BSidesLondon Wrap Up

It was a long but wonderful day! I woke up very early to catch my train from Brussels to London and arrived just in time. The room was already full of security guys, some well known faces and new ones. Let’s grab some coffee, some muffins and my bag full of goodies. Ready for the talks! The venue is nice, there is a good Wi-Fi coverage.

The event started with an introduction about the B-Sides story. I liked the mention to the “seven tips for a con” (from blog.zeltser.com/):

• It’s always good to join a conversation
• Accept new people in your conversation
• Introduce yourself
• More from groups to groups
• Bring business-cards
• Read a name tag
• Follow up with people you meet

I fully agree with this list. That’s what makes a conference successful! After the introduction, the keynote was presented by Dr Paul Judge about “Social Media and security: Are they compatible?”. Paul came back on the history of spam and how spammers try to reach the users today (the regular spam decreased by 50% now).  There are five innovations that created risks:

• The rapid growth of the Internet (1 new domain registered each second)
• The dynamic applications (Ajax). The browser is the new operation system and not a simple tool anymore.
• Remote employees (20% work remotely, 46% of remote infection come from infected sites
• New toys (like mobile devices)
• User-generated content (no more trusted top level domain – “the lock is always open”)

According to Paul, there is clearly a need for user reputation! Like already done for IP addresses and domains. He reviewed new attacks based on new social networks like Facebook or Twitter: Automated social engineering (Facebook chat sessions), account hijackings, force follow (“accept <username>”), onMouseOver, CRSF, twt.tl (the URL shortener) or OAuth. Then Paul introduced the “Twitter reputation system” developed by Barracuda Networks. The goal is to identify true users amongst bots and fake ones. A true user is one with >= 10 followers, friends & tweets. This represents 43% of the total accounts. To check you own reputation, a tool is available online: profileprotector.com. Personally, Paul gave too much tables with numbers at the end of the presentation (IMHO) but very interesting talk!

Then, Jimmy Blake spoke about “Cloud Computing Due Diligence – WTF?”. Jimmy is busy with risks assessment of cloud applications . I performs dozens of such projects per month, so he knows his topic. Good remark about the the definition of “cloud computing“: it’s so broad! Everything is a cloud today! His main message was about the risks to put your data in the cloud: Don’t wait Jimmy’s time by putting sensitive data into the cloud. Classify your data first then decide. An interesting remark about the CSA (“Cloud Security Alliance”): Check out the partners, it looks more like hunting for new customers. The majority of them are providers of infrastructure management solutions!

Ellen Moar & Colin McLean presented one of the best talk (IMHO):  “Malware writing 101 – A script kiddie’s attempt at writing and masking Trojans”. The goal of their presentation: Prove that malwares can be written by script kiddies! Based on Google searches, they grabbed some pieces of code here and there and successfully built their own malware. During the presentation, they reviewed all aspects required by malwarse. What’s important to keep in mind:

• Assumption: to make a dump user to click on something
• UAC can be disabled once the user clicked YES 🙂
• Looking for existing Trojans? Just Google for them! (Sub7, Amitis, Beast, netbus)
• Crypto? Use an existing Trojan with a crypto. Just by choosing the right Trojan / cryptor, it can bypass 75% of the anti-viruses! Scaring, sub7 without crypto is only detected by 19 of 41 anti-viruses.
• Need to disable a firewall on Windows? Use “netsh firewall set opmode disable” or “netsh firewall set AllowedProgram “%ProgramFiles%\myexe.exe“

Anti-virus are so stupid that basic obfuscation still defeat them. Use the following method in your scripts:

  set a=net
  %a% stop yourav.exe

Don’t relay on anti-viruses, don’t click on links, use limited user accounts and UAC. Their conclusion was: User education is mandatory! Nothing new, hélas! Good job.

The next presentation was mine! I gave a talk called “All your security events are belong to … You!“. This was about my favorite topic at the moment: log management, correlation tools and how to add visibility to your logs. Here are the slides:

I got nice questions after the presentation. Thanks to all who attended!

