yojimbo

Thoughts that should have a longer lifetime than my Mastodon posts ...

CHCon IZZI LITHGOW – CAUGHT BETWEEN THE DEVIL AND THE DEEP BLUE SEA: NAVIGATING SECURITY COMMUNICATIONS, https://2019.chcon.nz/talks/izzi/

When preparing for security incidents, we’re always hearing “it’s not if, it’s when” so security teams build process and technology solutions to rebuild the technical walls when the castle gets breached. But what we don’t often hear about is how we’re going to tell people what’s going on, and how the flow of information to our organisation’s staff, customers and anyone else who’s interested will be managed. We’re all just hoping it’s not our job to have to tell the CEO or the 6 o’clock news.

But there are people whose job it is to talk to other people, and by bringing those communications specialists into the world of security, we’ve got a better chance of getting out of a security incident alive. Izzi from CERT NZ is one of those communications specialists and she’ll share insights to help you navigate a security incident from a different technical perspective.

  • CertNZ will help to handle comms during an incident
  • Comms plans need to have actual details in them, because a non-comms organisation won't know how to learn comms when they're busy

CHCon PETE GENT – AN A-Z OF SPECTRUM, https://2019.chcon.nz/talks/pete-gent/

Inspired by last year’s CHCon talk on Windows exploits, here’s an A-Z of spectrum for the discerning hacker.

  • There are a lot of different controlled radio spectrums!
  • And a lot of acronyms covering almost all of the alphabet
  • Most of the time, there is space for a hacker to do some private project, but don't interfere with licensed spectrum ... you will be found ...

CHCon LOUIS NYFFENEGGER – ENTREPRENEURSHIP FOR HACKERS, https://2019.chcon.nz/talks/louis/

Since starting PentesterLab, Louis has studied and obtained first hand experience of a range of topics related to startups and product design and has applied these lessons to security products and services. After talking with friends, he realised that many people are interested by this topic and run into many of the same roadblocks: “Where to start?”, “I don’t have an idea”, “How do I validate my idea?”, “How much do I charge customers?”, “MVwat?” … In this talk, he will answer these questions and help fellow hackers get started! The lessons he will share are used everyday on the road from a simple project to a successful business.

  • https://penetrationtest.com/ as the background to the story
  • I skipped this to talk to Pete Nicholls instead, and it ended up winning “best talk”. So shame on me.

CHCon AAYLASECURA1138 – WHAT GIVES $7K AND 3 CVES? A WEB BROWSER, CONFUSED ABOUT ITS CROSS-ORIGIN POLICY, https://2019.chcon.nz/talks/aayla/

The Same-Origin Policy (SOP) says web browsers should prevent one site from accessing another site, unless explicitly allowed by the Cross-Origin Resource Sharing (CORS) standard. But do all browsers follow the guidelines? Spoiler alert: no.

Can’t quite wrap your head around CSRF, SOP and CORS? Or maybe you want to get into bug bounties but, like me, just don’t know where to start? Let me tell you about my research which led me to bugs in Firefox and Chrome’s SOP/CORS implementation worth three CVEs and US$7k.

  • 113 browser versions, 100 tests, three wins.
  • This is using the scientist's “test everything” mentality
  • Plus of course an open-source 'fix' hints about what wasn't addressed at the same time ...
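An added example (mine, not the speaker's test harness) of the decision the SOP/CORS paragraph describes: which (scheme, host, port) triple the Same-Origin Policy compares, and when an Access-Control-Allow-Origin header lets a cross-origin response be read. The URLs and headers in the test are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """The (scheme, host, port) triple the Same-Origin Policy compares; default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def serialize_origin(origin):
    """Render an origin the way a browser writes it in the Origin request header."""
    scheme, host, port = origin
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def same_origin(url_a, url_b):
    """True only when scheme, host and port all agree; a subdomain is a different origin."""
    return origin_of(url_a) == origin_of(url_b)

def cors_permits_read(page_url, resource_url, response_headers, with_credentials=False):
    """Decide whether script on page_url may read a response fetched from resource_url.

    Same-origin responses are always readable. Otherwise the response must carry an
    Access-Control-Allow-Origin naming the requesting origin (or "*"); for credentialed
    requests "*" is not honoured and Access-Control-Allow-Credentials must be "true".
    """
    if same_origin(page_url, resource_url):
        return True
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if with_credentials:
        if acao == "*" or headers.get("access-control-allow-credentials", "").lower() != "true":
            return False
    # A listed origin must match the requester's serialized origin exactly: no wildcard
    # subdomains, no scheme or port mismatches, which is where implementations tend to slip.
    return acao == "*" or acao == serialize_origin(origin_of(page_url))
```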

CHCon BEN KNIGHT – CLASSIC PLAYSTATION HACKING, https://2019.chcon.nz/talks/ben/

The PlayStation Classic is a throwback to the original PSX; for the nostalgic types. Sony ships this cheap Linux box with an open source emulator to play 20 original PSX games. But wait, no Crash Team Racing? The PlayStation Classic has been out long enough that there’s plenty of tooling to load more games. But how do the tools work? What’s the hax? Ben will demonstrate the manual exploitation of the vulnerable update process. Flash storage was dumped, UART serial connected and crypto mistakes were made.

  • The box came with the private key embedded. Why???
  • Also sounds like a fun box to play games from, if only I had more inputs on my TV ...

CHCon EDWARD ROBINSON – DISASSEMBLING DIABLO, https://2019.chcon.nz/talks/edward/

In this talk we will go through the fundamentals of game hacking using Diablo 1 to show entertaining examples. We’ll explore what happens when applications trust clients too much and discuss how carefully considering what your own applications interact with can be an eye-opening, and potentially scary, exercise.

  • Single-player games don't worry about their attack surfaces.
  • Cool hacks result in Mods – hello Half-Life and Counter-Strike

CHCon PETE NICHOLLS – BECOMING A SECURITY-CONSCIOUS SOFTWARE COMPANY, https://2019.chcon.nz/talks/pete-nicholls/

How do you adopt best security practices at your software development company? Earlier this year the company I work for decided to get serious about security, and gave me the task of figuring out how to do that. Here’s everything I wished I knew when I started.

  • “Buy, Measure, Bake & Share”
  • Metrics via OKRs (John Doerr, What To Measure)
  • Get buy-in, work out how to measure “improvement”, get everyone involved, and open-source your process
  • Don't dictate, give people tools to be responsible for getting better themselves

CHCon MATTHEW RUFFELL – THE STORY OF THE “UNCRACKABLE” LOCKBOX, AND WHY HACKERS NEED TO WORK ALONGSIDE DEVELOPERS, https://2019.chcon.nz/talks/matthew/

I was scrolling reddit, and a post came up from a developer with their own homemade encryption program. They issued a challenge: break open the time sensitive uncrackable Lockbox, and you will receive 0.02 BTC. Just in it for the entertainment of seeing how bad their encryption was going to be, I had the Lockbox open two hours later. I wrote up a blog post detailing how I managed to break in, and thus started a series of new challenges, each more complicated than the last, as I worked with the developer to strengthen their program. All challenges had the same thing in common: The developer kept making fundamental mistakes when it came to security, and I defeated five of his challenges with simple attacks straight from the security 101 textbook. In this talk, we will reverse engineer five versions of the TimeLock program, review the disassembly of simple vulnerabilities and use our debugger to exploit the program into revealing its secrets.

  • An excellent tale of how someone thought they could write a security-related program without understanding how attacks work, and how they were (co-operatively) educated by simple reverse engineering ...
  • Don't roll your own crypto code
  • Don't trust the machine your code is running on
  • Don't trust “the Internet” to tell the truth

CHCon MICHELLE BURKE – FOR GOOD OR EVIL: WHY DO YOU NEED MY DATA?, https://2019.chcon.nz/talks/michelle/

Our lives are lived increasingly inside the tubes of the internet and our data is flowing freely through it. Some of us have better opsec than others (and our families are probably terrible and don’t even understand what opsec means), but how we build the applications that we use for interacting often collect more than they need to. Are you actually doing the right thing or making the world a little worse?

  • Because too much data is being collected for “no valid purpose”, perhaps you should feel free to provide details that don't uniquely identify you in the same way.
  • Who doesn't like to receive that store voucher addressed to “Dear Princess”, just in time for your seasonal/Christmas shopping sprees? You don't have to provide your real details.
  • Because some places that you “trust” make terrible mistakes (https://www.stuff.co.nz/national/health/115586450/new-zealand-depression-website-exposed-test-results-to-thirdparty-companies) and when they say “All user information collected on www.depression.org.nz is non-identifiable – no identifying information eg, names, email addresses etc are collected” they are forgetting your session cookies which link your details from other places.

CHCon “ALEX” – STEALING CHROME COOKIES WITHOUT A PASSWORD, https://2019.chcon.nz/talks/alex/

If you steal someone’s Chrome cookies, you can log in to their accounts on every website they’re logged in to. Normally you need the user’s password to do it, but I found a way to do it without the password. You just need to be able to execute code on their computer. It works by using Chrome’s Remote Debugging Protocol. To my knowledge this is the only way to extract a user’s Chrome cookies without their password, and by far the easiest way. It involves plugging together several extremely forbidden and undocumented Chrome features, as well as figuring out how to speak the websocket protocol stealthily on a victim’s machine. This talk is about how the technique was found, how it works, and what you can do with it.

  • “Alex” (Purplecon organiser) has found a new way to get Google Chrome to give up its cookies, if you can run commands as the targeted user. https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
  • TL;DR – The Remote Debugging Protocol combined with a Headless browser, pointed at the same Profile directory as the user's real GUI browser, will let you extract their secrets.
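From the defender's side, the combination in that TL;DR is something process-creation telemetry can spot. The detection below is an added example of mine, not code from the talk or the write-up; the log line format, the sample events and the Linux profile-directory markers are constructed assumptions, and the Chrome switches it looks for are the documented ones for headless mode, remote debugging and the profile directory.

```python
import re
import shlex

# Constructed sample process-creation events, not real telemetry. One event per line:
# "<iso-time> user=<name> cmd=<double-quoted command line>"
SAMPLE_EVENTS = """\
2019-10-25T09:01:12Z user=alice cmd="/opt/google/chrome/chrome --profile-directory=Default https://mail.example"
2019-10-25T09:02:40Z user=alice cmd="/opt/google/chrome/chrome --headless --remote-debugging-port=9222 --user-data-dir=/home/alice/.config/google-chrome"
2019-10-25T09:03:05Z user=bob cmd="chromium --remote-debugging-port=9222 --user-data-dir=/tmp/puppeteer_dev_profile"
2019-10-25T09:04:00Z user=bob cmd="/usr/bin/firefox"
"""

EVENT_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')
CHROMIUM_BINARIES = ("chrome", "chromium", "google-chrome", "msedge")
# Assumed Linux locations of a person's real profile; a throwaway dir (e.g. /tmp) is typical of test automation.
REAL_PROFILE_MARKERS = (".config/google-chrome", ".config/chromium")

def parse_event(line):
    """Split one sample line into ts/user/cmd/argv; None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["argv"] = shlex.split(ev["cmd"])
    return ev

def assess(ev):
    """Return a finding dict for a suspicious Chromium launch, else None."""
    argv = ev["argv"]
    exe = argv[0].rsplit("/", 1)[-1].lower() if argv else ""
    if not any(exe.startswith(name) for name in CHROMIUM_BINARIES):
        return None
    # Map each --flag[=value] switch to its value so the switches can be reasoned about by name.
    flags = dict(arg[2:].partition("=")[::2] for arg in argv[1:] if arg.startswith("--"))
    if "remote-debugging-port" not in flags and "remote-debugging-pipe" not in flags:
        return None
    profile = flags.get("user-data-dir", "")
    on_real_profile = any(marker in profile for marker in REAL_PROFILE_MARKERS)
    # Headless + remote debugging + the user's own profile directory is the combination the talk
    # describes; remote debugging by itself is common in dev tooling, so rank that lower.
    severity = "high" if "headless" in flags and on_real_profile else "medium"
    return {"ts": ev["ts"], "user": ev["user"], "severity": severity, "profile": profile}

def detect(events_text):
    """Run assess() over every parsable line; findings come back in log order."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        finding = assess(ev) if ev else None
        if finding:
            findings.append(finding)
    return findings
```

In a real deployment the same logic would sit on EDR or auditd process-creation events rather than this toy format, and the medium-severity hits would need allow-listing for developers who drive Chrome from automation.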