44Con Trip report

Last week I attended the UK security conference, 44Con.  I went into 44Con feeling a little jaded with the overall security community, but left with a real spring in my step.  There are many very approachable and knowledgeable people doing some amazing work. It’s easy to forget if you focus on the minority of the community who bring arrogance and elitism to the table in large amounts.

44Con is now in its second year and is shaping up into a very nice conference indeed.  My views may appear slightly more biased as I’ve helped with chaperoning speakers, but if anything that would actually tend to make me more critical.

For me the key points were

  • A local conference with great, high quality content.
  • Value for money (at ~£300 its cheap if you’re based near London).
  • 4* venue in central London (with lunch and free coffee provided).
  • Access to speakers. At the bigger conferences, getting time with top class security speakers is limited.  At 44Con (I noticed this at BlackHat Abu Dhabi too), you have great access to speakers, who are all willing to spend time and talk about their work.  This is where interesting partnerships can occur.
  • Local peers – Although I try and attend Defcon London once a month, it’s really only at BSides London and 44Con that I get to meet up with most of my UK peers and have quality time to talk.

If you’re in the UK, it will be worth checking out in 2013 (as will BSides London ). For London locals, the montly DC4420 is worth a visit.

In terms of talks, these were the highlights for me:

Terrorism, tracking, privacy and human interactions:  (Daniel Cuthbert and Glenn Wilkinson of Sensepost)

This was arguably the talk of the conference. Daniel and Glenn set about creating a low budget distributed data interception framework with functionality for simple analysis of collected data.  In simple terms, they demonstrated that they could track almost anyone who carried a smart phone and link most of those smart phones to a human. Everyone in the audience, including myself, immediately reached for their phones to switch them off.

The duo created access points (AP’s) that would collect the probe requests of wireless devices as people passed by them and deployed a number of these AP’s around London.  They also provided a proof of concept that showed how these AP’s could mimic the wireless networks that devices were trying to contact, before servicing those requests. For example, if someone’s mobile device was looking for a link to say Starbucks, the AP would record the MAC address of the device and (have the potential to) respond saying “Hey, I’m ‘Starbucks’ connect to me”. At this point, any web traffic, including social media services with appropriate settings would pass through their AP (momentarily), enabling the guys to build a database of which devices were passing through which points and at what times, and also link a device to an identity based on what goes over social media. They were able to pick out people’s houses purely through SSID’s (i.e. no data interception was required. That’s interesting because via no illegal data interception, the duo can figure out where you live) and determine where people pick up their morning coffee and what time they’re likely to do that.

Finally, they also  demonstrated this using the newly released Maltego Radium tool, which adds powerful visualization to reconnaissance activities (from network enumeration to social network enumeration . The extendable nature of Maltego makes it one of my favorite tools for data analysis.  Here’s a short video demonstrating Maltego Radium

If you get a chance to see Daniel and Glenn present on this, or any other topic, I strongly encourage you to attend. They are both excellent security minds with a superb ability to communicate.

Maltego is available here : http://www.paterva.com/web6/products/maltego.php

 

Other notable talks…

Cryptanalysis of the Enigma Machine: (Robert Weiss, Password Crackers Inc and Ben Gatti, OpenVPN)

Robert Weiss and Ben Gatti wrote a tool to crack text encrypted by an Enigma machine.  They provided an excellent description of the history and some of the failures of the Enigma implementation and asked, how would Allen Turing have approached the problem with today’s tools.  Their software demonstrated, through to use of examining letter frequencies how to crack Enigma encrypted text.  I was surprised to hear that there are still some unencrypted Enigma messages out there so I look forward to seeing if they can help decrypt them.

See more here. http://enigmacrack.com/

 

Software Security Austerity – Software security debt in modern software development: (Ollie Whitehouse – NCC Group plc)

One of the key elements of Ollie’s presentation was that organizations who tackle the issue of security involvement in the lifecycle now have another problem, namely “what to do with all the issues you find”. Organizations tend to focus on High and Critical vulnerabilities and as a result accrue medium and low vulnerabilities that tend to go unfixed. This is where Ollie positions the concept of software security debt.

As the talks abstract states “What happens when you’ve implemented your SDLC or started your security mindfulness activities and got good at finding security issues? Typically you won’t be able to fix them all and as a result you start to accrue vast amounts of known security debt. This is compared to doing nothing and having large amounts of latent security debt.

The presentation will discuss the business realities when dealing with security debt, how these realities can be balanced and why there are parallels with the recent financial austerity measures we’ve seen and what we should learn from recent events.”

You can read an excellent SC Magazine article on this topic here http://www.scmagazineuk.com/paying-off-your-security-debts/article/248652/

And/or obtain Ollie’s paper here: http://www.recx.co.uk/papers.php

 

 

An Idiot Abroad:  – Don Bailey – (Capitol Hill Consultants)

Many people know Don from his work in unlocking a Subaru and starting it engine, with an Android Phone (read more).

In “An Idiot Abroad”, Don demonstrated how the components at the core of traffic control systems, IP cameras, security access units, and electrical control systems, are all affected by security weaknesses. He showed how patterns can be detected in firmware, which allow attackers to find vulnerabilities and critical sections of code quickly and efficiently.

Don’s area of focus seems to highlight that people are working on systems, often deployed in public places, where security hasn’t been a strong consideration in the design.  He pretty much answers the question of “who would want to do that?”.

