BSides Newcastle 2025: Mission to Cyberspace
BSides Newcastle is probably one of the most anarchic of the BSides I’ve been to so far. So much so that the fascists organised a protest. Well, not really, but there was a far-right protest and a counter-protest not far from where the conference was. Thankfully, the organisers were on top of it and kept us all up-to-date with advice: “Punch Nazis” (for the benefit of the tape, nobody endorsed violence).
Aaanyway, aside from a really early start I was ready to dive in and hope to share some of the experiences with you.
Yes, I needed more coffee! But, no time, Dave dusted off his astronomy degree to give us a whistlestop tour of satellite communication. Putting on my most Nimoy-Spock face, it was fascinating to learn that a lot of the satellite comms can be listened to with Software Defined Radio (SDR), that drug smugglers have learned how to relay messages via satellites, and that it’s possible to patch Voyager 1 yourself as its signals have no encryption - you do need a very powerful dish array though.
Also interesting was the fact that GPS has an epoch. The last time it happened was in 2019, causing some parking meters to fail. GPS time is pretty weird. Anyway, the next time it’ll happen is 2038. Now why does this date seem familiar?
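The GPS “epoch” Dave described is the 10-bit week counter in the legacy navigation message wrapping back to zero every 1024 weeks. The script below is an added illustration (my own, not from the talk): it derives the rollover dates from the 1980 epoch and shows how a receiver that pins its date to an old firmware build silently decodes a 2019 fix as 1999, which is the parking-meter failure mode. The pivot-date disambiguation is a common receiver approach and is assumed here, not taken from any particular product.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # start of GPS week 0
WEEK_MODULUS = 1024            # legacy nav message carries a 10-bit week number


def gps_week(d: date) -> int:
    """Full, unambiguous week count since the GPS epoch."""
    return (d - GPS_EPOCH).days // 7


def week_to_date(week: int) -> date:
    """First day (a Sunday) of a full GPS week."""
    return GPS_EPOCH + timedelta(weeks=week)


def broadcast_week(d: date) -> int:
    """The 10-bit value actually transmitted: wraps to 0 every 1024 weeks."""
    return gps_week(d) % WEEK_MODULUS


def rollover_dates(count: int) -> list:
    """Calendar dates on which the 10-bit week counter wraps to zero."""
    return [week_to_date(WEEK_MODULUS * n) for n in range(1, count + 1)]


def resolve_week(week10: int, pivot: date) -> date:
    """Disambiguate a 10-bit week the way a receiver typically does: assume
    the true date is no earlier than `pivot` (e.g. the firmware build date).
    This is correct for less than 1024 weeks after the pivot; beyond that
    the receiver lands a whole 1024-week cycle in the past."""
    base = gps_week(pivot)
    full = base - base % WEEK_MODULUS + week10
    if full < base:
        full += WEEK_MODULUS
    return week_to_date(full)


if __name__ == "__main__":
    print("rollovers:", [d.isoformat() for d in rollover_dates(3)])
    fix = week_to_date(2048)            # the April 2019 rollover day
    wk = broadcast_week(fix)            # transmitted value is 0 again
    # Firmware pinned to the 1999 rollover mis-decodes 2019 as 1999.
    print("stale pivot :", resolve_week(wk, week_to_date(1024)))
    # Firmware built in 2010 still has headroom and gets it right.
    print("recent pivot:", resolve_week(wk, date(2010, 1, 1)))
```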
Top Secret
I really enjoyed the Top Secret talk. But obviously can’t talk about it.
Beware of Insiders
The next talk was by Donna about insider threats. There are a lot of myths about them, which usually fall into one of these categories:
- won’t happen to me
- it’s a tech problem
- we can’t do anything about it due to privacy
I think that talk was rather timely, especially against the background of this BBC Story about a BBC tech reporter being offered lots of money to give up credentials. Looking at a lot of the attacks in the news recently (JLR, Harrods, M&S) the weak point is all too often unwitting insiders.
The solution is refreshingly simple: treat your staff well. A pissed-off employee might be persuaded to sell credentials. An overworked call centre agent might reset a password. And an unfairly laid-off employee might still have access to systems.
Supply Chain Perfect Storm
Then I couldn’t help nodding along to Jerry’s talk about the CVE Crisis:
There’s a real risk that due to “the political situation” over in the US that the NVD will no longer be able to score CVEs. And that is a problem. Presently, NVD can deal with about 80 CVEs a day. But 130 new ones are added every day. Something has to give.
And before you say AI - it’s not good enough. Experiments so far have shown that it can be about 90% accurate in a best-case scenario. But for CVSS scoring that’s not sufficient. I’m actually relieved that AI isn’t being stuffed down the NVD’s throat here.
Jerry hopes that when he comes back to Newcastle next year, he’ll have some better news. CISA and ENISA are looking to fill the void, but that in itself risks fracturing the ecosystem. Imagine a situation where the EU, US and Indian vulnerability registers are all independent. We’ll have to look at each and every one of them, aggregate and prioritise. Of course, big vendors will provide solutions, but what about open-source projects or smaller companies? Will they be left out in the cold?
Sounds like a headache to me and I really appreciate the work he’s doing in that area.
The Death of Learning
The munchnote came from Christine who talked about the possible impact of using GenAI on our ability to think.
And thinking caps were definitely required! We covered how the earliest “technology makes us stupid” can be tracked back to Socrates and Plato, how biological and artificial neural networks (BNN and ANN) are similar but completely different and how “it’s the plasticity, stupid” (channelling my inner Bill Clinton there).
If we delegate thinking to an LLM, then the problem isn’t that we don’t get the right answer, but that we will lose our ability to learn. Learning isn’t just about learning content, it’s about practicing learning.
Or put in another way “it’s not the destination that counts, it’s the journey”.
Lots to think about - and no, I won’t just ask ChatGPT…
Operational Technology Hacking
The next talk I attended was from Liam about Operational Technology. These are the bits that open doors, build cars, operate on people, etc. So when pentesting this kind of thing, there’s a real risk that shit will hit the fan.
I loved Liam’s golden rule of OT testing:
This is quite important when a simple portscan can bring down infrastructure. Often the only way of pentesting is to create simulation rigs and test in the cloud.
I did have to chuckle about his example about robotic arms being controlled by files being uploaded to an FTP server. So not that different to legacy IT, then…
Scam, scam, scam
I quite enjoyed Clive’s talk about Money Laundering. I do wish I had an edit button on BlueSky though where I misnamed him Chris (sorry). Mind you, the title of the talk was a bit misleading because he didn’t teach us about how to launder money, which was both disappointing and reassuring.
I did like his incident maps about the root causes of being scammed. Porn or friends from the internet is an unsurprisingly common factor:
His top tips:
- “Different phones for fun and profit”
- “Adopt an elderly person”
Me!
Then it was my go. I gave a live demo with LLMs and ZAP and OpenAPI. Read more here. It was really good fun, the network didn’t play up too much and there were tons of questions and great feedback.
Just do the fucking basics
After that, there was a great locknote by Kat about cloud security.
The grand majority of cloud breaches happen due to misconfigurations - and due to the usual suspects:
There were some great stories about using cloud misconfigurations to DNS-poison an AI start-up and MitM the prompts and change them.
Top tip: as a customer never start a pentest engagement with “we’re sure you won’t find anything”. That’s just one step down from proclaiming someone is “unhackable”.
To finish
It was a great BSides! I loved the vibe and the content of the talks. I missed out on lots of interesting talks, and never got to the lockpicking, nor the battlebots, nor the CTF. I came away buzzing and full of thoughts.
Congrats!