BSides Manchester 2016
BSides Manchester is in its third year and they very kindly invited me back to be the MC for track 1.
I drove up to Manchester the night before. It was an uneventful trip, barring the usual average speed cameras on the M1 and the roadworks on the M6.
I’ve clocked up a fair amount of motorway miles these last couple of weeks, having been in the Scottish Highlands a week ago. During this time, I’ve discovered one of life’s biggest annoyances. Truck drivers who decide to overtake another truck when they are only going 2mph faster than the truck they are deciding to pass. This clogs up two lanes of the motorway for at least 5 miles as one truck slowly inches its way ahead of another.
Truck drivers aside, BsidesMCR is unique in being the only Bsides I attend that doesn’t coincide with another conference. This means there’s no running between venues and no looking for people at the wrong event.
Track 1 was my home for the day and I settled in by honouring the BsidesMCR tradition of taking a selfie. Unfortunately, most attendees were in track 2 so it was a largely empty room. But still, traditions are traditions and must be upheld.
But it wasn’t all about selfies, I got to meet many excellent friends and peers. I won’t even try to name everyone, but it was a pleasure to meet everyone there.
And now onto the talks – given that I was in track 1 all day, it only makes sense that I summarise them all. Which reminds me – a great chap named Cooper drove all the way from Holland / Belgium? (Somewhere in Europe) with all his recording equipment to film all the talks. At the conclusion of Bsides, he was set to drive back home, only to get packed to fly off to another conference! Sounds crazy – but totally appreciated. Look out for the talks being made available at some time in the near future on the BsidesMCR website.
Talk 1: Gavin Millard
Breaking out of the echo chamber
Gavin gave a talk on how to communicate outside of security circles. Illustrating how infosec coverage is common in the media and how vulnerabilities like Heartbleed get their own logo.
Metrics were touted as the universal language that the business spoke, which, in Gavin’s experience was something infosec was terrible at. To illustrate the point, if a marketing manager was asked how many leads they could generate with $1m, a metric-based detailed answer would likely be provided. But if a security executive was asked the same question, it would be unlikely to be equally articulate.
The NIST Cyber Security Framework, SANS top 20 critical controls and other standards were quoted as having good metrics that security teams could use.
“Thanks for the 300 page security report”, Nobody, Ever.
Dashboards was another area Gavin said are often weak. Sharing a mock of a good dashboard, Gavin suggested infographic tools or similar could be used to spruce up dull and difficult-to-read power point presentations.
To conclude, Gavin stated that security professionals should learn to ‘communicate like a suit’.
Talk 2: Ben Turner
21st Century War Stories
Ben is a red teamer, a charismatic speaker, and likeable guy. His talk setup the importance of red-teaming as opposed to simple vulnerability scanning, assurance reviews, or limited-scope penetration tests.
His talk was filled with some great real-life examples which included getting into the core banking system of a bank via an ATM in a mall in the middle east.
Ben spent some time talking through his tools of choice, why reconnaissance up front is perhaps the most important step, and why it’s important to know what the objective is. Stating that popping a shell isn’t the objective. That’s the starting point – the real objective begins after that.
In closing Ben shared a red-team testing tool that he wrote with his colleague Dave Hardy called PoshC2. It’s maintained, free and open source, and I’ll try to carve out some time in the coming weeks to take a closer look at it.
Talk 3: Jerome Smith
From CSV to CMD to qwerty
Jerome was enlisted to do a pen test in a locked down environment. It was so tough, that he wasn’t even allowed to take in his own testing laptop. So he had to McGuyver his way into creating malicious CSV files. But excel generates lots of notifications whenever there is embedded content within a file.
The talk chronicled his journey to crafting better payloads that will run in excel generating little or no warnings.
A very well-presented and engaging talk.
Talk 4: James Kettle
Hunting Asynchronous Vulnerabilities
James is perhaps the only speaker that has presented at BsidesMCR all three years, so he must know his stuff.
It was a very informative talk in which James discussed the invisible attack surface which forms the asynchronous vulnerability world. Asynchronous vulnerabilities are a bit like blind second order injection attacks, in which you get no immediate feedback. That means no error messages, no detectable time delays, and no differences in application output.
All of this makes them very difficult to discover – which, I guess is part of the fun.
The solution to this was to issue a payload that triggers a callback out-of-band from the vulnerable application to an attacker-controlled listener. It does rely on perfectly crafting an exploit.
James also touched upon how Burp Suite has a lot of functionality built in to assist with hunting asynchronous vulnerabilities.
Mind-meltingly good stuff.
Talk 5: Andy Davis & David Clare
Vehicle cyber security & innovation
You didn’t need to be into vehicle security to appreciate this talk by Andy and David. Some proper worrying stuff divulged. Simply looking at the massive attack surface connected road vehicles have is enough to give someone a big case of “nope” and moonwalk right out of there.
The pair talked through their assessment methodology including vmap, which is kind of like nmap, but for vehicles. They showed some videos during their presentation of exploits in action, such as killing the ignition or locking up the steering wheel of a moving car.
Other attack avenues that the duo explored were related to the ECU, USB, video protocols, media protocols, mifi, rear seat entertainment, tyre pressure monitoring system, remote keyless entry, DAB, and GPS.
The talk concluded with some tips as to what needs to be done. These were:
- Greater awareness for manufacturers and developers
- Embedding of cyber security standards into vehicle manufacturing
- Independent security assessment
Talk 6: Ken Munro & Dave Lodge
Hacking a Mitsubishi Outlander. A lesson in automative IoT Security
In the second of two vehicle-related talks. Ken and Dave gave two talks for the price of one.
Part one focussed on the Mitsibishi outlander and the security risks they found, and how they found it.
The pair shared how when they first approached Mitsubishi with their findings, they were dismissed as being of no consequence. However, when the media picked up the story, Mitsubishi quickly reversed their stance and deemed it a serious issue they would fix immediately.
The second part of the talk was around hacking IoT devices. They stated that hacking most IoT devices is like hacking a linux box that hasn’t been updated since the mid 90s with the tools and knowledge from 2016.
They even demonstrated (almost) how they were able to install ransomware on an IoT thermostat.
Talk 7: Richard Crowther
Designing systems to be hard to attack
After a day of mostly breaking talks, the final talk of the day was far more up my street in terms of examining how to design secure systems.
Richard works at the newly-formed National Cyber Security Centre and shared some great insights into how CESG and the Government look to design and architect systems that are more secure.
Ultimately, a lot of the older security principles still apply equally well today as when they were originally published.
Richard spoke about the things that need to get in place first, followed by security architecture design goals such as designing services for easy maintenance without large windows of time where patches can’t be applied. How to reduce the impact of a compromise by segmenting a sercice, anonymising data, and regularly rebuilding core components.
He went on to discuss malware mitigation techniques and secure design principles. Overall a very intellectual talk to end the day on.