,
270 tweets,
140 min read
Read on Twitter
Its @CHCon_nz time!! 
He used to be a chemical engineer. But he was able to make more $$ and spend time with the family hunting bugs.
Finding a bunch of related vulnerabilities & submitting them all can result in much greater payouts.
#chcon17
#chcon17
Oooh! He uses the Internet Way Back Machine to look for cleaned up JS files/vulnerabilities and see if they're still exploitable.
#chcon17
#chcon17
Now its @bikesbooksbrews talking about NZ's Cyber Strategy.
Don't worry. He's from the government & here to help.
#chcon17
Don't worry. He's from the government & here to help.
#chcon17
As we have a new incoming government, things may shift around a bit.
But this is a good opp for infosec folks to add their 2 cents
#chcon17
But this is a good opp for infosec folks to add their 2 cents
#chcon17
Things that keep Paul awake at night:
- Operation Cloud Hopper
MSP systems getting owned! Massive scale & scope.
Oh no!
- Operation Cloud Hopper
MSP systems getting owned! Massive scale & scope.
Oh no!
"You're telling me I can't have confidence anymore in the security of my IT systems?" CEs
"What do you mean 'anymore'?" Paul
Oh no!
#chcon17
"What do you mean 'anymore'?" Paul
Oh no!
#chcon17
Four pillars of NZ Cyber Strategy driven by four principles.
Everytime he says "cyber" a die a little inside.
#chcon17
Everytime he says "cyber" a die a little inside.
#chcon17
What's the best way to protect us? - Paul
*nerds yelling*
Build a big firewall!
Cut the cable!
#chcon17
*nerds yelling*
Build a big firewall!
Cut the cable!
#chcon17
Privacy & security isn't a zero sum game. Its important for us to have both.
Security shouldn't undermine privacy.
#chcon17
Security shouldn't undermine privacy.
#chcon17
We need to keep our cybers limber with regular exercises. Cyber pilates, if you will.
#chcon17
#chcon17
Need to protect the cybers of SMEs.
Cyber SMEs are cyber too.
We need to boost their cyber to protect them from the cyber.
#chcon17
Cyber SMEs are cyber too.
We need to boost their cyber to protect them from the cyber.
#chcon17
We need to build a cyber platform for SMEs to enable a cyber platform play.
We should see if Margaret Mahy is available.
#chcon17
We should see if Margaret Mahy is available.
#chcon17
Schooling boards on the cyber with babblefish
Its hard having serious conversations with boards, but they perk up for babblefish
#chcon17
Its hard having serious conversations with boards, but they perk up for babblefish
#chcon17
We're training AI to be suspicious like lawyers.
This will help the AI also become suspicious of the cybers.
Oh no!
#chcon17
This will help the AI also become suspicious of the cybers.
Oh no!
#chcon17
There are 11 norms of cyber (🤢) behaviour
1-10 use the term cyber as much as possible
11 don't be an overt (cyber) dick
#chcon17
1-10 use the term cyber as much as possible
11 don't be an overt (cyber) dick
#chcon17
IoTs are getting into the cybers.
IoT cyber surfaces that can easily be singed like cyber toast.
How do we protect our toast?
#chcon17
IoT cyber surfaces that can easily be singed like cyber toast.
How do we protect our toast?
#chcon17
Suspicious files to look at.
They LOVE tampering with Audit logs. Empty logs are super suspicious.
#chcon17
They LOVE tampering with Audit logs. Empty logs are super suspicious.
#chcon17
Lool for suspicious null erased current logins
Most log cleaners usually just null out values.
#chcon17
Most log cleaners usually just null out values.
#chcon17
Watch out for raw socket open, high PIDs, running out of suspicious directories (dev), things delete from disk but still running
#chcon17
#chcon17
Run strings command on suspicious binaries. Find hidden directories it uses to store goodies.
#chcon17
#chcon17
Never ever run debugging on suspicious binaries on a production system. It executes it!
