October 15, 2018
Annual visit to the BruCON security conference in Ghent
Like in years past, (nearly) the whole team met in Ghent for the unofficial second team event: BruCON. Next to trainings, talks and workshops, the main focus was to have fun together. Therefore, the majority of the team – not all, since the team has grown significantly over the last year – stayed at the band resort: a complete apartment in a prime location with lots of space, a beer fridge and a bar. In short: a perfect starting point for evening trips, of which more later.
The Training Session
Before the conference itself, five of us attended different trainings for two or three days. The subjects were chosen by personal interest and differed greatly, like our daily business itself. From Practical IoT Hacking through Offensive PowerShell for Red and Blue Teams to Post Exploitation Adversary Simulations – Network Data Exfiltration Techniques, the offered trainings appealed to all tastes and interests. The Offensive Whiteboard Hacking for Penetration Testers training was especially worth doing and inspired us to run a company-internal workshop to enhance our skills when creating customer offers. The goal: support the customer by conducting a threat analysis to tailor the offers even better to the needs of the customer. The highlights of each training were already discussed over one or another beer with the other team members, who arrived the day before the conference started. More on this later.
This year BruCON took place for the 10th time, traditionally at the beginning of October, in a building of the University of Ghent. The first impression when we walked through the entrance was exactly what we were expecting from previous years: friendly, open-minded hackers, nerdy stuff wherever you look, and beer. This was already evident in the badges that were needed to enter the building: a circuit board with console-like buttons, a display, a battery and – matching the motto Hacking for Beer – an alcohol tester (see picture). Equipped with this badge, we left the reception area and entered the main hall. Passing a lot of friendly people, the bar and the breakfast buffet, we headed to the single conference room and the talks.
Especially for the 10th birthday, the schedule promised Retro Talks for the whole first day of the conference. That meant speakers from previous years presented the same topics again, but from today’s perspective. Talks like Hacking driverless vehicles showed impressive progress in technology. New attack vectors for modern sensors were presented, as well as the surprisingly small amount of effort and money needed to conduct some of them. For a demonstration, a faked GPS signal “teleported” the audience right into the White House. Leveling Up Security @ Riot Games also showed progress, from the view of a company that has to protect its resources. The speaker compared security, e.g. of buildings, at the time of the last talk with the improved current state. Internal reorganizations and RFCs were the main focus.
In contrast to the fast-developing technology, other talks showed that some parts of the business cannot keep up with the speed of change, first and foremost the human itself. The main message of the Social engineering for penetration testers talk was: nothing has changed. The attacks are still the same and the awareness of potential attacks is as low as ever. Therefore, the slides and presentation were nearly the same as at the 1st BruCON nine years ago. However, the talk was educational, enriched with anecdotes and fun to attend. A second example of minor changes in the past was The 99c heart surgeon dilemma talk. For the original one, the speaker collected reports from different penetration testing companies showing the range in quality from useful to useless. The examples were quite funny and sometimes incredibly bad. Even though all these companies with bad testing and reports no longer exist, there are still a lot of bad practices today. Quality prevails even though new offensive security companies show up on a regular basis. However, the good news for us: we have been here for nearly two decades, improving our knowledge and quality every day and hopefully living up to our high standards.
Next to the talks, some workshops were offered. Some of us attended the Finding security vulnerabilities with modern fuzzing techniques workshop. For 4 hours we moved through hundreds of slides and several hands-on exercises. We wished we had at least a day for the workshop, but since the slides and exercise materials were distributed, we took it home as a homework assignment. Other workshops were more relaxing but no less informative.
Besides all the educational content, a wide range of entertainment was offered, starting with tasty food and drinks, a lot of interesting people to talk to and some competitive challenges. Some of us competed in the CTF with uncommon challenges like lock picking, others relaxed in the Retro Gaming Area and indulged in reminiscences. On the second day, the badges, which until then had possessed the functionality of a stone, were flashed. Now everybody had an up-to-date schedule and a map of the most important BruCON locations at hand. This once again demonstrated that we are all different. While one of us immediately examined the new firmware, the others tested the functionality of the alcohol tester. Fortunately, all needed utilities were provided directly at the bar. Other platforms like the Mentor/Mentee meeting as well as the BruCON party on the second day provided a great opportunity to socialize and make new contacts. Furthermore, for all the hackers who wanted to defy the cliché of a nerd, a hacker run was organized. At least one of us participated and enjoyed the beautiful city of Ghent at 7am during a 10km run.
The evening before the conference, when the rest of the team not attending any trainings arrived, the fridge was already filled with beer and the atmosphere was great. Even though Ghent has a beautiful cityscape, we only made it across the street to “schotel”. Schotel is the Dutch word for dish/bowl, but for us it is the deep-fried fast food traditionally eaten during BruCON. Back in the apartment, we emptied the fridge and enjoyed a great time together with no thought of work. After the official program ended on the first day of the conference, we all met at the band resort again. Since the band resort is located in the middle of the city, everything is within walking distance. After a few beers had laid the foundation for the later construction of a beer can tower (yes, it reached the ceiling in the end), we headed to a steak and burger restaurant which we discovered last year. On this occasion, we were able to admire the beautiful old houses, streets and churches and all agreed on the fact that Ghent is worth a longer visit. We will definitely return next year.