Aloha, welcome back to the Cyber Underground. I'm your host, Dave Stevens. Last week we had an attempt at a live broadcast from the floor of DEF CON at Caesars Palace, Las Vegas, and today we're back in Hawaii. We didn't quite get the sound right, but the episode's already been viewed quite a few times, and we had interviews with the students that actually went out there. And the reason I kind of casually titled that episode "How to Be a Hacker, Part One" is because it's important to know that if you're going to go in to become what they now call a security researcher, you need to go see what things are being done, hear these presentations, actually put your hands on the tools, meet other people in the industry and make some contacts. That's important. Next week we're going to be taking this to the next level: "How to Be a Hacker, Part Two" will be going over the first phase of an attack, which is reconnaissance. We'll be doing some open source intelligence and giving you a view of Wireshark and some Nmap tools. Today we're going to wrap up what happened at the DEF CON conference and, of course, the conference before that, Black Hat. And we'll be talking about the presentations and some of the fears we have now. And I think our co-host Andrew had a great term for this. Andrew, the security guy, said, "Brother, the world's broken." Brother, the world's broken, but at least I'm not wearing makeup, like Dave. Dave's wearing makeup over there. He's got some number five pancake on today, I found out. It's anti-glare, anti-glare. No worries. Amazing stuff. We've got Professor Hal, we've got Professor Dave, we've got Andrew's dumbass over here. Anyway, we saw a lot of really cool stuff. I spent a lot of time in the Arsenal, so if we can touch on some of those, I'm happy to share some of those. It's a demonstration mode: you go there and you see people demonstrate different tools and techniques that they use in the industry, and you saw some that were pretty interesting.
Some... one of the very first ones I happened to walk in on was Cumulus. This guy... actually it's a toolset that he built that works on, you know, your cloud services, but it works on account escalation and then account takeover and then actually a way to launch unauthorized payloads, right? And ultimately he showed us absolutely launching an instance of an account, setting the privileges on an account that enabled it to lock everyone else out of the original account. It was amazing. So you get command and control through this tool? Yeah, yeah, through this tool. And I was like, this is not good. This is our cloud, like we have all of our stuff there, and he's gonna lock me out of my stuff. I mean, but the research he was really doing was trying to show you how a lot of these privilege sets are, you know, star-dot-star, "*.*", right? So you really need to be careful when you set these instances up to go in and apply all the right controls. And that's kind of what he was able to take advantage of. So let's talk about that. The star-dot-star is a notation that programmers use to say "everything." Yeah, and then the directory structure, and whatever I am and below me, just take it all. And the star-dot-star notation has been used by default. When someone's programming, it's an easy little notation to put in there, and you always think, oh, I'll come back and fix that later. But then if you don't, then you have this problem, right? Everybody at your level or below gets everything. And if you're administrator, well, the world is yours. Yeah, and this role creation tool, he gave that role that privilege set, right? So it was pretty powerful. Snowden did one of these, the privilege escalation: he created another account that wasn't him, and then he escalated that account's privileges and then did his... Maybe that's where this guy learned his tool. It was really amazing stuff. So that was one. What did you see, Hal?
Well, I saw so many things that made my head spin. The Arsenal was the demos, right? At Black Hat. Yeah. And then we had presentations at Black Hat; they call them the Briefings. You go into a big room for about 40 minutes. I couldn't afford that. Thankfully, we got a teacher's discount on that. Yeah, right. Everything from social engineering and phishing to industrial systems being hacked. One of the more interesting ones that we saw was the car wash, where they actually had a car wash that was on the internet so that the owner could log in and configure the car wash and get statistics of, you know, how much water did we use today? How many cars did we do? But they used that internet connection to log in and hack into it. And they programmed it to attack the car. What? They drove the car? Well, like the wash, it just started beating it. The door would crash down, they would spray with water, they would crash down and smash the hood. No. Where is it, in the US? Or was it outside? Yeah, just in the US. What they found was that on the website that they put up, in the URL you could see that they were calling DLLs, these dynamic link libraries that were sitting on a server somewhere. And he masterfully just went through one at a time, finding out which functions were available on this, and which functions didn't just bring back statistics and present reports but actually had command and control of the servo motors that control the mechanics of the robotics in the car wash. And he said, oh look, I can control the door through the website. So this is all in the URL of the browser. The way that he was able to get administrative access was just a mistake in the code where it said if you could cause an error during the login process, instead of kicking you out, it lets you in with admin rights. Oh, that's a flaw. It was a check to see, okay... The first thing he did is that whoever logged in, it escalated you to admin. You're the administrator.
