HITB Malaysia - Day 1
Day 1 - Talks:
- Botnets are sometimes constrained to geographical regions. This is due to the cultural appeal and the language of the lures that led to the initial malware infection.
- Although security researchers are occasionally able to hijack entire botnets away from the original operators, they never (publicly) issue a "kill command" or clean up the botnet infections. This is due to uncertain legal restrictions and repercussions.
- Some botnet operators are now using cryptographically signed command signals as a defense against hijacking.
- Some botnets contain a Domain Generation Algorithm (DGA) that operates on a timer. The DGA is used to periodically generate a new DNS domain name for the command and control server. For instance, the current command and control server may be serverX.adbprmmg.com, but once the DGA triggers and calculates that the new control server is serverY.bmpkngf.com, each node of the botnet begins communicating with this new server. By reverse engineering the DGA portion of the botnet code, malware researchers can register the new domain name before the botnet operator does and effectively neuter the entire botnet.
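An added illustration of the DGA point above (my own toy code, not anything from the talk or from a real botnet family): a date-seeded generator plus the defender-side routines that enumerate the domains it will produce for the coming days, so they can be registered or sinkholed first and so hostnames seen in DNS logs can be matched against the prediction. The family key, label length and TLD are all constructed constants.

```python
import hashlib
from datetime import date, timedelta

# All constants are constructed for this toy family; a real one would be
# recovered from the reversed sample.
FAMILY_KEY = b"toy-family-key"   # per-family constant found while reversing
LABEL_LEN = 8                    # length of the generated second-level label
TLD = "com"

def generate_domain(day: date, index: int = 0) -> str:
    """Registrable C2 domain this toy family derives for `day`.
    `index` lets the bot try several candidates per day if the first fails."""
    material = FAMILY_KEY + day.isoformat().encode() + bytes([index])
    digest = hashlib.sha256(material).digest()
    # map digest bytes onto lowercase letters, as many real DGAs do
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    return f"{label}.{TLD}"

def c2_hostname(day: date, index: int = 0) -> str:
    """Full hostname the bot resolves, e.g. server0.<label>.com."""
    return f"server{index}.{generate_domain(day, index)}"

def upcoming_domains(start: date, days: int, per_day: int = 1) -> list[str]:
    """Defender side: every domain the family will use from `start` for `days` days.
    Registering or sinkholing these ahead of the operator cuts the bots off."""
    return [generate_domain(start + timedelta(d), i)
            for d in range(days) for i in range(per_day)]

def matches_dga(hostname: str, start: date, days: int, per_day: int = 1) -> bool:
    """Detection: does a hostname seen in DNS logs fall under a predicted domain?"""
    wanted = set(upcoming_domains(start, days, per_day))
    parts = hostname.lower().rstrip(".").split(".")
    return len(parts) >= 2 and ".".join(parts[-2:]) in wanted

if __name__ == "__main__":
    today = date(2012, 10, 10)
    for d in upcoming_domains(today, 7):
        print("pre-register:", d)
    print(matches_dga(c2_hostname(today + timedelta(2)), today, 7))
```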
The second talk I attended was titled "Data Mining a Mountain of Vulnerabilities" by Chris Wysopal. Mr Wysopal's company, Veracode, scanned and performed analysis on approximately 10,000 applications from a wide range of sources. This talk represented an analysis of that data and sharing of a lot of facts and figures. The items that stuck out for me in this talk were:
- Introduction of a new attack trend dubbed "water holing". Basically, an attacker profiles a potential target and then attacks other sites of interest to that target. The example provided was that the attacker may determine that a subset of the employees of target company X are fanatical about the sport of Rugby and frequent a particular website dedicated to Rugby news. The attacker would then attack the Rugby news website and host malware on it, in hopes of subsequently infecting the employees of target company X.
- A very large percentage of non-web-based applications have problems with cryptography. These are related to improper key storage and the like.
- The historical data shows that application developers are doing a better job of eliminating SQL Injection vulnerabilities from their applications. This data also showed that developers are still not making progress towards eliminating cross-site scripting issues from their applications.
- Multiple quotes from The Wire and the Notorious B.I.G. song, "The 10 Crack Commandments". Big props for those fantastic meaningful incorporations!
- When hacking, you do *NOT* have any friends. You only have "criminal co-defendants". Treat them accordingly.
- An anecdote of a guy who would rent hotel rooms near business locations to do his hacking from. The guy would bring along a lot of Wi-Fi gear, hack a nearby business, and then use the hacked business's network to attack his intended target. The multiple layers of abstraction are a really cool idea.
- Fake personas take a long time to set up and establish. These should be set up way in advance and should include things like Gmail, Facebook, and Twitter.
- There has already been some discussion about a potential marketplace for the selling of established fake personas.
- Remember to shut off your mobile phone when going to an off-site location to hack. The mobile phone signals could be used to correlate your geo-location.
- As the Tor Button and Tor-enabled browsers are prone to "fail open" on desktops, the Grugq has developed a customized version of OpenWRT to run on selected mobile access points which will force all traffic onto the Tor network. This will be hosted on GitHub.
- Back in the day, computer enthusiasts were sharing a BASIC program among themselves. This was common practice in those days, but for some reason Bill Gates became upset by it. Bill Gates ended up being the first person to ever consider that software should be "closed".
- As the client did not define parameters around "testing the security", the speakers decided to review the router from three different perspectives:
- As a "Geek User". Could they install other software packages on this router? Could they install OpenWRT?
- As a "Paranoid User". Were there backdoors present? What remote services were installed? Was any surveillance type software present?
- As a "Bad Guy". Could they pentest against the PayTV infrastructure? Could they attack other routers and build a botnet?
- Check for the presence of setuid binaries and attempt to exploit.
- Try to download and decompress the firmware.
- Run "strings" against the firmware.
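The three review steps above, as an added example of my own (not the speakers' tooling): once the firmware has been downloaded and decompressed into a directory, the audit side of the procedure is to list setuid/setgid files in the extracted tree and to pull `strings`-style printable runs out of a binary, flagging the ones worth a second look. The sample blob and the "suspect" patterns are constructed for the demo; `find_privileged_binaries` takes the path of the extracted root.

```python
import os
import re
import stat

MIN_STRING_LEN = 4  # same default as the `strings` utility

def is_setuid_or_setgid(mode: int) -> bool:
    """True if a file mode carries the setuid or setgid bit (e.g. 0o4755)."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def find_privileged_binaries(root: str) -> list[str]:
    """Walk an extracted firmware tree and list setuid/setgid regular files,
    relative to root. Symlinks are not followed, so a link pointing out of the
    tree cannot drag host files into the result."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and is_setuid_or_setgid(st.st_mode):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

# printable ASCII runs of at least MIN_STRING_LEN bytes, as `strings` reports them
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

def extract_strings(data: bytes) -> list[str]:
    """Same idea as running `strings` over a binary pulled from the image."""
    return [m.decode("ascii") for m in _PRINTABLE.findall(data)]

# constructed triage patterns: remote services, shells, credentials, update URLs
SUSPECT = re.compile(r"(telnetd|/bin/sh|passwd|admin|https?://|\btftp\b)", re.I)

def triage_strings(data: bytes) -> list[str]:
    """Only the strings that hint at remote services, hard-coded credentials or URLs."""
    return [s for s in extract_strings(data) if SUSPECT.search(s)]

# Constructed stand-in for a binary blob taken from a firmware image.
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"/usr/sbin/telnetd\x00" + b"\x01\x02"
               + b"admin:admin\x00" + b"ab\x00"
               + b"Copyright 2012\x00"
               + b"http://update.example/fw.bin\x00")

if __name__ == "__main__":
    print(triage_strings(SAMPLE_BLOB))
    print(find_privileged_binaries("./squashfs-root"))  # path is a placeholder
```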
- There are a lot of similarities with Thailand.
- There were also a lot of subtle differences with Thailand.
- I would love to do an "extension" of this talk to focus on my observations based on my time in Thailand.
Overall Conference Likes:
- Well organized and planned.
- Good selection of local Malay food for lunch and great desserts.
- Free bottled water widely available throughout the conference area.
- Ease of registration.
- The booth babes at the Time Networks booth. I know some would consider this sexist, but booth babes are still very common in South East Asia, particularly in Thailand. This is simply part of the culture, where oppressive fears of being non-politically correct don't run rampant. So what some in the West may deem sexist, I deem it to be embracing of the culture I've chosen to immigrate into.
Overall Conference Dislikes:
- The photographers and videographers spend too much time filming and taking pictures of the audience. As someone who detests having my picture taken, I find it annoying to have a video camera pointed in my face every time I look up.
- There is loud techno music being played in the common area throughout the event and additionally in the conference rooms between talks. This is quite disturbing to the talks, as every time someone opens the door to come or go during a talk, the music can be heard through the open door. I really wish the conference organizers would either select a less annoying form of music, turn it down a bit, or just play "Gangnam Style" on an infinite loop.
Day 2 Plan:
- Talk 1 - Silo Busting in Information Security: The ISC SIE Approach - Paul Vixie
- Talk 2 - How to Get Along with Vendors Without Really Trying - Katie Moussouris
- Talk 3 - XSS & CSRF Strike Back Powered by HTML5 - Shreeraj Shah
- Talk 4 - iOS Panel Discussion
- Talk 5 - Messing Up the Kids Playground: Eradicating Easy Targets - Fyodor Yarochkin
- Talk 6 - Information Warfare & Cyberwar: What's the Story Morning Glory? - Raoul Chiesa
- Talk 7 - Element 1337 in the Periodic Table: Pwnium - Chris Evans