Monday, 30 April 2012

BSides London 2012

Recently, both Ben and I were lucky enough to get our grubby mitts on some BSides tickets, which turned out to be a mixed bag, but was still a very worthwhile and well-organised event. Overall, it was well thought out despite one of the speakers going AWOL (Kizz MyAnthia - Mapping The Penetration Tester's Mind: 0 to Root in 60 Minutes). In fact, to fill this slot Paco Hope (@pacohope) from Cigital stepped in with his really interesting talk on online gambling security, focussing on random number generators and shuffling algorithms. This was, very much, a cheeky bonus.
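The shuffling pitfall that talks like Paco's tend to hinge on is easy to show in code. The block below is an added example, not material from the talk or from this post: it enumerates every possible sequence of RNG outputs for a deck of n cards and counts how often each permutation comes out, for the textbook Fisher-Yates shuffle and for the "swap each position with any random position" shuffle that the example assumes is the naive one in the wild. Even with a perfect RNG the naive version cannot be uniform (n^n outcomes do not divide evenly into n! permutations), which is the kind of bias a card-counting player can exploit.

```python
"""Compare the permutation distribution of Fisher-Yates with a naive shuffle.

Rather than sampling, both shuffles are driven by every possible sequence of
ideal-RNG outputs, so the counts below are exact (added example, not from the
BSides talk)."""
from collections import Counter
from itertools import product


def naive_shuffle(deck, rolls):
    """Assumed 'naive' shuffle: for each index i, swap with a random index r
    drawn uniformly from the WHOLE deck. rolls has one value in [0, n) per
    position."""
    deck = list(deck)
    for i, r in enumerate(rolls):
        deck[i], deck[r] = deck[r], deck[i]
    return tuple(deck)


def fisher_yates(deck, rolls):
    """Fisher-Yates (Durstenfeld variant): walk i from n-1 down to 1 and swap
    deck[i] with deck[j] for j drawn uniformly from [0, i]. rolls[k] must lie
    in [0, n-1-k]."""
    deck = list(deck)
    n = len(deck)
    for k, j in enumerate(rolls):
        i = n - 1 - k
        deck[i], deck[j] = deck[j], deck[i]
    return tuple(deck)


def permutation_counts(algorithm, n):
    """Exhaustively run `algorithm` over every RNG output sequence for a deck of
    n distinct cards and count how often each permutation is produced."""
    deck = tuple(range(n))
    if algorithm == "naive":
        roll_space = product(range(n), repeat=n)          # n^n sequences
        shuffle = naive_shuffle
    elif algorithm == "fisher_yates":
        roll_space = product(*[range(n - k) for k in range(n - 1)])  # n! sequences
        shuffle = fisher_yates
    else:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    return Counter(shuffle(deck, rolls) for rolls in roll_space)


def is_uniform(counts):
    """True when every permutation was produced the same number of times."""
    return len(set(counts.values())) == 1


def bias_ratio(counts):
    """Most-likely permutation frequency divided by least-likely; 1.0 is fair."""
    return max(counts.values()) / min(counts.values())


if __name__ == "__main__":
    for n in (3, 4):
        for name in ("fisher_yates", "naive"):
            c = permutation_counts(name, n)
            print(f"n={n} {name:13s} outcomes={sum(c.values()):4d} "
                  f"perms={len(c):3d} uniform={is_uniform(c)} "
                  f"bias={bias_ratio(c):.3f}")
```

For three cards the naive shuffle maps 27 RNG sequences onto 6 permutations, so some permutations come up 5 times and others 4; the bias grows with deck size, and seeding the RNG from a small state (the other half of the gambling story) shrinks the reachable set of permutations further still.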

However, I digress. The conference managed to have plenty going on throughout the day, which meant that even if there wasn't a talk you were particularly interested in, you could either attempt a CTF (with Campbell @zyx2k) or try your hand at the ubiquitous-at-hacking-cons lock picking table. In addition to the two main tracks of talks, there was also a third track which appeared to be an open forum for impromptu talks, for anyone who had something interesting to say. I really liked the idea of this and I managed to catch two of the talks on there. The first talk I saw on this track was more of a discussion, talking about formal education for hacking and how this would serve the industry. I found this quite interesting, having done a degree and currently reading a masters by research (MRes) in security and hacking related fields. I gladly proffered my experiences, opinions and advice and found it quite 'nice' to be able to muse without needing to have a talk prepared. I'd like to see more of this in a formal setting at cons. The second talk I caught in this track was an impromptu SAP overview by Steve Lord (@stevelord). This was a great talk (as much as I hate SAP and have only done one test), but he made some really good points around the in-house lifecycle of SAP customisations, rushed deployments and misapprehensions by large corporate businesses. Awesome. And what a knowledgeable guy to do it all off the cuff.

On the main two tracks, there were two real highlights for me: HTML5 - A Whole New Attack Vector by Robert McArdle (@bobmcardle) and UPnP - The Useful plug and pwn protocol – revisited by Arron Finnon (@f1nux).

McArdle's talk walked through the most notable features of HTML5, then progressed onto basic attack vectors including the <video> tag and browser pop-ups. Following this, he discussed the concept of browser botnets and the impact of their creation within a corporate environment. This was a particularly appealing talk, as HTML5 has been on my 'to-do' list for a while now, due in part to the uptake of HTML5 moving at the same rate as IPv6 (what's the name of that Paula Abdul song with the animated cat?). I often tell myself (and after speaking with other testers I realised that I'm not alone) that it can wait a little bit longer, as there are 101 things (including my job as a Penetration Tester for HP in there somewhere) to research and learn first. However, it's now leapfrogged a few places up the list. It's certainly worth going and reading up on potential vectors and reading some of the white papers. Great job Robert.

F1nux's UPnP talk was great also. Having been in the independent state of 'Web-app-land', in terms of personal research and learning, for the last year it seems, it was great to see new things being done with an older protocol (that likes to say 'Yes' – SEVERE lack of 'Mum jokes' following this, but maybe my sense of humour never ventured beyond the playground). The talk explored the protocol and the information that was freely given by supported devices, and several vectors were discussed regarding home routers and the opening of ports via UPnP. I really want to look at the possibilities of screwing with this in VoIP. I really LOVE this type of low-tech, elegant hack (worth mentioning how great @wickedclown is at that sort of thing here!) and F1nux really ripped it up (again).
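To make the two UPnP points above concrete (devices hand out information on request, and a router will open a port for anyone who asks), here is an added example, not code from the talk or from this post. It builds the SSDP M-SEARCH request that any LAN host can multicast, parses a constructed reply of the kind an Internet Gateway Device returns (the LOCATION header points at the device description XML that lists services and control URLs), and assembles the WANIPConnection:1 AddPortMapping SOAP request that the IGD profile accepts with no authentication. The sample reply, the 192.168.1.x addresses and the port numbers are made up for the example; `discover()` does send the request on the network, the rest runs offline.

```python
"""UPnP/SSDP discovery and an IGD AddPortMapping request, built and parsed
offline (added example; addresses and the sample reply are constructed)."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st=IGD_ST, mx=2):
    """M-SEARCH request as multicast to the SSDP group. There is no
    authentication step: any host on the segment can ask and devices answer."""
    request = (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_ssdp_response(raw):
    """Split an HTTPU reply into (status line, {HEADER-NAME: value})."""
    head = raw.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return status, headers


def description_endpoint(headers):
    """Host, port and path of the device description XML named in LOCATION;
    fetching it (plain HTTP GET) yields service types and control URLs."""
    loc = urlparse(headers["LOCATION"])
    return loc.hostname, loc.port or 80, loc.path


def build_add_port_mapping(external_port, internal_port, internal_client,
                           protocol="TCP", description="example", lease=0):
    """SOAP request for WANIPConnection:1#AddPortMapping, returned as
    (http_headers, body). POST it to the service's control URL."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'           # empty = any source host
        f'<NewExternalPort>{int(external_port)}</NewExternalPort>'
        f'<NewProtocol>{protocol}</NewProtocol>'
        f'<NewInternalPort>{int(internal_port)}</NewInternalPort>'
        f'<NewInternalClient>{escape(internal_client)}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{escape(description)}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{int(lease)}</NewLeaseDuration>'  # 0 = permanent
        '</u:AddPortMapping>'
        '</s:Body>'
        '</s:Envelope>'
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_SERVICE}#AddPortMapping"',
    }
    return headers, body


def mapping_fields(body):
    """Parse a SOAP body back and return the New* arguments as a dict."""
    root = ET.fromstring(body)
    action = root.find(f".//{{{WANIP_SERVICE}}}AddPortMapping")
    return {child.tag: child.text or "" for child in action}


def discover(timeout=2.0):
    """Send the M-SEARCH and collect unicast replies (real network call)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), (SSDP_HOST, SSDP_PORT))
        while True:
            data, addr = sock.recvfrom(65535)
            replies.append((addr, parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample reply for offline use, not captured from a real device.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::" + IGD_ST.encode() + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, hdrs = parse_ssdp_response(SAMPLE_REPLY)
    print(status, "|", hdrs["SERVER"], "|", description_endpoint(hdrs))
    soap_headers, soap_body = build_add_port_mapping(8080, 22, "192.168.1.50")
    print(soap_headers["SOAPAction"], mapping_fields(soap_body))
```

The SERVER header alone already tells you OS and firmware lineage, and a mapping with NewRemoteHost empty and NewLeaseDuration 0 is a permanent, any-source hole through the router; the defensive check is simply whether your gateway answers M-SEARCH at all, and whether AddPortMapping is reachable from anything other than trusted LAN hosts (it should not be reachable from the WAN side at all).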

As much as I hate to be negative about a free con, which was informative, well organised and had a free bar at the end, it's good to be constructive.

So, my main feedback would be to pick more technical talks, as my feeling was that some of the talks were a bit too 'social sciencey' and didn't really give any information beyond a message or way of thinking that may be counterintuitive at first. I feel that these types of talks can be delivered by anyone with a point of view who's been hacking, penetrating or researching for a year or more, so I found some of them a bit disappointing. Following on from this, I felt that perhaps the target audience was slightly wrong for me as an experienced penetration tester / security consultant. I felt the con wasn't so much aimed at people like me, but at people who're new to the industry or grads. In one talk, asymmetric encryption was explained with Alice and Bob (and Eve); I thought this was a little strange and half-expected Bruce Schneier to jump out from behind the curtain with Alice's private key.

Overall though, a massive success! Thanks to everyone at BSides for putting on an amazing conference, and I look forward to repeatedly hitting CTRL+F5 in my browser next year to get tickets again.