OFFZone 2023 event report and interview with hacker Caster
I’ll start again, not according to tradition, with activities. There were a lot of them, both quite suitable for the word “lounge”, and those where you had to think about it. For winning in activities you can get some kind of merch. They themselves had a conventional orientation related to information security, but were more entertaining. Everyone who participated in the activities automatically participated in the end-to-end OFFZONE quest that went through all the activities. For participation in them, visitors at the stands were awarded points in the form of chips called OFFCOIN. I may not remember all the activities, but I will try to cover more.
Perhaps the most difficult activity for me is the Cube. In one of the pavilions there was a cube in the design of the SCP universe. On the OFFZONE website, the Cube page was also designed in this style. It had to be hacked to find out all the secrets.
Well, since there is a reference to SCP, the description of the Cube is also in the style of this universe. There is an “object” with known characteristics, places where it was found, and reports of observations and studies. Anyone who took a laptop with them could take part in the “study of the object.” Unlike other stands, Cube’s was free.
And yes, there were a lot of people at the stands all two days, and until the evening. I don’t like queues, so I just watched from the sidelines. Moreover, being in line, it was possible not to get to the reports.
Let’s get back to the activities: at the Security Vision stand we had to solve IT and information security problems. They were of varying degrees of difficulty.
Then I headed to the Kaspersky Lab stand. Their activity was called “Mission Midori White Hat”. The participant’s task is to test the city’s infrastructure for stability and identify all possible vulnerabilities. Somewhat reminiscent of Standoff from PT, but in a smaller version.
After Kaspersky Lab, I went to the GARDA company stand. There was Cyberduel. As part of the duel, it was necessary to protect the cyberverse from threats.
Like previous festivals, this one had a craft zone. Traditionally, in this area one could work independently, exchange experiences with colleagues, or learn how to hold a soldering iron, solder simple things, find out why flux is needed and what solder is. Just like last time, in the crafting zone you could solder an addon and attach it to a badge. Speaking of them, this time the badges were unique again; on our website we have a review of the badge from the previous OFFZone. In addition to self-creation, addons were passed off as activities at stands. The badge was also made in the form of the same Cube, the SCP “object”.
Next to the crafting area there was a Cyberdom stand. There were no special activities here (just a few tasks to fill out a booklet), but there was a samovar and alcoholic drinks for visitors.
After the Cyberdom stand, I went to another pavilion with several stands from different companies. There were two slot machines. To play them you needed special tokens. They had to be received at the BI.ZONE company stand for subscribing to their social networks. As I said, there were two machine guns. The first is a machine with soft toys, where you need to grab the toy with a special “hand” and bring it to the hole; these used to be in various stores, and they still are. The toys in the machines were a bison and a beetle. I managed to win the beetle. The second is an automatic machine with a pneumatic device that knocks things out on a shelf. These can also be found in shops and train stations; usually they contain telephones, watches and other things. The machine at OFFZone had black ducks with the BI.ZONE logo. However, when I wanted to win the duck, they ran out.
In the same pavilion there was a stand where visitors were invited to open various locks or get out of handcuffs. Some of the locks hung on a large cube. Next to the handcuffs and locks were tables with board games.
Next in the pavilion was the game Hack in 15 minutes. As in 2022, the participant had to hack the system in 15 minutes; if he needed additional time, he had to drink a shot of an alcoholic drink every 5 minutes.
After the pavilion with the machines, I went to the TATTOO.ZONE pavilion. As one might understand, tattoo artists were located here. In exchange for the festival currency (OFFCOIN), you could get a tattoo of your choice. It was also possible to get a tattoo cheaper, but chosen at random. To do this, you had to turn a special selection wheel. And yes, for a printed OFFZone logo you could get a lifetime pass to the festival and local currency. The stand of the publication “Hacker” was located in the same pavilion.
The next place I went to was the GAME.ZONE pavilion. Here you can get local currency for winning one of the tournaments on consoles. There were 3 consoles in total: PS4, PS5 and Game Stick. The competitions were in the fighting games Mortal Kombat, Tekken), the Hot Wheels racing simulator and the restaurant cooking simulator Overcooked. We have listed the most global and interesting activities of the conference.
Then I went to the pavilion with stands of Sberbank, Sovcombank Technologies, League of Digital Economy, Start X, Tinkoff, SWORDFISH SECURITY (I may have forgotten someone, I apologize). A quiz with answers was held at the Digital Economy League stand, and at the Sovcombank Technologies stand it was possible to register for the CTF. At the stands of other companies there were also activities, but very local ones – quick tasks and quests in various areas within IT and information security, system hacking.
Well, the last pavilion is the roof, on which the Positive Technologies company is located. Here you could smoke a hookah and play poker at the IB casino. Moreover, like in a casino, there was a croupier and you could play with other players.
Even before going through all the activities, I attended a press conference dedicated to the BI.ZONE Bug Bounty. I don’t see any point in retelling it, because I interviewed the owner of the platform, Andrey Levkin. Therefore, how the platform has changed over the year can be read in a separate article.
