Black Alps 2017 Wrap Up

Black Alps 2017 was an inaugural Cyber Security Conference held last November 13 at Y-Parc, Yverdon-les-Bains, Switzerland. With support from previous cyber security events, such as CyberSec Conference and Application Security Forum – Western Switzerland, there is no doubt that Black Alps 2017 is headed for success. The conference lasted for two days, and aimed to discuss the latest threats, mitigations, and advances in cybersecurity.

We at Fortinet were proud to be a Platinum Sponsor of this event, providing one of the most interactive conference badges, which does not simply aim to promote but also to challenge participants to hack and then learn from that experience.

The conference scheduled a great line up of speakers and presentations, workshops, and divided talks to “Attack” track and “Lessons learned” track. Here are some interesting topics discussed during the conference.

Security at Snap

It was a pleasure listening to the keynote delivered by Jad Boutros, the CSO of Snapchat. Leading security for one of the most popular social media applications today, he shared the challenges and lessons learned from being the first security engineer of the company.

He specifically mentioned three security challenges of young companies, which are: patching, handling user credentials, and ubiquitous access. As a young company, the main goal is to produce a working product. While patching is a good practice, it can also raise problems of compatibility and dependencies. As the company grows, this problem is compounded by the increase in the number of employees, as well as the acquisition of other companies. These and similar events raise issues and challenges on handling user credentials and its privileges.   

It took them a while to build a mature security program, which is particularly true at rapidly-growing companies that are innovating. As a rule of thumb at Snap, they have decided that their security workforce should comprise at least 10% of engineering.

This was a great talk overall, especially for startup companies that need to have security in mind whie developing their product.

Exploiting Hash Collisions

In the first quarter of 2017, Google’s research had a break through when they were able to produce two different documents with the same SHA-1 hash signature to prove that it is weak and can’t be trusted.

As malware researchers, the first thing we were interested in was an “in-the-wild” attack that took advantage of this SHA-1 hash collision.  However, there were only public reports of past attacks on an MD5 hash collision from Flame malware, and crypto collision used to hijack Windows update. We expect that with the increasing power of computers today, only time will tell when we will see an actual attack exploiting the SHA-1 hash collision.

In this talk, the speaker shared details on the steps it took to create the first SHA-1 hash collision,­­ including practical POCs. The POCs presented were crafted PDF files essentially containing a large JPEG, and the hash collision was focused on that image data. With the tools and POCs readily available, it is now trivial for anyone to alter PDFs, webpages, and other certain documents, and still keep the same SHA-1 value.

You can find out more from the presentation and slides.

Locky Ransomware

We were lucky enough to be able to share our ongoing research and latest findings around the Locky Ransomware. The timing for this presentation was great since Locky had just recently became active again in spreading by massive spam campaigns. The presentation included details of the Locky timeline, technical analysis, configuration extraction, and an analysis of the Spam campaign behind it. If you are interested in this topic, you can check out the details from our slides.

In all, it was a great experience for us to join this cyber security conference, to share our research, and meet with other security experts in the field. If you are interested on other topics that weren’t mentioned in this review, you can check out the Black Alps official page and twitter page for a full listing of talks, as well as updates on the presentations recorded during the conference.

-= FortiGuard Lion Team =-