This was already the third edition of BSidesLondon today! Time flies! Being busy yesterday, I only reached London in the morning and arrived just in time for the administrative tasks (registration, picking up a t-shirt, goodies), grabbing some coffee and shaking some hands. BSidesLondon is definitely growing in size and quality: a huge number of attendees, two tracks, a rookie track, a job fair, workshops and lightning talks. Even the sun was present over London, no fog at all! Two tracks means you have to make choices! Here is a brief overview of my schedule.
The first presentation I attended was “Pentesting like a Grandmaster” by Abraham Aranguren. The talk was split into two parts. First, Abraham started with an interesting comparison: “Pentesting == a chess game“. This can be summarised with the picture below:
How far can you go with “your” intelligence? Success is always possible. There are many examples of great people who made awesome stuff with a normal IQ. Intelligence does not guarantee success. One fact: it’s important to start early; this is an advantage. Talent is something natural and skills must be developed by hours and hours (days or months) of training. The comparison continues with the chess game. As reported by many chess champions: “You can only be good at chess if you love the game“. It’s exactly the same in information technology (generally speaking – not only security). Some quotes are so true: “No pain, no gain” (Arnold Schwarzenegger), “Pain is temporary” (Muhammad Ali). The next question could be how to stay motivated. Like in high level sports, you must remain healthy (in your body as well as in your mind). Another interesting quote I liked:
“Smart people learn from their mistakes. But the real sharp ones learn from the mistakes of other people” (Brandon Mull)
Abraham reviewed good tips to stay healthy and keep your attention. In the second part of the talk, he explained why game preparation is key (again in chess and pen testing). Before the game: scope better, do better. Know the enemy but know yourself (strengths & weaknesses). Finally, some examples were reviewed of how good preparation helps to pwn your target easily. But keep in mind: when the media report an exploit “in seconds“, it usually took days or weeks to prepare it. The examples were demonstrated using Abraham’s project: OWTF. I liked the comparison between the two worlds, which initially have nothing in common. Great talk to start the day.
For the second talk, my choice was to follow Javvad Malik and his own story, “How to build a personal security brand that will stop the hackers, save the world and get you the girl“. What a program! The room was crowded, with people sitting on the ground! This is always a good sign. Javvad is a showman; have a look at his YouTube channel about information security, a must see. His talk was a reflection about people who are “bankable” in information security. Starting with a fact: why does everybody consider Mother Teresa a personality? It’s the same in information security. Javvad showed a nice graph of knowledge vs fame. Then he defined three levels: echo chamber, industry, public and put famous people on it:
The key is the message you have to pass and how to deliver it. Today, we have access to the same tools and services as professionals had a few years ago to promote ourselves. How to find the right idea to promote ourselves? Via podcasts, blogs, mentors & continuous feedback. Often security people act like the actors promoting Hollywood movies: they visit many places, face the same questions and constantly repeat the same sentences. The same message is broadcast again & again. But what makes a good infosec guy? Javvad showed two pictures of Fish & Chips: prepared with the same food but presented differently. The same may apply to blogs: a blog post could be very good research but badly presented. Also, the message we have to deliver is often bad news: “you got owned“, “you lost data“, etc. Then procrastination and the comfort zone are part of the game. Being a “public” man forces you to remain visible. Question to the audience: “Who has a blog and has not updated it for a long time?” I personally know this feeling. We do this in our free time but have a wife and kids. Another tip: “Do not feed the troll“. There is a difference between trolling and criticism. Javvad’s recipe was:
- He discovered himself
- He created his own rules
- He believed
Excellent non-technical presentation but with true content and a lot of fun.
The third talk was presented by my friend Chris John Riley: “Defense by Numb3r5” or “Making problems for script k1d13s and scanner monkeys“. Chris started with a description of the use of HTTP return codes. You know the 2xx, 3xx, etc. Some are common, others less so, like 206 which means “partial content“. Most of them are defined in RFC 2616 and divided into five classes of response:
- 1xx (info)
- 2xx (success)
- 3xx (redirection)
- 4xx (client error)
- 5xx (server error)
Personally, I like the 402 – “payment required“. Chris’s question is: why talk about numbers? For security reasons, of course. What can we do with them? Unpredictability works to your advantage in your defense layer: increase attacker costs, delay operations. There were already some ideas about this topic, but they were not analysed very deeply. So, how to use this? Browsers have to be flexible. This leads to interpretation! But wait, there are RFCs for that? They’re more than a guideline. What can possibly go wrong? Chris did some testing using a MitM proxy written in Python. Goal of this proxy: if the response code is not 200, respond with a 200 :-). An example script is available on his blog:
- Browser fingerprinting (UA can be spoofed but behaviour cannot)
- Proxy detection
Let’s put all the stuff together. Simply fuck with things and defeat attackers (slowing them down, causing false positives/negatives, etc). By changing the answers to HTTP requests performed by crawlers and scanners, Chris demonstrated the different kinds of results with, depending on the case, many false positives or false negatives. Finally, he had the idea to write an HTTP Tarpit: attacks detected by a WAF are sent as a bad list to the server, which rewrites all the responses to those IPs. Even funnier, Metasploit also performs attacks based on the HTTP response code (>800 occurrences found in the code). Chris’s conclusion: “No match, no shell“. Script kiddies go away! The MitM proxy code is available here.
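The tarpit idea described above, sketched as a small WSGI middleware. This is an added example, not Chris's proxy code; the class name, the sample addresses and the demo backend are constructed for illustration, and the fixed "200 OK" mask is one assumed policy among many.

```python
# Added illustration; names and sample addresses are constructed, not from the talk.
FLAGGED_IPS = {"203.0.113.7"}   # constructed: clients a WAF has reported


class StatusMask:
    """WSGI middleware: flagged clients always get the same status line."""

    def __init__(self, app, flagged, mask="200 OK"):
        self.app = app
        self.flagged = flagged
        self.mask = mask

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the peer address; behind a reverse proxy, resolve the
        # real client from a trusted header before this point.
        if environ.get("REMOTE_ADDR") not in self.flagged:
            return self.app(environ, start_response)

        def masked_start(status, headers, exc_info=None):
            # Drop the real status; body and headers pass through unchanged.
            return start_response(self.mask, headers, exc_info)

        return self.app(environ, masked_start)


def demo_app(environ, start_response):
    """Constructed backend: one real path, everything else is a 404."""
    found = environ.get("PATH_INFO") == "/login"
    status = "200 OK" if found else "404 Not Found"
    start_response(status, [("Content-Type", "text/plain")])
    return [b"login page" if found else b"not found"]


def probe(app, ip, path):
    """Send one request through the WSGI app and return (status, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REMOTE_ADDR": ip, "PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return seen["status"], body


app = StatusMask(demo_app, FLAGGED_IPS)
```

A regular client still sees 200 for `/login` and 404 elsewhere, while the flagged address sees 200 for everything. The body is left untouched here, so a tool that compares response content can still tell the pages apart.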
After a sunny lunch break outside and some Club-Mate, my schedule continued with Stephen Bonner and his “Make cyber-love not cyber-war” talk. Based on slides with pictures only, Stephen reviewed the current situation of cyber-war and explained why he does not like this expression. Very good speaker, good interactivity with the audience but I was not attracted by the topic.
Then followed “Pentest automation – Helping you to get to the pub on time” with Rory McCune. The goal of this talk was to review different ways to optimise your time during pentesting activities to get back home early … or to the pub! Rory started with a general question: Why automate?
- To save time!
- Repetition is boring and we are all lazy people
- For accuracy: how to not miss interesting stuff?
- To encode your knowledge! If you script it, you won’t forget what you learned
It’s a fact: if you’re a pentester, you must be able to write some code. The next question which will arise is: in which language(s)? Rory’s recommendation is to pick one and stick to it. How to choose? The language should:
- Provide an interactive shell
- Focus on development speed
- And have a good 3rd party library support (to easily add extra features to your scripts).
Another tip: use source code control (subversion, git, etc), it will save you time and headaches. To better learn, find real examples you need to solve. Then Rory reviewed some nice scenarios where scripts can be helpful. His examples were written in Ruby:
- Expanding a subnet into a list of IP addresses. Easy but so convenient
- Writing a template using the ‘mechanize‘ Ruby library to automate a two-step authentication process.
- Parsing the output of tools like nmap.
Scripts can also be used to automate very boring tasks: reporting! Major security tools can be extended using plugins or extensions (whatever you name them). Think about Metasploit or Burp Suite. Contribute and add your own code to automate your tasks. A final remark on the presentation: if infosec guys complain about the bad quality of code delivered by customers, they are also writing bad code to automate their tasks. Try to write secure code yourself! The examples reviewed by Rory are available on his GitHub account.
The last talk was by Alex Polychronopoulos: “Going Stealth: Staying off your AV radar“. Again an interesting topic for pentesters, who often have to fight with anti-virus programs and try to evade their detection mechanisms. Today’s AV features are:
- Some of them implement more funky stuff like built-in IDS, browser add-on, etc ($VENDORS have always plenty of ideas)
Anti-virus evasion can sometimes be quite easy (some files are simply not scanned, like *.tmp or *.ocx files) and less than 5% of new threats are detected. Alex reviewed the different types of analysis. Static analysis is not efficient today. Detection based on signatures is out of business for new threats. The code can be easily obfuscated (via “packers“). Today, dynamic analysis is better (it executes the malicious code and observes its behaviour) but the main weakness of emulators is… the emulation! The malware can slow down execution (using multiple sleep() calls), use uncommon CPU instruction sets or simply detect the emulator (and not perform any malicious activity). How to evade? First tip: think big! Most anti-virus products have a file size limit for performance reasons. Second, what about destroying the AV itself? After all, it’s also software like any other, with bugs. Research is always helpful to find new evasion techniques. What about packers? Their goal is to produce a new executable from… an executable and make it more difficult for AV to detect. Problem: they do not like self modifying code! Better packers encrypt the code. The key can be randomised for each payload (polymorphism). If you don’t like encryption, use your math classes and implement other algebra transformations to build a better packer. Don’t forget to hide your strings! (They can also be used as signatures.) Don’t forget that any packer, even the best of all, will always become a signature at some point. What about metamorphism? Examples: use random registers, substitute instructions, randomly add track code. Put all these techniques together to write your best packer. Interesting stuff but lacking real examples. Some packed files passed through antivirus would have been fun (with a low detection rate of course).
In parallel to the regular tracks, the rookie track gave the stage to new speakers. There were some interesting topics like:
- Blinking hell – Data extraction through keyboard lock states
- External assessments
- ICMP – The proxy your admin hates to block
I hope that the slides will be released soon! Kudos to the BSidesLondon team for the great event!
After some beers at the after party, I went out for dinner with friends to discuss security around Italian food. Tomorrow, let’s dive into the $VENDORS jungle at InfoSecurity Europe before travelling back to Belgium!