Shmoocon 2016: Hackers For Charity

January 18, 2016 by Mike Szczys 4 Comments

To one side of the “Chill Room” at this year’s Shmoocon were a few tables for Hackers for Charity. This is an initiative to make skills-training available for people in Uganda. The organization is completely supported by the hacker community.

Hackers for Charity was founded by Johnny Long about seven years ago. He had been working as a penetration tester but you perhaps know him better from his many books on hacking. Having seen the lack of opportunity in some parts of the world, Johnny started Hackers for Charity as a way to get used electronics and office equipment into the hands of people who needed it most. This led to the foundation of a school in Uganda that teaches technology skills. This can be life-changing for the students who go on to further schooling, or often find clerical or law enforcement positions. Through the charity’s donations the training center is able to make tuition free for about 75% of the student body.

The education is more than just learning to use a word processor. The group has adopted a wide range of equipment and digital resources to make this an education you’d want for your own children. Think Chromebooks, Raspberry Pi, robotics, and fabrication. One really interesting aspect is the use of RACHEL, which is an effort to distribute free off-line educational content. This is a searchable repository of information that doesn’t require an Internet connection. Johnny told me that it doesn’t stop at the schoolroom door; they have the system on WiFi so that anyone in the village can connect and use the resources whether they’re students or not.

Shmoocon does something interesting with their T-shirt sales. They’re not actually selling shirts at all. They’re soliciting $15 donations. You donate, and you get a shirt and a chit — drop you chit in a box to decide where your $15 should go. This year, Hackers for Charity, the EFF, and World Bicycle Relief were the charities to choose from. If you want to help out this 501c3 organization, consider clicking the donate button you’ll find on the sidebar and footer of their webpage.

Shmoocon 2016: GPUs And FPGAs To Better Detect Malware

January 17, 2016 by Mike Szczys 40 Comments

One of the big problems in detecting malware is that there are so many different forms of the same malicious code. This problem of polymorphism is what led Rick Wesson to develop icewater, a clustering technique that identifies malware.

Presented at Shmoocon 2016, the icewater project is a new way to process and filter the vast number of samples one finds on the Internet. Processing 300,000 new samples a day to determine if they have polymorphic malware in them is a daunting task. The approach used here is to create a fingerprint from each binary sample by using a space-filling curve. Polymorphism will change a lot of the bits in each sample, but as with human fingerprints, patterns are still present in this binary fingerprints that indicate the sample is a variation on a previously known object.
Continue reading “Shmoocon 2016: GPUs And FPGAs To Better Detect Malware” →

Shmoocon 2016: The Best Conference Booth You’ll Ever See

January 17, 2016 by Brian Benchoff 19 Comments

Shmoocon is here, and that means a dozen or so security companies have bought a booth and are out to promote themselves. Some are giving out shot glasses. One is giving out quadcopters. It is exceedingly difficult to stand out in the crowd.

At least one company figured it out. They’ve built a game so perfect for the computer literate crowd, so novel, and so interesting it guarantees a line in front of their booth. Who are they? Fortego, but that’s not important right now. The game they’ve created, BattleBits, is the perfect conference booth.

The game play for BattleBits is as simple as counting to two. You’re presented with an eight-bit hexidecimal number, and the goal is to key them into a controller with eight buttons for 1, 2, 4, 8, 16, 32, 64, and 128. The answer for 0x56 is 01010110, and the answer for 0xFF is mashing all the buttons.

To anyone not familiar with hex, there’s actually a rather handy trick to the game: you only need to memorize 16 different numbers. Hexadecimal numbers are easily broken up into nibbles, or groups of four bits. All you need to do is solve one hexadecimal digit at a time.

The controllers, or ‘decks’ as they’re, are built around a BeagleBone and a custom cape running a mishmash of Javascript and Python. When the game starts the player or players are presented with random bytes in hexadecimal format. Input the right bits in the shortest amount of time and you’ll work your way up the leader board.

This is by far the best conference booth I’ve ever seen. The creator of the BattleBits hardware, [Riley Porter], says he’ll be releasing the design files and code for this game so anyone can make one, something we really look forward to.

[Riley] also got a video of someone entering nibbles super, super fast.

Shmoocon 2016: Phishing For The Phishers

January 16, 2016 by Mike Szczys 24 Comments

After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you. A better way to track them down is to actually draw them into a conversations, and this means making yourself a juicy target.

Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out is his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers. Those who frequent 419 Eater have literally made it into a sport called Scambaiting. The ultimate goal is to prove you’ve baited a scammer is to get the person to take a picture of themselves balancing something on their head. Now the image a the top of this post makes sense, right?

Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible and this means automation. Amusingly, the solution is to Phish for Phishers. By automating responses to phishing emails, and enticing the people originating those phishing scams to click on a link, you can ascertain their physical location.

Continue reading “Shmoocon 2016: Phishing For The Phishers” →

Shmoocon 2016: Computing In A Post Quantum World

January 16, 2016 by Brian Benchoff 50 Comments

There’s nothing more dangerous, so the cryptoheads say, than quantum computing. Instead of using the state of a transistor to hold the value of a bit as in traditional computers, quantum computers use qubits, or quantum information like the polarization of a photon. According to people who know nothing about quantum computers, they are the beginning of the end, the breaking of all cryptography, and the Rise of the Machines. Lucky for us, [Jean-Philippe Aumasson] actually knows a thing or two about quantum computers and was able to teach us a few things at his Shmoocon talk this weekend, “Crypto and Quantum and Post Quantum”

This talk is the continuation of [Jean-Philippe]’s DEF CON 23 talk that covered the basics of quantum computing (PDF) In short, quantum computers are not fast – they’re just coprocessors for very, very specialized algorithms. Quantum computers do not say P=NP, and can not be used on NP-hard problems, anyway. The only thing quantum computers have going for them is the ability to completely destroy public key cryptography. Any form of cryptography that uses RSA, Diffie-Hellman, Elliptic curves is completely and totally broken. With quantum computers, we’re doomed. That’s okay, according to the DEF CON talk – true quantum computers may never be built.

The astute reader would question the fact that quantum computers may never be built. After all, D-Wave is selling quantum computers to Google, Lockheed, and NASA. These are not true quantum computers. Even if they’re 100 Million times faster than a PC, they’re only faster for one very specific algorithm. These computers cannot simulate a universal quantum computer. They cannot execute Shor’s algorithm, an algorithm that finds the prime factors of an integer. They are not scalable, they are not fault-tolerant, and they are not universal quantum computers.

As far as true quantum computers go, the largest that has every been manufactured only contain a handful of qubits. To crack RSA and the rest of cryptography, millions of qubits are needed. Some algorithms require quantum RAM, which nobody knows how to build. Why then is quantum computing so scary? RSA, ECC, Diffie-Hellman, PGP, SSH and Bitcoin would die overnight if quantum computers existed. That’s a far scarier proposition to someone hijacking your self-driving car or changing the display on a smart, Internet-connected thermostat from Fahrenheit to Celsius.

What is the verdict on quantum computers? Not too great, if you ask [Jean-Philippe]. In his opinion, it will be 100 years until we have a quantum computer. Until then, crypto is safe, and the NSA isn’t going to break your codez if you use a long-enough key.

Shmoocon 2016: Z-Wave Protocol Hacked With SDR

January 16, 2016 by Mike Szczys 17 Comments

The first talk at 2016 Shmoocon was a great one. Joseph Hall and Ben Ramsey presented their work hacking Z-Wave, a network that has been gaining a huge market share in both consumer and industrial connected devices. EZ-Wave uses commodity Software Defined Radio to exploit Z-Wave networks. This is not limited to sniffing, but also used for control with the potential for mayhem.

Continue reading “Shmoocon 2016: Z-Wave Protocol Hacked With SDR” →

Donuts Of ShmooCon

January 12, 2016 by Mike Szczys 5 Comments

This weekend is ShmooCon, a hacker convention held in Washington DC. Brian Benchoff and I will be there, both of us for the first time. We’d love your input on what talks look the most interesting. Check out the schedule of speakers, then leave a comment below to let us know which talks you think we should cover.

It’s great hearing the big presentations, but I find a lot of times great hacks can be found in smaller venues, or just by walking around. Two examples from 2015 DEF CON: the best talk I sat in on had about 10 people spectating in the IoT village, and I had a great time trying to track down everyone who had an unofficial hardware badge. If you’re at ShmooCon and have something to show off, please find us (@szczys, @bbenchoff)!

On Saturday join us for a Hackaday meetup in the lobby of the Washington Hilton. ShmooCon is well-regarded for the quality of its “lobby-con”, what better place to gather? Look for the Hackaday crowd starting Saturday 1/16 at 8:45am. We’ll bring the donuts, and some swag like Hackaday Omnibus Vol. 02 and of course, some Jolly Wrencher stickers.