BSidesLondon 2014 Wrap-Up

The fourth edition of BSidesLondon is already over! I remember the first one in 2011; things have changed! Year after year, it looks more and more professional! As usual, here is my quick wrap-up. I arrived a bit late due to a strike in the London tube. Bad timing, but it’s not a strike that will prevent hackers from meeting! 🙂 According to a tweet from the organizers, 70% of attendees were nevertheless present! Travelling early from Belgium, I was one of them; it was not easy to get to the venue but I arrived… late, but I was there!

As usual, the event started with a keynote. I did not see the beginning, but Trey Ford spoke about “Viruses! Malwares! And threats! Oh my!“. The main line of the talk was that cyber-criminals are so motivated and have so many resources that they’ll always get in. So let’s be prepared. Trey explained how we, the “infosec pros“, work: what we are doing well and what we are doing badly. He reviewed some facts like the truth of the knowledge curve: “The more you know, the less you know you know” or “Doing a good job is marginally more expensive than doing the job, and exponentially more effective“. Think about this!

The first regular talk I attended was “LOL – Layers of Layers” by Rafal Wojtczuk. The idea of the talk was to explain how to bypass end-point security products. The presentation started with a description of a modern operating system. Basically, you have kernel mode and user mode. In kernel mode, also known as ring “0”, everything is allowed. That’s why attackers try to execute code at this level. A classic attack has the following stages:

  • Code execution in user mode (e.g. at the browser level)
  • Run kernel exploit code
  • Run useful kernel code payload

This kind of attack is not new. In 2013, 76 CVEs were assigned to issues in the Windows kernel mode! Then Rafal explained the features provided by Microsoft to protect against malicious code execution (EMET, SMEP, etc). It was interesting, but I left the talk to move to the room reserved for lightning talks. I was intrigued by a tweet which announced a lightning talk about PoS (“Point of Sale“). It was given by Grigorios Fragkos, who asked us not to take notes or make any recording. So, I won’t explain what I’ve seen but… I’ll never look at a PoS the same way again! The information provided by Grigorios was very… exciting!

The next talk was about CSRF. What could be said about this attack? It is a common vulnerability on many websites. Right, but there was no automated way to test/abuse it. That’s the topic of Paul Amar‘s talk. Paul developed a toolkit to exploit CSRF. He was looking for something light, portable, cross-platform and open-source. He did not find one, so he wrote his own solution. After a quick review of CSRF attacks, Paul explained how his toolkit works. To recap, it works like BeEF: the victim loads a malicious JavaScript. Then Paul made demos against a vulnerable website. There are two attack methods:

  • Using a special value (change a user’s password)
  • Dictionary attack (try to log the user in)

He also wrote a tool in Python to automate the attack process. If you’re doing pentests, Paul’s toolkit could be very useful! So many websites are vulnerable: think about all the “Internet of Things” or SOHO routers! But how to mitigate? Here are some tips: use request tokens, re-authenticate users, use Captcha, timeouts or tools like NoScript with ABE. I really liked his presentation.
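The first two mitigations above (a per-session request token and re-authentication for sensitive actions) as an added defender-side example; this is not code from the talk or from Paul’s toolkit, and the session dictionary, the `USERS` store and the `change_password` handler are constructed stand-ins for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory "user database" standing in for a real backend.
# Plaintext password kept only so the re-authentication check is visible.
USERS = {"alice": {"password": "old-secret"}}


def issue_csrf_token(session):
    """Mint a random per-session token and remember it server-side.

    The token is embedded in the legitimate HTML form; a third-party page
    cannot read it, so a forged cross-site request cannot supply it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, form, headers):
    """True only if the request carries the token bound to this session."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not submitted:
        return False
    # Constant-time comparison: no timing oracle on the token value.
    return hmac.compare_digest(expected, submitted)


def change_password(session, form, headers):
    """State-changing endpoint hardened with a token and re-authentication.

    Returns an HTTP-like status code so the outcome can be checked.
    """
    user = session.get("user")
    if not user:
        return 401
    if not verify_csrf(session, form, headers):
        return 403  # forged or replayed request: no valid token
    # Re-authenticate: a cross-site attacker does not know the current password.
    if form.get("current_password") != USERS[user]["password"]:
        return 403
    USERS[user]["password"] = form["new_password"]
    # Rotate the token after a sensitive action so it is single-use.
    issue_csrf_token(session)
    return 200
```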

My next choice was “Poor man’s static analysis” by Jon Butler. The idea of the talk was to present a way to better track bugs in code and to get rid of “grep” commands to search for strcpy() calls. The idea looked interesting, but I was quickly lost in Jon’s slides. It was too developer-oriented.

After the lunch break, Craig Young presented “A day in the Life of a security researcher”. Craig is a “bug hunter”. He likes to find vulnerabilities and report them. He explained the common vulnerabilities in different areas:

  • Web based applications
  • Firmware

How to identify them? The security testing relies on fuzzing, static analysis, source review & firmware analysis. He reviewed some web based application vulnerabilities, then focused on hardware and HTTP management interfaces (on IP cams). One quote to remember from this talk: “Expect the unexpected!“. Craig’s conclusions were:

  • Vulnerabilities are everywhere
  • The first step is to always learn
  • Testing is better than code review
  • But take care: never pentest without agreement, scope, permission & disclose responsibly!

Then the famous Jack Daniel (do we have to introduce him?) gave a last-minute talk due to a missing speaker. Without any slides, he just spoke… about the success story of the BSides events, which are now available all over the world!

Jack Daniel

The next talk was also a last-minute one: “RATS & IOC’s, the easy way” by Kevin Breen. It started with good reminders about RATs or “Remote Access Tools”, used by attackers but not only! They are also the favourite tool of script kiddies! What’s interesting with RATs: they are deployed as a single binary. What does that mean? It contains ALL the information necessary to study how they work and how to defend against them. What can we find?

  • C&C domains & IP addresses
  • Password
  • Installation files, paths, processes
  • If the RAT is using encrypted data, the key(s) and algorithm used!

Kevin’s idea was to analyze those RATs and extract the useful information. Once you get the stuff, you can defend (create firewall rules, IDS rules, check your logs for suspicious activity, etc), but you can also attack the attacker. After all, you know everything about him! But the most valuable thing is to share with the community. To do that, Kevin created the website malwareconfig.com. Very interesting talk with lots of details on grabbing IOCs (“Indicators of Compromise“).

My last talk was the one by Ollie Whitehouse: “Why defensive research is sexy too…“. The idea was to explain why doing research in defensive security is also interesting compared to offensive security, which looks easier: no time nor money constraints, more technologies, etc.

I also followed some rookie talks. For the second time, a “rookie” track was organized with 21 (!) 15-minute talks! Some of them were very good! Besides the regular talks, there were also workshops and other interesting initiatives like:

  • A panel about women in infosec
  • A CV & career clinic room (to exchange jobs)
  • A quiet room with power plugs (very good idea!)

And of course lots of new and old friends… Too bad that some interesting talks were cancelled due to a missing or sick speaker… Anyway, see you in 2015!
