My experience at Bsides ROC virtual 2021 Conference.

Masq31 - Benjamin Giordano
5 min read · Mar 17, 2021


Hello, for this month I’m going to share with you my experience with the security convention I attended about a week back.

Bsides events are typically small, community-driven security conferences with a focus on specific areas of the profession. While there were other events going on around the same time, such as HackerOne’s Nathancon, I felt it was important to my prospective hometown web security awareness project to prioritize Bsides first.

I feel the most important thing to start out on is this year’s overarching theme: Diversity in tech. A wonderful thought experiment presentation led by Sarah Swad rounded off the conference.

Her speech on building inclusiveness through the thoughts, actions and words shared throughout the security community strikes a key note as to how the activity of hacking itself is viewed. From a global perspective to a local one, words such as ‘penetration testing’, while important for understanding current jargon, can and likely will change in our lifetimes to be better understood from a people-centric, worldwide perspective. A marketing tagline and cross promotion is one thing, but making a change for everyone’s benefit is another thing entirely.

Her presentation was echoed by Chris Roberts as the group reflected on the future for hacking as a hobby and a profession.

Inclusive acceptance of the differences we all have is one reason I started down a learning path with Microsoft back last summer. I previously had a policy of separating my personal life from my ventures. With my current direction and IT work, I’m a lot more free to bring my creative inner self to the discussion table. This commitment isn’t just a feeling, it’s a sign of being welcome for having the right mindset and skillset. This isn’t just a good thing for the hobby, it’s a good thing to let others see what the hobby can be.

Back at the start, one of the leading presentations was done by Nick Reed on independent, public knowledge-based research. He’s an advocate for the OSINTION. The methodologies that open source intelligence (OSINT) researchers utilize in the community are certainly a valuable resource to hear more about. Their work is why it’s important to keep track of the data and information you’re sharing online, knowingly or not.

The talk covered one area that piqued my interest, and that was the segment covering the Linux distribution in North Korea known as Red Star OS. Nick had been successful in determining the presence of XSS through a webshell function. I do not know much about this technique yet, but given that it was a potentially unfiltered exploit, I would presume there would be many more issues with this OS in regards to web security features.

The next presentation that piqued my curiosity was by Jon Bauer. His work at RIT is certainly well respected and he’s a go-to on community hacker competitions. I have great respect for the management behind red team methodology, despite not quite understanding its overarching approach in the two times I’ve been lectured on it. I’m certainly in awe nevertheless.

During my trips to video game speedrunning conventions in the past, I learned a way to get more out of your convention experience. That’s simply to take a look at what others are doing for their work, and see if there’s an intersection somewhere. Striking up a conversation this way I’ve found is like striking a match to a lighter.

I had a chance to pinpoint other folks working on web security through this trick. After a quick hour talking to experts from the Rochester WordPress group, the experts had updated the best practices document. Though they wish to remain anonymous, their astuteness in web design and past & present IT matters is inspiring.

One individual I had the pleasure of talking to again was the organizer @JRWR. We first met back in 2018 through Interlock Rochester. He was the person who gifted me a convention badge to tinker with, along with the task of fixing an LED attached to it.

This year I’m thankful he allowed me the chance to test out something I haven’t tinkered with yet, websockets. I pulled up another researcher’s Medium blog and followed along as I explored the feature:

https://medium.com/@osamaavvan/exploiting-websocket-application-wide-xss-csrf-66e9e2ac8dfa

It turns out there’s a specific tab in Burp for this tool. It shows sent and received communications; connections are handled through the specific ‘wss’ format, each handling its own script property. The security aspects here are outlined in Osama’s blog linked above, but there are two areas I focused on: making sure external origins cannot access the resource, and making sure a good ID and cookie schema is implemented. Both of these are defenses to stop man-in-the-middle supported XSS attacks from happening on both the client and server side.
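As an added illustration of those two defenses (this is example code written for this write-up, not code from the original post, from Burp, or from Osama’s article), the snippet below checks a WebSocket upgrade handshake on the server side: the Origin header must match an allowlist, and the session cookie must map to a known user before the upgrade is completed. The origin `https://app.example.com`, the `session` cookie name and the `SESSIONS` store are assumptions constructed for the example.

```python
# Added example: server-side checks on a WebSocket upgrade handshake.
# Not code from the original post; the origin, cookie name and session
# store below are constructed for illustration.
from __future__ import annotations

from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

# Assumption: the application is served from exactly this origin.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Constructed session store: cookie value -> user. A real service would
# look these up in its session backend.
SESSIONS = {"tok-alice-0001": "alice"}


def parse_handshake(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 upgrade request into its request line and headers.

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_websocket_upgrade(headers: dict[str, str]) -> bool:
    """True when the request asks for the WebSocket protocol upgrade."""
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def normalize_origin(origin: str) -> str | None:
    """Reduce an Origin value to scheme://host[:port], lower-cased."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # covers "null" and anything that is not a web origin
    return f"{parts.scheme}://{parts.netloc}".lower()


def origin_allowed(headers: dict[str, str]) -> bool:
    """Refuse handshakes from any origin not on the allowlist.

    Browsers always send Origin on a WebSocket handshake, so a missing or
    foreign Origin is refused rather than trusted: the cookie alone does not
    prove that the page opening the socket is ours.
    """
    origin = headers.get("origin")
    if origin is None:
        return False
    normalized = normalize_origin(origin)
    return normalized is not None and normalized in ALLOWED_ORIGINS


def session_user(headers: dict[str, str]) -> str | None:
    """Return the user bound to the request's session cookie, if any."""
    jar = SimpleCookie()
    try:
        jar.load(headers.get("cookie", ""))
    except CookieError:  # malformed Cookie header
        return None
    morsel = jar.get("session")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def accept_handshake(raw: bytes) -> tuple[bool, str]:
    """Decide whether to complete the upgrade; returns (accepted, reason)."""
    request_line, headers = parse_handshake(raw)
    if not request_line.startswith("GET "):
        return False, "websocket handshakes must be GET"
    if not is_websocket_upgrade(headers):
        return False, "not a websocket upgrade"
    if not origin_allowed(headers):
        return False, f"origin not allowed: {headers.get('origin', '<none>')}"
    user = session_user(headers)
    if user is None:
        return False, "missing or unknown session cookie"
    return True, f"upgrade accepted for {user}"


def build_request(origin: str | None, cookie: str | None) -> bytes:
    """Build a constructed upgrade request for local testing."""
    lines = ["GET /chat HTTP/1.1", "Host: app.example.com",
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Version: 13",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    if cookie is not None:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    for origin, cookie in [("https://app.example.com", "session=tok-alice-0001"),
                           ("https://evil.example", "session=tok-alice-0001"),
                           (None, "session=tok-alice-0001"),
                           ("https://app.example.com", None)]:
        print(origin, cookie, "->", accept_handshake(build_request(origin, cookie)))
```

The order of the checks matters: the origin is verified before the cookie is even looked at, because the browser attaches the cookie automatically to a handshake opened from any site, so the cookie on its own cannot distinguish the application’s own pages from a foreign one.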

Some testing done with websockets.

By the end of the presentation, I felt more accomplished than I had in my musings many months ago. Events like this inspire confidence, and this year’s, despite the technical hurdles, was no different, if not better. I will mention that one thing I miss from years past was the lockpicking village. I hope to see a virtual equivalent for next time.

If you want to learn more and see the other talks from the event, and communities such as Interlock Rochester and the OSINTION, you can find them on the event’s website. Many of the presentations will later be available there to view as well, so feel free to check them out. http://bsidesroc.com/

If you ever had a passing curiosity about attending and supporting local IT security communities, Bsides is a great first convention experience. You can find your community’s Bsides event info at: http://www.securitybsides.com/w/page/12194156/FrontPage

Here’s to an even better Bsides ROC in 2022. Until then, stay safe.


Written by Masq31 - Benjamin Giordano

Web security blogger, Lifelong IT learner, Community first
