’re into this sort of thing, as I’m sure much more detail would be available than was given here, as this was somewhat high level due to the time constraint.
After this talk I spoke to Amber briefly to see if she perhaps had been subscribed to my Body Hacking email list and had just been a lurker, but she said she hadn’t heard of it so hopefully she’ll join as I feel she likely has a lot to contribute to the discussions there.