The week of August 5-12 was a whirlwind of activity as thousands of cybersecurity professionals descended on Las Vegas, NV to attend the annual trifecta of conferences: BSides Las Vegas, Black Hat Briefings, and DEFCON. This was my 14th consecutive year in attendance, and I found a number of good, bad, same, and different things to report on.
There's More BSides
Let’s start with BSidesLV. This has been held at the Tuscany Suites the past few years, and it’s gotten bigger each year. You used to be able to just show up for BSides and grab a visitor badge, but no more.
Besides (haha!) being a cool/chill place to network with other infosec professionals, probably the biggest draw about BSides was that it was free. But that concept is going away next year for their 10th anniversary.
BSides sprang up as a grassroots effort by some folks who had their papers rejected from Black Hat. They decided to hold their own conference somewhat in opposition to the commercialization and vastness of Black Hat. So, it has the vibe of an edgy conference with open exchange of ideas, but just not on the scale of DEFCON.
One nice thing about BSides is that their Proving Ground track provides a forum for first-time speakers, whom they pair up with seasoned veteran speakers as mentors. This gives nervous rookies a welcoming environment in which to spread their wings. BSides also has an “Underground” track, which, much like DEFCON Sky Talks, features off-the-record discussions on subjects with no press, no recording, no streaming, and no names.
One really cool thing at BSides this year was that Jim Christy, a digital forensics and investigations (DFIR) legend who used to run the DoD Cyber Crime Center (DC3), gave a talk on how he put together an online task force to track down D.B. Cooper – the man who skyjacked a Northwest Orient flight in 1971 and somehow eluded capture for 45 years.
You can enjoy the entire playlist of streamed talks from BSidesLV here.
Hanging Out With White Hats at Black Hat
In the Mandalay Bay Events Center, Google’s self-proclaimed “Security Princess” Parisa Tabriz opened the Black Hat Briefings with a cautiously optimistic keynote in which she encouraged more ambitious, strategic, and collaborative solutions to security issues. My favorite part was when she said: “If there's one takeaway from this talk, it’s that blockchain won't solve everything!”
Tabriz exhorted the audience to tackle the root causes of security issues – not just treat the symptoms, i.e., no more whack-a-mole. One way she does this is by using the Five Whys method to explore the cause-and-effect relationships underlying particular issues.
Tabriz’s big crusade has been to get more websites using HTTPS instead of HTTP. To figure out how to move this forward, she started with a haiku poetry slam (complete with bongos) to spark ideas from her team. Then, she opened up the project to comments from the public, and “shamed” the top 100 websites that did not use HTTPS. Since July, Google has begun labeling all sites still using unencrypted HTTP as “not secure” in Chrome. Tabriz’s efforts have been successful: she said that in 2015 only 45% of all websites used HTTPS, and that number stands at 87% today.
Just as drinking Smart Water doesn’t really make you smart, we found out from Jen Savage and Daniel Crowley that Smart Cities aren’t, well, all that smart about how they do security. The researchers found some basic vulnerabilities, such as default passwords, authentication bypass, and remote code injection that could allow attackers to take over products from such IoT vendors as Libelium, Echelon, and Battelle.
It’s funny that every time there is a new “Smart” thing, we forget the lessons learned from the last thing; and in our race to get something to market, we inevitably make the same mistakes again and again. To wit: Smart Elections, Smart Cars, Smart Medical Devices, Smart Cameras, etc., etc.
In general, you can probably hack any hardware device to which you can gain physical access. You pop the cover, solder some leads onto a UART port, and drop into a root shell. But the ones that really worry me are those that can be reached remotely over the network. Savage & Crowley uncovered 17 0days – including eight deemed “critical” – and now, with Shodan, you could theoretically find hundreds of these vulnerable devices out there on the Internet.
This is all the more reason you must continuously monitor your network using a solution such as AlienVault’s USM-Anywhere and a team of trained analysts. You never know when someone is going to pop a box using one of those 0days and then start pivoting into important stuff. You would like to be able to identify, control, and contain any fallout from that.
One thing that always makes me wonder is why people don’t use two-factor authentication. Well, this talk by Indiana University's Jean Camp and Sanchari Das found that people simply aren’t educated enough and don't understand the risks of not using two-factor. I know I am constantly having to teach people this – especially in a post-mortem after a breach investigation.
In the Black Hat Business Hall, I saw a lot of the S.O.S. While many vendors touted the latest mantra of artificial intelligence/machine learning/deep learning, I would ask specific questions about their products, and many were unable to answer or demo these features.
In this realm, you have unsupervised AI/ML that’s pretty much a neural network trying to get smart by characterizing the steady-state of a system and then looking for outliers.
Ultimately, these systems are asking you to hand over monitoring of your enterprise to a bot, and I’m not ready to do that yet. As we know, it didn't turn out very well in War Games, Terminator, or The Matrix.
I think the more promising technology is probably supervised AI/ML. This is more like an expert system, in which an expert (the cybersecurity analyst) guides the system in its learning - much as you teach Pandora your likes and dislikes through thumbs up/down, and then it starts making music choices that it thinks you’ll like. They also use relationship graphs to start making connections and seeing things the analyst might not have initially picked up on. I could definitely see this kind of technology being added to traditional Security Information and Event Management (SIEM) solutions in the future to help them be a force multiplier for analysts. However, in my humble opinion, we have not yet arrived there, if this year’s Black Hat were any indication.
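To make the two analytics styles above concrete, here is a small added illustration (my own example code, not anything from the page, from AlienVault, or from any vendor on the show floor). The unsupervised half learns a per-host "steady state" of hourly failed-login counts from constructed log lines and scores the latest hour as a z-score, which stands in for the neural-network baseline the vendors describe; the supervised half is a dictionary of analyst thumbs-down verdicts that suppresses a known-benign spike, standing in for the Pandora-style feedback loop. Log lines, hosts, thresholds and the feedback entry are all constructed for the demo.

```python
import math
import re
import statistics
from collections import defaultdict

# One log line per host per hour; format is constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) count=(?P<count>\d+)$"
)

# Constructed baseline: eight quiet hours of failed-login counts for two
# hosts, plus a short flat history for a third. A real baseline would span
# days of normal traffic, not a handful of lines.
BASELINE_LOG = """\
2018-08-06T00:00:00 host=web01 event=login_failed count=3
2018-08-06T01:00:00 host=web01 event=login_failed count=2
2018-08-06T02:00:00 host=web01 event=login_failed count=4
2018-08-06T03:00:00 host=web01 event=login_failed count=3
2018-08-06T04:00:00 host=web01 event=login_failed count=2
2018-08-06T05:00:00 host=web01 event=login_failed count=3
2018-08-06T06:00:00 host=web01 event=login_failed count=4
2018-08-06T07:00:00 host=web01 event=login_failed count=3
2018-08-06T00:00:00 host=db01 event=login_failed count=1
2018-08-06T01:00:00 host=db01 event=login_failed count=1
2018-08-06T02:00:00 host=db01 event=login_failed count=2
2018-08-06T03:00:00 host=db01 event=login_failed count=1
2018-08-06T04:00:00 host=db01 event=login_failed count=1
2018-08-06T05:00:00 host=db01 event=login_failed count=1
2018-08-06T06:00:00 host=db01 event=login_failed count=2
2018-08-06T07:00:00 host=db01 event=login_failed count=1
2018-08-06T00:00:00 host=web02 event=login_failed count=1
2018-08-06T01:00:00 host=web02 event=login_failed count=1
2018-08-06T02:00:00 host=web02 event=login_failed count=1
"""

# Constructed "latest hour": web01 and db01 spike, web02 stays flat, and
# app01 has no history at all (an edge case the scorer must tolerate).
NEW_LOG = """\
2018-08-06T08:00:00 host=web01 event=login_failed count=40
2018-08-06T08:00:00 host=db01 event=login_failed count=12
2018-08-06T08:00:00 host=web02 event=login_failed count=1
2018-08-06T08:00:00 host=app01 event=login_failed count=5
"""

# Supervised layer (constructed): an analyst gave a thumbs-down to db01's
# login_failed spikes after tracing them to a scheduled backup job's retries.
ANALYST_FEEDBACK = {("db01", "login_failed"): "benign"}


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"],
            "event": m["event"], "count": int(m["count"])}


def build_baseline(text):
    """Unsupervised step 1: collect the observed history per (host, event)."""
    history = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            history[(rec["host"], rec["event"])].append(rec["count"])
    return history


def zscore(value, history):
    """How many standard deviations `value` sits from the steady state.
    A perfectly flat history has zero spread, so any deviation is infinite."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if sd == 0:
        return 0.0 if value == mean else math.inf
    return (value - mean) / sd


def score_events(baseline_text, new_text, threshold=3.0):
    """Unsupervised step 2: flag new observations that are outliers."""
    history = build_baseline(baseline_text)
    alerts = []
    for line in new_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["event"])
        if key not in history:
            continue  # no steady state learned yet, so nothing to compare
        z = zscore(rec["count"], history[key])
        if z > threshold:
            alerts.append({"host": rec["host"], "event": rec["event"],
                           "count": rec["count"], "z": round(z, 1)})
    return alerts


def apply_feedback(alerts, feedback):
    """Supervised step: drop outliers an analyst has already judged benign."""
    return [a for a in alerts
            if feedback.get((a["host"], a["event"])) != "benign"]


if __name__ == "__main__":
    raw = score_events(BASELINE_LOG, NEW_LOG)
    print("unsupervised outliers:", raw)
    print("after analyst feedback:", apply_feedback(raw, ANALYST_FEEDBACK))
```

The point the toy makes is the one in the text: the unsupervised pass alone surfaces both spikes and would page someone about db01 every night, while the analyst's verdict is what turns the detector into a force multiplier rather than a noise source. Note also the two cases the scorer has to handle deliberately: a host with no history cannot be scored at all, and a host with a perfectly flat history makes any change look infinitely anomalous, which is exactly the kind of brittleness you should probe for when a vendor demos "AI" on the show floor.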
DEFCON: Dystopia's Edge
Okay, well maybe that whole theme was a little over the top. Then again, when you think about the pervasive surveillance, government control, and propaganda out there, it does seem sometimes like we’re on the edge of Orwell’s 1984.
But there is a counter-future. DEFCON is a celebration of people whose technical understanding and passions will (hopefully) keep us from falling into that dystopian future. If “they” try to subjugate us by algorithm, a researcher will just hack that algorithm and subvert it to free the people. If “they” try to fake us out with one source, our universal, interconnected access to information will allow us to find numerous other sources and viewpoints to counter the misinformation.
So, besides hanging out with colleagues and enjoying adult beverages, this free exchange of ideas is the hallmark of DEFCON. It’s still anonymous – entry is cash-only at the door. I thought DEFCON did a lot better at not just being “linecon” this year. It only took 15 minutes or so to get my badge, and things didn't seem as stiflingly overcrowded as they were at DEFCON 25. So, it made me wonder: were there actually fewer people at DEFCON this year, or did the organizers do a better job with the logistics and just spread everything out a little more? I note that they were still selling excess badges at the end of DEFCON this year. I don’t think that’s ever happened before. They always seem to run out by Day 2.
Unfortunately, I didn’t get to stay the weekend and lose in the finals of Hacker Jeopardy! as I do every year, because I had to catch a redeye back for a wedding. But here were a few highlights I noted:
- I guess HP’s new bug bounty program is paying off, as researchers discovered a number of remote code execution flaws in HP printers – including the HP Deskjet, HP Officejet, HP DesignJet, and HP Photosmart. Dang, I think I might have one of those at home. I’d better go patch it ASAP. Here are the CVEs: CVE-2018-5925 and CVE-2018-5924. I’m also going to tell our pen-test team to try those out. We just love printers!
- Fake news is so 2017. Now, people are trying to change perception in science via fake journals and conferences. This talk especially drew my interest, as I have been adjunct professor teaching cyber courses at University of South Florida since 2000. What I found especially hilarious is that they used the MIT Paper Generator to produce a paper that was accepted to a journal. What is the motivation for these shenanigans? Money, I suppose. But in the case of the fake conferences and papers sponsored by Philip Morris and AstraZeneca – well, also money.
- As usual, I only went to about three talks – I typically wait for the videos to show up online – but I went to every village and played in a couple of contests. I couldn’t hang out in the biohacking village, because I actually had inside knowledge about a couple of the devices they had there. The Social Engineering CTF is always fun to watch, as they vish their way to prizes. It seems that the lady social engineers are especially good at this. When a guy picks up the phone and hears a female voice treating him nicely, he immediately turns to jelly and tells her whatever she wants to know.
The past few years, I said, “Never again” after Hacker Summer Camp. But then, I ended up going anyway. Maybe it’s the overcrowding at the conferences, or maybe it’s just being in Vegas for nearly a week – that can be rough on anyone. This year, however, I actually left with a good taste in my mouth. I saw all of my friends at AlienVault and heard about the exciting times ahead with AT&T. I talked to the product folks and got a wee glimpse into the future. Maybe, just maybe, it’s not a dystopian future to which we are headed, but a positive one with hope and optimism. As Princess Tabriz said in her Black Hat keynote, we need to celebrate when we achieve a milestone, no matter how small, and keep pressing forward.