Area41 (@a41con) is a security conference held in Switzerland. Its the successor of the highly successful Hashdays. Several Compass Security Switzerland employees volunteered to help organizing this event. Some say, we completely infiltrated Area41!
The compound of Komplex 457 was pretty awesome. There was enough space in the main hall for to accommodate all viewers, and an additional second floor (balcony) with great view of the main stage (and also was close to several couches, the bar, the catering and most importantly the coffee machine). The second room was located underground in a former strip club, featuring red walls, which made the talks a lot more dirty ;-). A big outside terrace completed the temporary hacker epicenter.
Banashide (@banasidhe) organized the still tired group of volunteers, as we arrived on Monday morning. Biggest problem was the complete lack of coffee (Rumor had it that the four coffee machines were involved in an accident on the motorway). Fortunately, a big stash of Club Mate helped bridging this rough patch.
Between my shifts, I had the chance to attend several interesting talks.
In the Keynote (Slides), Halvar Flake (@halvarflake) showed that we are not able to check the integrity of software on our computer systems on any level (Userspace, Kernelspace, BIOS, …). So the only valid option after a compromise of a machine is to re-install it from a trusted medium. But there’s anyway little hope, as with Intel ME, we have component on our mainboard with full network- and memory access. Also we can’t check for BIOS backdoors, for example issued by the NSA. Additionally, the process of deploying and managing signatures creates a big amount of problems by itself.
For me, the request for integrity checks for the complete machine is bold, but necessary. I hope in maybe 30 or 50 years, we will be able to do so.
Rob Fuller (@mubix) gave an entertaining talk about free defenses (slides, from shmoocon), with many practical examples and penetration testing stories. For example, he told us about honeypots with port 23 open, or domain admin user with the password in the user comments, both immediately triggering an alarm if accessed.
In my opinion, those simple honeypots and triggers are immensely useful for any company to deploy, as they are cheap and with nearly no false positives.
Marc Ruef (@mruef) talked about his “baby”, the SCIP VulDB (slides). He showed us the weaknesses and faults of other vulnerability databases. Seemingly simple things like disclosure dates and version information (e.g. does “version up to 11” include 11, or not? What does 2.x mean?) are handled differently and sometimes inconsistently by the various vulnerability DB’s.
As penetration tester, I depend on accurate information of vulnerabilities in vulnerability databases. It is necessary to correctly assert risks of installed software versions. The talk opened my eyes to the massive deficiencies currently prevalent in the reporting and management of security advisories.
Overall it has been an interesting and successful day. I intend to attend again next year!