I am currently attending Hack In The Box (HITB), a major security conference in Kuala Lumpur, Malaysia. This is the first security conference I have attended in many, many years. So far I am highly impressed. It’s easy to see the amount of meticulous preparation that has gone into this event. Additionally, the talks have been really fantastic. For this two-day event, I will share my thoughts and impressions from each talk and my general Likes/Dislikes of the conference as a whole.
Day 1 - Talks:
The first talk I attended was "Tracking Large Scale Botnets" by Jose Nazario. While there was no new groundbreaking information in this talk, I did come away with the following interesting facts:
- Botnets are sometimes constrained to geographical regions. This is due to the cultural attractiveness and the language of the lures that led to the initial malware infection.
- Although security researchers are occasionally able to hijack entire botnets away from the original operators, they never (publicly) issue a "kill command" or clean up the botnet infections. This is due to uncertain legal restrictions and repercussions.
- Some botnet operators are now using cryptographically signed command signals as a defense against hijacking.
- Some botnets contain a Domain-name Generation Algorithm (DGA), which operates on a timer. This DGA is used to periodically generate a new DNS domain name for the command and control server. For instance, the current command and control server may be serverX.adbprmmg.com, but once the DGA triggers and calculates that the new control server is serverY.bmpkngf.com, each node of the botnet will begin communicating with this new server. By reverse engineering the DGA portion of the botnet code, malware researchers can register the new domain name before the botnet operator does and effectively neuter the entire botnet.
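To make the "neuter the botnet by getting ahead of its timer" idea concrete, here is an added example (my own illustration, not code from the talk or from any real botnet). It uses a constructed toy DGA seeded from a fixed secret and a one-day period; the functions, the seed, the log format and the IP addresses are all assumptions. It shows the two defender-side steps the talk describes: computing the domains the bots will use in coming periods so they can be registered or sinkholed first, and matching DNS resolver logs against that watchlist.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed toy DGA: one new C2 domain per period, derived from a fixed seed and the
# period number. A real botnet's scheme has to be recovered by reverse engineering its code.
SEED = b"constructed-example-seed"
PERIOD = timedelta(days=1)          # the "timer" driving the domain rotation
TLD = ".com"

def _as_utc(when_iso):
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(when_iso).replace(tzinfo=timezone.utc)

def dga_domain(when_iso):
    """Return the domain the bots would contact during the period containing when_iso."""
    period_index = int(_as_utc(when_iso).timestamp()) // int(PERIOD.total_seconds())
    digest = hashlib.sha256(SEED + period_index.to_bytes(8, "big")).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:8])   # 8 lowercase letters
    return label + TLD

def upcoming_domains(start_iso, periods):
    """Domains for the next `periods` periods from start_iso: the list a defender who has
    recovered the algorithm can register or sinkhole before the operator does."""
    start = _as_utc(start_iso)
    return [dga_domain((start + i * PERIOD).isoformat()) for i in range(periods)]

DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

def find_dga_lookups(log_lines, watchlist):
    """Return (client, qname) for every log line whose query name is on the watchlist.
    Names are compared case-insensitively and without a trailing dot."""
    wanted = {d.lower().rstrip(".") for d in watchlist}
    hits = []
    for line in log_lines:
        m = DNS_LOG_RE.match(line.strip())
        if m is None:
            continue          # skip malformed lines rather than failing the whole run
        qname = m.group("qname").lower().rstrip(".")
        if qname in wanted:
            hits.append((m.group("client"), qname))
    return hits

if __name__ == "__main__":
    watch = upcoming_domains("2012-10-10T00:00:00", 3)
    # Constructed DNS resolver log: "<timestamp> <client ip> query <name>"
    sample_log = [
        "2012-10-10T09:15:02 10.0.0.5 query " + watch[0],
        "2012-10-10T09:15:03 10.0.0.6 query www.example.com",
        "2012-10-11T07:40:11 10.0.0.7 query " + watch[1].upper() + ".",
    ]
    print("watchlist:", watch)
    print("hits:", find_dga_lookups(sample_log, watch))
```

Any client that resolves a not-yet-live watchlist name is a candidate infection to investigate, which is the same signal a sinkhole operator sees once the domain is registered.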
The second talk I attended was titled "Data Mining a Mountain of Vulnerabilities" by Chris Wysopal. Mr. Wysopal's company, Veracode, scanned and performed analysis on approximately 10,000 applications from a wide range of sources. This talk presented an analysis of that data and shared a lot of facts and figures. The items that stuck out for me in this talk were:
- Introduction of a new attack trend dubbed "water holing". Basically, this is an attacker profiling a potential target and then attacking other sites of interest to the target. The example provided was that the attacker may determine that a subset of the employees of target company X are fanatical about the sport of Rugby and frequent a particular website dedicated to Rugby news. The attacker would then attack the Rugby news website and host malware on it, in hopes of subsequently infecting the employees of target company X.
- A very large percentage of non-web-based applications have problems with cryptography. These are related to improper key storage and the like.
- The historical data shows that application developers are doing a better job of eliminating SQL Injection vulnerabilities from their applications. This data also showed that developers are still not making progress towards eliminating cross-site scripting issues from their applications.
The third talk I saw was "OPSEC: Because Jail is for wuftpd" by The Grugq. This talk was probably the most entertaining talk of the day and primarily focused on "how not to get caught hacking". The items that stuck out to me were:
- Multiple quotes from The Wire and the Notorious B.I.G. song "The 10 Crack Commandments". Big props for those fantastic, meaningful incorporations!
- When hacking, you do *NOT* have any friends. You only have "criminal co-defendants". Treat them accordingly.
- An anecdote of a guy who would rent hotel rooms near business locations to do his hacking from. The guy would bring along a lot of Wi-Fi gear, hack a nearby business, and then utilize the hacked business's network to attack his intended target. The multiple layers of abstraction are a really cool idea.
- Fake personas take a long time to set up and establish. These should be set up way in advance and should include things like Gmail, Facebook, and Twitter.
- There has already been some discussion about a potential marketplace for the selling of established fake personas.
- Remember to shut off your mobile phone when going to an off-site location to hack. The mobile phone signals could be used to correlate your geo-location.
- As the Tor Button and Tor-enabled browsers are prone to "fail open" on desktops, Grugq has developed a customized version of OpenWRT to run on selected mobile access points, which will force all traffic to the Tor network. This will be hosted on GitHub.
Being a fellow Thailand-based expat, I'm really amazed by some of the stuff that Grugq speaks about. Perhaps I am overly paranoid about a restrictive Thai government overreacting and revoking my visa and work permit, but I'd really like to know if he's ever run into any issues in this regard or fears that he might one day. Hopefully at some point tomorrow I will be able to meet him and pose this question to him.
The next talk I saw was "A Historical Look at The Personal Computer and The Phreaking Scene" by John 'Captain Crunch' Draper. It was great to hear tales of days gone by from a legend in the industry. The item I found most interesting in this talk was:
- Back in the day, the computer enthusiasts were sharing a BASIC program between themselves. This was common practice in those days, but for some reason Bill Gates became upset by it. Bill Gates ended up being the first person to ever consider that software should be "closed".
The next talk I saw was "Pwn@Home: An Attack Path to 'Jailbreaking' Your Home Router" by Frédéric Raynal & Gabriel Campana. This talk focused on a previous customer engagement where the speakers were contracted to "test the security" of a set-top box and home router. The talk was fairly technical in nature, but the thing I found really cool was:
- As the client did not define parameters around "testing the security", the speakers decided to review from 3 different perspectives:
  - As a "Geek User". Could they install other software packages on this router? Could they install OpenWRT?
  - As a "Paranoid User". Were there backdoors present? What remote services were installed? Was any surveillance-type software present?
  - As a "Bad Guy". Could they pentest against the PayTV infrastructure? Could they attack other routers and build a botnet?
A few weeks ago, I was examining the security of my own newly purchased home router. This particular router forces the use of DNSPROXY and will only distribute the single internal IP address of the router as the client DNS server via DHCP. I started digging in the router and eventually was able to get a shell and access to the file system. I found many troubling things (more on this in a later posting!). I was eventually able to make the changes I wanted (which were lost upon reboot), but I was never able to get *FULL* root access and was soon distracted by other tasks. Seeing this talk makes me want to revisit this and try the following:
- Check for the presence of setuid binaries and attempt to exploit.
- Try to download and decompress the firmware.
- Run "strings" against the firmware.
The final talk of the day was "'I Honorable Assure You: It is Secure': Hacking in the Far East" by Paul Sebastian Ziegler. This talk was also very entertaining and, after almost five years as a security professional in SE Asia myself, it hit really close to home. This talk focused on the cultural mindset of Japan and Korea and how that applies to the realm of security. There were so many great points made in this talk that they are too numerous to list. My thoughts on this talk were:
- There are a lot of similarities with Thailand.
- There were also a lot of subtle differences with Thailand.
- I would love to do an "extension" of this talk to focus on my observations based on my time in Thailand.
Overall Conference Likes:
- Well organized and planned.
- Good selection of local Malay food for lunch and great desserts.
- Free bottled water widely available throughout the conference area.
- Ease of registration.
- The booth babes at the Time Networks booth. I know some would consider this sexist, but booth babes are still very common in South East Asia, particularly in Thailand. This is simply part of the culture, where oppressive fears of being non-politically correct don't run rampant. So what some in the West may deem sexist, I deem to be embracing the culture I've chosen to immigrate into.
Overall Conference Dislikes:
- The photographers and videographers spend too much time filming and taking pictures of the audience. As someone who detests having my picture taken, I find it annoying to have a video camera pointed in my face every time I look up.
- There is loud techno music being played in the common area throughout the event and additionally in the conference rooms between talks. This is quite disturbing to the talks, as every time someone opens the door to come or go during a talk, the music can be heard through the open door. I really wish the conference organizers would either select a less annoying form of music, turn it down a bit, or just play "Gangnam Style" on an infinite loop.
Day 2 Plan:
- Talk 1 - Silo Busting in Information Security: The ISC SIE Approach - Paul Vixie
- Talk 2 - How to Get Along with Vendors Without Really Trying - Katie Moussouris
- Talk 3 - XSS & CSRF Strike Back Powered by HTML5 - Shreeraj Shah
- Talk 4 - iOS Panel Discussion
- Talk 5 - Messing Up the Kids Playground: Eradicating Easy Targets - Fyodor Yarochkin
- Talk 6 - Information Warfare & Cyberwar: What's the Story Morning Glory? - Raoul Chiesa
- Talk 7 - Element 1337 in the Periodic Table: Pwnium - Chris Evans
Be sure to follow me on Twitter @WetFdStamp for more pics and highlights from HITB Day 2!