Past month we (which is me and a group of other ERNW students, supported by some of the “old” guys — I hope my team lead won’t yell at me for this 😉 ) attended the Haxpo and Hack in the Box in Amsterdam. Starting from 28. May, we had three days at this great conference (HITB) and exposition (Haxpo). The two events took place in the former building of the stock exchange in Amsterdam, called: “Beurs van Berlage”. Upon entering the building for the first time we were given details on where our booth was and where the talks would take place — setting up our booth and planning the shifts was just another thing to do before exploring the Haxpo area:
Soon after that the doors opened for the public and the first talks were held. First day agenda consisted of several different talks, amongst others about security risks for journalists, WiHawk (which is a Wireless-Router vulnerability scanner), Project-S (which was about the making of the HITB-Badge) and many more. Not exactly a Security talk, but more about hacking as a creative skill was Mitch Altmans talk named “From Idea To Reality: Make A Living Doing What You Love”. Mitch Altman is the creator of ”TV-B-Gone” and other Kickstarter financed projects. In his presentation he explained the issues and difficulties that occur in the process of creating a finished product from an idea in your head. His attitude was really uplifting and encouraging towards entrepreneurship and what he basically said was: “go out there and make cool stuff!”. 🙂
On Thursday the HITB talks, which were more technical, officially started. Enno, Felix, and Matthias contributed a presentation about their critical vulnerability MS13-092 against Microsoft’s Hyper-V architecture.
Us, who didn’t have duty at the booth or holding a speech were able to join the different talks. One of the highlight talks at Haxpo that day was “We <3 SSL” by Emilia Kasper and Halvar Flake from Google. Who (no surprise) gave a great insight into the recently discovered Heartbleed bug. Besides the technical aspect of Heartbleed they explained that the OpenSSL library itself suffers from several substantial problems. Coders of the project are afraid of “breaking” the internet and therefore try to keep changes as small as possible instead of using the most reasonable solution. OpenSSL is a huge and incrementally grown library which contains very old code portions from many years ago. And several optimizations in the code are implemented by macros which lack type safety. These issues lead to a project that is really hard to maintain and contains bugs that remain in the code for many years before they get discovered.
What can we learn from this?
- Code in critical codebases should be audited more often
- Companies need to assume responsibility and give back to software projects that are crucial for them
- Backup plans for serious situations like this are not too good or non-existing
- Info leaks are a serious threat to an institution
- Brokenness of software should be assumed and not the opposite
Another interesting talk was by Jenn Lesser from Facebook. She explained how she raised awareness within the company to increase the security level. By creating a security related month (“Hacktober”) her team was able to improve security and make it fun for employees. The overall outcome was very positive and effective: Employees were talking about security subjects and were more aware of threats.
Even the original creator of PGP (Phillip Zimmermann) had a talk about a new project he is working on. Sadly the whole speech felt more like an advertisement for his new product (Silent Circle) in addition to that, he didn’t answer critical questions about it.
All in all this day felt like the most interesting day during our stay. Not only because of the talks, but also because of the Google-Party which was held in the Grand Hotel Krasnapolsky that night. We were just having fun while meeting people, relaxing and talking. 🙂
The last day — for some of us with little sleep – was filled with more exciting talks. Dominic Spill explained and showed how he had created a USB proxy to trick the communication between USB-Device and host. With his proxy he was able to manipulate the traffic between the two devices. In his live demo he tricked his laptop into assuming a copying process to a USB flash drive went fine, while in fact nothing was transferred to the drive. His plan is to develop the concept further to the point where it is a cheaper and better platform for fuzzing, monitoring and testing as e.g. the BeagleBone Black.
Definitely the funniest presentation during the Haxpo was held by Yoshinori Matsumoto. His subject was the analysis of attacks against a popular blogging software used in Japan (similar to WordPress) mainly for Otaku websites. The style of his slides was quite colorful and filled with anime characters, which was a nice contrast to most of the serious and plain slides used so far. The technical aspect was quite interesting as well: He set up a honeypot for hackers to come. But a honeypot alone is not enough; the site had to look authentic. Therefore he developed a system to fill the page with content and boost its search engine ranking, which he explained in more detail.
Last but not least, Zuk Avraham spoke about current mobile threats and development. He also warned that mobile attacks are actually more common than currently assumed and will become a bigger issue in the future.
After we had packed our booth it was about time to head back home. Too bad someone had broken into our rental… which delayed our departure for an extra hour due to calling a number of hotlines and going through call center processes.
Nevertheless we all enjoyed our stay in Amsterdam and look forward to HITBAMS2015!