BruCON day 1 – Impressions

This morning I arrived well in time for registration at the beautiful venue that welcomes the BruCON conference for the second consecutive year. Eager for useful and exciting content, I wandered towards the most important place at such an early hour of the day: the lounge. Breakfast had been served and there was fresh 0xC0FFEE. 🙂

I had made my picks from the very informative content on offer.

Memoirs of an Information Security Streetfighter, by Mikko Hypponen.

This presentation took us back in time to 1986, when the first PC virus, called Brain, was created and detected. By today's terminology it was a rootkit: it intercepted disk reads to hide the infected boot sector from the user. Hypponen took us down memory lane, giving an overview of the history and evolution of viruses and malware and of the ways we fight them. A few trends: the first viruses were "pranks", these evolved into destructive malware, and lately we see more and more ransomware and malware written to make money, such as banking trojans. A second trend is delivery speed: from the speed of travel (on a floppy) to the speed of light (over the fibre optics of the internet). Another trend is who is behind it: last century it was competing hacker gangs, while now we see highly professionally organised criminals.

Lessons learned or taken away: we should ask ourselves whether the traditional approach of the existing antivirus and antimalware solutions is still valid.

Malware and viruses are still a problem; we have not really come closer to a solution. Malware is still a danger.

I spent all this money and still got 0wned, by Joe McCray.

Synopsis of the talk: very interesting and creative ways of using different tools, combined with common sense, can teach you a lot about the security solutions in place. With that information in mind, how do you go about avoiding or bypassing them? A very interesting presentation. One useful take-away: learn to read HTTP headers so you can see how they change from request to request. They reveal which load balancers or web application firewalls sit between you and the target.

Lessons learned: how to develop rule sets that are difficult to bypass. Deliberately send an invalid request to the target to determine what protective measures are in place; the error response and its headers often come from the WAF or load balancer rather than from the origin server. Think creatively about how you set up systems, infrastructure or computer ecosystems to discover whether you might have introduced weaknesses.
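As an added illustration of the header-reading technique above (this is my own example, not code from the talk or the original post): compare the headers of a normal response with those of the response to a deliberately invalid request, and match what changed against a small signature table. The two responses and the signature list below are constructed for the example and are not real captures or an authoritative fingerprint database.

```python
"""Spot load balancers / WAFs from how response headers change between a
well-formed request and a deliberately invalid one.

Added example, not part of the talk or the original post. The two
responses below are constructed, not captured, and the signature table is
illustrative (assumed), not an authoritative fingerprint database."""
import re

# Constructed baseline: response to a plain "GET / HTTP/1.1".
NORMAL = {
    "status": 200,
    "Server": "Apache/2.2.14 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.2",
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}

# Constructed probe: response to a request that a WAF would block,
# e.g. a bogus method or an obviously hostile query string.
INVALID = {
    "status": 403,
    "Server": "BigIP",
    "Content-Type": "text/html",
    "Set-Cookie": "BIGipServerpool_www=123456.20480.0000; path=/",
    "Connection": "close",
}

# Illustrative signatures (assumed): regex over a "Name: value" line and
# what a match suggests sits between you and the origin.
SIGNATURES = [
    (r"^Server: .*BigIP", "F5 BIG-IP (load balancer / ASM WAF)"),
    (r"^Set-Cookie: BIGipServer", "F5 BIG-IP persistence cookie"),
    (r"^Server: .*cloudflare", "Cloudflare reverse proxy"),
    (r"^Via: ", "explicit proxy or cache hop"),
]


def header_lines(resp):
    """Render a response dict as 'Name: value' lines (status excluded)."""
    return [f"{k}: {v}" for k, v in resp.items() if k != "status"]


def diff_headers(baseline, probe):
    """Headers that appear, vanish or change between the two responses,
    as {name: (baseline_value, probe_value)}; None means absent."""
    changed = {}
    for name in set(baseline) | set(probe):
        if baseline.get(name) != probe.get(name):
            changed[name] = (baseline.get(name), probe.get(name))
    return changed


def fingerprint(resp):
    """Signature hits for one response, without duplicates."""
    hits = []
    for line in header_lines(resp):
        for pattern, what in SIGNATURES:
            if re.search(pattern, line, re.IGNORECASE) and what not in hits:
                hits.append(what)
    return hits


def analyse(baseline, probe):
    """Combine the diff and the signatures into a short list of findings."""
    d = diff_headers(baseline, probe)
    findings = []
    if baseline.get("status") != probe.get("status"):
        findings.append(f"status {baseline['status']} -> {probe['status']} on bad input")
    if "Server" in d:
        findings.append("Server banner differs on bad input: the error page was "
                        "not served by the origin")
    if "X-Powered-By" in d and d["X-Powered-By"][1] is None:
        findings.append("origin's X-Powered-By missing on bad input: "
                        "request never reached the application")
    return {"diff": d, "fingerprint": fingerprint(probe), "findings": findings}


if __name__ == "__main__":
    result = analyse(NORMAL, INVALID)
    for name, (before, after) in sorted(result["diff"].items()):
        print(f"{name}: {before!r} -> {after!r}")
    print("fingerprint:", result["fingerprint"])
    for finding in result["findings"]:
        print("-", finding)
```

The interesting signal is rarely a single header but the difference: the origin's `X-Powered-By` vanishing and the `Server` banner changing on the blocked request tell you the probe was answered by something in front of the application, even before a signature matches.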

GSM Security – Facts and Fiction, by Fabian van den Broek

Summary of the talk: globally, more people have GSM coverage than access to clean drinking water. From a security point of view it's back to the eighties; we are making the same mistakes again. For example, in the exchange between a cell phone and the nearest tower only the phone has to authenticate; the network never proves its identity, so anyone who can pretend to be a cell tower can man-in-the-middle the conversation. A proof of concept was shown.

Take-aways from this presentation: use 3G (UMTS) as a minimum, since it also authenticates the network to the phone, and use end-to-end crypto on your mobile if it allows it. Actually cracking GSM and eavesdropping comes with some practical obstacles: frequency hopping, for instance, was intended as a sort of quality-of-service measure but also makes eavesdropping harder.
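To make the one-way authentication point from the summary above, and the "use 3G as a minimum" advice, concrete, here is an added toy model of the two exchanges (my own example, not code from the talk or the post). The real A3/A8 and UMTS f1/f2 functions are replaced by HMAC-SHA256 stand-ins, Ki is a made-up value, and UMTS sequence-number freshness checking is left out; only the shape of the exchanges is faithful.

```python
"""Toy model of why a GSM phone cannot tell a fake base station from a real
one, and what the 3G/UMTS AKA exchange adds to fix that.

Added example, not from the talk or the original post. A3 and the UMTS f1/f2
functions are replaced by HMAC-SHA256 stand-ins, Ki is a made-up value, and
UMTS sequence-number freshness checks are left out."""
import hashlib
import hmac
import os

KI = bytes.fromhex("00112233445566778899aabbccddeeff")  # made-up subscriber key


def sres(ki, rand):
    """Stand-in for A3 (GSM SRES) / f2 (UMTS RES): the phone's answer."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def f1_mac(ki, rand, sqn):
    """Stand-in for UMTS f1: the network proves it knows Ki by MACing RAND||SQN."""
    return hmac.new(ki, b"f1" + rand + sqn, hashlib.sha256).digest()[:8]


class Phone:
    def __init__(self, ki):
        self.ki = ki
        self.ciphering = None  # algorithm chosen by the network, e.g. "A5/1"

    def gsm_auth_request(self, rand):
        # GSM: the phone answers any challenge. Nothing in this message lets
        # it check who asked, so a rogue BTS can run the exchange too.
        return sres(self.ki, rand)

    def umts_auth_request(self, rand, autn):
        # UMTS: AUTN carries SQN and a MAC over RAND||SQN under Ki. A network
        # that does not know Ki cannot produce it, so the phone refuses.
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f1_mac(self.ki, rand, sqn)):
            raise ValueError("MAC failure: network could not be authenticated")
        return sres(self.ki, rand)

    def cipher_mode_command(self, algo):
        # The network picks the cipher; GSM phones accept A5/0 (no encryption).
        self.ciphering = algo


def genuine_gsm_bts(phone, ki):
    """Real network: knows Ki, so it can verify SRES before switching on A5/1."""
    rand = os.urandom(16)
    if phone.gsm_auth_request(rand) != sres(ki, rand):
        return None
    phone.cipher_mode_command("A5/1")
    return phone.ciphering


def rogue_gsm_bts(phone):
    """Fake tower without Ki: it never checks SRES and turns ciphering off,
    then relays traffic to the real network (the MitM from the talk)."""
    rand = os.urandom(16)
    phone.gsm_auth_request(rand)       # answer is discarded: nothing to check it against
    phone.cipher_mode_command("A5/0")  # plaintext from here on
    return phone.ciphering


def genuine_umts_node(phone, ki):
    """Real 3G network: builds AUTN with the correct MAC and checks RES."""
    rand, sqn = os.urandom(16), (1).to_bytes(6, "big")
    res = phone.umts_auth_request(rand, sqn + f1_mac(ki, rand, sqn))
    return res == sres(ki, rand)


def rogue_umts_node(phone):
    """Same attacker against a 3G phone: a forged MAC is rejected by the phone."""
    rand, sqn = os.urandom(16), (1).to_bytes(6, "big")
    try:
        phone.umts_auth_request(rand, sqn + os.urandom(8))
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("GSM, genuine BTS :", genuine_gsm_bts(Phone(KI), KI))
    print("GSM, rogue BTS   :", rogue_gsm_bts(Phone(KI)))
    print("UMTS, genuine    :", genuine_umts_node(Phone(KI), KI))
    print("UMTS, rogue      :", rogue_umts_node(Phone(KI)))
```

The GSM phone never sees a message it could reject: the rogue tower does not need Ki at all, it only needs to be the strongest signal, and it gets to choose A5/0. The UMTS phone refuses at the first message, because AUTN cannot be built without Ki. A real fake tower would also have to jam or outpower the 3G cell to push a phone back to GSM, which is why "3G as a minimum" helps but does not settle the matter.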

“The monkey steals the berries” – the state of mobile security, by Tyler Shields

Data is moving more and more to mobile devices, and so those devices and the apps running on them are getting the attention of cybercriminals. Target of choice: the iPhone, because of its attack surface: more units sold, more apps in the App Store.

Today there is already commercial (benign) and malicious software that mines data from mobile devices and is controlled from a command and control server.

The problem is that malware detection can be done effectively only by binary analysis of the code, which is very hard to do. Third parties sign code or apps and thereby establish a kind of trust between the application "store" and the end user. But is that trust justified? Are the controls that Apple, RIM and others apply before approving apps sufficient to ensure that the apps on your phone are secure?

Points of interest: we place too much trust in third-party "application distribution points". Source code analysis is not done thoroughly enough. As far as mobile security goes, we are making the same mistakes we made with PC security.

Embedded systems and a plot to take over the world

Global domination needs money, power and stealth, and embedded systems are ideal for attaining them. Many of them are used to access services where a financial transaction is involved, and nobody pays any attention to them because you plug them in and they just work.

However, they are inherently insecure because they tend to be cheap, and what gets cut to save cost is, unfortunately, mostly security.

Cyber(Crime/War): connecting the dots, by Ian Amit.

It’s a controversial topic, because even the US cyber czar denies that a cyberwar is going on. Nowadays cybercrime is being used to conduct cyberwar. Ian showed that in modern warfare the conventional way of waging war is supported or reinforced by cyber attacks on the critical infrastructure of nations. Several nations are already building up cyberdefense capabilities.

The WOMBAT project

Europe is sponsoring a project to set up sensors to collect and analyse data about “malicious” networks. Two important parts are TRIAGE and FIRE. The first clusters malicious occurrences by multi-criteria decision analysis of the collected data; the second discovers malicious networks.

There is a difference between malicious networks and benign ones with infected hosts on them.

One of the goals of the project is to attribute attacks, or clusters of attacks, to particular domains or networks, distilling a fingerprint for each attack class.

The final talk I followed was about project Skylab, by Craig Balding. He is currently developing a framework based on cloud technology that will allow you to build your own infosec lab in the cloud. A very promising project, which I look forward to seeing completed.

Stay tuned for more on the second day @brucon.

Stay secure!