Feeds

'We have your water supply, and printers' – Brumcon report

All purely in the interests of science, of course...

  • alert
  • submit to reddit

3 Big data security analytics techniques

Brumcon this year was held at the Brittania hotel in Birmingham, the agenda was as varied as one can expect when h4xors, Phreeks, geeks and assorted wannabes get together to discuss the interweb thing and how abusing computers is more phun than abusing yourself, writes Arthur Barnes.

The whole thing kicked off with a demonstration of phone tapping, there was of course a lab set up at the Brittania so no animals were harmed during the course of the film and no laws were broken. The demonstration included a variety of tips, hints and tricks for the amateur interceptor.

After a beer break, we gathered together to discuss the merits of various encrypted file systems under Linux. The consensus reached was that the free stuff was difficult to use and we should all go down the Stego route if we were going to keep "the man" away from our porn, mp3s and tools.

Things started to get a little more interesting when semi sober we reconvened to investigate the security surrounding the UKs water management system. The talk was titled "how safe is a glass of water." It was a detailed breakdown of the RF systems that are used by water management authorities in the UK and how these systems can be abused, interfered with and generally messed.

The live demonstration included how to monitor the un-encrypted water management systems and create a denial of service attack. It was also made clear that additional communication channels using dial up connections would kick in automatically in the event of such an attack.

Moving on Alex Delarge gave an amusing and informative presentation around more traditional h4xor themes. This included the unveiling of a tool that if released out to the wider community would cause hilarity and consternation in equal amounts - more on that later.

The first component of Al's discussion focused on Cisco's access control system and offered those present a detailed "how to" on defeating this product. The methodology outlined used a privilege escalation on the current version, but the older version of Cisco's product used a simple obvious compromise that showed a remarkable lack of consideration for security by the global leader in networking tin.

We moved on to a demonstration of HP printer security (or lack thereof). There are of course already tools in the public domain that take advantage of known vulns in the PJL implementation but Al has written a tool that takes these already understood issues to the next level. The tool allows a user to lock users out of the printer's console and set the default number of prints to 999: so far so dull, but unlike other tools that enable an unscrupulous user to perform this action on a printer by printer basis, this innovation allows the hacker to take control of all the printers in an organisation at once.

Al then moved on to the eeyes secure IIS product; the content of this session is largely unrepeatable due the libel laws and limitations on the use of profanity, but to sum up, "Secure IIS is not a significant barrier to the activities of those individuals with an enquiring mind and the skill to investigate the content of a webserver".

Al then interviewed a member of the London 2600 on recent legal difficulties; this led to a free flowing discussion on the CMU and its validity as a piece of legislation.

Dr K then gave an informative talk entitled "Fuck computers let's hack", which was an analysis of the methods utilised by hackers, and how these methods might be employed in a non-technological environment (politics, religion and science).

In summary a pretty good con, some of the stuff I haven't covered includes the panel at the end of the day and the great giveaways. ®

High performance access to file storage

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.