BSides Manchester is in its third year and they very kindly invited me back to be the MC for track 1.
I drove up to Manchester the night before. It was an uneventful trip, barring the usual average speed cameras on the M1 and the roadworks on the M6.
I’ve clocked up a fair amount of motorway miles these last couple of weeks, having been in the Scottish Highlands a week ago. During this time, I’ve discovered one of life’s biggest annoyances. Truck drivers who decide to overtake another truck when they are only going 2mph faster than the truck they are deciding to pass. This clogs up two lanes of the motorway for at least 5 miles as one truck slowly inches its way ahead of another.
Truck drivers aside, BsidesMCR is unique in being the only Bsides I attend that doesn’t coincide with another conference. This means there’s no running between venues and no looking for people at the wrong event.
Track 1 was my home for the day and I settled in by honouring the BsidesMCR tradition of taking a selfie. Unfortunately, most attendees were in track 2 so it was a largely empty room. But still, traditions are traditions and must be upheld.
But it wasn’t all about selfies; I got to meet many excellent friends and peers. I won’t even try to name everyone, but it was a pleasure to meet everyone there.
And now onto the talks. Given that I was in track 1 all day, it only makes sense that I summarise them all. Which reminds me: a great chap named Cooper drove all the way from Holland / Belgium? (somewhere in Europe) with all his recording equipment to film all the talks. At the conclusion of Bsides, he was set to drive back home, only to get packed to fly off to another conference! Sounds crazy, but totally appreciated. Look out for the talks being made available at some time in the near future on the BsidesMCR website.
Talk 1: Gavin Millard
Breaking out of the echo chamber
Gavin gave a talk on how to communicate outside of security circles, illustrating how infosec coverage is common in the media and how vulnerabilities like Heartbleed get their own logo.
Metrics were touted as the universal language that the business spoke, which, in Gavin’s experience, was something infosec was terrible at. To illustrate the point, if a marketing manager was asked how many leads they could generate with $1m, a metric-based detailed answer would likely be provided. But if a security executive was asked the same question, the answer would be unlikely to be equally articulate.
The NIST Cyber Security Framework, SANS top 20 critical controls and other standards were quoted as having good metrics that security teams could use.
“Thanks for the 300 page security report”, Nobody, Ever.
Dashboards were another area Gavin said is often weak. Sharing a mock of a good dashboard, Gavin suggested infographic tools or similar could be used to spruce up dull and difficult-to-read PowerPoint presentations.
To conclude, Gavin stated that security professionals should learn to ‘communicate like a suit’.
Talk 2: Ben Turner
21st Century War Stories
Ben is a red teamer, a charismatic speaker, and a likeable guy. His talk set up the importance of red-teaming as opposed to simple vulnerability scanning, assurance reviews, or limited-scope penetration tests.
His talk was filled with some great real-life examples, which included getting into the core banking system of a bank via an ATM in a mall in the Middle East.
Ben spent some time talking through his tools of choice, why reconnaissance up front is perhaps the most important step, and why it’s important to know what the objective is, stating that popping a shell isn’t the objective. That’s the starting point; the real objective begins after that.
In closing, Ben shared a red-team testing tool that he wrote with his colleague Dave Hardy called PoshC2. It’s maintained, free and open source, and I’ll try to carve out some time in the coming weeks to take a closer look at it.
Talk 3: Jerome Smith
From CSV to CMD to qwerty
Jerome was enlisted to do a pen test in a locked-down environment. It was so tough that he wasn’t even allowed to take in his own testing laptop. So he had to MacGyver his way into creating malicious CSV files. But Excel generates lots of notifications whenever there is embedded content within a file.
The talk chronicled his journey to crafting better payloads that will run in Excel, generating little or no warnings.
A very well-presented and engaging talk.
Talk 4: James Kettle
Hunting Asynchronous Vulnerabilities
James is perhaps the only speaker that has presented at BsidesMCR all three years, so he must know his stuff.
It was a very informative talk in which James discussed the invisible attack surface which forms the asynchronous vulnerability world. Asynchronous vulnerabilities are a bit like blind second order injection attacks, in which you get no immediate feedback. That means no error messages, no detectable time delays, and no differences in application output.
All of this makes them very difficult to discover, which, I guess, is part of the fun.
The solution to this was to issue a payload that triggers a callback out-of-band from the vulnerable application to an attacker-controlled listener. It does rely on perfectly crafting an exploit.
James also touched upon how Burp Suite has a lot of functionality built in to assist with hunting asynchronous vulnerabilities.
Mind-meltingly good stuff.
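Because these flaws give no in-band signal, the out-of-band callback is also the one thing a defender can observe. As an added example (not from James's talk and not Burp Suite code), the Python below correlates hostnames that arrive in request data with later DNS lookups made by back-end hosts; the log formats, host names and 24-hour window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample logs (assumed formats, not real data).
# Web:  timestamp client-ip method path request-data
# DNS:  timestamp internal-host queried-name
WEB_LOG = [
    "2016-08-18T10:00:01 203.0.113.7 POST /feedback comment=see+http://a1b2c3.oob.example/x",
    "2016-08-18T10:00:05 198.51.100.4 GET /search q=holiday+photos",
    "2016-08-18T10:02:10 203.0.113.9 POST /profile bio=visit+www.partner.example",
]
DNS_LOG = [
    "2016-08-18T10:00:02 web01 updates.vendor.example",
    "2016-08-18T13:45:30 batch02 a1b2c3.oob.example",  # hours later, different host
    "2016-08-18T13:46:00 batch02 db.internal.example",
]

HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def seen_in_requests(web_log):
    """Map each hostname found in request data to the first request carrying it."""
    seen = {}
    for line in web_log:
        ts, src, _method, path, data = line.split(" ", 4)
        for name in HOSTNAME.findall(unquote_plus(data)):
            seen.setdefault(name.lower(), (datetime.fromisoformat(ts), src, path))
    return seen

def correlate(web_log, dns_log, window=timedelta(hours=24)):
    """Flag back-end DNS lookups of names that first arrived as user input."""
    seen = seen_in_requests(web_log)
    findings = []
    for line in dns_log:
        ts, host, qname = line.split()
        hit = seen.get(qname.lower())
        if hit is None:
            continue
        delay = datetime.fromisoformat(ts) - hit[0]
        # Asynchronous processing means the lookup may trail the request by hours.
        if timedelta(0) <= delay <= window:
            findings.append({"name": qname, "resolver": host, "src": hit[1],
                             "path": hit[2], "delay": delay})
    return findings

if __name__ == "__main__":
    for f in correlate(WEB_LOG, DNS_LOG):
        print(f)
```

The single finding points at the `/feedback` input being processed by `batch02` almost four hours after submission, which is why a short correlation window would miss it.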
Talk 5: Andy Davis & David Clare
Vehicle cyber security & innovation
You didn’t need to be into vehicle security to appreciate this talk by Andy and David. Some proper worrying stuff divulged. Simply looking at the massive attack surface connected road vehicles have is enough to give someone a big case of “nope” and moonwalk right out of there.
The pair talked through their assessment methodology including vmap, which is kind of like nmap, but for vehicles. They showed some videos during their presentation of exploits in action, such as killing the ignition or locking up the steering wheel of a moving car.
Other attack avenues that the duo explored were related to the ECU, USB, video protocols, media protocols, mifi, rear seat entertainment, tyre pressure monitoring system, remote keyless entry, DAB, and GPS.
The talk concluded with some tips as to what needs to be done. These were:
Greater awareness for manufacturers and developers
Embedding of cyber security standards into vehicle manufacturing