BruCon 2010 Training & Conference Wrap-up

by Paul Asadoorian
September 30, 2010

Brucon is a security conference held in Brussels, Belgium. This was the second year of Brucon and it comprised two days' worth of training and two days' worth of presentations. It’s a decent-sized conference of about 300 people total, including speakers and attendees. Everyone at the conference was extremely nice and very hospitable. The organizers went above and beyond to make sure that attendees had a good time, were able to get around the city and (most importantly) share ideas about information security in an open environment.

Advanced Nessus Training

I ran the "Advanced Scanning Techniques Using Nessus" course, which is a two-day class designed to explore all of the Nessus features, including the impact of various settings, scanning with credentials, customizing audit files, web application scanning and using the Nessus API. I have to say that the students in the class were outstanding. We even had some extra time and were able to do some more advanced stuff such as run Hydra from within Nessus along with some extra debugging.

Every time I teach this class, the students tend to have a few of what I call "Aha!" moments. Most of my students are already familiar with Nessus, know how to run basic scans, review results and configure scan policies. After taking this class, they learn about some of the other Nessus capabilities such as:

  • How Nessus can scan web applications. I break this down into three categories:
    1. Identifying vulnerabilities in the operating system, database or web server the web application is running on
    2. Identifying known vulnerabilities in installed web applications
    3. Fuzzing the web application parameters for several different types of vulnerabilities
  • The power of .audit files - We customize a Nessus .audit file and run it against the target provided in class. Students really like being able to run a Linux command and check the results from within a .audit file.
  • Making use of the API

I can't wait to teach this course again, and I already have ideas for several updates and additions including:

  • Writing your own small script to use the Nessus API and scan systems
  • Writing and modifying NASL scripts
  • Adding more vulnerable web applications to scan
We visited Antwerp, where several fellow instructors had dinner and exchanged ideas. There was plenty to see, including this clock tower in the center of the city.

Presentations

There were several excellent presentations at Brucon. I will provide a brief summary here of some of the talks I attended. For more detail, check the Brucon web site for the presentation papers and slides.

Joe McCray gave a talk titled, "You Spent All The Money And You Still Got Owned…" Just from the title, I could relate to where he was going with this topic. Joe pointed out that at one time it was not difficult to impress clients. You could "scan" the network, find vulnerabilities, exploit them, gain shell access, tell the customer to patch the vulnerabilities and collect a check. The industry has evolved significantly over the years; according to Joe, organizations have learned how to scan themselves and implement patches (I couldn't agree with these practices more!). However, incidents still happen. Web applications are hacked and information is stolen. Joe then covered several techniques for bypassing IPS, IDS and web application firewalls - all technologies that should keep us safe, but can be bypassed with varying levels of effort. Joe has come up with some defensive measures that go beyond patching and has written a document detailing his methods, which you can obtain by contacting Joe via email (joe [at] learnsecurityonline.com).

If Samy wasn't my hero before, he is now. I met Samy Kamkar, most famous for the "MySpace" worm, right before his talk titled "How I met your girlfriend". I had only really known Samy from his code. I studied the original MySpace worm code and was amazed how he was able to design the worm to avoid filters and weave his way through the protections in place. I then found out that he got into a bit of trouble for creating the worm, not by MySpace, but from the U.S. government. After some time away from computers, Samy was back and could talk openly about the MySpace worm and some new attacks he had been working on. In the ten minutes before his talk he asked if anyone had any questions or topics to discuss. I raised my hand and asked him to tell us about the JavaScript obfuscation techniques he used in the MySpace worm (I guess it’s hard for me to not be a podcast host asking questions!). He covered all sorts of interesting techniques that you can read more about in his original write-up. As for his current research, Samy presented techniques for brute forcing PHP session cookies in about an hour, opening up ports in users’ home firewalls and locating people's homes based on a wireless SSID and MAC address.

Chris Nickerson gave an entertaining talk titled "Top 5 ways to steal a company 'Forget root, I want it all'". I think some people missed the point on this one. Chris covered several ways in which attackers "could" disrupt operations of an organization. The basic premise is that people's lives could be affected, industrial plants could have horrible accidents or business operations could be completely shut down due to attackers penetrating the security of a network. As security professionals, we need to do a better job of explaining these risks to management. Chris says that security assessments often point out that an attacker could just "get shell", but we need to go deeper.

I gave a presentation titled "Embedded Systems Hacking and My Plot to Take Over the World". I took a humorous approach to pointing out the sad state of embedded systems security and outlined a plan for world domination largely based on exploiting vulnerabilities in embedded systems. Since embedded systems are everywhere, no one pays attention to them until they are broken, and they are vulnerable to very easy-to-exploit vulnerabilities such as default passwords, they’re a prime target to aid in a plot to take over the world. The goal of the talk was to raise awareness about how serious and widespread the embedded system security problem is, and how we need to work together in order to get vendors to change. A new web site was launched called http://www.securityfail.com/ where people will be able to register for an account, log in and write up their stories on how embedded systems security has failed them.

Antwerp town hall.

Workshop - Learning DVWA (Damn Vulnerable Web App)

I got the chance to meet Ryan Dewhurst, the author of DVWA. He gave a workshop that showed people how to use DVWA and enumerate the vulnerabilities present in the application. I only spent a small amount of time at the workshop and was able to pick up a few new techniques. For example, in the post where I described how to create a new PHP file that allows for command execution, I explained that you need to provide a valid table name. In the example Ryan gave, he used "null" for a table value and was able to accomplish the same attack. The workshop went well and all participants received a DVWA DVD that contains a VMware image with all the software installed.

I found it ironic that a camera was in the way of taking this picture.

Podcaster Meetup

For the first time, security podcasters from three different continents joined together to record a rare international edition of the security podcasters meet-up panel discussion. As if that is not groundbreaking enough, we had a fantastic discussion with each other and the crowd! We covered quite a few topics, such as:

  • How to learn about security and penetration testing
  • The best ways to mentor and teach people
  • The best way to educate developers and the state of software security

The audio is available for download on various security podcast feeds, or from the Brucon podcast media page. For those sensitive to explicit language, you may want to skip this one.

Conclusion

Brucon is a fantastic conference and I highly recommend it. You can find out more information about the conference, including links to all of the slides from all the presentations (and eventually videos) on the Brucon web site.