Sunday, August 29, 2010

Defcon 18 quickly summarized

I skipped Defcon last year, so I made a point to be there all 3 days. I strongly recommend arriving Thursday evening. Registration is no hassle, you get the official badge, and you get to check out the facility at your leisure. Even though Defcon has been at the Riviera for years, I still need a walk-through to remember how to get around. Maybe casinos hope that lost hotel guests will gamble more.

Defcon is generally well organized and with few exceptions the talks are first rate. My main complaint is the long line to get into just about every talk. I suspect they have greatly oversold admission. I wanted to attend the SCADA track on Saturday, so I showed up almost an hour early for the first session, and remained in my seat for as many sessions as biological needs would permit.

The best session was given by Fyodor on scripting nmap. He gave a very useful and clear explanation of how to customize nmap using the Lua programming language. Fyodor is also a very engaging speaker. I was very fond of his dry wit.

Dan Kaminsky and Paul Vixie gave a double-shot of DNS on Friday. Vixie discussed the use of passive DNS to gain information useful in tracking malware and criminal activity by flagging malicious use of DNS. Kaminsky gave a talk similar to Toorcon 2009, on the use of DNSSEC to provide a true, usable public key infrastructure. Using signed DNS records can authenticate destination sites. DNS authority can also be delegated more elegantly (and more usefully) than X.509.

The SCADA track was interesting, with the talks varying between those concerned with general risk discussions, technical information systems, and general discussions of plant operations. If you've ever wondered how a small water district works, this was your chance.

"Wardriving the Smart Grid" gave an overview of the technology used for wireless monitoring and control of electrical utilities. Exploitation of field tech boxes would provide privileged access to these networks. The speaker suggested that it is only a matter of time until software for these boxes is available on bit-torrent.

"SCADA and ICS for Security Experts" gave a definition of SCADA and discussed what systems can be called SCADA and which ones aren't really SCADA. SCADA involves interconnected sensors and controls under central management. Not all industrial control systems (ICS) are SCADA. Electrical "Smart Meters" are really a billing system, not a remote control system, for example. The hard part of attacking SCADA and ICS isn't getting into the network - it is understanding the physical impact of various logical controls.

Speaking of Smart Meters, "The Night the Lights Went Out in Vegas" covered some of the details of Smart Meter networks. Radio communications involve either licensed 900 MHz spectrum or GPRS, with a small number of other methods like powerline RF.

"Cyberterrorism and the National Drinking Infrastructure" gave an overview of operations at a small public water district. There are a lot of fail safe mechanisms that make it difficult to effectively attack a drinking water system. Water districts themselves are highly fragmented, meaning an attack would likely be local in scope, confined to a single municipality.

Aside from SCADA other notable topics included cyber-warfare and hardware hacking. "How to Build a Cyber Army" discussed a possible budget for a hypothetical cyber-army (North Korea was the example). Having agents embedded in the target nation's critical infrastructure is essential - remote attacks would not have their full impact without this. The final budget came out to something short of $50 million (I'm relying on memory here).

Hardware hacking included hacking WiMAX customer boxes, basics of the Arduino ("Hardware Hacking for Software Guys"), and building electronic weapons (a variant of the old Defcon "Build your own HERF gun" talk).

It wouldn't be Defcon without some controversy. Here's a short rundown:

  • A talk on Chinese cyberattacks was canceled due to objections of the Taiwanese government, ever desirous of not offending the mainland Chinese. The key speaker was a Taiwanese national, so his government's request carried the day.
  • A talk on evading censorship by using Tor had one of the key speakers, affiliated with Wikileaks, detained by US authorities upon entering the country from the Netherlands. His electronics (computer, cell phone, etc.) were seized.
  • A talk on jackpotting ATMs went on as scheduled. It was pulled last year due to pressure from the presenter's employer (Juniper). He now works for IOActive, who had no objection.
  • GSM-based cell phone communication was intercepted using a mock base station built from $1500 of equipment. Lots of notices were prominently posted warning people not to use their cell phones during this time!

Lastly, one of my favorite things was the exhibit of old computer technology. A fully functioning DEC PDP-11 was featured that brought back memories of my first computing experiences.

And while I fully support the EFF, I did *not* get a mohawk, thank you.

Friday, August 13, 2010

Another entry in the broken cert hall of shame


Noted this when trying to log into gmail using my secure POP client. I hope this is just a quirk in Google's cert management.

Tuesday, August 03, 2010

OCEAN AS/400 Conference Notes

I attended the July 16 OCEAN annual technical conference on the iSeries (which I will always call the AS/400). I've spent a good chunk of my professional career working on this system and while it seems to be slowly fading away, I still like to keep up on it. Who knows when you might run across one? Being one of the last people around familiar with this technology may prove useful.

Some general notes: There was a session on iPhone integration with the iSeries, showing this venerable back end is still being adapted to the latest client gadgets. A whole series of PHP development sessions was provided, including ones on the Zend environment.

My main focus here is the session on security, given by John Earl (who immediately recognized me in the audience after over 10 years). He covered some of the laws governing breach reporting and personal information protection, noting that Massachusetts has the strictest state laws in the US. His main focus was on insider threats, as he believes the iSeries is hard for an outsider to attack without some sort of inside access and knowledge.

John noted that default passwords are still a problem, especially for vendor software. The ANZDFTPWD command will help by checking for many of these. Unencrypted passwords on the wire are another problem, with FTP, telnet and the iSeries Access Servers (formerly Client Access). He noted some common mechanisms for finding user IDs and user profile information that can be exploited even with a limited capability account that supposedly restricts command line access. Read access to a user profile provides the ability to take over the profile - so do not allow *PUBLIC (world in unix-speak) read access. Taking over a profile involves using it in the SBMJOB command, in a JOBD, or through ADDJOBSCDE (look these up if they don't make sense!). John is a strong believer in relying on object authority rather than exit programs for security.
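As an added, defender-side illustration of the checks John's points translate into (my own CL snippet, not anything shown in the session), here is what a system administrator could run to audit the three takeover vectors above; APPUSER is a hypothetical profile name standing in for whatever the reports flag:

```cl
PGM
  /* Added example, not from the talk: audit the profile-takeover vectors.   */

  /* 1. Profiles whose password still equals the profile name (vendor       */
  /*    defaults). ACTION(*NONE) only reports; *DISABLE or *PWDEXP act.       */
  ANZDFTPWD  ACTION(*NONE)

  /* 2. User profile objects that *PUBLIC can reach with anything other than */
  /*    *EXCLUDE. Read access to a *USRPRF is what lets a limited-capability */
  /*    user borrow it via SBMJOB USER(...) or ADDJOBSCDE USER(...).         */
  PRTPUBAUT  OBJTYPE(*USRPRF) LIB(QSYS)

  /* 3. Job descriptions that name a USER and are not *PUBLIC *EXCLUDE:      */
  /*    anyone who can submit a job with such a JOBD runs as that user.      */
  PRTJOBDAUT LIB(*ALL)

  /* Remediation for one offending profile (APPUSER is a hypothetical name): */
  /* set *PUBLIC to *EXCLUDE so only explicitly authorized users can use it. */
  GRTOBJAUT  OBJ(QSYS/APPUSER) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE)
ENDPGM
```

The PRT* commands write spooled reports rather than returning values, so review them with WRKSPLF and repeat the GRTOBJAUT line for each profile listed.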

Having been outside the iSeries world for a while, it was discouraging to hear the same flaws mentioned that I had known about ten and fifteen years ago. The approach to taking over an AS/400 seems similar to that used in Windows systems - get the authentication credentials, execute a command using that credential, use the command to gain command line access. What ADDJOBSCDE does in an iSeries, "schtasks" (or "at") does for Windows.
