“This way please,” says one of the officers pointing to a corridor lined with small rooms for interrogation.
“Purpose of your visit?”
“I’m a speaker at the Hacker Halted 2015 conference.”
After a half-hour conversation, we get our luggage back, leave the airport and then we’re hit by the hot air and jet lag. Welcome to the United States.
The research was prepared in cooperation with Maria Garnaeva specifically for Securelist
Hacker Halted USA 2015
The Hacker Halted USA event organized by the professional organization EC-Council (yes, the same organization that developed the Certified Ethical Hacker course that is now renowned in our industry) is held once a year and, as usual for this kind of conference, it brings together technical experts in the field of information security as well as a business audience. The choice of Atlanta was no coincidence: the climate suits sun worshippers, while the heat during the day deters you from leaving the hotel, and is possibly an additional “motivation” for some to listen to the presentations.
The main theme of the conference, which was touched on in one way or another in the speakers’ reports, was “The Cyber Pandemic” – associating technological imperfections with a kind of plague sweeping our society. And, as you can probably guess, the speakers had to analyze the details of this social “disease” and come up with a “vaccine”.
At Hacker Halted USA 2015 there was nothing to distract participants from the main content, such as separate rooms for fans of CTF or hack quests, and no workshops. On the one hand, it allowed the attendees to concentrate on the presentations and take in more information; on the other hand, it may have got a little tedious for those who like hacking things. The audience at the conference, in our subjective opinion and after chatting with other participants, appeared to be weighted more towards business. Proof of this came at a separate section with the companies’ stands. But, having said that, there was also a dedicated section for aficionados of “hardcore” presentations.
The exhibition highlighted a lot of start-ups and small companies from the IT security industry that are almost unknown in the Russian market and which focus on a narrow niche. Some might find it unsurprising, but if you draw a parallel with the typical Russian IT security exhibition, where every stand belongs to a real industry heavyweight, the information security market in the United States resembles more of a supermarket with a huge range of goods and services.
About the reports
As is traditional, the first day was given over to the key reports. After the opening speech delivered by Jay Bavisi (President of EC-Council) and a monologue about lofty matters and “The Cyber Pandemic”, we went to the “Cut the Crap – Show Me the Hack” section. As you might guess from the name, all the reports here were focused on practical aspects of information security, and thus were of special interest for us.
The report entitled “SAP Afaria – One SMS to Hack a Company” by our compatriot Dmitry Chastukhin lived up to the theme of Show Me the Hack most of all. There was a lot of technical information about the features of the system that was analyzed, a description of vulnerabilities and various shortcomings in its configuration, as well as a demonstration of the operating script on a small stand.
“Dima, you’re up in five minutes. Ready?”
“Yes, I’m just thinking of a quick video demonstration…”
The BYOD (bring your own device) policy is becoming a corporate standard, and businesses require security solutions that take into account their mobile ecosystem. MDM (mobile device management) solutions are the answer and the Afaria platform from SAP is one of them. Its popularity is confirmed by the fact that over 130 million mobile devices are running under its control in more than 6,000 organizations.
One of the vulnerabilities mentioned by Dima allows the attacker to send corporate messages from the Afaria server to the mobile phone. These messages are intended for remote mobile infrastructure administration and allow the administrator to perform a variety of critical actions, such as remotely wiping the data, blocking the device, disabling Wi-Fi, etc. However, an attacker who knows the IMEI of the employee’s mobile device can generate a corporate message and send it to a corporate mobile device. As a result, the data could be wiped from the phone or it could be blocked, etc. In addition, the attacker could use social engineering techniques to trick the owner of the device and continue the attack on the corporate infrastructure. This may lead to significant reputational and financial damage and even bring a company’s operations to a complete halt.
Another interesting vulnerability mentioned in the report is the XSS stored on the administrative console of the MDM solution, but with one special feature: the attacker only has to send a specially generated packet to the port of the MDM server that will embed the JS code in the page of the administrative console. The subsequent attack scenario typically unfolds as follows: the administrator enters the console, the code is automatically executed, and the attacker gains administrative control.
About our presentation
“The theme of user de-anonymization in the dark net is becoming increasingly important. Our report analyzes the methods of exploiting vulnerabilities on onion resources and some of the configuration shortcomings that make it possible to get information about a Tor user” – this is the abstract from our report which we delivered in the “Show Me the Hack” section. Hundreds of eyes on us, dozens of questions after the presentation, swapping of contact details and business cards – all this suggests the report was of some interest to the audience.
Another report attracted attention with its title containing only the name of the speaker – “Sean Bodmer”. Mr. Bodmer is the founder of a company developing something similar to a honeypot, but no ordinary honeypot – it is proactive. Legally speaking this is something of a delicate matter – is it permissible to attack the attacker? These types of solutions are designed to confuse the attacker, to waste his time, energy and resources on studying the targeted system.
Sean Bodmer’s report contained a few valuable thoughts. For example, if the attacker has already penetrated the infrastructure, its owner can do whatever he wants with him. The key point is that all counter measures are performed within the compromised infrastructure, because execution of code on the attacker’s machine is illegal (unless you are a government agency that has been attacked by an enemy state).
Finally, one of the most anticipated presentations was that of Chris Roberts, famous for his tweets about “breaking the plane”. Of course, no practical things, zero-day vulnerabilities or the attack scenarios were mentioned for obvious reasons, but the report contained valuable ideas that were very well presented by the speaker. Chris tried to explain to businesses why cybercriminals are constantly trying to hack them, how to interpret incidents correctly and, most importantly, how to communicate with the “offensive” guys (researchers) and their initiatives (providing information about bugs). A man who once had his wings singed attempting to publish information about vulnerabilities in aircraft onboard systems shared his invaluable experience and conclusions. Don’t shoot the messenger!
The Hacker Halted conference, despite a noticeable bias towards business, has left only positive impressions. Continuous dialogue with the speakers, participants and just people we met on another continent, is about more than just participating in a conference. Reports are always informative, but the main value of any event is meeting and communicating with people in person.