DefCamp 2018 – live blogging from Bucharest

Hello, infosec lovers,
Ready for two full days of cybersecurity knowledge, awesome speakers and presentations, and lots of fun? 🙂

This year we’ll do live blogging from #DefCamp 2018.

We’ll try to cover as much as possible from the upcoming presentations by sharing and capturing valuable ideas, bits of wisdom and actionable tips from some of the best infosec professionals.
If you can’t attend the conference and you’re interested in a particular topic, or you simply can’t join all the amazing talks from the schedule, we’ve got you covered!
Make sure you keep an eye on the blog on November 8 and 9, for the latest updates and news from #DefCamp 2018.

Day 1, 8th November

Dan Demeter, Kaspersky Lab Romania 

Presentation: The Hitchhiker’s Guide to Disinformation, Public Opinion Swinging, and False Flags

• The information war is here.
• Dan mentions about Ion Mihai Pacepa, a former chief of Romanian Intelligence and spy, with the recommendation of reading his book “Disinformation”
• “Active measures” is a Soviet term (via Wikipedia), but London School of English says it can include a combination of white, grey and black propaganda.
• Black propaganda is information that comes from unknown sources.
• Russian disinformation-> example: the origins of AIDS,  “Who’s Who in the CIA” paper.
• Disinformation in Romania used to produce facts that people actually believed (in the past).
• We have a lot of access to a lot of information, and this is good and bad at the same time
• If you’re looking for something and it’s right there, and you may not be willing to go over the process of checking ->
• People are not fact-facking other sources, this is what disinformation is.
• Why fake news is happening? 3 reasons: tribalism,  Confirmation bias, and dangers of debunked ideas
• In Romania, a lot of fake news have gained traction, but the problem is that its threat is more real than ever
• Fact-checking is it the most important part of journalist investigation, and if you don’t have high-quality journalists than you have a problem.
• Instead of having like a global network, you create your own local network.
• Privacy is the state of being free from unwanted intrusion, in Dan’s opinion
• If you’re willing to offer your data freely, remember there are companies that will use it for diverse purposes, so don’t give out your data and try to keep it private, as much as possible.
• What to do to combat fake news? User education, high-quality journalism.
• Donate to people to do high-quality journalism in Romania: Recorder, Rise Project, etc.
• Take everything with a grain of salt.

Mike Spicer, Consultant

Presentation: Year of the #WifiCactus

• The raw amount of data gathered by year. Total project data is now over 1 TB, it’s “data collection madness”
• If you are curious about something: build it, test it, try it. This was the best way for me to learn and I encourage everyone to do it.
• Kismet software for Wifi monitoring and real-time filtering.
• A lot of data collected for the #WifiCactus project is encrypted, and it can’t be decoded.
• Tools used this year: Graphistry (creates beautiful visuals), so if you are at #DefCamp today and tomorrow, look out for Mike for some live demos. He will show you some Graphistry data, if interested.
• I want to have more storage capacity, add more wireless technology to do more research.
• In case you missed it, you can read Mike’s interview on the DefCamp blog.

Abdullah Obaied, Adjust Gmbh

Presentation: Stealing Traffic: Analyzing a Mobile Fraud

• Before moving forward, we need a plan
• What do we need to know: what happens when we open the app? / What happens when we install/uninstall other apps? / Most importantly, what happens when we install an app on Google Play Store.
• Analyze traffic sniffing activity (HTTP and Google Play related keywords)
• Android content provider  – abstract layer/wrapper for apps to access resources (files, databases, etc)
• The first thing you need to look when searching for an app is the content provider
• Educate people and devs to use Play Store Referrer API, which will help everyone to get more accurate and reliable data about app installation.
• It’s not going on with an ad blocker, and we need to stop fraudulent activity.
• Make the knowledge public, because it will benefit both the public and the community.
• If you want to learn more about stealing mobile traffic and click injection for an app, we also recommend to check out Abdullah’s interview on the DefCamp blog.