Then it said, let's do this check to see if you're supposed to be admin. So if you threw something in there that made it fail, it would just go to "continue." Wow. And continue means leave the person at administrator. And so this is bad code. This is horrible. This was really bad code. Someone had really messed up on this. We know it's 95, and some kind of C code. This was also a website, and I think HTML. Yeah, like try/catch. This was in... No, this is just a regular if-then-else. Oh, wow. Yeah, it wasn't even a try/catch, I believe. So yeah, the error condition was just: continue as administrator and let the person do what... Interesting. A glitch, that glitching attack. I saw another one, this was in the Arsenal, it was called ChipWhisperer. And this guy's been at this for a little while. They basically monitor the power consumption of a chip, right? And by monitoring it, you can actually see the differences in the type of data that's clocking through it, to the point where you can see the bits and the bytes and you can then decipher what they mean. So by capturing the power on the chip when it hashed an RSA 1028 key, he was actually able to decipher that key with the software he built that, you know, deciphers that power registry, you might say, that piece of code, or the power monitoring of what that chip did when it brought that key across. And he has to do it by introducing a glitch in the power wave to find out where it starts, to see where the base is. Yeah, base. So once he can restart it, which he does by just a minor power fluctuation, then it has to re-initiate, and when it does, it hashes the key. And so then he could see that. And he's decrypted the key right there. So I mean, it took minutes. This is why Red Bull and Monster are so popular and are doing so well right now.
Because can you imagine how many Red Bulls you'd have to drink to stay awake and do this work and figure this out? This must have been a tremendous amount of work. And this, you know, is something I'm familiar with: I'm familiar with oscilloscopes, I'm familiar with power waves and what I'm looking at, but I had just never seen someone take it to this level. And these are the chips that are in our phones and stuff like that. There are chips apparently you can buy, he talked about this, some industrial-grade chips that offset some of this problem, where they dual-process, or they process a one and a zero at the same time, so it biases the power, so you really can't read this. But manufacturers don't want to pay for those, so they buy the cheap chips, and you get this hacking capacity, or capability. I was very impressed with that. It made me feel like nothing's safe. So that process is called probing, and you can do that with leads and an oscilloscope. And there are chips out there that, you know, the DoD, DHS, all those people, they use the chips like you're saying that offset some of that, so you can't probe them. But some of the chips, since probing actually can apply heat, you know, you can't help it: as soon as those leads apply a certain amount of heat, the chip knows it's being hacked and burns itself. It'll take the master two leads and connect them, and that's it. You have a permanent short and the chip's dead. They talked about the SIM cards in your phone. If you've ever seen a little SIM chip, it does the same thing. If it gets a serious error condition or you try to probe it, it'll burn itself. So they are safer, I think they are safer than you think. But it's just a matter of time. Someone's going to break it. If you make it, they'll break it. And if you look back at history, this is a historical lesson for you players out there, please listen to me.
Don't ever think the walls of Troy will keep out the enemy. Over history, no matter how big the city was, no matter how many men in your army there have been, no matter how good you are at fighting, someone takes you over. Sparta fell to Rome. Troy fell. Everybody falls. So build your walls, but just expect them to come down if you don't keep changing and adapting and doing things like going to these conferences and seeing what the latest hacks are. For instance, and this one just blew my mind, we sat in a presentation of the new Microsoft Threat Protection and Microsoft Threat Analytics. So this is the enterprise system that they put out on a master server that controls the system, where every host, which is a physical device on the network, actually runs this little piece of software called Advanced Threat Protection by Microsoft. And it's kind of like antivirus and anti-malware, and it reports back to the mothership, the ATA analytics engine. And this is great. And it runs as a host-based security system. The DoD has been doing this for years. McAfee ePolicy Orchestrator is the same thing. And it's kind of an "it takes a village" theory, you know, every piece of the network is participating, so you can analyze all the traffic and compare it to previous attacks and see if you should shut this one down and isolate that system and so forth. And it's already been hacked. What? Yeah, he demonstrated this right in front of us. He demonstrated it and then said, oh yeah, this is really advanced, but you know, just use this, you know, go over here, use this port from SQL Server. It's not looking. And here are the ports that it is looking for; here's the process. He had it down to the process IDs in the Task Manager in Windows: these are the process IDs that, if you're faking something, don't use those, because it's looking for those. I see. Yeah, he listed like five of them. Wow. It's already been broken. It doesn't come out till next month. Oh, wow.
