Black Hat USA
The False Goon – Michael Vaughn, #Nerd (Ziften Product Manager).
Opening Keynote Takeaways
Dark Tangent aka Jeff Moss
- The disparity between good vs. bad is on the rise. External and internal political roads blocks are drastically increasing year to year. Cyber security defenders are hampered when it comes to deploying necessary tools, while the hackers are free to focus entirely on their goal. The number of check-boxes and hoops an enterprise security team must overcome to do their job is unprecedented. This is the first time defenders are regularly stuck in holding patterns, while the attackers are only focused on the attack.
- Depending on the industry and information involved, compliance regulations, such as the recent race to become GDPR compliant, take extra efforts and time away from the real goals of enterprise security teams. Not only are there Federal and state obstacles for defenders to maintain, they also must deal with internal push back. For example, the forcing of developers to use a specific security toolset can be detrimental to their progress, as developers often to utilize full system resources which a bloated anti-virus tool can limit.
Dark Tangent then offered a solution for dealing with an increasing amount of red tape. He suggested the backbone of the internet, such as AT&T and Google, must be the ones to take initial action. For example, Chrome and Gmail have been pushing hard for protection of user data. Their efforts alone effected approximately 80% of the US population.
- The theme that I felt that was being portrayed was around the battle between defenders and attackers. As Jeff Moss said in his opening talk, companies trying to defend themselves are caught up in a lot of political and internal disagreements and that is slowing down their ability to apply any real defenses and proper actions against the attackers who do not operate within those constraints. Parisa Tabriz, who did the keynote this year also discussed this by saying that the defenders and companies (like ours) that sell security really need to do what they can to help everyone (drive innovation to make others follow suit) so we all benefit.
- I’m going to be honest with you, even though I had a Briefings pass, I was unable to attend as many Briefings as I wanted. This was due to actual customer meetings during the week and a fellow colleague, who shall remain nameless, had me pick up some of his booth shifts 😉 Either way, I want to give a shout out to Josh Harriman, VP of Cyber Security Intelligence at Ziften for notes on some of the talks I wanted to attend. Without further delay, below is a quick review of some Black Hat talks Harriman and I were able to attend. Note: Most talks were great but not everything was a homerun. The same goes for certain talks at Defcon.
Dissecting Non-Malicious Artifacts: One IP at a Time
- Founders of VirusBay
- Mostly talking about leaked information by security vendors like emails or other confidential material. Certain email security products might leak the actual content and emails after a scan and upload to their product. It was being found by these guys during research.
- This is not what you want to hear happening to your email security provider!
Deep Neural Networks for Hackers: Methods, Applications, and Open Source Tools
- Sophos Chief Scientist and author of Malware Data Science
- A lot of math and how Machine Learning (especially Neural Networks) works and is applied to technology like self-driving cars.
- Harriman and I had hoped to see how it could be applied to attack profiles or a combination of events. Maybe next year? Still very interesting.
Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
- Guys from SpectorOps
- Can be done against any security product, but they just used Sysmon as a demo.
- They were basically talking about turning of certain logging or events and even subverting ETW to bypass and/or make the data a tool like Sysmon collects.
- We were not too impressed as you need access to the system or a way in to make those changes. And even some tools would see those changes happening.
Behind the Speculative Curtain: The True Story of Fighting Meltdown and Spectre
- Panel from Google, Microsoft, and Redhat
- They talked about their role during the 10+ months of fixing and dealing with Spectre and Meltdown.
- It was about collaborative processes that were required and that was new territory to get say Google and Microsoft to work together in this fashion. This goes to the overall highlight of the Black Hat theme regarding the need for giants like Google/Microsoft/Redhat to initiate the fixing of problems that affect all of us.
AI & ML in Cyber Security – Why Algorithms are Dangerous
- From Forcepoint
- You cannot blindly trust what any ML algorithm is doing to the data to get results. You must understand the data and how the algorithm works, and in most cases, you need domain knowledge of what you are dealing with.
- You are best setup with data scientists and security experts working together. Do not expect a data scientist to solve a security problem on their own.
Windows Offender: Reverse Engineering Windows Defender’s Antivirus Emulator
- From ForAllSecure
- Very deep (code level) investigation into Windows Defender AV (client agent)
- Looking at the emulator and how to see exactly what Defender AV is doing and what files are responsible for examining programs or protection or updates
Even at Black Hat, the message was there: it takes more than one perspective.
Ziften Booth Time
Home ‘skillet’ Jonathan Taylor Thomas on the right! Great guy #Ziften #Socks #ReplaceAV #Behavior
Great discussions at the booth and positive feedback from everyone on Ziften’s new AV offering and recent partnering with Microsoft Windows Defender by providing Linux and macOS visibility.
