By Michael Vaughn

Ziften at Black Hat and Defcon 2017 – Friends in Low Places

Howdy from Austin, Texas! Last year this time I reviewed my experiences at Black Hat 2016, and I’d enjoy sharing them again this year. There is a slight addition in approaching this year’s synopsis. It is large in part due to the theme of the opening talk given by Facebook’s Chief Security Officer, Alex Stamos. Stamos projected the importance of re-focusing the security community’s efforts in working better together and diversifying security solutions.

“Working better together” is seemingly an oxymoron when examining the mass competition amongst hundreds of security companies fighting for business during Black Hat. Based off Stamos’s messaging during the opening keynote this year, I felt it important to include some of my experiences from Defcon as well. Defcon has historically been an event for learning and consists of independent hackers and security experts. Last week’s Black Hat theme focused on the social aspect of how companies should get along and truly help others and one another, which has always been the overlying message of Defcon.

People visited from around the world last week:

I took the above picture last Friday – July 28, 2017 – on a pillar amongst the Defcon Tracks. It shows that people from around world come together to learn and share hacking knowledge.

Jeff Moss, aka ‘Dark Tangent’, the founder of Black Hat and Defcon, also wishes that to be the theme: Where you look to help people gain knowledge and learn from others. Moss wants attendees to remain ‘good’ and ‘helpful’ during the conference. That is on par with what Alex Stamos from Facebook conveyed in his keynote about security companies. Stamos asked that we all share in the responsibility of helping those that cannot help themselves. He also raised another valid point: Are we doing enough in the security industry to really help people as opposed to just doing it to make money? Can we achieve the goal of really helping people? As such is the juxtaposition of the two events. The main differences between Black Hat and Defcon is the more corporate consistency of Black Hat (from vendor hall to the talks) to the true hacker community at Defcon, which showcases the creative side of what is possible.

The company I work for, Ziften, provides Systems and Security Operations software – giving IT and security teams visibility and control across all endpoints, on or off a corporate network. We also have a pretty sweet sock game!

Many attendees showed off their Ziften support by adorning prior year Ziften sock designs. Looking good, feeling good!

The idea of joining forces to fight against the corrupt is something most attendees from around the world embrace, and we are no different. Here at Ziften, we strive to truly help our customers and the community with our solutions. Why offer or rely on a solution which is limited to only what’s inside the box? One that offers a single or handful of specific functions? Our software is a platform for integration and provides modular, individualistic security and operational solutions. The entire Ziften team takes the creativity from Defcon, and we push ourselves to try and build new, custom features and forensic tools in which traditional security companies would shy away from or simply remain consumed by day-to-day tasks.

Delivering all-the-time visibility and control for any asset, anywhere is one of Ziften’s primary focuses. Our unified systems and security operations (SysSecOps) platform empowers IT and security operations teams to quickly repair endpoint issues, reduce overall risk posture, speed threat response, and boost operations productivity. Ziften’s secure architecture delivers continuous, streaming endpoint monitoring and historical data collection for enterprises, governments, and managed security service providers. And sticking with this year’s Black Hat theme of working together, Ziften’s partner integrations extend the value of incumbent tools and fill the gaps between siloed systems.

The press is not allowed to take pictures of the Defcon crowd, but I am not the press and this was prior to entering a badge required area :P The Defcon hoards and goons (Defcon mega-bosses wearing red shirts) were at a standstill for solid 20 minutes awaiting initial access to the four massive Track conference rooms on opening day. The escalators and building construction were a bit precarious but eventually everyone got to where they were going.

The Voting Machine Hacking Village gained a lot of attention this week. It was interesting but nothing new for veteran attendees. I suppose it takes something noteworthy to garner attention around certain vulnerabilities. ? All vulnerabilities for most of the talks and especially this village have already been disclosed to the proper authorities prior to the event. Let us know if you need help locking down one of these (looking at you government folks).

Presentation: Dark Data – Svea Eckert & Andreas Dewes

More and more personal data is becoming available to the public. For example, Google & Twitter APIs are freely and publicly available to query user data metrics. This data is making it easier for hackers to social engineer focused attacks on people and specifically persons of power and rank, like judges and executives. This presentation titled, Dark Data, showed how a simple yet brilliant de-anonymization algorithm and some data enabled these two white hats to identify individuals with extreme precision and uncover very private information about them. This should make you think twice about what you have installed on your systems and people in your workplace. Most of the above raw metadata was gathered through a popular web browser add-on. The fine tuning occurred with the algothrim and public APIs. Do you know what browser add-ons are running in your environment? If the answer is no, then Ziften can help.

Presentation: DOOMed Point of Sales Systems – trixr4skids

This presentation was clearly about exploiting Point-of-Sale systems. Although quite humorous, it was a tad scary at the quickness at which one of the most commonly used POS systems could be hacked. This particular POS hardware is most commonly used when leaving payment in a taxi. The base operating system is Linux and although on an ARM architecture and defended by sturdy firmware, why would a company risk leaving the security of customer credit card information solely up to the hardware vendor? If you seek additional protection on your POS systems, then look no further than Ziften. We secure the most commonly used enterprise operating systems. If you wish to do the fun thing and install the video game Doom on one, I can send you the slide deck.

Presentation: Death by 1,000 installers; on MacOS, It’s All Broken! – Pratrick Wardle

This guy’s slides were off the charts excellent. What wasn’t excellent was how exploitable the MacOS is during the installation process of very common applications. Basically everytime you install an application on a Mac, it requires the entry of your escalated privileges. But what if something were to slightly alter code a moment before you enter your Administrator credentials? Well, most of the time, probably something not good. Worried about your Mac’s running malware smart enough to detect and alter code on common vulnerable applications prior to you or your user base entering credentials? If so, we at Ziften Technologies can help.

We help you by not replacing all of your toolset, although we often find ourselves doing just that. Our aim is to use the advice and current tools that work from various vendors, ensure they are running and installed, ensure the perscribed hardening is indeed intact, and ensure your operations and security teams work more efficiently together to achieve a tighter security matrix throughout your environment. Oh, and if you are lacking a cool pair of styling socks, stop by our booth during Black Hat 2018!

Above: Kim Foster, Michael Vaughn, and a partial Jesse Sampson slinging socks!

Key Takeaways from Black Hat & Defcon 2017:

  • 1) Stronger together
  • Alex Stamos’s keynote
  • Jeff Moss’s message
  • Visitors from around the world working together
  • Black Hat should maintain a friendly community spirit
  • 2) Stronger together with Ziften
  • Ziften plays nice with other software vendors
  • 3) Popular current vulnerabilities Ziften can help prevent and resolve
  • Point-of-Sale accessing
  • Voting machine tampering
  • Escalating MacOS privileges
  • Targeted individual attacks

Michael Vaughn: Looking good, feeling good!

Get the Blog Here