Disobey 2024

Pasi Orovuo, Security Specialist, Solita

Published 06 Mar 2024

Reading time 6 min

Finland’s most significant annual cybersecurity event and the industry’s most important networking event, Disobey 2024, was held on February 16-17 at the Cable Factory in Helsinki. The event was organised for the 7th time and, as always, the arrangements and performers were of very high quality. There were over 200 applications for speaker slots, and many cybersecurity professionals were left without a ticket because the event sold out in a couple of minutes.

The event consists of presentations, workshops, and a CTF challenge, typical of cybersecurity events, in which various technical and other problems are solved. In addition, there are stands where cybersecurity operators present their products and services. The scale of the event is evidenced by the fact that there were over 1800 visitors, and the arrangements were handled by a team of over 100 volunteers.

We participated in the event too. Iiro Uusitalo, our Senior Security Consultant, has been part of the event’s CTF team for a long time. Satu Korhonen, Solita’s Machine Learning Engineer, was in the speaker lineup with her presentation on GenAI cybersecurity and MLSecOps. Below is a summary of a few highlights.


Hardware hacking all the things, on a budget – You can do it too!

Tomi Koski provided tips and tricks based on his extensive experience in hardware hacking. Hardware hacking may be intimidating, but there are good resources available to get started, and ultimately the barrier to entry is not that high. There is a lot of solid equipment available at a relatively cheap price. The biggest investment really is time (and space to store all the h/w).

Beyond code security: How CSPM can help to secure your cloud and avoid configuration disasters

Mikael Nilsson talked about processes, practices and solutions for cloud security posture management. His thoughts were interesting, and the gist was that while AppSec has developed by leaps and bounds, cloud misconfigurations are still a significant factor in breaches. While there are good tools for CSPM, the tooling is only part of the equation. It’s the people, practices, KPIs etc. that complete the circle. This is an area where Solita has done interesting work. Our CloudBlox MSP contains components that enable and empower development teams to monitor and manage cloud security posture in an agile and flexible manner.

I like to MOVEit MOVEit

Juho Jauhiainen talked about the CL0P ransomware group and their exploitation of a MOVEit zero-day. Juho’s grim message was that everything will be hacked, and you should invest in having controls and monitoring in place.

Securing GenAI? How far will DevSecOps take you and how to go further?

The number of GenAI and machine learning talks was surprisingly low at the event. However, Solita’s Satu Korhonen talked about taking the best from DevSecOps and augmenting it with MLSecOps to keep pace with the threats of the new landscape.

Purple teaming in action: Beyond the hype

Tuomo Makkonen demystified the hype around purple teaming with clear and practical real-world examples. The iterative and open approach used in purple teaming can benefit defenders in a more tangible manner than red teaming. For example, purple teaming allows much wider attack path exploration than red teaming, where the goal is fixed at the end and all activities build towards achieving it. Purple teaming is an exercise aiming to build and increase the capabilities of the defenders, and therefore it’s suitable for organisations of varying maturity levels. The future is in the cloud, and cloud purple teaming is one of the key areas of development. Our team agrees with this vision and has experience conducting purple team exercises in the cloud.

Weaponising plain text: ANSI escape sequences as a forensic nightmare

Stök presented his research on ANSI escape sequences in his unique and entertaining style. The key point was that viewing logs using standard Unix tools such as `cat`, `grep`, `awk` etc. can have unexpected and dire consequences: the terminal interprets escape sequences embedded in the log data, so an attacker-controlled log line can colour, hide, or overwrite what the analyst sees. In a way, it’s surprising that there are significant issues in an area that has been around for such a long time.
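As an added illustration of the problem (my own example, not code from Stök’s talk), the following Python scans constructed log lines for escape sequences, classifies them by what they can do to the terminal, and renders them visibly so they are never interpreted:

```python
import re

# Constructed sample log lines (not from the talk): one clean line, one with
# colour codes, one that moves the cursor back and erases the line to overwrite
# what the viewer sees, and one carrying an OSC 8 terminal hyperlink.
SAMPLE_LOGS = [
    "2024-02-16T10:00:01Z sshd[1] Accepted publickey for alice from 10.0.0.5",
    "2024-02-16T10:00:02Z app[7] \x1b[31mERROR\x1b[0m payment failed",
    "2024-02-16T10:00:03Z sshd[1] Failed password for root\x1b[1000D\x1b[2KAccepted password for root",
    "2024-02-16T10:00:04Z app[7] see \x1b]8;;https://example.invalid/x\x1b\\docs\x1b]8;;\x1b\\ for details",
]

# ESC followed by a CSI sequence, an OSC string (ended by BEL or ST),
# a DCS/SOS/PM/APC string (ended by ST), or a single-character escape.
ANSI_RE = re.compile(
    r"\x1b(?:"
    r"\[[0-?]*[ -/]*[@-~]"             # CSI: parameters, intermediates, final byte
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC ... BEL or ESC \
    r"|[PX^_][^\x1b]*\x1b\\"           # DCS/SOS/PM/APC ... ESC \
    r"|[@-_]"                          # lone two-byte escapes
    r")"
)

def classify(seq: str) -> str:
    """Coarse risk category of one escape sequence."""
    body = seq[1:]
    if body.startswith("["):
        final = body[-1]
        if final == "m":
            return "style"             # colour/bold: cosmetic only
        if final in "ABCDEFGHJKdG":
            return "cursor_or_erase"   # can hide or overwrite on-screen text
        return "csi_other"
    if body.startswith("]"):
        return "osc"                   # window title, hyperlinks, clipboard (OSC 52)
    return "other"

def scan_line(line: str):
    """Return [(sequence, category), ...] for every escape found in a line."""
    return [(m.group(0), classify(m.group(0))) for m in ANSI_RE.finditer(line)]

def risky_lines(lines):
    """Indices of lines containing anything beyond plain colour codes."""
    return [i for i, l in enumerate(lines) if any(c != "style" for _, c in scan_line(l))]

def sanitize(line: str) -> str:
    """Show ESC and BEL as literal text so the terminal never interprets them."""
    return line.replace("\x1b", "\\x1b").replace("\x07", "\\x07")
```

Piping logs through `sanitize` (or `cat -v`) before viewing turns the overwrite trick in the third sample line into visible `\x1b[1000D\x1b[2K` text rather than a rewritten history.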

Creating monsters

Joona Hoikkala discussed developing and maintaining open-source solutions. His take was that providing a popular solution pro bono carries an unexpected burden and cost. People’s expectations of open-source tools are hard to manage, and it’s close to impossible to avoid issues and conflicts. Those conflicts tend to have an impact on the life of the maintainer and main developer. On a positive note, Joona was willing to mentor the development of an audience member’s OSS solution, so he hasn’t lost all hope.

Smoke and mirrors: How to hide in Microsoft Azure

Christian Philipov and Aled Mehta have identified certain use cases in which Azure fails to log activity, contrary to expectations. They introduced ways in which attackers could hide within the legitimate activity of certain services. While cloud platforms enable visibility with a much lower barrier to entry than traditional solutions, none of them come without effort, and there might still be gaps.

Circling dragons: Red team lessons from modern breaches

Jason Lang talked about his experience as a red teamer. One of his points was that "sophisticated" is an overused term, which Juho Jauhiainen also mentioned in his presentation. Many of the significant recent hacks haven’t required a high level of sophistication, and the reason for this is that the level of observability isn’t as robust as it should be. Also, true APT simulation requires huge amounts of time – something APTs have when they have a target and a goal. As a Finn, it was a bit of a surprise that the most effective stage 0 attack is a phone call – who uses a phone for calling anymore?

Breaking badly: Domains, callbacks, tokens and exploits

Jarkko Vesiluoma presented an interesting case study of an exploit where an old and forgotten service enabled him to own the infrastructure of a company. Mistakes were made, assets weren’t retired properly, and development services were able to access the production environment. A combination of those mistakes enabled him to escalate to remote code execution in the production environment.

Hacking around with satellite, aerospace, avionics, maritime, and drones: Crashing/exploiting at the speed of SDR

Andrei Costin introduced satellite and navigation solutions and their security (or lack thereof). It’s a complex landscape where updates might be extremely difficult, and thus patching is close to impossible.

Zero trust – dope or nope?

Sami Laiho gave his take on zero trust. It’s a worthwhile goal and approach, but it’s also misunderstood in a way. Zero trust is not a technology that you implement and off you go, but more of a philosophy, for which the technology has been around for a long time. While it’s not easy to implement, there are significant gains to be had, not only in terms of security but also in overall performance and cost savings in maintenance.

Identifying cross-account attack paths in AWS environments at scale

Aleksi Kallio presented a new tool in development at WithSecure. It maps IAM role trust relationships and presents them in a graph view. The graph shows the paths a potential attacker could take to pivot between accounts and roles. While the best option is to avoid chainable roles to the extent possible, the second-best thing is to be able to map and document the paths properly. The tool also has great potential for further development: it could include `iam:PassRole` permissions, which allow a principal to launch services under other roles, and identify roles that increase the permissions of the user.
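To make the idea concrete, here is an added sketch of my own (not WithSecure’s tool) that parses constructed trust policies for placeholder account ids, builds the principal-to-role trust graph, and walks it for paths that cross an account boundary:

```python
from collections import defaultdict

# Constructed trust policies (AssumeRolePolicyDocument) for three roles in two
# placeholder accounts; not real data. A dev account user can assume DevDeploy,
# which the prod account's ProdReadOnly trusts, which ProdAdmin in turn trusts.
ROLE_TRUST_POLICIES = {
    "arn:aws:iam::111111111111:role/DevDeploy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:user/dev-alice"}}]},
    "arn:aws:iam::222222222222:role/ProdReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/DevDeploy"]}}]},
    "arn:aws:iam::222222222222:role/ProdAdmin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/ProdReadOnly"}}]},
}

def account_of(arn: str) -> str:
    # arn:partition:service:region:account-id:resource ; "*" has no account
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else "*"

def build_trust_graph(policies):
    """Edge principal -> role for each Allow statement granting sts:AssumeRole.
    Simplification: Deny statements and Condition blocks are not evaluated, so
    the graph over-approximates (every edge must be confirmed by hand)."""
    graph = defaultdict(set)
    for role_arn, doc in policies.items():
        for st in doc["Statement"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if st["Effect"] != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
                continue
            principals = st.get("Principal", {}).get("AWS", [])
            for p in ([principals] if isinstance(principals, str) else principals):
                graph[p].add(role_arn)
    return graph

def cross_account_paths(graph, start):
    """Every simple path from `start` ending in a role outside start's account."""
    found = []
    def walk(node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt in path:              # trust cycles are legal; do not loop
                continue
            new_path = path + [nxt]
            if account_of(nxt) != account_of(start):
                found.append(new_path)
            walk(nxt, new_path)
    walk(start, [start])
    return found
```

Feeding it `iam:ListRoles` output instead of the constructed dictionary gives the same graph for a real set of accounts; each path it reports is a candidate to document, or to break by tightening the trust policy.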

All your frontend belongs to us – Crawling through JavaScript using AST’s

Matias Huhta presented a tool he is developing that enables the user to map potentially uncalled API endpoints from the source code of a JavaScript application. Traditional ways of identifying endpoints are monitoring the application’s requests and running content discovery against the endpoints. Matias’ method, however, reveals endpoints that may have been retired or otherwise abandoned and are still present in the source code but no longer called. We are eagerly awaiting the release of his solution.

Exploring generative AI’s threat to social justice and democracy

Maria Bique and Dimitri aka d4e5 presented a dystopian vision of a future of uncontrolled AI use.
