Thursday, June 4, 2015

BSides London 2015 In Review

Hey guys, thought I would give a quick update as to some of the stuff that is going on in my life. Yesterday I went down to BSides London for another yearly event of meetups and talks. The event was great and I bumped into a whole bunch of people I hadn't seen in quite a while, including some mates of mine from uni and some pentester mates (@TheXero, @Zy0d0x, @n0x00, Duncan, and some other mates).

The keynote presentation was by Wendy Nather and it touched on the importance of privilege and usability within digital security and how assumptions about how users will interact with a system could result in client frustration and the creation of insecure systems.

The next presentation that I attended was @__Freakyclown__'s "How I Rob Banks". This excellent talk covered some of the security failings __Freakyclown__ had encountered when testing the security of modern banks. In particular it drove home the point that even if a company purchases the most top-notch digital security gear, that does not necessarily mean it spent as much money on its physical security. To highlight the simplicity of some of these issues he walked through some examples he had encountered in past engagements and how he managed to bypass the security mechanisms in place in each of the scenarios.

One particularly interesting example demonstrated was the bypassing of an invisible fence which used microwaves to detect intruders. The only problem is that microwaves don't pass through all surfaces. Because of this, he was able to bypass their defences by crawling on the ground and using a group of low shrubs (which were blocking the microwaves from passing through) to get past their initial external security.

Following __FreakyClown__'s talk, I decided to do a little bit of HallCon and grab some of the free lunch that was being offered. At this point I happened to bump into several people that I hadn't seen in quite a while and spent some time catching up with them. A noticeable difference from last year's BSidesLondon was that the conference venue seemed to be much more organised this year with a larger focus on HallCon, as evidenced by the chairs and tables in the vendor room as well as the ample free space throughout the conference.

Having caught up with people, I then decided to go to the workshop "Dradis Framework 3.0 - We Are Back!". To be completely honest I felt this workshop was a bit of a let down. Although Daniel Martin was an excellent teacher and was happy to help out, the Dradis 3.0 framework itself was found to need a lot of work. The reason for this was that although the ready-to-go packages came with all of the prerequisites needed to run Dradis 3.0, they did not come with any plugins to import results from other tools. Furthermore, it was not currently possible to add additional plugins to this readily deployable version of Dradis without considerable time and effort.

Speaking with Daniel Martin (@etdsoft), he revealed that the original plan for these prebuilt packages was to strip all the plugins out and allow people to install them as they desire; however, he has found that this doesn't work at the moment without a long and very complicated install process. As such, he is planning to release a future version with all of the plugins installed from the start so people can remove the plugins as they desire. Hopefully this will be fixed in future releases, as I have heard many good things about the tool and seen some very interesting things that it is capable of doing.

The last workshop that I went to was Ruben Boonen (@FuzzySec) and Francesco Mifsud (@GradiusX)'s "Windows Privilege Escalation". The room was pretty full for this one, which was to be expected given the amount of interest it had generated :) The workshop covered some common issues within Windows services and applications that would allow one to escalate their privileges on Windows machines. The class went really fast, however thankfully they added notes into the material that they released in case anyone fell behind so it was pretty easy to catch up.

I learned a lot from this one from simply going through the slides and materials and trying stuff out, so it was well worth it. That being said, however, I think I need a lot more practice, as there were quite a few commands that I either had never used before (such as findstr) or with which I was only vaguely familiar. Overall this had to be one of the better talks that I attended and I hope Ruben and Francesco decide to continue it in the future, as I think it helped quite a lot of people out.

At this point the day was pretty much wrapped up and the only thing left was the closing remarks which consisted of some quick comments and some raffle draws/prize handouts.

Overall the event was thoroughly enjoyable and I really hope to go again. I can honestly say this was one of the few events where I didn't find a single major issue with the whole event, which was a rather pleasant surprise. I hope I can attend next year and that BSidesLondon will continue offering amazing talks and events.