Disclaimer: this is my first blog entry in English, so be warned ;-)
Like in the two years before, I visited the BRUCON conference in the nice city of Gent this year. Unfortunately, because of a lack of budget, I couldn't attend any training, so I can only write about the conference.
As usual I had to decide which workshops I wanted to attend, because several interesting workshops ran at the same time. You can watch the talks later, so I prefer to attend the workshops.
You could create your own schedule on a website. What I didn't know: by clicking on a workshop you registered for it. Instead of "first come, first served", this year it was "first the registered attendees, then first come, first served". Because this was (at least for me) not clear, some people couldn't get into their preferred workshop; but at least I could attend any workshop I wanted to attend.
The conference started on the first day with a keynote by Jennifer Minella. She talked about how we can get more people interested in working in IT security (because we have a lot of work to do, but a shortage of people). She used quotes from the books of Dr. Seuss for her talk. Two points that I really liked are:
– Leadership is about creating leaders, not followers
– You can't have people interested in IT security if you always complain about how much your job sucks
Usually I don't like keynotes, but this was a good one.
The next talk was Investigating PowerShell Attacks by Matt Hastings and Ryan Kazanciyan. They showed how PowerShell introduces new attack vectors into a company and how you can use PowerShell for attacks. I will definitely go through the slides again and use the information in my consulting work.
Then followed Windows Crash Dump Exploration Vehicles by Aaron Lemasters. He explained what happens during a crash in Windows and how you can use it for forensic analysis (like reading the MBR on rootkit-infected computers). Not an easy talk, but I recommend it.
Next I could choose between three workshops; unfortunately I had chosen the "wrong" one. Daniela Zapata and Wim Remes wanted to give a workshop with the title The dirty secrets of client-side exploitation and protection. Unfortunately the labs were in the suitcase that didn't make its way to Gent (note to self: always have a backup). Wim presented some slides for one hour with general information on how to prepare an attack on clients, but most of the information wasn't new to me. But he asked some attendees to go out and ask people on the street for their mail addresses and telephone numbers, and they didn't return without some prey ;-)
It was a pity that we couldn't use this information in the labs for the preparation of a (theoretical) attack.
I will only say this about the party: nobody danced, but the music was so loud that talking to each other was nearly impossible. Can we return next year to the location of the party from two years ago?
On the next day we spontaneously decided on the workshop Splinter the Rat Attack: Create your own Botnet to exploit the network, given by Solomon Sonya. Because of some changes in the schedule this workshop moved to the first slot, which was good for us ;-) Solomon showed us how we can build a botnet (with the help of his tool SPLINTER and some other tools) and use it to extract data from a company. We also discussed some countermeasures. This was a very interesting workshop, and with his tools someone can build a different scenario for a live hacking demo instead of the usual "here is the shell".
Now followed Willi Ballenthin with his workshop "EID 1102 The Audit Log was cleared" won't stop me: Advanced Windows Event Log Forensics. He talked about some of the internals of Windows Event Logs and the differences between the pre-Vista and "Vista and later" versions. He showed us some tools with which you can recreate some information from the Event Log even in the case that someone deleted it. A very good workshop delivered by someone who knows what he is talking about.
The last workshop was Network Device Forensics by Didier Stevens. For the attendees Didier brought 20 CISCO devices with him (yes, we had to give them back after the workshop). Unfortunately I wasn't able to get my serial interface working, so I had to use the dumps he provided with his workshop material. Didier first explained some of the internals of CISCO IOS and then showed how to create a dump. He then used some of his tools to analyze these dumps. Good for me that I have an old ISDN CISCO router at home ;-)
This workshop was also very interesting, and whoever is working with CISCO devices should have a look at his tools.
With this workshop the conference ended for us and we headed back to the car for our drive home.
I learned a lot, met old friends and made some new ones. That is what makes BRUCON special for me ;-)
I hope I will be back next year, and then also for some training.
What I couldn't see but wanted to:
– Michael Sikorski: Counterfeiting the pipes with Fakenet 2.0 (at least I have the slides)
– Hal Pomeranz: Linux Forensics Workshop (I saw too late that this workshop was also given on Thursday evening)
– Jake Valletta: Exploiting the bells and whistles: Uncovering OEM vulnerabilities in Android (as far as I know from one attendee, this workshop was good too; luckily I have all the material)