Daily Archives: January 6, 2019

Cyber Security Conferences to Attend in 2019

A list of Cyber and Information Security conferences to consider attending in 2019. Conference are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but to network with industry leading security professionals and likeminded enthusiasts, to share ideas, expand your own knowledge, and even to make good friends.

JANUARY 2019

SANS Cyber Threat Intelligence Summit
Monday 21st & Tuesday 22nd January 2019
Renaissance Arlington Capital View Hotel, VA, USA
https://www.sans.org/event/cyber-threat-intelligence-summit-2018


AppSec California 2019 (OWASP)
Tuesday 22nd & Wednesday 23rd January 2019
Annenberg Community Beach House, Santa Monica, USA
https://2019.appseccalifornia.org/


PCI London
Thursday 24th January 2019
Park Plaza Victoria Hotel, London, UK
https://akjassociates.com/event/pcilondon

The Future of Cyber Security Manchester
Thursday 24th January 2019
Bridgewater Hall, Manchester, UK
https://cybermanchester.events/

BSides Leeds
Friday 25th January 2019
Cloth Hall Court, Leeds, UK
FEBRUARY 2019
Cyber Security for Industrial Control Systems

Thursday 7th & Friday 8th February 2019
Savoy Place, London, UK
https://events.theiet.org/cyber-ics/index.cfm

NOORD InfoSec Dialogue UK
Tuesday 26th & Wednesday 27th February 2019
The Bull-Gerrards Cross, Buckinghamshire, UK

MARCH 2019
RSA Conference
Monday 4th to Friday 8th March 2019
At Moscone Center, San Francisco, USA
https://www.rsaconference.com/events/us19

17th Annual e-Crime & Cybersecurity Congress
Tuesday 5th & Wednesday 6th March 2019
Park Plaza Victoria

Security & Counter Terror Expo
Tuesday 5th & Wednesday 6th March 2019
Olympia, London, UK
https://www.counterterrorexpo.com/


ISF UK Spring Conference
Wednesday 6th & Thursday 7th March 2019
Regent Park, London, UK
https://www.securityforum.org/events/chapter-meetings/uk-spring-conference-london/


BSidesSF
Sunday 3rd and Monday 4th March 2019
City View at Metreon, San Francisco, USA
https://bsidessf.org/

Cloud and Cyber Security Expo
Tuesday 12th to Wednesday 13 March 2019
At ExCel, London, UK
https://www.cloudsecurityexpo.com/

APRIL 2019

(ISC)2 Secure Summit EMEA
Monday 15th & Tuesday 16th April 2019
World Forum, The Hague, Netherlands
https://web.cvent.com/event/df893e22-97be-4b33-8d9e-63dadf28e58c/summary

Cyber Security Manchester
Wednesday 3rd & Thursday 4th April 2019
Manchester Central, Manchester, UK
https://cybermanchester.events/

BSides Scotland 2019
Tuesday 23rd April 2019
Royal College of Physicians, Edinburgh, UK
https://www.contextis.com/en/events/bsides-scotland-2019


CyberUK 2019
Wednesday 24th & Thursday 25th April 2019
Scottish Event Campus, Glasgow, UK
https://www.ncsc.gov.uk/information/cyberuk-2019

Cyber Security & Cloud Expo Global 2019
Thursday 25th and Friday 29th April 2019
Olympia, London, UK
https://www.cybersecuritycloudexpo.com/global/


JUNE 2019
Infosecurity Europe 2019
Tuesday 4th to Thursday 6th June 2019
Where Olympia, London, UK
https://www.infosecurityeurope.com/

BSides London

Thursday 6th June 2019
ILEC Conference Centre, London, UK
https://www.securitybsides.org.uk/

Blockchain International Show
Thursday 6th and Friday 7th June 2019
ExCel Exhibition & Conference Centre, London, UK
https://bisshow.com/

Hack in Paris 2019
Sunday 16th to Friday 20th June 2019
Maison de la Chimie, Paris, France
https://hackinparis.com/

