This talk was well prepared but not as dynamic and entertaining as the Schuyler Towne talk (fortunately I attended the Towne talk first and they had coffee by now). It had a lot of buzzwordology and business clichés in it, but I mean that in a good way. Knowing business-speak is unfortunately a cost of doing business, so it was grating but valuable to attend this talk. He spoke of how security is typically a bolt-on or an afterthought and really needs to be thought of as part of the core business plan. What often happens is that some application that is going to generate $20 million in revenue gets audited, is found to be full of security holes, and that justifies $750,000 to harden it up. It usually takes those big-money projects to drive the security side of things. He also spoke of the plight of the CSO or pen tester: they are implicitly to blame if any compromise happens, but it is actually under pressure from the project manager that products ship despite the warnings of the pen testers or the CSO. So he recommends requiring the project manager to sign a document absolving the CSO or pen tester(s) of responsibility if he/she intends to ship a product against a recommendation to the contrary. He also recommends schmoozing the legal counsel, as that gives political leverage in these situations.
Summary: this speaker is giving very good advice to CSOs and pen testers which, if they heed it, will create a climate in which vulnerability scanners should become more popular.
The title actually says most of it. SMS is used because it makes the botnet easy to conceal. Malware on phones often announces its presence by draining the battery; piggybacking the command-and-control traffic onto SMS messages solves that. SMS is also fault tolerant: the protocol itself stores and resends a message if it is not acknowledged, so it extends to the attacker the courtesy of persistently delivering the commands to their destination. The balance of the talk covered the technical details of what an SMS message looks like on the wire and how you craft the attack.
Summary: this talk provided good general security knowledge. I'm not sure if we (NTO) will ever scan smartphones. That is an interesting business prospect though… I have never heard of a smartphone app scanner, one targeted specifically at phone apps.
Pr0n being a fanciful distortion of "porn"… itself a fanciful name for any data you value and might want to hide. The speakers started by noting several stupid ways to hide data (hidden files, deep directories, etc.) then got down to the good ways… encryption being step one. In the current political climate (terrorism etc.), there is a law under which the mere presence of encryption is itself suspicious, i.e. one can be prosecuted for refusing to supply credentials to an investigator under certain circumstances. So in addition to encryption, one must establish "plausible deniability." That is, hide the data and leave no traces that suggest its presence anywhere on any computer you are afraid might be searched. Steganography is the proffered solution to this. Steganography is concealing data in some differently-purposed file. For example, take an image stored losslessly, such as a PNG, and use the least significant bit of each pixel sample (before encoding) to hold the data. Since in any photographic data those bits are quite plausibly noise, they can be used to store data. The lossless part matters: a lossy format such as JPEG throws away exactly those low-order bits on recompression, which destroys the hidden payload. At a previous Defcon, someone spoke of using whitespace in HTML source to store attack data. That speaker did not call it steganography and the purpose was attack, not solely concealment, but conceptually it is basically the same thing. So, encrypt the files, stego them into image files or whatever, then store the stegoed files in the cloud. Obviously, this is the ultra-paranoid extreme, but of course that's what security is about. The speakers mentioned that Al Qaeda were communicating data to their operatives by stegoing it into pornographic images posted on Usenet.
My reactions: this talk inflamed my anti-establishment and paranoid sentiments. Specifically, I wonder what happens when encrypted bank info, encrypted personal info, any info that a private citizen might want to encrypt for quite valid reasons (identity theft etc.) can be acquired by legal machinations claiming to be concerned about terrorism, child porn, etc. Terrorism and child porn are such high fear provokers that any hint of either is so provocative that their definitions can be, and have been, stretched to rather dubious extremes. So I'm not rushing to stego all my data, but I am concerned that authorities are being granted purview over information beyond their ability to wield such power responsibly. But that Al Qaeda stuff is rather unsettling as well. So I fear both the terrorists who are called terrorists and the terrorists who work for the government. I also think this talk may prove to have some direct relevance to our product. We might want to write a stego detector module… more for the concealing-attacks-in-webpages variety than the stashing-data-in-images variety, although the latter could have assessment relevance as well.
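The LSB technique described above, and the detector idea from the reactions, as an added example written for this post (not code from the talk, the speakers, or NTO). It assumes the cover image is the decoded pixel buffer of a lossless image handed in as one byte per sample; the gradient cover and the SHA-256 keystream standing in for ciphertext are constructed stand-ins, not real data. The detector is the pairs-of-values chi-square statistic: overwriting LSBs with random-looking bits pushes the counts of each value pair (2k, 2k+1) towards equality, which a plain LSB plane from a photograph does not do.

```python
"""LSB steganography over raw 8-bit samples, plus the chi-square check that
detects it.  Added example; not code from the talk or from NTO."""
import hashlib
import struct

HEADER_BYTES = 4  # 32-bit big-endian payload length, stored first


def capacity_bytes(samples: bytes) -> int:
    """Payload bytes that fit in the LSB plane after the length header."""
    return len(samples) // 8 - HEADER_BYTES


def embed(samples: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of consecutive samples with the
    bits of (length || payload), MSB first within each byte."""
    if len(payload) > capacity_bytes(samples):
        raise ValueError("payload exceeds cover capacity")
    framed = struct.pack(">I", len(payload)) + payload
    out = bytearray(samples)
    i = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_bytes(samples: bytes, offset_bits: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[offset_bits + 8 * b + k] & 1)
        out.append(value)
    return bytes(out)


def extract(samples: bytes) -> bytes:
    """Inverse of embed.  A length field larger than the cover can hold means
    the LSB plane is not ours (or was damaged by lossy re-encoding)."""
    (length,) = struct.unpack(">I", _read_bytes(samples, 0, HEADER_BYTES))
    if length > capacity_bytes(samples):
        raise ValueError("length field exceeds cover capacity")
    return _read_bytes(samples, 8 * HEADER_BYTES, length)


def chi_square_pov(samples: bytes) -> float:
    """Pairs-of-values statistic.  LSB embedding of random-looking data
    equalises the counts of each pair (2k, 2k+1), so the statistic collapses
    on a stego image.  Lower is more suspicious; compare against unmodified
    covers from the same camera/source rather than a fixed threshold."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    chi = 0.0
    for k in range(128):
        total = counts[2 * k] + counts[2 * k + 1]
        if total == 0:
            continue
        expected = total / 2
        chi += (counts[2 * k] - expected) ** 2 / expected
        chi += (counts[2 * k + 1] - expected) ** 2 / expected
    return chi


def make_cover(width: int = 64, height: int = 64, channels: int = 3) -> bytes:
    """Constructed cover: a smooth gradient whose samples are all even, which
    exaggerates the before/after contrast.  A real photo has noisy LSBs and
    a smaller, but still measurable, drop."""
    return bytes(
        ((x + y + 7 * c) % 128) * 2
        for y in range(height) for x in range(width) for c in range(channels)
    )


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes: a constructed stand-in for the
    ciphertext you would actually embed (encrypt first, then stego)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def demo() -> dict:
    """Fill a cover to capacity, check the roundtrip, and compare the
    detector statistic before and after embedding."""
    cover = make_cover()
    payload = keystream(b"demo", capacity_bytes(cover))
    stego = embed(cover, payload)
    return {
        "roundtrip": extract(stego) == payload,
        "chi_cover": chi_square_pov(cover),
        "chi_stego": chi_square_pov(stego),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical notes: the length header is itself a signature (32 mostly-zero bits at a fixed offset), which is why real tools spread the payload with a keyed permutation rather than writing it sequentially; and the chi-square check only fires when the payload is random-looking and fills a sizeable fraction of the samples, so a short plaintext message in a large photo will slip past it.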
Conference: B-Sides Las Vegas
Title: Cultural Cues from High Risk Professions
Speaker: Gal Shpantzer
In this B-Sides LV talk, Gal Shpantzer employed the Swiss cheese model of catastrophe as a parallel for the information security industry. The model was originally developed by James Reason of the University of Manchester and Dante Orlandella, and used to analyze the causes of systemic failures in aviation, engineering and healthcare. The model likens organizational problems to Swiss cheese, where each problem can be viewed as a hole in a slice. The layers in the systems and processes are designed to catch mistakes before they become catastrophic. But if the holes in each layer align, serious problems can result, much like a hole going all the way through the block of cheese.
For example, Korean Air at one point in time had 17 times as many catastrophic incidents per million miles as United Airlines. Investigation revealed that it came down to differences in processes and protocols. At Korean Air, as also discussed in depth in the context of cultural influence in Malcolm Gladwell's book Outliers, there was an atmosphere of over-deference in the cockpit where one does not question the captain. At United Airlines, by contrast, volunteering information, seizing the controls under emergency circumstances, etc. were incorporated into the official cockpit protocols: the captain was the authority but could be questioned. And it wasn't just Korean Air where this happened. There were other airlines headquartered in countries where respect for authority is deeply ingrained in the culture, such as Colombia.
In the info security space, Gal Shpantzer proposed protocols where there is responsibility but people are not afraid of (i.e. penalized for) volunteering information. Pain and hostility shut people down and lead to holes in the Swiss cheese. In the medical profession, it was found that the more expert the physician, the more likely that physician was to miss simple things like administering aspirin before/after operations to reduce the probability of cardiac problems.
Summary: I find little to disagree with. This is one of those common-sense, obvious-when-you-hear-it talks that is nonetheless worth mentioning because when you don't hear it, it tends not to get done. No product ideas, but good general security philosophy.
Title: History of Physical Security
Speaker: Schuyler Towne
This was a great entertaining talk. This guy enters my pantheon along with Joseph McCray (conspicuous in his absence this year) as a must-attend for entertainment and information.
This talk was about the history of lock technology from roughly the year 1500 onwards. Actually he did mention ancient Egypt, but mostly ~1500 onwards. Up to a point, locks were "security by obscurity": once you knew how the lock worked, it was easily defeated.
Then in England someone invented a lock more along the lines of a modern lock, with tumblers and whatnot that demand a specific key to open it, where knowing the design doesn't help you because you still need the specific key. These of course are also defeatable, but the security-by-obscurity approaches were as trivial as: if you knew where to poke a stick into the lock, you could open it. There was then a long period in which there was no advance in physical security. People got smug or didn't want to be told that their locks were insecure, and this created a climate which stifled advancement.
Advances then resumed around the end of the 1800s. The summary of this talk and its relevance to our business is: this is another "metaphor" talk. It is about physical locks, but security by obscurity and its weaknesses are quite relevant to information security as well.
Any Schuyler Towne talk is highly relevant to any software engineer at a vulnerability assessment company, particularly if they are out of coffee (as they were when I attended the talk), because he wakes you up and entertains you and gives you a bit of cognitive momentum that you can carry forward into the next boring-but-informative talk and thereby get more information out of it.
The NTO team had a great time at Black Hat, B-Sides and Defcon this year. This blog post is the first in a series where we share some of our favorite talks.
The first talk we attended at B-Sides Las Vegas was Tim Keanini's (CTO at Ncircle Network Security Inc.) presentation on how we can use metaphors like John Boyd's OODA loop for attack/defense and general predator/prey theory to better understand how hackers work. Keanini used nature as a metaphor for attack/defense.
On the internet, the victim of an attack generally cannot attack back, so the natural analogue is prey species that make it as expensive as possible to be attacked. Predators can forage, which is expensive for the predator, so the predator must do an economic calculation weighing the energy spent attacking against the energy gained by eating the prey. In the old days, this described the internet: attackers foraged for servers to attack. The other approach is ambush, and that is a better description of today: the server hosts the attack and waits for the victim to come to it. The speaker also touched on the idea of "nuke and pave." This is where it is less expensive to simply toss the computer, format the hard drive, etc. than to pay a security professional to sort out a hacked box.
This talk was interesting and quite worth attending. It was a general security philosophy talk as opposed to a nuts-and-bolts how-to talk, and it is good to toss one of those in here and there to break up the thickness of the "here is how you hack something" talks. Another metaphor in IT is that of virus-driven evolution. That is, most if not all the species on this planet owe their evolution to viruses providing the impetus for improvement. And of course we implicitly acknowledge this metaphor in the IT space by calling it "a computer virus." See Schuyler Towne's B-Sides physical security talk for more of that sort of thinking (though in the physical security space).
After 5 years, I have finally added a contributing writer to the blog. MJ Power (aka Mike Morton) is a good friend and fellow founder of NTO. Mr. Power and I created NTOSpider together, with me leading the vision and him being the real C++ master and architect. After 9 years of NTOSpider development, Mr. Power is ready to lend some of his experience and thoughtfulness to this blog and its readers.
His initial posts for the next few weeks will be his summary of the talks he attended during B-Sides and Defcon, so stay tuned.
Blackhat: Already kicked off and there are a number of good talks this year. I recommend the picks from Veracode for those going to Blackhat. As usual, it's unlikely that I will be attending any talks at Blackhat because I have so many meetings throughout the day.
B-Sides: Last year I kept hearing about all the great discussions going on at the mansion, and was very bummed that I didn't get time over there.
This year I decided that NTO needed to help out in any way it could, so we are sponsoring breakfast and co-sponsoring lunch on Thursday. If you're there, please say hi and toss your card in to win a cool prize. Given the size of the audience, everyone has reasonable odds of winning.
I am also planning to sit in on as many talks at B-Sides as possible. For Wednesday, track 3 looks the most interesting and fun to me, with two exceptions: the first at 1:30, where Davi's talk looks a bit more interesting than the DDoS talk in Track 3, and then again at 2:30 when Rafal Los does his talk. On Thursday it's more of a mix:
- 10:30 – Track 1 – How to Get Fired After a Security Incident
- 11:30 – Track 1 – Cyber Fast Track (how can you pass on Mudge?!)
- 12:30 – Track 1 – Long Beard’s Guide to Exploit Dev (Track 2 close 2nd place)
- 1:30 – Track 3 – Cultural Cues from High Risk Professions (curious title, possibly very interesting)
- 2:30 – Track 2 – Hacking webapps is more fun when the end result is a shell! (of course I'm going to pick a web app talk)
- 3:30 – Track 2 – Better to burn out than to fade away? (have to pick the panel, but HD Moore in track 1 is close 2nd)
- 4:30 – Track 1 – How to pass audits with non-compliant systems (Track 3 a close 2nd)
Defcon: As usual, Defcon has an interesting collection of talks, and there are plenty to look forward to. However, due to scheduling issues I have to leave on Friday night, so I won't be able to catch much of anything this year. The ones I would look for are:
- Malware Freak Show 3: They’re pwning er’body out there! (Nicholas Percoco is always interesting)
- Cellular Privacy: A Forensic Analysis of Android Network Traffic
- Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP
- Bulletproofing The Cloud: Are We Any Closer To Security?
- Tracking the Trackers: How Our Browsing History Is Leaking into the Cloud
- Don’t Fix It In Software
- Hacking Google Chrome OS
- “Whoever Fights Monsters…” Confronting Aaron Barr, Anonymous, and Ourselves
- Are You In Yet? The CISO’s View of Pentesting
- Web Application Analysis With Owasp Hatkit
If you're in town, ping me on my cell (if you have it) or send me a message on Twitter @mightyseek