Report from BlueHat IL
At sepago, education and communication are deeply valued. Furthermore, with Microsoft we have a partner on our side that shares and encourages the development of these same values. That is why this month, Alexander Benoit and I were in the lucky position to visit one of the most significant cyber security conferences in our field: BlueHat IL.
BlueHat took place in Tel Aviv, and was one of the most exciting conferences I’ve ever attended – but generally any European will find that travelling to Israel is a very interesting experience, as it is a very special place.
Tel Aviv as a business location is known for its vibrant startup scene, but is also a kind of cyber security mecca: popular apps such as Waze, Viber, Outbrain and Gett are examples of the former, while Check Point, CyberArk and Minerva exemplify the latter.
Microsoft’s own Windows Defender Threat Protection team, with whom we have been working very closely since last year, also hails from Tel Aviv. Furthermore, Hexadite, one of Microsoft’s recent acquisitions, has their office here, and we eagerly await the integration of their product into the Defender ATP suite in the following months.
The history of Tel Aviv is a rather short one, spanning just over 100 years, but the city is joined by the ancient port of Jaffa in the south. Here you can clearly see how Orient and Occident meet and mingle, which becomes apparent in the city’s architecture: old markets where oriental rugs and fruits are sold stand next to both decrepit old houses and newer Bauhaus-style buildings, both overshadowed by modern high-rises. Here, old and new mix freely.
The conference itself took place in a smallish venue, considering over a thousand visitors were there. Several tents with wooden floors bordered a large hall, where the main event took place. While there wasn’t a ton of room, it was attractively decorated (in a geeky way, so geeks like us would feel welcome).
Clever little details could be found around the tent areas, with hacking challenges, arcades, pinball machines and several workshops where participants could hone their hacking skills with the aid of a Raspberry Pi (e.g. “Hack my Car” or “Boot to Root” with Kali Linux). However, the heart of every conference is obviously the sessions:
On the first day, we heard some conceptual talks about topics such as the human confirmation bias and our tendency to accept mostly views that are similar to our own. Costin Raiu came up with a gripping thriller on threat attribution: Who hacked whom, and what is the footprint or signature that a hacker left at the scene of a cybercrime? The afternoon was deeply technical, with scenarios from the perspective of hardware and software developers. One example: How does one reverse engineer a CPU? (Answer: with acid and laser beams, of course!)
While the first day was exciting and fun, the talks on the second day were a lot closer to our everyday reality. Three researchers from TU Graz who documented and demonstrated the Meltdown and Spectre vulnerabilities appeared for the “mystery keynote” of the day, and explained the vulnerabilities found in our CPUs in depth. Alongside several well-known Microsoft employees (such as Dave Weston, who showed the old and new of Windows 10 hardware security), some of the most reputable people in the cyber security space were present. Matt Graeber talked about the security (or lack thereof) of digital signatures, and Marina Simakov and Itay Grady demonstrated attacks on Active Directory by abusing insecure computer accounts. James Forshaw from Google’s Project Zero showed an exploit to execute arbitrary code on the highly-secured Windows 10 S. Despite the fact that Microsoft usually patches such vulnerabilities very quickly, the savvy of the many developers present was quite impressive.
The afternoon was somewhat of a high point for us, with the session by Vincent Le Toux and Benjamin Delpy, the developers of PingCastle and Mimikatz, respectively – the latter has been universally known for years as a standard for demonstrating post-exploitation in the Windows security scene. We love it for demonstration purposes in client or internal workshops… :)
Vincent and Benjamin showed a new module for Mimikatz, which can be used to promote any client computer in a domain to a domain controller. In a multi-domain environment, it can even abuse trust relationships to control the entire forest. This was very impressive indeed, and should give us a bit of work in the upcoming weeks, to understand how the attack works and take a look at defensive strategies.
In the end, it wasn’t just a single session, but rather the whole breadth of attacks we saw, that led to a creeping realization which we kind of already knew: EVERYTHING can be hacked. Furthermore, the sophistication of attacks never stops increasing. This means that things that could be hacked before and were made “secure” can now be attacked in a different way.
Overall, we had a terrific time at BlueHat IL and could both deepen existing relationships and make new acquaintances with some of the leading people in this industry, which was a huge gift.
Israel is a unique place for the cyber security business, and I could see us visiting again in the near future, to a significant extent thanks to our strong partnership with Microsoft and their Windows Defender Advanced Threat Protection team.
Find more pictures and coverage from the event on my Twitter.