Leo Neagu, Adrian Tudor, SecureWorks

Presentation: Catch Me If You Can – Finding APTs in your network

• APTs = cyberattack that will “fly under the radar” and your AV/IDS will not let you know about it
• The goal is to get into an organization as soon as possible and establish persistent access and steal your most valuable data
• APT- is like a stealing ninja that you can’t see it
• APT attack mechanism is focusing on delivery, exploitation, installation, Command, and Control (C&C), action and objectives.
• Example: Aurora operation conducted by APTs
• Implement multifactor authentication inside your organization for more security
• Example: Quasar RAT – easy to use/deploy – used in attacks
• Check out https://attack.mitre.org/  -> a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”
• Are you ready to detect an APT?
  1. Assess your current state (identify your assets and know about your vulnerabilities)
  2. know your enemies (use threat intelligence, tools, tactics,
  3. Design and implement your vision (multi-layered endpoint and network protection, threat hunting to boost chances to find APT attack and stop it)

Stefan Tanase, Ixia

Presentation: Internet Balkanization: Why Are We Raising Borders Online?

• It’s all about collaboration and working together, and the fact that we need to share about the work we do, and #DefCamp is such an opportunity to do this.
• We are living in different bubbles, and we like to share and connect with like-minded people, but these different bubbles don’t communicate with each other
• We, the IT people, often don’t like to think, because we are doers. But we should think about of things we are doing that can really help have a broader perspective over the world
• Understand the consequences of the code devs/programmers are writing
• Example: The Manhattan project which developed the world’s first nuclear weapons.
• “Internet censorship is getting closer and my biggest fear is nothing will change”
• The amount of data companies collect is actually scary (look at their databases)
• In order to evolve, we need to have a real choice.

Jason E. Street, SphereNY

Presentation: You’re right, this talk isn’t really about you!

• When it comes to our biggest flaws, we don’t try to fix them, we ridicule them because it’s easier this way.
• There is no patch for human stupidity
• Something we need to understand: “We’re not looking at protocols, we are looking at people”
• Employees will do what it is required to do. We are not making them part of the responsibility (to be security conscious), so why do they care? It is not extra work, it’s what they (employees) need to do.
• We have to start showing users the consequences of not caring about security, but, same time, we need to train them about protocols and training, to educate them.
• Employees need to understand: there are real-world consequences to what happens online.
• Your employees should be a layer of security -> “If your employees don’t know that security is part of their job, it’s your fault as a company”, added Jason
• Make it easier for employees to see and report suspicious e-mails (ease of use)
• For companies -> Do you really understand WHAT are you trying to secure? What data needs to be protected? What is critical for your systems? If you don’t understand these things, you can’t do proper protection.
• You have to make sure you admit when you DO a mistake, cause that’s the moment when YOU LEARN.
• Lead by example – a useful reminder for both the management and employees.
• Tell your employees that technology helps, it is part of the solution.

Jelena Milosevic, Nurse/Independent Researcher/Speaker

Presentation: The challenge of building a secure and safe digital environment in healthcare

• • • In hospitals, there is old device & software, but connectivity is required (connected, but not protected)
    • The healthcare system needs to communicate, learn to know from each other needs and work together
    • Insecure apps for medical records (why connected to the public Internet)
    • Employees can easily download documents from different links
    • When criminals manipulate the results and info, doctors will make a wrong diagnostic for patients
    • The security department within a hospital should be independent of the IT department and do mandatory consulting and training
    • Keep it simple and less tech as possible when it comes to awareness training;
    • Don’t put things on the Internet, if they don’t have to be there!
    • Healthcare without (basic) security is like surgery without sterile instruments

Panel – CPU vulnerabilities, how to resist future attacks, new technologies, and future trends in IT Security (Multiple guests)

• Advice: Never trust the memory!
• Attack limitations: a) difficult to do, it’s required an amount of work to do – conventional attacks typically easier / b) via the network/ c) mitigations on the way (partly deployed via microcode and OS upgrades)
• Fixes are on the way, but we do not know what else is there
• Why we have vulnerabilities? Some of them hard to find/detect.
• At the end of the day, it is all about resilience – > how to make our systems/networks more resilient
• We have to build better software and do better training, think about the hardware design, and also consider better detection to prevent future attacks
• Companies choose not to disclose vulnerabilities so attackers can’t exploit them
• Attacks work so differently on technique level, and it’s difficult to anticipate them
• Securing the hardware is really tough because you can’t secure everything 100%
• Everyone is affected, what is different is the result. No system is secure so you have to do everything (technologically wise) to make it safe
• Financial investments are needed to protect systems and networks within organizations, but aside from that,  there is a demand for infosec professionals. Most companies lack experts from the industry to handle the data, researching for problems and put all the efforts to tackle these attacks.
• What to expect in the future? More attacks like SQL injection, side-channel attacks.

