Threat Research

DefCamp 2016

By Axelle Apvrille | November 18, 2016

This was my first time at DefCamp in Romania, and it was definitely a good experience. DefCamp was an interesting mixture of not so technical talks (but with acute insights) and technical ones.

Among the "not so technical" ones, I liked the following:

Do Tinder bots dream of electric toys?

Tinder is a match-making/dating application. Inbar Raz decided to test it. He created a profile according to online guidelines (images with animals, images looking official, etc.) and quickly got many matches. turned out that they were all bots. The names were sometimes real, but the picture different, and a bot was obviously answering, and in the end, always pointing to a shady website.

Real-world lessons about spies every security researcher should know

David Jacoby and Stefan Tanase talked about strange encounters security researchers occasionally have (e.g non-ethical hackers, government agents, etc.) Their talk was also an illustration of how social engineering can affect security researchers. Spies live a different life, and they made a good case that we security researchers should stick to our research roles.

Split personalities: the psychology of social engineering

This was an entertaining talk by Dave Chronister. He insisted that people who fall for social engineering are not stupid  but just human. I tend to agree: everybody can fall for social engineering if the 'scenario' fits the situation or our experience. We tend to trust people. Our emotions often have us make non-rational decisions - even if we try to find a rational justification for them afterwards. ;)

On the technical side, I appreciated Amihai Neiderman's two talks.

DVB-T hacking

This talk was quite amazing. Amihai dumped the firmware of his DVB-T equipment from an onboard flash memory chip. Then he decided he needed a debugger. Of course, there's no such debugger online. So...he wrote his own! And that's how I began to understand (surely only parts) the work required for writing a debugger.

Then, using his debugger, he spotted a vulnerability in the implementation of the DVB-T standard: there is one structure out there which is meant to have a variable length, but the implementation assumes there will also be only one entry. I won't pretend I understood how he then exploited that, but he did.  ;) I'll have to read his slides again, and so will you. ;)

How I hacked my city

This talk did not uncover any extraordinary new hack or exploit, but the methodology was interesting and I appreciated that Amihai detailed how he worked his way through (port scanning (note that this is illegal in some countries), then identifying the device, retrieving the appropriate firmware, unzipping it, having difficulties with a squashfs filesystem...which turned out to be a ext2 filesystem etc.)

It seems this talk has been given at several conferences BSidesTLV, Hack.Lu, and you can watch it here.

Sidenote: I see that many peers re-use talks in several conferences. I know it's so much work to prepare a talk. However, I think it's fair that organizers and speakers are explicit about it – they just need to say "this was also presented here and there." Otherwise, you feel you are hearing exclusive content, and it's a bit disappointing to find out later that it's not. I myself try at least to add a few novelties in each of my talks. If not, from now on, I'll be explicit about it. Just saying. But that research was cool.

My own talk: Infecting Internet of Things

This talk was on the technical side, with a PoC ransomware and a PoC trojan on smart glasses, and a PoC SMS dialer on a smart watch. And my PoCs on the smart glasses hadn't been shown to previous conferences – it was a special exclusive for DefCamp attendees :=) I'm sure many people attended the talk just to see my strange look with the smart glasses on and showing them what I saw. If you attended, I hope you appreciated it, and I apologize for the presentation issues I experienced with displays (no mirroring because no compatible resolution between my screen and the presentation), which made the talk not go as smoothly as it should have. My slides will be available on the website shortly.

Meanwhile, my colleague, Raul Alvarez, gave (at exactly the same time in the other track) a talk on Reversing a polymorphic file-infecting ransomware. I heard it went well too, although obviously I could not attend ;)

-- the Crypto Girl