Div0 Blog Editor
Area41 Security Conference Report
This is a report on, and reflection of, the experiences and content of the recent Area41 security conference in Zürich on 2-3 June. The conference was held in an old industrial building used for concerts and other cultural events; one of the session rooms also used to be the venue of a strip club.
The event started on Monday morning, which was a rather odd choice for a hacker conference, but understandable and possibly connected to finances or other reasons. The keynote managed to mention the ongoing struggle for power in the cyber world, and that some actors are eagerly trying to demonstrate an omnipotent capability to conduct security in the name of universal values. This made for a very interesting moment, but it was also noted that, this being a techie conference, the social and political opening of the keynote was left somewhat in the air. Also worth mentioning in the context of the keynote, while not directly about it, is the disclaimer printed on the conference leaflet. It stated that nothing presented at the conference was against Swiss law, and that participants were responsible for ensuring that being in possession of any of the information or tools presented at the conference was also acceptable in their local jurisdiction, or otherwise they were denied entry. The clause also included some additional details. While understandable in the contemporary context, this raises serious questions about the participants' capability to make such a confirmation, leaving many of them practically in a grey area, unclear whether they are living according to their local standards or violating them. Again, one could argue that this is not limited to this conference but applies to many other events too. Having this clause printed out may seem fair from the organisers' point of view, but it does not solve the issue in any way, as the participants are clearly not able to carry the risk of cases against them for being in possession of information about, for example, SOHO router remote management vulnerabilities (TR69).
The next session tried to present mostly free defences against some common attacks in the rogue online world. While the presentation was somewhat reminiscent of browsing a catalogue, the speaker successfully covered a wide range of incidents, described them in detail, and gave good insight for junior and rookie security professionals. One of the most important things he raised (recordings and notes are missing, so it cannot be confirmed that he was indeed the one who presented it, but it is assumed so here) was an Active Directory watchdog that could identify an illegitimate Windows admin hash being used in the local network to log in as domain admin, and alert so that the credentials could be changed, thereby invalidating the leaked hash. This was a commercial product, but worth presenting. Furthermore, during his session he seemed to be conducting a survey of some kind, perhaps to make the most of facing such a large group of professionals, asking the audience question after question about how many of them had been there and done that. Doing a couple of these during a session is fine, but repeatedly shifting the responsibility for the show onto the audience is something one might want to avoid.
After this, there was another session on the subject of vulnerability databases, reports, standards and classifications. While it presented the, or a, concept and implementation of a system to categorise, classify, store and relate vulnerabilities to each other, the presentation lacked the deeper question of what vulnerabilities described in this way mean in the light of securitisation, or security overall. One could claim that vulnerability reports are connected to what Ulrich Beck, for example, calls the development of the risk society, and also to the imposition of specific governance models and ideologies (spheres of influence and obedience, at least). Understandably, such topics were not fully covered; it was also heard in the hallways of the venue during the breaks that more conceptual and high-level topics were considered lacking in the talks, and that some of them were too low-level, technical and maybe even naïve. This would indicate that the feeling was more widespread in the audience, and hence might require the organisers' attention when planning the next event.
Finally, in the third slot, after a boring and somewhat inadequate lunch break, the first impressive session was held in the old strip club room, which still had its decoration partly in place. Having this kind of open and uncovered topic presented in this room clearly connected to its karmic history (will it never free itself from its karmic tendencies, one might ask). As such, the place was perfect, and since the session was not recorded, at least not publicly, the presenters were given more space for expression rather than performance. This session was about vulnerabilities, quite serious ones, in .NET form state management, where an insecure configuration allowed session hijacking and led to injecting arbitrary objects for the server to execute under its privileges and care. This was demonstrated by injecting a simple Samba callback, received by a Metasploit Samba listener, causing the user's hash to be leaked. Beyond that, imagination was the only limit on what the vulnerability could cause when exploited. He pointed out having had discussions with Microsoft about the topic, and that they had already provided fixes for the vulnerability. However, while he had collaborated with the vendor, it still left open something that was in the air at the conference and elsewhere: how software or operating system vendors should compensate those who do the job of securing their applications. It was also discussed in the hallways of the conference that, for example, it is a serious issue that the actual researchers are left with a t-shirt, if even that, while at the same time the illegal market might provide them funds for housing and such instead.
This question was not answered during the conference, and why could it have been, but at the same time there was another session about financial models planned to “buy all the vulnerabilities”, which also claimed that buying them would be somewhat cheaper than the imagined cost of them ending up on the black market. When I was discussing with the presenter in the hallways, I expressed my doubt as to whether this would be possible, because it assumed that there would be a single market on which to conduct such a calculation. And if that were possible, it would already have been done, as we think, according to rational humanism, that people in economics are rational utility maximisers, and hence they would already have had the interest and time to buy them all. However, this did not happen, for some reason. So maybe the presentation and the presenter have some motives behind them?
Next in line was an interestingly titled session about two-sided files: file formats that have a double identity, hence images that conceal other images, look different when viewed by different clients, and such. While the title was very interesting and prompting, the content of the presentation and the subject itself were rather lame. While not everyone might at first consider that a file format can be misused by placing two consecutive images in a single file, causing, for example, a binary payload attached to the hidden image to remain unnoticed, this might not be a hot enough topic for such a long session. After all, the idea itself could have been explained in a single slide in the conceptual sense, and presenting more and more examples of the same thing was perhaps not necessary for the sake of the subject matter.
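As an added example (not code from the talk or from the original post), here is the check a defender would run against the "two consecutive images in one file" trick described above: walk the first image's own structure to find where it legitimately ends, then report whatever is appended after it. The sample JPEG and PNG bytes are constructed inline; `trailing_payload`, `jpeg_end` and `png_end` are hypothetical helper names.

```python
import struct
import zlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end(data: bytes) -> int:
    """Walk the PNG chunk list; return the offset just past IEND's CRC."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def jpeg_end(data: bytes) -> int:
    """Walk JPEG marker segments to SOS, then find the EOI that ends the scan.
    Walking segments avoids stopping at an EOI inside an EXIF thumbnail."""
    pos = len(JPEG_SOI)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:             # SOS: entropy-coded data follows until EOI
            idx = data.find(JPEG_EOI, pos)
            if idx >= 0:
                return idx + len(JPEG_EOI)
            break
    raise ValueError("no SOS/EOI found")


def trailing_payload(data: bytes) -> dict:
    """Report how many bytes follow the image proper and whether they start a second image."""
    if data.startswith(JPEG_SOI):
        end = jpeg_end(data)
    elif data.startswith(PNG_SIG):
        end = png_end(data)
    else:
        raise ValueError("not a JPEG or PNG")
    tail = data[end:]
    kind = "jpeg" if tail.startswith(JPEG_SOI) else "png" if tail.startswith(PNG_SIG) else None
    return {"image_bytes": end, "trailing_bytes": len(tail), "trailing_kind": kind}


# --- constructed minimal sample files (not images from the talk) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png() -> bytes:
    """1x1 greyscale PNG: signature, IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")


def build_jpeg() -> bytes:
    """Structurally valid JPEG skeleton: SOI, APP0/JFIF, SOS, a few scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\x34\xff\x00\x56" + JPEG_EOI
```

Any non-zero `trailing_bytes` is worth a look, whether or not the tail starts with a second image signature, since viewers stop at EOI/IEND and silently ignore what follows.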
After a sunny break on the roof of the venue and some refreshments, it was time to head to the basement again, to see how the karmic room still functions as a venue for exhibitionists presenting themselves with almost no cover. This session was about bitcoins, and more specifically about the investigative point of view on them: trying to answer the question of what, for example, a cybercrime investigator could expect to look for when having an image of a suspect's device mounted. His main claim, made with the help of examples, was that the public assumption of anonymity of wallet IDs and transactions is not real. He pointed out that one could fairly easily connect a specific wallet to specific accounts, that just by observing the public transactions one could identify some of the accounts, and that in fact there were clear transaction patterns visible that ease such an investigation. He was also, perhaps quite rightly, claiming that many nations and other actors were already conducting such open-source aggregative research for their own benefit. In this case, holding up the public conception of the anonymity of crypto coin infrastructures for as long as possible benefits the legacy governance structures as a means of providing good and accurate information for them in the postnational world. He did not go very deep in his analysis but provided good material for others to do so. However, he claimed to have done all this as a hobby only, and to have no professional experience in the investigative domain; really?
The rest of the Monday, the sunny Monday, was for the barbecue social event held at the venue. At this stage, and in this connection, one only needs to draw attention to the quality of the food provided at this and so many other conferences. While there is a real and accurate connection between the conference participants' state of mind and the food they eat, one can only wonder why the organisers so often invest rather little in the food they provide as part of the conference ticket. This time lunch consisted of just sandwiches, and while there were plenty of Club-Mates to enjoy and an endless flow of coffee, it surely is neither healthy nor nutritious enough. Again and still, at the barbecue, having sausages grilled does not equal a barbecue but rather a cheap option. Here is a tip for the organisers of the next conference: look at the Chinese way of socialising and eating. Provide large tables as you did this time, but deliver the food as large plates for each table, instead of leaving individuals to queue to reach their own single sausage. Employ a process consultant to optimise the process, and a psychologist to design the optimal social process to maximise networking and socially constructive settings. For example, the actual work of the participants in carrying and delivering the food for their entire table would benefit the community, and build the community, more than individually queuing for their bare, cold and unspiced corn or carrot mash.
On the next day, or was that still the same day, the sessions started with a very interesting and timely demonstration of iOS update channel vulnerabilities. The demonstration came with concrete samples where, via a simple man-in-the-middle attack, one could permanently disable a target's update channel, inject vulnerable versions and otherwise tamper with the highly insecure and completely unencrypted update channel. This again leads to the common question of why update channels, even in the light of recent issues, are not properly secured. Again one could claim that some players benefit from the insecure channels, while others could argue that economics led the vendors into the situation; or is it that the conception of security is heavily and quickly moving out of the domain of the individual or human, back to the state and other corporate actors? Again, in this case, he reported that Apple had received his vulnerability report and had even requested some details, rather than just remaining silent as they so often do, but did not compensate in any way or form the work provided for them. This is what was heard: they just thanked him for the details and that was it.
The second session attended after lunch was a very interesting description of the home and small office router management specification TR69 and its various and horrifyingly vulnerable implementations in the wild. Again, as demonstrated, many, if not most, ISPs are very careless about their customers', people's, humans' private device access, in effect providing public-facing management consoles with no or very weak authentication, which could easily be used to root the end users' routers as well as any internal devices. Again, one could argue that this was another example of conceptual alignment and, in the Foucauldian sense, the obedience of the individual in aligning herself within the domain and its control for the sake of “good fit” and “it works”. After all, we want our trusted ISP in full control of our home, don't we? Did we invite a random customer representative of the ISP into our home to take care of our core objects of devotion? He was rightly asking people, in his slide on what we can do, to raise the issue, request details and demand public policies on the matter from their own ISPs. Additionally, one could argue that there could be legislation or international agreements ensuring that the responsibility of the service providers remains, and that they have to protect their users rather than construct and provide them as vulnerable subjects for other actors.
As a whole, and in the end, this conference was top of the class, really, and something every professional security expert should become familiar with. And as all good things in the world are rare, so is this, as it is still unknown whether they will be able to organise it next year. So, please, admins of the world, watch out and book your flight to the next interesting conference to meet people and learn new skills. After all, that is the best form of competence development one could expect, and one that every employer should be ready to compensate. Two days at a conference equal two years inside a closed cubicle at the office! Also, going to conferences highlights the global nature of the business and lessens the somewhat uncomfortable nationalism that has recently been growing around the cybersecurity domain.
Kristo Helasvuo, Guest Author.