My trip to BSides Lisbon 2013

On the 4th October, I flocked to BSides Lisbon 2013 to talk about Cell Injection.

It was the first meeting of this kind in Portugal (for infosec people by infosec people, open to the general public, free admission, international speakers and attendees). There were about 180 people there in both rooms.


Other than my talk, here’s a rundown of what I saw.

Convincing your friend that a Website sucks by Colin McLean

Colin tried to prove to his friend Mark a website he used wasn’t that safe… and failed. The end result – and a big win – is this talk. We should realise that after all this time, since the beginning of the World Wide Web, we still haven’t been able to prove automatically and successfully if a site is doing something malicious. Colin’s initial solution is a smart mix of proxying, analysis and IDS techniques. It looks very promising. I just hope Colin is able to find a grad student that tackles this issue and fixes it for us!

Security (A)SAP by Bruno Morisson

This talk is about the hugely complex and prevalent CRM system in most large companies in the world and the challenges in keeping these kind of critical systems secure and healthy. Some of the work presented resulted in a Metasploit module for SAP pen-testing. A typical talk at these gatherings.

Digital Forensics on todays’ digital world by David Marques

In this talk, David gave us a general and introductory overview of Digital Forensics. Starting with digital forensic’s history, describing different mindsets between the technical forensicators and legal crowd (judges and lawyers), existing software and usage, explaining current (and future challenges) as a forensics company. Unfortunately, in the end, Q&A fell back to the oldest discussion in the books: “Open-Source” vs “Proprietary” Software. A very good intro to the Digital Forensics’ world, nonetheless.

All your sites are belong to Burp by Tiago Mendo

A plain talk that had a bit for everyone, an introduction to Burp for the newbies and developers and tips that experienced users always enjoy (Macros and Extensions). I also learned about using both Intruder and the Scanner to optimize testing. I actually overheard someone in the room say “where do I sign to get this fantastic piece of software?”. Oh, and I do believe Dafydd Stuttard deserves every penny he is paid for Burp!

“there is no spoon” – The art of “bending” a vulnerability with the power of mind by Pedro Cabrita

Revisiting the idea that automated vulnerability scanning is worth what it is worth, Pedro described several vulnerabilities on a custom tailored app that some of the automated vulnerability scanners couldn’t find. Some of these vulnerabilities were quite basic and immediate that even a more unexperienced tester would find them. While the topic isn’t new, it made a good point since it explains the skewed reality perception organisations have after being submitted to testing. Testing for security isn’t a case of point & shoot or point & click in our case. Just as attackers are somewhat artistic in their trade, so too should testers be. Automated testing tools are just that, tools. Give a skilled tester some good tools and he will deliver.

Revisiting Mac OS X Rootkits by Pedro Vilaça

Unfortunately, I only saw the end of this talk since I was at Pedro Cabrita’s talk but from what I gathered, Pedro is one of the world’s authority on OSX Rootkits and his work is interestingly mindblowing and an eye-opener regarding OSX’s security. One of my favorite talks.

Securing Password Storage – Increasing Resistance to Brute Force Attacks by Tiago Teles

As recent years have shown, storing passwords securely has been proven quite dificult judging by all the password leaks and disclosures even for big players like Yahoo!, Twitter and LinkedIn. After an introduction, design decisions and evolution of hashing functions for password storage, Tiago from Cigital proposed an HMAC based solution to storing user passwords. It was quite an interesting and technical talk with some food for thought on the future of secure password storage and management for organisations.

Man vs Internet or The future of Authentication by Luís Grangeia

Why is it so hard for people (even us, infosec professionals) to properly and securely manage our digital online selves? In his talk, Luis talked about the Mat Honen digital life theft case, authentication and the management of digital identities. It was a basic subject but still something we haven’t completely figured out and often leave to superficial thinking and management without realising we are putting ourselves at unecessary risk with high likelihood of exploitation. Luis finished the talk with some ideas on how to increase our security and raised awareness of these topics. A very interesting talk with a lot of food for thought.

I’m the guy your CSO is STILL warning you about by Gavin Ewan

Gavin is a funny and gifted speaker. He has the heart of a Social Engineer, he lures you in and you’re hopelessly captivated. His words debunk common Social Engineering misconceptions, juicy targets and successful results. It’s funny as legal compliance information disclosure and leaking results so often help out the attacker, especially because they usually end up not being uber-nerdy-obssessive-technical-proficient attackers…. just really motivated beings. Information acquisition is, more often than not, one Google search away! You just need to be smart in how to use it.


Other that the talks, there was a crypto-challenge – decrypting a file containing an encrypted version of the SGFja2VyJ3MgTWFuaWZlc3Rv (spoiler avoided by b64-encoding) – and two attendees signed up for lightning talks. For this, the participants won the possibility of having dinner with the speakers.

Dinner ensued at a brazilian meat restaurant “Orizon” where almost all speakers met (I missed all the other Scots who traveled to Portugal for the event!) followed by drinks at Expo’s Peter’s for wrapping up.
All in all, a good InfoSec informal meeting. I was pleased to see that some of the talks developed on ideas from previous shorter talks from “Confraria da Segurança Informática”, a monthly InfoSec meeting very much in the spirit of BSides only smaller. They have an active community there.

Congratulations to Tiago Henriques and Bruno Morisson for making this event happen. Next year, we might have a BeachCon…
Looking forward to BSides Lisbon 2014!