I back in Amsterdam for the third time this month. Today, it is to participate to the Hack In The Box conference. This is already the 4th one, time flies! Like the previous editions, the event is organised at the Okura hotel, a very nice place. Thanks to the Easter break, roads were clear to Amsterdam and I arrived in time to register and grab some coffee.
The next edition of Hack In The Box gets closer! It will be held next week in Amsterdam. Thank to the organizers, I get a press pass and I’ll again be back for two days at the Okura hotel to cover the conference. I’ll tweet live (follow the official #HITB2013AMS hashtag) and write wrap-ups. The conference is organized in the classic format: two days of trainings and two days of high-level talks. They will be split in a three-tracks schedule. Here is my wishlist:
I had to make difficult choices due to the overlapping of very interesting tracks. At the end of the first day, I hope to be able to attend Itzik Kotler’s workshop about his new tool released just a few days ago (hackersh). The content looks amazing with very good speakers. Stay tuned for more details soon. Ping me if you want to meet!
And we are back with the second wrap-up of BlackHat Europe 2013! After a dinner with friends and some beers at Rapid7 and IOActive parties, I went back to the hotel to finish the first day wrap-up. I woke up, tool shower, grab some coffee and I’m ready for the second day! No workshop planned for today only talks. Here is a review of the one I attended.
Hello Everyone, it’s BlackHat time again! Here is my wrap-up for the first day. Yesterday evening, after a safe drive to Amsterdam with @corelanc0d3r, we went out for dinner and had good times with other friends and guys from the Rapid7 team who maintain the Cuckoo project. The conference is organized at the same location as the last edition, the Grand Hotel Krasnapolsky, a very nice place in the centre of the city. After a standard dose (but necessary) of caffeine, Jeff Moss performed a brief introduction of the conference. For this edition, 500 people registered to attend the conference. Jeff insisted on the feedback that attendees can provide to build better events in the future and choose the right directions to meet most of our expectation. New events will be organised like local (geographically) events and events dedicated to trainings only. What are the current trends? Mobile and embedded devices remain on top of the talks. Another classic, some minutes were also allowed to the main sponsor for some “marketing” messages.
Here we go with a new season of security conferences! BlackHat Europe is the first big event for me this year. The conference is back in Amsterdam this week for two days full of interesting briefing sessions and workshops. Again this time, the BlackHat organization provided me a press pass (thank again to them!) to attend and cover the event. This edition is back to a classic format: two days of trainings and two other days of briefings (last year, there was three days). I will cover the briefings in live (via Twitter) and write wrap-up’s after each day. Here is my (current) selection of sessions I would like to follow:
In parallel to regular tracks, the BlackHat arsenal is organized again by NETpeas where security tools will be demonstrated. I’ll briefly present a status of my project called CuckooMX. I just noticed that my friend and Belgian blogger colleague Peter (corelanc0d3r) has also posted his pre-conference blog post. His planning is completely different then mine. This is a good think, we will be able to provide a broader overview of the conference!
I’ll drive to Amsterdam on Wednesday evening. Feel free to contact me for a chat over a beer. See you there!
Yesterday evening, I went with friends to a traditional Swiss restaurant then we passed by the party to have a few drinks. Thanks to the sponsor for the open bar! That’s why it was difficult to wake up this morning… But, anyway, I had a wrap-up to write for you! This is a good opportunity to thank all my readers and followers. It’s always a pleasure to meet new people in conferences and hear: “Oh, you’re that guy who writes the wrap-ups! Nice to meet you!“. So, here is one for the second day of Hashdays 2012! This time, it will be shorter because I attended a workshop in the morning and talked in the afternoon.
My first choice was Jonathan Sinclair who also participated to the management session last Wednesday. Like Alexander yesterday, I was interested to see the “technical” version of his presentation: “Hypervisors and Virtual Machines – State of the Art“. It was an overview of the attacks that existed (and remain!) and currently exists in this field. First point: they are more and more hypervisors in the virtualisation landscape, so Jonathan had to focus on a specific one. He first gave some facts about the history of cloud and virtualisation. I liked a funny mention: All started in 1963 with a memo called “Memorandum for: Members and Affiliates of the Intergalactic Computer Network” (by J.C.R Libcklider). This looked extracted from Star-Trek! After all, for the oldest amongst is, isn’t just time-sharing computing? Remember BBS’s where everything was shared! You can of course exploit a lot of stuff in the cloud (Facebook, Twitter, iCloud, etc) but it’s not what Jonathan finds the most funny. He prefers to focus on “IaaS” (“Infrastructure as a Service“). Why? You have a much large attack surface and it brings most control. Once compromised you have the complete control of the infrastructure.
