17 November 2013

ZaCon 5

If ZACon 5 was a true representation of the security practitioners in South Africa, it would seem that there are next to no women - after all, only 1 lady in an audience of 100 plus gives a pretty skewed demographic. Perhaps this is more a phenomenon of the hacker community itself? Perhaps it is due to the fact that the event is on a Saturday? I have commented on the diversity of ZACon before, and in other respects the audience was far more diverse, be it race, organisations or age - so it seems that gender is the final frontier :)

Organisationally, this was the best ZACon yet - better signage, better communication, up-to-date scheduling (even if it did run late, and the schedule did change a lot), AV and sound set-up etc. As Dominic commented, ZACon is growing up, and it seems to be on a sustainable footing - this is a local security conference that deserves to continue. The content was also impressive, covering a variety of interests, although there was a strong "electronics" theme.

Dimitry started off proceedings with the use of Markov chains to create more efficient password attacks. In principle it is a great idea, but his actual demonstration and training data did not make sense. Password complexity rules have almost ruled out the use of plain dictionary words as passwords, and thus the solution did not have the gravitas that it could have.

Jason presented the most interesting talk, on Mains Signalling. Basically, Mains Signalling is the use of signalling on the electrical grid to control electrical systems. The technology is old, undocumented, and very topical with regard to the move to Demand Side Management across the world. Through literally years of effort, and off-the-shelf components, Jason managed to decode some of the signal codes - including those for traffic lights, street lights and geysers. Given that there is absolutely no authentication or authorisation built into the system, anyone with the capability to send modulated signals on the electrical grid can cause havoc - and this is something that, to my knowledge, is not addressed as part of next generation grids. Yes, it is a far more local attack - but also far more economically damaging.

Jeremy ("Panda") presented an interesting investigation into the command and control servers of the Poison Ivy botnet (and two others). Through interception of communications, Nmap scans, and tracking of IP addresses and domain registration records, he managed to identify a number of additional domains and command and control servers. Amazingly, many command and control servers are themselves vulnerable to many attacks, due to bad configuration and vulnerabilities within the Poison Ivy system. The approach will not work for all botnets, but this is certainly a good step forward in combating botnets.

Brazilian Marcos (studying at UJ) presented the most complex talk, on detecting obfuscated obfuscation routines. The use case is better detection of malware, but it could also be used to attack software that uses obfuscation as a protection mechanism. Detecting and reversing good obfuscation is difficult, and although the work is very much at an initial stage, it does show good promise.

Rhodes MSc student Adam talked about his research on active honeypots. Traditional security technologies, like firewalls and anti-virus systems, have a high cost in detection but a low cost in carrying out enforcement. Conversely, honeypots have a low cost in detection but a high cost in actually carrying out meaningful actions. The presentation was therefore on building a converged system - low cost of detection, and low cost of enforcement. In some respects it is a better IPS, and the approach is interesting, though probably not completely scalable.

Dave from MWR's UK office gave the scariest talk of the day - on how easy it is to hijack ad networks to infiltrate ad-supported apps on mobile devices, most notably on Android devices and jailbroken iPhones. Ads are effectively a WebKit implementation within apps; but through bad design, vulnerable implementations, an intentional wish to hijack data, bad sandboxing, and ads inheriting the permissions of the underlying apps, ad networks are effectively able to pull various types of data, or take actions such as sending messages or making calls. This means that an attacker can effectively hijack legitimate ads for their own purposes (since ad network traffic is often unencrypted) or, in an easier (but potentially tractable) attack, launch an ad campaign that sets out to attack their targets. It was a truly fascinating insight into the problems with the current mobile advertising landscape and the lack of real incentives to address them.

Mark, also from MWR but the SA office, gave an insightful overview of Controller Area Networks (CAN), specifically in cars. While there was some exploration of possible vulnerabilities, it was more of a discussion on reverse engineering. There are interesting avenues to pursue - especially remotely, via vectors such as keyless entry or telemetry broadcasts for race cars.

In the past year, Robert started a conversation on building a data diode - a one-way transmitter of data. Considering the massive cost (some well over hundreds of thousands of Rands) of commercial systems, Robert's solution, costing less than R5000, is an amazing hack, and one that works as advertised.

The last talk was by Schalk, on designing a low-gain directional Wi-Fi antenna, but it was really mostly about 3D printing and house-4-hack. The 3D printer itself has won awards, and this is a good showcase of entrepreneurship. It was a good follow-up to the talk by Roelof (from Paterva) on the basic building blocks of building a successful business, and a good way to close off a fascinating day.