Day 2, 9th November

Dimitri Van Giesel

Presentation: What happened behind the closed doors at MS

• Dimitri tells the story of breaking into Microsoft servers back in 2000 at the age of 19.
• That time ( in 2000), there were no bounty programs when you reported a bug
• He sent three security notice to MS informing the company about it, but no one answers
• The fourth time another e-mail was sent to report the access on MS servers. He received no answer after 4 days, so he went to the press, and in November 2000, it was in the news.
• In 2003, he came back to MS, as he found another vulnerability in Microsoft Commerce Server. Following the same procedure, he sent multiple emails to MS until he received an answer. Months later (from March to August), in August, Microsoft released Service Pack & Security bulletin regarding the vulnerability.
• Advice for young hackers: You have to push it to get higher bounties for discovering bugs.

Mushegh Hakhinian, Intralinks

Presentation: Building application security with 0 money down

• A good program can be started without major investment in tools
• You need smart investment to have great tools and focus on security
• “Everything-as-code” means “most-of-things” can be fixed in code
• Keep in mind that the app security process is a difficult process on many levels (testing, fixing issues in production, penetration testing), so you need to set up attainable goals and reach them.
• Find you glaring issues, catch issues before coding starts
• Use free tools such as SonarQube for code analysis, Dependency checker for 3rd party components, Clair for docker container analysis, Microsoft Threat Modelling tool.
• Have a process inception checklist which includes using special tickets to track vulnerabilities, get stakeholder commitment to fix critical issues (it’s important to have support from all departments: support, sales, dev), get a commitment to patching 3rd party components.
• Your learning process tells you how to fix things, and all the initial steps give you learning experience to set up an application security
• Establishing a continuous assessment is very important in the maturity journey of building the app
• Integrate with commercial code analysis tools: budget for commercial tooling, scan for viral licenses, scan for non-patched components, perform static code analysis for each build
• It’s important to catch issues in very early stages
• Measure what you’re doing and communicate with people who invest money.
• YOU have to show what you are doing, in order to get money from people who want to invest in the app
• Ultimately, people make the program work.

Alex “Jay” Balan, Bitdefender

Presentation: Privacy between Hype and Need

• Rogue gsm cells: If you see 2G on something, they are vulnerable to attacks, as the network is not encrypted
• Hackers stealing your security recording feeds from smart cameras
• Data leaks are relevant because we share info and we share the provider our data, and this is a mistake
• A company has the obligation (when processing and storing data) to TELL YOU there is a breach.
• Any form of privacy is a myth. You have to pay attention to the kind of data you want to secure. Treat everything else as compromised.
• Truecaller / sync.me / facebook  -> When no matter how paranoid you are, your friends may be less paranoid than you are (fake identity
• Everything that you share with your friends will be leaked
• “Passwords (in all forms) should die” -> He recommends copy-paste passwords, because if you type a password is compromised
• Treat everything that you have as shared with the others as being compromised.
• Browser extensions have access to everything that you search/use and can be easily compromised – > be very mindful about that!
• By design, privacy is a utopia in today’s society
• When I choose a vendor, I focus on having a better security posture than other vendors.
• Bug bounty programs – “I can be surprised on a daily basis by the creativity of other people”

Stephan Gerling, ROSEN Technology & Research Center GmbH

Presentation: Remote Yacht Hacking

• Hacking yachts, mostly the private ones or chartered, celebrities
• US Navy involved in 4 collisions in eastern Pacific in 2017
• Modern vessels become swimming IOT devices (VTS, AIS, GPS, radar,
• VTS (Vessel Traffic Service) -> monitoring system established by port or harbor authorities, similar to air traffic control for aircraft
• Automatic identification system (AIS) used on ships and by vessel traffic services (VTS)
• Electronic Chart Display and Information System (ECDIS)  used for nautical navigation
• Possible attack vectors: Internet router, manipulating mobile devices, GPS systems in which 2 scenarios are possible: jamming (quite simple) and spoofing (complex)
• Securing GPS? – Research project “Galant” by DLR – > Institute of communication and navigation, example: Labsat GNSS Simulator), .
•  NMEA bandwidth capabilities of less than 1Mbit/s – > connects devices using Controller Area Network (CAN) technology originally developed for the auto industry.
• https://www.shodan.io/ -> engine for Internet-connected devices; it also shows live ship tracking
• The future is cloud / autonomous ships