Moved to temp environment
#chcon17
Moved to temp environment
#chcon17
Once malicious actors are in your environment you have the advantage. Pick up their actions
#chcon17
#chcon17
Sandfly Security is building automated tools to detect this stuff.
Keep an eye out for products coming soon!
#chcon17
Keep an eye out for products coming soon!
#chcon17
Now Catherine & Fiona tell us about Pizza Roulette.
Two software testers learning to hack! Pizza...
#chcon17
Two software testers learning to hack! Pizza...
#chcon17
Went and created risk profiles for all the websites to find easy targets.
Look at https headers, fiddler, burp, etc
#chcon17
Look at https headers, fiddler, burp, etc
#chcon17
Can use robots.txt to find pages they don't want indexed (like logins).
So go to them & try to login!
#chcon17
So go to them & try to login!
#chcon17
Case 1 - hacked mobile phone
Your whole life is on your phone. If gets owned your whole life gets owned.
*cough* Android *cough*
#chcon17
Your whole life is on your phone. If gets owned your whole life gets owned.
*cough* Android *cough*
#chcon17
If your Google account gets pwnd, they can pwn your phone again & again. Csn drive you crazy & question reality.
#chcon17
#chcon17
Case 2 - sweat the small stuff
Hackers aren't going to use complicated attacks if you have low hanging fruit.
#chcon17
Hackers aren't going to use complicated attacks if you have low hanging fruit.
#chcon17
Case 3 - carefully consider any value judgement
When measuring outcomes of user awareness training, make useful judgments
#chcon17
When measuring outcomes of user awareness training, make useful judgments
#chcon17
When we say "be careful when clicking unexpected links" what does that mean? Do you click the mouse gently?
NOBODY KNOWS!
#chcon17
NOBODY KNOWS!
#chcon17
Now listening to @kylieengineer talking about L2 attacks against virtual devices.
Basically it takes images & vectorises them and then maps that to paths for the nozzle to follow.
#chcon17
#chcon17
But who wants a slightly inconvenient working pancake bot when you can mske it slightly mlre convenient and/or break it?
#chcon17
#chcon17
Many issues making pancake bot.
Mostly things kept blowing up!
But much more fun playing with something when you csn eat result.
#chcon17
Mostly things kept blowing up!
But much more fun playing with something when you csn eat result.
#chcon17
Now @nzkarit telling us 2FA war stories
Battleship cards: often people just take a picture & store alongside passwords.
Never saved in PW manager
#chcon17
Never saved in PW manager
#chcon17
Allow multiple phones so users can keep old devices enrolled to authorized new devices. Otherwise you need to disable 2FA to change
#chcon17
#chcon17
You need to keep the TOTP seed values secure. Don't show the TOTP value at any time outside of the initial setup
#chcon17
#chcon17
Day 2 of #chcon17 kicking off!
Even when we see people rummaging through rubbish bins or grabbing info from a desk we often don't report it.
#chcon17
#chcon17
Airport business lounges are amazing places for visual hacking. Lots of sensitive information floating around!
#chcon17
#chcon17
How to mitigate visual hacking:
Training is important - need to include ourselves in practice
Need to create solutions for users
#chcon17
Training is important - need to include ourselves in practice
Need to create solutions for users
#chcon17
Suggestion that if users NEED to have passwords written down, they can find passwords in existing doc normally in the office
#chcon17
#chcon17
Anything you put in bins in public is now public info. You want to ensure that any important info is destroyed prior.
#chcon17
#chcon17
Design strategies that discourage breaches in physical security.
Also effective against visual hacking.
#chcon17
Also effective against visual hacking.
#chcon17
Huddle all of your people working on confidential info into spaces that are easier to secure. Where they're harder to approach.
#chcon17
#chcon17
"Have you, as a mitigation strategy, tried just shaming people? We use a topless photo of David Hasselhoff"
#chcon17
#chcon17
Do we need to get a "no Bluetooth" medical bracelet? Or a chain mail shirt to block signals?