Well, let’s move on to the lectures. Unfortunately, this time I couldn’t get to them at all. As with PHD, some of the lectures were very crowded and it was difficult to get through. In 2023, some of the reports were not narrowly focused, but rather had a general orientation (popularization) of information security. I hope they will be posted, because there were no plans to broadcast the lectures. However, I managed to catch the hacker Caster on OFFZone and ask him a couple of questions. He just gave a lecture about his original research on MikroTik equipment. Well, here’s the interview itself:
Tell us a little about yourself.
I am a researcher and engineer in the field of network security, I’m releasing publications in the Offensive and Defensive genres under the “Nightmare” franchise.
Can you be called a “white hat” (ethical hacker)?
No, since this is actually the profession of a pentester, which I am not.
I think the “title” of a hacker is assigned to you by the information security community; I can’t call myself a hacker.
Is your activity more financial or creative in nature?
“Caster” is my alter ego through which I present my research. This is purely creativity.
I release my work inspired by music tracks, which provide me with a basis for writing research.
What is your specialty? Why her?
My specialization is network security and network engineering.
My main phase of development in the field of IT began at the age of 16 and precisely with network equipment, because then I entered college in the CCA direction, and there was a huge amount of network equipment at hand, which attracted me with its complexity and mechanics of work.
I would call myself a person who likes lower layers such as the link and network layers.
At OFFZONE you presented your original research on MikroTik equipment, tell us about it in general terms? Is this a separate study, or is it part of a series of studies about network devices from various companies?
MikroTik equipment is extremely popular in production, and I wanted to tell the community about its safety. RouterOS has a very powerful range of functions, but it is still far from ideal and lacks quite important security mechanisms such as DAI, SAVI, RA Guard, Port Security, etc. RouterOS is good, but the developers still have some work to do.
I publish my works under the “Nightmare” franchise and the work about MikroTik equipment is not the first in this series. It all started with my Cisco Nightmare study, in which I looked at the main security flaws and how pentesters can abuse them. This franchise will continue, I’m already working on research about other vendors.
Were MikroTik devices chosen because they are widely used in our country?
In fact, I chose this topic a year and a half ago, and I worked with MikroTik equipment long enough to have the competence to write this work.
And yes, they are very popular in production networks, I hope that my work “MikroTik Nightmare” will create even more awareness in the context of the operating features of this equipment. It’s always great to write about something that is very in demand and popular.
Have you submitted your research to MikroTik?
I’ve thought about it, but not yet.
What other companies have you found vulnerabilities in their devices? Did these companies provide you with rewards for finding vulnerabilities?
I don’t really find vulnerabilities; I focus specifically on misconfigurations of network equipment that create Offensive vectors for the penetration tester. I’ve never participated in a Bug Bounty in the context of network hardware.
But in the near future I have big plans to go down a level for something called Reverse Engineering (REE), which is the area that is key to finding unusual things in equipment. I consider RE to be the pinnacle of information security.
Have you checked Russian network devices for vulnerabilities? How secure and fault-tolerant are they?
From the point of view of security research, no, but I have experience working with SNR equipment in my track record; the guys make excellent switches, which I used to carry out projects for customers when building/migrating network infrastructures.
In fact, any equipment can be under a high level of security and have fault-tolerance functions; it’s just a matter of integrating such solutions into corporate networks. It makes no difference which vendor and in which country the equipment was made. It all depends on the qualifications of the engineer and the characteristics of the network infrastructure.
I highly recommend reading his articles about MikroTik (once, two). Quite an interesting big study. By the way, this is not the last material based on the performance at OFFZone. In addition to the interview with the hacker Caster and Andrey Levkin, there will also be material about fraudulent call centers.
Summing up the festival, I would like to note the duality of the event. On the one hand, there were many interesting activities, both to think and to have fun. On the other hand, there were a lot of people. And this greatly spoiled the impression. For example, addons for badges from BI.ZONE ran out in the middle of the first day, and so did the ducks. Or already in the second half of the first day there was no place in the queue for a tattoo, and those responsible for the activity told everyone that they could get on the waiting list, but there was not much chance of getting a tattoo. Or, for example, to buy food in the food court, you had to wait in a huge line, so some guests simply ordered food delivery.
Some other visitors in the crowd complained about the topics of the reports, comparing them with past conferences. They lacked seriousness and deep immersion in the topic (“hardcore”). On the contrary, it helped me find two ideas for material.
As for the assessment of activities, opinions were divided: some of the visitors thought that narrow-profile information security activities were needed, while others, on the contrary, came to relax and chat with friends while playing light games.
The organizers said that in 2023 OFFZONE was visited by 2.5 thousand people, and there were 33 activities for visitors, plus lectures. Even taking into account two days and the fact that not all 2.5 thousand came at once, the small areas of the loft and the small number of activities could still cause negativity among people. It is possible that OFFZONE has outgrown just a small festival “for its own people” and should become a full-fledged information security festival and divide activities and lectures into popularization and specialized ones. I won’t give any advice to the organizers, these are just my thoughts. I think the organizers will decide for themselves. I hope I was able to tell you about the festival fully enough.