And Microsoft presented this, or was it a security researcher, aka hacker? And these guys get on the advanced list, you know, Microsoft pushes out its stuff for testing, and he's one of the guys that tested it. And I hope he told Microsoft, but I'm sure Microsoft has representatives walking around gathering this intel, right? I'm hoping. But yeah, it was hacked right in front of us. He told us five, six different ways to do it on the machine and on the network as a whole, to capture the network. So these are important security conferences where people present. We also saw a healthcare presentation that was just the most depressing thing I've ever seen in my life. Depressing. Oh, it's depressing. It is the state of some healthcare organizations, especially the smaller vendors in the more rural counties: they just don't have budgets allocated properly so they can upgrade their systems, secure their systems, hire the right people, or hire them at wages that actually will attract the talent. Yeah, that's a big problem, right? The islands are experiencing that. And that's something I harp on all the time: if you hire the right talent, you need to show them that they're worth, you know, what you're looking for. If not, someone else will. I mean, you know, two million people projected shortage. So, you know, if you've got good people, you'd better try to hold on to them. Yeah, we don't have those people yet. We keep trying to train them at all. There's a couple. I wish I was one of them; I could make some serious money. Yeah, but Silicon Valley takes them, and Seattle, Chicago, New York, Manhattan is a big consumer of those people. Austin, Denver, Lake City, I mean, the tech hubs are coming up everywhere, man. That's right. Salt Lake City, and Sioux City, South Dakota. Sioux City, Sioux Falls. Yeah, Sioux Falls. Yeah, yeah, exactly. Falls, yeah. Tech hubs are changing. Yeah, what other presentations did you guys see that just freaked you out?
We've got a couple minutes before the break. Alright, I've got one, I've got a cool one. This was interesting because it wasn't so much a technical hack: this guy had been contacted by companies that wanted to be able to fight drones. How can I detect the drones coming onto my property, or coming to look at my development or my research or whatever? And so he went and tried to find some way to help these guys defend. Well, all of these people advertise that they have all this anti-drone technology. He could find none of it that was actually available. He couldn't purchase it from anyone. They're like, well, we're in beta and we're in development. And these guys who showed... you probably saw the trained eagles and the trained falcons. Well, there's like one of those that's been sold to some military, right? And so it was really fun, and you probably see people with drones carrying nets and people shooting net guns and all this kind of stuff. And he did get hold of one of those, and it's supposed to shoot like 50 feet, and he shot it and it goes like 10 feet. It was just ridiculous. So it was really funny how he exposed that this anti-drone industry doesn't really exist, you know, but apparently it's coming. And no one would give him prices for anything either, so he couldn't figure out what anything would actually cost if they actually did make funding. Yeah, that was an interesting one. Okay, so we're going to take a little break here to pay some bills. We're going to come right back. Don't go away, and stay safe. Aloha, my name is Steven Phillip Katz. I'm a licensed marriage and family therapist, and I'm the host of Shrink Wrap Hawaii, where I talk to other shrinks. Did you ever want to get your head shrunk? Well, this is the best place to come to pick one. I've been doing this... we must have 60 shows with a whole bunch of shrinks that you can look at.
I'm here on Tuesdays at three o'clock, every other Tuesday. I hope you are too. Aloha. No, you're going to get home a lot. For every game day, assign a designated driver. Welcome back. Thanks for staying through the break. I'm Dave Stevens, host of Cyber Underground, with me here today the Professor Hal and Andrew the security guy. Hello everybody. We're talking about the wrap-up of what we saw and what freaked us out: how the world is broken, at Black Hat and DEF CON. And I wanted to share: Hal and I were at DEF CON. We actually met the inventor of this tool while watching this demonstration. We couldn't quite figure it out, so we actually asked the kid who invented it, 19 years old. He and his dad came over and told us about it. This freaked me out. So most people will think if you put a device on a network to exfil data, or withdraw data off your network, they'll use regular Wi-Fi channels, which is about 2.4 gigahertz to 5 gigahertz, somewhere in the range, right? And he said people are looking for that. So he invented this one: he plugs it into a network and it exfils data over FM, which is, I think, 15 kilohertz on up to like 1.9. Okay, it's the lowest band. But he said wherever you go, you have to look to see where the radio stations are so you don't overlap a radio station. But then you use regular FM and nobody's looking for it. And it broadcasts everywhere, just on an FM channel. So they don't know; there's no endpoint written in, right? So you can be anywhere within range and you just tune to it and you can download whatever it's broadcasting. That's right. It's probably not all your data, but FM frequency... Well, it's modulating. How incredible. And he said he's trying to modify this unit so that you could plug it into a network and it could compromise the network, take over whatever the network is. And it costs $5 and it leaves no clues. Well, the Raspberry Pi. So it's just this big. Yeah, just hide it somewhere on the network, and it just goes to work.
