April 17, 2018

Hack In The Box Amsterdam - Day 1

A recap of Hack In The Box 2018 Amsterdam - Day 1

I attended the Hack In The Box Amsterdam conference. I had high expectations upfront, because I heard very positive things about this conference from several people. And I must say that the expectations were met. The setting was great. The Grand Hotel Krasnapolsky in Amsterdam is really nice.

I met a lot of really nice and smart people during these 2 days. Some of them like Jelena Milosevic and Victor Gevers, I already knew via Twitter, but I had never met them in real life. So it was really nice to have a chat with them. Special thanks to Jelena, she introduced me to several very interesting people from the (Dutch) hacker scene. The networking part, just meeting and having a chat with different people is one of the big advantages of conferences. Okay, over to the day 1 talks now, or wait, one more thing. How cool is this badge:

Day 1 talks

The first day of the conference kicked off really well. The welcome talk, titled “Hacks, Sticks and Carrots: Improving incentives for Cybersecurity”, was given by Michel van Eeten, a professor in Cybersecurity from the University of Delft in the Netherlands.

While it was only a 15-minute talk, there were some interesting takeaways, with the key one for me being: “Patching is all about economics”

  • A study at a major network operator found that the leading cause of outages is: patching.
  • Over 20k vulnerabilities reported in 2017. Most are never exploited. CVSS critical score tells you nothing because it’s biased.
  • This explains why companies like Maersk get infected with WannaCry. It’s not always clear how critical bugs are, and it’s just (economically) not feasible to apply all patches.

The slides of this presentation can be found here

Next up was Marion Marschalek with the day 1 keynote, titled: “THE PAST, THE FUTURE, AND … wait, where the hell are we now?” The following tweets summarize what it was all about:

About the paradox in (the evolution of) threat detection

and threat detection flaws:

And about the lack of good security tooling:

This is how this pretty crazy (!) presentation ended, by the way: with a crazy Portland dude on a one-wheel bicycle, holding a bagpipe and spitting fire ;-).

The presentation of Marion Marschalek’s keynote can be found here:

Another interesting talk was given by Vladimir Kropotov, “Ticket to ride: Abusing the Traveler and hospitality industry for profit.” The talk is about the research he and some of his Trend Micro colleagues did about travel fraud.

In this talk he explains what travel fraud is all about and what goods and services are offered at underground forums. This is literally everything you can imagine you might need when you travel. Sellers active on these forums also have a reputation and there are certain guarantees for the buyers. Another aspect is the criminality going on behind the scenes. Think about stolen credit cards, abuse of loyalty and promo programs and hacking of websites. If you want to read more about it, you can find the full presentation here.

Another good talk I attended was “Faster, Wider, Greater: Modern Pentest Tricks” by Thomas Debize. Just have a look at this presentation, it is full of tips and tools you can use to optimize your pentesting activities on a wide scope.

More to come about several good talks I attended on day 2 of this great conference, so stay tuned.