UK CISO Executive Summit
Wednesday 19th June 2019
Hilton Park Lane, London, UK
https://www.evanta.com/ciso/summits/uk#overview

Cyber Security & Cloud Expo Europe 2019
Thursday 19th and Friday 20th June 2019
RIA, Amsterdam, Netherlands
https://cybersecuritycloudexpo.com/europe/

Gartner Security and Risk Management Summit
Monday 17th to Thursday 20th June 2019
National Harbor, MD, USA
https://www.gartner.com/en/conferences/na/security-risk-management-us

European Maritime Cyber Risk Management Summit
Tuesday 25th June 2019
Norton Rose Fulbright, London, UK


AUGUST 2019
Black Hat USA
Saturday 3rd to Thursday 8th August 2019
Mandalay Bay, Las Vegas, NV, USA
https://www.blackhat.com/upcoming.html

DEF CON 27

Thursday 8th to Sunday 11th August 2019
Paris, Ballys & Planet Hollywood, Las Vegas, NV, USA
https://www.defcon.org/


SEPTEMBER 2019
44Con
Wednesday 11th to Friday 13th September 2019
ILEC Conference Centre, London, UK
https://44con.com/

2019 PCI SSC North America Community Meeting
Tuesday 17th to Thursday 19th September 2019
Vancouver, BC, Canada
https://www.pcisecuritystandards.org/about_us/events

OCTOBER 2019

Hacker Halted
Thursday 10th & Friday 11th October 2019
Atlanta, Georgia, USA
https://www.hackerhalted.com/

BruCON
Thursday 10th & Friday 11th October 2019
Aula, Gent, Belgium
https://www.brucon.org/2019/

EuroCACS/CSX (ISACA) 2019

Wednesday 16th to Friday 19th October 2019
Palexpo Convention Centre, Geneva, Switzerland
https://conferences.isaca.org/euro-cacs-csx-2019

6th Annual Industrial Control Cyber Security Europe Conference
Tuesday 29th and Wednesday 30th October 2019
Copthorne Tara, Kensington, London, UK
https://www.cybersenate.com/new-events/2018/11/13/6th-annual-industrial-control-cyber-security-europe-conference

2019 PCI SSC Europe Community Meeting

Tuesday 22nd to Thursday 24th October 2019
Dublin, Ireland
https://www.pcisecuritystandards.org/about_us/events

ISF 30th Annual World Congress
Saturday 26th to Tuesday 29th October 2019
Convention Centre Dublin, Dublin, Ireland



NOVEMBER 2019
Cyber Security & Could Expo North America 2019
Wednesday 13th and Thursday 14th November 2019
Santa Clara Convention Centre, Silicon Valley, USA
https://www.cybersecuritycloudexpo.com/northamerica/

DevSecCon London 
Thursday 14th & Friday 15th November 2019
CodeNode, London, UK


Cyber Security Summit 2019
Wednesday 20th November 2019
QEII Centre, London, UK
https://cybersecuritysummit.co.uk/

2019 PCI SSC Asia-Pacific Community Meeting 

Wednesday 20th and Thursday 21st November 2019
Melbourne, Australia
https://www.pcisecuritystandards.org/about_us/events

DeepSec
Thursday 20th to Saturday 30th November 2019
The Imperial Riding School Vienna, Austria
https://deepsec.net/

Post in the comments about any cyber & information security themed conferences or events you recommend.

Kubernetes: open etcd

Quick post on Kubernetes and open etcd (port 2379)

"etcd is a distributed key-value store. In fact, etcd is the primary datastore of Kubernetes; storing and replicating all Kubernetes cluster state. As a critical component of a Kubernetes cluster having a reliable automated approach to its configuration and management is imperative."

-from: https://coreos.com/blog/introducing-the-etcd-operator.html 

What this means in english is that etcd stores the current state of the Kubernetes cluster usually including the kubernetes tokens and passwords.  If you check out the following references you can get a sense for the pain level that could potentially be involved. At minimum you can get network info or running pods and at best credentials.

refs: 
https://techbeacon.com/hackers-guide-kubernetes-security 
https://elweb.co/the-security-footgun-in-etcd/
https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/

the second link talks extensively around types of info the found when they hit all the shodan endpoints for 2379 and did some analysis on the results.

