Black Hat Europe 2015

Black Hat is a famous computer security conference held annually in the USA, Europe and Asia. Philippe Arteau, the original developer of FindSecurityBugs, was accepted as a presenter and because of my significant software contribution, he suggested me presenting the tool together. Y Soft then supported me in taking this opportunity.

Black Hat Europe 2015 was held in November in Amsterdam and over 1500 people from 61 countries attended this event. The conference was opened with the keynote called What Got Us Here Won’t Get Us There mentioning upcoming security apocalypse, complexity as a problem, security anti-patterns, taking wrong turns, developing bad habits, missing opportunities or re-examining old truths (using many slides). The Forum and three smaller rooms were then used for parallel briefings – usually one-hour presentations with slides and some demonstrations of latest developments in information security. There was also Business Hall with sponsors, free coffee and a Tool/Demo area for the sub-event called Arsenal. Here we and mostly independent researchers showed our “weapons” – every tool had a kiosk for two hours and people come closer to see short demonstrations and to ask questions.

Despite presenting during lunch time, fair number of Black Hat attendees came to discuss and see FindSecurityBugs in action. The most common questions were about what it can analyse (Java and other JVM languages like Scala, no source code needed), which security weaknesses can we detect (the list is here, a few people were happy that there are also detectors for Android) and whether is it free or not (yes, it is open source). People seemed to like the tool and someone was quite surprised it is not a commercial tool 🙂

There were many interesting briefings during the two days. One of the most successful presentations (with applause in the middle of it) explained a reliable software-only attack to defeat full disk encryption (BitLocker) in Windows. If there was no pre-boot authentication and the attacked machine had joined a domain, it was possible to change the password at the login screen (and have full access to the system) by setting up a mock domain controller with user password expired. Microsoft released a patch during the conference. Other briefings included breaking into buildings, using continuous integration tools as an attack surface, fooling and tracking self-driving cars or delivering exploits “with style” (encoded in image/HTML polyglot). One presentation (about flaws in banking software) was cancelled (or probably postponed to another event) because the findings were too serious to disclose them at that time, but there was an interesting talk about backend-as-a-service instead – many Android applications contain hard coded credentials to access cloud services and researchers were able to extract 56 millions of sensitive user records. You can download many of the presentations (and some white papers) from the Black Hat website.

I also had time for a small sightseeing – there was a special night bus for attendees to the city centre and I was able to see it again before my flight home too. Amsterdam has a nice architecture separated by kilometres of canals and it is a very interesting city in general. What surprised me the most were bicycles everywhere – I had known people ride here a lot, but I didn’t expect to see such a huge amount of bikes going around and parked in the centre. They don’t wear helmets, sometimes carry a few children in a cart and don’t seem to be very careful (so I had to be a bit more careful than I’m used to when crossing streets). Walking through red-light district De Wallen with adult theatres and half-naked ladies behind glass doors is a remarkable experience too (don’t try to make photos of them, they’ll be angry). Sex shops and “coffee shops” (selling cannabis) are quite common not only in this area.

Another surprise came at the airport, where the inspection was very thorough and I was forced to put everything out of my bag (which I was not very happy about, because it took me a long time to pack it into a single cabin baggage). Just after (when I connected to the airport Wi-Fi) I realized what happened in Paris recently. The plane was also surprisingly small and first time for me I had received special instructions for opening the emergency door (since my seat was next to the right wing by chance). Nevertheless, the whole tripe was a nice experience for me and I was happy to be there, so maybe next time in London 🙂

In November 2015, the third year of the Czech Hackathon was held in Prague. The challenge was to create in less than 2 days a sport application using modern technology such as Oculus Rift, Google Cardboard, Apple Watch, Arduino and others. The use of technologies in sport is becoming more popular. Y Soft therefore decided to set up a hacking team.

From Friday evening on 7 people, including a skilled teammate from sli.do (Dominik Paľo), enjoyed the great atmosphere, lots of interesting people, a chill out zone massage, perfect food and beer and then…

We hadn’t done any special preparation, we had a project idea which we had clarified at work and for which we had divided tasks. After work on Friday we met at the Impact Hub, a welcoming environment, where cool t-shirts and friendly organizers were awaiting us. The evening began with a welcome speech and lectures on Arduino, Apple TV and Apple Watch. Professional athletes also spoke and explained what their training looks like, how technology helps them and what enhancements would be welcomed. The Brainstorming and Assembly sessions started after 22:00. We had agreed our moves in advance, so we assembled a line for beer and dinner. Hacking started straight after the team pitches.

At 3 AM we were still working on the first prototype and application design. Our project was applications for fitness centers. Customers with an iBeacon keyring which identifies them are paired with their web profile. On each machine in the gym there is a tablet that detects whether the iBeacon keyring is nearby and greets the user with the question of whether they wish to work out or to have the statistics of their previous exercises. They can even directly choose the exercise program for the whole period spent in the gym. Whenever a problem occurs, the user may call a coach who can see on his own tablet the position and status of all the machines in the gym.

Gym Web Portal
The Saturday wake up was smooth, motivation was our morning alarm. We hacked, chatted and drank beer the whole day. The pleasure derived from the chillout massage planned before dinner was awesome. The work was divided into the application for tablet, watches, web portal and backend. We went home a bit earlier, a little after midnight. Next morning the final hours of hacking, testing and fine-tuning awaited us. The final presentations and voting started at 13:00.Mobile App Animation

So a great atmosphere and litres of beer and then … we came 2nd! The Hackathon was great, we enjoyed it because we strengthened our friendships, learned to do only what is necessary due to time constraints and spent it in the pleasant company of hacking enthusiasts. It was our second Hackathon. We came 3rd at the first one and 2nd at this one, so you’re welcome to join our Y Soft RnD team of enthusiastic hackers and win first place at the 2016 Hackathon.
Hacking Team
Hack on and run along now to the gym!
Y Soft Hacking Team