LIVE FROM LAS VEGAS: the 3 biggest conferences dedicated to computer security – Black Hat USA, Def Con and BSides LV

6 August 2015 – Every year I try to schedule the trifecta in security conferences – Black Hat USA, DEF CON, and BSides LV, all overlapping this week in Las Vegas. When I cannot attend I send the data security team from our data analytics division, led by Eric De Grasse, our Chief Technology Officer.

It’s one-stop shopping, a place where every major security executive and analyst is gathered. You don’t have to travel around the globe or hunt them down on the Internet – they’re all here.

The Mobile World Congress (MWC) is still my favorite event because of the subjects covered, but in this age of seemingly “everything-is-cyber-and-IoT” the security hacker conferences have become paramount “must go” events. At MWC I learned mobile device forensics and how to “e-discover” a phone. At DEF CON and Black Hat I learned how easy it is to hack a phone.

While these conferences revolve around security topics, they cater for different target audiences. Unlike the Black Hat conference, which is hosted by a large media company (UBM Tech), DEF CON is considered a classical hacker convention. BSides Las Vegas is exactly as they advertise. It isn’t another “talk at you” conference. Everyone at BSides is a participant. In track after track, year after year, the security researchers, engineers, analysts and managers that present at BSidesLV are looking to engage participants and be engaged by them. They want your feedback, insights, opinions and questions on the latest InfoSec topics and discussions of the “Next Big Thing”.

All of these conferences are brilliant.  They are where I have made my best cyber/security/intelligence community networking contacts who I call upon all the time to assist in my work for clients, and to inform my posts.

Between them, they capture the entire gamut of hacker culture. And to give you an idea on the numbers, preliminary attendance figures indicate Black Hat has attracted upwards of 10,000 security executives, hackers, academics, and government and law enforcement staffers, while DEF CON looks to have attracted nearly 16,000 people, and BSides about 6,000.

And as Mark Ward of the BBC (who covers all manner of tech) describes them:

“Black Hat is the sensible, grown-up conference, where the clothes might be casual but the shoes are shiny. BSides is an unofficial companion conference for Black Hat and acts as a fringe event for the bigger show. Def Con is their freewheeling, raucous, free-spirited sibling. With tattoos. And a mohawk”.

The conferences always attract droves of Feds and a favorite game at both conferences every year is “Spot the Fed”. Well, except they are now pretty open because the Feds need lots of help despite the PRISM surveillance program.

And as I have noted in prior posts, the number of lawyers attending these events now has skyrocketed. While MWC has attracted more e-discovery lawyers over the past three years with e-discovery presentations first appearing two years ago, the Las Vegas conferences seem to be attracting more privacy and “cyber” lawyers trying to learn the tech behind the legal cyber issues they need to address.

For many years, Black Hat has generated pre-conference announcements that catch the media’s attention, and this year was no different. We received a detailed technical briefing on the hacking of a Jeep Grand Cherokee that was featured in Wired magazine, plus discussion of how big companies spend too little time thinking through cybersecurity implications in the product development life cycle. At DEF CON we learned if you use GPS, for targeting or driving or whatever, the Globalstar satellite network is so very easily hacked.

Oh, hell. EVERYTHING can be hacked: home security systems, sniper rifles, medical devices, toys, etc. Said one of the keynote speakers “connected devices are the low-hanging fruit, such easy, easy targets giving you access to entire networks”.

Our paying clients will get our full report next week but here are a few general points to our regular readers from Eric and the gang:

The hacker schools at these events are fabulous. You can spend an entire day in these training courses and exercises. The best are the “penetration testing” courses where you emulate what the cyber attackers do. They use the tools and techniques of attackers to make the tests fair and representative of real-world threats and risks.

