Con-a-thon Talk Notes
In my last post, I provided a high-level summary of each of the three Las Vegas conferences, but no real technical meat about what I learned while in the desert. I'm going to take a few moments to type some notes or musings about the talks I attended for posterity.
BSidesLV
- Skull And Bones (And Warez) - Secret Societies of the Computer Underground (and why you should create one too): This talk provided a history of the early days of the "hacker community" and how this model of escaping persecution (be it minor or major) has been prevalent through history long before the information age. While this was not a technical talk, it was very interesting to learn about the early "warez" scene and early demo groups active on dial-in BBSes.
- Strategies Without Frontiers: This talk provided a primer on game theory and worked its way into long-term, repeated games, or games in which the payoffs change over time. This was shown empirically using a Haskell type system to model populations of different player types as the game continued. I felt as if the speaker did not have enough time to tie the background back to information security during the talk, but it should be interesting to see how this synergy evolves.
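The population-of-player-types idea from the talk is easier to see with a small simulation, so here is an added example (my own code, not the speaker's Haskell model): an iterated prisoner's dilemma with three strategy types and a replicator-dynamics step, where each type's share of the next generation is proportional to how well it scored against the current mix. The payoff matrix, strategy names and initial population shares are constructed for illustration.

```python
"""Iterated prisoner's dilemma with a replicator-dynamics population step.

Added example: shows how the winning player type depends on how long the
game is repeated. With a one-shot game, defectors grow; with many rounds,
tit-for-tat grows and defectors die out.
"""
from typing import Callable, Dict, List, Tuple

# Standard prisoner's dilemma payoffs (row, column): T > R > P > S.
# Constructed values for the example.
PAYOFF = {
    ("C", "C"): (3, 3),
    ("C", "D"): (0, 5),
    ("D", "C"): (5, 0),
    ("D", "D"): (1, 1),
}

# A strategy sees its own history and the opponent's history and picks a move.
Strategy = Callable[[List[str], List[str]], str]


def always_cooperate(own: List[str], opp: List[str]) -> str:
    return "C"


def always_defect(own: List[str], opp: List[str]) -> str:
    return "D"


def tit_for_tat(own: List[str], opp: List[str]) -> str:
    # Cooperate first, then copy the opponent's last move.
    return opp[-1] if opp else "C"


# Hypothetical names for the three player types used below.
STRATEGIES: Dict[str, Strategy] = {
    "AllC": always_cooperate,
    "AllD": always_defect,
    "TFT": tit_for_tat,
}


def play_match(a: Strategy, b: Strategy, rounds: int) -> Tuple[int, int]:
    """Play `rounds` rounds of the game and return (score_a, score_b)."""
    hist_a: List[str] = []
    hist_b: List[str] = []
    score_a = score_b = 0
    for _ in range(rounds):
        move_a = a(hist_a, hist_b)
        move_b = b(hist_b, hist_a)
        pay_a, pay_b = PAYOFF[(move_a, move_b)]
        score_a += pay_a
        score_b += pay_b
        hist_a.append(move_a)
        hist_b.append(move_b)
    return score_a, score_b


def replicator_step(population: Dict[str, float], rounds: int) -> Dict[str, float]:
    """One generation: each type's fitness is its expected score against the
    current population mix; the new share is proportional to share * fitness."""
    fitness: Dict[str, float] = {}
    for name in population:
        expected = 0.0
        for other, share in population.items():
            expected += share * play_match(STRATEGIES[name], STRATEGIES[other], rounds)[0]
        fitness[name] = expected
    mean_fitness = sum(population[n] * fitness[n] for n in population)
    return {n: population[n] * fitness[n] / mean_fitness for n in population}


def simulate(initial: Dict[str, float], rounds: int, generations: int) -> Dict[str, float]:
    """Run the replicator dynamics for a number of generations."""
    population = dict(initial)
    for _ in range(generations):
        population = replicator_step(population, rounds)
    return population


if __name__ == "__main__":
    start = {"AllC": 0.1, "AllD": 0.3, "TFT": 0.6}
    print("one-shot game:", simulate(start, rounds=1, generations=30))
    print("50-round game:", simulate(start, rounds=50, generations=30))
```

In the one-shot game AllD out-scores everything and takes over; once the game is repeated for many rounds, TFT's retaliation makes defection unprofitable against the bulk of the population and AllD's share collapses, which is the "payoffs change as the game continues" effect the talk described.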
Black Hat USA 2014
- Cybersecurity as Realpolitik - This keynote was excellent and I encourage all to watch it as my summary will not do it justice.
- Attacking Mobile Broadband Modems Like a Criminal Would - While the technical meat of this talk showed some embarrassing (and likely never to be fixed in current/old models) attacks possible on USB 4G/WiMAX modems, the part I liked most about this talk was the mindset: think like the criminal/adversary, and your actions/reactions may be different from your natural instinct. Especially in a venue like Black Hat, where there is significant competition to get a speaking slot, many speakers (myself included) get so caught up in the "elegance" of the attack that we forget how it will be used by an attacker not motivated by personal technical interest or pride. In this light, the speaker showed some very simple attacks that most infosec researchers would scoff at, but which would be the most effective at making money for the attacker. I think researchers improving security and defense would do well to heed this lesson and focus on hampering an adversary's end goal over a niftier counter.
- A Survey of Remote Automotive Attack Surfaces - The "celebrities" of the DARPA Cyber Fast-Track program returned to Las Vegas to provide a more general, abstracted view of the state of car hacking. This talk was mostly an overview of how newer features demonstrate attack surface and the increased control the ECU and other processors have over the physical car. Nothing too ground-breaking, but presented very well as expected and the end three minutes showed how easy it is to jail-break your Jeep (or other domestic car)!
- The Beast is in Your Memory: Return-Oriented Programming Attacks Against Modern Control-Flow Integrity Protection Techniques - Another talk I was very excited about, this talk showed how most anti-ROP systems work and strike a balance between speed and security, and how that trade-off can be exploited. They developed gadgets from Windows libraries that would allow them to bypass EMET and execute a successful ROP attack. This area of research is moving very quickly, and I'm excited to see where it goes from here.
- Reflections on Trusting TrustZone - Culminating in an exploit to get control of the Qualcomm TrustZone (TZ) kernel to unlock a Moto X device, this talk highlighted that even with the hardware protections integrated into the TZ & ARM platform, there is still code that can be exploited running in TZ and successful exploitation will reap significant benefits.
- Creating a Spider Goat: Using Transactional Memory Support for Security - An interesting talk on using Intel TSX (which recently was disabled due to errata) to monitor sensitive memory (such as a system call table) at a much more granular level. It was neat to see a technology used predominately for performance used to enhance security, as I find that to be rather rare.
DEF CON 22
- The NSA Playset: RF Retroreflectors - I knew Mike would give a good talk, and sure enough he delivered. In this talk, he reverse-engineered the leaked ANT catalog for an active emissions attack. He showed a few different bugs (all powered by radio illumination) to tap into PS/2 keyboards and VGA, and discussed other future work.
- Extreme Privilege Escalation On Windows 8/UEFI System - After talking with Xeno and Corey at Black Hat for a while, I knew they were very knowledgeable, so I had high hopes for this talk. Essentially, they found a few bugs in Intel's open-source UEFI runtime services implementation (which is mostly copied and pasted by the OEMs) that allowed exploitation from ring 3 up to a persistent SMM implant. The implant would scan memory looking for a signature, then execute the code that followed it, allowing remote execution of code carried in incoming packets, even if they are dropped by the firewall! The lesson here is that UEFI is very new and, being open source, should prove easier for attackers to explore.
- Mass Scanning the Internet: Tips, Tricks, Results - After seeing Robert's lecture at Dartmouth, I had high hopes for another technical lecture on how to optimize code for high performance. Alas, it did not pan out that way; it was more about funny quirks of scanning and how they have gotten many people angry with them for scanning.
- Summary of Attacks Against BIOS and Secure Boot - A survey talk, covering low-level attacks over the last eight years. While interesting to someone not versed in low-level research, for someone who has kept up with the current state-of-the-art, it was all recap.
- Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System - One of the talks I was most excited for; perhaps that is why I was so disappointed that it was the worst talk I'd ever sat through in my life. There were countless things wrong with it, and there was a steady flow of people leaving and shaking their heads in shock. It really soured my opinion of IOActive, which up until that point had been very high from seeing Chris' work and meeting folks at the IOasis.