Cosmin Anghel & Ionut Georgescu, SecureWorks

Presentation: Back to the future: how to respond to threats against ICS environments

• Network protocols are important in ICS environments
• All the production should be orchestrated efficiently to have the products ready for delivery
• Frequent ICS Environment issues encountered: the lack of authentication, missing encryption, Internet access to trusted sources, lack of security monitoring, lack of patching, security protocols in place.
• Cyber kill chain for ICS -> collecting as much data as possible from the network triggers/vectors for ICS attacks: malware incidents, suspicious behavior of ICS devices, egress trigger for perimeter, defense systems (the engine can stop)
• Attack vectors for ICS environments: spear phishing, waterhole, trojanized versions of ICS software installs
• ICS incident response – the main purpose: maintain safe and reliable operations, forensic data should be acquired, the timely analysis need to be performed, how to eradicate threats.
• ICS environments: Take a backup and use a configuration that is changed every 9 months, simply because the configuration doesn’t change so often.
• Common challenges for ICS environments: a large number of ICS protocols, lack of network layout knowledge, widespread infrastructure with limited or no remote access, lack of engineer knowledge of infosec, unknown embedded/proprietary OS.

Kirill Puzankov, Positive Technologies

Presentation: Mobile signaling threats and vulnerabilities – real cases and statistics from our experience

• SS7 (signaling system) is the control plane that is used for exchanging data between network devices in telecom networks
• If a hacker connects to the SS7 network of a mobile network, they can attack subscribers of any operator around the world.
• Government and global organizations recommend not to use SS7 networks (worried about its security)
• Mobile operators are aware of this issue and they started to implement a firewall, home routing, security monitoring of the network.
• Stats: voice calls could be intercepted in 53% of cases, incoming SMS messages intercepted in 90% of cases, while subscribers can be geographically tracked on 75% of analyzed networks.
• Almost 99% of attacks are connected with disclosing confidential subscriber data. SMS home routing bypass, STP (Spanning Tree Protocol)  attack, SMS spam through SS7

Stefan Mitroi & Mircea Nenciu, SecureWorks

Presentation: Trust, but verify – Bypassing MFA

• Multi-factor authentication (MFA) is a security system in which individuals are required to authenticate through more than one security/validation procedure.
• Authentication factors: something you know/have/are
• Deployment modules for:

-> A. Something you have: soft token, hard token, phone (call/SMS)                                                        
– >b. Something you are: facial/voice recognition, fingerprint (these authentication factors can’t be stolen, so they are pretty secure)

• Benefits of MFA: the added layer of security, simplified login process (no password/credentials required), reducing data loss (the attacker could not get access to sensitive data in case of a phishing attack)
• Challenges of MFA: cost, confidentiality, availability, compatibility factors that need to be checked, user convenience
• Have security included from the start, and not in the end as a solution.
• Securing incidents can include bypassing SPAM filters  -> use an online tool (example: free email security check), use spam filtering tool.

Raluca Stanciu, Bullguard

Presentation: Economical Denial of Sustainability in the Cloud (EDOS)

• Dyn, one of US important DNS provider, was involved in a cyber attack in 2016 and down for about 11 hours – > clients affected: Netflix, Amazon, etc
• If you ever want to see live DDoS attacks, you can check out the Digital Attack Map site
• GitHub recently suffered a massive DDoS attack (reflection attack) in which Memcached servers were exposed.
• DDoS protection in the cloud -> How to protect yourself against these attacks? Solution: You have to buy DDoS protection, and always consider time-to-mitigation = money (which also implies: losing clients, downtime, opportunities)
• To reduce attack surface in the cloud -> expose ONLY if necessary, and if exposed, protect, protect and PROTECT! + anti-spoofing protection, firewall rules,
• Be prepared to scale by choosing an SLA (Service Legal Agreements) with automatic scaling, use elastic IP addresses, proper elastic computer type, elastic load balancing
• Create your cloud business architecture with resilience in mind
• Choose a product which can properly protect both good AND bad traffic (what if your web service has a legit spike of clients?)
• Third party DDoS protection services: Akamai, CloudFare, Gladius blockchain DDoS mitigation
• Conclusion? Anything which has an IP address CAN and WILL be used against you.