Being from the Louisville metro area (and recently having moved back with my family), Derbycon is one of the highlights of my year. The general conference ran from Friday, October 5th, to Sunday, October 7th, at a brand new location, the Louisville Downtown Marriott! Every previous year, the neighboring Hyatt has hosted it, but the move meant a bigger venue with more rooms for all the activities. Despite the extra space, the Derbycon team decided not to significantly increase the number of tickets sold, in order to keep the smaller, more familial feel. I really like this about Derbycon, and the crammed, chaotic atmosphere is one of the reasons I haven’t been to DEFCON yet…though I think I’m going to finally make myself go to it next year, just to get one under my belt.
For only about a grand more than a con ticket, you have the opportunity to sign up for one of several excellent training courses that run on the Wednesday and Thursday before the conference. And trust me, $1000 might sound like a lot, but this is a steal compared to what you’ll pay for courses like this at SANS or Blackhat. Last year, I took @FuzzyNop’s Modern Red Team Immersion Bootcamp, which was very heavily focused on open-source intelligence (OSINT) gathering, selecting good spear phishing targets, and crafting convincing phishes. This year, I went towards the more technical side of red teaming with Silent Break’s Dark Side Ops 2: Adversary Simulation.
I just returned from NCC Group’s internal North American conference, a nice respite from the cold East Coast to sunny San Diego. I’m a remote employee, so it’s always a blast getting to hang out with my New York office coworkers and seeing awesome presentations from colleagues from across the country. One of the highlights was the mini-CTF put on by Sid Adukia and Dean Jerkovich.
This CTF consisted of an iOS app bundle compiled to run on the iOS Simulator, so it could run on any Mac with Xcode and did not require a jailbroken device. I’ve been doing iOS application pentests for years and it was really cool to see a CTF challenge using this! This is the first one I’ve seen since DVIA came out years ago.
Perhaps the biggest challenge was the fact that this was a Simulator app. Had it been an ARM-compiled iOS app that I could put on a jailbroken device, I would’ve solved a lot of these challenges in a few minutes. Most of my time was spent googling for how to do stuff like dump the keychain or hook methods on the Simulator instead of on a jailbroken device.
I’ve been worried recently about just what the future of iOS security is going to look like. It seems we’ve been thrown a few bones in the last month, with Project Zero’s Ian Beer recently publishing the “tfp0” vulnerability and Jonathan Levin publishing LiberiOS, the first jailbreak for versions of iOS 11. But fewer and fewer people are publicly releasing jailbreaks. I don’t blame them either. Due to the enormous sums being offered by exploit brokers, many would argue you’re a moron for giving away million-dollar exploits for free. Someday soon, those of us in iOS security testing might be forced to have our clients compile x86 versions of their apps for us and run them all in the iOS Simulator. The good news is that a surprising number of the same tools and techniques you would normally use on a jailbroken device will also work with a Simulator app on macOS! Some things don’t, but if you’ve ever chased the latest jailbreak and found that half the stuff on Cydia doesn’t yet work for your version of iOS, then you’re already used to life on the bleeding edge.