Securi-Tay IV, a field trip

7 Elements are pleased to share our experiences of the fourth annual Securi-Tay security conference at Abertay University. With a graduate and a senior tester attending, we split up so that between us we could hear as many talks as possible. Below is an overview of a subset of the great talks we heard, in no particular order.

Gavin Millard, Tenable Network Security: The Five Stages of Security Grief

The first talk was by Gavin Millard, EMEA Technical Director of Tenable Network Security. Gavin spoke about the five stages of security grief and how to work out which stage different people are at as they identify information security issues and decide how the identified problems should be dealt with. Gavin drew on the Kübler-Ross model of grief (Elisabeth Kübler-Ross, 1969), showing how it applies to the grief and anxiety of not knowing what actions to take to protect an organisation from pernicious threat actors. The talk focused on elements of the human condition and the coping mechanisms often employed before an organisation moves through the five stages of security grief, and went on to outline how security consultants can help organisations progress through to the final stage, acceptance.

Dr Greg Fragkos, Virtual terminals and POS security; How I had a chance to become a billionaire.

In this talk Dr Fragkos highlighted the inherent security flaws of point-of-sale (POS) devices and virtual terminals, which persist despite these devices processing transactions with strong encryption over secure communication channels to remote authorisation servers. The talk focused on how easily fraud can be committed, for instance by using a card to make a seemingly legitimate purchase without the transaction ever leaving the local payment device.

Dr Fragkos also provided some helpful advice for consumers: any item containing RFID technology should be kept in an RFID-blocking container.

Read more about measures against RFID skimming: http://en.wikipedia.org/wiki/RFID_skimming

Freaky Clown, Portcullis Computer Security: Robbing Banks and other fun tales

This talk highlighted the lack of a culture of challenge in the office workplaces of organisations. It covered many of the techniques a social engineer uses to prepare for a test, such as drawing on publicly available resources like “Google Maps” to investigate and pinpoint the consequences of flawed security implementations, or of the absence of physical security measures meant to control digital and physical access to restricted areas within a business. This included images of incorrectly installed magnetic locks on doors, the spoofing of heat-based movement sensors, and a methodology for bypassing the measures meant to enforce controlled access at receptions.

7 Elements have also witnessed a lack of challenge culture and flawed implementations of corporate access control mechanisms. Often the security deficit stems from problems with the technology in use: instead of fixing the problems with the automated access control mechanism, the technology is sometimes simply deactivated or only partially implemented, so that business efficiency goals are met first.

Graham Sunderland, Portcullis Computer Security: We don’t take kindly to your types around here!

This talk discussed and demonstrated relatively unknown pitfalls that may inadvertently be introduced into code. The problem stems from the lack of focus on security considerations when coding in object-oriented programming languages such as C++ and PHP. The focus of the talk was the serialisation and deserialisation of objects, and several vulnerabilities arising from common development patterns were demonstrated.
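As an added illustration of the PHP deserialisation pitfall described above (example code written for this write-up, not from the talk or from Portcullis): a class whose magic method performs a privileged action, the vulnerable sink that lets untrusted input instantiate it, and two hardened alternatives. The class, file path and function names are hypothetical.

```php
<?php
// Added example, not from the talk. Class, path and function names are hypothetical.

class CacheEntry
{
    public $path = '/tmp/cache-demo.txt';  // hypothetical path
    public $data = '';

    // Magic method: runs automatically when the object is garbage-collected,
    // including for objects that unserialize() built from untrusted input.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: unserialize() on data the client controls (cookie, hidden
// form field, cached blob). Any loadable class can be instantiated with
// client-chosen property values, so __destruct() writes wherever $path points.
function loadStateVulnerable(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened (PHP 7.0+): with allowed_classes => false every object in the
// payload becomes __PHP_Incomplete_Class, so no real magic method is reached.
function loadStateHardened(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Better still: use a data-only format for anything crossing a trust boundary.
// JSON_THROW_ON_ERROR requires PHP 7.3+.
function loadStateJson(string $untrusted): array
{
    $decoded = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Constructed sample: the serialised form of a CacheEntry, exactly what a
// client could submit with whatever property values it likes.
$sample = 'O:10:"CacheEntry":2:{s:4:"path";s:19:"/tmp/cache-demo.txt";s:4:"data";s:0:"";}';

// The hardened loader yields an __PHP_Incomplete_Class, never a live CacheEntry,
// so the __destruct() file write cannot be triggered by the payload.
$safe = loadStateHardened($sample);
var_dump($safe instanceof __PHP_Incomplete_Class, $safe instanceof CacheEntry);
```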

Lewis Arden, Leeds Beckett University: Creating vulnerable systems containing dynamically allocated vulnerabilities

Drawing on the needs of students on the “Computer Forensics and Security” undergraduate course, the case for systems containing dynamically allocated vulnerabilities was made by looking at popular vulnerable systems such as Metasploitable2, OWASP BWA and others. These popular vulnerable systems have many walkthroughs online showing how to exploit their various vulnerabilities. Whilst walkthroughs help in building an exploitation methodology, the vulnerabilities exploited on such static systems cannot serve to evaluate student learning. Dynamic allocation of vulnerabilities allows each assigned box to have its own specific set of vulnerabilities. This approach should stop students from sharing solutions and instead encourage the sharing of methodologies, establishing a cooperative learning environment. The tool is to be launched soon at http://z.cliffe.schreuders.org/index.htm.

Barry Myles, SDR for security testers

Barry Myles’ presentation was severely hit by the live-demo gods’ wrath. During his presentation, Barry showed how he replaced the remote control of an array of radio-controlled power plugs. Unfortunately, some of the demos he had planned were not shown and others did not work as planned. However, the presentation was perfect as an introduction to Software Defined Radio and has prompted the acquisition of additional research hardware (aka Toys for InfoSec boys!). I believe there is a lot of security research to be done on these types of devices, as they are usually built and developed without security in mind.

Kevin Sheldrake and Steve Wilson, Embedded Tool Kit

This presentation was divided in two and felt like it went by really fast! Steve Wilson talked first and focused on the hardware side of security testing embedded devices, touching briefly on the required hardware and showing the process of testing a TP-Link Wireless Extender (TP-WA850). Kevin Sheldrake spoke about some tools he has been developing to assist in debugging the software running on these embedded devices. For this purpose, Kevin has developed bps (a non-interactive debugger), cliapi (a command-line utility for running functions in executables and libraries) and jackal (an SSL certificate cloning utility for MitM attacks).
Their tools can be found at http://rtfc.org.uk.

Steve Lord, Anonaflops: Its part in my downfall

Steve Lord is able to keep us engaged through what is quite a technical presentation by using down-to-earth examples, delivering real-world illustrations without the over-complication that is usually the case in the InfoSec world. He knows what he talks about and was able to untangle the usual misconceptions about anonymity, privacy and free access to information. During his talk he debunked the Anonabox project and reviewed a much better concept called Cloak.

Javvad Malik, How to hack your career path and stand out

Javvad’s presentations are always fun to watch. He is a gifted speaker and focuses on the personal growth side of being an InfoSec professional. This presentation was no different: he introduced what he called the Personal OSI Model, a collection of items someone should take into account in order to improve their professional career. I found his “Skills VS Reputation” discussion with Steve Lord, on how to weigh up a prospective employer, to be the most thought-provoking part.

Rory McCune, Secure and “Modern” Software Deployment

Modern software is complex and has a lot of dependencies. Nowadays, dependencies are usually installed automatically from repositories and are almost always implicitly trusted by default.
Rory McCune’s presentation walked through a couple of scenarios showing different ways the deployment process can be abused by attackers to gain access to unsuspecting users’ machines. The attackers and scenarios he described ranged from high-end nation-state sponsored attackers to modest ones with limited resources.

Dr Jessica Barker, Social Security

Independent information security expert Dr Jessica Barker tackled the usual InfoSec adage “It’s the user’s fault!”. She challenged this view using Rosenthal’s Pygmalion effect, and illustrated the usual victim-blaming approach with the Golem effect. With these explanations she hopes to help us, as InfoSec professionals, improve the way we handle the ever-important education of users, which she sees as InfoSec’s biggest problem.

Stephen Tomkinson, Abusing Blu-ray Players

Stephen Tomkinson’s presentation on abusing Blu-ray players was a very nice example of good and relevant research sponsored by an employer. He showed different types of attacks on Blu-ray players, ranging from network attacks to physical disc attacks, which would allow an attacker to gain a strong foothold on your local network.
The research included the development of a new tool that will surely lead other researchers to find further vulnerabilities in this ever more connected world.