And oh, the vulnerabilities galore. Everywhere. The first phase is enumeration – essentially exploring the small, sample network they set up to see what we can find. We probe every device we find to see if it has any ports open. Ports can be thought of as virtual doors and every net-connected device has them. The coda: “If there is an open port there is a service”. Services are the things we do on the net. For instance, port 80 typically handles HTTP traffic – web browsing to you and me. Those services are almost always exploitable and it gives a hacker a way in. In one exercise we started to probe those services a bit more to see what information we can elicit about the system we are looking at. We shook loose user names, software versions and other useful information. Armed with this we can look online for information about vulnerabilities that we can slip through.

During our enumeration we noticed that the test network has a web server running on it so we have a look at it to see if that is exploitable. Whoever set it up might have done a poor job and left it open to the well-known cross-site scripting attacks. Said an instructor “there’s a lot of old code running out there from the 1990s – they never thought that it would be used in the way that it’s being used today.” There might be a database behind the web server we can subvert using other tried and tested techniques. We also use a proxy program that lets us manipulate data as it travels between our browser and the server. It’s another way to see if that behind-the-scenes system is subvertable.

The idea: establish a foothold or even a toehold on the network. With that done we can seek to move sideways around the system and, eventually, rattle up the hierarchy of privilege to consolidate our control. The ultimate aim is to get root – total ownership where we can do anything we please to this network.

And on it goes. Almost everywhere we look on this network there are holes, mistakes, vulnerabilities and exploits we can get through. It’s been set up to be wholly holey but plenty of networks have some of the same weaknesses.

What has surprised me is how little I would need to know to do this by myself. The software tools are available online and, armed with a few relevant commands, I could do this again.

2. The speed with which attackers are weaponizing zero-day vulnerabilities in the wild has been essentially cut in half.

New research presented at Black Hat from Malwarebytes Labs shows that after Hacking Team, an Italian security company specializing in offensive technology, was compromised, their trove of zero days was leaked to the Internet, including several for Adobe’s Flash Player.

NOTE: for some background on zero days click here. And for a story on how the Hacking Team breach showed a global spying firm “run amok” click here.

The zero days were previously unknown, but were accompanied by clear and concise instructions to deploy them. As a consequence, exploit kit makers integrated it into their digital weapons in record time. This zero-day campaign is notable for the speed demonstrated by exploit kit makers in integrating the exploit into their platforms. This was further facilitated by the helpful readme files provided by Hacking Team, which clearly explained how to deploy the vulnerability.

The cybercriminals who develop exploit kits are always on the lookout for additional vulnerabilities to add to their arsenal. Their selection of vulnerabilities directly affects their businesses, their popularity, as well as the prices they can charge malware authors who use their services as a vehicle for delivery. All of this hinges on successful infections, and using zero days yields the highest infection rates possible.

While this incident is unique, as zero-day exploits are seldom available at no cost and accompanied with a detailed crib sheet explaining how to deploy them, it nonetheless shows the need for a layered defense that includes addressing the challenges that zero days bring to the table.

Those of you who followed our MWC coverage know that the Federal intelligence authorities are quite concerned about cyberattacks on the electronic control units (ECUs) in modern cars and other modes of transport. These ECUs represent the brains of most modern cars. The recent death of Rolling Stone investigative journalist Michael Hastings may have been caused by such an attack.

And as we have learned at MWC over the last few years the enormous effort by automakers to create the “connected car”, web-linked cars that are the next digital frontier and key to the auto industry’s efforts to attract younger, tech-savvy car buyers, is more than just about accessing email or Twitter. Connected cars will be able to help drivers navigate the best route home at rush hour, automatically schedule maintenance appointments and even order and pay for takeout food. And while the business opportunity is enormous for both automakers and mobile operators, they must work together on encryption to prevent interception and alteration.

So at Black Hat this year we saw many vendors presenting/discussing gadgets that can override the ECU and read data from and write data to the ECU.

And it raised another spectre: the continuation of a trend called “democratization of digital skills” with hacking becoming available to average people through downloadable, inexpensive software, much of which was on display in Vegas this year.

