Wednesday, 29 June 2016

SnoopCon 2016

I had the honour to be invited again this year by the Cyber Security Testing and Validation Team at British Telecoms (BT) in order to attend their annual internal conference, as a guest speaker. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days.

The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.

It was a great opportunity for me to catch-up with so many friends at SnoopCon. I also find out that Anoop Sethi has decided to retire after approximately 12302 days uptime (33 years) for BT. 

It is a great honour to have known Anoop, the man who fundamentally changed the way Security and Penetration Testing is viewed in BT. Given the opportunity, I would like to personally wish Anoop all the best with anything he decides to do and I would like to thank him for being such an amazing individual.

I had a fantastic day at BT and the quality of the guest talks was over the roof. I am going to outline here briefly the content of the talks in the order they were presented. 



The day at SnoopCon started with Saumil Shah (@therealsaumil) with a talk about Stegosploit. It was a really interesting talk about a toolkit that contains the tools necessary to test image based exploit delivery. You can find out more about Stegosploit here: stegosploit.info

My talk was next (@drgfragkos), and it was about the myths and truth when it comes to hacking airplanes. The purpose of this talk is to present people with small truths and facts about airplanes, their systems, about hacking, the law, and some inside information I managed to gather over the years. During this talk, I tend to share with the audience some insights that very few people know about airplanes and their systems. 


Dominic Spill (@dominicgs) took the stage and did an interactive presentation on tools and techniques for reverse engineering proprietary RF protocols. He demonstrated how we can use low cost hardware to interact with devices and discussed the security implications. Personally, I always enjoy Dom's talks as I am really fascinated with all the hardware hacks he talks about. 


The next talk was by a man that needs no introduction. @hackerfantastic took the stage and talked about exploits in orbit. The talk was an overview of packet radio communication and application as a C2 channel for covert red team operations. He introduced the fundamentals of packet ratio and satellite operation. It was very interesting to see how you can bounce a radio signal using the International Space Station (ISS) and send a command to a computer to the other side of earth.


Saumil Shah took the stage once again, and discussed his views on the state of information security and cybersecurity today. I totally agree with his views and I have made blog posts on the fact that the industry sells blinking light instead of trying to solve the security problem, be proactive, and focus on predicting how attacks are expected to shift. 


Next, Kostas Litovois and Vincent Yiu spoke about attack vectors that abuse Microsoft Office's functionality, with the sole purpose to attack unsuspecting end-users and formulate attacks against today's businesses. The presentation was about different configurations and mitigation controls that made available by Microsoft over the years, as they discussed various bypasses that have been known and highlight MS Office templates and the ways these can be used to assist in different stages of an APT life-cycle. The talk discussed the tool #WePWNise that can inject native VBA code, create a process, allocate and reserve a space of memory, and finally execute the malicious payload.


The final talk of the day was delivered by Bryan Fite, who discussed <<The Internet of "Deadly" (Dangerous) Things>>. I had the opportunity to speak with Bryan during the lunch break about exploiting airplanes, ships, guidance chips and mission critical systems. During his talk, 
Safety, Security and Privacy was the main focus, and he delivered the content in a very interesting presentation. By 2020 we are going to have 4 billion connected people, $4 trillion revenue opportunity, 25+ million apps, 25+ billion connected devices and all this online presence needs to be taken under serious consideration. 
He talked about industrial internet consortium http://www.iiconsortium.org, I am the Calvary https://www.iamthecavalry.org and the NIST CPS Framework (Cyber Physical System) https://pages.nist.gov/cpspwg/. Bryan in his talk discussed "how to build a killer robot without even trying" but I am not going to discuss this here, because you need to attend his talk and enjoy this part of the presentation, as much as I did. 

Thank you for inviting me to the conference. I am looking forward to the next conference already! 

1 comment: