Saturday, 4 June 2011

Confidence Cracow 2011, pictures, slides and experience

Update 13/06/2011: Replaced "this guy" by "Kacper Szcześniak", I was given his name today, thanks Marek!

NOTE: Thank you to the Confidence team for letting me link to many of their images directly. Please note that there are more photos than I can use in a blog post, for the full listing of official photos please click here (I think there are even more pictures here). And most slides have already been published here (slides are also referenced below on each talk summary, but only the slides to talks I attended are there).
NOTE 2: If you see any mistake or have more info on anything please let me know and I will try to update the blog post. Thank you.
So .. the time arrived and Confidence 2011 Kraków (in Cracow, Poland) started on the 24th of May 2011. I was at this conference a couple of years back in Confidence 2009 Warsaw, which was pretty cool too.
The first thing that impressed me was the venue itself:
And when I entered the venue, just prior to registration I found this funny poster right before the main entrance:
Then at registration they gave us this cool booklet with a couple of snort toys:
The booklet also contained the map of the venue, very handy :)
Because we arrived a bit earlier we started to mess around in the venue, which was really equipped with plenty of food (apart from lunch later on -for those that paid for it-):
There were also 3 consoles, a Nintendo, a Sony (ahem, ahem :)) and something else I do not remember the name about. Basically we could play (from right to left):
Monitor 1 - Mortal Kombat: since I am not a gamer I tried choosing the hot chicks to distract the oponents but after a round or two they got used to it and beat me anyways :).
Monitor 2 - I think this was the Nintendo because people had to move crazily with the controls :)
Monitor 3 - This was a "guitar" for one player and drums for another
The are some pics of the consoles here (you can see even staff and penguins got addicted!):
But most importantly the booklet also contained the schedule!. Let's get started .. Day 1
Day 1 started with Deviant Ollam and Babak Javadi with the talk "Your Network Security Starts at Layer Zero"
The slides are now available here. This talk was obviously about lockpicking, they talked at how weak most locks are and how easy they are to pick, we experienced ourselves that this was not as easy as it may seem for a novice and requires some skill at the lock picking village later, however with some patience we finished opening a lot of stuff (more on this later!) :).
Obviously the point of the talk was basically that no matter what your network security controls are, you can never forget physical security: physical security tends to be the weakest link, people just forget about it or make mistakes that have a high impact like using poor locks or like on one of their slides ... to hold the lock together with the lid with a few screws that can be taken away in a couple of seconds! :P.
Now comes the moment where I cannot do justice to everybody: It is a conference, there is a lot of cool stuff going on and I have to choose one track or the other, this made me miss plenty of cool talks but I catched up with some of the speakers that I missed later on :).
I went for the talk by Raoul Chiesa: "The Son of Stuxnet aka 'the very next scenarios'" here is a picture of him at that talk:
You can tell he was making a lot of jokes here:
The slides are now available here. This talk was really interesting, it was about the milestone Stuxnet has set: Now governments know it is possible, they can spend a lot less money to hack into the critical infrastructure or nuclear plant of an enemy nation (compared to purchasing tanks, missiles, heavy artillery, finance a military operation or a war and train and equip soldiers, etc) and most importantly they can deny what happened later.
During the Lunch break Raoul Chiesa and Michele Orru were very approachable and nice to everybody:
Also during the Lunch break Travis Goodspeed was kind enough to show me some of his research on wireless pace-makers and wireless electronic voting devices for students. After thinking about this for a while (basically plenty of this research is focused on tampering with the wireless protocols themselves) I asked why is crypto signing not used since that would defeat the tampering (if properly implemented) and he said there is just not enough processing power at the moment in these small devices (it is all based on shared secrets and stuff like that, he can reverse engineer the secret from the chip using some chemicals to open the chip sometimes and it all goes downhill from there).
After the lunch break there were the lighting talks and a discussion panel. I went to the lock picking village at that time but I later on (on the Chill out party, this is why I know this) met Kacper Szcześniak who found a zero day in Gadu Gadu (Polish equivalent to Skype) with pretty serious security implications and did a lighting talk about it, I cannot find his name or his slides but here is his picture. I will update this blog post if someone lets me know these details:
So, at this time I was at ... yes at the lock picking village! trying to get those locks open, I managed to open the progressive locks 1 to 5, had issues with 6 which I think I did not open in the end.
This is only a small subset of all the lock picking gear that was around:
You can see us all n00bs trying to learn what lock picking is about here:
Later on during the conference there was the Gringo Warrior competition, which I sadly missed because I was attending some talk at the time, I think. I post some cool pictures here since this is related to lock picking:
Off course the person who ended up winning Gringo Warrior was ... Renderman!
Eventually we used my lock picking set from BSides London to open the hostel door, this was tricky because you actually had to pick the door twice as the key required 2 turns :). The photographer was nice enough to take a picture of us poor lock picking n00bs to celebrate the hostel door opening challenge, which I happened to win (even though I did not open some locks others managed to open, it's weird!). On my left hand the culprit basic lock picking set I won at BSides London:
I have to be honest here: when we really needed to open the hostel door (i.e. when lock picking would have really been useful) and I tried to pick the lock again the lock got stuck in the first turn and we had trouble to open the door even when we finally got the key!. Bottom line: Do not do this with your home lock!
ok, after the lock picking village after lunch I think they changed the schedule and I really went to Andreas Bogk's talk: "The Future of Defense: Why we will have more secure computers - tomorrow". I tried hard but I could not find any picture of this guy from the photographer so I will put his picture from the bio page:
The slides are here. I found this talk extremely theoretical and clearly coming from a person heavily involved in traditional security (buffer overflows, heap overflows and stuff like that). I understood what he meant: that we can make it much harder to write vulnerable code and in fact, we have already done some progress with programming languages that are not vulnerable to buffer overflows by design like C# and other similar initiatives. But as complexity explodes in the web my opinion is that vulnerabilities (specially subtle ones like UI redressing and similar tricks that chain smaller vulnerabilities) are only going to increase. We could however apply many of the concepts in this talk to make the platforms and frameworks force the developers to write secure code by default and make it as hard as possible to write insecure code. Even then, small things like validating URL access according to complex business logic rules are hard to build into any framework or platform and will eventually be coded by hand... and inevitably ... every time a developer takes a security decision there is risk ... :)
I could obviously not miss Mario Heiderich's talk (this guy is a freak! ;)): "The forbidden image - Security impact of Scalable Vector Graphics on the WWW". This talk basically took my blog post "XSS myths: input validation is not enough!" to a whole new level and demonstrated with practical examples how attack vectors increase amazingly with the complexity we insist in pushing into the web. Here is a picture of Mario at the talk:
The slides are here. This talk was truly interesting to me as it may open some doors in future web application penetration tests :). An incredible eye-opener of cutting-edge research of the kind that only people of Mario's or Gareth Heyes' calibre can put together (seriously). Plenty of cool demos, nice explanations, etc. SVG is basically a vector-based image format that can be represented in HTML but ... it can also contain JavaScript code in a number of different ways ... slacker style ;). SVG seems particularly attractive to use to bypass XSS filters and perhaps even in some file upload variants to get JavaScript to execute and get an XSS where there would otherwise not be any.
We later joked with Mario after his talk that his SVG talk "invalidated" Andreas' talk in that the security implications of new technologies are only discovered too late, when things are already deployed, standard, etc. :). The SVG talk was very scary and really proved that imagination is the only limit for new attack vectors. It looks like when you create a new technology (such as SVG) and put it together so that it interacts with existing technologies (like HTML) the security consequences are unpredictable during design and deployment but eventually researched and discovered :).
Bottom line: Complexity means that there are too many combinations to take into account and security will likely fall through the cracks.
