May 16 2012
"This is our SUV, the Nebuchadnezzar. From it, we hack into the Matrix and broadcast our pirate signal."
That pretty much sums up our trip to CarolinaCon 8, held last weekend at the Hilton Hotel in Raleigh, North Carolina.
CarolinaCon, now in its eighth year, is a small, intimate hacker con founded by people who believe that sharing information with one another is the best way to both learn and advance the state of the art. It's the sort of con where you will see a talk by someone who may have learned about public speaking from watching Jerry Seinfeld's standup routines and at the same time learn exactly how the latest malware agents conceal themselves in a compromised system and what countermeasures they use to prevent analysis. It's not a dry technical conference but a freewheeling free-for-all thrown by some good folks. You'll learn a lot while you're there, probably get some hands-on experience if you like, and your ribs will be sore by dinnertime because you'll probably be laughing your head off. Not to say that it's not serious - it is - but a little sugar definitely helps the medicine go down.
Last Thursday night after work Haxwithaxe and Sitwon drove to my house to pick me up for the trek down to North Carolina. We loaded my kit in the back of Sitwon's SUV along with the already-packed stack of laptops and sundry other bits of luggage, stopped at a local brewpub for dinner, and then strapped in for the long haul south. Wired for power with a couple of inverters we took turns plugging our respective media players into the vehicle's sound system and hacked pretty much the whole trip on Project Byzantium. After discovering how to tether Windbringer to my cellphone (it still strikes me as novel that firmware not manufactured and backdoored six ways to Sunday by a company will let one do something as simple as push changes to a repository) the rest of the trip was lost in a haze of commits and test runs.
When plotting a course, a zip code wasn't used for our destination and so we wound up two hours and over a hundred miles away from where we needed to be. We discovered this the hard way when we pulled up to the front gate of a small, private college (the campus of which had a security guard posted, something I found curious). After discovering our mistake we turned around, drove another two hours in the proper direction, and then pulled into the parking lot of the Hilton very early in the morning on Friday only to discover that they'd resold our room because we'd missed check-in. However, the night manager was kind enough to put us up at a neighboring hotel for the night and comp us the cost. So, about a half hour later the three of us trudged into a suite that, in the final analysis, was easily larger than our actual hotel room and collapsed for a few hours of rest. Around mid-morning on Friday we repacked the SUV and had a nice conversation in the parking lot with an older lady who was curious about the three strangely dressed individuals with a vehicle full of equipment. Our conversation was largely about CarolinaCon, why we were dressed strangely (we're strange), and Project Byzantium. Then we had a quick lunch at a nearby mall, drove to the Hilton, checked in, unpacked, and got back to hacking on the Byzantium codebase. We set up a few nodes in our room in the hopes of getting some more feedback from con-goers, and then late Friday afternoon we took the elevator downstairs to check into the con itself...
After some initial milling around and figuring out what to do, we sat down for the opening of CarolinaCon and the first presentation of the weekend, Professor Farnsworth's research on Identifying Cyber Warriors. His work was a sociological study of people who are potential hacktivists operating in an offensive mode (i.e., taking direct action to compromise targets; case in point, Anonymous) rather than in a supportive role (i.e., aiding dissidents and spreading information, like Telecomix). In a nutshell, his work covered a lot of what the US Military calls fifth generation warfare. Roughly, this refers to combat by and in environments where literally anyone is potentially a warfighter and there are no leaders or even armies as we usually picture them. Instead people who take up particularly virulent memes and apply whatever skills and resources are available to them are the combatants, all working toward much the same goals in a chaotic fashion. Prof. Farnsworth's work has shown that there are personality traits which seem to statistically correspond to people taking direct action rather than just talking about it. Political interest as shown by a willingness to write to leaders about issues, a willingness to attend protests, an inclination toward online piracy, and nationalism and patriotism seem to indicate a propensity toward taking part in hacktivist efforts. This inspired a new slide in our presentation, but I'm getting ahead of myself.
Georgia Weidman's presentation Bypassing Android Permissions was extremely informative and amusing at the same time. Granted, being an Android user I have something of a vested interest in such things, but I'd recommend her talk to anyone who is interested in developing for Android, or who is even vaguely concerned about what's going on inside that slab of plastic that isn't quite iPhone-like in appearance. The set of permissions the Facebook app requires is nothing if not frightening due to what it could potentially do (like reading and sending text messages without your knowing about it). There was also a solid reminder of how easy it is to reverse engineer Java binaries in general and Android binaries in particular, and why hardcoding things in the source isn't a useful way of keeping them concealed. The ubiquitous microSD cards used as secondary storage on Android devices are also almost always formatted with the FAT32 file system, which is incapable of imposing access restrictions, so it's trivial for one app to access data stored by another app on the SD card. She also gave a few demonstrations of how to abuse features corresponding to those permissions without your app having to request those permissions in the first place. All in all, a fascinating talk, and one I recommend highly.
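To make the "hardcoding things in the source doesn't conceal them" point concrete, here is an added example (my own code, not from Weidman's talk or from this post) that walks the string table of a DEX file, the format of the classes.dex inside every APK. Every string literal the compiler saw ends up in that table in the clear, which is exactly why a `strings`-style pass finds API keys. The header offsets come from the public Dalvik executable format specification (string_ids_size at 0x38, string_ids_off at 0x3C); the sample DEX-shaped blob, the string constants in it and the "suspicious" patterns are constructed for the example and are not taken from any real app.

```python
"""Walk a DEX string table and flag string constants that look like secrets.
Added example; not code from the talk or the blog post.  The DEX layout
follows the public Dalvik executable format spec; everything else is a
constructed sample."""
import re
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70           # the dex header is always 0x70 bytes
STRING_IDS_SIZE_OFF = 0x38   # uint: number of string_id_items
STRING_IDS_OFF_OFF = 0x3C    # uint: file offset of the string_id_items table


def uleb128_decode(buf, off):
    """Decode an unsigned LEB128 value at buf[off]; return (value, next offset)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def uleb128_encode(value):
    """Encode a non-negative int as unsigned LEB128 (used to build the sample)."""
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def mutf8_decode(raw):
    """DEX stores strings as Modified UTF-8: NUL is encoded as C0 80 and
    supplementary characters as surrogate pairs (CESU-8); ASCII is plain."""
    return raw.replace(b"\xc0\x80", b"\x00").decode("utf-8", "surrogatepass")


def dex_strings(dex):
    """Return every string constant in the DEX string table, in index order."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    count, table_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, p = uleb128_decode(dex, data_off)  # length in UTF-16 units, not bytes
        end = dex.index(b"\x00", p)                      # string_data is NUL-terminated
        strings.append(mutf8_decode(dex[p:end]))
    return strings


# Constructed heuristics, first match wins; tune for the app under review.
SUSPICIOUS = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("url-with-credentials", re.compile(r"https?://[^/\s:]+:[^@\s]+@")),
    ("secret-looking-name", re.compile(r"(?i)(api[_-]?key|secret|passw(or)?d|token)")),
    ("long-hex-blob", re.compile(r"\b[0-9a-fA-F]{32,}\b")),
]


def find_secrets(strings):
    """Flag string constants that look like hardcoded credentials."""
    hits = []
    for s in strings:
        for label, pat in SUSPICIOUS:
            if pat.search(s):
                hits.append((label, s))
                break
    return hits


def build_sample_dex(strings):
    """Constructed sample: a DEX-shaped blob with a valid header, a string_ids
    table and string_data, and nothing else.  Enough to exercise the parser;
    not a loadable classes.dex."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        raw = s.encode("utf-8").replace(b"\x00", b"\xc0\x80")
        data += uleb128_encode(len(s.encode("utf-16-le")) // 2) + raw + b"\x00"
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, 0x20, HEADER_SIZE + len(ids) + len(data))  # file_size
    struct.pack_into("<I", hdr, 0x24, HEADER_SIZE)                          # header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)                           # endian_tag
    struct.pack_into("<II", hdr, STRING_IDS_SIZE_OFF, len(strings), ids_off)
    dex = hdr + ids + data
    # checksum: adler32 over everything after the magic and checksum fields
    struct.pack_into("<I", dex, 0x08, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    return bytes(dex)


# Constructed string constants, as a compiler would emit for a small app.
SAMPLE_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "onCreate",
    "https://api.example.com/v1/",
    "api_key",
    "AKIAIOSFODNN7EXAMPLE",   # the documented AWS example key, not a live one
    "Hello, world",
]

if __name__ == "__main__":
    blob = build_sample_dex(SAMPLE_STRINGS)
    for label, s in find_secrets(dex_strings(blob)):
        print(f"{label:22} {s}")
```

On a real APK you would `unzip` it, feed classes.dex to `dex_strings`, and then go looking for the code that uses the flagged constant; obfuscators rename classes and methods but cannot change a string the app needs at runtime without a decoding routine, and that routine is in the same file.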
Next up was .ronin's Intro to Hacking Bluetooth. For Linux users Bluetooth can be daunting because user documentation and tutorials have not kept up with how the code's evolved over the years. Sure, there are some GUI apps that are supposed to make it easy (or easier, at least) but I've found that they don't make a whole lot of sense unless you already know it well. I keep picking it up and then setting it aside again for this very reason. That said, this presentation was an excellent introduction to how Bluetooth works in general and how it's used on Linux in particular. There was also a discussion of how connected Bluetooth devices can be compromised remotely with a variety of attacks. Of course, this culminated in CarolinaCon getting rickrolled on stage with a spoofed call. .ronin also announced the release of his tool Bluetooph for auditing Bluetooth devices. Next was a true moment in hacker convention history: Deviant Ollam pwned Hacker Trivia by absconding with the questions earlier in the evening. He then gave a talk related to rumors that have been going around the hacker community for years, relayed in whispers, PGP encrypted e-mails from deniable webmail accounts, and the odd drunken rant at con afterparties. The talk involved commercial aircraft, the countries and airports that certain models commonly fly into and out of, and various recreational activities that can take place on them. Deviant's talk was very carefully researched, photographically documented, and specific exploitable vulnerabilities were detailed. I'm fairly certain that he was speaking with the voice of experience. From some of the comments by other attendees in the audience I think it's safe to say that this information is legit because it was also corroborated with specific details that I'll not repeat here because this is (mostly) a family blog.
Haxwithaxe, Sitwon, and I spent the rest of the night in our room working on and polishing our presentation and labeling Byzantium Linux CDs to give out. We reworked our slide deck, fixed a couple of things, cleaned up the slides somewhat, and finally wrapped up around 0130 on Saturday morning to catch a few hours of sleep.
I missed most of Pre-Product Exploitation by Snide due to scheduling conflicts so I'll have to download the video later when it's put online. Lunch was spent in the hotel's bar-slash-restaurant hacking the code for the gateway configuration system. We also thought we'd made progress on a glitch in the captive portal, and in fact committed a couple of patches for it, but when we rebooted to test our changes live there was no small amount of swearing entirely unrelated to the sports games showing on the flatpanel televisions. We similarly missed Big-O's presentation on Malware Retooled because we were huddled in the back of the room booting up Byzantium nodes in the hope of testing the latest version of the codebase that we'd been working on during our talk. The swearing continued and once again I realized that trying to cram too much work into too short a period of time invites Murphy to the dancefloor. Needless to say, our live demo didn't happen. Caution already thrown to the wind, we decided to punt by giving our reworked presentation as planned and handing out the CDs we'd labelled the night before with felt pens. Not ones to do things fractionally, we went all out to psych ourselves up to pull through. Sitwon was dressed to the nines in his pirate garb and I wore one of my Utilikilts (I wear a kilt now; kilts are cool), an Eclipse Phase t-shirt, and my newly decorated black labcoat.
Rather than let the technical difficulties trip us up, we hit the ground running with our presentation, and I think we struck a good balance between a semi-professional tech talk and enough humor to offset the fact that we used Powerpoint. It took us a few revisions to make sure that we weren't going to fry people's brains with mind-numbing technical minutiae; we were presenting for hackers, after all, so we could play to everyone's strengths. We started fielding questions around slide 28, finished the slide deck, and then ran the hour out answering more questions from the audience. If you'd like to check out our presentation it's available as a Powerpoint presentation and a PDF file. After wrapping up on stage the three of us hung out in the breakout room next door handing out CDs and flyers for HacDC, and answering more questions about our project. It is my sincere hope that some more developers sign on as a result of our presentation; at the very least, I hope some more interest in mesh networks has been generated. On the last day of CarolinaCon we were given a copy of the video on a disk. We haven't been given permission to distribute it yet but if we do (or if CarolinaCon posts the presentation videos for download) we'll link to them from the Project Byzantium homepage and let everyone know.
We returned to the con just in time to catch Joe McCray's presentation Big Bang Theory: The Evolution of Pentesting High Security Environments. It was, in no particular order, funny, informative, and no doubt reassuring to people who work in the field of incident response (or as reassuring as things get in that field) because there will be no shortage of work anytime soon. McCray spoke mostly about APTs - Advanced Persistent Threats (known for years in the community as "people who pwned you but made a point of keeping it secret rather than bragging about it on Pastebin") - which gradually compromise more and more of the target's network until it's nearly impossible to lock them out because so much of the network's been subverted. Some targets are known to have been compromised for a year or more; some have been compromised for far longer than that. This is another presentation that simply has to be watched if you work in infosec or IT because McCray not only knows your pain but he's found a way to articulate it. When a link goes up I'll definitely post it.
Then we went in search of hibachi for dinner, almost anti-climactically. En route we discovered a small local computer store called Intrex that we decided to check out. Hey, we were at a hacker con, right? Why not see what they have to offer... we discovered that they had for sale a 4-foot parabolic antenna designed for use with 802.11 wireless networking hardware. After pinching ourselves to make sure we weren't dreaming it took us all of thirty seconds to buy it for a song along with the necessary gear to rig it up to one of our laptops. Intrex has lots of gear that hackers will find interesting and potentially useful - pay them a visit if you're in Raleigh! Tell the manager that Ben the Pyrate, Haxwithaxe, and the Doctor sent you. After a strangely tasty dinner at the fast food Japanese hibachi restaurant we headed back to the hotel to assemble the dish and do some distance shootouts in the parking lot with it to see what kind of range we could get before resorting to an amplifier. Haxwithaxe and Sitwon assembled the dish in our hotel room and rigged up a carrying harness for it while I prepped the cabling and a node to plug it into. The three of us gathered no shortage of puzzled looks as we hauled the "Parabolic Antenna of Where the Hell Did You Guys Get That?" +5 through the hotel lobby, past a prom and what appeared to be a wedding reception. We messed around with it for a while in the hotel parking lot, finding another bug in Byzantium that we need to fix in the process. Our baseline tests with unaugmented wi-fi gave us some surprising results, what with Ben the Pyrate being completely out of visual range (and thus line of sight) and still sending and receiving a fairly powerful signal. In so doing we missed all of the Saturday evening presentations because we spent the whole evening in the parking lot hacking around.
The rest of the evening was spent hanging out at McCray's party on Saturday night, networking with other hackers and making new friends. The party was such that none of us got to bed until 0130 or thereabouts on Sunday morning, which meant that we got something of a late start the next day and didn't make it to any presentations until Deral Heiland's talk on hacking multifunction printers. Deral's tutorial included a demonstration of making hacked Xerox firmware images that do various dastardly things. All in all, it was a fascinating talk and well worth the time spent. After that we hooked up with some of the folks we'd met at the party the night before and talked at great length about Project Byzantium and some of the issues surrounding it. I have a feeling that some good things will come of that meeting of the minds. We returned to CarolinaCon in time to catch Omar Santos' presentation It's 2012 and My Network Got Hacked. Let's face it, it's Visigoths 7-Romans 1 in the infosec game, the bases are empty, and the pitcher's started throwing cranium-seeking knuckleballs. Please note that this will be the only baseball metaphor I will ever use in this blog; aside from the fact that no security scheme is perfect and time is the great equalizer, we're still getting our asses handed to us. Omar discussed some metrics that can be used to keep a closer eye on what's happening on our networks and help detect when something shady is going on earlier, hopefully early enough to do something about an intruder.
Steve Pinkham's presentation on Declarative Web Security covered something that sounds a little like ACLs, but for which functions a website allows the web browser to use rather than what the user is allowed to do. DWS has potential applications for minimizing the risks presented by various sorts of vulnerabilities in web applications under different circumstances. Pinkham talked about which web browsers are responsive to those new HTTP headers, to what degree the standard is implemented, and which aren't. Internet Explorer, predictably, is still well behind this particular curve so don't trust in the next new thing just yet. The final talk of the con was DJ Palombo's discussion of what the Raspberry Pi might mean for hacking in the future. His talk was mostly about using Raspberry Pi ultra-small computers as burners - cheap, disposable computers that can be bought, set up, and then abandoned without much monetary loss. At $25 US each they're certainly much cheaper than second- or third-hand laptops on Craigslist but they are also very difficult to get these days due to high demand. In theory, once they become popular they'd be ideal as backdoors into networks, deniable DDoS nodes, and even disposable servers. This kicked off a discussion that got a few of us thinking: Raspberry Pis were developed as low-cost computers for low-income and underprivileged children to learn on. Right now they're so difficult to get because everyone wants to hack on them that it doesn't look like they will see their intended use anytime soon, which when you think about it is something of a problem. Who needs them more, kids trying to learn or hackers like us who have more options?
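As an added example of what "declarative" means in Pinkham's talk above (this is my own code, not his or the blog's): the site sends headers, and the browser, not the server, enforces them. The audit below reads one response's headers and flags the weak settings a reviewer looks for. Which headers the talk covered is my assumption; I've taken the usual four (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options), and the two sample responses are constructed, one deliberately weak and one hardened.

```python
"""Audit a response's declarative security headers: the ones a site sends to
tell the browser what it may and may not do with the page.  Added example,
not from Pinkham's talk or this post; the header set is my assumption about
the talk and the sample responses are constructed."""

MIN_HSTS_AGE = 15552000   # six months; a common minimum for preload lists


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src when absent.
    Returns None when neither is set, i.e. the directive is unrestricted.
    An explicitly empty list means 'none', the most restrictive setting."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security header, or None."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit(headers):
    """Return a list of (severity, code, message) for one response's headers.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append(("high", "csp-missing",
                         "no Content-Security-Policy: injected script runs unrestricted"))
    else:
        for directive in ("script-src", "object-src"):
            srcs = effective_sources(policy, directive)
            where = directive if directive in policy else f"{directive} (via default-src)"
            if srcs is None:
                findings.append(("high", "csp-unrestricted",
                                 f"CSP: no {directive} and no default-src"))
                continue
            if "*" in srcs:
                findings.append(("high", "csp-wildcard",
                                 f"CSP: wildcard source in {where}"))
            if directive == "script-src" and "'unsafe-inline'" in srcs:
                findings.append(("high", "csp-unsafe-inline",
                                 "CSP: 'unsafe-inline' in script-src gives up XSS protection"))

    xfo = h.get("x-frame-options")
    if xfo is None:
        if "frame-ancestors" not in policy:
            findings.append(("medium", "xfo-missing",
                             "no X-Frame-Options or frame-ancestors: page can be framed"))
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", "xfo-bad-value",
                         f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "hsts-missing",
                         "no Strict-Transport-Security: requests can be downgraded to HTTP"))
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_AGE:
            findings.append(("low", "hsts-short",
                             f"HSTS max-age {age} is missing or below {MIN_HSTS_AGE}"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "xcto-missing",
                         "no X-Content-Type-Options: nosniff; browser may sniff the type"))
    return findings


# Constructed sample responses: the weak setting beside the corrected one.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example.com; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(resp) or "clean")
```

The caveat from the talk applies directly: this tells you what the server asked for, not what the visitor's browser did with it. A browser that doesn't implement the header (Internet Explorer, at the time of the talk) silently ignores it, so these headers reduce the blast radius of a bug; they don't replace fixing it.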
After the closing ceremonies of CarolinaCon we finished packing up Sitwon's SUV and set a course for home. Due to travel time and work on Monday we regrettably had to pass on LobbyCon, though we would have liked to stay and hang out with everybody. After getting stuck in traffic for an hour or two and then making some more progress on the road we stopped off for dinner and a stretch for an hour or so and made it back to Maryland around 2330 EST5EDT on Sunday night. We stopped at Haxwithaxe's domicile to drop him off, then at my place to offload my kit and me, whereupon I headed upstairs to unpack and get to bed at a halfway reasonable time to get up in time for work. Once again, I took no pictures because, as the zeitgeist seems to be going in the twenty-first century, we have enough pictures taken of us that taking more at hacker cons seems rather gauche to me. No doubt a few are floating around someplace but none of them are mine. To sum the weekend up, I've never felt so at home at a hacker con before. I will definitely be going back next year, possibly as a presenter but at the very least as an attendee. If you're a hardcore 'board-punching hacker or simply curious about one or more fields, CarolinaCon would make an ideal first convention. You'll definitely learn a lot there, and the people are all top-notch.