Sunday, March 8, 2015

#RootedCON, Day 3: wanting more and more

All good things must come to an end, and RootedCON is one of these cases. We arrive to the last date of this masterly security event, giving the most out of itself one year more. It's been a triumphal ending for this edition, with some of the most expected talks. Did you miss them? Don't worry. CIGTR tells you. Let's go!

Third and last date for this Rooted started with @tarlogic Miguel Tarasco's talk, who appealed for developers community: not every single attack targets final user, and in fact it will be neither first nor last time that some Internet-extracted code has embedded "presents", allowing third parties to install a shell in a developing device with used IDE permissions.
From Miguel to Pablo Casáis (@pcasais), a new recruit for Rooted speakers cast, who recited its work at invest banking. Casáis spoke at length on poor security in trading systems focused to investment Tier1 and Tier2, used routinely for this kind of transactions, without direct touch to the rest of the world, developed by third parties and moving everyday millions and millions of euros/dollars.

@Layakk's boys (David Pérez and José Picó), never disappoint. For this ocassion, they were keeping a surprise, the explanation of one of their latest works: a WiFi pentesting where the victim should not at all get notice. The best way they found these two researchers was to put a motorbike abroad the business, with an 'ad hoc' WiFi monitoring testing inside a backpack, and remote controlled via servos. Yes, pure wardriving!

DIY simulator and physical pentesting
It was time for Hugo Teso (@hteso), the researcher that last year revolutioned Internet showing a PoC of hacking commercial flying systems. Everyone was expecting something similar, and he gave to the audience even one better thing. Teso announced that this talk will be the last one about this issue, and because of that, he is releasing all of its work during last 7 years. Now is the time for the community: how to code our own flying simulator, how to audit it, how to exploit it and hoy to post-exploit it, with the objective of giving information to so hermetic as airlines industry.

After midday rest, Eduardo Arriols (@_hykeos) showed how with little money, previous study and a lot of social engineering, everyone can access business facilites protected by physical security measures. Neither proximity sensors, nor thermic ones, nor lasers, nor cameras, nor guards... can resist physical penetration work from this researcher. The best of the story? For his tests, Arriols have been using equipments accesible by anyone at sports or neighborhood stores.

Chema Alonso (@chemaalonso) is a regular speaker at events like this. He talked this time about Path5, one of the tools developed into his company ElevenPaths, used to make researches related to malware evolutions at Android markets. The joint of Path5 and Sinfonier, two projects from Spanish Grupo Telefónica, give as a result one OSINT tool that has allowed to find and shut down malware distributed netbots, fake developers (devolopment accounts farms that release different apps with same malware), and mutant apps (legitimate apps that somehow are sold to a less scrupulous third party).

Raúl Siles (@RaulSiles) is determined to time travel. His previous paper treated about freezing iOS (Apple) devices updates. This time, he talked the same thing... on Android, getting advantage of Google Play functionality that allows any developer to release stepwise updates. And finally, we arrive last talk by Adrián Villa (@AdriVillaB), who brought to light some vulnerabilities at VOD servers, which should allow an attacker to extract DRM-protected content, ie create its own videoclub.

As you can see, all of them are questions that will make people sit up and take notice. RootedCON, or 'The Rooted', ends for this year. Its job is to plant a seed. Now, time to rest, stand ideas, and recharge to start the week wanting to hack the system, in the best sense of the term.

You may also like:
#RootedCON, Day 2: PoC earthquake
#RootedCON, Day 1: The show begins!


Post a Comment