Here is a quick wrap-up of the just finished BSidesLondon. It was already the 5th edition (and my 5th participation!). This year, they moved to a new location close to Earls Court where is organized InfoSec Europe at the same time, good idea for those who want to attend both worlds: Hackers wearing t-shirts VS. Vendors wearing ties! This year, it was just a one-day journey for me, I’m writing this blog post while waiting for my train back to Belgium.
I arrived late due to transport constraints and missed the keynote but I was just in time to attend the first half-day of talks. The first one was presented by Freaky Clown:Â â€œHow I rob banksâ€. Following each others on Twitter, it was a good opportunity to also meet him in real life. Working asÂ a pentester, he made a presentation about physical security and how it can be very easy to enter a “secured” building (notice the quotes!). Like a network, once you get it, itâ€™s often game over. Freaked Clown reviewed different mistakes and how badly security controls, gates or receptions are deployed. How easy it is to â€œabuseâ€ people to allow you to enter a restricted area. All the cases demonstrated by funny pictures and stories. The conclusion to this talk could be: Information security or physical security: bothÂ fail! Bad implementations, lack of controls, procedures, installation left in â€œtestâ€ or â€œdebugâ€ modeâ€¦ About this,Â I liked the example of the super-safe gate which was left in test mode and operatedÂ itsÂ doors by itself every x minutes. Just be patient and enterâ€¦Â
The second talk was about POS (“Point of Sale“) terminal. You know, the portable device with a card reader and a PIN pad which allows you to perform transactions with your credit/debit cards. If I remember well, this was a lightning talks in 2014 but Grigorios Fragkos came back with a talk full of juicy information. A first remark: to perform such kind of research, access to devices is mandatory and theyâ€™re not easy to get and use. This must of course be performed in a lab environment. Playing with people’s money can cause you some troubles :-). The talk was a suite of abuse scenario that can be performed with POS terminals like:
- To cancel or invalidate a transaction (read: to not pay and keep your money)
- To get paid (read: to get some goods and get extra money)
There are plenty of POS models on the market andÂ most of them are easy to abuse. Of course, Grigorios did not disclose names, which is understandable. No need of magic or reverse-engineering-fu, some good combinations of keys pressed in the right order and at the right moment are enough to clear the transactions cache or to uninstall the OSâ€¦ Brilliant andÂ scaringÂ at the same time! I willÂ never see a POS device like before. A special mention to theÂ stupidÂ people who post pictures of their brand new customized creditÂ cards… Grigorios wrote a small Python tool which can generate valid credit-card numbers even when there are are missing numbers…Â
The last talk before the lunch break was proposed by Stephen Bonner, a regular speaker at BSidesLondon. He based his talk on samples ofÂ HollywoodÂ movies and series.
As you can imagine they are completely irrelevant and the problem is that people like them and have false ideas of what is information security. He showed multiple funny samples from well-known movies and demonstrated how bad they are. How to notÂ laughÂ when you listen to stupidÂ commentsÂ like in a famous US serie:
I’ll create a GUI interface in VisualBasic, see if I can track an IP address…
The conclusion: People make decisions based on what they see! Talk about security in a clear way and not in the “Hollywood way“.
After a lunch and network break, Javvad Malik came on state with a talk called â€œStay Secure my Friends – My Love-Hate relationship with secopsâ€.Â As usual, Javvad make the show with funny slides and facts
In started in 1999 and still today, vendors are trying to sell us the same sh*t. Nothing really changed. Itâ€™s just a question of rebranding but our problems remain the same. But not only vendors were targeted by Javvad, also users and us, infosec professionals. Some topics covered during the talk:
- Complianceâ€¦ the path to the dark side
- Auditorsâ€¦ the betrayals
- Separation of duties
- Privilege and identify management
All of those covered with funny (or nightmare – depending on your side) stories. He concluded with some tips for us:
- Keep in mind that conflicts are part of our job
- Get your hands dirty
- Learn to script / automate
- Embrace your limitations
The next talk was presented by Joe Greenwood: â€œCrash all the thingsâ€. Joe was an pilot before he switched to the infosec field and knows his topic. Thatâ€™s why he decided to focus his research on the communication protocols used between airplanes, specifically the ones used in collision avoidance systems. All airplanes have radio systems which allow them to exchange critical information between them and pilots get visual alerts when a risk of collision occurs. This system is based on the ADS-B and T-CAS protocols. Guess what? Those protocols are completely insecure (no encryption, no authentication, â€¦). For an airplane, any received ADS-B message is generated by another airplane! Why should it be something else? :-). The fact that those protocols are â€œopenâ€ means that anybody can listen to them, thatâ€™s why we have nice websites or apps like FlightRadar24.
