Matt Garret, Shitty Scooters

• Meta
  • Moved to replace Jess Frazelle
  • First X minutes explaining the economy of scooters
  • Notably, some look like they’re in Australia too
  • Moved into reversing the android app
  • Guy grepped for https:// in the app
  • Bunch of privacy violations
• Reversing a scoooter app (For Lime)
• Commercial scooter
  • Terrible one - GPS tracker / gear
  • Better ones have modems/controls
• First gen Lime scooters were getting people injured, allegedly
• What the app is
  • Shows you where the scooters are (With Identifiers, has a number on the scooter)
  • Lets you hire a scooter
  • When hired, scooter doesnt show on UI, but will tell you where it ends up when its finished
• What the API lets you do
  • Request the location of every scooter (6 digit ID, not a large keyspace)
  • Also lets you request where an in use scooter is, while hired
• Guy plots location of where the scooters are
  • They’re broadacasting when they’re manfactured and moved from factory to factory
  • Theres about 250k of them
• Theres other shitty scooter places, go figure
  • Vendor called ‘spin’, sold to Ford
  • Not really on the internet, just bluetooth to phones and forwards data via that
  • Could have used TOTP, or anything shitty
  • you send a series of bytes to them and they unlock
  • The scooter can’t call home without the app, its got no hardware to do so

Moloch & Mandatory, Cloud/BigData to pentest at scale

• Meta

  • “The slowest part of Amazon is the support”
  • github search ‘mandatoryprogrammer’ ‘intruder’
  • github search ‘mandatoryprogrammer’ ‘masscat’
  • github search ‘moloch–’ ‘big rainbow’

• People

  • Mandatory - @iammandatory (Matthew Brian)
    • Writer of XSSHunter
  • Moloch - @littlejoetables
    • BishopFox guy

• Burp intruder at PS

• Cloud rainbow tables

• Cost effective GPU clusters

• “Burp Intruder” at infinate QPS

  • (Burp proxy + replacement tags)
  • Limitations - Threaded model, single app, single computer
  • Use lambdas
  • Self invocating lambda with a big array of work
  • Their model just does a fan out
  • 1k/s lambda second execution

• Rainbow Tables

  • Stick it into google big query
  • generate the rainbow table, stick it into json blobs, put it into big query
  • optimisations - base64 it or better encoding
  • optimisations - truncate hash at 48bits (Collisions are not a huge concern)

• Auto-scaling GPU clusters

  • high upfront costs, etc
  • Spot instances, elasticbeanstalk, lambda functions, api gateway, sqs, s3
  • They give you a 2 minute warning before killing it
  • beanstalk gives you EC2 instances and routes messages on queue
  • “SpotPrice”

Slack/SDL

• Tl;dr
  • Slack read the checklist manifesto and believe that
    • Doctors who do checklists kill people 50% less
    • Airlines that do pre-flight checklists have less crashes
  • When you make a new thing, you hit a slack bot and it’ll create some tickets
  • The tickets ask you some questions, then give you checklists based on that output
  • The checklists seem to be mostly self-service and documentation
  • They automated out the checklist people and just log the results in Jira

Bruce Schniener

• Computers
  • “This is not a phone, this is a computer that makes calls”
  • “A car is a computer with 4 wheels and an engine” or “actually it’s 100 computers+ with wheels”
  • This is true at all scales (fridge to nuclear power plant)
• The Internet
  • Made on the assumption of security being addressed on the endpoint, rather than the internet itself
• Extensibility
  • Property we know, but the rest of the world doesnt know
  • We cant constrain the functionality of a computer-ised device
  • This is why Fridges can sent spam
  • Installing malware on a device is just adding functionality/features
• Complexity
  • Attack is easier than Defence
  • Attackers can choose the attack, and its conditions
  • “Complexity is the worst enemy of security”
• Interconnections
  • We have vulnerabilities in connected systems
  • Bugs in component A can effect component B
  • Vegas, high roller DB got stoled via internet connected fishtank
  • “You can have an insecurity in the intersect of two secure systems”
• Expertise
  • Goes downhill
  • NSA -> PhD thesis -> HackerTools
  • e.g. Stingray devices
• Changes
  • Computers are being used differently
  • Automation and Physical Agency
  • Theres real risk to life
  • Availability attacks against systems with physical agency is scary
    • i.e. turn off car steering systems (availability), and now you hit a tree/die
  • “Theres a fundamental difference between your office product crashing and you losing your software, and your pacemaker crashing and you lose your life”
    • “this could be the same CPU even”
• Failures
  • Patching
    • Phones are secure-ish because of initial engineering
    • and because those engineers also write and propogate patches ASAP
    • (This costs a pile of money, but on low cost devices this doesnt happen, ie, fishtanks)
    • How you patch a router, is by throwing it in the bin
      • This is a pretty good system, new devices are sometimes more secure
    • “we dont know how to write secure software, so we are agile about patching”
    • “There is a reason microsoft bin their older stuff, its hard to keep secure”
    • We cant do that for our cars, they depreciate at different rates
    • We don’t know how to do patches at scale for these fringe devices
  • Authentication
    • We know how to do person-to-thing/service auth
    • We dodn’t know how to do thing-to-thing authentication
      • i.e. Car auth to emergency broadcast system
    • We know how to do person-to-thing/service auth
    • We can do bluetooth comms from phones to cars, but we do that manually
    • Manually doing shit is really hard
    • Smartphones have become the smarthome controller / auth set-up thingy
    • again, this is manual and won’t scale past a handful of devices
  • Supply Chain problem
    • “Where are the chips made”
    • We find backdoors in F5s and Dlink all the time
    • 2003 - Barely avoided a shitty backdoor in linux
    • Cisco gear being modified by NSA dudes on the way to foreign Telcos
• Choices
  • “security vs security” tradeoff
    • We secure all stuff, or we secure none of this
    • We all get to spy, or none of us do
• Promising stuff
  • give the router some smarts
    • Manufacturer usage descriptions
    • you buy a fridge, it connects to the internet, the router gets a signed list of things the fridge can do
    • if the fridge starts doing weird stuff, it blocks it
    • Meta - this is either Senrio or a shitty IPS, it’ll probably suck
• Problem is “lack of tech adoption ideas”
  • Equifax happened, you weather the press storm and it’ll be fine
• Regulation is the only way
  • Nothing got better without it
  • The market doesnt reward security
  • The market rewards least viable security in a product
  • “If we want better we need to force the market to do better”
• What we (the room) can do
  • “we technologists need to be involved in policy”
  • “We need to build a career path for public technology security to policy people”