- Above is what you want, if you are running a cyber security business. It’s a picture of day 2. These booth pros (pictured left: Jesse Sampson – Lead Badass, middle: me – Honest Noob, right Kim Foster – Head Badass (not pictured: Andrea D’Avignon – Wizard Badass)) exceeded their lead goal with ease (hint: our customers love us) and we were quickly out of Ziften socks. Do you have a pair of Ziften socks? We’ve been giving them away for years. Different style each year! If you are one of ‘those’ to refuse a sock…I got nothing extra for you #StayWarm
For reference, we had over 1,000 Ziften socks to hand out, and we ran out mid-way through the second day. Many security experts were wearing previous year sock designs and we love it!
- I mentioned our recent integration with Microsoft Windows Defender console, but Microsoft themselves also gave a great presentation on the integration. They gave a talk showing off our integration with Defender ATP and it was well received. Now enterprises have a single pane of security glass for all their operating systems!
- I’m not going to blog about how great Ziften is but if you want more, you can read on the main site. I’m here to tell a true story, good or bad.
“HEY!! NO PICTURES!”
If you were not able to make it to Defcon this year, here is a quick walkthrough of my weekend (with pictures I risked my life taking).
Goons are Defcon guides. They do not like their picture taken, so here is their 2018 flyer. They are easy to spot during the conference, as they are dressed in bright red and covered in scary nerd flair. They get a bad rep for being mean, which is valid, but they are there to answer questions… tread lightly.
- Dark Tangent, also known as Jeff Moss, opened the hacker convention by stating, “The conference is what you make of it.” Basically, it is the hackers and attendees who make the conference what it is today. 2018 has a record number of hacker villages, at 28 total. Villages are smaller versions of the larger talks and are more hands-on and specialized. People are more likely to find and meet like-minded people and make real, lifelong contacts at these villages. With villages and contests taking over speaking tracks for the first time, it’s apparent the people are enhancing the conference to satisfy a wider array of hacking topics.
And Jeff Moss recognizes people want to break into smaller ‘affinity groups’ to hang out and meet similar people. One of his latest goals for the conference is to increase transparency. Have more signs, make it easier for people to navigate, and give Goons badges showing their guidance capabilities. Of note, this is the last year Defcon will be held at Caesar’s Palace.
- ‘Defcon is a hacker con, not an infosec con,’ stated Dark Tangent as he went on describing an awakening moment for him. 5 years ago, he was speaking with the CISO of Facebook. The Facebook CISO was informing how he refused to send his security team en masse to get additional specified training. Individuals on his team could seek out training if they wished, but this was not enforced by the CISO. Instead, he sent his entire team to Defcon with the goal of inspiring more thinking and create new growth and understanding throughout his team. This talked lead Jeff Moss to keeping Defcon entirely hacker and not leading down the path of an information and security conference.
Dark Tangent was also not above himself. He understands that Defcon can be overwhelming, especially for first timers. He labeled it “an embarrassment of riches in a land of plenty.” He has taken note that attendees are becoming overwhelmed with the amount of knowledge sharing available during the event, it’s impossible to see everything. He reminded everyone that the talks will all be available online later in the year and even he catches up on talks later in the year when he has time. Dark Tangent was passionate about letting everyone know, that at the heart of Defcon, it truly is about meeting people. Be social. And hence, that reason alone is the foundation of this year badges.
Want to be a speaker at Defcon? Submit to tradition (water is alright). Note: That’s Jeff Moss on right.
- 28,220 badges were made
- 2.6 million components used
- Only 25 Uber badges were made (Dark Tangent was wearing one). The remainder go to special persons and the team who cracks this year’s badge. Not only do they get an Uber badge, but also free lifetime entrance to the conference. Note: Many teams fly in from around the world to be the first to crack the badge puzzle.
- 6 temp workers programmed every single badge. This comes out to ~5k badges programmed per person.
- Prior to the above statistic, the chip makers were given 6 months to program the chips, and 5 weeks before the conference, they said they could not figure out how to program the chips themselves and required someone else to do it.
- There are varying badge levels: Artist, Goon, Regular Attendee, Speaker, and Uber
Each badge level contains a different hardware and software puzzle. Human badge:
- Each of the badge levels withholds a different story, and on each badge, you can decide to either be bad (red LEDs) or good (green LEDs).
- At the bottom of the badges, there is a human interface buttons for directional movement and plus or minus buttons on the right side.
- There is a ‘mating plug’ on the side of each badge which allows syncing of data between badges. This shares storylines and transfers certain data, good and bad. For example, I synced up with a Goon right out of the gate and my storyline became more complex and at the same time, I became eviler via more flashing red LEDs lighting up my badge.
