270 tweets, 140 min read
It's @CHCon_nz time!!
Kicking off @CHCon_nz!

#chc17
Now it's @yappare talking about how to get in & stay in the top 5 in Bugcrowd!

#chcon17
He used to be a chemical engineer. But he was able to make more $$ and spend time with the family hunting bugs.
Don't worry about the cool, sexy bugs.

Go for the boring bugs that others pass up.

#chcon17
Finding a bunch of related vulnerabilities & submitting them all can result in much greater payouts.

#chcon17
JS is your friend.

Lots of hidden bugs.

#chcon17
The main tools @yappare uses:

#chcon17
Oooh! He uses the Internet Archive's Wayback Machine to look for cleaned up JS files/vulnerabilities and see if they're still exploitable.

#chcon17
Now it's @bikesbooksbrews talking about NZ's Cyber Strategy.

Don't worry. He's from the government & here to help.

#chcon17
As we have a new incoming government, things may shift around a bit.

But this is a good opp for infosec folks to add their 2 cents
#chcon17
Things that keep Paul awake at night:

- Operation Cloud Hopper

MSP systems getting owned! Massive scale & scope.

Oh no!
"You're telling me I can't have confidence anymore in the security of my IT systems?" CEs
"What do you mean 'anymore'?" Paul
Oh no!
#chcon17
Four pillars of NZ Cyber Strategy driven by four principles.

Every time he says "cyber" I die a little inside.

#chcon17
What's the best way to protect us? - Paul

*nerds yelling*

Build a big firewall!
Cut the cable!

#chcon17
Privacy & security isn't a zero sum game. It's important for us to have both.

Security shouldn't undermine privacy.

#chcon17
The Cyber *throws up a little in mouth* Security action plan

#chcon17
WE HAVE A CERT!!! WOOHOO!!

#chcon17
We have GCSB protecting us. Yes. That's definitely what they do. Nothing else.

#chcon17
We need to keep our cybers limber with regular exercises. Cyber pilates, if you will.
#chcon17
Need to protect the cybers of SMEs.

Cyber SMEs are cyber too.

We need to boost their cyber to protect them from the cyber.

#chcon17
We need to build a cyber platform for SMEs to enable a cyber platform play.

We should see if Margaret Mahy is available.

#chcon17
Schooling boards on the cyber with babblefish

It's hard having serious conversations with boards, but they perk up for babblefish

#chcon17
We're training AI to be suspicious like lawyers.

This will help the AI also become suspicious of the cybers.

Oh no!

#chcon17
We need to deal with the cyber (🤢) crime.

We need to cooperate internationally.

#chcon17
There are 11 norms of cyber (🤢) behaviour

1-10 use the term cyber as much as possible
11 don't be an overt (cyber) dick

#chcon17
We depend on exports.

Cyber (🤢) exports are good. They flow like water into other cybers.

#chcon17
IoTs are getting into the cybers.

IoT cyber surfaces that can easily be singed like cyber toast.

How do we protect our toast?

#chcon17
We may have stolen a table.

#chcon17
Next up: command line forensics for linux by Sandfly Security

#chcon17
Don't worry about persistent attacks.

Worry about CRAP first.

#chcon17
Zero day attacks are expensive.

Very unlikely to be used on you.

#chcon17
Now it's @yappare talking about how to get into the Bugcrowd top 5

#chcon17
Basic concepts:

Look at systems acting odd & look in suspicious directories/files

#chcon17
Basic commands, commonly targeted directories, & suspicious directories

#chcon17
More on suspicious directories

#chcon17
Suspicious files to look at.

They LOVE tampering with Audit logs. Empty logs are super suspicious.

#chcon17
Look at temp directory. Often used as a scratchpad for malicious stuff.

#chcon17
Look for suspicious null erased current logins

Most log cleaners usually just null out values.

#chcon17
Same applies for bad logins

#chcon17
Look for suspiciously modified system files

#chcon17
See if you can spot suspicious processes

#chcon17
Watch out for raw sockets open, high PIDs, running out of suspicious directories (dev), things deleted from disk but still running

#chcon17
Run strings command on suspicious binaries. Find hidden directories it uses to store goodies.

#chcon17
Never ever run debugging on suspicious binaries on a production system. It executes it!

Moved to temp environment

#chcon17
Once malicious actors are in your environment you have the advantage. Pick up their actions

#chcon17
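The "nulled out" login records mentioned above are easy to spot once you parse the binary wtmp/utmp/btmp format. This is an added example, not code from the talk or from Sandfly Security; it assumes the glibc x86_64 record layout and uses a constructed sample wtmp byte string.

```python
# Added example: parse Linux wtmp/utmp/btmp records and flag entries that a log
# cleaner has zeroed instead of removed. Assumes the glibc x86_64 layout (384 bytes).
import struct
from dataclasses import dataclass

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, tv_sec, tv_usec, ut_addr_v6, __unused
UTMP_FORMAT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
USER_PROCESS = 7  # ut_type for an interactive login


@dataclass
class UtmpRecord:
    index: int
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int
    raw: bytes


def _cstr(b: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list:
    """Split a wtmp/utmp/btmp byte string into records (trailing partial data ignored)."""
    records = []
    for i in range(len(data) // UTMP_SIZE):
        chunk = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        (ut_type, pid, line, _id, user, host, _term, _exit, _session,
         tv_sec, _usec, _addr, _unused) = struct.unpack(UTMP_FORMAT, chunk)
        records.append(UtmpRecord(i, ut_type, pid, _cstr(line), _cstr(user),
                                  _cstr(host), tv_sec, chunk))
    return records


def suspicious_records(data: bytes) -> list:
    """Return (index, reason) for records that look nulled rather than written by login."""
    findings = []
    for r in parse_utmp(data):
        if r.raw == b"\x00" * UTMP_SIZE:
            findings.append((r.index, "all-zero record (nulled by log cleaner?)"))
        elif r.ut_type == USER_PROCESS and (not r.user or not r.line):
            findings.append((r.index, "login record with blank user/line"))
        elif r.ut_type == USER_PROCESS and r.tv_sec == 0:
            findings.append((r.index, "login record with zero timestamp"))
    return findings


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one record the way glibc lays it out (used only to construct sample data)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"", b"")


# Constructed sample wtmp: a normal login, a login whose user field was wiped,
# and a fully zeroed record -- the two patterns a lazy log cleaner leaves behind.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1508889600)
    + make_record(USER_PROCESS, 1337, "pts/1", "", "", 1508893200)
    + b"\x00" * UTMP_SIZE
)

if __name__ == "__main__":
    for idx, why in suspicious_records(SAMPLE_WTMP):
        print(f"record {idx}: {why}")
```

Point it at a real file with `suspicious_records(open("/var/log/wtmp", "rb").read())`; a clean wtmp should yield an empty list.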
Sandfly Security is building automated tools to detect this stuff.

Keep an eye out for products coming soon!

#chcon17
Love the #chcon17 title:

Down-Downunder
Cyb_r Nuisance
Summit 2017
Now Catherine & Fiona tell us about Pizza Roulette.

Two software testers learning to hack! Pizza...

#chcon17
Brainstormed things to hack. Not many suitable for newbies. Until... PIZZA!

#chcon17
Perceived starting point vs actual starting point:

#chcon17
With the right tools (Shodan, SSL Labs, etc) you can collect a lot of info!

#chcon17
Went and created risk profiles for all the websites to find easy targets.

Look at https headers, fiddler, burp, etc

#chcon17
Shout out to @troyhunt's hack yourself first course!

Great resource for beginners!

#chcon17
Apparently @kevinnz was a REALLY HELPFUL advisor.

"Don't get arrested! Here is the NZ crimes act!"

Sounds like Kevin...

#chcon17
A bunch of sites are redirecting https to http - naughty!

#chcon17
Can use robots.txt to find pages they don't want indexed (like logins).

So go to them & try to login!

#chcon17
They could use random order numbers to see others' orders (and personal info)!

#chcon17
They found 6 of the @owasp top 10 vulnerabilities!

#chcon17
Lessons learned:

- keep it simple, stupid
- hacking takes a lot of time
- mentorship is a must (even if it is @kevinnz)

#chcon17
Catherine & Fiona decided to do the right thing and report the findings securely to @CERTNZ!

Awesome work!

#chcon17
And now we're having free pizza!

Completely unrelated to the pizza hacking talk I'm sure.

#chcon17
Temporarily escaped the madness of the con to relax at Volstead.
@rafaelmagu @pikelet @DevTroy
Now Declan from @CERTNZ telling interesting stories

#chcon17
Important to note that @CERTNZ is a CERT for all people, not just gov & corporate.

If you call, they will help you.

#chcon17
Case 1 - hacked mobile phone

Your whole life is on your phone. If it gets owned your whole life gets owned.

*cough* Android *cough*

#chcon17
If your Google account gets pwnd, they can pwn your phone again & again. Can drive you crazy & question reality.

#chcon17
For the love of all that is shiny - don't buy phones that don't receive security updates.

#chcon17
Case 2 - sweat the small stuff

Hackers aren't going to use complicated attacks if you have low hanging fruit.

#chcon17
"Absolute security is hard, but basic security is not"

Excellent advice from Declan

#chcon17
PATCH ALL THE THINGS.

Patch early & often.

Don't allow anything to be out of scope.

#chcon17
Case 3 - carefully consider any value judgement

When measuring outcomes of user awareness training, make useful judgments

#chcon17
When we say "be careful when clicking unexpected links" what does that mean? Do you click the mouse gently?

NOBODY KNOWS!

#chcon17
I'm really enjoying "ranty Declan"

#chcon17
CERT has no laws or regulatory authority. They're just good people who help people.

#chcon17
.@CERTNZ averages one juicy incident per day.

There is always a fire somewhere.

#chcon17
Now listening to @kylieengineer talking about L2 attacks against virtual devices.
Exploiting Virtual Trunking Protocol to escape a VLAN

#chcon17
How to harden a physical switch:

#chcon17
How to harden a virtual switch:

#chcon17
Exploit mitigation summary:

#chcon17
Setting up an NSX install to play with (break)

#chcon17
Don't trust something just because a vendor says it's more secure!

#chcon17
Summary:

Awesome job @kylieengineer!

#chcon17
Feeling pretty tired... Hopefully all this sugar will perk me up!

#chcon17
Look! I'm feeling better already!

#chcon17
Now it's @ch4db0t talking about his pancake bot!

#chcon17
Basically a 2D CNC machine that makes custom pancakes!

#chcon17
Basically it takes images & vectorises them and then maps that to paths for the nozzle to follow.

#chcon17
Whats in the box?

#chcon17
But who wants a slightly inconvenient working pancake bot when you can make it slightly more convenient and/or break it?

#chcon17
Using Marlin firmware that is well commented and actually works!

#chcon17
The Franken-pancake bot

#chcon17
Future plans for pancake bot:

#chcon17
Many issues making pancake bot.

Mostly things kept blowing up!

But much more fun playing with something when you can eat the result.

#chcon17
Next up: @PeteChestna on building developers into security champions

#chcon17
We're getting hacked all the time & getting owned for really stupid reasons.

#chcon17
Release timelines and team sizes for development teams:
Waterfall vs agile vs devops

#chcon17
Now @nzkarit telling us 2FA war stories
SMS 2FA is a trash fire.

It's expensive & telcos are now responsible for your security.

#chcon17
Often trivial to swap the user's phone number onto a new SIM

#chcon17
Also exploits that allow interception

#chcon17
Battleship cards: often people just take a picture & store alongside passwords.

Never saved in PW manager

#chcon17
TOTP tokens: people just point webcams at them.

Such convenience!

#chcon17
No known exploits on U2F. But people still lose them...

#chcon17
Allow multiple phones so users can keep old devices enrolled to authorize new devices. Otherwise you need to disable 2FA to change
#chcon17
Only allow each 2FA token one use to defend against replay attacks

#chcon17
You need to keep the TOTP seed values secure. Don't show the TOTP value at any time outside of the initial setup

#chcon17
Email IS NOT 2FA.

#chcon17
Use 2FA everywhere. No excuses.

#chcon17
How to encourage users to use 2FA:

#chcon17
Wraps up thoughts on 2FA

#chcon17
Day 2 of #chcon17 kicking off!
Now Drew Hinkley is talking about visual hacking

#chcon17
Visual hacking: the oldest form of hacking.

Gathering info without digital footprint

#chcon17
Kinds of information.

How much do you care if it gets out?

Meh?
Oh no!
🔥
🔥
🔥

#chcon17
How vulnerable are we to visual hacking?

Pretty damn vulnerable!

#chcon17
Even when we see people rummaging through rubbish bins or grabbing info from a desk we often don't report it.

#chcon17
Airport business lounges are amazing places for visual hacking. Lots of sensitive information floating around!

#chcon17
How it works:

I take a step - what can I see?

#chcon17
Resource rooms are a gold mine!

#chcon17
Unattended workstations left unlocked!

#chcon17
Visual hacking used for targeted surgical attacks to acquire specific high value info

#chcon17
How to mitigate visual hacking:

Training is important - need to include ourselves in practice

Need to create solutions for users

#chcon17
Suggestion that if users NEED to have passwords written down, they can find passwords in existing doc normally in the office

#chcon17
I see where Drew is going here, but I'm still a bit dubious...

#chcon17
Anything you put in bins in public is now public info. You want to ensure that any important info is destroyed prior.

#chcon17
Design strategies that discourage breaches in physical security.

Also effective against visual hacking.

#chcon17
Huddle all of your people working on confidential info into spaces that are easier to secure. Where they're harder to approach.

#chcon17
"Have you, as a mitigation strategy, tried just shaming people? We use a topless photo of David Hasselhoff"

#chcon17
Now it's Agnetha telling us about hacking medical devices!

Also mountain unicycling?

#chcon17
That's less than ideal.

Better take grandma in for a firmware update...

#chcon17
What if you want to play with a new device?

FDA often publishes all the specs! Helpful!

#chcon17
Must be some easy way to change settings on these med devices. Doctors aren't hackers!

#chcon17
Live demo hacking medical devices with Agnetha!!

#chcon17
Using device's built in debuggers to explore the device and figure out how it works.

#chcon17
Now hacking Bluetooth, is that a @ryankurte OnePlus3?

#chcon17
"Now we're running a Bluetooth Smasher"

#chcon17
Now scanning for all the Bluetooth devices in the room

#chcon17
You can build your own Bluetooth LE fuzzing tools!

#chcon17
Do we need to get a "no Bluetooth" medical bracelet? Or a chain mail shirt to block signals?

#chcon17
Please, med device makers, make your devices more secure!

#chcon17
Med device hacking tools!

#chcon17
It's fun watching @jsstott still working on his slides.

:D

#chcon17
Now Frank Keating talking about Free Open Source Network Security Monitoring using Security Onion

#chcon17
Kaikoura earthquake caused building security system to go into "resident evil" mode. They were able to get by removing a window

#chcon17
You want to try and sneak malicious stuff into user's normal workflows.

#chcon17
Even big, well resourced companies have security breaches

#chcon17
Why use security onion?

It's super super easy and it just works

#chcon17
Most breaches have average of 146 day dwell time.

That's AGES.

#chcon17
Security Onion is a very flexible solution

#chcon17
Security Onion does full packet capture - you can analyze full traffic!

Full intrusion detection tools

#chcon17
Use Sguil or Squert to filter alerts so you only get the good stuff!

Enterprise log search & archive.

#chcon17
You need logging & alerts to show you where to look.

Then use that info to dig into the issues

#chcon17
ELK stack is not secure by default.

But Security Onion secures it with single signon across all deployed services.

#chcon17
Use Sysmon or OSSEC to gather data on endpoints to import it into Security Onion

#chcon17
Demo fail! Oh no!

#chcon17
It turns out the demo is plugged into the CTF network. And nobody would mess with it there, oh no!

#chcon17
Now it's @NileshPisces & Logan Woods talking about physical security testing: a wolf among the crowd

#chcon17
Goals: gain access to sensitive areas

#chcon17
Approach: recon, recon, & recon

#chcon17
Open source intel/recon is surprisingly powerful.

Lots of info freely available

#chcon17
After OSINT next step is light touch recon

#chcon17
Physical security recon leads to vulnerability assessment. Look for low hanging fruit to breach

#chcon17
Apparently the favoured Aura Security method is hiding in the bathroom. Recent record was over 3 hours

#chcon17
Try and install a sneaky lan turtle to gain remote network access.

Keep it subtle to avoid detection.

#chcon17
You can make your own visitors badge so people THINK you signed in

#chcon17
If you have a lanyard and an access card everyone assumes you're legit!

#chcon17
First access

#chcon17
Breakout spaces are good spaces to hide in plain sight. Just look like you're working and people will assume you're legit

#chcon17
Communal spaces are great places to mingle with employees and do some social engineering

#chcon17
Build multiple, persistent access and avoid IT like the plague.

#chcon17
Asked for an access card after being seen around the office.

Just said "I'm working on X project with Y"

Access granted!

#chcon17
Social Engineering - Level 2

"Hi, I'm from IT" You'd better know about IT when they ask you other questions!

#chcon17
Gain more access.

Lock picking is an excellent skill to have.

#chcon17
There are ALWAYS postit note passwords.

#chcon17
"Treat your passwords like your underwear: don't have any" @rafaelmagu

#chcon17
Jackpot!

Leads to server room selfies!

#chcon17
What do you do when you get caught?

"People almost never get caught"

Also have a letter of authorization if shit hits the fan

#chcon17
Almost nobody is protecting themselves well.

Ensuring physical security is very hard with determined attackers.

#chcon17
You want to come in with a simple pretext. The simpler the better.

#chcon17
Make sure you can deliver on your pretext.

If you say you're a plumber make sure you can plumb!

#chcon17
Now listening to @ss2342 talking about Tor and Onionland Explorers!

#chcon17
Threat model:

Tor is not going to protect you against the NSA or a global adversary.

It WILL protect you from protocol attacks.

#chcon17
If someone has enough money they can de-anonymize you.

#chcon17
Proposal to protect against guard node attacks to de-anonymize users using vanguards

#chcon17
Can also attack tor browser bundle.

Major issues are in Firefox.

Block all JS

#chcon17
Attacks on end user idiocy:

Pretty easy to tell you're using Tor. That may be enough to out you

Don't crack under interrogation

#chcon17
Demo time!

Onion Scan

If all those Twitter mentions don't wreck it...

#chcon17
"If you were planning to run a drug market, I think it would work pretty well!" @ss2342 on his Freedumb hosting software

#chcon17
Now it's @pipeline_tux talking about a pentester's guide to automating network security

#chcon17
Just some basic home network stuff very similar to an SMB setup.

#chcon17
Figure out your threats

#chcon17
Every server should be secure even if every other server on your LAN is pwned

#chcon17
Get rid of all unused services/features on all servers/boxes.

Used ansible for hardening.

Or devsec.io

#chcon17
Create a host based firewall with iptables.

Set a few rules and then drop all other traffic. Tweak as necessary for server role.

#chcon17
Checking the toilets for any hiding @AuraInfoSec folks.

#chcon17
Centralized login monitoring is absolutely key.

Set it up in a log stack. Using ELK stack & beats on servers

#chcon17
Set up & enable automated updating.

PATCH PATCH PATCH!

And enable 2FA on everything (yubikey)

#chcon17
Keep an eye on the logs & monitoring.

Is everything working?

Alerts pointless if you don't look at them.

#chcon17
Next up! @_tonijames talking about CTF: capture the flag - the gateway drug

#chcon17
How did she get into security?

ISIG, @CHCon_nz, @kiwicon, and TWITTER!

#chcon17
She uses Twitter grudgingly, but for good! Supporting women in tech & security.

#chcon17
Capture the Flag is a good approachable way into security & hacking

Shout-out to @_TheyCallMeToni

#chcon17
Recruit some peeps to do CTFs with you.

Toni got @GracieNoLag & @kevinnz to join in. Some good peeps!

#chcon17
I'm beginning to wonder if Toni's candy is a CTF that I'm losing...

#chcon17
Doing CTF with friends can get a bit competitive.

I mean, who DOESN'T want to beat @kevinnz?

#chcon17
CTF is great because you can work it around your schedule.

Most people have busy lives - need to work around those commitments.

#chcon17
"Realistic Simpsons would use octal instead of decimal"

30 sec later @jsstott can't stop laughing. "its bc they have 8 fingers!"

#chcon17
Is @ryankurte still working on his talk?

We'll find out soon!

#chcon17
Is @ryankurte working on his talk?

No.

He found another doppelganger & now they're taking selfies

#chcon17
.@ryankurte starts his talk by accidentally swearing into a hot mic

#chcon17
Now it's @ryankurte telling us how to build a public certificate authority using Yubikeys

#chcon17
At the beginning we had computers and it was good.

Then we invented the internet and we haven't recovered since.

#chcon17
What is public key infrastructure?

#chcon17
In which Ryan explains public/private key crypto with emojis

#chcon17
But you need root CAs to sign your certificate. And CAs are a trash fire

#chcon17
.@letsencrypt is good, but boring... So let's build our own CA!

#chcon17
How do we build a CA?

We need to store them on a FIPS certified device... Which includes A LOT of random junk

Let's use Yubikeys!

#chcon17
Lots of code magic to create a root certificate & cross sign it.

OpenSSL goes badly.

Ryan is sad.

#chcon17
Now Ryan is live creating his Yubikey CA which requires an increasing number of yubikeys

#chcon17
We could go through the normal CA channels or... We could just publish it on the internet!!

#chcon17
Now @jsstott (who is a REAL security person now) is telling us about his bug bounty adventures!

#chcon17
Oooh! A Netgear bounty! How hard could it be?

#chcon17
But all the in scope devices are expensive...

Is this a bounty program or a sales scheme?

#chcon17
After taking it apart it took ages to discover the debug ports!

Score!

#chcon17
Used some staples to wire the arduino up to the camera.

We're in!

But bootloader is PW locked...

#chcon17
Apparently @mjg59 then tweeted that the security was "basically acceptable" which is high praise.

Not good for Jeremy!

#chcon17
Coming back months later Jeremy actually found a bug! 💵 💵 💵

Learning:

90 days is long! Make sure you read the policy! Do recon

#chcon17
Etiquette for dealing with bug bounty programs:

#chcon17
Big bounty programs are public record, so watch out what you write!

#chcon17
Next, Jeremy decided to hack a switch. Basically this talk was a justification so he could tell his wife he bought it "for work"

#chcon17
Frustrating to see other people owning the bits he needs!

Tableflip.gif

#chcon17
So, he decided to see if he could exploit the screenshot tool.

#chcon17
Somebody else had already done some of the hard work

Interesting!

#chcon17
Suggestions for bug bounty newbies and ideas for future adventures!

#chcon17
Now it's @dunderhay (a @ryankurte doppelganger) showing us Project Walrus. RFID card cloning!

#chcon17
Access control is important! But what if you can clone those cards...

#chcon17
So many exploit tools!

#chcon17
Plenty of difficulties.

No common tools or databases. :(

#chcon17
Like all good ideas, Project Walrus started in his parents basement.

#chcon17
Now it's looking good! Slowly adding support for more cloning devices.

#chcon17
What a hacker in action actually looks like:

#chcon17
Holy shit! That demo was fucking amazing.

Terrifying shit.

#chcon17
Final thoughts

#chcon17
Now it's @mangopdf (a hacker known as "Alex") talking about hacking his friend.

Also, don't hack your friend

#chcon17
Hacking poor Diana (not her real name). Set some ground rules.

Got email from LinkedIn & phone from searching Google!

#chcon17
And @troyhunt is referenced again!

Using @haveibeenpwned to see if an email was in any breach.

#chcon17
And "Alex" JUST HAPPENED to have the Tumblr dump which included password hashes.

Shenanigans ensue

#chcon17
Found the password! But it was old... Oh no!

#chcon17
Let's do phishing instead!

This is phishing, right?

#chcon17
Jk. We'll actually do this:

#chcon17
So let's create an email account that looks like it came from Microsoft.

But can't use "Microsoft", so let's use omicrons for "o" s

#chcon17
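The omicron trick above survives a plain string comparison, but not a per-character script check. This is an added example, not code from the talk; it uses the Unicode character name as a rough script label, which is an assumption that is good enough for Latin/Greek/Cyrillic look-alikes, and the sample sender names are constructed.

```python
# Added example: flag sender display names or domains that mix Latin letters with
# look-alike letters from other scripts (Greek omicron, Cyrillic o, and so on).
import unicodedata


def script_of(ch: str) -> str:
    """Rough script label taken from the Unicode name: 'LATIN', 'GREEK', 'CYRILLIC', ..."""
    if not ch.isalpha():
        return "COMMON"          # digits, punctuation and symbols belong to no script
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def find_homoglyphs(text: str) -> list:
    """Return (position, char, unicode name) for every letter that is not Latin."""
    hits = []
    for i, ch in enumerate(text):
        if ch.isalpha() and script_of(ch) != "LATIN":
            hits.append((i, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def is_mixed_script(text: str) -> bool:
    """True when the letters in text come from more than one script."""
    return len({script_of(ch) for ch in text if ch.isalpha()}) > 1


def looks_like(text: str, brand: str) -> bool:
    """True when text matches brand exactly (after NFKC folding, which catches
    fullwidth letters) or differs from it only at non-Latin look-alike positions."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    target = brand.casefold()
    if folded == target:
        return True
    if len(folded) != len(target) or not is_mixed_script(folded):
        return False
    return all(a == b or script_of(a) != "LATIN" for a, b in zip(folded, target))


def scan_senders(names: list, brands: list) -> list:
    """Return (name, impersonated brand) for sender names that look like a brand."""
    flagged = []
    for name in names:
        for brand in brands:
            if looks_like(name, brand) and find_homoglyphs(name):
                flagged.append((name, brand))
    return flagged


# Constructed sample sender display names: one honest, one using Greek omicrons
# (U+03BF) for the o's, one using a Cyrillic o (U+043E).
SAMPLE_SENDERS = ["Microsoft", "Micr\u03bfs\u03bfft", "G\u043eogle", "Bob from IT"]
BRANDS = ["microsoft", "google"]

if __name__ == "__main__":
    for name, brand in scan_senders(SAMPLE_SENDERS, BRANDS):
        print(f"{name!r} impersonates {brand}: {find_homoglyphs(name)}")
```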
DAYUM that looks legit.

But... She never clicked it

#chcon17
Aerobatic hosting is great for hosting phishing pages apparently...

#chcon17
Setup a fake Google account. You can enter ANYTHING!

#chcon17
So we send her a phishing email with link to a google doc to review. It prompts for password but she enters one we've already got!

#chcon17
So, we set it so that it says the password is rejected for the first 3 tries so we can collect more passwords

#chcon17
He got it!

Read the whole story here. There is much, much more!

defaultnamehere.tumblr.com/post/163734466…

#chcon17
And that's a wrap!

Thanks to the amazing @CHCon_nz team:
@kevinnz
@phage_nz
@mrdanwallis
@binarymist

Fucking excellent work!

#chcon17
The thumbs... They are tired...

#chcon17
First prize for speakers went to Fiona and Catherine!

Awesome work!

(they ran away too quickly!)

#chcon17
.@jsstott wins for best use of a speaker pack by winning... A speaker pack!

#chcon17
Somehow I won an award... Oh no!

#chcon17

And @PeteChestna wins a door!

I bet that'll fit in his carryon...

#chcon17
There will be a @CHCon_nz next year!!

#chcon17
And.. The @CHCon_nz is growing! @_tonijames is joining the crew!!

Much excite!!

#chcon17
Thanks to the friends of @CHCon_nz. Except for @Metlstorm

#chcon17
Now it's after party time!

Danner out!

#chcon17
In case anyone at #chcon17 want any of my horrible photos, you can find the whole (unedited) lot here:

dropbox.com/sh/d48re1t2t8o…
Subscribe to Jason Danner