Last week was the week of the last ever Symposium on Security for Asia Network (SyScan) conference in Singapore.
Well known for being unafraid to court controversy, SyScan had become something of a legend in vulnerability research circles. This year was no exception with a very public reaction to Blue Coat’s alleged bullying of Airbus researcher Raphael Rigo’s Proxy SG internals talk. But between the talks, the whiskey and an amazing badge there were plenty of other things happening worth talking about.
The first thing I noticed on registration was the amazing badge – an ARM-based system with a joystick and LCD included challenges and games to keep the audience busy. While I enjoyed the implementation of Conway’s Game of Life, I have to say I gave up at level two, unlike part-Finn part-machine hacker @miaubiz who stomped through the challenges, even finding easter eggs on the way.
The first day of the conference opened up with some cracking talks, perhaps the stand-out talk of the morning being Google Project Zero’s James Forshaw and his talk on attacking Windows via Symbolic Links. Symbolic Links are effectively shortcuts to files, but when used to create shortcuts to other Windows objects, can be abused to elevate a user’s privileges to the unrestricted SYSTEM level.
The aforementioned pressured researcher Raphael Rigo followed Forshaw with a well structured talk on secure encrypted hard drive design. Down in the weeds? Definitely. But worthwhile watching? Absolutely.
After a break for lunch, Saumil Shah showed the audience how to use pictures to compromise web browsers. By embedding malicious code in different files in a way reminiscent of Ange Albertini’s Corkami project and some of Joxean Koreat’s research into attacking email anti-virus solutions, Saumil showed attendees how to abuse browser-viewable file formats and HTML elements to compromise various systems. This tallied up extremely well with his bug hunting course delivered earlier in the week.
Later in the afternoon Jacob Torrey presented his HARES (Hardened Anti-Reverse Engineering System) project, which was as welcome to reverse engineers as Nigel Farage at an asylum seeker’s fundraiser. Using a combination of CPU-level encryption and a low level technique known as TLB-splitting, HARES’ goal was to make disassembly far more difficult for engineers to obtain, a crucial part in both exploit development and in developing your own modifications to hardware and software.
As if day one wasn’t controversial enough with the Blue Coat furore, day two brought in Stefan Esser, best known for his work on iOS jailbreaks and PHP security. Starting off by blaming Apple squarely for perpetuating state sponsored malware by not fixing vulnerabilities in iOS, Esser then proceeded to lay into Chinese jailbreak groups who offer money in exchange for vulnerabilities so that they can get Chinese users to use their alternative app stores.
Esser exposed the marketplace for buying jailbreak exploits and the tactics and techniques used, including accusing the Pangu jailbreak team of offering $100,000 for code that could be used in a jailbreak, with a chat screenshot showing the offer.
As if bashing iOS wasn’t enough, that afternoon Pedro Vilaça regaled the audience with tales of bugs that had been fixed on iOS but not on OSX, including many privilege escalation vulnerabilities affecting OSX right up to Yosemite, as well as remote vulnerabilities that could be triggered simply by visiting the wrong website.
If anything, the takeaway from Esser and Vilaça’s talks was that Apple’s product security management is reactive at best, and OSX still remains what several of the attendees referred to as, “a total rootfest”.
One of the things SyScan is known for is its alcohol-fuelled lightning talks round, Whiskeycon. Perhaps the biggest highlight of Whiskeycon was Liam’s groundbreaking five minute one whiskey-shot analysis of APT. Talking about a serious threat that affects all of us using computers on a regular basis, his piece on Anterior Pelvic Tilt had the audience in stitches.
Overall SyScan was a fantastic event and will be sorely missed, even without the controversy caused during its long and varied history. It will be interesting to see what, if anything, comes next for Asian conferences.
Steve Lord is a co-founder of 44CON and technical director of Mandalorian