This year I was extremely lucky to be able to sit the awesome SecEDU Bsides bus again! Not only that, I was sponsored by MercuryISS for travel, accomodation and food costs — Thanks Edward and Alexi!

This year’s venue at the National Convention Centre was by far the best, being located near the CBD meant there were tons of accomodation options nearby — I only had to walk 10 minutes to get to the event compared to the 10-15 mins bus ride last year.


Tamper Evidence and Locksport

During last year’s Bsides I totally skipped this section, so I dedicated some hours to it this time round and wasn’t disappointed.


I learnt how to bypass simple tamper-evident stickers using alcohol-based substances such as shellite. The theory here is that most substances have a solvent, and when you apply the solvent (using a syringe for precision) the sticker will give way, and you can reapply it afterwards

   
Similarly the plastic seals can be bypassed by simply cutting a straw, folding it into a V-shape, putting it in the hole and sliding the shim and the plastic backwards. sneak



The wristbands operate in a similar fashion to the stickers but with the added difficulty of being ribbed and also only being able to use one hand (if performing on yourself) :punch:

Tamper


While we were playing around, a physical security enthusiast from RMIT came by and gave more in-depth knowledge on the techniques as well as attempting to bypass some of the harder stuff himself. The metallic seals looked extremely hard to break! I believe he recommended us to go to OzSecCon, which unfortunately is in Melbourne, not Sydney…


Talks, talks, talks

Conference Hall

I listened to mostly talks this time around, slightly controversial subject but I actually preferred single-stream talks compared to the previous years’ multi-stream in different rooms. This meant that I wouldn’t have to choose between two good talks happening at the same time :twisted_rightwards_arrows:


Main Track

Here are the talks that stood out to me:

  • Apathy and Arsenic: a Victorian Era lesson on fighting the surveillance state [talk] [notes]

    • Would recommend any security/privacy conscious individual to watch this
    • It touches on many concepts and has great analogies
    • I felt like I was listening to a TEDTalk


  • Attacking JWT [notes]
    • I learnt lots of new techniques from this talk, mainly:
      • When re-encoding a tampered JWT remember to use url-safe base64!
      • Spoofing the signature in the event that no strict checking is done
      • Setting the algorithm field to None
      • Spoofing algo field to be RSA but actually sending HMAC-signed JWT
      • SQLi in a special kid field
      • jku header may lead to SSRF
    • Problem ? — paseto


  • IoT Pentesting [notes]

    • IoT making its ways into enterprise, more @internetofshit content!

    • Hardware presents whole new attack surface for pentesters:
      • Dump firmware
      • Get source
      • Exploit Web Interface and get RCE with vulns
    • Attack surfaces:
      • Manuals/Data sheets from the interwebz
      • USB-oriented attacks (sniffing/replaying)
      • Use wifi to hook to access point, monitor traffic to cloud
    • Watch more hardware hacking videos to learn techniques such as desoldering chips


  • Deobfuscating malicious JavaScript [notes]
    • Compiler Theory: deobfuscation process and decompiling process similar
    • Think of deofbuscation as “optimization”
    • There are beautifiers out there but they don’t preserve semantics ie: 
      // int convert to string
"price = $" + 10  <=>  "price = $10"
    • Look at SAFE and UGLIFYJS
    • Techniques are so similar that you can use pre-existing pieces of compilers to build your own deobfuscater


  • Abusing trust in public repos [notes]
    • Summary: Software supply-chain is not as safe as you thought it was
    • Pseudo-solution: DockEnv — virtual env for Python using Docker
      • Suitable for testing, quick (one-time) solutions and development



Hardware Hacking Village

  • There was a cool talk about hacking a USB-powered LED fan involving:

    • sniffing the USB packets
    • reverse engineering the protocol
    • tampering and replaying packets
    • in the end displaying your own patterns/ascii with the lights


  • I also sat in to listen to @gnustomp’s talk about controlling your BIOS (UNSW support!)

    • The coreboot project seems quite interesting, and it is definitely a good idea if you’re paranoid about the manufacturer settings being vulnerable


The hardware

This year’s conference badge traded functionality for aesthetics

Which I think was definitely worth it!

It’s called the Nopia 1337, and its pretty fucking awesome		   It has custom firmware flashed onto it that resembles old Nokia-style interfaces

Complete with
- Tetris
- Snake :snake:
- Hidden flags
- Talk schedule		   nopia-1337
(Image from the Privasec website) (Sauce for the adventurous)



I actually went sightseeing this time !

On the Sunday morning myself, @adamyi, @jk, and Lew woke up early and went to check out the Parliament House building. :sunrise: Parliament House

We took our time getting there (by foot), unfortunately we had to rush through the building to take photos and hurriedly Uber back as time was running out and we didn’t want to miss the Bsides bus back!


Stuff I didn’t do

Conversely to last year, I did not take part in any of the competitions, ie: ASIC IR Challenge, Cybears CTF and Drone Hacking.


I did network a little bit more at the event this year, but not as much as I had set out to — imposter syndrome can be a dick sometimes…

I will try harder next year at Bsides 2020 :muscle:
(but maybe by then I would have had a job already... who knows?)