The latest talk I attended on Day 1 was by Jim Geovedi and Raoul Chiesa, it was called "Hacking a bird in the Sky: The Revenge of Angry Birds". Here is a picture of them:
The slides are here. This talk had nothing to do with "Angry Birds" the game and all to do with Satellite Hacking. It basically explained that in nations like Indonesia (where Jim is from) that are composed of a multitude of islands satellite communications are simply the only affordable way to do certain things like ATM transactions and other sensitive things. Furthermore, because satellite communications have a high latency some implementations even turned encryption off because otherwise the latency was "just too high", the security implications of this are obvious and Jim went on to explain what he found in a very interesting security test that involved satellite hacking.
End of Day 1!
What about the after-party you ask? These guys were the kings of the party :)
(As mentioned initially there are more pictures here)
Time for Day 2!
I started the day going to the talk by Marcus Niemietz: UI Redressing: Attacks and Countermeasures Revisited. My poor Polish skills immediately identified something odd going on in the name: "Marcus" seemed German to me (Marek is the Polish equivalent) but "Niemietz" seemed Polish to do something with "German". Later on a native Polish attendant who also happened to know this guy told me that it is an interesting situation: He is German, lives in Germany, but his mother is Polish and his Surname means that he is German in Polish :). I got a chance to talk to him later and he confirmed, that's awesome man! :). Here is a picture of him at the talk:
The slides are here. This talk was a very nice summary on what UI redressing is and perhaps most importantly very practical with lots of demos to show what he was talking about (UI redressing is something you have to see to understand what is going on sometimes ;)). There was a cool phishing demo he had but he did not want to push it too much :).
Anyhow, very cool UI summary with special corner cases that may be useful whenever you pen test a rich application that takes HTML from a source you control.
After that I went to Alexey Sintsov's talk: "DNS for evil". Here is a picture of him:
There are currently no slides on the conference page for this talk :(. I really enjoyed this talk, he talked about a very special pen test he had to carry out where the workstations could not directly connect to the internet: They could not browse to websites, but they could receive email and resolve domain names (however, they did not need to resolve domain names!). His challenge was something I can relate to: security tools tend to suck a lot: they crash, lack the option you need and in the end you always find cases where you have to write your own script to do something you feel the tool should be able to do :).
Alexey, in the scenario he had, chose Email to deliver the attack and DNS tunneling to get connectivity to the compromised machines: basically he tried to use the existing freely available DNS tools without success: as usual, they were crappy, crashed, slow, unreliable. So he went on and wrote his own protocol!. Yes: he went ahead and created a C&C server and Bot client code, his protocol was built to use IPv6 and he used DNS queries to resolve names instead of TXT records (can't remember the reason).
Although the slides are not available yet, the following materials are available:
- C&C server plus bot code (he tweeted this himself)
After Alexey's awesome talk I went to Michele Orru's talk: "Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF", here is a picture of him at the talk:
The slides are available here. This talk was truly outstanding, apart from all the "not for vegetarians" jokes in the middle of it which were very funny (to me), the talk showed the direction BeEF is taking:
- How it has improved a lot after the port from PHP to Ruby
- How there is even more eye-candy now
- How you can now even pivot from the browser itself to attack other resources in the network
- How more and more attacks are being automated
- More metasploit integration, etc
At the lunch break we could see Jim and Michele having fun :)
After the lunch-break as a converted fan that has followed slakers for a few years I of course had to go to Mario's talk again: "Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS". It is important to note here that Mario was the only speaker that spoke twice on his own at the conference because he just rocks like that ;) -Raoul also spoke twice but once it was with Jim-. Here is another picture of him from a bit further away that shows how just much work went into this conference taking the time to even do this graffiti on the walls:
More graffiti work:
There are currently no slides for this talk. In this talk Mario proposed a solution to the XSS problem, basically he went on to show that a solution on the server side will never fully work because it cannot see -for example- some DOM XSS attacks, a solution on the browser side will not fully work because it has no way to know -for example- about Stored XSS. So he suggested that the solution should be in the DOM itself, at the DOM-level he can intercept most dangerous event calls and stop them before they can do any harm. He said that the solution is still a prototype and has a couple of weaknesses but for the most part is pretty solid. He needs support from the browser vendors so that they push for a standard that limits these weaknesses and then the XSS problem could be solved!.