- There is also a micro-USB connector which can display the story in a more consumable fashion via terminal output/input (the terminal screen is 80×25).
- It quickly gets a LOT more complicated than what I described above, but the puzzle for those trying to crack it to be social by ‘docking’ with new people aka badge sex.
NSA & White House
Robert Joyce, the acting United States Security Advisor for the White House and previously head of the National Security Agency (NSA)’s Tailored Access Operations (TAO), a cyber-warfare intelligence-gathering unit, gave an excellent presentation on how the NSA and private sector can work together to fight cyber terrorism. The NSA has full authority in US cyber security and foreign intelligence matters. This viewpoint enables a unique view of historical methods that are effective in defending against global cyber threats and insights into global networks.
A few interesting minor facts he mentioned:
- The year Edward Snowden leaked insider data, the NSA, FBI, and other government agencies were banned from attending Defcon, so Robert attended on his own dime.
- He has a smaller talk in a village about how every December, he creates and extremely elaborate Christmas light display on his house. I did not attend this talk, but it did indeed make him seem like a human (and not a lizard person from Area 51).
The NSA is broken up into two parts:
- Signals Intelligence: Producing intelligence for the law
- Cyber Security: For securing the highest levels of US information
He showed two timelines and named names of continually poor-behaving countries.
- The first was a historical perspective of humans coming online. During 2015, over half the world had some level of access to the internet.
- The other timeline was a historical perspective of global attacks.
He also showed ‘The Big Four’ which are the countries known for malicious cyber behavior: Russia, China, Iran, and North Korea (DPRK).
He closed by restating that cyber defense is a team sport between government agencies knowledge and the private cyber security sector. He gave the example of how Microsoft saw the intrusions of a US Senator’s email account and alerted the proper authorities. This helped the agency track and shutdown a network of outside cybercrime.
This thing ran into my leg and many others. ‘Crack me if you can’.
Police Body Cameras
- This presentation was given by Josh Mitchell, a renowned hacktivist, and to be honest, like many other talks, was eye-opening and downright frightful.
- I will not provide too many specific details on how he went about doing it, but he took 7 of the most popular police body cameras and showed how to hack them. Prior to his talk, ‘someone’ told him he was not allowed to discuss two of the seven devices. Essentially, he would be in some serious trouble if he spoke about how to hack them.
- These devices were made for openness between law enforcement and regular citizens, but he shows how this is not always the case. Josh showed how it is relatively simple to track, hack, and manipulate captured video on all police body cameras. Ouch.
I’ll leave this WIRED video with more details here:
Patrick Wardle gave an excellent talk at last year’s Defcon regarding escalating permissions on mac operating systems. This year he gave another great talk about macs, but instead it was about subverting macOS firewalls.
Mac’s are not secure at all and hence you can get simple cracking guides off CNET.
But it’s still interesting to see newer methods of hacking a mac. Long story short for beating a mac firewall is to utilize its own processes to send bad outgoing messages, as the firewall, currently, automatically approves all messages from native operating system processes.
- Some colleagues and I from the Ziften security team ventured around Defcon and learned lots of cool and scary things this year. As much as I would like to share information on them all, some are borderline unethical to share that information and, I’m likely running out of real estate on this blog’s webpage (marketing team may slap my wrist for going on and on forever). So, I’ll close by describing some typical shenanigans which occur during the conference.
We took a ride on a hacked elevator at Caesar’s Palace but only noticed after we had already begun descent. Pro tip: Don’t run an 800MHz Celeron processor, as there is a laundry list of hacks out there for a 20+ year old processor. At least lock down the elevator panels!
The other ‘strange happenings’ I would like to share is something new to me, from the opposite end of the spectrum: local physical security, which is good due to recent happenings. But in some instances, the security people failed to properly identify themselves, which made it scary for some. The searches seem acceptable, as some attendees are carrying very strange suitcases filled with all kinds of strange fuzzing equipment, but in at least one case, they attempted to enter a single females hotel room unannounced at 5 in the morning. This caused a lot of outcry on social media, and I’m certain we have not yet heard the end of it.
- “Current status: two members of hotel security banging on my door after I asked to go into my room and verify them with hotel security. I’m on speaker phone with hotel security, asking for a supervisor to come verify. I’m terrified. What the hell is this @CaesarsPalace #DEFCON” – Katie Moussouris, @k8em0
- “We have video of them in our room touching stuff, knocking over gear, and taking pictures of all my pelican cases and gear with their phones.” – M R B 0 T, @MrB0t
- Below are related Twitter posts:
Defcon hackers apparently are not the only creepy people in the building! Cheers and see you all next year!
PS: This was likely a cooler social thing than you partook in last week:
PPS: This is ~45 minutes out of Las Vegas to Austin. It is the largest popular meteor in the USA!