Paranoid Penguin - DEFCON: One Penguin's Annual Odyssey
Last month, I wrote a case study on Linux desktop system hardening, in the form of a step-by-step walk-through of how I prepared my Ubuntu laptop for DEFCON 17, the annual hackers' convention in Las Vegas that features one of the world's most hostile public wireless LANs. Well, you'll be happy and perhaps surprised to learn that my laptop came through unscathed.
But, you may wonder, was Mick exposed to cutting-edge developments in information security? Did he get invited to any elite skybox parties? And, doesn't this sort of reporting normally belong on a blog instead of languishing for a few months through the lengthy print process to which magazines are subject?
I'll answer the last question first. In the past, I've covered DEFCON on LinuxJournal.com under my hacker pseudonym Darth Elmo. (No, I'm no more scary as a hacker than my handle implies, although I'm working on it.) But this time, I thought it might be interesting to cover DEFCON, which really is one of the most important annual events in my field, in a little more depth. I wanted not merely to report on DEFCON, but also to touch just a bit on some ongoing paradoxes and conflicts in information security that always seem to leap out at me at DEFCON.
In short, I wanted to write a DEFCON article that people still would find relevant and interesting a few months after the actual event. You be the judge!
DEFCON, in case you aren't familiar with it, is an annual conference for the “security underground” held by Jeff Moss, aka The Dark Tangent (aided by scores of volunteers) in Las Vegas, Nevada, every summer since 1993 in late July or early August. It's run for and by self-identified “hackers”, which is to say, technology's more creatively minded researchers, problem solvers and boundary pushers.
The term hacker, of course, has a lot of baggage. In mainstream English usage, it typically means “computer criminal”. However, in the original meaning of the term, hackers are simply people who explore the limits of what is possible in computer systems, networks and other complex systems. Hackers are technologists who are driven to understand the full truth of what a given network, software application, device or operating system is really capable of doing (or being made to do), regardless of what its manuals, specifications or even its creators say.
Penetration testing, the art of breaking into systems or networks in order to document and demonstrate their various vulnerabilities, is one of the most visible and interesting applications of that kind of exploration, although it represents only a subset of what hacking is about. But penetration testing, and the skills involved in its practice, is somewhat problematic. Some hackers can and do cave in to the temptation to use their skills illegally or unethically, and even those who don't tend to be treated with suspicion by more conventionally minded IT professionals (not to mention law-enforcement representatives).
DEFCON has represented, for nearly two decades, an attempt to build some sort of understanding between the hacker community (in the broadest sense), law enforcement and the IT professions (certainly IT security). It isn't the oldest hacker conference, but according to longtime DEFCON insider Dead Addict, it probably was the first hacker convention to invite law-enforcement representatives and journalists to attend deliberately, and to encourage them to give presentations too.
In this column, I discuss my own perspective on DEFCON. DEFCON has changed a lot even just in the eight years I've been going (and even more over the past 16), but in my opinion, it remains the single-most important event in my profession, imperfect though it unquestionably is.
To start off, a bit of reporting is in order. At DEFCON, you really can't discuss culture separately from technology, since the whole point of the exercise is to celebrate their convergence. Furthermore, as always, I saw some very cool and interesting things.
In “Is Your iPhone Pwned?”, Kevin Mahaffey, John Hering and Anthony Lineberry (whom I interviewed in the August 2009 issue) described a WAP push attack that, although easily detected and traced by carriers, can be used to open arbitrary links and windows on mobile browsers. They gave an excellent overview of mobile device security, highlighting difficulties caused by incompatibilities between different providers' implementations of mobile platforms and devices.
Moxie Marlinspike, in his talk “More Tricks for Defeating SSL”, described a new “null prefix” attack that can be used to create fraudulent certificate signing requests (CSRs) that could result in attackers obtaining legitimately signed certificates for domains they don't own. Moxie's talk created a lot of buzz, and at least two other presentations referred to his work, including Dan Kaminsky's and Sam Bowne's.
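To make the null prefix problem concrete, here is an added illustration (my own example code, not anything from Moxie's talk or tools): the Common Name in an X.509 certificate is a length-prefixed string, so it may legally contain a 0x00 byte, and a validator that copies it into a C string stops at that byte, while an issuer that checks only the trailing domain sees something else entirely. The sample CN, the hostnames and the simplified issuer model are constructed for illustration.

```python
# Added example, not code from the column: two readings of a certificate
# Common Name that contains a NUL byte, and the check that rejects it.
# X.509 names are length-prefixed, so a CN may legally carry 0x00; a consumer
# that copies it into a C string stops at that byte. SAMPLE_CN is constructed.

# Constructed sample: a DV issuer that validates the trailing domain would
# check mallory.example, while a C-string consumer sees only www.bank.example.
SAMPLE_CN = b"www.bank.example\x00.mallory.example"

def c_string_view(cn: bytes) -> str:
    """What a strcmp()-style consumer sees: the bytes before the first NUL."""
    end = cn.find(b"\x00")
    return (cn if end < 0 else cn[:end]).decode("ascii", "replace")

def issuer_view(cn: bytes) -> str:
    """Simplified model of a DV issuer that validates only the registrable
    domain at the end of the full, length-prefixed name."""
    labels = cn.decode("ascii", "replace").split(".")
    return ".".join(labels[-2:])

def naive_match(cn: bytes, requested_host: str) -> bool:
    """Vulnerable comparison: treats the length-prefixed string as a C string."""
    return c_string_view(cn) == requested_host

def strict_match(cn: bytes, requested_host: str) -> bool:
    """Hardened comparison: the whole string must be a clean hostname and match."""
    if b"\x00" in cn:
        return False           # an embedded NUL is never a legitimate hostname
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not name or not all(c.isalnum() or c in "-." for c in name):
        return False
    return name.lower() == requested_host.lower()

def audit(cn: bytes, requested_host: str) -> dict:
    """Summarise how each consumer reads the name for a given requested host."""
    return {
        "c_string_sees": c_string_view(cn),
        "issuer_validates": issuer_view(cn),
        "naive_accepts": naive_match(cn, requested_host),
        "strict_accepts": strict_match(cn, requested_host),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CN, "www.bank.example").items():
        print(f"{key}: {value}")
```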
Moxie is also author of the SSLstrip tool, which is sort of an HTTPS-to-HTTP proxy that can be used to capture SSL-encrypted data via man-in-the-middle attacks. He had presented on SSLstrip just a few days earlier at Black Hat Briefings 2009, a large commercial security conference that always precedes DEFCON. Sam Bowne gave a chilling but engaging demonstration of SSLstrip in his presentation “Hijacking Web 2.0 Sites with SSLstrip”, also demonstrating Rsnake's “Slowloris” tool for denial-of-service-attacking Apache Web servers.
While we're on the topic of SSL attacks, Mike Zusman gave a talk called “Criminal Charges Are Not Pursued: Hacking PKI”, in which he demonstrated a way to use ordinary Domain Validation (DV) SSL certificates in man-in-the-middle (MitM) attacks against sites that use Extended Validation (EV) certificates. It was easy to see how Zusman's attack could be combined with SSLstrip and the null prefix attack.
As you can see, man-in-the-middle attacks against SSL were a very hot topic at DEFCON 17. At this point you may be wondering, “oh great screaming goats, can I ever use eBay safely again?” The good news is, yes, probably.
MitM attacks work only when attackers can insert themselves logically upstream of the victim and downstream of the Web site the victim is trying to reach. In some contexts, this is relatively easy—on a public Ethernet, like at a hotel or on some kinds of Wi-Fi hotspots (never mind exactly how for right now, although I may write a future column on ARP spoofing). But the chances of someone doing this on your home DSL network or at your workplace are probably fairly slim.
Still, I hope this cluster of presentation topics serves as a wake-up call to Web developers who mix clear text (HTTP) and encrypted (HTTPS) content, which makes this sort of attack much harder for end users to detect, and to Certificate Authorities who need to figure out better ways of screening certificate signing requests.
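For Web developers who want to check their own pages for the HTTP/HTTPS mixing described above, here is an added example (my own code, not a tool from any of the presentations): it parses a page that was served over HTTPS and flags sub-resources and form targets that point at clear-text http:// URLs. The sample HTML and hostnames are constructed.

```python
# Added example, not code from the column: flag clear-text (http://) sub-resources
# and form targets inside a page that was served over HTTPS. These mixtures are
# what let an HTTPS-to-HTTP downgrade pass unnoticed by users. SAMPLE_HTML is
# constructed for illustration.
from html.parser import HTMLParser
from typing import List, Tuple

# Tag -> attributes whose value loads a resource or submits a form.
URL_ATTRS = {"script": ("src",), "img": ("src",), "link": ("href",),
             "iframe": ("src",), "form": ("action",), "object": ("data",)}

class MixedContentFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []   # (tag, attr, url)

    def handle_starttag(self, tag, attrs) -> None:
        # html.parser lowercases tag and attribute names for us.
        for wanted in URL_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value and value.lower().startswith("http://"):
                    self.findings.append((tag, name, value))

def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    """Return every (tag, attribute, url) that would fetch or post over clear text.
    Scheme-relative URLs (//host/path) inherit the page's scheme and are not flagged."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, assumed to have been served over HTTPS.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/analytics.js"></script></head>
<body><img src="//cdn.example/logo.png">
<form action="http://www.bank.example/login" method="post">
<input name="user"><input type="password" name="pw"></form>
<a href="http://www.bank.example/help">Help</a></body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"clear-text {tag} {attr}: {url}")
```

Plain `<a href="http://...">` links are deliberately not flagged here; they are not mixed content in themselves, though a login form reached through one is exactly what a downgrade proxy feeds on.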
It may, of course, simply be that somebody needs to figure out a better way of securing Web traffic than SSL (or TLS) as we know it. Even without attempting MitM attacks, phishers frequently are successful in luring users who don't even notice that their fake e-commerce and on-line banking look-alike sites lack any SSL at all. SSL and TLS represent an important enabling technology for making the WWW useful for shopping, banking and other sensitive transactions. We wouldn't be using the Web for those things today had it not been for SSL/TLS. But, it isn't at all certain whether SSL can evolve to address emerging threats satisfactorily.
As is so frequently the case with DEFCON, some of the best talks I attended weren't explicitly technical. In “The Year in Computer Crime Cases”, Jennifer Stisa Granick of the Electronic Frontier Foundation used two recent court cases to illustrate a rash of recent attempts to widen inappropriately the definition of “unauthorized access” in the US Computer Fraud and Abuse Act. Jason Scott, in his talk “That Awesome Time I Was Sued For Two Billion Dollars”, gave a breathtakingly profane and funny account of a spurious lawsuit filed against him over an electronic book archived on his site www.textfiles.com.
And, in a conference characterized by very large venues filled to capacity, Adam Savage of the TV show MythBusters really packed the house, giving an entertaining and inspiring account of the role of failure in his career. Savage, an expert in special effects and industrial design, may not be as obvious a candidate for speaking at a hacker conference as Ms Granick, a longtime legal advocate in criminal cases involving hackers, or Mr Scott, a noted hacker historian and archivist. But with his highly creative approach to problem solving and his eloquence and empathy in describing the challenges faced by everyone who works with complicated systems, Savage connected convincingly and resoundingly to the DEFCON crowd and received a very warm welcome (and a standing ovation).
I also saw good presentations on security challenges in cloud computing, techniques and patterns of stock-scam spammers, quirks of the credit reporting system and on Metasploit's new WMAP module for attacking Web applications. And, I was very pleased to attend a talk by my old friend and former employer Richard Thieme, hackerdom's most prominent cultural attaché.
Some of the presentations I attended weren't very good—sad to say, I even walked out on a couple. DEFCON always has been somewhat hit and miss with regard to consistency of presentation quality. But the good ones were very good, and they easily outnumbered the less-good ones. In all my years attending DEFCON, I've never felt it was a wasted trip. Besides, prematurely exiting one or two presentations is usually the only way I can find time to check out the DEFCON vendor area, which provides one-stop shopping for all your hacker-fashion, lockpicking and wireless hardware needs.