Tuesday, October 19, 2010

Hack In The Box SecConf, Kuala Lumpur, Malaysia 2010

Last week, we were invited to the famous HITBSecConf event organized by L33tdawg and his extended team (people from NL + MY). This amazing event brought hundreds of people from all over the world to the center of Kuala Lumpur. You could easily meet good and evil hackers, phone phreakers, IT managers, lockpickers, senior IT security people, etc.

Many activities were on offer for the attendees: special technical workshops, hacking challenges, lockpicking sessions, and of course international talks & advanced trainings.

On the first two days, we ran a new offensive training for a room of 16 students coming from very interesting places: cutting-edge | sensitive | huge companies (Fortune 500...), and government agencies from all around the world.

This two-day course was called "Hunting Web Attackers", and was created to prepare white-hats and improve their skills in the ongoing cyber-struggle against web attackers.


We explained how to improve detection of web intrusions, and also how to strike back in order to identify the assailants or neutralize their actions.

During this special training, we shared tools, methods and techniques actually used by real attackers worldwide, and we released eight 0-days (the funny concept was one pair of students = one 0-day...).

This training was based on multiple hands-on exercises, and we ended with a live hacking session where the students had to strike back and neutralize a remote threat built from real, recent code of the Zeus kit, recovered from the attackers themselves on the Internet. We wanted our students to be able first to detect strange behaviors on their systems, then to identify the tools or methods used against them, in order to prepare a potential active response against the intruders.


HITB KL post-party event
We got many thanks from our 16 students, who probably enjoyed the fact that we worked on real technical exploits / 0-days / malware sources, rather than the theory shared in some talks / books / blogs. As always, working on technical examples is much better than looking at slides or documents.

Of course, the blackhat tools and methods shared in this room were provided under a signed NDA, in order to avoid complex legal issues. Most of them came from forensic operations, private honeypots, etc.

Sometimes, sharing overly offensive material can lead to legal threats or law issues, even though our goal is to help law enforcement teams, government & IT security teams be better prepared to protect themselves, rather than feeling secure thanks to a certification paper obtained through a funny (commercial) quiz...

On the third day, we gave a talk called "Analyzing Massive Web Attacks", where we quickly explained how some attackers target huge numbers of end-users or web servers over the web.

We showed how to handle such intrusions through two examples: a real Facebook attack that occurred in 2009, and the current threat of web sites being turned into IRC botnets (with a pBot source code analysis). The slides were available online on the HITB web site right after the talk.



Example of pBot source code analysis (the configuration block of the bot; the original Portuguese comments are translated here):
class pBot {
    var $config = array(
        "server"=>"a.b.c.d",      // IRC C&C server
        "port"=>6669,             // IRC port
        "pass"=>"",               // server password
        "prefix"=>"owned|",       // nickname prefix
        "maxrand"=>8,             // random characters appended to the nick
        "chan"=>"#pbotchannel",   // C&C channel
        "key"=>"oxi",             // channel key
        "modes"=>"+p",            // IRC modes set on connect
        "password"=>"l33tP4sS",   // bot password (required to give it orders)
        "trigger"=>".",           // command prefix in the channel
        "hostauth"=>"*"           // * for any hostname
        );
    // ... rest of the bot (IRC loop, command handlers) omitted here
}
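Once you have a dropped pBot file in hand, the first useful thing is to pull the C&C details out of that config array and turn them into indicators you can hunt with. The script below is an added example written for this post, not code from the original talk or from the pBot authors. It assumes the bot keeps its settings in a `var $config = array(...)` block with the key names shown above, and that the IRC nick is built from `prefix` followed by `maxrand` random digits (true for the pBot sources we have seen, but treat it as an assumption for other variants). The sample inputs are constructed: the config quoted above wrapped in a minimal PHP file, plus a benign PHP file to show the heuristic does not fire on ordinary config code.

```python
"""Pull IRC C&C indicators out of a pBot-style PHP source file.

Added example for this post, not part of the original pBot analysis.
Assumptions: settings live in `var $config = array(...)` with the keys
shown in the post, and the IRC nick is `prefix` + `maxrand` random digits.
"""
import re

# Constructed sample: the config array quoted in the post, wrapped in the
# minimum of PHP needed to look like a dropped bot file.
SAMPLE_PBOT_SOURCE = r'''<?php
class pBot {
    var $config = array(
        "server"=>"a.b.c.d",
        "port"=>6669,
        "pass"=>"", //senha do server
        "prefix"=>"owned|",
        "maxrand"=>8,
        "chan"=>"#pbotchannel",
        "key"=>"oxi", //senha do canal
        "modes"=>"+p",
        "password"=>"l33tP4sS", //senha do bot
        "trigger"=>".",
        "hostauth"=>"*" // * for any hostname
        );
}
'''

# Constructed benign PHP that merely mentions "server" and "port".
SAMPLE_BENIGN_SOURCE = r'''<?php
$db = array("server"=>"localhost", "port"=>3306, "user"=>"www");
'''

CONFIG_BLOCK = re.compile(r'\$config\s*=\s*array\s*\((.*?)\)\s*;', re.S)
CONFIG_ENTRY = re.compile(r'"(\w+)"\s*=>\s*(?:"([^"]*)"|(-?\d+))')
# Keys that, taken together, are characteristic of the pBot family.
PBOT_KEYS = {"server", "port", "chan", "trigger", "hostauth", "prefix", "maxrand"}


def extract_config(source):
    """Return the $config array as a dict (strings and ints), or {} if absent."""
    match = CONFIG_BLOCK.search(source)
    if not match:
        return {}
    cfg = {}
    for key, str_val, int_val in CONFIG_ENTRY.findall(match.group(1)):
        cfg[key] = int(int_val) if int_val else str_val
    return cfg


def looks_like_pbot(source, min_keys=5):
    """Heuristic: the pBot class name, or most of the characteristic config keys."""
    if re.search(r'\bclass\s+pBot\b', source):
        return True
    return len(PBOT_KEYS & set(extract_config(source))) >= min_keys


def c2_indicators(cfg):
    """Turn a parsed config into indicators an analyst can pivot on."""
    # Assumption: nick = prefix followed by `maxrand` random digits.
    nick_pattern = re.escape(cfg.get("prefix", "")) + r"\d{%d}" % cfg.get("maxrand", 0)
    return {
        "c2_server": cfg.get("server"),
        "c2_port": cfg.get("port"),
        "irc_channel": cfg.get("chan"),
        "channel_key": cfg.get("key"),
        "bot_password": cfg.get("password"),
        "command_trigger": cfg.get("trigger"),
        "nick_pattern": nick_pattern,
    }


def nick_matches(cfg, nick):
    """True if an observed IRC nick fits the bot's prefix + random-digits scheme."""
    return re.fullmatch(c2_indicators(cfg)["nick_pattern"], nick) is not None


def suricata_rule(cfg, sid=1000001):
    """A minimal Suricata/Snort rule for the bot joining its C&C channel."""
    return ('alert tcp $HOME_NET any -> any %d (msg:"pBot IRC C2 join"; '
            'flow:established,to_server; content:"JOIN %s"; nocase; '
            'sid:%d; rev:1;)' % (cfg["port"], cfg["chan"], sid))


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_PBOT_SOURCE)
    print("pBot?", looks_like_pbot(SAMPLE_PBOT_SOURCE))
    for name, value in c2_indicators(cfg).items():
        print("%-16s %s" % (name, value))
    print(suricata_rule(cfg))
```

In practice you would point `extract_config` at every PHP file a web server has written recently (uploads, cache and tmp directories) and feed `c2_indicators` into your IDS and proxy logs: the server/port pair and the `JOIN #channel` string are what show up on the wire, and the nick pattern lets you spot other infected hosts of the same campaign on a shared IRC server.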


We were really lucky because the room was packed with hundreds of people who came to listen to our explanations (with people everywhere: on the chairs, along the walls, on the floor, etc.). From the many discussions we had right after the talk, we can definitely say that IT security threats are really well studied and understood in and around Asia, compared to some companies and governments elsewhere that still have to work harder on organization or certification matters (which is different from working on highly technical issues).

To conclude, we really appreciated being active participants in this massive Asian IT security event, which was really well organized and pretty interesting. We do hope we'll be able to come back in the future... Many thanks to our students, attendees, friends, and special shouts to the HITB crew...