Hanging at a2y.asm
Yesterday, I was at Arbsec’s a2y.asm “(as in Ann Arbor / Ypsilanti assembly) [which] is a mini-conference aimed at showcasing presentations on hacking and computer security-related topics by practitioners, researchers, etc. in/around the greater Ann Arbor area.” It’s a small, local, group of Michigan infosec people and it was a lot of fun. The venue was Bona Sera, a nice bar with a basement level big enough for all of our activities. The sponsors were Duo, Optiv, and Threatbutt and they had some pretty cool swag like stickers, buttons, pens, and playing cards.
The mini-con was only on Saturday, but we still packed in a lot of talks. It started at 11am and went to 6pm. For those of you that went, I was the kid sitting in the front row with a note pad trying to learn everything and anything about security so I was scribbling away the whole time. Here are a couple points from each talk.
Phishing Higher Education
A talk about phishing EMU faculty and what was learned
- Who cares? People skip, ignore, or click blindly. A lot of users just don’t seem to care about the risk of the e-mails and the links inside them.
- Don’t Threaten. E-mails like “We have your accounts, click this or we post bad things” just don’t work.
- Sometimes people just don’t check their e-mails. Not every attempt will get a response, people go on vacation or are out of office, sometimes a phishing campaign won’t get as many hits as usual.
- Emotion – Use convincing, moving, or aggravating content to get users to swallow the bait, things that got people riled up had a higher percentage of success.
- Greed and Fear. People also click for money or to avoid something that will make their life harder. Go figure.
- Food! Mom always said the fastest way to someone’s heart was through their stomach, that works for phishing campaigns as well.
Real word TLS
What is it and how to break it
- TLS is old, use SSL
- It’s not perfect: Logjam, FREAK, POODLE, and Heartbleed are all recent examples of how it fails
- Start using Zmap to try and detect other issues before they become major
Your network diagram is wrong & how to deal with it
How hackers get in and how to cope with flaws
- Diagrams are always missing something, companies grow too fast and documentation slips. That’s where hackers get in.
- Security Operations need to focus on policy and implementation, not just products and band-aids
- Both blue and red team need to consider a network’s architecture, so a correct diagram is important
Hidden in plain sight
technical details of the backdooor for DUAL_EC_DRBG psuedo-random number generator
- Elliptic curve crypto provided by NIST has a backdoor
- A “key” allows a outsider to decrypt the encryption, and it’s assumed the provider (NIST) has that “key”
- Simplifying it to produce a weakened version of this prng to attack for yourself as a test case that a backdoor exists.
WiFi intrusion detection using Raspberry Pis
Using raspberry pis with kismet and airodump to triangulate intrusive hotspots and devices.
- 1/4 the price of a similar professional set up
- Verifies interference, finds intruders, solves user problems
- Limited by hardware specs: runs on the same bus (slow) and limited scanning range (A/AC wifi only)
Malware on medical devices
Just because it’s not a laptop, doesn’t mean you can’t hack it
- Hospital equipment is hackable, there’s outdated or no security on most devices
- IoT innovations vs Security: devices are more at risk as things get connected
- Hospitals are one of the biggest examples of lacking security and the risks that could arise.
Plugin Support in mitmproxy
MITMProxy is a popular open source Python-based HTTP(S) interception proxy
- Speaker has made plugins to configured and trigger mitmproxy
- visual presentation of information
- run actionable scripts
- configurable options for settings
Hacking IoT Baby Monitors
Even babies aren’t safe from hackers
- The top 9 IoT monitors are hackable in multiple ways, even the expensive ones
- Even you can reverse engineer code on hardware, try a Pomona clip or bus pirate
- Firmware is usually more open than secure, telnet is probably open for example
- Web APIs aren’t that secure either, don’t forget XSS and default passwords.
Disclaimer: Some information was copied directly from a2y.asm however all comments and thoughts are my own interpretation of the talks. This is in no way a complete summary of the conference, I wasn’t able to understand everything 😛