‘Go forth, have fun, and hack the planet’
The sixth annual edition of SteelCon opened its doors in the UK city of Sheffield on Saturday, attracting more than 450 hackers, tinkerers, and security enthusiasts from across the country.
As ever, the event featured a mix of technical talks, community-focused discussions, and informal networking, both on and off site, along with a range of social activities for hackers of all ages.
First to take the main stage on Saturday was security consultant Neil Lines, who presented a lightning-fast discussion of offensive automation, and talked attendees through his quest to compromise a targeted organization with a single click.
Lines also took the opportunity to address the recent concerns surrounding YouTube’s decision to remove hacking tutorial videos from the platform.
“I left school with nothing,” Lines said, in a heartfelt plea against censorship. “I had no money for education and I had no job for years. I eventually go into IT through YouTube videos.
“Without YouTube, I wouldn’t be here today talking to you. The videos shouldn’t be blocked, they shouldn’t be banned.”
Chris Truncer of FortyNorth Security demonstrated how network defenders can make use of built-in application whitelisting with Windows Defender Application Control (WDAC).
Truncer looked into building custom policies that allow sysadmins to define how their environment is protected and what to trust.
“WDAC is more than just an app-blocker,” Truncer explains. “It also helps [secure] an endpoint with kernel mode code integrity, where you can enforce different rules that either allow or deny drivers on your system to be loaded as well.”
In a highly entertaining talk, Pen Test Partners’ Andy Gill explored the key differences (and overlaps) between penetration testing, bug bounties, and red teaming.
“Each of these solve a different problem,” he said. “They have differences, they have similarities.
“With red teaming you are testing your defensive capability, bug bounties [provide] a varied security approach within a wider scope, and pen testing allows the identification of vulnerabilities within a time-based scope.”
Despite the differences, Gill noted the ongoing cross-pollination between the three approaches, particularly as new offensive techniques are trialled at bug bounty level, before eventually making their way into pen tests.
Andy Gill asking the important questions
Infosecurity Magazine’s Dan Raywood presented findings from the 2019 State of Cybersecurity Report.
According to the study, product problems, human factor issues, and compliance continue to rank among security experts’ primary concerns in 2019.
It’s clear that vulnerabilities in software supply chains also remain a huge problem, as researcher Sean Wright discussed attack vectors in open source tech, along with the tools available to help defend against malicious actors or poor security design.
“Like all good things, encrypt,” Wright said.
Elsewhere, Connor Morley of Countercept delivered a well-received talk on how the APT Equation Group stayed under the radar for many years.
The talk focused on KillSuit – a post-exploitation component of the Equation Group’s arsenal.
The utility was developed by The Equation Group (strongly suspected as being a hacking unit within the NSA) prior to 2013 and leaked in 2017 by the ShadowBrokers.
Countercept’s research focused on looking for indications of compromise associated with the presence of KillSuit on a host.
The deep dive into the inner workings of the malware threw up a theory that the attackers selectively targeted Windows machines with a customised cryptographic system mandated for use by GCHQ on UK government systems.
The talk also covered SolarTime (SOTI) the Equation Group’s advanced bootkit persistence for KillSuit. During the research, Morley and his colleagues adapted an MBR analyzer to hunt SOTI.
Sticker swag at SteelCon
How we should redefine security was the focus of a talk by Saskia Coplans and Alistair O’Neill, who looked at how using alternative models of security implementation has had a positive impact on their company, Digital Interruption, and could even be used to help ease the cyber skills shortage.
Coplans said: “Think about what we didn’t have five years ago that we have now. There are all these things that we didn't have before, but the model for security isn’t changing. Technology is changing but security isn't changing.”
Dan Nash offered an extended history detailing how extremists have abused the internet in his talk ‘Parasite: Can An Open Internet Fight Extremism?’
The presentation focused on how the open internet at large has enabled extremist groups from the KKK to al-Qaeda. It also detailed how ISIS has used internet resources, from bulletin boards to social media, in order to nurture a “pipeline of extremism” to expand their influence.
Malware researcher Sarah White of Emsisoft offered a talk on the various cryptographic mistakes ransomware authors have made over the years.
White highlighted generic mistakes the bad guys made in their wares, hoping to educate legitimate developers to avoid making the same errors.
“It’s cheaper to learn from other peoples’ mistakes than to have to deal with the issues when you’ve made your own,” she explained.
Mistakes made by ransomware authors include the use of static or semi-static keys, key reuse, or – worse still – home-made algorithms, White said.
Even when the cryptography is right, some authors still make mistakes in implementing web security, leaving the infrastructure vulnerable to attacks on command and control servers, for example MegaLocker, which used a random directory with no authentication on a PHPMyAdmin system.
Finally, parental discretion advised – The Beer Farmers closed the con with security advice to companies and shots of chilli infused vodka.
The four speakers each took a shot of 500,000-Scoville chilli vodka immediately prior to their talk.
It wasn’t all booze and hijinks though, as the group outlined how fear, uncertainty, and doubt (FUD) was causing businesses and consumers to make incorrect choices when it comes to digital security.
Those interested in learning more can watch all of the presentations on the SteelCon YouTube channel.
Community and inclusion
Security conferences seldom welcome families, but SteelCon turned that on its head by not only providing a crèche, but by rolling out a track especially targeted at young computer enthusiasts.
The centerpiece of this effort was a computer lab featuring challenges and games. These were not standard hacking exercises or computer games, but rather challenges designed to stimulate interest in STEM (science, technology, engineering, and maths) subjects.
The SteelCon car hacking area also included an exercise aimed at children – a mock-up of a car dashboard that could be turned or tilted to move the dials.
Around 20 children from ages four to 16, chaperoned by volunteers, participated in the track, which was extremely well received by its young participants. Who says kids are only interested in robots, dinosaurs, and space travel?
Car hacking at SteelCon 2019
SteelCon’s strong community focus was highlighted by founder Robin Wood, who expressed his support for other grassroots hacking events across the UK.
“In a lot of other industries, we would be competing against the BSides, 44Cons, and all of the other events,” Wood said in his opening remarks on Saturday. “In this industry, they are our friends. We support them, they support us.”
Wood added: “Come to our con, but go to theirs as well. They all have something different to offer. Some are up north, some are down south, some are east, some are west. Get to your local con and give them support as well.”
SteelCon came to a close yesterday with the event’s annual game of laser tag – ‘Pew Pew Fest’ – which continues in memory of Mike Kemp, who passed away earlier this year.
“Mike was a great supporter of SteelCon from year one where his sponsorship of the Pew Pew Fest came in the form of a brown envelope full of used bank notes,” the SteelCon founders said in the introduction to the 2019 program.
“A great big loveable character who always had time for others, he helped kickstart at least a few infosec careers and supported many others.
“Mike would not want us to mope around or be miserable, he would want us to get on with things and cause chaos. So let’s go forth, have fun, and hack the planet!”
Additional reporting by Catherine Chapman and John Leyden