Security B-Sides MSP 2016, information security conference, day 1 notes and full recap by pfunk

[![](https://i.imgsafe.org/b600e33aed.png)](https://www.bsidesmsp.org/)

Today I attended day one of two of an event called Security B-Sides MSP, which is a free, open registration security conference, held yearly. I'm not a security pro but I signed up because it's an interesting topic and I wanted to see what people would be talking about. The presentations were still very interesting and educational. I did not take complete notes but wrote down the things that I found interesting.

## Opening Keynote - Nate Cardozo
Delivering the opening presentation was the [Electronic Frontier Foundation](https://eff.org)'s [Nate Cardozo](https://www.eff.org/about/staff/nate-cardozo), a Senior Staff Attorney on their digital civil liberties team.

![](https://i.imgsafe.org/b62501933e.jpg)
Photo by [@thisisDaveLee on Twitter](https://twitter.com/thisisDaveLee/status/741273702491246592)

His presentation was part history of government challenges to strong encryption and part present reality of government challenges to strong encryption, and how today's news is the same old story repeating itself, but this time with more ignorant pressure against its use. Notes:

### All Writs and Wiretap Act
Regarding the All Writs Act cited by the FBI in its cases against Apple, which tried to set a precedent where the government could force companies to custom-tailor exploits for their own products on request: it failed because, to run on iOS, software must be signed with Apple's key. Signing would be an affirmation of the software's legitimacy, an affirmation that Apple did not wish to make; forcing it would therefore have been compelled speech and unconstitutional. He mentioned the next litigation front will be citing the Wiretap Act's "technical assistance" provision against WhatsApp. More info on these cases [here](https://www.eff.org/deeplinks/2016/03/next-front-new-crypto-wars-whatsapp).

### Anti-encryption Ignorance
Among other completely ridiculous things, the idiotic Burr-Feinstein anti-encryption bill would have made any computer, from a TI graphing calculator to your laptop and phone, illegal, because it could be used to strongly encrypt information. He made the point that code is speech, programmers communicate with it, and thus it is protected under the First Amendment. This means that even if the US government has legal leverage over corporations, it has zero leverage against free open source software.

### It's Magic
One of his own personal points about the crypto-ignorant politicians and law enforcement is that they don't understand the technology that has been designed to be dumb enough for them to be able to use it, the iPhone or Android phone in their pocket. So they think it's magic, and that if the wizards of Silicon Valley can make a magical phone, they can also make magical secure encryption that has a backdoor accessible to only one party. Their own words indicate that if they just ask hard enough, the nerdwizards of the world will be able to do it. What they really are doing is demanding the impossible of reality.

### Neo-CALEA
He mentioned a new [CALEA](https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)-type bill may be introduced specifically targeting internet communications. He went on to say this type of proposed law might only apply to corporations.

### Ethiopia is a Nation-State Attacker
Nate mentioned that he represented an Ethiopian-American citizen who lives in Maryland who sued the government of Ethiopia for targeting him with a trojan horse. They had full control over his computer and recorded its use by him and his family, including eavesdropping on their Skype calls. [More info here.](https://www.eff.org/cases/kidane-v-ethiopia)

### Rule 41, not to be confused with Rule #34
He touched on the proposed changes to [Rule 41 of the Federal Rules of Criminal Procedure](https://cdt.org/insight/issue-brief-proposed-changes-to-rule-41/), saying it would give way too much power to all magistrate judges to issue warrants for electronic hacking and surveillance, and implied it would be abused.

### Chinese Packet Traps
He mentioned that in China, WPA2 is banned, and they mandate the use of their own WIFI encryption called [WAPI](https://en.wikipedia.org/wiki/WLAN_Authentication_and_Privacy_Infrastructure), which is presumably backdoored.

### Dud Torpedo
Prompted by an audience question, he talked about the Tor exploits used by the FBI against a hidden service for child porn. He said that by what he'd read in their documents, they used two exploits, one 0-day for high value targets and one already-known exploit for most others. The refusal of the FBI to provide the exploit vector to the defendants is costing them their evidence and thus the cases. He also explained that the evidence they gathered was poor. It didn't deliver the infected host's IP address, rather just the MAC address, and did so in plaintext over the internet, with no proper chain of custody.

## Inside Real APT - Tim Crothers
Tim is a Senior Director of Cyber Security for Target Corporation. In his presentation he used actual Windows console logs from a successful intrusion to illustrate the formula of a persistent hacker targeting a Windows network. He stressed the point that professional hacking outfits, often state sponsored, have a playbook they go by and thus will have hallmark TTPs: tactics, techniques, and procedures. These can be used to profile who you might be up against, and detect their intrusions better. 

![](https://i.imgsafe.org/ba1fa196e0.jpg)
Photo by [@ashanas on Twitter](https://twitter.com/ashanas/status/741299866316349442)

In his example, the hacker used the same staging directories, used the same set of tools, and always loaded onto the target machine in the same manner. The hacker also made errors over a large sample of the machines he hacked, which gave important info away. Some more generic profiling things to look out for are encrypted .rar files, as the Asia Pacific region likes to use them, and it's very unlikely any normal circumstances would have an encrypted .rar file in an internal corporate network. He also recommended using domain statistics to look for outlier processes running on just a few machines to detect intrusion.
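The outlier-process idea Tim described (use fleet-wide statistics to find executables running on only a handful of machines) can be shown with a small script. This is an added example, not code from the talk or this post: it assumes a host/process inventory exported as (hostname, image path) rows, as a Sysmon or EDR export would give you, and every hostname and path below is constructed for illustration, not a real indicator.

```python
"""Process "stacking": flag executables that run on only a few hosts.

Added example, not code from the talk or the post. It assumes a host/process
inventory exported as (hostname, image path) rows, such as a Sysmon process
creation or EDR inventory export would give you; everything below is
constructed sample data, not real hosts or indicators.
"""
from collections import defaultdict

# Constructed fleet of eight workstations.
HOSTS = [f"ws-{i:03d}" for i in range(1, 9)]

# Constructed inventory rows: (host, image path). Common software appears on
# most hosts; the "update" and "Libraries" entries stand in for attacker
# staging directories and are invented for this example.
SAMPLE_INVENTORY = []
for _h in HOSTS:
    SAMPLE_INVENTORY.append((_h, r"C:\Windows\System32\svchost.exe"))
    SAMPLE_INVENTORY.append((_h, r"C:\Windows\explorer.exe"))
for _h in HOSTS[:6]:
    SAMPLE_INVENTORY.append((_h, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"))
for _h in ("ws-002", "ws-005", "ws-008"):
    SAMPLE_INVENTORY.append((_h, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"))
SAMPLE_INVENTORY += [
    ("ws-003", r"C:\Users\Public\Libraries\win32.exe"),   # constructed, one host only
    ("ws-003", r"C:\ProgramData\update\rar.exe"),          # constructed, two hosts
    ("ws-007", r"C:\ProgramData\update\rar.exe"),
    ("ws-003", r"C:\Windows\System32\SVCHOST.EXE"),        # same image, different case
]


def stack_processes(rows):
    """Map each image path (case-folded) to the set of distinct hosts running it.

    Counting distinct hosts rather than raw rows keeps a chatty host from
    inflating a count; case-folding keeps SVCHOST.EXE and svchost.exe together.
    """
    hosts_by_image = defaultdict(set)
    for host, image in rows:
        hosts_by_image[image.lower()].add(host)
    return hosts_by_image


def find_outliers(rows, max_hosts=2, min_fleet=5):
    """Return [(image, sorted hosts)] for images on at most max_hosts distinct hosts.

    Stacking only says something when the fleet is big enough for "rare" to be
    meaningful, so fleets smaller than min_fleet return nothing.
    """
    fleet = {host for host, _ in rows}
    if len(fleet) < min_fleet:
        return []
    stacks = stack_processes(rows)
    return sorted(
        (image, sorted(hosts))
        for image, hosts in stacks.items()
        if len(hosts) <= max_hosts
    )


if __name__ == "__main__":
    for image, hosts in find_outliers(SAMPLE_INVENTORY):
        print(f"{len(hosts)} host(s): {image} -> {', '.join(hosts)}")
```

The output is a triage list, not a verdict: one-off admin utilities and oddball line-of-business software surface the same way, which is why each hit carries its host list for follow-up. `max_hosts` scales with fleet size; on a few thousand endpoints a threshold of a handful of hosts is typical.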

Tim mentioned that if you're dealing with a pro team, uploading any questionable files to VirusTotal is bad operational security, as anyone can buy a subscription to its feed, and a team that's on the ball will have done so and will be on the lookout for their own malware. Tipping them off means they can switch or elevate their tactics, making it harder on the defensive network security team.

A really interesting thing Tim mentioned was that Russia apparently has developed a full remote administration tool (RAT) trojan that only uses Windows Management Instrumentation (WMI), meaning that it doesn't need to load its own executable; it is entirely executed with Windows commands.

## Fast Furious and Secure: DevOps Edition - Ty Sbano

Ty is a Sr. Director of Product Security at Target Corp. I actually didn't take any notes from his presentation, but his main point was to educate developers on security matters to streamline secure code development. The goal is to have "agile" but secure development, without having to backtrack too much when it is audited for security. He's a great speaker, the topic just wasn't in my field of interests.

## Maintaining Focus - Russ Steiger
Russ is the Lead Security Analyst within St. Jude Medical's Cyber Threat Action Center (CTAC). St. Jude is a fairly large company that makes medical devices, and from what I gathered, it was having issues with corporate espionage hackers taking its intellectual property. So they reorganized their cyber security team and built this crack security operations center (SOC) called the CTAC. Acronyms galore!

![](https://i.imgsafe.org/ba29a8b488.jpg)
Photo by [@mjharmon on Twitter](https://twitter.com/mjharmon/status/741345131564007424)

His presentation was about his team's experience in building a focused and effective SOC within the company. They threw out their cubicles and custom built a room for themselves. They built an isolated room to keep issues internal to their team and prevent needless panic from other groups working near them. In this room, all tiers of security specialists work together. It features a desk for each of the 6 team members and a 7th "hotel" desk so that they could have someone from within the company sit down and join them at eye level to better understand what they're up to. The desks face the back of the room where there is an array of screens that they can all see to monitor their network. The physical buildout of the room was interesting too. To keep the rest of their office from thinking they were a secretive club, they installed a window facing the hallway (with blinds if needed). They painted the ceiling black to reduce eye fatigue. They used double-baffled ventilation, double-paned window glass, and sound absorbing materials on the walls to keep sound in. To me this almost sounded a little overboard but it's usually better to overdo security than slack on it I guess.

## Automating Malware Analysis - Paul Melson
Paul is a Director of Cybersecurity at, again, Target Corp. He started his talk by saying that to understand what malware does is to understand the goal of the adversary, so detailed analysis of the malware itself is very useful. During his talk he did live static analysis demonstrations on his "zoo" of a crapload of malware executables, which he had curated into a neat and searchable database within a "binary management and analysis framework" called [Viper](http://viper.li/).

![](https://i.imgsafe.org/ba37d35590.jpg)
Photo by [@mjharmon on Twitter](https://twitter.com/mjharmon/status/741365720978690053)

Viper can automate indicator and information extraction from malware, allowing the person analyzing multiple binaries to find connections. Using Viper with a plugin called Yara, Paul was able to successfully map connections and find clusters of malware using indicators that he said most people wouldn't treat as useful, such as the binary's compile date. He was able to notice connections in falsified compile dates, as shown in the picture above. Using cluster graphs of these indicators he was better able to map the adversary's malware and command and control connections. Using a large "zoo" of samples allows him to have a large reference base when he's analyzing new and unknown malware.
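The compile-date trick Paul described is easy to reproduce outside Viper, since the stamp is a single field in the PE header. Below is an added example, not Viper's code or anything shown in the talk: it reads the COFF `TimeDateStamp` straight out of a PE file with `struct`, groups samples that share a stamp, and flags stamps that cannot be real build times (zeroed, or later than the sample was first observed). The "zoo" is a handful of constructed minimal PE byte blobs with invented timestamps, not real samples.

```python
"""Group malware samples by PE compile timestamp and flag implausible ones.

Added example, not Viper's code or anything shown in the talk. It reads the
COFF header TimeDateStamp straight out of a PE file, so the "zoo" below is a
handful of constructed minimal PE byte blobs (a DOS stub, a PE signature and a
COFF header) with invented timestamps, not real samples.
"""
import struct
from collections import defaultdict
from datetime import datetime, timezone


def make_fake_pe(timestamp):
    """Build the smallest byte string compile_timestamp() will accept (constructed)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # offset of the PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def compile_timestamp(data):
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if len(data) < e_lfanew + 24:
        raise ValueError("truncated COFF header")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def classify_timestamp(timestamp, first_seen):
    """Sanity-check a compile time against when the sample was first observed.

    A zeroed or future-dated stamp cannot be a real build time, so it is a
    deliberate choice by the author and worth clustering on in its own right.
    """
    if timestamp == 0:
        return "zeroed"
    if timestamp > first_seen:
        return "future"
    return "plausible"


def cluster_by_timestamp(zoo):
    """Map each distinct compile timestamp to the sorted sample names sharing it."""
    clusters = defaultdict(list)
    for name, data in zoo.items():
        clusters[compile_timestamp(data)].append(name)
    return {ts: sorted(names) for ts, names in clusters.items()}


def analyze_zoo(zoo, first_seen):
    """One row per sample: name, raw stamp, ISO date, verdict, cluster size."""
    clusters = cluster_by_timestamp(zoo)
    rows = []
    for name, data in sorted(zoo.items()):
        ts = compile_timestamp(data)
        rows.append({
            "name": name,
            "timestamp": ts,
            "iso": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "verdict": classify_timestamp(ts, first_seen),
            "cluster_size": len(clusters[ts]),
        })
    return rows


# Constructed zoo. Two samples share a stamp, one is dated in the future, one is
# zeroed, one is plausible but stands alone.
FIRST_SEEN = 1465603200  # 2016-06-11 00:00:00 UTC, the constructed triage date
ZOO = {
    "sample_a": make_fake_pe(1465600000),
    "sample_b": make_fake_pe(1465600000),
    "sample_c": make_fake_pe(2000000000),   # 2033-05-18, impossible build date
    "sample_d": make_fake_pe(0),
    "sample_e": make_fake_pe(1262304000),   # 2010-01-01
}

if __name__ == "__main__":
    for row in analyze_zoo(ZOO, FIRST_SEEN):
        print(f"{row['name']}  {row['iso']}  {row['verdict']:9}  shared by {row['cluster_size']}")
```

Shared stamps are a weak link on their own (a build farm or a copied toolchain produces them too), which is the point Paul made: they become useful when combined with other extracted indicators and plotted as a cluster graph, and a falsified stamp is itself a habit that can be tracked across samples.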

## Bridging the Gap - Matt Nelson
![](https://i.imgsafe.org/bb190ed108.jpg)
Photo by [@mjharmon on Twitter](https://twitter.com/mjharmon/status/741379470494302208)

Matt is a Red Teamer/Penetration Tester. I missed the first bit of his talk but caught up while he was talking about some advanced ways of extreme privilege escalation in a Windows network environment using PowerShell. He talked about PowerView, a tool useful to both network attackers and defenders in having a full picture of the network. He spent some time talking about exploiting trust vulnerabilities in Windows domains, where a compromised domain controller in a child domain allows full access to the entire domain 'forest'. He brought up mimikatz, a tool that can use this to create a "golden ticket" to the entire Windows network. He also brought up a swiss-army-knife tool called Empire which is a full-featured PowerShell-based malware agent.

Finally, he strongly recommended that Windows admins upgrade to the latest PowerShell v5, as it is more secure, though still not perfect. He also mentioned that PowerShell v2 can still be used even if v5 is installed.

## Botnet C&C: Up close and personal - Alex Holden

![](https://i.imgsafe.org/bab242f262.jpg)
Photo by [@mjharmon on Twitter](https://twitter.com/mjharmon/status/741393840221757441) 

This one surprised me with how interesting it was. Alex is a Ukrainian American who led with his method of botnet intelligence: just get friendly with the hackers and get them to brag about it. I think his knowledge of Russian and Ukrainian comes in handy with this. Alex really seems to love botnet surveillance.

He talked about the business and economics of botnet software. It's amazingly sophisticated. He explained how botnet malware providers offer multi-tiered or customized products to their customers. For example a customer can opt for antivirus evading plugins, for a higher price. The botnet controllers will try to infect specific groups using demographic or geographic information. For instance one of the botnets he showed had the vast majority of its infected machines with French IPs, because the botnet owner was targeting users of specific banks in France.

He did live demos of different off-the-shelf botnet software GUIs. Some of them are amazingly advanced. They provide the botnet owner (or renter) detailed statistics on their compromised hosts. They can inject "grabber" webpages for their infected users, say when they access online banking, with real-looking prompts asking for personal information, which is then collected and exploited. Phone alerts can even be set up by the botnet owner to let them know when this attack was successful. **This web injection can even go so far as removing the fraudulent transactions and simulating the victim's bank balance as if they hadn't happened.** By the time the customer realizes he's been defrauded it will then be too late.

The security arms race has made them more resilient as well. More often today they do not rely on any centralized command and control server, instead forming a mesh network which is much harder to bring down.

Finally Alex talked about the growing field of sophisticated smartphone botnet commodity software available. He mentioned one, called DroidJack, which can control every conceivable feature on a smartphone (including reading/sending SMS and receiving or making phone calls), and use any one of its inputs (front/rear camera, microphone, accelerometers, GPS) for eavesdropping. This can be done without a person knowing their phone is compromised.

---
That's it for day 1. It's a crazy security world out there. I'm not an expert but I understand tech well enough that I am just barely understanding most of what I've reported here. If you're an infosec expert please comment! And if you're not, but found any of this fascinating, please let me know too. Now to sleep for day 2.

#pfunkblog
Posted by @pfunk on 2016-06-11, last edited 2016-07-01.