CHCon ADEL KARIMI – SEEING THE INVISIBLE: FINDING FINGERPRINTS ON ENCRYPTED TRAFFIC, https://2019.chcon.nz/talks/adel/
Encryption is a warm snuggly invisibility blanket both for us and for attackers. So how can we tell if encrypted network traffic is malicious?
This talk will explore techniques you can use to fingerprint encrypted network traffic including RDP, SSH and SSL/TLS, and how to use these techniques to hunt for badness!
Network metadata and fingerprints can also be used to profile and cluster internet-wide scans! I will share some of the interesting activities observed by my honeypots, and show you how TLS fingerprinting and visualization helped me discover a new evasion technique!
- Relying on the unencrypted setup of most protocols
- Fingerprinting the most variant fields (JA3, HASSH, etc.)
- Graphing IP-to-Fingerprint reveals deviant behaviours
- There is still a role for network-based detection in the face of encryption
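The JA3 idea in the bullets above relies on the unencrypted ClientHello: the version, cipher suites, extension types, supported groups and point formats are concatenated (GREASE values dropped) and hashed with MD5. The example below is added here and is not from the talk; the ClientHello bytes are constructed, with a GREASE cipher and a GREASE extension included to show that they are skipped.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from the JA3 string, as the reference implementation does
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

# Constructed TLS record carrying a ClientHello (not captured traffic)
CLIENT_HELLO = bytes.fromhex(
    "160303004d"                 # record header: handshake, TLS 1.2, length 77
    "01000049"                   # handshake: ClientHello, length 73
    "0303"                       # client_version 0x0303 -> 771
    + "00" * 32 +                # client random (zeroed for the example)
    "00"                         # session id length 0
    "0008" "1a1a" "1301" "c02b" "c02f"  # cipher suites: GREASE, then three real ones
    "0100"                       # compression methods: null only
    "0018"                       # extensions length 24
    "1a1a0000"                   # GREASE extension (dropped from the fingerprint)
    "000a00060004001d0017"       # supported_groups: x25519 (29), secp256r1 (23)
    "000b0002" "0100"            # ec_point_formats: uncompressed (0)
    "00230000"                   # session_ticket (35)
)

def ja3_from_client_hello(record: bytes) -> tuple:
    """Parse a TLS record holding a ClientHello; return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                       # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                               # handshake type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                             # client random
    pos += 1 + hs[pos]                    # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                    # compression methods
    ext_types, curves, formats = [], [], []
    if pos < len(hs):
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            body = hs[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 0x000a:           # supported_groups: 2-byte list length, then u16 ids
                n = struct.unpack("!H", body[:2])[0]
                curves = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000b:         # ec_point_formats: 1-byte list length, then u8 ids
                formats = list(body[1:1 + body[0]])
    def fmt(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    ja3 = ",".join([str(version), fmt(ciphers), fmt(ext_types), fmt(curves), fmt(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()
```

Run over a capture, the MD5 is what you cluster and graph against source IPs; a client whose JA3 does not match the User-Agent or protocol it claims is the "deviant behaviour" the bullets refer to.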
CHCon JED LAUNDRY – PUTTING THE ARR BACK INTO RBAC, https://2019.chcon.nz/talks/jed/
Are there more than 50 people in your organisation? So, you don’t know everyone’s life story and current employment agreement by heart? Uh-oh, that probably means there are accounts in your systems that should’ve been removed a long time ago, and the accounts that should be there probably have permissions that they shouldn’t. Wouldn’t it be great if you could do The Great Account Audit more often than annually, by breaking up the work into manageable pieces and using “Logic” and “Rules” instead of “yeah nah, looks good!”? In this talk, Jed will take you through how to make credential lifecycle management a real part of your organisation, and demo the system he’s developed to make it easy for organisations to stay on top of it. Note: this presentation does not require Microsoft E11 licences.
- Actual access control checking is important
- Never run business processes from a spreadsheet :–)
- A Drupal app might be a better choice ...
- Security might run them, but (line manager + service owner) are needed to do the actual approval
CHCon PETER JAKOWETZ – DELETED MEMORIES, https://2019.chcon.nz/talks/peter/
How far gone are your hard drives after a format? How far gone is your data when you sell your old phone on Trade Me? What data did I find on drives being sold at the second-hand shop? This talk will have a look at the scenarios above as well as seeing if we can meet the requirements for NZISM hard drive destruction using backyard methods.
- There are only two GCSB-approved secure disk drive destruction facilities.
- Physical shredding is probably best, destruction can be fun
CHCon SAM SHUTE – PUTTING A BACKDOOR IN YOUR FRONT DOOR, https://2019.chcon.nz/talks/sam/
These days everyone has a pocket full of access cards that they use to get in and out of buildings. However, few people ever stop to think about how this technology they use every day works.
In this talk Sam will cover the basics of how card-based access control systems work, and how for the low cost of $2.50 you can get a copy of everyone’s card in a building.
- Got a door-access card reader? We all know about cloning these cards ...
- But only one screw opens up access to the wires going from the reader to the controller. The “Wiegand Interface” is well-documented and unencrypted.
- Devices to tap into this have been expensive and difficult to use, but for ~NZ$10 you can now tap in a bluetooth-enabled wire tapper and signal generator.
So my Day 1 highlights from CHCon?
'The hacker known as “Alex”' has an excellent presentation style, very accessible to a wide audience. Good fun and technically informative, although TBH it was a very limited attack ...
Matthew Ruffell – one of the few people I've seen who can throw up a function call graph from IDA and tell you honestly that you can understand it, because all you need to do is find out where this call came from, not what it's doing ... and then throws in how to 'break' symmetric encryption and all sorts of other things as an aside ... and it all makes sense to pretty much everyone in the audience ...
Pete Nicholls, not just because I've known him for years, but also because he's talking about the same thing I'm finding on my plate right now at $dayjob. We might not always agree about how we're going to address our respective situations, but it'll be a thoughtful disagreement!
CHCon JEREMY STOTT – THE ACCESS KEYS TO MORIA, https://2019.chcon.nz/talks/jeremy/
So you’re halfway through your first hack-a-thon, and are firing up your very first server in the… cloud. Pretty neat stuff! That to-do list is coming along nicely.
When you created those… AWS Access Keys… did policies sound boring, and full-access sound way more fun? Did you save them in a file on your Desktop? Are you wondering exactly how many minutes it takes for an access key uploaded to Github to be exploited?
Well I have a solution for you. I’ve made a thing. It makes creating temporary access keys easy, stores them properly, but still lets you use them! If it’s your very first project, or you are in a team of 100, you no longer need to throw money down the bitcoin Mines of Moria.
batteries-not-included-no-money-back-guarantee-mileage-may-vary
- If AWS see 'bad' behaviour they will suspend all the activity of a key, which might be your entire production infrastructure ...
- Don't put keys into your images, even test/dev ones
- Learn IAM roles instead (see Sarah Walker, later)
- Use Auth0 perhaps?
- https://github.com/gogh/awsgogh
CHCon IZZI LITHGOW – CAUGHT BETWEEN THE DEVIL AND THE DEEP BLUE SEA: NAVIGATING SECURITY COMMUNICATIONS, https://2019.chcon.nz/talks/izzi/
When preparing for security incidents, we’re always hearing “it’s not if, it’s when” so security teams build process and technology solutions to rebuild the technical walls when the castle gets breached. But what we don’t often hear about is how we’re going to tell people what’s going on, and how the flow of information to our organisation’s staff, customers and anyone else who’s interested will be managed. We’re all just hoping it’s not our job to have to tell the CEO or the 6 o’clock news.
But there are people whose job it is to talk to other people, and by bringing those communications specialists into the world of security, we’ve got a better chance of getting out of a security incident alive. Izzi from CERT NZ is one of those communications specialists and she’ll share insights to help you navigate a security incident from a different technical perspective.
- CERT NZ will help to handle comms during an incident
- Comms plans need to have actual details in them, because a non-comms organisation won't know how to learn comms when they're busy
CHCon PETE GENT – AN A-Z OF SPECTRUM, https://2019.chcon.nz/talks/pete-gent/
Inspired by last year’s CHCon talk on Windows exploits, here’s an A-Z of spectrum for the discerning hacker.
- There are a lot of different controlled radio spectrums!
- And a lot of acronyms covering almost all of the alphabet
- Most of the time, there is space for a hacker to do some private project, but don't interfere with licensed spectrum ... you will be found ...
CHCon LOUIS NYFFENEGGER – ENTREPRENEURSHIP FOR HACKERS, https://2019.chcon.nz/talks/louis/
Since starting PentesterLab, Louis has studied and obtained first-hand experience of a range of topics related to startups and product design and has applied these lessons to security products and services. After talking with friends, he realised that many people are interested in this topic and run into many of the same roadblocks: “Where to start?”, “I don’t have an idea”, “How do I validate my idea?”, “How much do I charge customers?”, “MVwat?” … In this talk, he will answer these questions and help fellow hackers get started! The lessons he will share are used every day on the road from a simple project to a successful business.
- https://penetrationtest.com/ as the background to the story
- I skipped this to talk to Pete Nicholls instead, and it ended up winning “best talk”. So shame on me.
CHCon AAYLASECURA1138 – WHAT GIVES $7K AND 3 CVES? A WEB BROWSER, CONFUSED ABOUT ITS CROSS-ORIGIN POLICY, https://2019.chcon.nz/talks/aayla/
The Same-Origin Policy (SOP) says web browsers should prevent one site from accessing another site, unless explicitly allowed by the Cross-Origin Resource Sharing (CORS) standard. But do all browsers follow the guidelines? Spoiler alert: no.
Can’t quite wrap your head around CSRF, SOP and CORS? Or maybe you want to get into bug bounties but, like me, just don’t know where to start? Let me tell you about my research which led me to bugs in Firefox and Chrome’s SOP/CORS implementation worth three CVEs and US$7k.
- 113 browser versions, 100 tests, three wins.
- This is using the scientist's “test everything” mentality
- Plus of course an open-source 'fix' hints about what wasn't addressed at the same time ...