BruCON 2013 conference (Part 1 of 2)
Date: November 18, 2013
In September, Cert-IST attended the BruCON security conference near Brussels. This was the first time we attended this event (it was the 5th edition). On the security conference scene, BruCON is not so well known, but it is indeed a good event: a large audience (350 people), good speakers (about 7 from Europe and 4 from the US), and a very friendly atmosphere.
The presentation slides are available on the conference website (at this location). For each presentation, we give below a link to the video recording of the talk, as well as a link to the presentation slides when available.
Our BruCON review is split in two parts. This month, we publish the first part. The second part will be published next month.
Keynote by Amelia Andersdotter (video, slides)
The opening speech for the conference was given by Amelia Andersdotter, a member of the European Parliament on behalf of the Swedish Pirate Party. She presented the difficulties of regulating technology topics, taking as an example the European Commission's 2012 work on electronic identity. Besides the difficulty of staying neutral about the underlying technologies, the presentation highlighted the difficulty of finding the right balance between the need for traceability (e.g. when a citizen accesses online government services) and the need to protect citizens' privacy.
HTTP Time Bandit (video, slides)
Presented by: Vaagn Toukharian (Qualys)
"Time Bandit" is a DDOS diagnostic tool for web servers. It searches for the critical pages of a website by measuring the response time of each page: the slowest pages are those most likely to be targeted by DDOS attacks, and must therefore be particularly protected. The tool can be used by attackers, as well as by the system owner, to identify critical resources. It is available on GitHub.
The speaker then presented various means to protect against DDOS attacks:
- Add a load-balancer to be able to easily increase server resources.
- Subscribe to an anti-DDOS commercial service. Those services are however quite expensive, and are not invulnerable (see for example this Blackhat 2013 presentation: Universal DDoS Mitigation Bypass).
- Use anti-DDOS Apache modules. The speaker mentioned several such modules, and recommends using "mod_evasive" in addition to the standard Apache directives (such as "MaxConnPerIP").
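As an added illustration of the measurement idea behind Time Bandit (this is not the tool's own code, nor code from the speaker), the following Python script times each page of a site several times, ranks the pages by median response time, and flags those far above the site-wide median as the ones to protect first (rate limiting, caching, or a module such as mod_evasive). The URL list, the simulated latencies and the 3x threshold are constructed assumptions; the real fetcher uses urllib from the standard library and is only a stand-in for whatever client the site owner prefers.

```python
"""Rank a site's pages by response time to find the ones most worth protecting.

Added example (not the Time Bandit tool). The fetcher and clock are injected so
the ranking logic can be exercised offline against constructed latencies.
"""
import statistics
import time
from typing import Callable, Dict, List, Tuple
from urllib.request import urlopen

Fetch = Callable[[str], None]   # performs one request, result discarded
Clock = Callable[[], float]     # returns seconds on a monotonic clock


def http_get(url: str, timeout: float = 10.0) -> None:
    """Real fetcher: one GET request; the body is read so transfer time counts."""
    with urlopen(url, timeout=timeout) as resp:
        resp.read()


def time_page(url: str, fetch: Fetch, samples: int = 5,
              clock: Clock = time.perf_counter) -> List[float]:
    """Time `samples` sequential requests to `url`; return elapsed seconds."""
    timings = []
    for _ in range(samples):
        start = clock()
        fetch(url)
        timings.append(clock() - start)
    return timings


def rank_pages(urls: List[str], fetch: Fetch = http_get, samples: int = 5,
               clock: Clock = time.perf_counter) -> List[Tuple[str, float]]:
    """Median response time per page, slowest first.

    The median is used rather than the mean so that a single network hiccup
    does not promote a cheap page to the top of the list.
    """
    medians = {url: statistics.median(time_page(url, fetch, samples, clock))
               for url in urls}
    return sorted(medians.items(), key=lambda item: item[1], reverse=True)


def flag_expensive(ranked: List[Tuple[str, float]],
                   factor: float = 3.0) -> List[str]:
    """Pages whose median exceeds `factor` times the site-wide median.

    These are the pages where one request costs the server the most, so they
    deserve rate limiting, caching or a protective module first.
    """
    site_median = statistics.median(t for _, t in ranked)
    return [url for url, t in ranked if t > factor * site_median]


def simulated_site(latencies: Dict[str, float]) -> Tuple[Fetch, Clock]:
    """Offline stand-in: a fetch/clock pair driven by constructed latencies."""
    now = [0.0]

    def fetch(url: str) -> None:
        now[0] += latencies[url]      # a "request" advances the fake clock

    def clock() -> float:
        return now[0]

    return fetch, clock


# Constructed latencies (seconds) for a hypothetical site; not measured data.
CONSTRUCTED_LATENCIES = {
    "/": 0.04,
    "/static/logo.png": 0.01,
    "/login": 0.06,
    "/search?q=": 1.2,
    "/report/export": 0.9,
}

if __name__ == "__main__":
    fetch, clock = simulated_site(CONSTRUCTED_LATENCIES)
    ranked = rank_pages(list(CONSTRUCTED_LATENCIES), fetch, samples=3, clock=clock)
    for url, median in ranked:
        print(f"{median:8.3f}s  {url}")
    print("protect first:", flag_expensive(ranked))
    # Against a site you own, pass real URLs and keep the default http_get, e.g.
    # rank_pages(["https://example.test/", "https://example.test/search?q="])
```

Run it against your own site with a small number of samples and sequential requests: the point is to rank pages relative to each other, not to generate load, and the median keeps a single slow sample from distorting the ranking.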
Taking the BDSM out of PCI-DSS through open-source solutions (video, slides)
Presented by: Erin Jacobs and Zack Fasel (UrbaneSecurity.com)
The speakers shared their experience of PCI-DSS certification, and explained in particular how open source tools can help achieve compliance. First, the speakers insisted on the difficulty of interpreting the PCI-DSS requirements: they are often ambiguous, and the most common response of PCI experts when asked about the meaning of a given requirement is: "It depends on the context!".
Of the 12 PCI-DSS requirement areas, 6 are difficult to achieve:
- Logging (PCI-10 area): this is the area that causes the most problems when implementing PCI-DSS. The speakers recommended the tools fluentd (for log storage) and OSSEC (for integrity checking).
- Patch management (PCI-6 area): the speakers agree about the difficulty, but do not provide concrete solutions to it.
- Two-factor authentication (PCI-8 area): several solutions are presented: certificate-based authentication (VPN, jumpbox), authentication via SMS, OAuth and YubiKey.
- Antivirus (PCI-5 area): the issue here is that according to PCI-DSS, an antivirus must be installed on all systems. As there is no requirement on the antivirus technology used, this can be satisfied on exotic systems by implementing an "application whitelisting" system which prohibits the execution of unknown code on these systems.
- Pen testing (PCI-11 area): PCI-DSS requires that external vulnerability scans are performed by accredited vulnerability scan providers. It is consequently not possible to do it yourself using open-source solutions.
- Policy (PCI-12 area): no specific comments were made about this topic.
CobraDroid (video, slides)
Presented by: Jake Valletta (Mandiant)
Several tools already exist to analyze Android applications, but most of them rely on static analysis. For his part, the speaker has built a dynamic analysis tool called CobraDroid. The overall principle is to create, on a PC, a runtime environment in which the Android applications are run. This environment is a modified version of the Android kernel. The talk presented the main features of this environment:
- Memory dump thanks to a customized version of LiME,
- SSL communication interception,
- Configurable API interception (hooking).
The project is currently built on an old version of Android (version 2.3), but the speaker is now considering developing a new version based on Android 4.0.
Realtime analysis and visualization of Internet status: from malware to compromised machines (video, slides)
Presented by: Tiago Balgan Henriques, Tiago Martins, João Gouveia (PtCoreSec.eu and AnubisNetworks.com)
AnubisNetworks first presented its main product, called "StreamForce". It is a front end to query and visualize, in real time, data collected by AnubisNetworks on the Internet (an example of such data is the list of computers infected by botnets). StreamForce has been designed to process very large data sets (for example, the 6000 events per second generated by the "Cyberfeed") and relies for that on technologies such as Node.js (to build fast communicating web applications) or MongoDB and Redis (to build bulk data repositories on NoSQL technology). AnubisNetworks also presented an impressive 3D visualization tool that shows an animated globe with all detected infections.
PtCoreSec presented a distributed architecture in which the task to be handled (for example, scanning the whole Internet address space) is divided between multiple autonomous actors which they call Minions. As a demonstrator, Minions were built on Raspberry Pi micro-servers to perform port scanning.
Note: Scanning the whole Internet, with distributed scanners (such as Minions) or with ultra-fast scanners (such as zmap or masscan), indeed seems to be becoming a regular activity…
For more information:
- Presentation materials:
http://files.brucon.org/2013/
- Public reports published:
http://www.cupfighter.net/index.php/2013/09/brucon/
https://www.attackdebris.com/?p=117