Security Dumpster Fire — BSides RDU 2019 Review

Steve Myrick
Oct 20 · 6 min read

It’s October 18th, and while the masses of the Triangle were enjoying their fried oreos, smothered corn, and borderline deadly rides at the NC State Fair’s opening weekend, I spent it at the Carolina Theater for one of my favorite security cons — BSides RDU.

If you’re not familar with a BSides conference, the idea is pretty simple.

Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening. (www.securitybsides.com)

While my Raleigh-apologist side wishes it was still at Marbles in downtown Raleigh, the Carolina Theater is a far better venue for the con. Better parking, more space, two large theaters, and a historic setting make for an interesting venue to spend your day.

Carolina Theater, est 1923.

Getting to the venue early, I started the day off with a Rise biscuit and coffee, while the Belgian waffle and coffee food trucks were getting set up on the street just outside.

A few friends and I host the Capture The Flag competition for this, and a few more conferences through our group EverSec CTF. While registration was running and the keynote was getting started, we were setting up servers, running ethernet cables, and placing switches on tables. We even ran an AP to the theater so people could watch talks and capture flags simultaneously!

Gaffer tape is the MVP

Fun fact: we’re actually now using the networking gear from DerbyCon that their CTF runners graciously donated to our cause.

Once we were up and running, I stepped out to see my friend and coworker Ray Doyle’s talk. — What Is HTTPS, and Why Does It Matter?

Ray in his natural habitat

He emphasized the point that it’s important for you to host your site using HTTPS, even if you’re only hosting static content with no forms or sensitive data.

He taught me about an interesting attack — intercepting non-HTTPS data, changing the HTML to include embedded content linked to your Responder instance, and stealing netNTLM hashes. I’d never heard of this attack method before and look forward to trying it out in the future. For more info on this attack, check out this guide.

Check out Ray’s blog for more posts. He’s been posting weekly for years now and his blog is the inspiration for me starting mine. Seriously, he’s written about almost everything.

Back in the CTF room, we were going through our usual business of getting last minute challenges uploaded and making sure everything is up and running smoothly. Thanks to some great help from Jeff Macko, our hardware and network issues were few and far between. We’ve come a long way since the literal server fires of CarolinaCon 2017.

In an effort to encourage a bit off cross-development, we put two flags in to our scoreboard for those who could pick some locks downstairs in the lockpicking village. Oak City Locksport has been a staple in the hacker community around Raleigh and always provide a great service to our security cons.

I went down and picked some locks for myself! I’m by no means an expert, but I do enjoy getting to tinker any chance I get.

The lower level flag was this 4 digit non-ordered combo lock that’s usually used to store actual keys to other locks.

And the second level lock was any of the other locks on the table. I chose to pick this Master lock. I had no experience with this one but it only took a couple minutes of tinkering to get it to pop.

On my way out, I popped by the vintage tech museum. I did notice they had an original Nintendo DS and a second gen (I believe) iPod, which made me feel very old since they were on display as “vintage.” They had people playing OG Atari games and I think I even spotted an Apple II.

Hey, I recognize some of this!

After a bit more CTF management, I stepped back out on the balcony to see my new coworker Rebecca Deck give a speech titled Extinguishing the Vulnerability Management Dumpster Fire.

She recounted the tale of one of her previous positions where she had to manage about half a million vulnerabilities from some authenticated server scanners. She stressed the important point that, it doesn’t matter if you’re remediating incredibly sophisticated vulnerabilities if you’ve still got MS08–067 still in your network.

Who knew there was so much dumpster fire stock imagery?

We finished up the CTF about 10 minutes before the closing ceremonies. We had over 30 teams (~50 people) compete in the CTF and solve about 53% of the available flags. Lucky for us, we might be able to reuse some of the unsolved ones in the future.

Fortunately, we only had one major network outage that lasted for about 10 minutes. That’s a heck of a better uptime than our past performance. (Again, shout out to Jeff.)

We had an amazing trophy donated by one of our community friends JoyKil — a light up dumpster fire! She even learned how to make graffiti tags just for this project!

Isn’t this cool? Just look at that little book inside.

At closing ceremonies, I presented our top 3 teams — Cos1ne, NotBob, and a146 with our top prizes. We had our friends over at eLearnSecurity and SANS donate:

  1. eLearnSecurity Penetration Testing Student Elite Course and Certification
  2. eLearnSecurity Penetration Testing Professional Elite Course and Certification
  3. 4 month voucher for SANS NetWars

We really appreciate our corporate partners who are willing to donate prizes for our competition. It definitely means a lot to all of us.

Our community members and sponsors make this whole thing possible, without the hours of work that they put in and the money provided by our corporate sponsors, this wouldn’t be possible.

Thank you all!

BSides is one of the biggest highlights of my year in the security community. It reminds me every time that we have a fantastic group of likeminded individuals, passionate about what they do and enthusiastic to share their knowledge with others. I’m very proud to be a part of this community and have nothing but the upmost respect for everyone who puts their time in to making this happen.

Also, I’d like to shout out my company Avalara for not only giving me the time off to attend the conference, but also for sponsoring the conference financially. It makes me proud that we put the effort in to not only bolserting our own security, but supporting the security community.

Co-branded!

Next up, I’ll be posting a write up for the challenges I made for the EverSec CTF. Stay tuned!

Steve Myrick

Written by

Yet another infosec wannabe. CTF’s, Red Teaming, Pentesting, and other content marginally more interesting than my Twitter feed.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade