yojimbo

Thoughts that should have a longer lifetime than my Mastodon posts ...

CHCon SARAH WALKER – IAM CONFUSED: A DEEP DIVE INTO PERMISSIONS, https://2019.chcon.nz/talks/sarah/

One of the hardest things to understand in the world of cloud computing has to be AWS’ IAM – what is a role? what is a policy? how do I keep my engineers away from production systems? how do permission boundaries even work?? The aim of this talk is to try and give some practical examples to help security teams understand what's going on, and how to use this to keep their infrastructure running smoothly and safely.

  • Groot and the Guardians of the Galaxy (too many short animation loops on the slides though)
    • Allow all the Avengers to use their stuff sometimes
    • But not Spiderman, because Sony ...
  • AWS documentation is sometimes incomplete and wrong
  • AWS 'managed policies', ditto
  • Third party tools: Netflix Aardvark, Salesforce Policy Sentry
  • Principals can have permissions to take action on Resources
  • Resources can also have permissions to grant actions to Principals
  • Any explicit Deny trumps all other permissions
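A small policy-evaluation simulator for the last three points, added here as my own example (not code from the talk or from AWS): identity policies and a bucket policy are combined, an explicit Deny anywhere wins, an Allow from either side is enough within one account, and anything else is implicitly denied. It assumes no Condition elements, permission boundaries, SCPs or NotAction, and uses short principal names rather than ARNs.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(stmt, principal, action, resource):
    """Does this statement cover the request? IAM patterns use * and ? wildcards.
    Principal appears only in resource policies; identity policies imply the caller."""
    principals = _as_list(stmt.get("Principal", "*"))
    return (("*" in principals or principal in principals)
            and any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))))

def evaluate(principal, action, resource, identity_policies, resource_policy=None):
    """Simplified same-account evaluation (no Condition, boundaries, SCPs or NotAction):
    an explicit Deny in any matching statement wins, then any Allow from either the
    identity policies or the resource policy, otherwise the request is implicitly denied."""
    policies = list(identity_policies) + ([resource_policy] if resource_policy else [])
    matching = [s for p in policies for s in _as_list(p["Statement"])
                if _matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "explicit deny"
    if any(s["Effect"] == "Allow" for s in matching):
        return "allow"
    return "implicit deny"

# Constructed sample policies (not from the talk); principals are short names rather
# than full ARNs to keep the example readable.
AVENGERS_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::avengers-stuff", "arn:aws:s3:::avengers-stuff/*"]}]}

STUFF_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    # a resource policy can grant on its own within the account ...
    {"Effect": "Allow", "Principal": "nick-fury", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::avengers-stuff"},
    # ... and its explicit Deny beats the Allow the group policy gives Spiderman
    {"Effect": "Deny", "Principal": "spiderman", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::avengers-stuff", "arn:aws:s3:::avengers-stuff/*"]}]}

BUCKET = "arn:aws:s3:::avengers-stuff"
OBJ = BUCKET + "/shield-schematics.pdf"
IDENTITY = {"ironman": [AVENGERS_GROUP_POLICY], "spiderman": [AVENGERS_GROUP_POLICY],
            "nick-fury": []}   # Fury has no identity policy at all
for who, act, res in [("ironman", "s3:GetObject", OBJ), ("spiderman", "s3:GetObject", OBJ),
                      ("nick-fury", "s3:ListBucket", BUCKET), ("ironman", "s3:PutObject", OBJ)]:
    print(f"{who:10} {act:14} -> {evaluate(who, act, res, IDENTITY[who], STUFF_BUCKET_POLICY)}")
```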

CHCon TOM ISAACSON – WHAT'S NEW IN WIFI, https://2019.chcon.nz/talks/tom/

The new Wifi 6 and WPA3 standards were released last year but what do they actually include, when might we see them introduced and are they as secure as they purport to be?

  • WPA3 and WiFi6 ...
  • Must admit to glazing over a little. Not sure we can trust any network any more.

CHCon ANTIC0DE & LOKIFER – TEACHING AN OLD DOG NEW TRICKS, https://2019.chcon.nz/talks/antic0de-lokifer/

lokifer and antic0de will go over a handful of bugs Insomnia Security has uncovered over the last few years which are interesting, and a bit more in depth than the common OWASP Top 10 examples. This will include code extracts, explanations, and demos of effectiveness.

  • An un-streamed talk, so perhaps I shouldn't say much about it either.
  • BUT – a live demo on the local conference LAN was disrupted because someone in the audience hit the setup URL before the attack payload demo could do so ...

CHCon JOSH BRODIE – SECURITY/ENGINEERING: AN INTRODUCTION TO INDUSTRIAL CONTROL SYSTEMS, https://2019.chcon.nz/talks/josh/

It seems that the cyberapocalypse is upon us. The news media are reporting that nation-states are all up in each other’s power grids. That’s right, Russia are not content with owning the entire US political system and have continued their streak by shelling other untrustworthy, vintage things that we wish we didn’t rely upon for safety. Battlefields are being prepared, with malware taking up residence in operational technology environments, reconnoitring industrial control systems. Well, if they’re going to be our doom, we should at least know what they are: Could it potentially be dangerous to let Windows XP boxes control robot arms with welding torches attached? Is SCADA pronounced SKAH-DAH or SKAY-DAH? Is a data historian a person who works with antique computers? How does securing and attacking operational technology differ from the same in a corporate network? This talk will answer all these questions and one or two more.

  • Talking about how ICS systems (e.g. Christchurch water system) are actually set up and operated
  • Compares to an actual incident from the US which could have been much worse than it was
  • Involves a lot of infosec trust
  • Because other factors are more important in the physical world

CHCon ADEL KARIMI – SEEING THE INVISIBLE: FINDING FINGERPRINTS ON ENCRYPTED TRAFFIC, https://2019.chcon.nz/talks/adel/

Encryption is a warm snuggly invisibility blanket both for us and for attackers. So how can we tell if encrypted network traffic is malicious? This talk will explore techniques you can use to fingerprint encrypted network traffic including RDP, SSH and SSL/TLS, and how to use these techniques to hunt for badness! Network metadata and fingerprints can also be used to profile and cluster internet-wide scans! I will share some of the interesting activities observed by my honeypots, and show you how TLS fingerprinting and visualization helped me discover a new evasion technique!

  • Relying on the unencrypted setup of most protocols
  • Fingerprinting the most variant fields (JA3, HASSH, etc.)
  • Graphing IP-to-Fingerprint reveals deviant behaviours
  • There is still a role for network-based detection in the face of encryption
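JA3 works on exactly the unencrypted setup above: it takes the ClientHello fields that vary most between client implementations (version, cipher suites, extensions, supported groups, EC point formats), joins them into a string and MD5s it. The following is my own minimal reimplementation as an added example, not the Salesforce JA3 tool or anything from the talk, run over a ClientHello constructed inside the block; it assumes one unfragmented TLS record and drops GREASE values the way JA3 does.

```python
import hashlib
import struct

GREASE = {(0x0a + 0x10 * i) * 0x101 for i in range(16)}   # RFC 8701 GREASE values, random per connection

def _u16s(data):
    return list(struct.unpack(f">{len(data) // 2}H", data))   # big-endian 16-bit ints

def ja3(record):
    """JA3 string and MD5 for one TLS record holding an unfragmented ClientHello."""
    hs = record[5:]                            # skip the 5-byte TLS record header
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4                                    # handshake type (1) + length (3)
    version = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2 + 32                              # version, then 32-byte client random
    pos += 1 + hs[pos]                         # session id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    ciphers = [c for c in _u16s(hs[pos + 2:pos + 2 + cs_len]) if c not in GREASE]
    pos += 2 + cs_len
    pos += 1 + hs[pos]                         # compression methods
    end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    exts, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        edata = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:                    # GREASE extensions are dropped too
            continue
        exts.append(etype)
        if etype == 10:                        # supported_groups: 2-byte length, 2-byte ids
            groups = [g for g in _u16s(edata[2:]) if g not in GREASE]
        elif etype == 11:                      # ec_point_formats: 1-byte length, 1-byte ids
            formats = list(edata[1:])
    text = ",".join([str(version)] + ["-".join(map(str, xs)) for xs in (ciphers, exts, groups, formats)])
    return text, hashlib.md5(text.encode()).hexdigest()

# Constructed ClientHello (not captured traffic): TLS 1.2, a GREASE cipher and a GREASE
# extension that must be ignored, then server_name, supported_groups, ec_point_formats, EMS.
_ciphers = struct.pack(">4H", 0x1a1a, 0x1301, 0x1302, 0xc02b)
_exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in [
    (0x2a2a, b""), (0, b"\x00\x0c\x00\x00\x09localhost"),
    (10, b"\x00\x06" + struct.pack(">3H", 0x3a3a, 0x001d, 0x0017)),
    (11, b"\x01\x00"), (23, b"")])
_body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", len(_ciphers)) + _ciphers
         + b"\x01\x00" + struct.pack(">H", len(_exts)) + _exts)
_hs = b"\x01" + len(_body).to_bytes(3, "big") + _body
SAMPLE = b"\x16\x03\x01" + struct.pack(">H", len(_hs)) + _hs
```

Because the server name is not part of the fingerprint and GREASE values are stripped, the same client produces the same JA3 across destinations and connections, which is what makes the IP-to-fingerprint graphing useful.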

CHCon JED LAUNDRY – PUTTING THE ARR BACK INTO RBAC, https://2019.chcon.nz/talks/jed/

Are there more than 50 people in your organisation? So, you don’t know everyone’s life story and current employment agreement by heart? Uh-oh, that probably means there are accounts in your systems that should’ve been removed a long time ago, and the accounts that should be there probably have permissions that they shouldn’t. Wouldn’t it be great if you could do The Great Account Audit more often than annually, by breaking up the work into manageable pieces and using “Logic” and “Rules” instead of “yeah nah, looks good!”? In this talk, Jed will take you through how to make credential lifecycle management a real part of your organisation, and demo the system he’s developed to make it easy for organisations to stay on top of it. Note: this presentation does not require Microsoft E11 licences.

  • Actual access control checking is important
  • Never run business processes from a spreadsheet :-)
  • A Drupal app might be a better choice ...
  • Security might run them, but (line manager + service owner) are needed to do the actual approval

CHCon PETER JAKOWETZ – DELETED MEMORIES, https://2019.chcon.nz/talks/peter/

How far gone are your hard drives after a format? How far gone is your data when you sell your old phone on Trade Me? What data did I find on drives being sold at the second-hand shop? This talk will have a look at the scenarios above as well as seeing if we can meet the requirements for NZISM hard drive destruction using back yard methods.

  • There are only two GCSB-approved secure disk drive destruction facilities.
  • Physical shredding is probably best, destruction can be fun

CHCon SAM SHUTE – PUTTING A BACKDOOR IN YOUR FRONT DOOR, https://2019.chcon.nz/talks/sam/

These days everyone has a pocket full of access cards that they use to get in and out of buildings. However few people ever stop to think about how this technology they use every day works. In this talk Sam will cover the basics of how card based access control systems work, and how for the low cost of $2.50 you can get a copy of everyone’s card in a building.

  • Got a door-access card reader? We all know about cloning these cards ...
  • But only one screw opens up access to the wires going from the reader to the controller. The “Wiegand Interface” is well-documented and unencrypted.
  • Devices to tap in to this have been expensive and difficult to use, but for ~NZ$10 you can now tap in a bluetooth-enabled wire tapper and signal generator.

So my Day 1 highlights from CHCon?

'The hacker known as “Alex”' has an excellent presentation style, very accessible to a wide audience. Good fun and technically informative, although TBH it was a very limited attack ...

Matthew Ruffell – one of the few people I've seen who can throw up a function call graph from IDA and tell you honestly that you can understand it, because all you need to do is find out where this call came from, not what it's doing ... and then throws in how to 'break' symmetric encryption and all sorts of other things as an aside ... and it all makes sense to pretty much everyone in the audience ...

Pete Nicholls, not just because I've known him for years, but also because he's talking about the same thing I'm finding on my plate right now at $dayjob. We might not always agree about how we're going to address our respective situations, but it'll be a thoughtful disagreement!

CHCon JEREMY STOTT – THE ACCESS KEYS TO MORIA, https://2019.chcon.nz/talks/jeremy/

So you’re half way through your first hack-a-thon, and are firing up your very first server in the… cloud. Pretty neat stuff! That to-do list is coming along nicely. When you created those… AWS Access Keys… did policies sound boring, and full-access sound way more fun? Did you save them in a file on your Desktop? Are you wondering exactly how many minutes it takes for an access key uploaded to Github to be exploited? Well I have a solution for you. I’ve made a thing. It makes creating temporary access keys easy, stores them properly, but still lets you use them! If it’s your very first project, or you are in a team of 100, you no longer need to throw money down the bitcoin Mines of Moria. batteries-not-included-no-money-back-guarantee-mileage-may-vary

  • If AWS see 'bad' behaviour they will suspend all the activity of a key, which might be your entire production infrastructure ...
  • Don't put keys into your images, even test/dev ones
  • Learn IAM roles instead (see Sarah Walker, later)
  • Use Auth0 perhaps?
  • https://github.com/gogh/awsgogh
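A defensive check for the "keys in a file on your Desktop / baked into an image" problem: an added example of my own (not the awsgogh tool or anything from the talk) that scans text for AWS access key IDs and a nearby secret key before it gets committed or copied into a build context. The sample file is constructed, and its values are patterned on the example credentials in AWS's own documentation rather than live keys.

```python
import re

# AWS access key IDs are 20 chars: AKIA = long-term user key, ASIA = temporary STS key.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 base64-ish chars; require a nearby "secret" hint to cut down noise.
SECRET_RE = re.compile(r"(?i)secret[^\n]{0,40}?['\"=:\s]([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

def redact(value):
    """Keep enough to recognise the hit without reproducing the credential in a report."""
    return value[:4] + "..." + value[-4:]

def scan_text(text):
    """Return (line_no, kind, redacted_value) for each suspected AWS credential in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            kind = "temporary key id (ASIA)" if m.group(1).startswith("ASIA") else "long-term key id (AKIA)"
            findings.append((n, kind, redact(m.group(1))))
        for m in SECRET_RE.finditer(line):
            findings.append((n, "secret access key", redact(m.group(1))))
    return findings

# Constructed .env as might be left on a Desktop or copied into a Docker build context.
# The values follow the example credentials in AWS's documentation, not live keys.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# what a role-derived temporary key id looks like
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE):
        print(f"line {line_no}: {kind}: {value}")
```

A long-term AKIA hit in anything destined for an image or a repository is the one to treat as a blocker; an ASIA hit expires on its own but still means a credential file went somewhere it should not.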