Like any other HackerCon there are good and bad things, so I will jump right into the interesting stuff. The start of the conference was a little slow taking less of an attacker security approach, which I prefer. In any event around midafternoon was a talk called “Wipe the Drive!!! Techniques for Malware Persistence”. Mark Baggett and Jake Williams discussed some amazing techniques used by attackers. I mean things that even memory forensics don’t catch. They were discussing persistence tactics like:
- You remove malware and later your computer scans for a wireless access point as a part of normal activity and that scan releases the malware again.
- Your remove malware and later you plug in a standard clean USB key. At this point the trigger of the key being plugged in releases the malware and infects the system.
Again their entire suggestion on the talk was to suggest wiping the drive is again the only safe way to possibly remove malware and to think otherwise might be foolish.
Day 2 and More
On the second day I ended up attending a few different sessions. There was a talk on running a CTF that went through some of the tactics but mostly explained the amount of time it takes to setup and run a CTF. Several of the other talks I went to were less than technical in my opinion and I felt everything could be Googled in about the same time I was in the presentation. There was one exception, Carson Zimmerman packed the room (seriously no sitting space) with his talk on “Ten Strategies of World Class Computer Security Incident Response Team”. I came in late, but what I saw was good.
Other activities at the Con were always entertaining. The Lockpick village always provides a good time filler in-between sessions. I enjoyed spending some time handing out a few Hacker&Agent card decks to kids. Also, there was plenty of hacker and security speak in the evenings at the hotel bar. Otherwise if you like games there were some contests on the Xbox or I would suggest testing your skills by taking a stab at Shmooganography. If you get a chance and get into the 2014 conference its worth at least taking a look. Below is a preview of the 2013 contest.
Again overall a good Con, but I think some of the talks need to be more technical and in-depth next year.
Hands down Day 1 of Recon the Magic Bus by Travis Goodspeed and Sergey Bratus took the show. Great informational and entertaining presentation! I encourage anyone to check out the hardware Travis has developed and his papers if you are into understanding key security issues with the Bus.
Next I found the presentation by Rolf Rolles some of the best work I’ve seen in this field. The presentation was focused on Syntax and Semantic based methods for reverse engineering.
Under the Syntax based methods Rolf talked about looking for patterns that can help identify signatures such as packers, FLlRT, etc. It seems like this could be a good idea for an offshoot tool. However, it important to note that he said an attacker could possibly avert these patterns when a reverser is using Syntactic methods by recompiling or doing complex obfuscation. Guess this is another reason we should all be doing obfuscation in the commercial world.
For this discussion Rolf described scenarios for an automated key generator, automated bug discovery, etc. Most of the talk was explaining the mathematics behind the analysis which overall appear to very basic in nature. However the way Rolf has applied the math in the analysis is quiet interesting and very intelligent.
Without going into too much detail he simply replaced concrete semantics (i.e. x,y) with abstract semantics (i.e. +(positive), – (negative)). Then using truth tables on Bits (standard bit analysis either 0 or 1) (unknown bit analysis using 0,1, ½; ½ represents unknown) he is able to map out patterns.
In general the rest of the day was filled with other speakers who were interesting but just didn’t seem to catch my full attention. With that said Tarjei Mandt did a good job explaining atoms and string based attacks.
All and all a pretty good first day especially since Montreal had a music festival running with Dissonant Nation, which made a great evening of entertainment.
On strategic risk assessments not testing the anti-virus signatures before being deployed should be considered a vulnerability. Many of my customers believe this is ridiculous and not practical, however I report it anyway. Whatever the case, the organization has the decision to accept the risk, as I am only there to point it out. There is a great example published where a routine update caused serious problems forcing customers to have to re-install the operating system.
So you decide. Should Anti-virus software be tested before deployment.
Malware is everywhere and becoming one of the most common security threats in the industry. The link below provides some insight into the seriousness of this issue.
There really is not a great solution for this problem at this time, but how can a company that serves adds mitigate the risk. There are several ways.
Ensure all ads that are uploaded are hashed in some way to ensure the add being delivered is the add uploaded by the client.
Use file monitoring tools like tripwire on image servers to help ensure that adds are not modified. This will also help provide proof if there is an actual attack on the add server.
Scan adds with anti-virus software. Although this will not catch everything it will catch some of the files.
Scan adds for known malware URL’s to prevent phishing type attacks. (This is like a signature based solution and takes a great deal of maintenance to keep up with the attackers)
Hope someone comes up with a good solution that can regularly scan all the adds for malware.
The above will help limit the liability of the ad company serving adds and has some preventive measures that can be implemented to protect both the add companies brand and their customers who may be uploading malware adds without knowing it.