#chcon17
#chcon17
Now Frank Keating talking about Free Open Source Network Security Monitoring using Security Onion
#chcon17
#chcon17
Kaikoura earthquake caused building security system to go into "resident evil" mode. They were able to get by removing a window
#chcon17
#chcon17
Security Onion does full packet capture - you can analyze full traffic!
Full intrusion detection tools
#chcon17
Full intrusion detection tools
#chcon17
Use squil or squert to filter alerts so you only get the good stuff!
Enterprise log search & archive.
#chcon17
Enterprise log search & archive.
#chcon17
You need logging & alerts to show you where to look.
Then use that info to dig into the issues
#chcon17
Then use that info to dig into the issues
#chcon17
ELK stack is not secure by default.
But Security Onion secures it with single signon across all deployed services.
#chcon17
But Security Onion secures it with single signon across all deployed services.
#chcon17
It turns out the demo ia plugged into the CTF network. And nobody would mess with it there, oh no!
#chcon17
#chcon17
Now its @NileshPisces & Logan Woods talking about physical security testing: a wolf among the crowd
#chcon17
#chcon17
Physical security recon leads to vulnerability assessment. Look for low hanging fruit to breach
#chcon17
#chcon17
Apparently the favoured Aura Security method is hiding in the bathroom. Recent record was over 3 hours
#chcon17
#chcon17
Try and install a sneaky lan turtle to gain remote network access.
Keep it subtle to avoid detection.
#chcon17
Keep it subtle to avoid detection.
#chcon17
Breakout spaces are good spaces to hide in plain sight. Just look like you're working and people will assume you're legit
#chcon17
#chcon17
Asked for an access card after being seen around the office.
Just said "I'm working on X project with Y"
Access granted!
#chcon17
Just said "I'm working on X project with Y"
Access granted!
#chcon17
Social Engineering - Level 2
"Hi, I'm from IT" You'd better know about IT when they ask you other questions!
#chcon17
"Hi, I'm from IT" You'd better know about IT when they ask you other questions!
#chcon17
What do you do when you get caught?
"People almost never get caught"
Also have a letter of authorization if shit hits the fan
#chcon17
"People almost never get caught"
Also have a letter of authorization if shit hits the fan
#chcon17
Almost nobody is protecting themselves well.
Ensuring physical security is very hard with determined attackers.
#chcon17
Ensuring physical security is very hard with determined attackers.
#chcon17
Make sure you can deliver on your pretext.
If you say you're a plumber make sure you can plumb!
#chcon17
If you say you're a plumber make sure you can plumb!
#chcon17
Threat model:
Tor is not going to protect you against the NSA or a global adversary.
It WILL protect you from protocol attacks.
#chcon17
Tor is not going to protect you against the NSA or a global adversary.
It WILL protect you from protocol attacks.
#chcon17
Attacks on end user idiocy:
Pretty easy to tell you're using Tor. That may be enough to out you
Don't crack under interrogation
#chcon17
Pretty easy to tell you're using Tor. That may be enough to out you
Don't crack under interrogation
#chcon17
Get rid of all unused services/features on all servers/boxes.
Used ansible for hardening.
Or devsec.io
#chcon17
Used ansible for hardening.
Or devsec.io
#chcon17
Create a host based firewall with IP tables.
Set a few rules and then drop all other traffic. Tweak as necessary for server role.
#chcon17
Set a few rules and then drop all other traffic. Tweak as necessary for server role.
#chcon17
Centralized login monitoring is absolutely key.
Set it up in a log stack. Using ELK stack & beats on servers
#chcon17
Set it up in a log stack. Using ELK stack & beats on servers
#chcon17
Set up & enable automated updating.
PATCH PATCH PATCH!
And enable 2FA on everything (yubikey)
#chcon17
PATCH PATCH PATCH!
And enable 2FA on everything (yubikey)
#chcon17
Keep an eye on the logs & monitoring.
Is everything working?
Alerts pointless if you don't look at them.
#chcon17
Is everything working?
Alerts pointless if you don't look at them.
#chcon17
Capture the Flag is a good approachable way into security & hacking
Shout-out to @_TheyCallMeToni
#chcon17
Shout-out to @_TheyCallMeToni
#chcon17
Recruit some peeps to do CTFs with you.
Toni got @GracieNoLag & @kevinnz to join in. Some good peeps!
#chcon17
Toni got @GracieNoLag & @kevinnz to join in. Some good peeps!
#chcon17
CTF is great because you can work it around your schedule.
Most people have busy lives - need to work around those commitments.
#chcon17
Most people have busy lives - need to work around those commitments.
#chcon17
Is @ryankurte working on his talk?
No.
He found another doppelganger & now they're taking selfies
#chcon17
No.
He found another doppelganger & now they're taking selfies
#chcon17
At the beginning we had computers and it was good.
Then we invented the internet and we haven't recovered since.
#chcon17
Then we invented the internet and we haven't recovered since.
#chcon17
How do we build a CA?
We need to store them on a FIPS certified device... Which includes A LOT of random junk
Lets use Yubikeys!
#chcon17
We need to store them on a FIPS certified device... Which includes A LOT of random junk
Lets use Yubikeys!
#chcon17
Lots of code magic to create a root certificate & cross sign it.
OpenSSL goes badly.
Ryan is sad.
#chcon17
OpenSSL goes badly.
Ryan is sad.
#chcon17
We could go through the normal CA channels or... We could just publish it on the internet!!
#chcon17
#chcon17
Used some staples to wire the arduino up to the camera.
We're in!
But bootloader is PW locked...
#chcon17
We're in!
But bootloader is PW locked...
#chcon17
Coming back months later Jeremy actually found a bug! 💵 💵 💵
Learning:
90 days is long! Make sure you read the policy! Do recon
#chcon17
Learning:
90 days is long! Make sure you read the policy! Do recon
#chcon17
Next, Jeremy decided to hack a switch. Basically this talk was a justification so he could tell his wife he bought it "for work"
#chcon17
#chcon17
Now its @dunderhay (a @ryankurte doppelganger) showing us Project Walrus. RFID card cloning!
#chcon17
#chcon17
Hacking poor Diana (not her real name). Set some ground rules.
Got email from LinkedIn & phone from searching Google!
#chcon17
Got email from LinkedIn & phone from searching Google!
#chcon17
And @troyhunt is referenced again!
Using @haveibeenpwned to see if an email was in any breach.
#chcon17
Using @haveibeenpwned to see if an email was in any breach.
#chcon17
And "Alex" JUST HAPPENED to have the Tumblr dump which included password hashes.
Shenanigans ensure
#chcon17
Shenanigans ensure
#chcon17
So lets create a email account that looks like it came from Microsoft.
But can't use "Microsoft", so let's use omicrons for "o" s
#chcon17
But can't use "Microsoft", so let's use omicrons for "o" s
#chcon17
So we send her a phishing email with link to a google doc to review. It prompts for password but she enters one we've already got!
#chcon17
#chcon17
So, we set it so it that it says the password is rejected for the first 3 tries so we can collect more passwords
#chcon17
#chcon17
He got it!
Read the whole story here. There is much, much more!
defaultnamehere.tumblr.com/post/163734466…
#chcon17
Read the whole story here. There is much, much more!
defaultnamehere.tumblr.com/post/163734466…
#chcon17
And thats a wrap!
Thanks to the amazing @CHCon_nz team:
@kevinnz
@phage_nz
@mrdanwallis
@binarymist
Fucking excellent work!
#chcon17
Thanks to the amazing @CHCon_nz team:
@kevinnz
@phage_nz
@mrdanwallis
@binarymist
Fucking excellent work!
#chcon17
First prize for speakers went to Fiona and Catherine!
Awesome work!
(they ran away too quickly!)
#chcon17
Awesome work!
(they ran away too quickly!)
#chcon17
In case anyone at #chcon17 want any of my horrible photos, you can find the whole (unedited) lot here:
dropbox.com/sh/d48re1t2t8o…
dropbox.com/sh/d48re1t2t8o…
