I have never been to any of the larger Cons like Blackhat or Defcon. Sure the parties seem great and it would be awesome hanging out with so many hackers plus there are some excellent talks but given the time and cost of getting there it can be hard to justify. Over the last year however I have been very fortunate to have the opportunity to go to some of the smaller, but by no means less valuable, conferences around Europe and they have been awesome. They have all been well organised, with a great atmosphere and some incredible talks. I feel much more comfortable in these less overwhelmingly large settings, you’re more likely to bump into familiar faces and the speakers are always hanging around and happy to talk.
Yesterday was my first time at BSides Belfast but this was no exception. I’ve had the pleasure of spending a reasonable amount of time in Belfast already, however it was my colleague Seb’s first time. So, after too many beers the night before we got up early, had a quick breakfast and then took the long way round to the Europa Hotel, doing the most touristy thing I could think of - signing the Peace Wall, although I don’t think we were quite as philosophical as Nigel.
Whilst I definitely don’t want to start talking politics it still always amazes that a city less than an hours flight from London has a huge wall through the middle of it and that so many people here are completely unaware of the (very recent) history.
It is the classic hacker hobby and something I’ve always been intrigued by but never any good at so it was hugely satisfying when, after much swearing, I could finally get a pair of handcuffs off with just a hairpin. I’m already getting some ‘interesting’ Amazon recommendations though after immediately searching for a pair to order!
Once everyone had arrived it was time for the keynote which was given by Costin Raui (@craiu) of Kaspersky. This was one of the most interesting keynotes I have seen, giving a great overview of the intricacies of attribution and how current changes and improvements are affecting that, to the point where a much larger percentage may become reliably automated through the use of tools such as YARA. The scale Kaspersky are working at has necessitated much of this change for them when you consider the obstacles of dealing with a sample collection over 5PB!!! It was also a refreshingly honest/ amusing talk, acknowledging that samples of Duqu 2.0 were actually found in their own network, and that in retrospect it was maybe not the cleverest idea to report on some of the campaigns they have done so with the subjects of analysis maybe not as appreciative of the hard work as fellow Infosec colleagues and conference attendees. This is never more clearly highlighted than hearing of him coming home to find a note on his living room table suggesting he ‘take a break’ after giving a talk on Stuxnet.
The quick break before talks began allowed me to get my first taste of Club-Mate. I always think it is weird that it has attained such cult like status among hackers but so many don’t actually seem to like it. Thankfully I did so am hopefully a real hacker now although would not recommend drinking quite as much of it as I did over the course of the day. Full of caffeine it was then time for the first problem of the day - working out the unavoidable conference dilemma of which talks to go to and not being completely drawn in by the CTF organised by ZeroDays.ie. I think we found a good balance between attending some of the talks, checking out some of the challenges and hanging out talking to other attendees and sponsors.
Inevitably I missed some talks I was really keen to see however of the ones I did catch my personal highlights were:
Joseph Cox’s (@josephfcox) discussion on how hackers and journalists can work together. It was interesting hearing from a journalists perspective and nicely highlighted the different priorities or motivations they have and the obligations on a journalist when reporting, especially compared to a whistle blower or hacker who may be providing some data and almost always have their own agenda. There was also a worthy reminder that nothing is ‘off the record’ unless agreed by you and the journalist in advance!
David Coursey (@dacoursey) gave a great intro talk to hacking mobile apps with Frida which I particularly enjoyed as Frida is something I’ve been saying I want to use more for a long time whilst only having been successful in avoiding and procrastinating. Hopefully this will give me the kick to get up and do it. There was also a nice list of resources and Frida scripts included in the slides so be sure to check them out if you’re interested when they are available.
Finally the day was wrapped up nicely by Warren Mercer (@securitybeard) and Paul Rascagneres (@r00tbsd) of Talos discussing a year’s worth of attacks from the North Korean Group123. It was great seeing how the small similarities between payloads are enough to tie campaigns to the same actor but different enough to help identify motivation or targets although I will be forever paranoid if I find any jpegs I don’t recognise on my machine after it being drilled into the audience by Warren about the groups (mis)use of them.
A huge thanks to the whole Belfast BSides crew, the whole day was well organised and very professional. Apparently the power went out at one point in one of the tracks and even that wasn’t enough to stop Katherine Cancelado (@eepica) continuing with the talk!
It was a great atmosphere and I had an awesome day. I will be sure to be back next year! My only frustration of the whole experience was having to get a flight home that evening meaning I couldn’t make the most of Talos’ generosity and drink all the free beer at the after party!
Lastly we will all be at Confidence London on October the 4th so hope to see some of you there 😀