DHCP is hard

• Meta
  • Missed the first 15 minutes
  • Looks like they’re finding memory corruption in DHCP clients
  • Moved into looking at CVE-2018-5733 / ISC DHCP Client
    • Reckons its Reliable RCE
  • Lots of different clients, some rely on bash scripts/hooks
• NetworkManager helpers vs dhclient
  • Fedora dudes made dispatcher.d hooks, which translates hooks for you
  • This thing is a big eval block (dynoroot)
  • Triggering - WPAD Option 252 `foo' & touch /tmp/test123'
  • Works on every Redhat/centos system for the last 5 years
• Systemd / networkd
  • used on RHEL/Ubuntu
  • no dependancies on external DHCP clients
  • Modern C / Clean rewrite/no historical baggage
  • Bugs in IPv6 side, even if not enabled (CVE-2018-15688)
• Conclusion
  • DHCP is hard
  • no one uses ipv6 but everything supports it
  • backwards compatability increases attack surface
  • please dont write new network daemons in C

“Backdooring with Service Workers”

• Meta
  • Emmanuel Law
  • Claudio Contin
• Mitigations are making things hard…ish
  • HTTP-Only Flags
  • Cookies have limited server-side lifespan
  • Transient Payload
  • IP restrictions
  • Service workers can help address these
• Service Workers (SW)
  • JS browser runs in the background
  • Are not tied to the tab, and will keep running after you close it
  • No user magic needed to get it to work
  • e.g. Gmail, composing email - You lose internet access
    • Web app still runs as if it was connected to the internet
    • Service worker ends up syncing things for you automatically
• Spinning one up
  • We need XSS, and to point to a JS File (On same origin)
  • `navigator.serviceWorker.register('/sw.js')
• Primatives provided
  • Fetch()
    • Web requests, no XMLHTTPRequest (Deprecated in 2015)
    • Bounded to Same Origin Policy
  • Background Sync
    • Intended for offline capabilities
    • 2 step process, Register a Sync and Listen for Sync event
    • Problems - You cant control callback interval, or for how long
    • You spin up multiple ones with offset startups, so now you have better coverage
    • Get these to register new ones before they close for persistence
  • Push notifications
    • Notification API
• End Result
  • Guy uses Service Workers to re-implement BeeF pivot via victim browsers
• Mitigations
  • CSP / NOXSS
  • Disallow JS Upload
  • Text/plain
  • TODO - Others?
• SW outlives XSS
  • Fixing XSS isnt enough
  • Removing the service worker file alone isnt enough
  • You need to unregister them from server side
• Summary
  • SW - Provides Persistent Access
  • Still being designed and implemented
• None of this works in IE, as it doesn’t support them
  • Edge kind of supports it, barely

Mubix - “Living without the land”

• Tl;dr
  • Tl;dr - Pull stuff out of LDAP and use it to your advantage
  • Released a tool, LDAP-WAT - LDAP windows attack toolkit
  • You can add a host as a DC, then dcsync that
  • Did this tool ever come out? I don’t see it
• Meta
  • Check out ADRecon made by some other guy that Mubix was going to use
  • Written in PowerShell
  • Lots of Bill Murray things that I don’t care about
  • LDAPSearch sucks, presumably this guy wrote a new tool or something
• No Slides
• PowerShell now has a pile of logging
  • “It was cool when it was version 2 and had no logging”
  • Microsoft had the big play of getting offense to use and rely on PowerShell
  • What about when you use a linux box that isn’t a domain joined machine
• ldapsearch is rubbish, the doco is rubbish and everything about it is rubbish
• “Add new DC with Domain Join Accoint”
  • You can join a machine and sepcify the properties of the box as it joins
  • This includes adding a box as a Domain Controller
  • Caveat - Too many attributes gives you an access denied, but the DC flag alone will work