What are the constraints? You have the “bare-metal” hardware: Hypervisors run directly on the hardware or on top of a regular OS. It looks interesting to go to bare-metal systems because the technology is still immature regarding security and the landscape is still heterogeneous. According to Jonathan, VMware was a very good target for his researches. Why? Leadership and bare-metal installations. After this introduction, Jonathan spoke about VM penetration testing.What are you looking for? The reconnaissance phase is looking for 443, 902, 903, 8000 management ports (good candidates). Shodan and Google are your best friends ever. How to identify the hypervisor? There are tools and techniques to accomplish this: On Linux: imvirt or girt-what and on Windows: Elias Bachaalany has made interesting researches. Another interesting tip: VMware Backdoor is never fully disabled and may reveal very interesting information. Other interesting tools are:
The “pass the hash” attack method was also briefly reviewed. “Crisis” (or “Morcut”) is a root kit that as the ability to adaptively weaponise for multiple targets included VM’s. And what about VMDK? They left the building already… 
Data extrusion is possible via the VM configuration file. (vmdk errwk). Appraisal:
Virtualization is amazing for attackers, no need to break datacenters fences to reach the servers, do this from your sofa. VMotion network transmits the memory image in clear text #hashdays Who use an OoB network for this? To conclude, Jonathan gave a few words about his current project call “Parasite”. This is a project to abuse a virtualised environment. The objectives are: demonstrate capabilities of threats. Force automatic migration by triggering vMotion, sniff the network and perform reconnaissance analysis.
I skipped the other talks before noon and attended my first Arduino workshop (prepared by Jan Monsh). The Hashdays conference is reputed for their badges. This year again, it was amazing: Based on an Arduino board. Finally, I had the opportunity to play with this awesome piece of hardware!
After an introduction to the hardware and software used to compile and upload the programs, we played with some components. It was basic but for me, without a huge background in electronic, it was rewarding: we make LEDs blick, played with potentiometer and display counters on 7-digits display. I’m now the proud owner of an Arduino kit with some sensors, now I need some time to play.
After the lunch, I followed the Ben April‘s talk about NFC (“Near Field Communication“): “I don’t think it means what you think it means“. People don’t have a lot of background about NFC today. It is ant close-range wireless communication, also known as ISO-18092:2004 aka NFCIP-1 with the exchange of NDEF records. Ben reviewed the different types of card (they are four) and the different layers defined in the ISO model. Some useful applications: configure your Wifi, remind to call your girl friend or to buy some milk! Exchange of vCard or course or MIME objects. Non standard uses are: set alarm, change ring or brightness (on phones). All those applications are using NDEF messages which contain NDEF (“NFC Data Exchange Format“) records. What about encryption on NFC tags? They are solutions but nothing very strong at the moment. We are starting to see NFC enabled advertisements (in airport by example) asking you to place your phone close to the poster. Good idea? Ben explained some experimentations he performed on hotel room cards. He has a nice NFC hacking toolbox:
What can you do with this kit? Read/write tags, break MFIRE crypto, sniff NFC exchanges, emulate devices and tags. By default a phone which will read a tag will use it without notification (open an URL). There exists apps to first display the tag content. ndefeditor.com is a nice website which allows you to create/modifit NFC tags. Then Ben explained how he cloned hotel room keys. His conclusion: be very careful with NFC and most important tip: use a reader before scanning a NFC tag!
Then it was my turn to present my talk about the correlation of data across security devices: “Unity Makes Strength“. The goal is to create a toolbox which will inject data into security devices like firewalls and make their configuration dynamic and more reactive to attacks. My slides are online here.
Just after my presentation, I had to leave quickly to catch my flight back to Belgium. Unfortunately, I missed Iftach Ian’s presentation and was not able to say good-bye all the people I met. I just landed in Belgium and finishing this blog post. Thank you to the Hashdays crew for the hard work to set-up this nice event (not all of them are present on the picture) and for the opportunity to be a speaker.
I’m in Luzern for a few days but the Hashdays security conference started today! w00t! This is the first edition for me. A very nice opening session performed by the defcon-switzerland group which organises this event. They gave funny stats about this edition in terms of registration, paper used, exchanged emails, etc. After the classic security recommendation – if you see what I mean (they also operated a wall-of-sheep like I do during BruCON), they introduced the keynote speaker: Christien Rioux.
The third edition of BSidesLondon has been announced! The crew has already started to work on the event organization and the CFP is open. Block already your agenda: April 24th, 2013 – Kensington & Chelsea Town Hall. I attended the two first editions as a speaker in 2011 and regular visitor in 2012 (my wrap-up’s are here and here). It’s a free event but “free” does not mean with a lower quality. On the contrary!
The third day is already over! It started very (too?) early with Candid Wuest (Symantec) presented ”Dissecting Advanced Targeted Attacks – Separating myths from facts“. Not easy to speak so early and not a lot of people present in the room. For a while, the press plays a big role in broadcasting information about APTs and attacks. Hype or FUD?
This is my wrap-up of the second day of RSA Europe. As said yesterday, the panel of speakers was broader and much more interesting. Let’s go!
SecurityFocus Vulnerabilities