Review: BSides Athens 2017

Posted by   Martijn Grooten on   Jul 10, 2017

BSides London has been a regular fixture on the Virus Bulletin agenda for the past few years, but its international audience (thanks to the event being held in parallel with InfoSecurity Europe) makes it a bit of an exception: most BSides events are organized by and for local communities, with only a small number of 'outsiders' travelling to the host city. Such was the case for BSides Budapest, which my colleague Peter attended earlier this year, and also for the second BSides Athens, which I had the pleasure of attending two weeks ago.

The conference in the Greek capital opened with a keynote from Akamai's Dave Lewis on 'The Unbearable Lightness of Failure'. Failure is, of course, a subject security professionals like to talk about, especially when it concerns the failures of others that lead to security incidents, but Dave's talk focused mainly on mistakes he had made himself and the lessons he had learned from them. It was an interesting and wide-ranging talk, with many anecdotes. For me, the most memorable was the story of an organization Dave once helped to defend its network against attacks coming from a single IP address. Frustrated with the attacks, he managed to gain access to the offender's network and left a number of messages urging the attackers to stop their activities. Ethics aside, that was all fine in those early Internet days, except that he had mistyped the IP address, which makes it a valuable lesson in the debate on whether 'hacking back' should be allowed.

Failure is also very relevant to BSides, where the low barrier to entry implicitly allows people to 'fail' in their presentation and learn from the experience. That said, I was pleasantly surprised by the quality of both the programme and the individual talks, and while the speakers no doubt learned a lot from the experience of delivering their talks, none of those I saw came even close to failing.


Following the keynote, the conference split into three parallel streams. I next attended a talk by Trustwave researcher Thanassis Diogos on defending against Anunak/Carbanak. This is one of the most advanced cybercriminal groups around, and one that goes for the big fish rather than the small change in financial theft. Yet again, we saw that even the most advanced attackers rely on basic social engineering: in this particular case, the group followed a malicious email with a phone call to make sure the target really opened the attachment, sidestepping the technical controls an organization would have in place.

A talk from Konstantinos Kosmidis, a recent graduate of the International Hellenic University in Thessaloniki, covered the research from his M.Sc. thesis. It dealt with the popular subject of using machine learning to classify malware samples, in this particular case by first rendering the samples as images. It was an interesting approach with possible practical use, and it reminded me of an interesting VB2017 paper by Qualys's Ankur Tyagi, which I had read a few days before the conference.
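To make the approach concrete, here is an added example (my own toy code, not code from Kosmidis's thesis or from Tyagi's paper): each sample's bytes are reshaped into a greyscale image, a handful of texture statistics are extracted from that image, and a nearest-centroid classifier assigns a family label. The three 'families', every sample, the feature set and the classifier are all my own constructions for the demo; a real pipeline would run a convolutional network or a richer feature extractor over actual samples.

```python
"""Malware-as-image classification toy: render bytes as a greyscale image,
extract a few image statistics and classify with a nearest-centroid model.
Added example; the sample 'families' below are constructed byte sequences."""
import math
import random
from collections import Counter


def bytes_to_image(data: bytes, width: int = 32) -> list[list[int]]:
    """Reshape raw bytes into rows of `width` pixels (one byte = one grey level 0-255).
    The last row is zero-padded. This is the usual byte-to-image visualisation."""
    rows = []
    for off in range(0, len(data), width):
        row = list(data[off:off + width])
        row += [0] * (width - len(row))
        rows.append(row)
    return rows


def image_features(img: list[list[int]]) -> list[float]:
    """Five cheap texture features: mean, std dev, zero-pixel fraction,
    mean horizontal gradient (how 'noisy' the rows are) and byte entropy."""
    pixels = [p for row in img for p in row]
    n = len(pixels)
    mean = sum(pixels) / n
    std = math.sqrt(sum((p - mean) ** 2 for p in pixels) / n)
    zero_frac = pixels.count(0) / n
    edges = sum(len(row) - 1 for row in img)
    grad = sum(abs(row[i] - row[i - 1]) for row in img for i in range(1, len(row))) / max(edges, 1)
    hist = Counter(pixels)
    entropy = -sum((c / n) * math.log2(c / n) for c in hist.values())
    return [mean, std, zero_frac, grad, entropy]


def train_centroids(samples: list[tuple[str, bytes]]) -> dict:
    """Z-score each feature over the training set, then average per label."""
    feats = [(label, image_features(bytes_to_image(b))) for label, b in samples]
    dims = len(feats[0][1])
    means = [sum(f[d] for _, f in feats) / len(feats) for d in range(dims)]
    stds = [math.sqrt(sum((f[d] - means[d]) ** 2 for _, f in feats) / len(feats)) or 1.0
            for d in range(dims)]

    def norm(f):
        return [(f[d] - means[d]) / stds[d] for d in range(dims)]

    centroids = {}
    for label in {lbl for lbl, _ in feats}:
        members = [norm(f) for lbl, f in feats if lbl == label]
        centroids[label] = [sum(m[d] for m in members) / len(members) for d in range(dims)]
    return {"means": means, "stds": stds, "centroids": centroids}


def classify(model: dict, data: bytes) -> str:
    """Label = the centroid closest (Euclidean) to the sample's normalised features."""
    f = image_features(bytes_to_image(data))
    z = [(f[d] - model["means"][d]) / model["stds"][d] for d in range(len(f))]
    return min(model["centroids"], key=lambda label: math.dist(z, model["centroids"][label]))


def make_sample(family: str, seed: int, size: int = 1024) -> bytes:
    """Constructed stand-ins for three byte 'textures' found in real binaries."""
    rng = random.Random(seed)
    if family == "packed":    # high-entropy bytes, like a packed or encrypted section
        return bytes(rng.randrange(256) for _ in range(size))
    if family == "sparse":    # mostly zero padding with scattered table entries
        out = bytearray(size)
        for _ in range(size // 16):
            out[rng.randrange(size)] = rng.randrange(1, 256)
        return bytes(out)
    if family == "textual":   # printable ASCII, like a string table or a script
        return bytes(rng.randrange(0x20, 0x7F) for _ in range(size))
    raise ValueError(family)


def build_demo_model() -> dict:
    """Train on five constructed samples per family (seeds 0-4)."""
    training = [(fam, make_sample(fam, seed))
                for fam in ("packed", "sparse", "textual") for seed in range(5)]
    return train_centroids(training)


if __name__ == "__main__":
    model = build_demo_model()
    for fam in ("packed", "sparse", "textual"):
        print(fam, "->", classify(model, make_sample(fam, seed=100)))
```

The point of the image step is that it turns an arbitrary-length binary into something standard image tooling and image classifiers already understand; with the toy features above, high-entropy packed regions, zero-padded tables and string data separate cleanly, which is also why this approach is popular for clustering samples into families before any disassembly.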

Eirini Anthi's talk also dealt with her university thesis, in this case her B.Sc. thesis from Cardiff University on mobile apps sending sensitive data to third parties. I found her approach perhaps even more interesting than the conclusions she drew, as it required her to perform a man-in-the-middle attack on the apps' traffic which, because the connections were encrypted and various apps used certificate pinning, was far from trivial. Frustrating though it may have been for Eirini's research, I was pleasantly surprised to learn that a number of banking apps simply refused to work when they detected that the device they were running on had been jailbroken.

ENISA's Alexandros Zacharis looked at the security of the browsers embedded in software. For obvious reasons, web browsers have long been the focus of white-hat and black-hat security researchers alike. However, an often overlooked class of browser is the one that runs inside an application, or ships as a separate app used by an application. Such browsers tend to be locked down to perform only the tasks the app requires, such as displaying ads or connecting to a cloud service, but in practice this locking down tends to leave some holes open, allowing for various kinds of phishing and social engineering. Alexandros even showed how, under certain conditions, he could turn Skype's internal browser into a listening device.

In 'I Thought I Saw a |-|4><0.-', Thomas Fisher (of Digital Guardian and BSides London fame) gave an inside view of hunting for threats on a network. His approach was based around four A's: Assess, Analyse, Articulate and Adapt. Logs are your best friend when hunting for threats (including anti-virus logs, as these let you deal with the many known threats easily and efficiently), but so is a good understanding of what is normal for your organization. Combining the two can help you find anomalies such as a PowerShell script connecting to the Internet, which in most organizations should never happen.
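As an added example of the 'logs plus a baseline of what is normal' idea (my own toy code, not Thomas Fisher's tooling): it reads Sysmon-style network-connection events as JSON lines, builds a baseline of process-to-destination pairs from a window believed to be clean, and then flags script hosts such as powershell.exe talking to external addresses as well as any process/destination pair that never appeared in the baseline. The log lines, the field names and the list of internal networks are all assumptions made for the demo; the addresses come from the documentation ranges, standing in for Internet hosts.

```python
"""Toy threat hunt over Sysmon-style network-connection events.
Added example, not Thomas Fisher's tooling. Log lines are constructed;
field names assume Sysmon Event ID 3 exported as JSON (adjust to your SIEM)."""
import ipaddress
import json
from collections import Counter

# Script hosts that, in most organisations, have no business talking to the Internet.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumption: 'internal' means RFC 1918 plus loopback and link-local. The explicit
# list is used instead of ipaddress's is_private, which would also treat the
# documentation ranges in the sample data below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def image_name(path: str) -> str:
    """Reduce a full image path to its lower-cased file name, e.g. 'svchost.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events: list[dict]) -> Counter:
    """'What is normal': how often each (process, destination) pair was seen
    during a window you believe was clean."""
    return Counter((image_name(e["Image"]), e["DestinationIp"]) for e in events)


def hunt(events: list[dict], baseline: Counter) -> list[dict]:
    findings = []
    for e in events:
        image, dest = image_name(e["Image"]), e["DestinationIp"]
        known = (image, dest) in baseline
        if image in SCRIPT_HOSTS and is_external(dest):
            findings.append({"severity": "high", "host": e["Computer"], "image": image, "dest": dest,
                             "reason": "script host connecting to external address"
                                       + (" (seen in baseline, still review)" if known else "")})
        elif not known:
            findings.append({"severity": "low", "host": e["Computer"], "image": image, "dest": dest,
                             "reason": "process/destination pair never seen in baseline"})
    return findings


# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for Internet addresses.
BASELINE_LOG = r"""
{"EventId":3,"Computer":"WS01","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"203.0.113.50","DestinationPort":443}
{"EventId":3,"Computer":"WS01","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationIp":"198.51.100.20","DestinationPort":443}
{"EventId":3,"Computer":"WS01","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationIp":"10.0.0.7","DestinationPort":5985}
{"EventId":3,"Computer":"WS01","Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"10.0.0.5","DestinationPort":53}
"""

HUNT_LOG = r"""
{"EventId":3,"Computer":"WS01","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"203.0.113.50","DestinationPort":443}
{"EventId":3,"Computer":"WS01","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationIp":"10.0.0.7","DestinationPort":5985}
{"EventId":3,"Computer":"WS01","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationIp":"203.0.113.99","DestinationPort":443}
{"EventId":3,"Computer":"WS01","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","DestinationIp":"198.51.100.77","DestinationPort":443}
"""


def run_demo() -> list[dict]:
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return hunt(parse_events(HUNT_LOG), baseline)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity']}] {f['host']} {f['image']} -> {f['dest']}: {f['reason']}")
```

Note what the baseline buys you: powershell.exe reaching an internal host over WinRM (port 5985) was seen in the clean window and stays quiet, while the same binary reaching an external address is flagged regardless, and a new but otherwise unremarkable pair (Excel to a fresh address) only surfaces as a low-severity lead for the analyst to triage.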

A talk by Xavier Mertens (who himself wrote a review of the conference) linked in nicely with Thomas's, as it showed how various security tools can be made to work together to better detect threats. Threat detection, Xavier rightly argued, isn't just about buying a box that solves your problems. Rather it is about using multiple tools in as efficient a way as possible, to get the most out of each of them. And to that end, it can help a great deal to 'RTFM'.

Hacking conferences have a reputation for being heavy on 'stunt hacking', but this wasn't the case at this event, and I can't say that was a bad thing. Even Anna Stylianou's talk on car hacking didn't focus on some new esoteric attack, but rather gave an overview of the subject, focusing in particular on the Engine Control Unit present in most modern cars. As these units have effectively turned cars into computers on wheels, it is possible that many of the attacks we have seen on ordinary computers, including ransomware, could also find their way into cars.


Finally, Theo Papadopoulos (Gotham Digital Science) gave a talk on current techniques used in red teaming. Though aimed at red teamers and pen testers, I thought it was equally useful for those on the defensive side of security, as red teamers tend to use the same techniques as actual attackers: from malicious Office documents and PowerShell to obfuscated payloads. The trick of re-assigning the popular Ctrl-V hotkey so that it first executes a payload and then, as expected, pastes the content of the clipboard was one I hadn't seen before; it would be a clever and subtle way for an attacker to maintain persistence.

After having attended the inaugural edition of BSides Athens last year, where I delivered a talk, it was great to see how much more professional the event has become in just a year. It was an honour to attend, and I am already looking forward to the 2018 edition of the conference.


Photos used with permission from BSides Athens. More photos can be found in their gallery.