If you manage to find open etcd the easiest way to check for creds is to just do a curl request for:

GET http://ip_address:2379/v2/keys/?recursive=true

Example Loot - 

Usually it's boring stuff like this:



But occasionally you'll get more interesting things like:



or more fun things like kublet tokens:




Kubernetes: kube-hunter.py etcd


I mentioned in the master post one a few auditing tools that exist. Kube-Hunter is one that is pretty ok.  You can use this to quickly scan for multiple kubernetes issues.


Example run:
$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning      (scans one or more specific IPs or DNS names)
2. Subnet scanning      (scans subnets on all local network interfaces)
3. IP range scanning    (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
|   type: open service
|   service: Etcd
|_  host: 1.2.3.4:2379
|
| Etcd Remote version disclosure:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote version disclosure might give an
|_    attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Etcd is accessible using HTTP (without
|     authorization and authentication), it would allow a
|     potential attacker to
|     gain access to
|_    the etcd
|
| Etcd Remote Read Access Event:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote read access might expose to an
|_    attacker cluster's possible exploits, secrets and more.

----------

Nodes
+-------------+----------------+
| TYPE        | LOCATION       |
+-------------+----------------+
| Node/Master | 1.2.3.4        |
+-------------+----------------+

Detected Services
+---------+---------------------+----------------------+
| SERVICE | LOCATION            | DESCRIPTION          |
+---------+---------------------+----------------------+
| Etcd    | 1.2.3.4:2379        | Etcd is a DB that    |
|         |                     | stores cluster's     |
|         |                     | data, it contains    |
|         |                     | configuration and    |
|         |                     | current state        |
|         |                     | information, and     |
|         |                     | might contain        |
|         |                     | secrets              |
+---------+---------------------+----------------------+

Vulnerabilities
+--------------+------------------+----------------------+---------------------+--------------------------+
| LOCATION     | CATEGORY         | VULNERABILITY        | DESCRIPTION         | EVIDENCE                 |
+--------------+------------------+----------------------+---------------------+--------------------------+
| 1.2.3.4:2379 | Unauthenticated  | Etcd is accessible   | Etcd is accessible  | {"etcdserver":"3.3.9     |
|              | Access           | using insecure       | using HTTP (without | ","etcdcluster":"3.3     |
|              |                  | connection (HTTP)    | authorization and   | ...                      |
|              |                  |                      | authentication), it |                          |
|              |                  |                      | would allow a       |                          |
|              |                  |                      | potential attacker  |                          |
|              |                  |                      | to                  |                          |
|              |                  |                      |     gain access to  |                          |
|              |                  |                      | the etcd            |                          |
+---------------------+----------------------+----------------------+----------------------+--------------+
| 1.2.3.4:2379 | Information      | Etcd Remote version  | Remote version      | {"etcdserver":"3.3.9     |
|              | Disclosure       | disclosure           | disclosure might    | ","etcdcluster":"3.3     |
|              |                  |                      | give an attacker a  | ...                      |
|              |                  |                      | valuable data to    |                          |
|              |                  |                      | attack a cluster    |                          |
+---------------------+----------------------+----------------------+----------------------+--------------+
| 1.2.3.4:2379 | Access Risk      | Etcd Remote Read     | Remote read access  | {"action":"get","nod     |
|              |                  | Access Event         | might expose to an  | e":{"dir":true,"node     |
|              |                  |                      | attacker cluster's  | ...                      |
|              |                  |                      | possible exploits,  |                          |
|              |                  |                      | secrets and more.   |                          |
+--------------+------------------+----------------------+---------------------+--------------------------+

Kubernetes: cAdvisor

"cAdvisor (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers."

runs on port 4194

Links:
https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/
https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/

What do you get?

information disclosure about metrics of the containers.

Example request to hit the API and dump data:

http://1.2.3.4:4194/api/v2.0/spec?recursive=true

Screenshots