After a few days in Las Vegas and after BlackHat, DEFCON 25 is finally over! It was an amazing time around awesome people.
I didn’t attend all the talks, but most of the ones I saw were interesting:
- There’s no place like 127.0.0.1 – Achieving reliable DNS rebinding in modern browsers, by Luke Young.
This talk presented several ways to bypass protections against DNS rebinding, and ways to access data from an internal network using these techniques. Several mitigations were also presented, one of them being, to not use strong authentication only for external resources, but to enforce them for internal resources as well. He released Jaqen, a tool used to reliably execute DNS rebinding attacks using different methods.
- The Brain’s last stand, by Garry Kasparov.
- A New Era of SSRF – Exploiting URL Parser in Trending Programming Languages!, by Orange Tsai.
This talk presented the weird behavior of URL parsers and how to get a RCE in Github Enterprise using a chain of four vulnerabilities exploiting SSRF.
Tor developers have been working on a new generation of Onion Services to make them stronger to resist censorship and to provide several interesting features that the current generation doesn’t have. This talk also explained that {Dark, Deep}Web is not really a thing and is most of the time used as a marketing nonsense term: the biggest website using Tor Onion Services is actually… Facebook.
- How We Created the First SHA-1 Collision and What it means For Hash Security, by Elie Bursztein
This talk presented the impressive research and results from Google and CWI which led them to get a way to get SHA1-collisions after several years of work and intense computations. Some unexpected consequences have also been presented, like the Webkit repository corruption. Counter crypt-analysis mechanisms used to detect these collisions implemented in Gmail and Github have also been explained.
This talk presented internals of wind turbine control networks, and how security is totally absent from their design: unauthenticated APIs, flat network, false security claims from vendors…
- Microservices and FaaS for Offensive Security, by Ryan Baxendale
This talk presented a very cheap (but efficient) way to leverage DDoS and bruteforce attacks against websites and OTP systems, using several Microservices providers.
- Abusing Webhooks for Command and Control, by Dimitry Snezhkov
This talk presented interesting ways to use webhooks and Github as a broker C&C to exfiltrate data in a constrained environment. Github issues and comments were used as a communication channel. A proposed mitigation: to restrict outbound access to required Github repositories only.
- Demystifying Windows Kernel Exploitation by Abusing GDI Objects, by Saif El-Sherei.
This nice and technical presentation explaining the process to get Ring0 exploits primitives using GDI, and analyzing security issues MS16-098 + MS17-017 with the first standpoint.
- MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt), by Chris Thompson
This talk presented the new features and developments related to Windows Defender galaxy…. and how to get around the new defense mechanisms introduced in latest Windows 10 versions.
Apart from these talks, villages and panels were very exciting places to attend. SE-Village, Recon-Village, Crypto and Privacy Village, Voting Machine Hacking Village and Packet Hacking village were particularly great! Also, the EFF panel on Friday night was nice to get updates and discussions from EFF directors and attorneys.
Recorded presentations and workshops are available on media.defcon.org .
This was a nice (but very crowded!) edition, looking forward to next year!