Hack In The Box Amsterdam - Day 2

I finally took some time to write a short review of the second day of the Hack In The Box conference in Amsterdam. You can find my review of day 1 here.

The second day was kicked off by Jennifer Leggio. She is Chief Marketing Officer of Flashpoint. Like she mentions at the start of her keynote, at first sight she might not be the kind of speaker you would expect at a hacker conference. But this is exactly what made this talk stand out for me. It’s refreshing to listen and learn from people that look at the things from a different perspective.

The title of her keynote was “A Risk Assessment of Logo disclosures’.

This talk is all about the conflicting interests between on the one hand manufacturers, security vendors and researchers — they all try to reduce harm — and on the other hand marketers who often create risk or sensationalize (why did the Heartbleed vulnerability need to have a logo?).

But this is the old way and this needs to be changed:

“We are going to change the way business and marketing leaders interact with researchers and analysts, and raise the bar for ethics. We are going to empower researchers and analysts to advocate business and marketing leaders for better practices.”

And this eventually should lead to marketers that “reduce harm”.

Without spoiling too much of the talk I encourage you to watch it and see how they are implementing “the new way” of marketing at Flashpoint. In this talk there are several good practices that can be used within your own business and certainly not limited to the marketing department.

Prodsec: A Technical Approach

This was probably for me one of talks that is the most applicable in my daytime job. The talk was given by Jeremy Brown, who is security lead at NVIDIA. I didn’t know Jeremy upfront, but met him at the elevator at day 1. We had a quick chat and I learned that he would do a talk about product security the next day. And it was a real good talk, full of tips how to create secure products and how to introduce and continuously improve product security in an organization. After the talk I had again the opportunity to chat with him and like I said in my review of day 1 this is really added value of being at a conference.

Somebody Call a Doctor: Hacking a Hospital for Fun and Profit

Another really entertaining, but also quite scaring, talk was given by Asaf Cohen and Ofir Kamil. They performed research in a Israeli hospital and they showed how easy it is to pwn your way through the hospital and eventually hack medical devices like Electrocardiography (ECG/EKG) — which has default passwords — CT scanners or PLCs . How to get into the internal network? Well, the attack surface is quite big. You can choose between the cafetaria wireless access point, “Hot” network jacks or an unhardened kiosk, all connected or bridged to the LAN.

Defense-in-depth Techniques for Modern Web Applications and Google’s Journey with CSP.

In this talk Google security engineers Lukas Weichselbaum and Michele Spagnuolo show the purpose of a Content Security Policy (CSP) and best practices for implementing CSPs (very interesting to see how Google implements CSP). They also give a preview of new features in CSP 3.

Other security features — some still in proposal — discussed in this talk:

  • Subresource integrity: SRI ensures that resources hosted on third-party servers have not been tampered with by specifying a hash of their expected content.
  • Same-Site Cookies: The SameSite flag in cookies allows servers to mitigate the risk of XSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same site.
  • Site isolation: A Chromium browser setting ensuring that pages from different websites are put into different processes and blocking the process from receiving sensitive data from other sites.
  • CORB: An important part of Site Isolation restricting which cross-origin data is sent to a renderer process, limiting the access to such data using speculative side-channel attacks like Spectre.
  • From-Origin (proposal): Prevents resources from being loaded and included by non-whitelisted origins. Mitigates inline linking and attacks such as Spectre.
  • Suborigins (proposal): Isolate different applications running in the same origin by adding to a response a server-specified namespace to the origin tuple.
  • Origin Policy (proposal): Applies Content Security Policy, Referrer Policy and other policies to an entire origin, by default (like “pinning”). It complements header-based delivery, increasing coverage.
  • Feature Policy (proposal): Selectively enables and disables different browser features and web APIs.

Conclusion

Hack In The Box Amsterdam is really a great security conference. Nice location, well organized and a lot of high quality talks. If you have the opportunity to attend the conference, don’t doubt! I hope to go back next year.