Wednesday, 4 August 2010
Some Highlights of Defcon 18
Hey everyone, my name is Clint Gibler and I'm an intern at Fortify for the summer. I had the opportunity to attend Defcon 18 and thought I'd mention a few neat presentations I saw. There were many good presentations I'm not going to cover, but you can review them yourself here.
Perspectives on Cyber Security and Cyber Warfare and Of Bytes and Bullets
There were several panels about cyber warfare and cyber crime. The following people participated in the talks listed above:
- Max Kelly, former CSO of Facebook
- Jeffrey Carr, author of "Inside Cyber Warfare: Mapping the Cyber Underworld"
- Robert Knake, author of "Cyber War: The Next Threat to National Security and What to Do About It"
- Joseph Menn, author of "Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet"
- Robert Vamosi, author of "When Gadgets Betray Us: What We Don't Understand About the Everyday Gadgets We Use and How That Puts Us At Risk"
Some takeaways:
- It's unlikely that there will be an attack that takes a large portion of the internet offline, because the internet is a valuable asset that attackers don't want to lose. Attacks will probably focus on causing localized network problems.
- The military tends to defend computers like they are buildings - (fire)walls, access control, restricting information flow.
- The Russian government sponsors some Russian mafia hackers.
  - It uses their technical abilities for attacking other nations, political rivals, etc.
  - This gives the government deniability for actions taken.
  - "Russian mafia doesn't do anything not blessed by the Kremlin." -one of the speakers
- Over 100 nations are starting cyber warrior programs.
- Recently declassified U.S. military cyber doctrine indicates desire for offensive superiority.
- Historically, when nations sought offensive superiority there tended to be more wars.
- One panelist recommends further research into cyber deterrence.
- "The Chinese Cyber Army - An Archaeological Study from 2001 to 2010" talk was cancelled at the last minute for mysterious reasons.
Kim Jong-Il and Me: How to Build a Cyber Army to Defeat the U.S. by Charlie Miller
Charlie Miller is a well-known computer security researcher, known among other things for exploiting Apple products. In this talk Charlie described what his process would be if he were kidnapped by a foreign government and forced to develop a cyber army. The talk was insightful and high level enough that someone with average security knowledge could grasp nearly all of it. This was one of my favorite talks; I recommend watching it online later if you missed it. Some takeaways:
- Charlie's proposed army requires a budget of ~$49 million a year (less than the U.S. currently spends on cyber security) and is composed of ~600 people.
- The army would be composed of the following roles: bug finders, exploit developers, bot obtainers, bot maintainers, penetration testers, remote personnel, developers, technical consultants, and system administrators.
- Bots and human agents would be geographically distributed.
- A country can't protect itself by filtering packets from the outside when there are already both bots and agents inside.
- He would develop several different bot software instances so that an AV signature or vulnerability of one type would not impact the others.
- After 2 years from inception, Charlie expects his army would have some foothold into almost every desired network - financial institutions, power grid, government agencies, etc. He also projected that his botnet would be composed of around 500 million computers by this point.
- Final message: Not much defense is possible against attackers with enough dedication, patience and skill.
Mastering the Nmap Scripting Engine by Fyodor and David Fifield
Nmap is a free and open source utility for network exploration or security auditing. I'll let them describe NSE: "Nmap's high-speed networking engine can now spider web sites for SQL injection vulnerabilities, brute-force crack and query MSRPC services, find open proxies, and more."
- They had a number of Windows-specific scripts they needed to test. However, they didn't have any Windows VMs, so...
- Fyodor scanned Microsoft's 1 million IP range and found ~75k hosts.
- The scan took about 26 hours. (That's roughly 10 IPs scanned per second, for those counting.)
- Fyodor showed some funny host configurations found and was able to enumerate the user accounts on certain machines. (with comic results)
- Lastly, David wrote a script live that found a web server running on his computer at home, behind a NAT.
- The script was only 30 lines or so (of Lua), demonstrating the power and customizability of NSE.
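To give a sense of what a short NSE script looks like, here is an added example written for this post; it is not the script David wrote live and is not part of Nmap itself. It runs against any port Nmap identifies as HTTP, reports the Server header, and (optionally) flags hosts whose front page contains a string you supply, which is one way to spot your own web server among many hosts. The file name `http-server-banner.nse` and the script argument `http-server-banner.match` are names chosen here, and the script assumes a reasonably current Nmap with the `http`, `shortport` and `stdnse` libraries.

```lua
-- http-server-banner.nse (hypothetical file name; added example, not from the talk)
-- Reports the HTTP Server header on each web port and optionally flags hosts
-- whose root page contains a string passed via --script-args.

description = [[
Fetches the root page of each HTTP service and reports the Server header.
If the script argument http-server-banner.match is given, the host is also
flagged when that string appears in the response body.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- Run only against ports Nmap has identified (or conventionally treats) as HTTP,
-- so the script stays quiet on everything else.
portrule = shortport.http

-- Optional substring to look for in the page body (assumed argument name), e.g. a
-- page title that only your own server uses:
--   --script-args http-server-banner.match="My Home Server"
local match_arg = stdnse.get_script_args("http-server-banner.match")

action = function(host, port)
  -- One GET for "/"; the http library handles connection setup and parsing.
  local response = http.get(host, port, "/")
  if not response or not response.status then
    return nil  -- no HTTP response: return nothing, as discovery scripts usually do
  end

  local output = stdnse.output_table()
  output.status = response.status
  -- The http library lowercases header names before storing them.
  output.server = (response.header and response.header["server"]) or "(no Server header)"

  -- Plain (non-pattern) substring search so the argument needs no escaping.
  if match_arg and response.body and string.find(response.body, match_arg, 1, true) then
    output.matched = match_arg
  end

  return output
end
```

Run it with something like `nmap -p 80,443,8080 --script ./http-server-banner.nse --script-args http-server-banner.match="My Home Server" <target range>`. Like any scan, point it only at networks you are authorized to test; the "safe" category only means the script itself is non-intrusive, not that scanning someone else's range is.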
Black Ops of Fundamental Defense: Web Edition by Dan Kaminsky
Dan Kaminsky is well known for having found the critical DNS cache-poisoning vulnerability in 2008. This year Dan talked about the benefits of and some recent work in DNSSEC.
- Dan spent most of the talk speaking about applications of DNSSEC and integrating it into current systems in a way that minimizes migration pains.
- He demonstrated the ability to do cross-domain authentication using the infrastructure provided by DNSSEC:
- e.g. ssh dan@recursion admin@client.example.com
- Very rough paraphrase: "You often hear at places like Defcon and other security venues that users are stupid and are the weak link in the security chain. I disagree. They asked us for secure products and we have failed them. We gave them new ways to communicate, like email, but we have failed at preventing spam and phishing attacks. We gave them complicated solutions like PKI..."
- He gave an excellent layman's description of public key cryptography:
- "It's easy to recognize someone else's face, and it's hard to squish your face to look like someone else's."
- Blaming the user is a cop-out that lets us avoid designing systems that are both easy to use and secure.
- "When you receive an email from the bank, someday soon, you will know it came from the bank."
Exploits Demo'd
Every year at Defcon there's at least one presentation about how a widely used product, API, operating system or something else electronic was hacked in some way. Here are two notable ones from this year:
- Jackpotting Automated Teller Machines Redux by Barnaby Jack
- Practical Cellphone Spying by Chris Paget
All of the presenter slides, videos of the talks and sometimes released tools will be available online from the Defcon website in a few weeks. Until then, you can read the talk descriptions here.