 

 

Hacking and Forensics on the Go:  (Prof. Philip Polstra – Hacker in Residence at University of Dubuque)

Phil introduced “The Deck”, a BeagleBoard configured for hacking and forensics on the go.  The Deck runs an Ubuntu-based linux OS with many of the tools from Backtrack also present, including: wireshark, Metasploit (complete with backend database), Jack the Ripper, remote access tools, nmap, and wifi tools.  The Deck is small, lightweight and doesn’t demand much power, perfect for more covert operation.

Many people left Philips talk discussing the potential for creating or extending devices such as those discussed in Daniel and Glens talk (above) and deploying these data collection devices using RC and/or UAV’s.  This sort of deployment neatly defeats a number of physical controls, such as high fences with barbed wire.  Of course, there are many less ‘black hat’ applications possible. As a keen skier, I like the idea of using the heads-up SDK for the Recon goggles and adding a twitter feed, a geographical map of where my buddies are, which restaurants have the shortest queue etc.

 

 

2012 in review: Tor and the censorship arms race: (Runa Sandvik – The Tor Project)

Provided an overview of Tor and showed how/where it was getting blocked. Runa described the cat and mouse tactics of seeing the Tor block, then updating Tor to by-pass the blocks.  For me, the most interesting Tor block was in Ethiopia. At first glance I wondered why Ethiopia would be interested in blocking Tor, until Runa explained the business relationships between China and Ethiopia.

With censorship/restriction very much in the news (Arab Spring, London Riots 2011), I found this both timely and informative.

Slides available here: http://encrypted.cc/44con-2012-09-07.pdf

 

 

IPS Reconnaissance and Enumeration – false positive (ab)use:  ( Arron Finnon – activityim.com)

Arron has been working on IDS and IPS evasion for a number of years and this year looked at using false positives for enumerating infrastructure. As his abstract states “the very reaction to a “False Positive” in the first place may very well reveal more detailed information about defences than you might well think.”

He goes on to state “With a simple crafted email it is possible to tell that clamAV is running on a mail server, or a  simple fake URL parameter could well inform you that SNORT is defending a web application”

Arron is an expert in this field so worth tracking down if you’re working on IPS/IDS solutions.  He’s incredibly approachable and collaborative.

 

 

Malware Analysis as a Hobby: (Michael Boman and Siavosh Zarrasvand)

“How can one with limited time and budget create an environment that analyses suspected sites and software for malicious behavoir  at speed?”.  As a father of 5, Michael wanted to see how one could simplify the process and make it accessible to the masses.

“I collect malware like stamps with detailed analysis on their behaviour and where they were first seen, where they have been seen and if any sample is more spread then others. I do this on a near non-existent budget (I quit smoking and now spend that money on hardware instead) with almost non-existent time. If I can accomplish this kind of work under those circumstances, how can a well-founded organization go from here”

Chatting over a drink, Michael explained that his goal is to make a low cost device available to the masses (he’s not in this for profit though).  My data-geek nature instantly wondered what interesting relationships and predictions might be observed from taking the output of such malware analysis and turning the data over to Kaggle.com to see what predictions could be made (Kaggle host data science competitions).

 

 

I’m the guy your CSO warned you about: (Gavin Ewan – Student at University of Abertay)

I have a conflict of interest here, I’m incredibly interested in Psychology in relation to social engineering so I usually make a b-line to watch Gavin talk.  I first saw Gavin Ewan speak at BSides London, where he gave a fabulous presentation titled ‘A salesmans guide to social engineering’. It’s available on YouTube and well worth watching, if only for his comedic genius.

At 44Con he gave another superb talk looking at what tools a hypothetical bad guy (or gal) could use against an organization. The aim of this talk is to raise awareness of how much damage a bad guy can do with only a handful of tools and an internet connection, social engineering for the modern age.

 

 

Securing the Internet: YOU’re doing it wrong (An INFOSEC Intervention):  (Jayson Street – CIO Stratagem 1 Solutions)

Finally, Jayson Street gave a passionate talk about the state of the security community, encouraging new blood to get involved and for old blood to leave their ego’s at the door.  His point (or my interpretation of it) is largely that some of “InfoSec rock stars” are quick to shoot down new contributors to the security community, ultimately stifling the sharing of ideas and information.

Jayson then ‘walked the talk’ so to speak, by talking to more people than most.  His “Awkward Hug” initiative really captured the imagination of Con-goers; even palace guards couldn’t escape one.  While it may seem whimsical, it really seems to send out a fun and positive message.

 

Talks I didn’t get to see, but heard good things about.

 

I’m sure I’ll hear of more.

 

 

Conclusions

My biggest take-way was that the ubiquity of lightweight, portable devices, coupled with the ease of deploying them makes all manner of enumeration and analysis more pervasive and more discreet. Whether it’s in relation to Daniel and Glenns talk or in Malware Analysis, it’s clear that the future is small, powerful and easy to hide. If I think about my interest in psychology and Gavin Ewan’s talk, it looks like momentum and research is building in-relation to layer 8 attacks, with these small, portable devices being the perfect (if spooky) accompaniment.

 

Finally, finding ways to get what you really want out of the data will likely be an increasing skillset for security pro’s and in one field at least, is something the guys at Paterva (Maltego) have been working on for a long time at an accessible price. It’s encouraging to see the fields of security and data science grow as they are doing.

 

 

Note: For those looking at the Carbon Black demo on the USB wrist band, it seems that it didn’t include a couple of useful PDF files on there. Visit this link http://44con.com/2012/09/10/44con-usb-carbon-black-404/#more to read more.