Quick impressions from BSides Budapest

Posted by    on   Mar 8, 2017

At Virus Bulletin, we love the BSides concept and we have attended several of the BSides events around the world. So when Peter Karsai, who is soon to join the VB team, offered to write something about his experience at BSides Budapest, we jumped at the chance to publish his post.

 

Growing up in Eastern Europe during the final years of the Soviet bloc, my primary connection to the West was through the VCR: bootlegged Hollywood movies from Germany, copied a hundred times, with ridiculous home-brewed Hungarian voiceover, over German voiceover, over Mr. Miyagi from The Karate Kid. It was our esteemed family VCR that first introduced me to the concept of "economies of scale": when the light fell at the right angle, the built-in display revealed placeholder symbols for functions not available in our entry-level model. I was startled, so my brother took up the duty of explaining that it is often cheaper to produce zillions of the same device and let some functionality lie unused in some of them than it is to manufacture a custom device for individual models. When setup costs are high, producing many of the same brings your per-item costs down. He added that this is called "economies of scale" – because that's exactly the sort of term an eight-year-old finds indispensable in his daily adventures.

 

512px-Vacuum_fluorescent_1.jpg

A vacuum fluorescent display from a typical VCR.
By Atlant assumed (based on copyright claims). [GFDL, CC-BY-SA-3.0 or CC BY 2.5], via Wikimedia Commons

 

Fast forward to 2017 and BSides Budapest, and Tobias Schrödel's presentation on smart device hacking gave a glaring example of this concept at work. He started his demonstration by showing the audience how to hack a camera-equipped RC car and enable HD camera resolution for the cheaper, SD-only variant of the toy car. Economies of scale: when setting up and changing production lines is expensive, and software configuration is cheap, it actually makes a lot of sense for the vendor to cut costs through software and not to be too concerned about plunging sales of the HD version among hacker types. However, cost efficiency and a lack of concern can be a lot more damaging when it results in a complete disregard for basic security. Much to the amusement of the audience, Tobias demonstrated this vividly by hijacking a camera-equipped adult toy (yes, it's a thing), and then just to wrap the show up he gave a handy demo of how to bring a big stage light show to your neighbour by hacking their smart lightbulbs (which is only fair payback for using the angle grinder at 7AM on a Sunday morning, I suppose).

The presentation given by Zoltán Balázs of MRG Effitas on IoT device security – and the lack thereof – only reinforced the message that vendors really need to get their act together on this front, no matter the pressure from the market to ship fast and early. Mirai, anyone?

Feeling that these two presentations had warmed me up sufficiently for more serious work, I joined the workshop on Cuckoo Sandbox custom module development. Note to self: take an intermediate subject only after your understanding of the basics is fairly solid.

via GIPHY Artist's impression of my understanding following "Welcome to the Cuckoo workshop".

The coffee breaks between conference sessions allowed for a little chat amongst fellow attendees; I loved these as much as the presentations themselves. For instance, somebody casually showed me how one could get, er, free WiFi from certain cable modems on the UPC network. This is actually a fun one: turns out that the default WiFi password of certain Ubee modems that UPC commonly deploys for consumers can be guessed from the advertised SSID. This has been a known issue for several months now, yet I had no difficulty whatsoever in finding vulnerable WiFi networks when I tried the key generator app – so maybe this is less a 'fun one' and more a 'holy macaroni!' one.

 

routerkeygen-yolosec.png

 

Returning from lunch, I just managed to catch Jeff Hamm's presentation on the attack and forensics arsenal offered by PowerShell and his case study on how PowerShell was utilised in a successful attack against a bank, eventually gaining the attacker access to the SWIFT subsystem and the ability to transfer money out, before destroying the systems affected. You can't say that it's called PowerShell for no reason, right?

I had to leave a bit prematurely, but the first BSides Budapest left me with very good impressions. Kudos to the organisers and sponsors for bringing together a wide variety of talks for security professionals and enthusiasts alike. And on my way home I might have won them another attendee for next year: the cab driver listened quite intently to my stories from the infosec world and said he would totally consider a second career in this area. If only it hadn't happened right after explaining ransomware-as-service – I can only hope this was responsible disclosure. See you at the next #BSidesBUD event, blackhat cab driver!

BSides-small_logo_website.jpg

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Didn't come to VB2017? Tell us why!

Virus Bulletin is a company - and a conference - with a mission: to further the research in and facilitate the fight against digital threats. To help us in this mission, we want to hear from those who didn't come to Madrid. What is your impression of…

Montreal will host VB2018

Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

VB2017 preview: Beyond lexical and PDNS (guest blog)

In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella writes about a paper that researchers Dhia Mahjoub and David Rodriguez will present at the conference this Friday.

Avast to present technical details of CCleaner hack at VB2017

The recently discovered malicious CCleaner version has become one of the biggest security stories of 2017. Two researchers from Avast, the company that had recently acquired CCleaner developer Piriform, will share the results of their investigations…

VB2017 preview: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

We preview the VB2017 paper by Kaspersky Lab researchers Juan Andrés Guerrero-Saade and Costin Raiu on fourth-party collection and its implications for attack attribution.