Yeah, the rest should be fairly similar. There are enough of those tools built on USB sticks and stuff that'll be able to get you in. Oh, sure. I mean, I would think he's already done that by now, since it's been a week. Well, there are multiple barriers to overcome, right. And as long as you're grabbing an IP on the network, now you've got to shelter your IP; you can't pretend to be a host on a network that's protected by a security system, it's going to see it as a rogue IP on the network. But I'm sure he's figuring all these things out, because this is not new information. Yeah, or come in by USB through someone else's connected machine that is allowed there, right, something like that. Right, right. So this, I mean, to me was genius. Wow. The more low-tech you get, the easier it becomes. For example, we saw a presentation on email phishing. So they were putting up these images of some of the actual legitimate emails coming from some of the providers, which I won't mention, and they're text-based. They might have an email link in there or something for you to reset your password, or there's something wrong, but contact us please. But it's very plain-Jane text with a little bit of an email link in there. But people are replicating this; they're doing another email, and they're putting all kinds of fancy graphics and HTML and CSS in the email. And it doesn't look anything like the legitimate email, but it's got a higher click-through than the legitimate one. Really? Now, wow, that's sad. So people are going for what's pretty and neglecting to think, oh, is that what it actually looks like? A lot of the time: oh, they must have just changed their style or something like that. People just assume that the fancy, pretty-looking one must be the valid one, right? Because hackers won't put that much work into it. Yeah. They must be able to afford to make it appealing. Yeah. Wow.
This is something to look for, because I use Amazon Web Services for some stuff, and they have features in there like Lambda, which has been broken. I won't say how they did it, because it was so simple; it was horrible. I'm sure AWS will fix this in no time. But when they send you emails, it's kind of plain Jane. But I've got phishing emails from people that are beautiful. I mean, they did wonderful graphics and CSS embedded into my emails, and then of course the JavaScript, which would work if I clicked on it, right? It's just an amazing amount of work that goes in there. I guess the output, what they gain, must be tremendous to put that much into it. Yeah. More people that they can own. Yeah. Oh, this just flashed into my mind. We were going to talk about this. Mark Hutchins, the man who is credited, in Great Britain, right? He's credited with stopping the first outbreak of WannaCry. So WannaCry, the ransomware, was infecting machines in Great Britain and the national health system was going rogue. And he figured out that every time this virus activated, it needed to go to the internet and look for this one website. If the website did not exist, then the ransomware would continue doing its evilness. But if the website was there, it would figure that whoever created the Frankenstein, WannaCry, it would think, oh, he wants me to stop. So the kid just went out and registered the website and put an HTML page up there, and done, stopped WannaCry. And it helped the US a lot, right? Because he did it before it really took off here. Yeah, I think it shut it down within a couple of days, right? He was right on it. It must have taken a tremendous amount of work. The kid's an absolute genius. And he came to DEF CON and presented that; I think he talked about how he found that. On his way out, at the airport, the FBI swoops in and picks him up and wears him. For Kronos, the Kronos hack. He's the Kronos hack.
So I think currently they're saying he was involved with some of the malware creation or distribution of Kronos, which ultimately led to some banks losing some money. So I don't know details, but that's what they're saying. I think this is one of the main topics we need to discuss at some time. These security researchers are all people that have had a colored past. Let's just... do you think? Yeah. And to get these people to come to speak, it's like bringing them to a honeypot where law enforcement can just swoop in and take their pick. And I don't think that's right. I think we need to hear from these people. And good or bad, the stuff that they bring to the table is actually helping us defend our country. And if they're afraid to come speak, if they're afraid even to put something on the web, we're never going to know, and the attacks will be even more prevalent. So this transparency, this open network that they want to construct, needs to keep working. Law enforcement, I think, needs to work with these guys. What do you think? Yeah, I hope so. But I mean, if you stole, you know, you should probably come clean and go talk to them about it. Like, you know, nowhere's... like, you know, it's risky. If you committed crimes in your past and you're going to be out there, they don't really stop looking, you know, actually. So, you know, you should just say congratulations, here's a new apartment. Well, you should maybe get a lawyer and have the lawyer reach out to them and let them know, and admit your involvement and see what you can negotiate for yourself. I mean, you know, if you truly are guilty of a crime, I'm sorry, but they're probably looking for you. You know, they have ways of learning who you are eventually and what you've done. And so, you know, they've been mad at a lot of people lately. So it brings up another problem, though, right? Security research depends on people saying, yes, you can come research what I'm doing.
