BSides Manchester 2014
The Elves, sponsors and the attendees seemed to think that last year went pretty well. So much so we decided to carry it on...
Below will give you a feel of how the 2014 event went.
Pictures nicked off Twitter: @drgfragkos, @NCCGroupPLC and @pentestlimited
2014 Sponsors (thank you)
Day 1 Welcome
0900 Registration and Coffee
1000 Welcome & Keynote - Theatre C2
Day 1 Keynote - Theatre C2
1000 How bleeding edge software can be safer than long term support
Why the future of secure systems is taking the risks of new features, and managing the risks of the latest versions rather than the old “playing it safe” on stable old versions. How to keep systems secure despite software needing frequent patches, and getting off the failed mindset of the reliable old version, or the software appliance.
The talk is about how we are moving towards fast patching, and away from long term support and software as an appliance. I will suggest we need to accept a lot more risk around applying updates, and be able to quickly regression test our most important business functions well enough to stay on the bleeding edge versions of software.
Day 1 Track 1 - Theatre C2
1100 ActiveScan++: Augmenting manual testing with attack proxy plugins
This presentation will introduce ActiveScan++ and demonstrate how it can be used to easily identify complex vulnerabilities in real world applications. ActiveScan++ is an open source Python plugin that builds upon Burp Suite's active scanning functionality. This talk will cover the classic and exotic vulnerabilities it can detect, as well as the pros and pitfalls that can be found with the proxy-plugin approach to automated vulnerability hunting.
ActiveScan++ uses heuristic probes to efficiently assess the susceptibility of the target to a range of cutting edge attack techniques, such as host header poisoning and relative path overwrites. In addition, ActiveScan++ provides robust identification of blind attack issues, helping to locate rare but critical vulnerabilities such as code injection that pentesters can't afford to miss. Demonstrations of the underlying mechanics of these attacks, how they can be automatically detected, and how we can actively exploit them once they have been identified will be performed throughout the presentation.
The presentation will finish with a discussion of current research into automated detection of 'suspicious' behaviour, in a manner similar to the initial stages of manual testing. These new techniques allow generic detection of entire vulnerability classes by combining platform-independent payload sets with fuzzy pattern matching.
1300 Using a CAT for Fun and .NET Profit
The aim of this talk is to promote the value of automated source code analysis in finding and remediating security flaws and to encourage further research and development in the realm of taint and control-flow analysis.
Many web applications are written in Microsoft’s .NET framework. While .NET manages code in ways that mitigate many memory-related security flaws; .NET applications can still be coded insecurely and can be vulnerable to flaws at the application layer. While penetration testing can help find security flaws in .NET applications, the inherent black-box nature of penetration testing means that not all possible flaws may be found.
Enter CATs (Code Audit Tools), or more specifically Microsoft’s .NET Code Auditing Tool. The tool has been freely available for many years yet in the author’s opinion is largely underused. CAT.NET performs taint analysis across .NET code or binaries, which allows for enumeration of many possible web application bugs based on the inputs to, and outputs from, code. This talk will present the value of using CATs for expediting the identification of security flaws in applications. Research will be presented based on analysis of 30 common .NET web application frameworks. The talk will provide examples of the usefulness of CATs in quickly triaging bugs – additionally, analysis of common (or shared) .NET code in use across Internet applications will be presented, which provides interesting statistics and trends in relation to the security flaws and misconfigurations commonly found across .NET web applications.
A primitive, mildly useful, yet imaginatively-titled tool (Matt.NET) will be demoed and released alongside the talk; the tool aims to make CAT.NET even more accessible and easy to use than it currently is, to allow for quicker bug hunting yet more importantly, faster remediation of bugs.
If nothing else there will be humorous cat pics.
1400 RATS & IOC's The easy way!
RATs are used across all areas of cyber incidents. From the 'Script Kiddie' looking to hijack a pretty girl's cam, to APT actors after intellectual property, and most groups in between.
There are plenty of services that offer dynamic analysis of files that record what the files do in specific sandboxed environments and watch for network activity.
All RATs contain their call home information somewhere inside the file. Most include more than just a domain name and a port; they include passwords, campaign names, install paths and a lot more besides.
Unfortunately some are also designed to hide this information from a sandbox service or dynamic analysis.
This is not a problem for static analysis; if you know exactly where and how the config is stored in the file you can simply ‘pop’ it out.
This talk will show you how to extract this information in a few easy clicks in your own environment and finish with a quick look at malwareconfig.com, which has been set up to process the most common RATs and provide usable information from each field of the config.
Create, for example, Snort rules, YARA rules, IOC files with registry keys and file names, resolve the DNS for the domain names, geolocate the IP and as many more functions as you can think of and write.
Finally store all the data into a searchable SQL backend and let the research community at it with full keyword searching across all fields and daily exports of all known bad domains / IPs.
1530 Breaking "Secure" Mobile Applications
This talk examines the security of products in the mobile space that describe themselves as being secure.
A lot of mobile products like to describe themselves as being secure, offering "secure messaging", "end-to-end secure communications" and "secure device management" to name but a few of the terms bandied around. This talk will challenge just how secure some of these products are, providing practical examples on how to break real world applications, including Mobile Device Management applications, secure instant messengers and password lockers.
We also discuss and describe Binary Protections, a recent addition to the OWASP Mobile Top 10, including an overview of some of the commercial and freely available solutions, plus some custom implementations encountered during consultancy engagements. We then go on to demonstrate attacks that can be used to bypass these protections on the iOS and Android platforms, with practical examples.
1630 OWASP ZAP: Advanced Features
The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors. While it is an ideal tool for people new to appsec, it also has many features specifically intended for advanced penetration testing. In this talk Simon will give a quick introduction to ZAP and then dive into some of these features, including:
Handling single page and other ‘non standard’ apps
Client side testing with Plug-n-Hack
Advanced scanning options
Zest - ZAP’s macro language
Changing the source code
1730 Rookie: When PXE Goes Bad
The Preboot eXecution Environment, or PXE, is a network technology often used in corporate environments. This talk will discuss the uses it has before going on to discuss some potential attacks that can be used against it. It will also show some countermeasures that can be implemented to secure systems against those attacks.
Day 1 Track 2 - Theatre C9
1100 Hardcore photography: How I hacked my DSLR
Own a DSLR? Then you own an extremely advanced piece of portable technology. The problem is that most people can't actually get access to the good bits and are stuck with the factory provided menus, functionality and bugs. When I bought my Pentax K-30 DSLR I thought I was stuck in this position with the original firmware. Then I started hacking. My journey involved decrypting the original binary, performing a crazy level of reverse engineering, making changes to the firmware and most importantly trying to not brick my expensive camera.
On the way I've had help from a lot of people, including the community of Pentaxforums who bought me a new camera to hack on.
The result of this is an open source project I've called PHDK (no relation to CHDK). This allows developers to write new functionality in relative safety, without the need to flash the camera's firmware.
Not interested in cameras? The skills and tools I'll show are applicable to a wide range of embedded devices.
1300 What #SOCFail looks like, and how to avoid it: AKA sort your “little" data out before going BIG
This presentation will look at what #SOCFail looks like, focusing on the top 10 mistakes made by organisations building Security Operations Centres. In addition, we’ll discuss how to avoid these pitfalls, discuss what a good SOC looks like and list some emerging trends in event detection, investigation and response.
1400 SSL Checklist for Pentesters
This presentation will tackle the subject of SSL/TLS testing from the viewpoint of a penetration tester. This will be a practical guide, not heavy on cryptography, but I will assume that attendees are happy with the basic concepts of the issues under discussion. The talk will be broad in scope, covering SSL/TLS protocol versions, cipher suite checks, certificate problems, poor SSL practice in web applications along with well-known flaws surrounding renegotiation, RC4, BEAST and Heartbleed. For each issue, the focus will be on what to look out for, how tools can let you down and how you can go about checking issues manually.
1530 Strong passwords and Unicode. Can we use Unicode characters to strengthen our passwords? Yes... er no... er maybe. It depends
Unicode has been around for ages; it was created as a solution to the problem of managing input from many languages around the world with limited physical keyboard layouts. However, just like IPv6, Unicode is complex, generally poorly supported and definitely ubiquitous. In the western world there is little incentive to use Unicode, given that standard keyboards and the ASCII character set mostly do the job. Hash cracking software suffers from the same faults.
* Recent high profile hacks against web applications
* A number of local and network based attacks consist of extracting password hashes with the purpose of cracking them.
* Password cracking hardware and software is improving, but some tools barely handle Unicode at all and the vast majority of dictionaries available on the Internet are purely ASCII.
Consequently a password hash generated with Unicode characters would be very difficult to crack using typical techniques, especially if the attacker is not explicitly considering the Unicode character set. Even if they were, the character set is so large that a straight brute force attack would increase in complexity by a few orders of magnitude.
The question that we seek to address is whether or not it is possible to use unicode characters in today's software to strengthen password hashes.
We will present our research into the handling of Unicode by several operating systems, browsers and application frameworks. Can you use Unicode to increase password security? Yes and no. Use it in the wrong place and you run the risk of locking yourself out!
We will also demonstrate the challenges of cracking hashes including Unicode characters - it's harder than you might expect.
We also show how Unicode is not interpreted correctly in some cases, causing unexpected problems.
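The lockout risk described above comes from two systems seeing different bytes for what the user believes is the same password. The following is an added example, not code from the talk or the speakers: it hashes a constructed password containing "é" under NFC and NFD forms and under two encodings, and shows that normalising before encoding makes the equivalent forms agree.

```python
import hashlib
import unicodedata

# Constructed sample: the same visible password entered two ways.
# Precomposed e-acute (U+00E9) versus plain e + combining acute (U+0301).
PASSWORD_NFC = "caf\u00e9"
PASSWORD_NFD = "cafe\u0301"

# Constructed salt and a modest work factor; fixed so the demo is reproducible.
SALT = b"constructed-demo-salt"
ITERATIONS = 10_000


def naive_digest(password: str, encoding: str = "utf-8") -> bytes:
    """Hash the password bytes exactly as received: no normalisation step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(encoding), SALT, ITERATIONS)


def normalised_digest(password: str) -> bytes:
    """Canonicalise to NFC and fix the encoding before hashing.

    Equivalent Unicode sequences then produce the same bytes, so a password
    typed on a platform that emits NFD still verifies against a hash created
    from NFC input.
    """
    canonical = unicodedata.normalize("NFC", password)
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), SALT, ITERATIONS)


def naive_match(a: str, b: str) -> bool:
    """Do two inputs verify against each other without normalisation?"""
    return naive_digest(a) == naive_digest(b)


def normalised_match(a: str, b: str) -> bool:
    """Do two inputs verify against each other with normalisation?"""
    return normalised_digest(a) == normalised_digest(b)


def encodings_agree(password: str) -> bool:
    """Does the same string hash identically as UTF-8 and UTF-16-LE?

    False for any non-empty string: a system storing hashes over UTF-16-LE
    bytes and one verifying over UTF-8 bytes will never agree, even for ASCII.
    """
    return naive_digest(password, "utf-8") == naive_digest(password, "utf-16-le")


if __name__ == "__main__":
    print("naive NFC vs NFD match:     ", naive_match(PASSWORD_NFC, PASSWORD_NFD))
    print("normalised NFC vs NFD match:", normalised_match(PASSWORD_NFC, PASSWORD_NFD))
    print("UTF-8 vs UTF-16-LE agree:   ", encodings_agree(PASSWORD_NFC))
```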
1630 A Crack in The Foundations: Overcoming Web Framework Risk
Frameworks continue to enable developers to innovate faster than ever before, however the popularity of The Framework also proportionally magnifies the risk when vulnerabilities are found within it. In this talk, Jerry Hoff examines recent framework vulnerabilities; explores in detail the issues that put millions of applications worldwide at risk; shares the steps that organisations can take to mitigate these risks; demonstrates the opportunities for attackers to exploit these loopholes; and looks at what further threats we can expect going forward.
1730 Rookie: How Much Are You Worth?
A look into how I went from having $440,000 in my bank account to scoping out the cyber underworld into the late hours. I will be answering the question "How much are you worth to a cyber criminal and what do they want from you?"
Day 2 Welcome
0900 Registration and Coffee
Day 2 Track 1 - Theatre C2
1000 POS Devices: you could…live for free!
Dr Gregorios Fragkos
Nowadays, very few people carry cash for their everyday transactions. Most daily transactions are performed by a debit or a credit card using a Point of Sale (POS) device. The device’s temporary storage, the card data, the overall transaction information and the established communication channel to the authorisation server are protected by strong encryption and a number of security features. However, these devices have a number of “features” which can be used to allow someone to deviate from the payment process in a number of different ways. More specifically, it is possible to complete a transaction without actually being charged, pay with someone else’s card without knowing the PIN or even get paid instead of paying. The presentation will give you a good understanding of how these devices work and it will demonstrate a number of “magic tricks” on how you could actually live for free!
1100 How I rob banks
Freaky Clown @__freakyclown__
A lighthearted trek through my daily job of robbing banks (amongst other things) both physically using social engineering techniques and digital hacking.
1300 U Plug, we play
Smart devices are just about everywhere. Many of them adopt UPnP to make their operation seamless and to cut out the need for users to spend time configuring them to function and interoperate. Usability often takes its toll on security.
In this talk I will introduce a new open source toolkit which allows you to identify, interact with, learn and spoof UPnP devices. I will discuss how the tool works and what I have observed by using it with a range of UPnP devices. I will then delve deeper into the UPnP stack and present my analysis of the UPnP implementations of popular devices (mobile devices, set top boxes and operating systems). I highlight the inherent security weaknesses, good and bad vendor practices and vulnerabilities I identified along the way.
1400 Who Said the Good Old Days Were Gone? Analysing the Dark Seoul Malware Campaign
At the beginning of 2013 some 35,000 systems in the Republic of South Korea were hit with a massive cyber attack. The interesting aspect was that rather than silently infiltrate each of these machines for data theft or further network penetration, the malware attempted to delete or destroy data held on the hard drives and network shares attached to these machines - a behaviour more commonly associated with malware of yesteryear.
The aim of this talk will be to present an abstract of the campaign as a whole, a walk-through of the disassembly of the malware samples provided and a demo to show the consequences of infection.
Day 2 Track 2 - Theatre C9
1000 History of PC malware
This talk will describe the development of malware from its start with the Brain.A virus. We will look at how malware developed from something people were doing for fun to something underground organisations are using to generate profit. A currently hot topic is how secret governmental organisations are using malware for spying and sabotage. In this context we will describe two of the most sophisticated malware families seen to date - Stuxnet and Duqu. The talk will cover topics described in the paper that can be found here: http://arxiv.org/pdf/1302.5392v3.pdf
1100 The doer alone learnth - Building a better understanding of your NIPS/NIDS
Arron ‘Finux’ Finnon @F1nux
NIDS/NIPS (or whatever 3 letter abbreviation is used) have a very rich and documented history of being subverted. Almost as rich as their history of failing at detecting intrusions. This has led to the somewhat universal declaration of their death amongst many security practitioners, and yet even amongst this deathly chorus NIDS/NIPS are still being deployed in great numbers. Regardless of how much we hear these obituaries of a "dead" technology, many organisations still have no choice but to manage and maintain these systems. With no viable alternative in sight it seems we are left with only one option; to mitigate!
The German philosopher Friedrich Nietzsche has been quoted as saying "The doer alone learnth", which could be interpreted as saying "knowing about 'something' is not the same as doing 'something' and 'experiencing' it.". Essentially this quote is the underlying theme throughout security testing. Until you're tested, it's only theory! When it comes to NIDS/NIPS few even consider testing them, and even fewer know where to begin. Only by "experiencing" the weaknesses of a NIDS/NIPS can we begin to start mitigating the problems.
This talk looks at why auditing and testing of security devices such as NIDS/NIPS is beneficial to organisations, why the current NIDS/NIPS environment is limiting in a testing context, and what steps can be taken by organisations to conduct a worthwhile test of these devices. Additionally the talk will discuss what steps are currently being taken by the security community itself to better test and maintain devices such as NIDS/NIPS.
Rookie afternoon - Theatre C9
1300 Rookie: I Heard You Say Android Is Insecure
Many people say that Android is insecure, and you hear statistics saying that there are lots of Android devices infected with malware.
In this talk I will give an introduction to the Android architecture, the way it implements security and how it incorporates the Linux kernel. I will argue that Android's architecture is not inherently insecure, and then talk about the reasons why there are so many infected devices.
1330 Ensuring Password Cracking Ain’t Easy
This talk will look at why using traditional hashing algorithms no longer cuts it and what we should be doing instead. Key Derivation Functions are the future of password storage, as the resulting digest requires far more computational power to crack than traditional hashes. Variable work factors also allow us to scale the algorithm as hardware increases in power.
I’ll briefly cover how hashing works, then move on to examine 3 Key Derivation Functions (KDFs): bcrypt, scrypt & PBKDF2. Next I’ll talk about the computational power required to generate and crack the resulting digest from each KDF. The talk will finish with a recommendation on which KDF to use and the optimal work factor for each of the KDFs.
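To make the variable work factor concrete, here is an added example (not the speaker's code) using PBKDF2-HMAC-SHA256 from Python's standard library. The storage format `pbkdf2-sha256$iterations$salt$digest` is an assumption for this example; it keeps the work factor next to the hash so that existing hashes can be detected and upgraded as hardware improves, and the calibration helper picks an iteration count for a chosen time budget on the current machine.

```python
import hashlib
import hmac
import os
import time

SCHEME = "pbkdf2-sha256"  # assumed label for the stored-hash format


def pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key; cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def hash_password(password: str, iterations: int) -> str:
    """Produce a self-describing record: scheme, work factor, salt, digest."""
    salt = os.urandom(16)
    digest = pbkdf2(password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored work factor and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    recomputed = pbkdf2(candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, target_iterations: int) -> bool:
    """True when a record was made with a lower work factor than current policy.

    Call this after a successful login and re-hash the plaintext you just
    verified, so old hashes are upgraded transparently over time.
    """
    return int(stored.split("$")[1]) < target_iterations


def calibrate_iterations(target_seconds: float, start: int = 1_000, ceiling: int = 1 << 24) -> int:
    """Double the iteration count until one derivation takes >= target_seconds.

    Run this on the hardware that will verify logins; the result is the work
    factor that costs a legitimate login roughly `target_seconds`.
    """
    iterations = start
    while iterations < ceiling:
        started = time.perf_counter()
        pbkdf2(b"calibration", b"calibration-salt", iterations)
        if time.perf_counter() - started >= target_seconds:
            break
        iterations *= 2
    return iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", 100_000)
    print(record)
    print("verify ok:", verify_password(record, "correct horse battery staple"))
    print("suggested iterations for ~0.1s:", calibrate_iterations(0.1))
```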
1400 Using Configuration Management to Pivot and Persist
While configuration management tools remove the repetition and pain of updating systems, they also provide a valuable target to hackers. Using configuration management tools, a hacker can guarantee permanent access to a system and expand his control of the network. This talk will cover installing backdoors, adding users and reintroducing vulnerabilities via CFEngine and Puppet.
1430 Two Factor Authentication, Cyber Security Snake Oil?
With more and more sites enabling two factor authentication, having a username and password with malicious intent isn't as useful as it used to be. But what is two factor authentication, should you enable it, is it just another inconvenience and can it be beaten? Where there is a will there is a way... a cheap, dirty way. Let's just hope the demo works!
Day 2 Keynote & Wrap up - Theatre C2
1530 Fear and Loathing in Cyber Security
The biggest problem facing cyber security, the greatest threat the Internet faces, is the fear. Too often the cyber security industry trades on the threats that lurk and the low level of understanding and awareness that most users have (and I say that as a cyber security consultant…). The average user, meanwhile, is aware that there are dangers in cyber space, that there are ‘hackers’ who can ‘steal’ their information, but they do not know how that really happens or why they should, for example, have strong passwords. As we all know, a lot of users do not even know what makes a strong password or, if they know, they do not understand well enough to actually bother. The ‘how’ and ‘why’ is very rarely explained.
The problem with fear is that it is not empowering. Fear is undermining, off-putting and breeds insecurity. Literally, in this field, fear causes cyber insecurity.
This talk borrows from psychology and sociology to argue that if we want better cyber security, we have to connect the dots for people. Rather than simply scaring people with the threat, we need to explain how what they do fits into the bigger picture and, most importantly, we need to give them a clear map of good behaviours.
1630 Wrap up
This is when we will say our final farewells and thank-yous as we part ways; it's going to be emotional. Sponsors will also do any prize givings from competitions.