For the first time I have been to the BruCON security conference. And it was great! It's a small nice conference with a lot of nerds. I was feeling at home! And it was in Gent, a really nice and old city in Belgium. The slogan for this year was hacking for b33r, and that's really the idea for the two day's. During the conference you had the talks, workshops and a room with different activities (IoT room). And last but not least, a retro gaming room! I played Duck Hunt again!
The waiting line for most workshops was not too bad, but next year I have to sign in for workshops before the conference starts. The conference has a subscription for workshops and on paper they were all fully booked. If you want to join, you have to wait in line if there any places available. All the workshops I wanted to participate, was not full at all.
Workshop: Analyzing Malicious Office Documents
Microsoft Office is not really my cup of tea. I'm a LaTeX fan and for my calculation needs I usually use a database. That's all the office I need. However it's always good to look at the dark site. And it really was a look at the dark side of Microsoft Office documents.
Didier Stevens was giving the workshop and he has a lot of experience with analzsing office documents. He developed some tools (oledump) to analzse documents. It is really suprising how the file structure works and what other code could be put into documents! I was really suprised! Even compiled code is found in documents. You really have no control over the code in documents.
Workshop: Hunting Malware with osquery at scale
How does Facebook handle all their servers? Do they really log into every server and look for abnormalities? The answer is no. They had some trouble managing that lot of servers, so they developed osquery. The interface is really like sqlite, but your fire your queries over the server data. You can query during your search for malware and files. Really cool!
The workshop was given by Nick Anderson, Jackie Bow and Erik Waher, all from Facebook. At the start of the workshop, they had some problems setting up the lab, but the idea is clear. Send all the data to a central collector and you got yourself a perfect setup for finding problems in your servers. A side note, it's really in development. There are some problems and the Windows version is still missing a lot of features. But the project is promising! One way of investigate every OS. I really have to play with this!
Workshop: 802.11 Leakage: How passive interception leads to active exploitation
The workshop I was waiting for! I already played with collecting SSID broadcasts from wireless devices. So I was really curious what Solomon Sonya could tell about it and how he did it! Wireless devices don't 'just' connect to a wireless network. They jell around names of networks they want to connect to and a base station is answering this call. If you collect this information...
He developed a system with collectors and dashboards to visualize people walking around with their mobile devices. It is called Project Theia. The collector collects the broadcasted SSID and power of the device and the location (GPS) of the collector. You can send it to a central management server where the data will be enriched by other meta-data. For example, you could look up de SSID in the online Wigle database. Collecting information about a person gives you an idea where that person will live or work. An other option is to connect different collectors together on different places. You can triangulate the persons his position and follow him during his walk. This will take some more work to set up, but it's really possible.
You will end up with the information of somebody where he is working, living, visiting and how he is walking. Just from collecting some radio waves. Pretty scary, but also really nice!
Talk: New Adventures in Active Defense, Offensive Countermeasures and Hacking Back
Last was something I really like. Countermeasures! And this was a really cool way of 'hacking back'. John Strand of Black Hills Information Security was giving a nice presentation which can be found on the BruCON site. Hacking back is very effective, but not always legally accepted.
Bottom line of his talk is that, despite all the costs and effort put into security, we all are walking far behind. So may be we don't have to secure our self, but frustrate the attackers. Try to keep them busy so they can't attack other people. They made some software for this purpose, ADHD. You can find the documentation on there github site. But some of them I want to mention:
- Cowrie, SSH honeypot written in Python
- Honey Badger, collect geo information about your visitors
- Weblabyrinth, a website which will fill up attackers disk space
Go play with it, it's really cool! But start with a clean virtual, only for ADHD if you are using there installer. It's really not a clean installer. However fun to play with!