4. A new age of espionage

In 2013 the Las Vegas conferences were held 1 month after the Snowden revelations. It was one of the best weeks. We learned how “in the old day” cyber cafes were once a favored tool of Western intelligence and security agencies. They were inconspicuous, cheap to establish and highly effective. Set up near an international summit buzzing with targets, or close to a mosque favored by Islamist extremists, these facilities allowed their masters to monitor browsing habits, obtain targets’ logins and passwords, and plant spyware for future use.

Well, maybe not so old. Last year we learned now Chinese agents in D.C. used a Starbucks near a large international law firm to access the law firm’s servers by hacking attorneys just “taking a break” and using Starbuck’s Wi-Fi.

These episodes highlight one of the most important trends in modern intelligence work. Collecting electronic information is generally getting easier. It is hard to lead a completely non-digital life, and any activity using computers and networks creates openings for the watchers. An e-mail is as easy to read as a postcard for anyone with modest technical skills. We hacked a few email accounts while we were here.

And with a few tweaks, mobile phones become tracking beacons and bugging devices. Most people readily trade private information for convenience. And hacking into computers can yield vast amounts of intelligence. But as chap from the United States Cyber Command said (making no attempt to hide who he worked for) “it is much more difficult for intelligence officers to maintain secrecy and create fake identities”.

And as he readily admitted “look, espionage is inherently lawless. Private communications are fair game. Friendly countries spy on each other”.

But most interesting were the off-site sessions on electronic intelligence-gathering and the trawling and sifting of huge amounts of information “for value”. One Federal government agent (I think he was a government agent) noted they have a trove of private communications between people who have no connection to crime, terrorism or statecraft. He insisted “this material is of no interest to us, merely the inevitable by-product of collecting communications which contain the material we are interested in”.

And encrypted electronic messaging was heavily discussed.

NOTE: the theory is the encryption keys may be held only by the communicating parties so there is no point in serving a warrant on, say, Apple to get access to messaging that uses its platform. 

The “spooks” (just had to use that word) complain mightily about this saying the firms which provide encryption software to their customers should have a duty to provide the decryption keys to law-enforcement agencies. Critics see this as either futile or dangerous: a warehouse full of keys would be a target for attack.

But … what the spooks DO NOT talk about is the many ways in which they can get round encryption. As one analyst at Black Hat said:

“However heavily encoded a communication is while in transit, it must be composed and displayed in a way that humans can understand. This involves keyboards and computer screens-known as “end-point vulnerabilities”. If you know what your target has written, and what he is reading, the fact that it was transmitted with heavy encryption does not matter. Spies may have to work harder on their targets but no communication, electronic or otherwise, is completely secure: it is just a question of how much effort the other side can put into getting hold of the message”.

Oh, the irony: the very vulnerabilities which make it easy for spies to steal other people’s secrets also make it hard for them to hold on to their own. In pre-computer days, intelligence agencies kept files on paper. Access was strictly controlled; making copies more so. That arrangement was cumbersome but made it possible to see exactly who had looked at a file, when and why. Looting an intelligence registry of its documents was all but impossible.

Now … oh how things have changed. Said a cyber analyst:

“Computers are inherently leakier than cardboard files tied with ribbon and kept under lock and key. Any network connected to the internet is at risk of penetration. Even those that are “air-gapped” – kept physically separate – are vulnerable. A doctored mobile phone can secretly plant spyware on a target’s computer and vice versa. Large quantities of data can be carried on a computer chip the size of a cufflink”.

At one of the Russian intelligence agencies, we’re told, for the most secret documents, manual typewriters and carbon paper are back in fashion.