But if they say no, right? The car washes, the three different car washes, said yes, you can do this. So the car washes were OK. But if you want to hack something like Microsoft's threat protection system or a bank, a bank's probably going to say no. No one's going to say yes. How do you research how to attack? Well, you can do the research without stealing the money. You can, but you've still broken in. You've still broken in. Of course. And so then that's where that ethics comes up: go to the bank, say, look, here's what I've been able to do. And you need to talk to their people, right? Like, you might have to do it. And you can get arrested on the spot. You might, but probably not unless you take their money. If you take their money, it's different. I think you need to talk to them first before you even try to do, you know, to break into anything, because otherwise... Because you know when you're in, like, you know, the researcher knows when he's in. What's his hack work? Getting in, and then doing things once you're in. There's a line there. Once you're in, you've broken the law. I agree, but you can also go to them and say, you have a flaw and this is how I can get in. And I don't know. Getting in and doing stuff is different. Well, if I came to you, for your company, you were a bank, and I said, hey man, I actually got in. I didn't do any damage, but I got in. I'd say thank you. I think I'd pay you some money. I think you're unique. The banks might say, well, thank you very much, and call the FBI. They may call the FBI on you, but I mean, is your crime getting in? Is your crime presenting the research? I don't know. I mean, it's definitely an area of business to deal with, because we need the research to happen. We need this. Yeah, we need the research.
And I think everyone would agree that they need it to happen, including the bankers of the world and the critical infrastructures of the world. You know, we need to know what these problems are, but don't go in and open the dam. Don't go in and drive the nuclear rods up, and don't go in and take money from this guy and put it in your account. I mean, come on, that's where the illegal action occurs. You know, I think if I were smart enough to figure out some of these hacks, I think I would risk taking it to them and saying, here's the vulnerability that I found. I think if you go through these steps, you can gain root access to this, and then let them go through it. You know, you can share your research with them without, you know, doing it. And you can even say, someone showed me this; it doesn't even have to be you that did it. The people that are training these kids to do this, it's kind of a liability now. I mean, we're training the foot soldiers in this new war. Oh, you guys are definitely, you guys are accomplices. Like, we're accomplices to... we're going to make all the audience accomplices next week when we start showing them Nmap and all this stuff. That's right, Nmap and Wireshark. You're going to go over the stuff that... so there are pretty much seven agreed-to phases in it. Yeah, in a kill chain. The first one is recon. So we're going to go over a little bit of open source intelligence, you know, how to get, you know, stuff that's already out there, it's in the public, and, you know, scanning the network with Wireshark and just capturing traffic in promiscuous mode, where you just grab everything, or Nmap actually starting to poke out there and see what's open and why. See what's open and why. But even so, we should say that you should use this on your own network or a network that you have permission to probe. You don't want to use this on the wrong network. Yeah, Nmap breaks a lot of IoT devices.
Yeah, it's powerful, which is cool. I want to talk about this other thing, because this had to do with probing. This other one I went in on was the guy who was researching the CAN buses in cars, right? So cars and aircraft use this CAN bus to talk, you know, from your... everything's digital, right? So that's talking: when you push the gas pedal, that's all digital, that it shows up on your thing, that it actually accelerates the car, all this kind of stuff, right? And there are multiple CAN buses in the car. So what he does is, and he works for car manufacturers, but he's built a tool that allows him to insert data, junk data, problem data, to see what happens to these CAN buses. Well, it's not good. So he was just showing us, like, one of them, the car just keeps running: you can turn it off, you can disconnect the battery, there's nothing you can do about it, it just won't quit running. And then another, so he had it disconnected and it would quit, and, without doing anything else, you just hook the battery back up and it just comes back on, you know, and all the lights are going, like it's... so these systems are very fragile. Totally vulnerable. And he was able to demonstrate this. But his research has led him to say, look, these guys need help understanding what can be done to these, because they just look to make them work, not to break them. Well, we're gonna have to wrap it up. Is that it? Every car has this now; that's scary. Okay, maybe next week we'll do some more. Thanks for joining us on the Cyber Underground. We're gonna come back next week with How to Be a Hacker, Part Two, on the recon phase of an attack. I hope you join us next week. Until then, stay safe.