Defcon is 20 Years Old in 2012
Defcon 2012 marked its 20th anniversary with unexpected speakers, some pretty tough content, and the cultural dark magic that buzzes the conference every year.
The Dark Tangent welcomed Mark Weatherford. an ex-Navy and Raytheon security guy that became the CISO of the State of Colorado and California and then CSO at the highly regulated NERC before recently moving on to a top spot at the Department of Homeland Security. Weatherford provided some insight into the amount of attacks he sees every day, and then moved on to explaining that some of the best people he is working with don’t have a college degree and some recruiting – they are hiring.
The next, huge name that Dark Tangent brought out was General Keith Alexander, Commander of the US Army CyberCom and Director of the NSA/CSS. It seems to be a sign of the times that the hacker community would be approached by the individual building out what is becoming the largest group of “cyberwarriors” in the world, attempting to draw shared principles and parallels between the groups. The guy was genuinely funny, rolling out jokes throughout his talk and Q&A answers, inviting kids onstage and showing off multiple tshirts. Aside from the explanation of their mission and the recruiting talk, a couple other interesting topics came up. According to Alexander, folks should know better than claiming that the NSA maintains files on every individual in the US, and he thinks that the Cybercom doesn’t need to become larger than the current US Navy, partly because of the power that automation and smart work provides. Oh, and they are hiring. It was a repeated theme this past week.
A couple of the talks were shocking in their presentation. FX from Phonoelit and Recurity Greg analysed just how bad Huawei router code really is from a security perspective, it was almost unbelievable for a product line from a $21 billion company. Their preso began with a Code Quality slide that they claimed was almost left empty. Every slide’s content made it seem like Huawei security practices and implementation couldn’t be worse than suggested by the previous slide, but it did. And it was bad. After pouring over the router codes’ open services and inability to be disabled, they described a lack of security advisories and updates, interrupt tables with RWX access, a Chinese-only debug interface, a lack of any communication channel whatsoever for reporting vulnerabilities, and a lack of real security development lifecycle throughout the code development, they followed Huawei’s lead and copy/pasted their decades old Cisco IOS exploit code into exploits developed for these Huawei routers, targeting 90s style vulnerabilities. The company clearly has’t also taken security lessons learned from Cisco’s experience in this space.<img src="http://www.viruss.eu/wp-content/plugins/wp-o-matic/cache/b9d60_6a2fe834b0twitter-wb-fm.png"
At first, I was disappointed that the “Dr Strangelove” nuclear power plant SCADA system talk was cancelled without notice to attendees until arrival at the talk. It was replaced with a talk on SCADA HMI (or human management interfaces) security issues from Wesley McGrew titled “SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90’s Flavor”. At face value, it sounded comparably uninteresting. But, it was eye-opening. The talk itself weaved through known, commonly approached technical problems that were met with disturbingly juvenile, incorrect security implementations – these systems are critical infrastructure and security requirements are not being met. This talk was complemented by Alberto Garcia Illera’s pen-testing adventures in the transportation systems of Spain, using simple, unforeseen flaws in publicly accessible systems, to peel layers back until they reached the poorly protected SCADA systems called “How to Hack All the Transport Networks of a Country”. The first talk revealed incredibly weak implementations in SCADA systems, and the second revealed exactly why those weaknesses need to be fixed and better understood by their developers and vendors.