For the second year running I attended the BSides Manchester conference, held at the Manchester Metropolitan University Business School on Thursday 16th August. This is a technical cybersecurity conference organised by a dedicated team of volunteers. I was really impressed by last year's conference, so was really keen on attending this year.
After collecting a decent amount of swag I attended the first talk of the day, which was Joe Gardener with his talk Tricking binary trees: the (in)security of machine learning. Joe looked at machine learning security systems in use and how it was possible to 'poison' them using different techniques. The ultimate aim was to show how they could be bypassed and then how to protect against that kind of attack. The talk was full of theory and was well organised to disseminate the sometimes complex information.
Next up was Welcome home: Internet open telemetry, with Martin Hron. This talk looked primarily at Internet of Things (IoT) devices and the MQTT protocol that can be used to report on and control those devices. Martin began by showing how MQTT could be used to automate a home and then went on to show how poorly these systems are secured on the internet. In fact, Martin showed a few examples of data that he had captured from systems that people were using. One example was where he captured the GPS information from a person's phone that was synchronised back to an MQTT dashboard and showed them travelling around an area on a map over a period of a few days. Martin finished by showing examples of MQTT dashboards that can be easily found on the internet and demonstrated what kind of things people left exposed. Through this he was able to turn people's lights on and off, play music, see if doors were open, and even view security camera footage. Scary stuff, and I was amazed how easy it was to find these completely unsecured dashboards.
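The exposure Martin describes comes down to brokers that accept a CONNECT with no credentials and then let anyone subscribe to every topic. The following is an added example, not code from the talk: it hand-builds the MQTT 3.1.1 CONNECT and SUBSCRIBE packets and decodes the CONNACK return code, so you can check whether one of your own brokers accepts anonymous clients. The hostname, port and client id in `probe_anonymous` are placeholders you supply; the packet encoding follows the MQTT 3.1.1 specification.

```python
"""Probe an MQTT broker for anonymous access (added example, not from the talk).

An MQTT 3.1.1 CONNECT with the username/password flags clear is sent and the
CONNACK return code is read. A return code of 0 means the broker accepted an
anonymous session, which is the exposure behind the open dashboards above.
"""
import socket
import struct

# CONNACK return codes from MQTT 3.1.1 section 3.2.2.3
CONNACK_CODES = {
    0: "connection accepted (anonymous access allowed)",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad username or password",
    5: "not authorized",
}


def _encode_remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length' field: 7 bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _mqtt_string(s: str) -> bytes:
    """UTF-8 string prefixed with a big-endian 16-bit length."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_connect(client_id: str, username=None, password=None, keep_alive=30) -> bytes:
    """CONNECT packet. With no username/password the connect flags only set Clean Session."""
    flags = 0x02  # Clean Session
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password)
    var_header = _mqtt_string("MQTT") + bytes([0x04, flags]) + struct.pack(">H", keep_alive)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def build_subscribe(topic_filter: str, packet_id: int = 1, qos: int = 0) -> bytes:
    """SUBSCRIBE packet; '#' asks for every topic the broker will let us see."""
    body = struct.pack(">H", packet_id) + _mqtt_string(topic_filter) + bytes([qos])
    return bytes([0x82]) + _encode_remaining_length(len(body)) + body


def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code, rejecting anything that is not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return data[3]


def probe_anonymous(host: str, port: int = 1883, timeout: float = 5.0):
    """Connect with no credentials and report what the broker said (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("bsides-probe"))  # placeholder client id
        code = parse_connack(sock.recv(4))
    return code, CONNACK_CODES.get(code, "unknown return code")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "broker.example"  # placeholder host
    print(target, *probe_anonymous(target))
```

If the broker answers with return code 0, the next thing an attacker would do is send `build_subscribe("#")`; a broker configured to require authentication should instead answer 5 (not authorized) or 4 (bad username or password) and drop the connection.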
After a quick coffee break I went to see the talk by Chris Boys on The Digital Entropy of Death. Chris talked about what companies are doing about their users who have either died or become incapacitated. Previously, many companies did nothing and as a result many such accounts were hacked. This made it seem like dead people were suddenly becoming active again, which was quite distressing for people. More recently, many companies have created the concept of inactive accounts, where users can't log in but their accounts remain present on the internet. This talk also looked at the wider concept of digital rot, where websites, pictures and links go missing without warning.
After lunch I went to see It's a PHP unserialization vulnerability Jim, but not as we know it, with Sam Thomas. Looking mainly at PHP Phar files, this was an investigation and demonstration of how they can be used to deliver code into vulnerable systems. Sam demonstrated that he could create a polyglot file containing a JPEG header and a Phar payload and use it to execute PHP code on a number of different PHP-based CMS systems.
I then went to see Burp Replicator: automate reproduction of complex vulnerabilities, with Paul Johnston. Burp Replicator is an extension for Burp Suite that allows security consultants to send vulnerabilities to developers so that they can reproduce the same situation and confirm that the vulnerability is fixed. Once fixed, the Replicator tool shows the status of the vulnerability and allows security consultants to re-test the mitigation. Paul unfortunately had a bunch of technical issues during the talk, but was able to show off the tool enough that everyone understood what was going on.
The penultimate talk of the day was with James Kettle, who talked about Practical web cache poisoning: redefining "unexploitable". James showed how he had started on the idea of trying to poison cache systems by throwing random headers at websites. He demonstrated that sites were using these headers and altering the page to include information from those headers. This wasn't a problem until the cache layer got involved and cached the altered response. Sites like Red Hat and Unity 3D were vulnerable to the attack, and he was able to inject code into them using just headers and have it cached for other users to pick up. He then started talking about a header called X-Original-URL, which I thought was a little familiar. James then went on to show a vulnerability that he found in Drupal that I had been working to patch a couple of weeks ago. The attack was caused by the Drupal internal caches being poisoned using this X-Original-URL header and external cache systems exposing that poisoned cache. He finished up by saying the best defence against this situation was to not use cache systems, although he did say that this was impossible for most sites. Ultimately, cache poisoning is not theoretical, and frameworks can hide serious flaws that are difficult to spot because the cache layer masks them. After the talk I went up and thanked James for his efforts surrounding the Drupal security patch.
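The mechanism James describes, a header the origin reflects but the cache does not key on, is easy to reproduce in-process. The following is an added example, not code from the talk or from Drupal: a hypothetical origin builds a script URL from the `X-Forwarded-Host` request header (one of the unkeyed headers James's research abused), a shared cache in front of it keys responses on the path only, and one attacker request plants a response that every later visitor receives. The same harness then shows the two fixes a cache operator actually has: strip the unkeyed header before it reaches the origin, or fold it into the cache key. All hostnames and the origin are constructed for the example.

```python
"""Web cache poisoning via an unkeyed header, simulated in-process.

Added example, not code from the talk. The origin, cache and hostnames
(www.example.com, evil.example) are all constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(req: Request) -> Response:
    """Hypothetical origin: trusts X-Forwarded-Host when building an asset URL.

    This is the bug. The header is attacker-controlled and the response is
    marked cacheable, so whatever host the attacker supplies ends up in the
    page that the cache hands to everyone else.
    """
    host = req.headers.get("X-Forwarded-Host", "www.example.com")
    body = f'<html><script src="https://{host}/static/app.js"></script></html>'
    return Response(200, {"Cache-Control": "public, max-age=600"}, body)


class Cache:
    """Minimal shared cache in front of `origin`.

    keyed_headers: request headers folded into the cache key (fix #2).
    strip_headers: request headers removed before forwarding (fix #1).
    With neither, the key is the path alone, which is the vulnerable setup.
    """

    def __init__(self, keyed_headers=(), strip_headers=()):
        self.keyed_headers = tuple(keyed_headers)
        self.strip_headers = {h.lower() for h in strip_headers}
        self.store = {}

    def _key(self, req: Request):
        return (req.path,) + tuple(req.headers.get(h) for h in self.keyed_headers)

    def fetch(self, req: Request) -> Response:
        key = self._key(req)
        if key in self.store:
            return self.store[key]
        forwarded = Request(
            req.path,
            {k: v for k, v in req.headers.items() if k.lower() not in self.strip_headers},
        )
        resp = origin(forwarded)
        if "public" in resp.headers.get("Cache-Control", ""):
            self.store[key] = resp
        return resp


def victim_body_after_poisoning(cache: Cache, evil_host: str = "evil.example") -> str:
    """Attacker primes the cache for '/', then an unrelated victim requests '/'."""
    cache.fetch(Request("/", {"X-Forwarded-Host": evil_host}))
    return cache.fetch(Request("/")).body


def is_poisoned(body: str, evil_host: str = "evil.example") -> bool:
    """True if the page now loads its script from the attacker's host."""
    return f"https://{evil_host}/" in body


if __name__ == "__main__":
    print("path-only cache key :", is_poisoned(victim_body_after_poisoning(Cache())))
    print("header stripped     :", is_poisoned(victim_body_after_poisoning(Cache(strip_headers=["X-Forwarded-Host"]))))
    print("header in cache key :", is_poisoned(victim_body_after_poisoning(Cache(keyed_headers=["X-Forwarded-Host"]))))
```

Keying on the header stops the cross-user poisoning but still leaves the origin reflecting attacker input back to the attacker, so stripping (or the origin ignoring the header entirely) is the stronger fix; in the real world the first step is finding out which headers your origin honours, which is what James's header-fuzzing approach automates.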
The final talk of the day was Incident response for dummies from Julian Pileggi. Julian detailed what to do with a system after an attack has been noticed, including some do's and don'ts for investigating such attacks. He then went into investigating an attack on a Windows machine, which was really interesting but not really useful from my perspective, as I haven't used Windows for at least 6 years.
Overall, a really good conference that has left me thinking about some important subjects. Videos for all the talks are available from the BSides website, so I will be catching up on some of the talks that I didn't get to see this year. I'm looking forward to next year's conference already!