5. The catastrophe at America’s Office of Personnel Management (OPM)

Discussed endlessly in the media and a bit in Vegas, a few interesting points:

a. There seems to be universal opinion that for more than 1 year outsiders (probably Chinese spies) were running freely across OPM networks and databases, with the loss, by the latest tally, of information relating to 22m people.

b. This included the 127-page SF-86 security-clearance forms, on which candidates for sensitive jobs have to give an exhaustive account of their past, including foreign contacts.

c. The OPM also lost another set of files: the so-called adjudication data, relating to sensitive personal details which had caused difficulties at work, such as extramarital affairs, sexually transmitted diseases and other health matters, as well as the results of polygraph tests.

d. The OPM used laughably weak security and did not encrypt the data it held. The breach came when hackers stole the login and password of an employee working at a commercial contractor for the agency.

e. Although the OPM does not deal with current staff of the CIA and other agencies the information enables Chinese (or other) counter-intelligence services to play “spot the spy”.

How? The core activity of a Western intelligence agency is to send its officers overseas as embassy officials. This is known as “official cover” and at some levels the pretense is a matter of politeness. Titles such as “economics attaché”, “first secretary (external)” and “counsellor (information)” give a semi-public signal of what the real job is. Other identities are tightly concealed. Spies may work as lowly administrators or consular officials, performing routine tasks and seemingly of no interest to the hostile country’s counter-intelligence services.

But their real task is far more important: collecting clandestine communications from dead drops, watching out for signals from sources and so on. They may be in charge of meeting agents in inconspicuous places or supporting other spies working under deep cover, without the protection of a diplomatic job.

If 28 of the 30 purported officials at a diplomatic mission, say, are listed on the OPM’s database, then it is a fair bet that two who are not must be undercover intelligence officers. It is also possible to work out which people have moved from the intelligence world to regular diplomatic and other government service. In short, if the OPM tells you who the real diplomats are, it is possible to identify the pretend ones. That helps a hostile foreign intelligence service work out what the spies have been up to. Past patterns of activity and contact, which seemed innocent at the time, can be re-examined to see if something else was afoot.

6. And how do the security pros protect themselves in Las Vegas this week?

With the biggest computer security conferences taking place this week in Las Vegas, and the tools and the knowledge to break into just about any system imaginable, it is an event that bring in some very cool people … and also plenty of data and networks to entice the nefarious. The threats include everything from “script kiddies” – unskilled hackers who use other people’s programs to attack dangerous systems – to nation-state actors out to pry loose sensitive information from large international corporations.

How to protect yourself? Summarizing Stan Black, chief security officer for Citrix, and Elizabeth Weise who covers tech/cyber/security for USAToday:

1. Pen and paper instead of a laptop. Cash instead of credit cards. Face-to-face chats instead of cell phones. We’ve been to multiple sessions demonstrating how easy it is to read credit card data remotely with an electromagnetic sniffer.

2. Stan Black brings his schedule of meetings/contacts on a piece of paper so he doesn’t have to turn on his cell phone to check it.

3. And Black advised if you must use your cards keep them in specially shielded envelopes or stack them one on top of the other so the signals are jumbled up.

Side note: Black said Citrix gets over 20,000 unauthorized probes on its system every minute.

4. The most wary will also turn off Wi-Fi, power down Bluetooth and book hotel rooms halfway across town, only using virtual private networks to log-in to networks.

5. Many make sure all of their communications are encrypted.

6. To guard against having their cell phones hacked, some attendees use “burner phones” instead. These are cheap, pre-paid cell phones that contain none of their personal information. They just throw them away when they’re done with the conference.

7. And many bring bring only “sterile laptops” that contains nothing but the presentations they’re making. No email. No Web browsers. No personal files.

8. At DEF CON they have what is known as the “Wall of Sheep.” Most years a self-appointed group of attendees monitor the conference Wi-Fi system and post a continuous stream of passwords, IDs and other information unwittingly transmitted in the open by those not using safe computing techniques.

It has been a madhouse in Las Vegas this week. We simply could not get to all the sessions. Just way, way too much. But as fully-paid attendees, relief is at hand.  We can buy all the session recordings at least for Black Hat. They are always of very high quality, available on a pair of USB keys and via the attendee online portal access