Afterwards, I went to Krzysztof Konkowski's talk: "IPv6 Security demonstration", here is a picture of him:
No slides available at the moment for this talk. I felt so sorry for this guy, he had so much more kung-fu in him but over-relied on his skills and the demo-gods failed him ... he basically had something like 8 IPv6 security demos, but in the first demo a few things went wrong so it took a while until he figured out what was going on and fixed it, then somehow, he managed to finish until demo 4 mostly ok, but then he ran into another tough issue and mostly ran out of time.
I have heard this from pro speakers a few times: you have to have a recorded video just in case the demo fails. Some speakers, like for example, Wicked Clown at BSides London, had the demo completely recorded, I think that is a significant advantage not only because the demo should work (i.e. you only need to play a video and do not even need network connectivity for that) but most importantly because the speaker can then focus and calmly explain everything as the demo moves along.
If you attended this talk, you could see this guy knew what he was talking about: he was using scapy like I would use a fork at lunch :). He could basically forge packets to demonstrate things very quickly and even improvise pretty well when things went wrong, not only that but also to explain why it did go wrong, etc.
For that reason, I think this guy could have done much better with the knowledge and experience he had and I am sorry the demo gods failed him, we -all the attendants- missed so much because of it. He tried to compensate by saying that he would stay for those who would want to remain at Track 2 in the audience and keep going and answer questions, which was very cool of him.
He put together a lot of hardware equipment I think he had 3 laptops and 3 cisco routers, he explained the weaknesses of IPv6, how router ACLs that should work do not work in IPv6 unless you do certain things and a couple of attacks against Router Advertisements if I recall correctly.
Finally there was Travis Goodspeed's talk: "Practical attacks on the Freescale MC13224 ZigBee SoP":
The slides are available here. This was just ridiculous, the reverse-engineering skills of this guy are just over the roof, he just melted a chip to see how it was built, learned how it worked, assembled it on his own little motherboard, figured out how to unlock memory so that it could be read and reverse engineered the whole deal. You have to look at the slides to see the pictures of chips corroded by acid and how he did the whole thing, it is very impressive :).
After this talk were the conference prizes, some were chosen at random:
Slawomir Jabs from the Confidence crew showing the prizes available:
And the winners!!:
Yes .. female attendants .. they do exist! :)
Other curiosities:
Sandy Clark (pictured) showed me a truly awesome pro lock picking set during Deviant's talk (I was sitting pretty close to her), I was impressed! where do you get those? :P
She was also apparently in pretty good shape!
This German guy was pretty cool, I did not participate in the CTF but he did. Basically nobody could p0wn the vulnerable HP web server during the whole conference. From what this guy told me he tried I am pretty sure SSH password cracking or downloading and reviewing the potential web app open source component for more direct vulnerabilities than XSS might have been the only ways in.
This is the guy from HP, the server that left the con without being hacked, unlike most other conference Polish people -who spoke English so that everybody could understand-, this person would only speak Polish so you could see all the non-polish speaking folks -like me- asking the polish guy beside them: "what did he say?" :)
True portrayal of the grill outcome .... :)
This guy's hat was awesome:
I owe this guy a beer:
I was told Renderman was so flexible that he could move his hands from his back to the front over his head without any apparent effort!. Renderman personally told me the kilt he was wearing was the result of a bet but he did not get into details :).
These folks were pretty cool and some of them participated in our hostel door lock picking competition -which I won so they owe me a beer ;)--
Finally the Confidence crew were so kind that they pasted the Chill out venue details on their backs so that we did not get lost:
Other blog posts:
- SecuriTeam (Noam attended some talks I didn't)