FishermansEnemy

Musings of an infosec nerd


My first BruCON experience

  •   Fri 23 September 2011
  •   InfoSec

I've been back from BruCON for a couple of days now so I think it's about time I put my thoughts in order and write up my experience of going to this awesome event.

After playing musical platforms at Brussels airport train station and finally getting to the hotel at about 22:00, most people would probably hit the sack to make sure they are bright eyed and bushy tailed for the high technology to follow the next day. Not the BruCON crowd however. I arrived too late to make it to sushicon at the Kabuki Japanese restaurant, but a quick check of the #brucon hashtag on Twitter and the horde was located in the Delirium cafe in central Brussels. A couple of us were checking in at the same time so we left the hotel together and braved the Brussels public transport system. This Sunday was a little special in Brussels as it was the annual "No Car Day" where cars are banned from the city and public transport is free. The Brussels public transport system isn't the easiest in the world to understand, but at least we didn't have to figure out what ticket to buy, and Google Maps told us what stations and stops we needed. Onwards!

After getting off the tram we made our way to Delirium to try and find the hackers. Normally this wouldn't be hard as we are quite a unique bunch, however your standard Brussels pub goer tends to be of the dressed-in-black-with-lots-of-tattoos variety, at least where we ended up. Luckily for us I spotted the distinctive beard of @BaconZombie at the bar, and from there we were good to go. Now, here are some tips for anyone doing this next year. Number one, stick to the "lighter" Belgian ales that are less than 5%. Number two, if you fail number one then at least don't drink the stronger ones out of a glass boot. Number three, if numbers one and two have gone by the wayside then at least don't do number two twice. Finally, although hanging round with Jimmy Blake, Dan Kaminsky, BaconZombie (I never did get his real name) and a bunch of other hackers in what came to be called #beardcon is a lot of fun, perhaps staying out until 4am isn't the best idea in the world, even if you do end up hugging Dan Kaminsky. Also, normal people go to these pubs as well and when they ask you why you are here, they tend to take it badly when you point out that the crowd you are with is here for a week-long hacking conference.

A couple of hours sleep later and I am on the bus to the con, thankful that transport has been provided and I can postpone thinking about stuff for a little while longer. Another tip: Brussels traffic is insane and if you can avoid driving I recommend it. The Belgian highway code seems to be a document that not many people have actually read. Thankfully, if you do need to get around, the public transport system is quite good, and there is a train from the Gare Du Midi, where the hotel is, to Etterbeek station just outside the event. Registration went quite fast and I picked up my active RFID badge and headed downstairs for 0xCOFFEE and pastries. Feeling more human, it was time to head upstairs for the keynote. At this point it is probably worth pointing out another tip: the workshop tracks have to be booked in advance if you would like to attend them. I don't know if there was supposed to be an email going out to attendees about this but I never got one, so when Saturday came round and I looked at the website to plan my event I found that most of the workshops were already full. Because of this I missed out on the Lockpicking workshop by TOOOL NL and the web application hacking toolchain by Jason Haddix.

Although this was a pain, it was actually helpful in the end, as in my rush to get the bus I had left my painkillers at the hotel, and the one or two cracked ribs that I am nursing from a cycling accident last week were starting to become a problem I couldn't ignore. I headed back to the hotel by train and picked them up, along with some Red Bull, and was back in time for the end of lunch.

After lunch came the lightning talks for day one. Anyone can talk about anything they like, with or without slides, for 5 minutes. There were quite a few takers, including how to pick up chicks at the after party, featuring WickedClown and BaconZombie as test subjects. This was basically a primer on social engineering techniques. If I manage to get to BruCON next year then I will definitely think about doing some of my own research and presenting it on stage. It is a great opportunity to practice your public speaking.

After the lightning talks came the first workshop that I had signed up for. Now, this is probably my only complaint about the conference so far. The workshop was titled "Hacking your conference badge - Open AMD" and was by the people who were running the conference RFID tracking system and built the conference badges. As this was the only information available I went along with @ydoow expecting this to be a hands-on workshop where we could mod our badges and do some cool hardware hacking. It wasn't. It was a 15-minute description and an hour and a half lecture on the impact of positional tracking on privacy. Now, this is a subject that I am interested in, however none of us had any reason to expect that this was the nature of the workshop, and if I had known I would have probably gone to see the presentations on the main track instead, or done the WiFi malware workshop.

Workshop over, and it was time to get some dinner. It was a bit of a crush in the food lines, but there was a nice choice of different pasta to fuel you through the conference. There were plenty of drinks on offer to keep you hydrated and I decided to stay away from the beer and drink the Club-Mate instead. If you've never tried it then you should take the opportunity if it comes up. It's a naturally caffeinated iced tea type drink made from a South American plant and the hacker con beverage of choice. At 20mg/100ml it's about 2/3 the strength of Red Bull but is much lower in sugar, and the natural caffeine is much easier on the metabolism than the extracted stuff in other energy drinks.

After dinner it was time for "Pentesting high security environments" by Joe McCray and Chris Gates. A great talk about the dreaded APT and how current pen testing techniques are not going to protect you if someone is out to get you. Look for the video when it's posted up, this is well worth watching.

The final presentation of the day was one that really hit home with me. This was "Abusing locality in shared hosting environments", a talk about how shared web hosting services expose all of the customer sites hosted on the same server to each other. It boils down to the fact that each server may be hosting several hundred sites on the same OS and software. Even though file system permissions are in place to stop customers from reading and writing in each other's areas, the software that runs the web apps, like PHP, uses a shared resource and a single account to maintain state information. You can exploit this as you are able to read other sites' session data and force them to use state data that you have written to the shared store to authenticate you on their site. This also allows you to elevate privileges. I am now looking at how much it will cost to move fishermansenemy.com to a dedicated host so I don't have to worry about the 1300 other sites on this server coming after me!
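To make the shared-session-store problem above concrete from the defender's side, here is an added PHP example (my own illustration, not code from the talk, the blog or any hosting provider). It audits where this site's PHP sessions are being written, and shows the hardened settings: a session directory inside the site's own tree with a restrictive mode, plus strict session id handling so the application refuses to adopt a session id it did not issue. The paths are hypothetical placeholders and the code assumes PHP 8.0 or later.

```php
<?php
// Added example, not from the original post. Defensive audit of the PHP session
// store on a shared host. If session.save_path is left at the system default
// (typically /tmp) and every customer's PHP runs under one account, session
// files are readable and writable across sites. Paths here are hypothetical.

declare(strict_types=1);

/**
 * Return a list of findings about the configured session store.
 * An empty list means nothing suspicious was detected.
 */
function sessionStoreFindings(string $savePath, string $siteRoot): array
{
    $findings = [];

    // Empty means "use the system default", which is the shared /tmp on most hosts.
    if ($savePath === '' || $savePath === '/tmp' || $savePath === '/var/lib/php/sessions') {
        $findings[] = "session.save_path is the shared system default ('$savePath')";
    }

    // PHP accepts the "N;MODE;/path" form; keep only the directory component.
    $dir = $savePath;
    if (str_contains($savePath, ';')) {
        $parts = explode(';', $savePath);
        $dir = end($parts);
    }

    $realDir = realpath($dir);
    $realRoot = realpath($siteRoot);
    if ($realDir === false) {
        $findings[] = "session directory does not exist: $dir";
        return $findings;
    }
    if ($realRoot === false || !str_starts_with($realDir, $realRoot . DIRECTORY_SEPARATOR)) {
        $findings[] = "session directory $realDir is outside this site's own tree";
    }

    // Anything beyond owner-only access lets other local accounts read session files.
    $mode = fileperms($realDir) & 0777;
    if ($mode & 0077) {
        $findings[] = sprintf('session directory is group/world accessible (mode %04o)', $mode);
    }

    return $findings;
}

/**
 * Point this site at a private session directory and start the session with
 * settings that reject client-supplied session ids.
 */
function usePrivateSessionStore(string $siteRoot): void
{
    $dir = $siteRoot . '/private/sessions';   // hypothetical path outside the document root
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    ini_set('session.save_path', $dir);
    // use_strict_mode makes PHP discard an uninitialised id sent by the client
    // instead of creating a session under it, which is the "state you have
    // written to the shared store" half of the attack described in the talk.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Example run (hypothetical site root).
$siteRoot = '/home/example-site';
usePrivateSessionStore($siteRoot);
print_r(sessionStoreFindings(ini_get('session.save_path'), $siteRoot));
```

The caveat a practitioner will spot straight away: a private `session.save_path` and a `0700` directory only isolate anything if PHP for this site runs as this site's own account (for example a dedicated PHP-FPM pool per customer). Where the provider runs every customer under a single account, as the talk describes, the mode check above will pass and yet every other tenant's code can still read the directory; that is a hosting-side control, which is why moving to a host with per-customer process isolation (or a dedicated server) is the real fix rather than anything the application can set for itself.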

That was it for day one, a lot of people went off to the IOActive after party at the Havana Club, but I needed my sleep so decided to call it a day. Reports from the party goers were that it was "off the hook", and from the videos I saw ("Dan Kaminsky doing the Dan Kaminsky dance") I agree with them! If I manage to get there next year I'll pace myself a bit better on day one so I've got the energy to make it.

Day 2

Waiting in the hotel lobby on day 2 you can tell by those that have got up in time for the bus that the party the night before was quite the event. There were a few faces missing but most people made it to the first presentation and day 2 started with a bang. Ian Amit started off day 2 with "Pushing in, leaving a present and pulling out without anybody noticing", a great talk about data exfiltration techniques where traditional methods of getting your data out are not available. The lesson that I took away from this was that if an attacker gets in then all the DLP in the world won't stop your data leaving. My favourite techniques were encrypting the data and printing it out on an internal printer, then waiting for the "corrupted prints" to be thrown out and simply lifting them from the dumpster; taking over an MFD and faxing the data out via the PSTN; and my number one favourite, converting the data to a sound file with a script written by Ian and then phoning it out to a Google Voice mailbox, or an answerphone that the attacker controls. Proper bad ass spy stuff!

Next talk was a history of botnets and how they are using browsers for C&C and information stealing, by Aditya K Sood. I won't try and summarise it here as I would not be able to do it justice, however it is well worth watching when the video is available.

Time for lunch, and I found myself eating a hotdog with @ydoow, @digininja, Chris John Riley, Dan Kaminsky and a few others. We ended up talking about the breaking news that researchers were going to announce at a security conference in Buenos Aires next week that they had a practical attack on SSL and TLS v1.1 and below. After a lot of back and forth Dan came up with a convincing technique that they might be using, I am eagerly awaiting the announcement to see how close we were to the actual attack. This was one of the highlights of the conference for me as you hardly ever get to talk shop like that with the luminaries of the security profession and get to take part in the kind of brainstorming from which cool new hacks are born. I could do that all day.

After lunch we had a great introduction to Social Engineering and becoming a human lie detector by Dale Pearson. Again I won't try and summarise here as Dale did a stand up job of explaining this subject, and you should check out the video when it becomes available. After Dale we had Jack Jones talking about myth busting the notions that most of us have about Risk Management. Once again I could not do this justice on here, but Jack did a great job of explaining exactly why what we think of as impossibilities in properly measuring risk are really not, and that we can do a proper measured analysis of risk and use it to drive action in the organisations that we work in. WATCH IT.

The last presentation of the conference was Alexander Polyakov and Dmitry Chastuhin discussing vulnerabilities in the SAP J2EE Engine. This was interesting to me as my company uses a lot of SAP and the Java J2EE engine is something I have never had a chance to get into. The technical content was great, and the slides mixed humour and data in the way you come to expect from these conferences. The only let down was that the speakers did not seem to be well prepared and the demos didn't work at all. A little more polish and preparation would have made all the difference.

This closed out day 2 for me as I had a flight booked back that night, so my last tip would be to stay over the night of the last day if you can, to make sure you can get to all of the presentations. I missed out on the lightning talks on day 2, which was a shame as I really wanted to see Tomasz Miklas talk about SPAM pinning, and the 99 cent heart surgeon dilemma by Stefan Friedli.

My first experience of BruCON is one that I will always remember, and I cannot stress how valuable it was to be able to socialise and talk with all of the infosec superstars that you normally only get to interact with over Twitter. Hopefully I'll see you there next year, and if you're in the UK you should check out BSides London 2012 coming up next April.

About
The personal blog of a UK based penetration tester