For a third year in a row, I had the opportunity to go to Hackfest. Once again, the conferences were awesome, the venue well organized and the CTFs packed with fun and challenge. Here is a summary of some of the talks I attended.

Fingerprinting Android malware packaging process through static analysis to identify their creator, by François Gagnon


This talk was about all the information we can get by unpacking an Android application’s APK, which is in fact just an archive of all the required files. We can extract a lot of information about an app by looking at its Manifest and its X509 signing certificate. When malicious people create malware for Android, they usually produce it in batches and publish it across multiple different apps to infect more victims. So, we can use static analysis to look for different pieces of information that help us quickly identify whether an app is malicious or not. Usually, malware creators make some obvious mistakes when generating their infected APKs. They reuse the same package name, set strange values for the app version or SDK version, duplicate permissions or even reuse the same certificate across multiple apps. The goal of the static analysis tools is to search for these odd values and surface the app for further analysis, if necessary.
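To make the triage idea concrete, here is an added example (not from the talk or the original post) that flags the packaging oddities listed above. It assumes the manifest and certificate fields were already extracted into records; the field names, sample values and the thresholds for "strange" versions are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records: fields one would extract from each APK's
# Manifest and signing certificate (all values are made up).
SAMPLES = [
    {"file": "flashlight.apk", "package": "com.example.flash", "version_code": 3,
     "min_sdk": 21, "target_sdk": 30, "cert_sha256": "aa11",
     "permissions": ["android.permission.CAMERA"]},
    {"file": "game.apk", "package": "com.abc.game", "version_code": 0,
     "min_sdk": 19, "target_sdk": 8, "cert_sha256": "bb22",
     "permissions": ["android.permission.INTERNET", "android.permission.SEND_SMS",
                     "android.permission.INTERNET"]},
    {"file": "wallpaper.apk", "package": "com.abc.game", "version_code": 1,
     "min_sdk": 19, "target_sdk": 28, "cert_sha256": "bb22",
     "permissions": ["android.permission.INTERNET"]},
    {"file": "qr.apk", "package": "org.sample.qr", "version_code": 12,
     "min_sdk": 23, "target_sdk": 33, "cert_sha256": "bb22",
     "permissions": ["android.permission.CAMERA"]},
]

def triage(records):
    """Return {file: [reasons]} for APKs worth a closer look."""
    by_cert, by_pkg = defaultdict(set), defaultdict(set)
    for r in records:  # first pass: index the whole batch
        by_cert[r["cert_sha256"]].add(r["package"])
        by_pkg[r["package"]].add(r["file"])
    findings = {}
    for r in records:  # second pass: per-APK checks plus batch-level reuse
        why = []
        if r["version_code"] <= 0:  # assumed threshold for a "strange" version
            why.append("odd version code %d" % r["version_code"])
        if r["target_sdk"] < r["min_sdk"]:  # assumed "strange" SDK combination
            why.append("targetSdk below minSdk")
        dupes = sorted(p for p, n in Counter(r["permissions"]).items() if n > 1)
        if dupes:
            why.append("duplicate permission: " + ", ".join(dupes))
        n_pkgs = len(by_cert[r["cert_sha256"]])
        if n_pkgs > 1:
            why.append("signing certificate shared by %d packages" % n_pkgs)
        n_files = len(by_pkg[r["package"]])
        if n_files > 1:
            why.append("package name reused by %d files" % n_files)
        if why:
            findings[r["file"]] = why
    return findings

if __name__ == "__main__":
    for name, why in triage(SAMPLES).items():
        print(name, "->", "; ".join(why))
```

These are triage signals, not verdicts: a legitimate developer also signs several apps with one key, which is why a hit only surfaces the app for further analysis.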

Creating a Professional-Quality Embedded Device on a Budget, by Michael Vieau and Kevin Bong


This talk presented how to bring an electronic project from an idea to a working device. I’m definitely more of a software guy, but I’m interested in electronics I can run my software on.

They presented a 4-step process:

  1. Design: Think about your project, the components you need, the circuit you want to build.
  2. Prototype: Make a prototype using a temporary setup with a breadboard, alligator clip wires and a full-size Arduino to easily test out the idea.
  3. PCB Design: Once you know precisely the components of the circuit, design a PCB to have a clean and tidy result.
  4. Assembly: Solder the final components on the PCB and make a case if necessary.

They also shared some useful resources to help us along the way:

  • AliExpress: To order electronic DIY kits and buy components in bulk. But beware, they are cheaper because they are Chinese knockoffs.
  • Fritzing: A great open-source PCB modelling tool.
  • PCBWay: A place to get your PCB designs printed.

Beating the Disinformation Drift: Facts about the AlphaBay Market, by Masarah Paquet-Clouston

This presentation was about exploring the black markets and explaining the criminology and economics principles behind them. The presenter told the story of the AlphaBay market, basically eBay for illicit products and services, from its creation in 2015 to its shutdown in 2017 by a joint effort of the FBI and Dutch Police. She also presented some statistics about the market: 4500 vendors, 47 000 listings, US$18 million a month in revenue (9 times the revenue of another famous market, Silk Road). Seeing the enormous numbers, we may think the vendors on the platform are all extremely rich. But in fact, it’s a highly competitive and unequal market. A few vendors make most of the sales; 90% of them make almost nothing.

The market uses principles of self-governance. There are some rules about trading and prohibited products, but otherwise the users pretty much solve their conflicts by themselves. Very few transactions involve international markets. The risk is too high when a package must cross a border: it can be seized and never reach its destination.

Overall, the market offers pretty limited rewards. The online and somewhat anonymous part of the transactions is only the tip of the iceberg. Most of the work must be done in real life to produce and send the items. The barrier to entry is low, but the barrier to sell is very high.

Practical Analysis of Awareness, by Kendra Cooley


This talk was really interesting because it presented a more human side of infosec. We always hear that the weakest link in the chain is the user, but we rarely talk about concrete ways to raise their awareness of the important issues related to information security. Kendra presented tactics to help onboard the members of an organization into training programs by making them develop a genuine interest in learning and improving their processes, instead of doing it just to check the box. The idea is to get the users, no matter their role in the organization (HR, marketing, sales, developers, etc.), to a higher level of knowledge, instead of driving their decisions by fear and paranoia. Promote a proactive mindset to act before bad things happen. Support a hacker mindset by thinking about what could go wrong, before it does, so you avoid being the next privacy leak story in the news.

Attack Driven Development: Getting Started in Application Security, by Keith Hoodlet


Keith started as a software developer, then transitioned to web application security. His career path particularly resonated with me because of my developer background and my interest in cyber security. He presented what he calls ADD: Attack Driven Development, a methodology to help developers make their software safer. The goal is to learn a language or technology to purposefully build a broken product and practice attacking it. Then iterate on the code to make it more and more secure. Rinse and repeat. A pragmatic approach like that is a pretty good way to build experience and gain knowledge of the pitfalls of different tech stacks. Security is no longer an afterthought: every developer must be conscious of these challenges and do everything they can to build better software from the source.

Genetic Algorithms for Brute Forcing, by Christopher Ellis


This talk presented how to leverage genetic algorithms to make informed guesses when brute forcing. For example, when trying to find a secret URL hash, after multiple runs of the algorithm and some successful guesses, the algorithm can start to discover a pattern and adjust its guesses accordingly. The process consists of: making a guess, analyzing the result, mutating according to success or failure, then repeating. It’s definitely not a perfect solution, but it’s an interesting way to bring intelligence into brute forcing techniques. I can’t wait to see more innovation using AI or machine learning in infosec.

Lessons Learned Hunting IoT Malware, by Olivier Bilodeau


Olivier, MontreHack co-founder and VP Training at NorthSec, talked about using honeypots to mimic real IoT devices and collect malware to inspect it. IoT devices are very hard to analyze for malware. Using a honeypot to attract malware makes it possible to gather data on its behaviour and develop a defence mechanism afterward. There are some challenges associated with running a honeypot. You can choose the software route, which is harder but more flexible and cheaper, or you can choose to monitor a hardware setup, but this requires more maintenance and it’s costly. It was a great presentation; I really liked seeing the methodology behind these tools to explore the inner workings of malware.

Parting thoughts

Each time I come back from a conference, I’m hyped up and motivated, and this one is no exception. I’m eager to put to use the tips and knowledge I got out of the event in CTFs or even some bug bounties. Big props to the people who organized the event and thanks for making the videos available online!

Until next year, Hackfest! :)