On 24th November 10am GMT + 8, Nanosec launched their 2020 conference online via zoom that spanned over 3 days with a practical workshop at the end to increase awareness on security. I wish the event could’ve been at night or on weekends as things did not go well with my job (not to mention not having a working display/laptop to use at home at the moment). Just because its lockdown, IT staff typically have to be on site. The turn out was pretty low (mainly due to timing and malaysian work culture preventing staff from attending this online without consequences they cant bear). The event started with technical difficulties at first but a lot of the talk was pretty good with speakers from around the world including issues in security and ethics as well.
I would like to apologise beforehand for not being able to make a much better summary of each speech due to job/work/work culture constraints. I understand the topics really well in depth but wish i had more time to write and properly view the speeches and even participate as well.
Reference link: https://nanosec.asia/nsc2020/
Schedule
Below are the summaries of each speech/presentation.
Day 1:
Who stole my 100,000 Dollars’ Worth Bitcoin Wallets – catch them all with new deceptive bait by Kean Siong Tan – honeypot security researcher
What happens to files after they get on the internet within 90 days? Scanning the internet to find bitcoin wallets on webservers, scanning of specific files from webservers, including directory listings from public servers to find the files we want. How secure is your webserver? Personally i would not store wallets on a public server.
Based on search patterns you can find out about the attacker by creating a bait that will get scanned or accessed and introducing honeybag to create the bait with a way to monitor access to the file, including a shortcut web link to make the attacker browse the link and alert.
Customise your baits and be patient. Within seconds the bait was taken, and with surprising results!
https://github.com/honeybag
REvisiting Software Security – State the Art – Jaan Yeh & Nafiez (Independent security researchers)
Memory corruption exploitation used to be easy for decades. past mitigations not powerful enough to prevent exploitation. Not all manufecturers add a CVE code to their bugs or vulnerabilities.
Quite a few vulnerability mitigations that are being used, comparing different vulnerabilities before and now such as stack overflow, being able to bypass mitigations for existing popular applications such as discord. Compilers also matter too. Exploiting vulnerabilities can be done in a chain to link info, with some vulnerabilities in by design
Modern exploitation is a lot harder. Multiple vulnerabilities need to be chained. Cost of exploit development will grow (hardware and money). Getting issues fixed with vendors can be difficult since its hard to convince it is an exploit or politics from vendors can be a problem. Disclosing vulnerabilities are a team effort and require the proper info, and steps taken of when to disclose or not.
Malaysia is home to a lot of anti virus and other security products.
When a vendor tries to sue your team, that means they have no effort to secure their products. Without a MD status no one would care about you in Malaysia. Some authorities like NACSA can force vendors to fix vulnerabilities.
StreamCrime: Leveraging modern apps platform for old crimes by Randi Mulki (Short presentation)
Stream crime – live streaming. Live streaming platforms now have currency to purchase features on the platform. Lots of money poured into this everyday. On the dark side of this, it can be used for various crime from money laundering, to scams,drug dealers, gambling and so on. These sorts of virtual currencies involving streaming are abused for nefarious purposes, no limit for topup, transfer allowed and unofficial currency resellers (virtual currency being sold by 3rd party who buys from others and sells cheaply to others). Lots of new apps use this to launder money.
Chinese Police and CloudPets by Abraham Aranguren
(What happens if security is outlawed)
cloudpets is a cloud based plush for kids with mobile apps for it that allow for remote communications allowing parents far from home to communicate with their codes via their app and soft toy. The toys use bluetooth low energy, have a microphone and a speaker. They use amazon S3.
Some of the main problems exposed is that the database didnt have auth and indexed by shodan, with almost a million user records exist with denial from company. Important data was exposed even email addresses, password hashes, link to recordings. The company was alerted many times beforehand. Worse still, the toy bluetooth also used no authentication, allowing connection to the database or even to the toy from any phone easily. No encryption was used for the traffic in relation to the toy from firmware to traffic. This also allowed the toy to be used to spy on others through the microphone.
Even after fixing many of the vulnerabilities still not fixed, such as the for sale domain used for the help page. In the end toy got pulled from stores and company got bankrupt since it was used to spy on users by some while no actual effort was placed into improving security.
IJOP and BXAG – chinese police apps for getting data
(these apps install then uninstall themselves)
Used to evaluate threat level of foreigners and minority populations. Integrated Joint Operation Platform (IJOP) is a policing porgram based on big data analysis. Tracks every data possible on an individual including their opinions, and any online activities and sends alerts and suggestions to the authorities for anything out of the ordinary or ordinary of the target. Every information is used even location via wifi.
Oddly set up at UTS in australia for development. the app was reversed engineered to find the source code by decompiling the apk (thankfully java binary can be decompiled) . One of the issues with the ethics of this is how they define something abnormal (such as electricity use from one day to another) to create procedure to send a police officer where they can also request additional investigations. The more important question is, does the pattern of electricity consumption monitoring stop terrorist attacks?
Day 2:
Qiling Framework: Instrumenting the Uninstrumentable – KaiJern Lau (Lab director, JD Security)
(Lots of code and demo, but sadly was not able to view the stream, only listen)
Virtual Machines especially QEMU have limitations, especially for hardware emulations. Introducing the Qilling framework. Instrumentation is important and can emulate any CPU architecture, useful for debugging and testing of software if it has malware safely emulating hardware and configs based on localisation and comparing different frameworks for user emulation.
Instrumentation at every level allows for better debugging, runtime changes quickly and easily. Much more control over the fuzzing process in the middle instead of starting again.
I CAN Fuzz my Junks for less than 50 dollars – Jay Turla (Manager, Security Operations (PH) At Bugcrowd Inc)
(hacking cars)
Introducing The car hacker’s handbook by Craig Smith
Cars have a lot of computer hardware (ECUs) accessable via CAN, OBD-2, OBD. Requires physical access for most cars. Hacking cars may start cheap but not all hacks are cheap, with some being expensive and some cheap and various attacks can be carried out. Airplanes and Motorcycles have CAN too to reduce the amount of wiring needed. Lots of tools (both hardware and software) available to help get into car research and hacking.
CAN has a protocol and can be easily access through terminal via linux. (check presentation/video for demo).
Hardware list needed:
– ubuntu/kali box
– instrument cluster speedometer (peugeot 207)
– starter pack (determine the pins of the cluster)
– nano-can PCB by mintynet
– arduino nano + MCP2515
– port to wire
Who owns your servers: scavengers of cybercrime Examining “Living off the land” malicious infrastructure by Fyodor Yarochkin & Vladimir Kropotov (threat researchers from TrendMicro)
(Who owns your servers?)
So who owns your servers? Access to large corporation networks/data sold on the net. This also includes access to web cameras. Are credentials shared? Compromised servers turned into hosts for others sold through underground networks mostly for other criminal activities from spam, malware, data acquisiton and assets of the victim corporation,…. These assets/services are very profitable that can be sold for huge sums of money and can be repeated. This attack is visible to server owners, but a lot of damage can be done before the incident response team finally realises and fixes the problem.
Plenty of ways to compromise servers, from vulnerabilities, to compromised credentials, even phishing, brute forcing, sessions and more. Access is then monetised. Old vulnerabilities, ryuk, Active Domains and more can provide admin access as well.
Introducing Bullet, an open sourced tool which requires configuration provided by user.
Prepare better, save time in incidents as response time is crucial.
Review incidents and monitor
Use cloud monitoring tools to analyze behaviour of your cloud components.
Ensure your data is protected using the frameworks provided by your cloud platform.
Lowering of prices of compromised servers increases intensity of attacks
EW & SIGINT: Swiss Army Knife of Modern Combat by Harshit Agrawal & Himanshu Mehta (RF Security Researcher)
(A good speech about military and intelligence operations in relation to cyber security and some history about electronic warfare and the need to cybersecurity and curing insomnia, sadly i was missing too much to my job to make notes)
Changes in the Cyber Security Industry by Saumil Shah SK Chong & Fyodor Yarochkin (TrendMicro)
The more things change, the more things stay the same in the overall game of security.
Lots of tools exist to exploit different things. Blackhat is currently more rewarding (hard to get caught, pays more, etc). Tools for fixing problems on the legit side have too long ROI. Phishing catches a lot and a lot easier than trying to find a way to bypass system security.
Modern tools are better at monitoring and making use of expertise. A lot of attacks target the user, the human factor bypassing technical factors. A lot of effort has been done in software hardening but not user harderning. Follow the money. Lots of big data, AI and processing for profitable things first such as deep fakes, faking others while looking convincing such as voice, faces, etc usually in the wrong fields first before it gets to the right fields due to investment needed. Current path of AI makes social engineering easier. AI is used as buzzword everywhere even in places that dont use AI. Ai is actually bad at big data after looking through a lot of existing solutions for data crunching.
Biggest fear in industry is ransomware, is a very profitable business and hard to track the attackers, The victims are also scammed too. Data decryption isnt just hostaged, but the data itself is threatened to be public as well to maximise profits on the data. Even if paid the data can still be made public.
Its all about the data. The simple solution would be to use non local storage like git, backups, centralised servers can mitigate most ransomware problems. Its not just about recovering your data, but it should also not get to public hands in the first place.
(my personal opinion, dont trust the criminals at their word, they can still sell your data even after you pay). Getting hit by ransomware lowers public perception/reputation of you as an organisation. Regulations and fines can help reduce the problem to ensure that data especially customer data are protected.