I recently attended the BSides Manchester conference, which was held at Manchester Metropolitan University Business School on 17th August 2017. This was a security and hacking conference that was free to attend, but had a very limited number of tickets available. After missing the first two releases of tickets I managed to get one from the waiting list.
After some introductions we got started with the first talk of the day, which was Dominic Chell & Vincent Ylu talking about A Year In The Red. As a non-security professional I had to Google exactly what some of the terms in this talk meant. So apparently red team refers to a security consultancy who are hired to attack a system or network. Conversely, blue team is a security team that is resident within an organisation. A funny talk with some good demonstrations of hacking attacks.
Straight after was James Kettle with Cracking The Lens: Targeting HTTP'S Hidden Attack-Surface. This was a look at some research that James had done on sending requests to websites and essentially seeing what happens. It turns out that quite a lot happens really. James was able to craft HTTP requests in such a way as to allow him to access machines within a network via a mis-configured proxy server. This was one of the better talks of the day and clearly demonstrated that poor (or just default) configuration can lead to severe security problems.
Once I had refueled on coffee I went to see Leigh-Anne Galloway with a talk about Money Makes Money: How To Buy An ATM And What You Can Do With It. Leigh-Anne gave a good introduction about how to go about buying an ATM, what to do with it once you had it, and some insight into the security of a typical ATM. Much of the talk was devoted to actually getting an ATM, which turned out to be quite easy by simply approaching the supplier and buying one. It turns out that an ATM weighs quite a lot and Leigh-Anne had a big problem of where to put a machine that weighed over 700kg. It weighs so much that it even broke the concrete floor of the converted warehouse where she lives. What was interesting about the security around an ATM was the fact that everything is geared towards not allowing access to the internals. Once you have access to the internals then, the average ATM is pretty open and you can do whatever you want with it.
After a very nice lunch I went to see Michael Hegarty talk about The Impact Of Steganography On Electronic Communications. Steganography is the process of hiding a message in plain site, but this talk was focused on the use of steganography in images. To hide a message in an image you just change the colours of that image slightly to encode an image within it. Doing this in noisy images allows the message to be hidden in a much more effective manner. There are apparently many tools to aid in encoding messages into images and the technique can be used for watermarking images or just sending hidden communication. Michael looked at the use of steganography on the web, and downloaded images from ebay to see if there was any steganography in play. As it happens the image processing that ebay does on images (in order to reduce their size) appears to strip the steganography out of the images and Michael found very little evidence of it being used. This is in contrast to vk.com, where he did the same analysis and found some evidence of steganography.
The next talk was meant to be called Enemies Of The West, which was a look into the Sony Pictures hack from 2014 from Neil Lines. Unfortunately, Neil swapped the talk last minute with a look at how to get a powerscript shell past email systems. This ended up being not all that interesting and boiled down to Neil finding an exploit in 7 year old software that had been patched long ago. I would have far preferred the Sony Playstation hack talk.
The penultimate talk of the day was Fast Forward 10 Years: Fact, Fiction & Failure with Ian Trump. Far from being a bunch of guess work this was an extremely well researched and thought out talk on the future of technology, cyber-crime, cyber-warfare, automation and the Internet. Ian looked at current events and how the result of that event would effect the world going forward. This was events like the recent NHS hack to things like driver less cars. Hands down one of the most interesting talks of the conference and I have encouraged people to watch the video to get and idea of how the world will change in the next 10 years.
The final talk of the event was Scott Helme with Revocation Is Broken, Here's How We're Fixing It. This was a look at what happens when a SSL private key is stolen. If a SSL private key is stolen then it's possible for an attacker to pose as you, which makes man in the middle attacks much easier to pull of and much harder to spot. As it turns out, there isn't an awful lot that can be done currently. Scott worked through some different models that are currently being worked on and how they go towards solving the problem. Technologies like OCSP stapling allow you to continually prove that the certificate you issue is the current, secured, certificate. Ultimately, the reason these technologies are being worked on is because certificates that have an expiration of 2 years are common place. Services like Let's Encrypt are changing this by allowing certificates with expiry dates of days to be issued.
Overall, BSides Manchester was a fantastic conference with a really friendly vibe. Really interesting to see such an active security community in Manchester and to be a part of it for the day. I have posted the links to various YouTube videos in this post and I would advise watching them. More can be found on the slides and video page on the BSides Manchester site. I thoroughly recommend attending next year's event.