Quick impressions from BSides Budapest

Posted by    on   Mar 8, 2017

At Virus Bulletin, we love the BSides concept and we have attended several of the BSides events around the world. So when Peter Karsai, who is soon to join the VB team, offered to write something about his experience at BSides Budapest, we jumped at the chance to publish his post.


Growing up in Eastern Europe during the final years of the Soviet bloc, my primary connection to the West was through the VCR: bootlegged Hollywood movies from Germany, copied a hundred times, with ridiculous home-brewed Hungarian voiceover, over German voiceover, over Mr. Miyagi from The Karate Kid. It was our esteemed family VCR that first introduced me to the concept of "economies of scale": when the light fell at the right angle, the built-in display revealed placeholder symbols for functions not available in our entry-level model. I was startled, so my brother took up the duty of explaining that it is often cheaper to produce zillions of the same device and let some functionality lie unused in some of them than it is to manufacture a custom device for individual models. When setup costs are high, producing many of the same brings your per-item costs down. He added that this is called "economies of scale" – because that's exactly the sort of term an eight-year-old finds indispensable in his daily adventures.


A vacuum fluorescent display from a typical VCR.
By Atlant assumed (based on copyright claims). [GFDL, CC-BY-SA-3.0 or CC BY 2.5], via Wikimedia Commons


Fast forward to 2017 and BSides Budapest, and Tobias Schrödel's presentation on smart device hacking gave a glaring example of this concept at work. He started his demonstration by showing the audience how to hack a camera-equipped RC car and enable HD camera resolution for the cheaper, SD-only variant of the toy car. Economies of scale: when setting up and changing production lines is expensive, and software configuration is cheap, it actually makes a lot of sense for the vendor to cut costs through software and not to be too concerned about plunging sales of the HD version among hacker types. However, cost efficiency and a lack of concern can be a lot more damaging when it results in a complete disregard for basic security. Much to the amusement of the audience, Tobias demonstrated this vividly by hijacking a camera-equipped adult toy (yes, it's a thing), and then just to wrap the show up he gave a handy demo of how to bring a big stage light show to your neighbour by hacking their smart lightbulbs (which is only fair payback for using the angle grinder at 7AM on a Sunday morning, I suppose).

The presentation given by Zoltán Balázs of MRG Effitas on IoT device security – and the lack thereof – only reinforced the message that vendors really need to get their act together on this front, no matter the pressure from the market to ship fast and early. Mirai, anyone?

Feeling that these two presentations had warmed me up sufficiently for more serious work, I joined the workshop on Cuckoo Sandbox custom module development. Note to self: take an intermediate subject only after your understanding of the basics is fairly solid.

Artist's impression of my understanding following "Welcome to the Cuckoo workshop".

The coffee breaks between conference sessions allowed for a little chat amongst fellow attendees; I loved these as much as the presentations themselves. For instance, somebody casually showed me how one could get, er, free WiFi from certain cable modems on the UPC network. This is actually a fun one: turns out that the default WiFi password of certain Ubee modems that UPC commonly deploys for consumers can be guessed from the advertised SSID. This has been a known issue for several months now, yet I had no difficulty whatsoever in finding vulnerable WiFi networks when I tried the key generator app – so maybe this is less a 'fun one' and more a 'holy macaroni!' one.


Returning from lunch, I just managed to catch Jeff Hamm's presentation on the attack and forensics arsenal offered by PowerShell and his case study on how PowerShell was utilised in a successful attack against a bank, eventually gaining the attacker access to the SWIFT subsystem and the ability to transfer money out, before destroying the systems affected. You can't say that it's called PowerShell for no reason, right?

I had to leave a bit prematurely, but the first BSides Budapest left me with very good impressions. Kudos to the organisers and sponsors for bringing together a wide variety of talks for security professionals and enthusiasts alike. And on my way home I might have won them another attendee for next year: the cab driver listened quite intently to my stories from the infosec world and said he would totally consider a second career in this area. If only it hadn't happened right after explaining ransomware-as-service – I can only hope this was responsible disclosure. See you at the next #BSidesBUD event, blackhat cab driver!
