Hackbloc hacktivist collective - researching positive hacktivism

Defcon report back

Oh Vegas! What will I do without your blaring pop music, excessive displays of capitalism, flagrant sexism, and eco-cide around every corner? Vegas really shouldn't even exist; just the same, a few of us made it out there to experience all that is Defcon 19. Below are a few notes on some of the talks we thought were most relevant.

In SSL and the Future of Authenticity, Moxie (author of sslstrip and the x509 null-prefix attack) presented on some privacy concerns with current implementations of SSL and with the Certificate Authority system. The problem (as opposed to the one exploited by sslstrip, which MITMs a connection and redirects all https traffic to http) is that there is no good way for users or browsers to revoke their trust in a CA when they want to. As a result a hostile network manager can generate fake certs that trick your browser into connecting to a hostile server instead of your actual destination server (evidence of this here, here, and here). The solution Moxie proposes is to delegate the management of trust to trust service providers that run notary servers which report on whether a cert should be trusted. For example, riseup could run its own trust servers and you could assign them to vouch for certs on your behalf. This concept replaces the need for the CA system and is implemented by a suite called Convergence, which comes with a Firefox plugin. On the back end, the trust servers can implement their authenticity checks using DNSSEC, BGP data, or results from the EFF's SSL Observatory.
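To make the notary idea concrete, here is a small Python sketch of the client-side decision, added for this write-up; it is not code from the talk or from Convergence. The client fingerprints the certificate it received, asks the notaries *it* chose to trust what they saw for the same host, and accepts the cert only if enough of them agree. Dropping a notary from the trusted set is the whole revocation story. The notary names, the certificate bytes and the notary answers are all constructed for the example.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-1 hex digest of a DER-encoded certificate; this is what the
    notaries compare, so a swapped certificate has a different fingerprint."""
    return hashlib.sha1(cert_der).hexdigest()


# Constructed sample data (not real certificates): the certificate the client
# received, and the one an interposed server would present instead.
GENUINE_CERT = b"constructed DER bytes standing in for the genuine certificate"
INTERPOSED_CERT = b"constructed DER bytes standing in for a forged certificate"

# Constructed notary answers: what each hypothetical notary saw when it fetched
# the same host's certificate from its own network vantage point.
# None models a notary that could not be reached.
NOTARY_REPORTS = {
    "notary-a.example": fingerprint(GENUINE_CERT),
    "notary-b.example": fingerprint(GENUINE_CERT),
    "notary-c.example": None,
}


def verify(local_fp, reports, trusted, policy="majority"):
    """Decide whether the certificate the client saw should be trusted.

    local_fp: fingerprint of the certificate the client received.
    reports:  notary name -> fingerprint that notary observed (None = no answer).
    trusted:  the notaries this user chose to rely on. Trust agility lives
              here: removing a name revokes that notary immediately, with no
              CA or browser vendor involved.
    policy:   "majority" = more than half of the responding trusted notaries
              must agree with local_fp; "consensus" = all of them must.
    Returns (trusted: bool, reason: str).
    """
    responding = {n: reports.get(n) for n in trusted if reports.get(n) is not None}
    if not responding:
        return False, "no trusted notary responded; refusing to trust blindly"
    agree = sum(1 for fp in responding.values() if fp == local_fp)
    if policy == "consensus":
        ok = agree == len(responding)
    elif policy == "majority":
        ok = agree * 2 > len(responding)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return ok, f"{agree}/{len(responding)} responding trusted notaries agree ({policy})"


if __name__ == "__main__":
    everyone = set(NOTARY_REPORTS)
    print(verify(fingerprint(GENUINE_CERT), NOTARY_REPORTS, everyone))
    print(verify(fingerprint(INTERPOSED_CERT), NOTARY_REPORTS, everyone))
    # Revoking notary-c is just leaving it out of the trusted set.
    print(verify(fingerprint(GENUINE_CERT), NOTARY_REPORTS, everyone - {"notary-c.example"}))
```

The unreachable notary is excluded from the count rather than treated as agreement, and a total lack of answers fails closed; "consensus" is the stricter setting and is what you want when a single disagreeing notary should be enough to stop you.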

There were a few talks on Linux process injection techniques that allow hiding unrelated processes inside running applications. Consider the example presented in Shawn Webb's Runtime Process Insemination talk, where a web vulnerability is exploited and a backdoor is embedded in the running Apache process to listen for specific URLs and spawn a shell. The other presentation on the same topic, Jugaad - Thread Injection Kit, discussed the jugaad library, which was designed in an attempt to implement CreateRemoteThread() on Linux. Both of these techniques rely on the ptrace() system call, but jugaad also uses techniques to discover the libraries linked into a running process via /proc/PID/maps. It should be noted that neither of these techniques will work if the ptrace system call is disabled (and there is no reason for it to be enabled on non-development machines), or if grsecurity or PaX are installed on the system (not done by default in Ubuntu).
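The same /proc/PID/maps file that jugaad reads to find libraries is also where injected code shows up, so here is a defender-side Python example, added here and not taken from either talk, that parses a maps file and flags executable regions a package-installed daemon would not normally have (anonymous executable memory, executable mappings backed by temp or deleted files, RWX file mappings), plus a helper that spells out the Yama ptrace_scope setting that governs whether attaching with ptrace is allowed at all. The maps content, addresses and the /tmp/.x.so path are constructed for the example.

```python
import re
from dataclasses import dataclass

# One /proc/PID/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)

# Kernel-provided regions that are legitimately executable and file-less.
KNOWN_EXEC_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text):
    """Parse the text of a /proc/PID/maps file into Mapping records."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                               m.group(3), m.group(4).strip()))
    return out


def suspicious_mappings(mappings):
    """Return (mapping, reason) pairs for executable regions that a normal
    binary would not have: anonymous executable memory (what a runtime
    injector has to create to hold its code), executable regions backed by
    temp or deleted files, and file mappings that are both writable and
    executable."""
    findings = []
    for m in mappings:
        if "x" not in m.perms:
            continue
        if m.path == "" or (m.path.startswith("[") and m.path not in KNOWN_EXEC_PSEUDO):
            findings.append((m, "executable anonymous/pseudo mapping"))
        elif "(deleted)" in m.path or m.path.startswith(("/tmp/", "/dev/shm/")):
            findings.append((m, "executable mapping backed by temp or deleted file"))
        elif "w" in m.perms:
            findings.append((m, "file-backed mapping is writable and executable"))
    return findings


def ptrace_scope_meaning(value):
    """Interpret the contents of /proc/sys/kernel/yama/ptrace_scope (Yama LSM)."""
    table = {
        "0": "classic: any process may ptrace another running as the same uid",
        "1": "restricted: only descendants (or PR_SET_PTRACER targets) may be traced",
        "2": "admin-only: attaching requires CAP_SYS_PTRACE",
        "3": "disabled: no process may attach with ptrace",
    }
    return table.get(value.strip(), "unknown value")


# Constructed sample modelled on an apache worker; addresses and paths are made up.
SAMPLE_MAPS = """\
00400000-004f1000 r-xp 00000000 08:01 1048641                  /usr/sbin/apache2
006f0000-006f8000 rw-p 000f0000 08:01 1048641                  /usr/sbin/apache2
01a2c000-01b4e000 rw-p 00000000 00:00 0                        [heap]
7f0c2b1d9000-7f0c2b36b000 r-xp 00000000 08:01 395201           /lib/x86_64-linux-gnu/libc-2.13.so
7f0c2b5e0000-7f0c2b5e1000 rwxp 00000000 00:00 0
7f0c2b700000-7f0c2b701000 r-xp 00000000 08:01 22               /tmp/.x.so
7fff3c9f0000-7fff3ca11000 rw-p 00000000 00:00 0                [stack]
7fff3cbff000-7fff3cc00000 r-xp 00000000 00:00 0                [vdso]
"""

if __name__ == "__main__":
    for m, why in suspicious_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"{m.start:x}-{m.end:x} {m.perms} {m.path or '<anon>'}: {why}")
    print(ptrace_scope_meaning("1"))
```

On a live box you would feed it `open(f"/proc/{pid}/maps").read()` for each daemon of interest and `open("/proc/sys/kernel/yama/ptrace_scope").read()` where the file exists; JIT runtimes legitimately create anonymous executable memory, so whitelist those processes rather than lowering the bar for everything.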

Daniel Garcia presented on umap, a UPnP gateway scanner and tool for automating the port-forwarding features of UPnP gateways, which allows you to scan behind firewalls and create SOCKS proxies on other devices. According to Garcia there are a ton of misconfigured devices out there, including those provided by major ISPs (Linksys, SpeedTouch, Alcatel, etc). Considering the fact that the majority of these devices provide no functionality for logging, this is a quick and easy way to set up cheap proxies, as well as a possible way of defeating whitelists between networks.

Kees Cook presented on a kernel vulnerability in the video4linux drivers (CVE-2010-2963). The exploit is interesting enough by itself, but the talk presented a new technique for leveraging uninitialized memory to write out the payload. The presentation can be found here.

Throughout the conference there were lots of talks from white hats about Data Loss Prevention devices that help network managers manage the risk of data loss (including technology that is being deployed to watch for voice data loss!). A group from Security Art presented on using VoIP as a command and control channel for infected machines on networks that have robust IDS or DLP systems but almost never monitor VoIP traffic. Using VoIP-to-PSTN gateways, as implemented by nearly all large networks, would even allow you to get in and out of networks that don't have any physical data link to the internet! Their proof of concept relied on their bot, called Moshi Moshi. The technique has clients dialing into a conference call (managed by an Asterisk server hosted somewhere in the cloud, set up with all the anonymity you can throw at it) and allows a bot manager to call into the same conference (from a trash phone or a SIP client over an anonymized connection) and control the bot via DTMF tones. The presentation even included exfiltrating documents as voicemail messages, with each byte converted to a tone at a specific frequency that could later be decoded by leveraging the Asterisk AGI to read the contents of the file back to the bot manager. This may have been my favorite presentation of the weekend.
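The monitoring gap the talk exploits is that nobody looks at what is riding on the voice channel, and DTMF is cheap to detect: a Goertzel filter per tone frequency over ~25 ms frames is all a decoder needs. The Python below, added here and not from the Security Art talk or the Moshi Moshi bot, decodes the key sequence from PCM audio and reports keys per second, which is the number a call-monitoring point would alert on, since a human dialling an extension keys far slower than a machine driving a channel. The audio is synthesized inside the example as a test signal; the frame size, sample rate and the threshold value are the example's own choices.

```python
import math

SAMPLE_RATE = 8000        # telephony rate
FRAME = 205               # ~25.6 ms, the usual Goertzel frame length for DTMF
LOW_TONES = [697, 770, 852, 941]
HIGH_TONES = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]   # KEYPAD[row][col]
POWER_THRESHOLD = 200.0   # tuned for the 0.5-amplitude constructed signal below


def goertzel_power(frame, freq):
    """Energy at one frequency over a frame (second-order Goertzel recursion)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_frame(frame):
    """Return the DTMF key present in a frame, or None if no pair is strong."""
    low = [goertzel_power(frame, f) for f in LOW_TONES]
    high = [goertzel_power(frame, f) for f in HIGH_TONES]
    r = max(range(4), key=low.__getitem__)
    c = max(range(4), key=high.__getitem__)
    if low[r] < POWER_THRESHOLD or high[c] < POWER_THRESHOLD:
        return None
    return KEYPAD[r][c]


def decode_digits(samples):
    """Decode a key string from audio, collapsing frames that repeat a key and
    relying on a silent frame to separate repeated presses of the same key."""
    keys, last = [], None
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        key = decode_frame(samples[i:i + FRAME])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


def dtmf_rate(keys, seconds):
    """Keys per second over the observed interval; the value to threshold on."""
    return len(keys) / seconds


def make_test_signal(keys, tone_s=0.10, gap_s=0.05):
    """Constructed test audio: each key as its two-tone pair, then silence."""
    samples = []
    for k in keys:
        r = next(i for i, row in enumerate(KEYPAD) if k in row)
        c = KEYPAD[r].index(k)
        for t in range(int(tone_s * SAMPLE_RATE)):
            samples.append(0.5 * math.sin(2 * math.pi * LOW_TONES[r] * t / SAMPLE_RATE)
                           + 0.5 * math.sin(2 * math.pi * HIGH_TONES[c] * t / SAMPLE_RATE))
        samples.extend([0.0] * int(gap_s * SAMPLE_RATE))
    return samples


if __name__ == "__main__":
    audio = make_test_signal("1234#0")
    keys = decode_digits(audio)
    print(keys, f"{dtmf_rate(keys, len(audio) / SAMPLE_RATE):.1f} keys/s")
```

Real call audio needs the threshold set relative to the frame's total energy and a twist check between the two tones, but the shape of the detector stays the same; a sustained rate of several keys per second for minutes on an internal conference bridge is the kind of thing the talk says nobody is currently watching for.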

Itzhak "Zuk" Avraham unveiled a tool for performing penetration tests from the comfort of your Android mobile device. In addition to scanning the network you are on, it provides functionality to MITM specific targets and use exploits from Metasploit. The tool, called Anti, is slated to be released to the Android Market later this week. More here.

Finally there was a thoroughly depressing presentation titled "SCADA & PLCs in Correctional Facilities" by a couple of white hats in bed with the prison industry. This talk picks up where the Stuxnet worm left off to examine how similar viruses could affect prisons. It turns out that prisons rely heavily on PLCs for monitoring the infrastructure of their facilities, from surveillance systems and perimeter controls to prison door locks. The team showed that there were a large number of attacks against the Step 7 software (specific to Siemens, but similar implementations exist for other PLC/SCADA vendors) that could allow doors to be opened without notifying the central prison control center. They also went into great detail on the architecture of prisons, the whole while affirming their allegiance to the sociopaths that maintain these systems. Going to this presentation after a long weekend of sharing rooms with military intelligence engineers, auditoriums of .gov pen-testers, and seas of hackers who would otherwise be anarchists but lack an analysis of privilege and oppression and work from a libertarian perspective was exhausting and a bit depressing, even if they were showing strong evidence that vulnerabilities exist in the prison system. A side note of this talk was that many squad cars with video recording systems will auto-upload videos from their cars to the local SAN when they come in range of specific wireless networks. They also reported that these uploads allowed arbitrary file types to be uploaded to these systems, creating another vector for getting payloads into jail facilities and for intercepting video uploads from squad cars. It would be interesting to see more research into the vulnerabilities of squad car computers. The white paper from their research is here.
