The 3-1/2 day event (March 20-23) kicked off with a screening at
the Paramount Theater of Code 2600,
Jeremy Zerechak’s documentary about the origins and present reality of computer
hacking and privacy issues. The festival
officially began the next morning at the Wingate by Wyndham in Round Rock. Registration was $10 per day for the official
2-day event. The movie was extra. Breakfast,
lunch, dinner, and beer (courtesy of New Republic Brewing of College Station) came
with the price of admission. Conference
schwag included t-shirts and complicated ballpoint pens. Other giveaways and
door prizes were plentiful. Officially closing Friday at 5:00 PM, an after-party and Saturday field trip to Texas A&M’s Disaster City training center capped the hacking holiday of hard work.
Star Trek theme with Command for the volunteers, Blue for attendees and some Redshirts.
Special two-day games included a lockpicking contest, a social engineering challenge, and “capture the
flag.”
Lockpicking is a traditional cultural aspect of
hacking. The practical side for computer
security professionals is that business managers typically hang five dollar
locks on server racks with millions of dollars of data: you need to know your
exposed risks.
“Social engineering” is the engagement of hapless
intermediaries as tools to reveal and expose software and hardware. The two-day
challenge was limited to the hotel and the adjacent shopping center: the
residential neighborhood with its homes, day care, school, and senior center, was off limits.
“Capture the flag” involves a server loaded with typical applications. The defense team must keep the system up and running while offense
teams attempt to break in.
Sponsors included RackSpace, Digital Defense
Inc., Visible Risk, RSA, Rapid 7, Palo Alto Networks, Mandiant, ISSA of Texas,
Pwnie Express, Security Innovation, Tenable, The Denim Group, Milton (providers
of schwag), LastPass, Haking, the International
Association of Forensic Investigators, Longhorn Lockpicking, and New Republic
Brewery of College Station. Also mentioned were "Protect Your Nuts"
and "Kommand && Kontrol: Revenge of the Carders."
Money was collected for two charities, "Hackers in Uganda" and the Electronic Frontier Foundation, via the sale of conference buttons. EFF is famous for protecting and extending rights in cyberspace. "Hackers in Uganda" is to be a film by Jeremy Zerechak.
Friday lunch: about half of the 175+ attendees sat in the big room.
BSides San Antonio will be held in May, DFW in
November. (BSides Texas here).
Summaries and reviews of talks delivered follow below.
(Much of this presentation
began as posts to the Group64 and the Austin Tech Geeks local groups on
LinkedIn.)
Thursday’s sessions (Track 1 and Track 2) began with an assessment of global computer security from H. D. Moore of
Rapid 7, chief architect of Metasploit.
Moore
followed in the tracks of the Internet Census of 2012 with his own massive
“bot” that investigated the hundreds of millions of computers connected to the
internet and relying on default passwords or even less security.
Two copies of the Census on Bitbucket here and
also SourceForge here.
- 310 million unique IP addresses at any one time
- 5 million unique IP addresses each day
- 11 million new services each day
- 150 million unique “finger” prints per month (“finger” is a command to identify users.)
- 35,000 servers were considered “vulnerable” for their lack of passwords or reliance on default logins such as guest/guest and admin/admin.
- Of the 16,000 devices with subsystems made by Huawei Electronics, 15% allowed the login admin/12345 which was installed by the manufacturer.
Groans and chuckles came when Moore showed systems whose bug placed
Clipboard pastes into the website Banner, revealing bank account transactions,
passwords, and other sensitive information.
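Two of Moore’s findings above lend themselves to a defender-side audit: services that still accept vendor default logins, and service banners that leak sensitive data (the clipboard-in-banner bug). The script below is an added example written for this write-up, not code from the census or from Rapid 7; the scan-record format, the sample records, and the vendor name are constructed, and the credential list contains only the pairs named in the talk.

```python
"""Audit constructed scan records for two exposures described in the census talk:
services accepting default logins, and banners leaking sensitive data.
Added example; record format and sample data are assumptions, not census data."""
import re

# Default credential pairs named in the talk.
DEFAULT_CREDENTIALS = {
    ("guest", "guest"),
    ("admin", "admin"),
    ("admin", "12345"),
}

# Constructed sample: (ip, service, vendor, accepted_login, banner).
# "ExampleVendor" and the addresses are placeholders, not real findings.
SAMPLE_RECORDS = [
    ("198.51.100.10", "telnet", "ExampleVendor", ("admin", "12345"), "Welcome to router"),
    ("198.51.100.11", "http", "ExampleVendor", None, "Apache/2.2"),
    ("198.51.100.12", "http", "OtherVendor", None,
     "HTTP/1.0 200 OK\r\nServer: Widget\r\n"
     "X-Status: password=hunter2 acct 4111111111111111 debit $42.00"),
    ("198.51.100.13", "ssh", "OtherVendor", ("guest", "guest"), "SSH-2.0-OpenSSH_5.3"),
    ("198.51.100.14", "http", "OtherVendor", None, "order id 1234567890123456"),  # fails Luhn
]

# 14 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# A password-style key/value pair pasted into a banner.
SECRET_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def leaked_secrets(banner: str) -> list:
    """Return labels for sensitive data found in a banner (last 4 digits only)."""
    findings = []
    for m in CARD_RE.finditer(banner):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append("card:" + digits[-4:])
    if SECRET_RE.search(banner):
        findings.append("password")
    return findings


def audit(records) -> dict:
    """Map each exposed IP to the list of issues found on it."""
    issues = {}
    for ip, _service, _vendor, login, banner in records:
        found = []
        if login in DEFAULT_CREDENTIALS:
            found.append(f"default-login:{login[0]}/{login[1]}")
        found += [f"banner-leak:{f}" for f in leaked_secrets(banner)]
        if found:
            issues[ip] = found
    return issues


def vendor_default_rate(records, vendor: str) -> float:
    """Share of one vendor's devices that accepted a default login."""
    devices = [r for r in records if r[2] == vendor]
    if not devices:
        return 0.0
    bad = sum(1 for r in devices if r[3] in DEFAULT_CREDENTIALS)
    return bad / len(devices)


if __name__ == "__main__":
    for ip, found in audit(SAMPLE_RECORDS).items():
        print(ip, ", ".join(found))
    print("ExampleVendor default-login rate:",
          vendor_default_rate(SAMPLE_RECORDS, "ExampleVendor"))
```

The Luhn filter is what keeps the banner check useful: without it, every sixteen-digit order number or epoch timestamp in a banner would be flagged as a card number, and only the last four digits are kept in the report so the audit output does not itself become a second leak.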
Thursday’s sessions also included a
presentation on the vulnerabilities of printers by Samuel Shapiro of Digital
Defense. Printers store information from timestamps to whole jobs. Printers can
be accessed from the Internet like any other device. "Black hat
hackers" from China (especially the Chinese government, led by the People’s Liberation Army) and Russia
routinely access corporate and government printers to steal intellectual
property, classified information, and other sensitive data. Most users are
unaware of their exposed risks.
For the luncheon
speech on Thursday, private investigator Max Westbook explained some of the
ways that he uses computer security, and some of the problems with computers
that he was called upon to investigate. Westbook also outlined some of the
legal empowerments and legal restrictions on private investigators, locksmiths,
and other regulated security professions. Generally, digital forensics
specialists are hired as subcontractors by licensed investigators under whose
aegis they work.
Branden Williams on behalf of RSA (http://hirebranden.com/) spoke
on “Using Social Engineering Tactics to Game Big Data.” Big Data is not just lots of data: it is
disparate sourcing of information – your bank account, your driver’s license,
your school records, your purchases at Walmart, CVS, and the local stores, …
yours and the same from millions of other people – aggregated on large servers
and analyzed with sophisticated mathematics to tease out the habits and acts of
individuals. Williams’s paradigm was the father shocked to see Target sending
coupons for baby products to his 16-year old daughter. Indeed, she was pregnant
and Target knew it before Dad.
According to Williams, you can pierce the corporate veil with
similar investigations. Mentions on Facebook of spending a week on business in
this town or that can reveal a merger or acquisition in progress. Updated resumes on LinkedIn can reveal an
executive changing companies. Chat about
working long hours can expose a new product in development.
Registration princesses worked hard even for the after party
Thursday night was for “Fire Marshall Talks”: short, ad
hoc presentations. I delivered a
PowerPoint overview of the advantages to private security versus public
policing. The winning talk was about how
to tell if your computer has been physically compromised by the addition of
unauthorized hardware. This is
especially relevant to executives who travel outside the USA. Another presenter warned about the
limitations of biometric security. Anyone
who has your finger or eye will gain access to your sites. Moreover, while you
can change your passwords, you cannot change your fingerprints or retinas. Regardless
of the organ, ultimately, the lock is a digital file that can be compromised,
copied, or changed.
Friday Track 1 began with “How Do I Pwn Thee, Let Me
Count the Ways” by raconteur Jayson Street.
(Pwn means “own” and it began as a typo but continues independently
usually to mean being owned (bested, taken, or exploited) in a digital
domain.) Street works by day on a Blue
Team: digital defense. By night (figuratively) he is the Red Team, penetrating
your security with ruses, hacks, bluster, begging, dodges, and other social
engineering, to get to your servers, your clients, your desktop.
Jayson Street employs forged emails, fake letterhead, and
other “gate passes” to defeat the security desk and gain access to offices,
server rooms, etc.
Street said that now he always ends every attack
by getting caught, no matter what it takes to get someone’s attention. That person brings a positive reinforcement
to the organization which would be lacking if the attack were completely successful,
which it has been too often and too easily.
Jayson Street and a White Hat
Friday Track 2 heard David Balcar of Novacoast who also
brought perspectives on “pen testing” (penetration testing) both via social
engineering but largely through digital attacks. Typically, a large system fail point involves
the compromise of so many millions of records that the victims have no idea how
much data was lost. When informed by the
FBI of the extent of their liabilities, the metrics typically involve measures
of bandwidth and time to estimate the millions of items. Blue Cross, the Pentagon, NASA, Experian, and
other warehouses are among the well-known victims.
Balcar said that less in the public mind are the
cases in which rent-to-own chains such as Aarons and Colortyme loaded spyware
on computers placed in the homes of consumers to make video records of their
private lives. He recommended two
clearinghouses for information about breaches: ID Theft Center and Data Loss db of the Open Security Foundation.
As costly as outside attackers are, Balcar warned
that 70% of attacks come from inside the
organization when employees copy and remove sensitive and proprietary
information.
Code 2600
Jeremy Zerechak introduces modern cyber security
via Sputnik and the Cold War which brought about the Defense Advanced Research
Projects and the first computer network. The film also weaves in the threads of
telephone systems and phone phreaking, and the transmutation of the computer
from the behemoths of corporations and governments to the homebrew hacks that
birthed the Apple computer. The result was an assault on your privacy which is
magnified today by government agencies and private companies that compete for
the control of information that you create about yourself.
More subtly, in the Cold War, we could see our attackers. We would
know who launched the missiles. Today, the clues left by a cyber-attack are
harder to trace. The war is going on right now with the governments of the USA and China
hacking each other, as well as Britain hacking Norway.
And corporations are really the leading edge players: everyone – civilian or
military, government or corporation – uses the same operating systems and
applications programs. The military is no longer the leading edge of
technology: they buy it from the same places that you do.
The success of AOL was a milestone. When the computer information
service bought Time-Warner it heralded the blossoming of the information age.
But we are still in the middle of the story. We will not know for 50 years how
this plays out.
“What should we be teaching young people about computers?” is the
wrong question. Young people should be teaching us about how they use their
devices, apps, and media, because that is the future.
Website for "Code 2600" by Jeremy Zerechak
ALSO ON NECESSARY FACTS
BSides Austin 2015
Lonestar Application Security Conference 2014
Your Cellphone is not Safe
Securing Your Viper Against Cylons
What really stunned me is that China, or hackers in China, has/have the ability to hack a climate control system in order to use it like a wifi access point to snoop on corporate/personal communications that are otherwise secure.