I recently attended IP EXPO 2013, the UK’s leading enterprise IT event. Held at Earls Court 2 Exhibition Centre in London, IP EXPO is an annual two-day event featuring keynote speakers such as Kevin Mitnick. I only went on the Wednesday though.
I found the event to be an interesting mix of content. Surrounding the trade show floor, there were a number of ‘theatres’ covering different areas of IT such as datacentres, virtualisation, network security etc.
Trade Show:
Microsoft brought along a ‘Replicator 2’ 3D printer which they linked up to a Kinect. They were using the Kinect (and a swivel chair!) to generate a 3D image of the upper body, then sending the file to the printer to be printed.
I thought the ‘Twitter wall’ was a cool feature.
Keynotes/Seminars:
A few of the keynotes/seminars I attended included:
Kevin Mitnick’s keynote
The ‘must-see’ keynote of the day, I only just managed to get a seat. It ended up being standing room only!
We were first shown a short ‘Italian Job’-style film/presentation which covered Kevin’s main achievements.
Kevin believes he can “hack into any network”.
His interest in hacking into things started at the age of 17 when he pulled pranks. McDonald’s drive through etc.
“Started ‘fishing’ in the 70’s”
He had a natural fascination for telephone systems and would regularly hack into friends’ home phones, once even turning a landline into a payphone!
When he was in prison, he would play pranks on the operator
Whilst some people get addicted to other things, “my addiction was hacking.”
Having experienced being on the wrong side of the law, Kevin now runs his own security consultancy company – Mitnick Security Consulting, which offers network penetration testing and other security services.
But rather than just talking about what he used to do and what he does now, Kevin gave us various live demonstrations! Using a MacBook and laptop, he setup typical scenarios. For example, when an innocent-looking Word doc (which when scanned by any anti-virus software would show as being clean) is opened, the victim’s password hash is sent to the attackers computer. This can then be used to find out the cleartext password.
Afterwards, Kevin gave out his unique business cards (which have lock-pick tools) and signed badges/books.
“An Anatomy of a Hack and Client-Side Exploitation”
This seminar was by Ian Reynolds, from MTI Technology Ltd.
Ian started off speaking about how big corporations such as Sony and Google have suffered security breaches.
Zeus Trojan
For those of you unfamiliar with the Zeus Trojan, here are a few key facts as discussed by Ian:
- Allows an attacker to gain control of the machine.
- Can be used on botnet, which can then be used for denial of service (DDoS) attacks.
- Can be used to siphon off details (such as credit card details, usernames and passwords etc.)
- Unlike many other pieces of malware, Zeus is professionally written, and comes with user manual, technical support etc.
If the attacker is hacking for financial gain, he/she can then sell the credit card details (10 credit card numbers can be sold for around $15).
Client-side exploitation
Malware called ‘droppers’, malicious URL’s. Exploits something in the web browser.
Vulnrabilities:
Facebook worm, publishing malware on facebook account
Java being updated often can cause issues. Java-based exploits are on the rise.
Zeus virus (as mentioned before)
‘Hash dump’
Web portals with back-end exploit server
Social engineering
Creating similar domain (ciscousersupport.com for example), then sending spam emails acting as Cisco.
Attackers will often pose as a job-seekers and will send in a CV. Once they get a reply, they copy the signature and use it to look as if they are from the genuine company.
Another trick used is namedropping individuals, and finding out important details. LinkedIn will often be used for this purpose, often targeting Systems Administrators, IT Managers etc.
Two types:
- ‘Spearfishing’, which targets a specific individual within an organisation.
- Bulk spam emails, which target immense amounts of people
How to prevent client-side exploits:
- Employee security training
- Keep 3rd party products updated
- Use a threat management appliance (many available)
- Malicious email detection (cloud-based)
- Firewall rules
- Minimal rights to users
- Secondary accounts for administrators
Dell
Steve Atkinson, Dell
PowerEdge VRTX
One of the key advantages of the VRTX is that it potentially doesn’t need to be situated in a datacentre.
Thin client device, connects to HDMI device
Steve also mentioned PocketCloud, which is
Access devices from anywhere
Don’t have to carry around laptop
Expanding capabilities
One-off payment of £10 for professional version. Quick setup.
“Smarter Wi-Fi for Smarter Indoor Location Based Services”
This seminar was by Bryan Hall, European Sales Director at Ruckus.
Bryan began by speaking about the origins of the company and the USP’s of their devices.
Multiple directional antennas 4,000 unique directions
By focussing the energy, this results in better coverage and signal.
Current location-based tracking systems include:
- RFID
- Wi-Fi Based
- Mobile Device Based
- Outdoor GPS
- Active Tags
Mobile based GSM is getting more popular.
Wi-Fi is becoming a great way to track devices, but how?
“We are not ‘Location Intelligent'”
Ruckus devices can generate ‘heatmap’ style diagrams which show areas which are seeing the most traffic. With permission of the people being monitored, it can even pinpoint individual employees, customers etc with permission and give their x,y,z location.
I thought the interface looked a bit like ‘Google Analytics for footfall’.
Possible uses of the system could be:
- Shops can give loyalty offers to return customers
- Allowing shops to quantify return (ROI)
- Owners of shopping centres/malls would be able to see which shops in malls are busiest, and maybe alter rent rates accordingly.
- Schools could use systems such as this in emergency situations to see if there still people inside, and if so which room they are in.
One of the key issues surrounding location-based services is privacy, so this was covered explaining what organisations need to do if they wish to use these types of services.
Looking back, I really wish I’d organised to go for both days (Wednesday & Thursday)!
IP EXPO will be moving to ExCeL London next year, and will be an even bigger event with the addition of Data Centre Expo and Enterprise Security Expo. I’m looking forward to it already!