Here is a quick wrap-up of the just-ended BSidesLisbon event. This was the second edition of this BSides event organized in Portugal. The philosophy of these events is well known: organized by and for the community, free, open and creating a lot of opportunities to meet peers. A classic but effective format: talks, lightning talks and a CTF, with two tracks in parallel. Here is a review of the talks I attended.
The day started with my friend Wim Remes‘s keynote: “Damn kids, they’re all alike”. Wim’s message was: “learn and share”. He started with a review of the Hacker’s Manifesto. Written in 1986, it remains just as relevant today. Key values are:
- Judge people by what they say and think, not by what they look like
- Outsmarting you
- “I’m a hacker”
Wim addressed the problem of the infosec community vs the industry. If a clear distinction is mandatory at a certain time, we then need to move forward and take our responsibilities by putting our knowledge into companies and organizations. If some security researchers are seen as rockstars (or want to be one), that’s not the best way to behave. Some of Wim’s slides were nice, with good quotes. I particularly liked this one:
Your knowledge is a weapon, you are a threat
The keynote was followed by a series of very interesting questions and an exchange of ideas.
The first talk was given by Doron Shiloach from IBM X-Force: “Taking threat intelligence to the next level”. Doron started with a review of the threat intelligence topic, based on a definition by Gartner. From an industry perspective, the criteria for evaluating a feed are:
- Where is it sourced from?
- How often is it updated?
- Vetted by humans?
The next part was dedicated to the techniques used to build good threat intelligence and where to find the right information. Once collected, we need to make it available, not only between humans but also between computers. To achieve this, Doron introduced TAXII and STIX. Personally, I found the talk too focused on IBM X-Force services… but anyway, interesting stuff was presented.
For the next time slot, there was only one presentation, as the other speaker was not able to attend the event. The tool Shellter was presented by its developer Kyriakos Economou. After explaining why classical shellcode injection sucks, Kyriakos presented his tool in detail. Shellter is a dynamic shellcode injector with only one goal: evading antivirus detection! The presentation ended with nice demos of generated malicious files not being detected by AV products. The joy of seeing a scan result on virustotal.com: 0/55!
After the lunch break, I followed Ricardo Dias‘s presentation about malware clustering. By cluster, we mean here a group of malware samples that share similar structures or behavior. Ricardo’s daily job is to detect malicious code and, to improve this task, he developed a tool that creates clusters based on multiple pieces of information about the PE files (only this file type is analyzed). Ricardo explained in detail how clusters are created. He used popular algorithms for this: reHash or impHash. The next part of the presentation was based on demos of the tool created by Ricardo. I was impressed by the quality and accuracy of the information made available through the clusters!
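To illustrate how an import-hash (impHash) groups PE samples, here is an added example that is not Ricardo's tool nor code from the talk. It implements the widely used impHash recipe (lower-case DLL name without its extension, joined with the imported function name as `dll.func`, ordinals as `ordN`, all entries joined with commas, MD5 of the result) over constructed import tables; the sample names and their imports are invented for the demonstration. Samples whose import tables are identical in content and order land in the same cluster, and the example also shows the known caveat that reordering the imports changes the hash.

```python
import hashlib
from collections import defaultdict

# Constructed sample import tables (not real malware): DLL name -> list of
# imported function names, with ordinal imports given as integers.
SAMPLES = {
    "sample_a.exe": [("KERNEL32.dll", ["CreateFileA", "WriteFile", 123]),
                     ("WS2_32.dll", ["connect", "send"])],
    # Same imports as sample_a, only the DLL casing differs -> same impHash.
    "sample_b.exe": [("kernel32.DLL", ["CreateFileA", "WriteFile", 123]),
                     ("ws2_32.dll", ["connect", "send"])],
    # Different import set -> different cluster.
    "sample_c.exe": [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"])],
    # Same imports as sample_a but in another order -> different impHash,
    # because the canonical string is order-sensitive.
    "sample_d.exe": [("WS2_32.dll", ["connect", "send"]),
                     ("KERNEL32.dll", ["CreateFileA", "WriteFile", 123])],
}


def imphash_string(imports):
    """Build the canonical 'dll.func,dll.func,...' string for an import table."""
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        # Only these extensions are stripped; anything else is kept verbatim.
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        for func in funcs:
            fname = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{name}.{fname}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, as a lower-case hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names by identical impHash."""
    clusters = defaultdict(list)
    for name, imports in samples.items():
        clusters[imphash(imports)].append(name)
    return dict(clusters)


if __name__ == "__main__":
    for digest, members in cluster_by_imphash(SAMPLES).items():
        print(digest, members)
```

In practice the import table would come from a PE parser rather than a hand-written list; an import-hash cluster is a cheap first grouping, and samples that rebuild or shuffle their import table will fall outside it, which is why tools like Ricardo's combine several structural features.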
The next talk also focused on security visualization. Tiago Henriques and Tiago Martins presented “Security Metrics: Why, where and how?”. Given the amount of data we have to manage today and the multiple sources it comes from, it has become very difficult to analyze it without proper tools. That was the topic presented by Tiago & Tiago. After explaining how to use visualization tools in the right way and answering questions like:
- Which security metrics can I get?
- Am I using them in the right way?
they demonstrated how to extract useful information from large datasets.
Then, Pedro Vilaça presented his research about malicious kernel modules in OSX: “BadXNU, a rotten apple!”. For sure, never, never leave your MacBook unattended close to Pedro! Normally, to load a new module into the OSX kernel, checks are performed, like verifying the module signature. Pedro explained how to bypass this and inject malicious code into the kernel. For Pedro, Apple’s controls are weak: the checks should be performed at ring 0 (kernel level) and not in userland (like Microsoft does). Impressive talk!
Finally, my last talk was the one by Tiago Pereira: “What botnet is this?”. The talk was a summary of a malware analysis involving a DGA, or “Domain Generation Algorithm”. The goal was to reverse engineer the malware to understand the DGA it used. Also very interesting, especially when he explained how to get past the packing of the binary to extract the code!
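Reversing the algorithm tells you exactly which domains a family will generate, but a defender often meets DGA traffic before any sample has been analyzed. As an added example (not from Tiago's talk, and not tied to the malware he analyzed), the script below scores the second-level label of each queried domain on a few cheap lexical features (vowel ratio, digit ratio, Shannon entropy, length) and flags the ones that look machine-generated. The DNS log format and the log lines are constructed for the demonstration, and the thresholds are illustrative assumptions rather than tuned values.

```python
import math
import re

# Constructed DNS query log lines (not real traffic); the "query=" format is an
# assumption made for this example.
LOG_LINES = [
    "2015-07-03T10:01:02 client=10.0.0.5 query=google.com type=A",
    "2015-07-03T10:01:05 client=10.0.0.5 query=wikipedia.org type=A",
    "2015-07-03T10:01:09 client=10.0.0.7 query=xkqzvbtlmp.net type=A",
    "2015-07-03T10:01:11 client=10.0.0.7 query=pf3k9q2zt7.com type=A",
    "2015-07-03T10:01:14 client=10.0.0.9 query=microsoft.com type=A",
    "2015-07-03T10:01:18 client=10.0.0.7 query=qwzxvkjhplmntrbg.com type=A",
    "2015-07-03T10:01:20 client=10.0.0.9 query=bsideslisbon.org type=A",
]

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Second-level label of a domain. Simplification: multi-part public
    suffixes such as co.uk are not handled; a real tool would use a suffix list."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def features(domain):
    """Lexical features of the registrable label used for scoring."""
    label = registrable_label(domain)
    alpha = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in alpha) / len(alpha) if alpha else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
    }


def looks_generated(domain):
    """Heuristic verdict; thresholds are illustrative assumptions."""
    f = features(domain)
    if f["length"] < 8:
        return False  # short labels give too little signal for this heuristic
    return (f["vowel_ratio"] < 0.25
            or f["digit_ratio"] > 0.3
            or f["entropy"] > 3.5)


def parse_query(line):
    """Extract the queried domain from one constructed log line, or None."""
    match = re.search(r"query=(\S+)", line)
    return match.group(1) if match else None


def flag_dga_candidates(lines):
    """Return the distinct queried domains that look generated, in log order."""
    flagged = []
    for line in lines:
        domain = parse_query(line)
        if domain and looks_generated(domain) and domain not in flagged:
            flagged.append(domain)
    return flagged


if __name__ == "__main__":
    for domain in flag_dga_candidates(LOG_LINES):
        print("DGA candidate:", domain, features(domain))
```

Lexical scoring like this is a triage aid, not a verdict: it misses wordlist-based DGAs and flags some legitimate CDN or tracking hostnames, so hits are best correlated with NXDOMAIN bursts from the same client before anyone acts on them.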
Unfortunately, I was not able to attend the last keynote, presented by Steve Lord; I hope that the slides will be available somewhere. The day ended with the speaker dinner (thanks to the organizers for the invitation!) in a relaxed atmosphere. Now it’s the weekend and I’ll spend some good time with my wife in sunny Lisbon!