The keynote was surprisingly political. Marcus J. Ranum (Tenable Network Security) talked about Cyberwar – A Matter of Logistics and Privilege and made witty and thoughtful points. So he asked questions such as whether Stuxnet was an act of terrorism and whether its victims could sue the US to get their damages reimbursed. Highly interesting subject, highly interesting speaker.
Jens Liebchen from the awesome Redteam Pentesting did again a nice presentation this year. They got a new “Multi Function Printer” like a Canon C5051i (so a huge thing…) and had certain requirements regarding its security. He presented a threat model and shared some insights he gained while dealing with the vendor, and, more importantly, after having analysed the machine himself. It turns out that the device has a regular hard drive and runs some flavour of Linux with a big BLOB for their services. However, data was found to be spread over the partitions even though they bought a licence for “secure deletion” of data. They, rightfully, did not expect to find traces of their print or scan jobs. He mentioned that the security properties of such devices were not assessed yet. So there are loads of toys to play with.
Also funny was the work of Benjamin Kahler and Steffen Wendzel who did “Wardriving against building automation“. Basically, the question was how easy it is to break into a network and remote control the building, i.e. open doors and windows. Turns out, there are standard products which are not well secured and the deployment is usually not done properly either, so that network boundaries either don’t exist or can be passed easily.
The security of Android-App’s SSL/TLS usage was presented by Matthew Smith. They examined many many “Apps”, decompiled them and statically analysed how well they handle various conditions when building up a TLS connection. Apparently, many programs just do not care about the security properties of their TLS connection so that they just disable the verification of the certificate chain. The model is said to be too complex and too burdensome to set up during development. They also recommended to introduce a new privilege, namely sending data unencryptely. So that a user could select that an application must not transfer data as plain text.
Besides listening to the talks and chatting to people, I tried to get on the wireless in the hotel. Turns out, they interfere with your traffic, i.e. they block everything and redirect your web traffic to present you a landing page from which you are supposed to log in to the gratis wireless. The credentials to be entered were the room number and the last name of a guest of that room. Well, given the speakers and attendees list (or some knowledge of popular names in the region) it seems easy enough to just poke some data in and hope for the best. Or, instead of doing that manually, have a program doing that for you. Voila, je vous presente “petitelysee”. A simple Python script to try to log in to a landing page. As I’ve said, it’s the result of three hours or so work. So it’s not very nicely done and I obviously didn’t try it out. It has just been coded in a way that I *think* might work.