The goal of Joeâ€™s research was to test if it is possible to send bad messages to anÂ airplaneÂ and generate false alerts in the cockpit? Itâ€™s ofÂ course not easy to test that in real life. Joe built his lab with a HackRF (a classic device when you need to send some packets over the air) and GNURadio. The victim was a flight simulator. Modern simulator, being multiplayer have features to receive ADS-B message from 3rd parties.
Joe explained how are constructed ADS-B packets and he wrote some tools to generate them on the fly. The presentation ended with a live demo of a Kali VM sending ADS-B message to the flight simulator running on the same laptop. Crazy to suddenly see 10 ghost airplanes displayed on the radar! What about the countermeasures? If they are plenty of ground stations which can detect rogue flights, an airplane has only one antenna which make the always vulnerable. Can you imagine a Raspberry or a Beaglebone with a HackRF dropped close to an big airport and remotely controlled? Very nice talk!
My next choice was to follow an introduction to the WifiPhisher tool by George Chatzisofroniou. Today, wireless networks are deployed everywhere and people use them all the time. This remains definitively a good attack vector based on the following fact:
75% of the Americans would feel grumpier after one week without WiFi than without coffee!
Before speaking about his tool, GeorgeÂ explained how his tool works (and any other apps of the same kind). 802.11 has many weaknesses that keeps it vulnerable to classic attacks even if encryption is used (WEP/WPA/WPA2). The management frames (beacon frames & probe requests) are always send in clear. What happened when a device see two access-points with the same ESSID? Usually, the network manager choose the one which has the stronger signal. Based on all these information, we are facing classic attacks like Karma, Evil Twin. Those were also explained by George. Nothing brand new but always a good reminder. The second part of the talk focused on the tool WifiPhisher. It looks to be interesting because it integrates all the steps to collect passphares and/or credentials from targeted users (a typical target for WifiPhisher are users being a capture portal). A nice feature is the detection mechanism of the access-point using the MAC address to propose to the victim a specific fake webpage. Note that if youâ€™ve a PineApple (link), you can basically achieve the same results with extra infusions.
Then, Jessica Barker proposed a non-technical but interesting talk: â€œBringing Infosec to the massesâ€. She discussed the fact that we are talking different languages. She started by speaking in Klingon. Nobody understood! Itâ€™s the same in the information security field: we are talking to people with the wrong language. The goal is to reduce the gap between people and technologies but using the right words toÂ attractÂ their attention. We, as infosec, are trying to protect computers used by people that do not think asÂ ourselves!Â
Finally, the event was wrapped with a talk about â€œIntelligence-led penetration testingâ€ by Cam Buchanan. Why this talk? While a customer ask a pentester to test its security, often the scope is restricted to classic stuff like the perimeter, a DMZ, a website, etc. But for a while, many organisations are targeted by very malicious piece of codes which do not follow any rules and do not stick to a restricted scope. Camâ€™s idea was to use the same techniques to perform the pentest. For each step of a classic attack, he reviewed how it can be applied to a â€œlegalâ€ pentest with theÂ caveatsÂ of all steps. Interesting idea! IMHO, not all organisations are ready to allow aÂ so-broad and risky scopeâ€¦
Thatâ€™s the wrap-up of the talks that I attended. There was 3 slots in parallel (two main rooms and the rookie track) with some workshops. From what I eared, the rookie track was very successful. I hope to see all the presentations online soon! Next event for me, BSidesLisbon in one month.