Quick impressions from BSides Budapest

Posted by    on   Mar 8, 2017

At Virus Bulletin, we love the BSides concept and we have attended several of the BSides events around the world. So when Peter Karsai, who is soon to join the VB team, offered to write something about his experience at BSides Budapest, we jumped at the chance to publish his post.

 

Growing up in Eastern Europe during the final years of the Soviet bloc, my primary connection to the West was through the VCR: bootlegged Hollywood movies from Germany, copied a hundred times, with ridiculous home-brewed Hungarian voiceover, over German voiceover, over Mr. Miyagi from The Karate Kid. It was our esteemed family VCR that first introduced me to the concept of "economies of scale": when the light fell at the right angle, the built-in display revealed placeholder symbols for functions not available in our entry-level model. I was startled, so my brother took up the duty of explaining that it is often cheaper to produce zillions of the same device and let some functionality lie unused in some of them than it is to manufacture a custom device for individual models. When setup costs are high, producing many of the same brings your per-item costs down. He added that this is called "economies of scale" – because that's exactly the sort of term an eight-year-old finds indispensable in his daily adventures.

 

512px-Vacuum_fluorescent_1.jpg

A vacuum fluorescent display from a typical VCR.
By Atlant assumed (based on copyright claims). [GFDL, CC-BY-SA-3.0 or CC BY 2.5], via Wikimedia Commons

 

Fast forward to 2017 and BSides Budapest, and Tobias Schrödel's presentation on smart device hacking gave a glaring example of this concept at work. He started his demonstration by showing the audience how to hack a camera-equipped RC car and enable HD camera resolution for the cheaper, SD-only variant of the toy car. Economies of scale: when setting up and changing production lines is expensive, and software configuration is cheap, it actually makes a lot of sense for the vendor to cut costs through software and not to be too concerned about plunging sales of the HD version among hacker types. However, cost efficiency and a lack of concern can be a lot more damaging when it results in a complete disregard for basic security. Much to the amusement of the audience, Tobias demonstrated this vividly by hijacking a camera-equipped adult toy (yes, it's a thing), and then just to wrap the show up he gave a handy demo of how to bring a big stage light show to your neighbour by hacking their smart lightbulbs (which is only fair payback for using the angle grinder at 7AM on a Sunday morning, I suppose).

The presentation given by Zoltán Balázs of MRG Effitas on IoT device security – and the lack thereof – only reinforced the message that vendors really need to get their act together on this front, no matter the pressure from the market to ship fast and early. Mirai, anyone?

Feeling that these two presentations had warmed me up sufficiently for more serious work, I joined the workshop on Cuckoo Sandbox custom module development. Note to self: take an intermediate subject only after your understanding of the basics is fairly solid.

via GIPHY Artist's impression of my understanding following "Welcome to the Cuckoo workshop".

The coffee breaks between conference sessions allowed for a little chat amongst fellow attendees; I loved these as much as the presentations themselves. For instance, somebody casually showed me how one could get, er, free WiFi from certain cable modems on the UPC network. This is actually a fun one: turns out that the default WiFi password of certain Ubee modems that UPC commonly deploys for consumers can be guessed from the advertised SSID. This has been a known issue for several months now, yet I had no difficulty whatsoever in finding vulnerable WiFi networks when I tried the key generator app – so maybe this is less a 'fun one' and more a 'holy macaroni!' one.

 

routerkeygen-yolosec.png

 

Returning from lunch, I just managed to catch Jeff Hamm's presentation on the attack and forensics arsenal offered by PowerShell and his case study on how PowerShell was utilised in a successful attack against a bank, eventually gaining the attacker access to the SWIFT subsystem and the ability to transfer money out, before destroying the systems affected. You can't say that it's called PowerShell for no reason, right?

I had to leave a bit prematurely, but the first BSides Budapest left me with very good impressions. Kudos to the organisers and sponsors for bringing together a wide variety of talks for security professionals and enthusiasts alike. And on my way home I might have won them another attendee for next year: the cab driver listened quite intently to my stories from the infosec world and said he would totally consider a second career in this area. If only it hadn't happened right after explaining ransomware-as-service – I can only hope this was responsible disclosure. See you at the next #BSidesBUD event, blackhat cab driver!

BSides-small_logo_website.jpg

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Test your technical and mental limits in the VB2017 foosball tournament

As has become tradition, VB2017 will once again see a security industry table football tournament. Register your team now for some great fun and adrenaline-filled matches in between sessions in Madrid!

The case against running Windows XP is more subtle than we think it is

Greater Manchester Police is one of many organizations still running Windows XP on some of its systems. This is bad practice, but the case against running XP is far more subtle than we often pretend it is.

Hot FinSpy research completes VB2017 programme

Researchers from ESET have found a new way in which the FinSpy/FinFisher 'government spyware' can infect users, details of which they will present at VB2017 in Madrid.

Transparency is essential when monitoring your users' activities

Activity monitoring by security products in general, and HTTPS traffic inspection in particular, are sensitive issues in the security community. There is a time and a place for them, VB's Martijn Grooten argues, but only when they are done right.

VB2017 preview: Android reverse engineering tools: not the usual suspects

We preview the VB2017 paper by Fortinet researcher Axelle Apvrille, in which she looks at some less obvious tools for reverse engineering Android malware.