After the lunch (very good!), Steve Lord spoke about the pentesters with a presentation called “Breaking, Entering and Pentesting”. This was an excellent session! Steve described the different types of pentesters:

• The Nessus monkey : he can run tools, wandering off-scope, even can get root
• The expert in training: he has written a tool, knows a programming language, has read an RFC and uses the CLI
• The JAded Cynic: he hits the tech ceiling, changes dates on reports and submit of resets 🙂
• Finally… the Jedi Master: He is relentless , has tigersheme blood, commercially aware, thinks beyond attack trees

Nice remark from Steve: it’s almost impossible to cover 100% of a pentest in the assigned time window. Even if your scope is clearly defined, it’s an ongoing project as new types of attacks or vulnerabilities are discovered daily!

Dear Terminal Servers administrators, they care! Wicked Clown was back! He presented his “Breaking out of restricted RDP” research! Basically, you can pwn a TS in a few minutes. Videos are available on his website. Crazy!

David Rook presented his tool: “Agnitio: its static analysis, but not as we know it”. He introduced the concept of static analysis: review applications security without executing it. It can be performed manually or via tools (automated). Classic error: security issues are fixed too late in the SDLC process and cost a huge amount of money! A nice comparison was done between developers and drivers: What if we taught drivers in the same way as developers? Instructors will tell driver about the different ways to crash and inevitably the driver will crash! Then David switched to a deeper presentation of his tool “Agnitio“:

• Tool to help in manual static analysis
• Checklist based with reviewer & developer guidance
• Produce audit tails and integrity checks
• Single tools for sec code review, report & metric

Oraya Viloria Montes de Oca talked about “You built a security castle and forgot the bridge…now users are climbing your walls”. Unfortunately, I came late and saw only the latest slides. I’m so sorry GeekChickUK!

Another great session performed by Brian Honan: “Layer 8 Security – Securing the Nut Between the Keyboard and the Screen”. Hopefully, due to a last agenda change, I was able to follow him! My dear friend Brian explained why the problem is often between the keyboard and the chair! 48% of security incidents are generated by insiders. 90% require human interventions and 100% of success compromised the “human”. Thinking that “security is not my job” is a big fail! People are often lazy, too busy and make mistakes! People don’t like security awareness program. It’s like the security on road: How many of you already drove drunk even if but awareness campaign are organized by authorities. Your security awareness training are often a failure: What remember the attendees? The food? Drinks? Zzzz? You’ve to adapt your communication to the audience! This is also a recurring process.

And, last but not least, our four crazy guys Chris John Riley / TheSuggmeister / Arron “finux” Finnon / Frank Breedijk made the show with “Security YMCA”:

You can get new ideas, make a difference or three,
I wonder how that would feel…

Young man, I was once in your shoes.
I said, I was down and out with the blues.
I felt no man cared ’bout se-cu-ri-ty
There’s just too much in-du-vi-du-a-li-ty

That’s when someone came up to me,
And said, young man, take a walk on the street.
I really, want to know what you say
If only I could only un-der-stand you

You must communicate A.S.A.P.
You must communicate A.S.A.P.

…

After the B-Sides event, a “Beer-Sides” event was organized by the DC44220 (The Defcon London). People from Defcon, B-Sides and InfoSecurity joined to follow two other talks:

• Steve Lord again on pentesting and more precisely how to evade defenses (“My #dc4420 talk is so dark light just falls into it. Good job they’re all whitehats there so it’ll only be used for good.“)
• And a fun talk: “cccamd, spartacus, and the largest sat-card sharing ring in the world” by Neil ‘mu-b’ Kettle.

And of course, lot of beer and social networking! To conclude, a BIG THANK YOU to the whole B-Sides London crew for the organization! A great event which proves that money is not all in a conference! I’m expecting the new events as soon as possible! The talks were recorded and should be available soon on the B-Sides London website.