
This second talk by Anna Shirokova was very interesting: the researcher told the whole story of bruteforce-based malicious software from 2003 to now.
The first real known malware spreading through bruteforce was detected in 2013 by DrWeb, despite a piece of code acting the same way having been discovered in 2009. This malware discovered by DrWeb, dubbed FortDisco, was using bruteforce to spread on the Internet but also to drop other malicious code on the impacted servers. In 2015, the malicious piece of code Aethra was discovered; it targeted misconfigured routers (well, routers using weak passwords, to be precise) in order to infect them with malware. And this kind of malicious software made its way to 2017, as a new malware doing the exact same attacks, dubbed "Stantinko", was recently discovered by ESET.
Spreading malicious software by abusing weak passwords still works and is widely used, targeting not only servers with vulnerable administrative accounts but also various content management systems such as WordPress, to name a few.
See the slides of this conference here.
Slawomir Jasek asked me before BruCON if I could co-host his workshop on Bluetooth Low Energy smart lockpicking, and I accepted his proposal with great pleasure. I've presented some vulnerabilities I found on these smart locks and padlocks at various conferences, as did Slawomir during the previous few years.
It was also a good way to show how BtleJuice, our Bluetooth Low Energy Man-in-the-Middle framework, works and to demonstrate its efficiency.
We spoke about the security of various smart locks and smart padlocks, as well as their vulnerabilities and weaknesses. Slawomir demonstrated how easy it is to "pick" these locks wirelessly or simply steal a PIN code used by a specific lock. We both answered attendees' questions and shared our experience of intercepting and hacking Bluetooth Low Energy devices.
I enjoyed this workshop and hope other fellow hackers will find an interest in hacking all these smart objects relying on the Bluetooth Low Energy protocol.
This year, Google sponsored the Mentor/Mentee initiative at BruCON. This initiative is a novelty of this 9th edition, as it tries to bring seasoned security professionals and students or security enthusiasts to the same place. The idea behind this initiative was to allow IT security rookies (mentees) to ask experienced people (mentors) to share some advice regarding this community: who to follow, the must-reads, how to submit a talk and why you should submit even if you think you're not skilled enough or your research is not interesting, etc. I participated in this event and met many students and professionals and had a lot of great talks, among other trolls.
This initiative was really interesting and should, in my humble opinion, be renewed during the next edition. And why not spread it to other security conferences?
The second day of the BruCON conference started with a good breakfast and friendly chats. After having drunk one or two bottles of Club Mate, it was time to sit in the amphitheater to see the keynote (as I missed the previous one).
Chris gave a short history of how hackers and hacking were seen during the last decades and explained how a group of hackers originally considered by authorities as a criminal gang came to testify in the U.S. Senate, thus changing the way the world sees them. He insisted on the fact that hackers innovated a lot in the IT security field: they invented the vulnerability scanner or the first packet manipulation tool. These tools are nowadays considered standard and are widely used by pentesters and system administrators.
Hackers also created some of the most well-known security conferences, like DEF CON held each year in Las Vegas. Chris also mentioned that many U.S. agencies sent some of their agents because it was the only way to learn and discover the latest cybersecurity trends, asking them to behave and look like hackers. Today, they do not hide anymore and even contribute to these events, as well as other law enforcement agencies from other countries.
During his presentation, he also insisted on the fact that hackers made their way to where they are now by making a lot of noise and trouble, through many attacks and vulnerabilities publicly disclosed. They changed the way they were seen and showed the world they could be useful: the expression "ethical hacking" was born. But these pioneers are now old and we need some fresh blood: hackers must make noise and trouble again in order to move things in the right direction.
Chris gave as an example his idea of "Security Champions": a team member trained by security professionals who would act as a referee in companies developing software or services, providing the correct answers and bringing security into the design process.
See the slides of this conference here.