Last Friday a little more than a dozen Compass Security Analysts traveled to Geneva and attended the Insomnihack conference and its CTF.

Conference

The conference featured a variety of topics, ranging from corporate IT security, distributed systems and malware analysis to more unusual topics such as remote exploitation of game engines.

In DevOOPS: Attacks And Defenses For DevOps Toolchains, Chris Gates & Ken Johnson presented their collaborative attack research into the technology behind DevOps, with some amusing findings. Covered topics included dev laptop hardening (mostly about OS X) and how important it is to make sure that your public git repos do not contain keys, passwords or similar sensitive information. Some bad examples were shown, including companies that went dark after losing AWS keys. They gave some insight into tools to combat such issues. It was impressive to see how many services (like redis, Hudson and Hadoop) are not intended to be exposed to the Internet with their default configuration, as it was back in the nineties. But with the rise of cloud services this started to happen quite often, which is easily confirmed by some Shodan queries.

On the Need for Integrated Circuit Security by Olivier Thomas painted a very interesting picture of what a high-level adversary, with the right equipment and funding, can accomplish with regard to ROM extraction, bypassing physical chip security measures, and cataloguing SoC designs to automate feature recognition and shorten the analyst's time to usable information. Having spent years developing hardware measures for PayTV hardware security, Thomas went on to explain quite well the constant cat-and-mouse game between security professionals and adversaries (in his case pay channel pirates, with hardware as the focus).

The talk was very enlightening. After the speaker laughed at IC shielding techniques as a mere minor time waster, a concluding question came from the audience: “So what measures and techniques are there for strengthening integrated security?” The quality of the talk was accentuated by his answer, paraphrased: “I cannot say much about this at the time. We are busy with a collection of patent applications”.

Automating Computer Security: Why we need computers, and why they still need us by Tyler Nighswander was a funny and brilliantly delivered talk on how computer science techniques can be consistently applied to real world problems, in this case how to automate certain aspects of security analysis in a CTF-like environment. Although some may argue that the Cyber Grand Challenge did not “yet” present a real world problem, Nighswander clearly elucidated the shortfalls of, and possible collaborations between, both sides: humans and the automated machines, used in this case not only for fuzzing and automated shallow fuzz testing, but also for symbolic execution to search deep into the problem space. His team of 5 committed 2 years of their lives specifically to this challenge and, having won DARPA’s CGC prize with their “Mayhem”, fully intend to bring the ideas to market in a non-academic way.

CTF write-ups

The CTF offered a lot of fun in exchange for a night’s sleep. About 80 teams competed and there were some interesting challenges. If you’re interested in challenge write-ups you might want to continue reading the following posts: