5 takeaways from Las Vegas

Probably the two most important security conferences in the world are held in Las Vegas during the same week, gathering more than 15,000 attendees and offering dozens of talks. Even if you are here, you will find a situation where you want to attend 2 or 3 talks at the same time, or the frustration of attending one talk only to find there is no room left for you in the next one you wanted to attend.

So I thought it would be useful, whether you were in Las Vegas or not, to highlight the most relevant things that happened there during these 2 weeks, in my opinion:

Cracking MS-CHAPv2, by Moxie

Once again, Moxie showed the difference between theory and reality when applied to cryptography. In this case, he reduced the problem of breaking the MS-CHAPv2 protocol (mostly used in PPTP VPNs and WAP2) to the problem of breaking a single DES encryption. You can find all the details of his presentation here .

This is something that can be done with current computational power. In fact, Moxie has published an online DES cracking service. Also, he has released the tools for helping anyone extract the DES key and breaking the MS-CHAPv2 protocol, effectively allowing anyone to get the credentials of sniffed handshake login traffic.

So its time to migrate PPTP VPNs and WPA2 authentication protocol for Radius to more secure protocols. As Moxie says, any protocol based on MS-CHAPv2 should be considered insecure.

Breaking the password sniffed during the login handshake is not a really revolutionary technique. However the relevance of this research lies in reducing the problem to something that can be handled with todays computational power, and offering the tools and services available to do that. Going from theory to reality, and making it available to everyone, makes a real difference in my opinion.

Broken Hardware

This is probably not a new topic, but it seems to become more and more popular every year. Ruben Santamarta showed in his talk a nice step-by-step tutorial to reverse some of your favorite devices (energy meters) through firmware updates. FX from Recurity Labs showed how bad Huawei routers are in terms of security and how old 90s style exploits and vulnerabilities could be applied to them. Finally a few SCADA talks: Scada HMI and How to hack all the transport networks of a country.

My point here is how more and more unsuspected devices that are part of our daily life are becoming the target of security researchers on a regular basis, and how bad these devices are in terms of security. And I like the fact that security researchers highlight this: it seems to be the only way for these devices to improve in terms of security.


Mobiles, iOS and Android have been hot topics recently. I really enjoyed the talk “Safe DEX”, pointing out different evasion techniques for Android malware authors. Also the talk from Thomas Cannon on gaining access to Android user data was very interesting.

But probably the most relevant talk this year on mobile was Charlie Millers talk on NFC (near field communication) hacking tricks. This technology is becoming increasingly popular on new smartphones, and Miller demonstrated how it was possible to force someone to go to a malicious website just by staying near a vulnerable device with NFC.

What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to, said Miller.

This attack is only possible over short distances (a few inches) where this protocol operates, but it shows how the adoption of new protocols and communication methods, especially on smartphones, brings new attacking possibilities.

US CyberCommand and Feds

The presence of Feds during DefCon and BlackHat definitely is not a surprise. However this year the approach was quite different. General Keith B. Alexander, Commander of the US Army CyberCom, addressed the audience at DefCon, offering himself as an ally and asking for help and urging responsible conduct to all the attendees. Shawn Henry, former FBI director, gave the BlackHat keynote, stressing the importance of cyberespionage and cyberweapons, but in a more commercial way.

I think this change in the perception from “the guys who break things” to “the guys who may help us fight cybercrime” is a positive one, especially to the general public. Of course making general assumptions over a community so heterogeneous is not accurate, but in general talking to them as adult people instead of naughty kids is a good idea.

Are we overlooking old problems?

This final point is a very personal one. I really enjoyed Dan Kaminskys (yeah, the guy of the DNS vulnerability) talk on some old problems we are probably overlooking and that are at the root of many of the problems we face today.
From the (low) randomness that we get from servers without human interaction and how we do not apply practical (not perfect but better-than-nothing) approaches to the difficulties on distinguishing data from commands in the way we parse input. This talk addressed some of the fundamental mistakes that we do in software development and how we could do better by not trusting sacred cows and implement more practical approaches.

I really liked the talk, in the way it highlighted that we are often focused on very concrete technical problems or vulnerabilities, but we forget about more fundamental problems that ultimately lead to security leaks.

Follow me on Twitter

5 takeaways from Las Vegas

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox