Tag Archives: Event

RSA Conference Europe Wrap-Up Day #1

I’m in London for the next three days to follow the RSA Conference Europe 2012. This is my third edition and I would like to thank the organizers for the received press pass which allows me to write this wrap up! (and the next ones in the coming days). Compared to security conferences like Defcon, Hashdays or BruCON, this event tries to mix the business guys with the techies which is, honestly, not always easy!

During the first half-day, keynotes are presented by speakers working for the main sponsors: RSA, Symantec and Microsoft.


Some Bits & Bytes About #BruC0N 0×04

After months of preparation with a growing pressure, the 0×04 edition of BruCON is already behind us! I was still on board to take care of all the bits & bytes aspects. This year was a specific one. The venue changed (we moved from Brussels to the beautiful city of Ghent). For me, this move had another major impact: the venue was provided without any network connectivity. The challenge was to build a network from scratch! As you can imagine, deploying network services to 500 hackers during two days is not easy. Yes, dear attendees, you aren’t common users ;-)

To increase the pressure, another last minute change occurred: We were allowed to access the venue on Wednesday starting from 07:00AM (only two hours before the opening of the conference). But the challenge was completed and visitors were able to take their breakfast while surfing the web! I’d like to congratulate the volunteers of the network crew who did a great job!

The BruCON Network Crew

The Core Network

If building a network from zero is a real challenge, it also has advantages. The most important is full control of the infrastructure: bandwidth, switches, servers, access devices, services and… logs! Yeah, logs, one of my favorite topics. As you can imagine, everything was logged during the event. First of all to keep traces (evidence): According to the Belgian law, when you provide an Internet access, you are considered as an Internet provider and have to take care of your network. Secondly, to analyze the logs and generate nice stats. So, let’s check what our visitors did during the two days!

First, the bandwidth. If the new venue was a great location, it was also lacking Internet points of presence! After long investigations, the only solution was to use a WiMAX link! This kind of solution being expensive, we had a limited bandwidth compared to the previous editions but, hopefully, it did not affect the visitors who surfed smoothly.

WAN Traffic for 2 days

Total Firewall Throughput

What about our visitors? It looks like many of you are scared to use offered WiFi networks and prefer to use data connection via your mobile devices. I was surprised to see a very low number of concurrent devices connected to the network (peak: 189 DHCP leases). During the conferences, we offered 10111 leases to 416 unique MAC addresses. What about the type of devices?

Manufacturers Detected MAC Addresses
Intel 189
Apple 95
Samsung 33
AzureWave 31
Hon Hai Precision 26
VMware 23
Liteon Technology 13
RIM 9
HTC 9
Cadmus Computer Systems 9

We operated our own DNS relay to log all the queries. 356885 queries were performed (only “A” records). A total of 43480 unique URLs were resolved by the DNS. Here is the top-20 of resolved hosts:

Domain/FQDN Queries
google.com 22104
ubuntu.com 21178
daisy.ubuntu.com 19569
brucon.org 18862
twitter.com 12686
thehexfactor.org 10940
e3191.c.akamaiedge.net 6776
t.co 14027
logs.loggly.com 6025
apple.com 5518
www.facebook.com 5411
www.google.com 4781
api.twitter.com 4347
google.be 3329
microsoft.com 2812
thf.brucon.org 2504
google-analytics.com 2310
icloud.com 2293
nettitude.com 1976
ssl.gstatic.com 1855

I was surprised to see logs.loggly.com in this list! This FQDN is used by the Loggly (a cloud logging service) API to submit logs! Somebody was submitting events during the conference!?

The web traffic was also analyzed. Here is the top-10 of websites visited from the BruCON network.

Websites Visits
google-analytics.com 2926
google.be 1775
google.com 1486
facebook.com 1264
twimg.com 1230
twitter.com 1185
scorecardsearch.com 913
quantserve.com 839
double-click.net 781
googlesyndication.com 719

What about companies present at BruCON? Using a simple grep, it’s easy to retrieve a list of organizations. Often, the internal domain ends with “.local” or “.corp“. As some visitors are still using corporate devices during the conference (ouuuh, bad!), we extracted some names and were happy to have visitors coming from (a very short list):

  • altum.local
  • certezza.local
  • erasme.local
  • kpnnl.local
  • nsense.local
  • swift.corp

Amazing, just for the swift.corp domain, I collected 29 unique internal server names! Like the previous edition, there was also an IDS (standard config & rules). It remained calm and nothing special was detected (this does not mean nothing happened! :-)
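
The grep described above can be turned into a small report that a security team could run over its own resolver logs to see which internal names its laptops leak on guest networks. This is an added example, not code from the original post: the dnsmasq log format, the sample lines, the placeholder domains and the function names are assumptions.

```python
import re
from collections import defaultdict

INTERNAL_SUFFIXES = (".local", ".corp")  # the two suffixes named in the post
# Assumed log format (dnsmasq with log-queries); the post does not name its DNS relay.
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")
SAMPLE_LOG = """\
Sep 26 09:12:01 dnsmasq[811]: query[A] www.google.com from 10.4.0.23
Sep 26 09:12:02 dnsmasq[811]: query[A] dc01.example-a.local from 10.4.0.57
Sep 26 09:12:02 dnsmasq[811]: query[A] DC01.example-a.local. from 10.4.0.57
Sep 26 09:12:03 dnsmasq[811]: query[A] proxy.example-a.local from 10.4.0.57
Sep 26 09:12:04 dnsmasq[811]: query[A] wpad.example-b.corp from 10.4.0.91
Sep 26 09:12:05 dnsmasq[811]: query[A] macbook.local from 10.4.0.12
Sep 26 09:12:06 dnsmasq[811]: query[AAAA] mail.example-b.corp from 10.4.0.91
Sep 26 09:12:07 dnsmasq[811]: reply www.google.com is 192.0.2.10
"""  # constructed lines with placeholder names

def internal_leaks(lines, suffixes=INTERNAL_SUFFIXES):
    """Return {internal domain: {"hosts": set, "clients": set}} from query lines."""
    leaks = defaultdict(lambda: {"hosts": set(), "clients": set()})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") != "A":  # the post logged A records only
            continue
        name = m.group("name").rstrip(".").lower()
        labels = name.split(".")
        # Require host.domain.suffix so bare names such as macbook.local are skipped.
        if len(labels) < 3 or not name.endswith(suffixes):
            continue
        domain = ".".join(labels[-2:])
        leaks[domain]["hosts"].add(name)
        leaks[domain]["clients"].add(m.group("client"))
    return dict(leaks)

def report(leaks):
    """Rows of (domain, unique host names, unique clients), busiest domain first."""
    rows = [(d, len(v["hosts"]), len(v["clients"])) for d, v in leaks.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for domain, hosts, clients in report(internal_leaks(SAMPLE_LOG.splitlines())):
        print(f"{domain}: {hosts} host names from {clients} client(s)")
```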

IDS Events

All communications were blocked between clients to avoid internal floods, scans and other funny stuff. Finally, a few words about our wall of sheep which was successfully tested (and approved? ;-) by some of our visitors:

Wall of Sheep 2012

I can’t resist giving you some numbers (again):

  • 4506 events logged
  • 4 protocols detected (SNMP, HTTP, POP, FTP)
  • 76 unique logins detected (real: ~50 due to people playing with the wall)

Unfortunately, we could not provide IPv6 connectivity this year, it’s on our todo list for the next edition. Other data were collected but they will be covered in another blog post… Stay tuned!

OWASP Belgium Chapter September 2012 Wrap-Up

Steven Van Acker on stage

The holidays are gone, kids are back to school. For the security landscape, it means that security meetings are also back! The first OWASP Belgium Chapter was organised tonight. Here is my quick wrap-up.

This time the meeting started in the afternoon with a technical workshop organised by SPION. Due to agenda conflicts, I did not attend this one. I joined the meeting for the second part organised in a classic format: after a brief introduction with news about the Chapter and the OWASP foundation in general, two speakers came to present their research.

The first one was Steven Van Acker who talked about remote JavaScript inclusions. There are plenty of publicly available JavaScript libraries on the Internet. It’s very easy for developers to do some shopping and use them without reinventing the wheel. Steven presented the results of a research about the usage of those libraries in websites. Is it really safe to use them “as is“? Always keep in mind that browsers don’t care about what they execute. A crawler was developed to download websites content from the Internet (approximately 3.3M URLs were visited) and included JavaScript content was extracted. Steven gave some statistics. The one which hit me was about the top-10 of JavaScript code used: 50% of this top-10 is related to Google services! (mainly Google Analytics) Once we saw the amount of JavaScript code included in websites, some questions arise:

  • Should websites trust remote providers?
  • Can we safely execute their code?
  • What’s the quality of their maintenance?

Then, again based on the finding, some weirdness:

  • Cross-user scripting (ex: http://localhost/script.js)
  • Cross-network scripting (ex: http://192.168.2.1/script.js)
  • Stale IP-based remote inclusions
  • Stale domain-based remote inclusions
  • Typo-squatting XSS

This last example was really weird. They found some sites trying to load JavaScript content from googlesyndicatio.com (with a missing “n”). What did they do? They registered the domain and got hits! That’s an easy way to compromise websites. And what about the countermeasures? Steven gave two:

  • Executing the remote scripts in a sandbox (not always easy).
  • Download the script locally.

If the second one looks interesting, it could be difficult to implement. It’s do-able only if the files do not change often. A very nice presentation with clear explanations.
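
A site owner can check their own pages for the inclusion patterns listed above. This is an added example, not code from the talk or the original post: the expected-provider list, the sample HTML and the function names are assumptions, and IP-based inclusions are only surfaced as candidates because confirming staleness needs live lookups.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"googlesyndication.com", "google-analytics.com"}  # assumption
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAMPLE_HTML = """
<script src="/js/app.js"></script>
<script src="http://localhost/script.js"></script>
<script src="http://192.168.2.1/script.js"></script>
<script src="http://203.0.113.5/lib.js"></script>
<script src="http://pagead2.googlesyndicatio.com/show_ads.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
"""  # constructed sample page; 203.0.113.5 is a documentation address

class ScriptSrcParser(HTMLParser):
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def edit_distance(a, b):  # Levenshtein distance, to spot one-character near misses
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(src, expected=EXPECTED_DOMAINS):
    host = (urlsplit(src).hostname or "").lower()
    if not host:
        return "local"  # relative URL, served by the site itself
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if host == "localhost" or (ip is not None and ip.is_loopback):
        return "cross-user"
    if ip is not None:
        private = ip.version == 4 and any(ip in net for net in RFC1918)
        return "cross-network" if private else "ip-based"
    domain = ".".join(host.split(".")[-2:])  # crude registrable domain
    if domain in expected:
        return "expected"
    near = any(edit_distance(domain, e) == 1 for e in expected)
    return "possible-typosquat" if near else "third-party"

def audit(html):
    parser = ScriptSrcParser()
    parser.sources = []
    parser.feed(html)
    return [(src, classify(src)) for src in parser.sources]
```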

After a short break and pizzas, the second speaker for tonight was Dave van Stein. He talked about “modern information gathering” or how to grab interesting data from your targets even without sending any packet to them. The talk was a brief presentation of techniques and tools used by pentesters or auditors to collect information. Here is a short list of tools covered by Dave:

  • shodanhq.com
  • serversniff.net
  • robtex.com (with a good domain visualisation feature)
  • Google advanced searches (intent:, inurl:, filetype:, etc)
  • Google Hacking DB
  • Search engine optimisation tools (can crawl target websites for you)
  • FOCA
  • Maltego

Most of them are classic ones. But that was a good reminder or a good way to populate your bookmarks! That was a good meeting to start the new season!

Visitors of Music Festivals Sharing Their SSIDs!

In January, I developed a tool to sniff Wi-Fi SSIDs. I decided to call it ‘hoover‘ (based on the vacuum cleaner brand). The original post is here. I’m often running this tool in my area to detect the presence of some people in the neighborhood or when I’m staying at hotels. But usually, the scan scope is very limited.

A friend had the wonderful idea to run hoover during a major Belgian event: The Rock Werchter music festival! Belgium is a wonderful country for music lovers. Plenty of festivals are organized across the country during the summer. They are covering all music styles! Such public events are great places to find good samples of citizens. During four days, 139.000 unique people attended the festival (source). And guess what people are always carrying with them? Their smart phones of course!

HITB Amsterdam Wrap-Up Day #2

I’m just back at $HOME. Let’s go for the second day wrap-up! This morning, I walked to the hotel in the sun to take a breakfast. Very nice weather over Amsterdam again today! Bruce Schneier was the second keynote speaker.


HITB Amsterdam Wrap-Up Day #1


I’m back in Amsterdam for the third time to attend the Hack in the Box security conference! Thanks to the organizers, I received again a press pass to cover the event. Thanks to them! So, here is my wrap-up of the first day. This year, I was also present as a speaker for SIGINT. SIGINT is a bunch of “small talks between the talks” where people are free to present their research, their tool in a limited time window. After a safe travel from Belgium and the classic registration procedure, it was time for a small breakfast before the start of the busy day.


Hack in Paris and La Nuit du Hack (10th Edition)

The French hacking event is back! This year is a special one, it’s the tenth edition of “La Nuit du Hack” which follows the conference “Hack in Paris“. Yes, as in the previous editions, there are three distinct parts in this major event. Trainings are organized from June 18th to 20th (more info here). Then, two days (June 21st – 22nd) of talks with famous speakers. And finally, an “event into the event“: La Nuit du Hack will be held on June 23rd.

During the last edition, 950 hackers registered to follow more talks and participate in the CTF challenge. This year, a public wargame is also available! Feel free to test the 2011 challenges!

I’ll be present on Thursday and Friday to cover the talks and I’ve also some gifts for you: Like for the previous edition, the organization provided me 10 discount codes (-10%) on “conference only” tickets. The contest is now open! The first ten people who drop me an email (xavier{at}rootshell{dot}be) will receive a discount code… (FIFO!)

London… a Nest of Infosec People

BSidesLondon Track 1

I’m back from a small trip to London where some kind of a “security marathon” is happening this week! In parallel to InfoSecurity Europe 2012, several “alternative” events were organized in the same area. However I did not visit InfoSecurity. I was present at the Benelux edition a few weeks ago and saw enough vendors/products (ties overflow). After a nice ride under the sea and having dropped my luggage at the hotel, I reached my first step: the Information Security Blogger Meetup. The pub was fully dedicated to people from InfoSecurity (sponsored by Firemon) and a space was reserved to the bloggers but not so many people present (although 40 people registered). It was a bit disappointing but, anyway, it was a good opportunity to meet Andrew & Kelly Hay and Javvad Malik. Thanks to the sponsor for the open bar! By the way, I missed Brian Honan with a bow tie! ;-)

Some News About HiTB Amsterdam

Some news about the upcoming edition of the “Hack in The Box” security conference. This third edition (already!) will be held at a new venue: The hotel Okura in the center of Amsterdam. Apart from trainings, the conference itself will be organized during two days (May 24th – 25th) and propose a quad-tracks schedule. You can already have a look here (warning, this is still a draft version). Two great keynote speakers were already announced: Andy Ellis, Chief Security Officer of Akamai on day 1. Bruce Schneier (do we need to present him again?) on day 2. Based on the current agenda, here is my wishlist:

  • Turning Android inside-out (forensics)
  • One flew over the cuckoos nest (automatic malware analysis)
  • Whistling over the wire (Twitter & URL shorteners security)
  • Security threats in the world of digital satellite television (set-top-boxes security)
  • PostScript – danger ahead
  • Automatically searching for vulnerabilities (taint analysis)
  • Bypassing the Android permission model (mobile security)
  • Attacking XML processing
  • Smashing VMDK files for fun and profit (virtualization)

The CTF contest is also back but in a new format called “Bank0verflow“. Based on both attack and defense modules, it will see teams of three provided with a set of custom vulnerable services and web applications. Teams need to exploit their rivals’ machines to retrieve pre-configured flags to score offensive points and obtain defensive points by keeping their own vulnerable services running. Another new “event in the event“: The Hackaton will be organized for the first time in Amsterdam. The principle is simple: put hackers in a room and let them write some code during 12 hours. The topic of this edition is the implementation of a proof of concept to problems related to browsers and their extensions. First prize will be: 1337 EUR in cash!

A few words about the talks, the proposed topics are not only focusing on classic computers but also other electronic devices that we use daily. Adam Gowdiak will present his research about security flaws in digital satellite TV set-top-boxes and DVB chipsets used by many satellite TV providers worldwide. The hackers (aka “iOS Jailbreak Dream Team”) who released the jailbreak of Apple’s popular iPhone 4S and iPad 2 devices will also be there to present their research.

Finally, SIGINT sessions (15-30 minutes max) will be organized during coffee & lunch breaks to let other people present their projects or research. During one of those sessions, I’ll present my tool pastemon and the associated blog leakedin.com. This will be my (very small) contribution to this event.

I’ll attend the conference and write a wrap-up. Feel free to ping me if you want to meet…

Trainings? Because Infosec is an Ongoing Battle…

Working in information security is an ongoing battle! That’s why we have to learn new things every day! But the opposite is also true. As commented by somebody on Twitter recently: “Sometimes, it’s also good to forget things“. We also have to learn by our mistakes and the information security landscape is full of bad stories to learn from! To summarize: We have to train ourselves all the time…

Self-learning is (almost) free. It just costs you spare time and requires access to a lab or documentation but could quickly become limited. How to submit questions? How to exchange useful tips & tricks? Real trainings add a social layer which helps you to learn better and quicker. How to select the training which suits your requirements?

Aside from your preferences, there are different types of training that can be attended. I see three big areas for trainings:

  • Vendors trainings
  • Certification trainings
  • Learning “by doing”

Vendors trainings are only useful when you need to be ready as fast as possible to go “to the front” (read: to go to customers) to massively deploy the vendors solutions. You’ll learn the basics but don’t expect going very deep. To go deeper, buy a new training! Finally, to successfully complete the training, you’ll have to pass the certification exam based on wonderful questions like:

  To achieve the configuration of "A" when "B" is deployed in "C"
  mode, you use the command:
    a) cmd -C
    b) cmd -c
    c) cmd -s

I hate this kind of questions! You need to know how things work but how to apply them? RTFM! Usually, vendors trainings are mandatory for your company to remain a “certified partner” ($$$!) and not difficult to attend.

Certification trainings are broader and don’t focus on products. Most of them are theoretical: procedures, frameworks and best practices have no secret for you. Here again, after the training (often called a “boot camp“), you have to pass the certification exam and finally reach the holy grail also called “CISSP“, “CISA“, “CISM“, “ITIL“, “CEH” etc… If they are very useful to build the basics of information security, once you got them, they will help you to be put on the top of a stack of resumes and to pretend to be an “infosec guy” (I insist on the verb “pretend“!)

Finally, the third type is learning “by doing” or “looking under the hood“. In my humble opinion, that’s the best way to learn. By practicing and going straight to the point! This last type of trainings is usually organized during security conferences. Alas, they are not given for free: good trainers are not easy to find and traveling abroad might increase the total costs by two (flight, hotel, …). So, why not benefit from a good opportunity to attend top-notch trainings organized in the center of Europe in a place not far from everywhere: Belgium! The BruCON security conference announced the schedule of trainings for its 4th edition:

This is an excellent opportunity to attend trainings provided by people recognized as excellent trainers in the information security field! Registrations are open for a few days and early bird prices are available until 31st of May 2012. Spread the word!