Saturday, March 23, 2013

Hacking Computer Security: BSides Austin 2013


The 3-1/2 day event (March 20-23) kicked off with a screening at the Paramount Theater of Code 2600, Jeremy Zerechak’s documentary about the origins and present reality of computer hacking and privacy issues. The festival officially began the next morning at the Wingate by Wyndham in Round Rock. Registration was $10 per day for the official 2-day event. The movie was extra. Breakfast, lunch, dinner, and beer (courtesy of New Republic Brewing of College Station) came with the price of admission. Conference schwag included t-shirts and complicated ballpoint pens. Other giveaways and door prizes were plentiful. The event officially closed Friday at 5:00 PM; an after-party and a Saturday field trip to Texas A&M’s Disaster City training center capped the hacking holiday of hard work.
Photo: Three men standing, one in a yellow shirt, one in blue, one in red. Star Trek theme, with Command (yellow) for the volunteers, blue for attendees, and some Redshirts.

Special two-day games included a lockpicking contest, a social engineering challenge, and “capture the flag.” 

Lockpicking is a traditional cultural aspect of hacking.  The practical side for computer security professionals is that business managers typically hang five dollar locks on server racks with millions of dollars of data: you need to know your exposed risks.

“Social engineering” is the engagement of hapless intermediaries as tools to reveal and expose software and hardware. The two-day challenge was limited to the hotel and the adjacent shopping center: the residential neighborhood with its homes, day care, school, and senior center, was off limits. 

“Capture the flag” involves a server loaded with typical applications. The defense team must keep the system up and running while offense teams attempt to break in.

Sponsors included RackSpace, Digital Defense Inc., Visible Risk, RSA, Rapid 7, Palo Alto Networks, Mandiant, ISSA of Texas, Pwnie Express, Security Innovation, Tenable, The Denim Group, Milton (providers of schwag), Last Pass, Haking, the International Association of Forensic Investigators, Longhorn Lockpicking, and New Republic Brewery of College Station. Also mentioned were "Protect Your Nuts" and "Kommand && Kontrol: Revenge of the Carders."

Money was collected for two charities, "Hackers in Uganda" and the Electronic Frontier Foundation, via the sale of conference buttons.  EFF is famous for protecting and extending rights in cyberspace.  "Hackers in Uganda" is to be a film by Jeremy Zerechak.
Photo: Friday lunch, with about half of the 175+ attendees seated in the big room for box lunches.

BSides San Antonio will be held in May, DFW in November. (BSides Texas here). 



Summaries and reviews of talks delivered follow below.
(Much of this presentation began as posts to the Group64 and the Austin Tech Geeks local groups on LinkedIn.)


Thursday’s sessions (Track 1 and Track 2) began with an assessment of global computer security from H. D. Moore of Rapid 7, chief architect of Metasploit. Moore followed in the tracks of the Internet Census of 2012 with his own massive “bot” that investigated the hundreds of millions of computers connected to the internet and relying on default passwords or even less security.


Two copies of the Census on Bitbucket here and also SourceForge here.
  • 310 million unique IP addresses at any one time
  • 5 million unique IP addresses each day
  • 11 million new services each day
  • 150 million unique “finger” prints per month (“finger” is a command to identify users.)
  • 35,000 servers were considered “vulnerable” for their lack of passwords or reliance on default logins such as guest/guest and admin/admin.
  • Of the 16,000 devices with subsystems made by Huawei Electronics, 15% allowed the login admin/12345 that was set by the manufacturer.

The census revealed state-sponsored malware: viruses, trojans, etc., created by many governments to seek out and harm other computers. The census also tallied “tons of botnets”: criminal zombie networks created to control the unsuspecting computers of millions of users.
Photo: From the back, a man in a TENABLE.COM t-shirt (Tenable computer security).

Groans and chuckles came when Moore showed systems whose bug placed Clipboard pastes into the website Banner, revealing bank account transactions, passwords, and other sensitive information.
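The defender’s counterpart to what Moore showed is to look at your own exposed banners and ask whether anything in them belongs there. The script below is an added example (not code from this post, from H. D. Moore, or from the Internet Census); it scans a handful of constructed banner captures for password-like fragments, card-number-shaped digit runs validated with the Luhn checksum, and banking vocabulary, and flags passwords that match the defaults the post cites (guest, admin, 12345). All hosts and banner texts are made up for illustration.

```python
"""Scan captured service banners for data that should never be there.

Added, defender-side example: not code from the original post, from H. D.
Moore, or from the Internet Census. All hosts and banner texts below are
constructed for illustration (192.0.2.0/24 is a documentation range).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample captures, (host, banner text). Not real observations.
SAMPLE_BANNERS: List[Tuple[str, str]] = [
    ("192.0.2.10", "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\n"),
    ("192.0.2.11", "Welcome. Clipboard: user=jsmith password=hunter2"),
    ("192.0.2.12", "Transfer 4111 1111 1111 1111 approved amt=1200.00"),
    ("192.0.2.13", "Account 1234-5678-9012 debit 500.00 ACH pending"),
    ("192.0.2.14", "login: admin  pass: 12345"),
    ("192.0.2.15", "Session id 1234567890123456 active"),
]

# Password side of the default pairs the post cites
# (guest/guest, admin/admin, admin/12345).
DEFAULT_PASSWORDS = {"guest", "admin", "12345"}

# A password-like "key=value" or "key: value" fragment; group 1 is the value.
PASSWORD_RE = re.compile(r"\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*(\S+)", re.I)
# 13 to 19 digits, optionally separated by spaces or hyphens (card-number shape).
DIGIT_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")
# Vocabulary that suggests a banking transaction rather than a server banner.
ACCOUNT_RE = re.compile(r"\b(?:account|acct|routing|ACH|IBAN)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_banner(text: str) -> List[str]:
    """Return the sorted list of finding types present in one banner."""
    findings = set()
    for m in PASSWORD_RE.finditer(text):
        findings.add("credential")
        if m.group(1).lower() in DEFAULT_PASSWORDS:
            findings.add("default_credential")
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # a 16-digit session id fails here and is skipped
            findings.add("card_number")
    if ACCOUNT_RE.search(text):
        findings.add("account_data")
    return sorted(findings)


def scan_all(captures: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each host with at least one finding to its finding types."""
    report: Dict[str, List[str]] = {}
    for host, text in captures:
        findings = scan_banner(text)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, kinds in scan_all(SAMPLE_BANNERS).items():
        print(f"{host}: {', '.join(kinds)}")
```

The Luhn check is what keeps an ordinary 16-digit session or serial number (host 192.0.2.15 above) out of the report; without it, any long digit run would be flagged and the output would be mostly noise. On real captures, feed the function your own banner grabs and treat every hit as something to remove from the service, not merely to log.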

Thursday’s sessions also included a presentation on the vulnerabilities of printers by Samuel Shapiro of Digital Defense. Printers store information from timestamps to whole jobs. Printers can be accessed from the Internet like any other device. "Black hat hackers" from China, (especially the Chinese government led by the People’s Liberation Army), and Russia routinely access corporate and government printers to steal intellectual property, classified information, and other sensitive data. Most users are unaware of their exposed risks. 

For the luncheon speech on Thursday, private investigator Max Westbook explained some of the ways that he uses computer security, and some of the problems with computers that he was called upon to investigate. Westbook also outlined some of the legal empowerments and legal restrictions on private investigators, locksmiths, and other regulated security professions. Generally, digital forensics specialists are hired as subcontractors by licensed investigators under whose aegis they work.

Branden Williams on behalf of RSA (http://hirebranden.com/) spoke on “Using Social Engineering Tactics to Game Big Data.” Big Data is not just lots of data: it is disparate sourcing of information – your bank account, your driver’s license, your school records, your purchases at Walmart, CVS, and the local stores, … yours and the same from millions of other people – aggregated on large servers and analyzed with sophisticated mathematics to tease out the habits and acts of individuals. Williams’s paradigm was the father shocked to see Target sending coupons for baby products to his 16-year-old daughter. Indeed, she was pregnant and Target knew it before Dad.

According to Williams, you can pierce the corporate veil with similar investigations. Mentions on Facebook of spending a week on business in this town or that can reveal a merger or acquisition in progress.  Updated resumes on LinkedIn can reveal an executive changing companies.  Chat about working long hours can expose a new product in development.
Photo: Registration princesses worked hard even for the after party.

Thursday night was for “Fire Marshall Talks,” short, ad hoc presentations. I delivered a PowerPoint overview of the advantages of private security versus public policing. The winning talk was about how to tell if your computer has been physically compromised by the addition of unauthorized hardware. This is especially relevant to executives who travel outside the USA. Another presenter warned about the limitations of biometric security. Anyone who has your finger or eye will gain access to your sites. Moreover, while you can change your passwords, you cannot change your fingerprints or retinas. Regardless of the organ, ultimately, the lock is a digital file that can be compromised, copied, or changed.

Friday Track 1 began with “How Do I Pwn Thee, Let Me Count the Ways” by raconteur Jayson Street.  (Pwn means “own” and it began as a typo but continues independently usually to mean being owned (bested, taken, or exploited) in a digital domain.)  Street works by day on a Blue Team: digital defense. By night (figuratively) he is the Red Team, penetrating your security with ruses, hacks, bluster, begging, dodges, and other social engineering, to get to your servers, your clients, your desktop. 
He likes to attack on the second shift. After 4:30 most executives and many managers are gone, so nothing can be checked with a higher authority. The security guards who work midnights tend to be quirky and unpredictable. The best guards work M-F 8 to 5 or 7 to 3 and have management back-up. So, he picks the second shift for his targets.
Jayson Street employs forged emails, fake letterhead, and other “gate passes” to defeat the security desk and gain access to offices, server rooms, etc. 

Street said that now he always ends every attack by getting caught, no matter what it takes to get someone’s attention.  That person brings a positive reinforcement to the organization which would be lacking if the attack were completely successful, which it has been too often and too easily. 

Friday Track 2 heard David Balcar of Novacoast, who also brought perspectives on “pen testing” (penetration testing), both via social engineering but largely through digital attacks. Typically, a large-system failure involves the compromise of so many millions of records that the victims have no idea how much data was lost. When the FBI informs them of the extent of their liabilities, the estimate of the millions of items lost is typically derived from measures of bandwidth and time. Blue Cross, the Pentagon, NASA, Experian, and other warehouses are among the well-known victims.

Photo: An older woman at left speaking with a younger man at right.

Balcar said that less in the public mind are the cases in which rent-to-own chains such as Aarons and Colortyme loaded spyware on computers placed in the homes of consumers to make video records of their private lives.  He recommended two clearinghouses for information about breaches: ID Theft Center  and Data Loss db of the Open Security Foundation.

As costly as outside attackers are, Balcar warned that 70% of attacks come from inside the organization when employees copy and remove sensitive and proprietary information. 

Code 2600
Jeremy Zerechak introduces modern cyber security via Sputnik and the Cold War which brought about the Defense Advanced Research Projects and the first computer network. The film also weaves in the threads of telephone systems and phone phreaking, and the transmutation of the computer from the behemoths of corporations and governments to the homebrew hacks that birthed the Apple computer. The result was an assault on your privacy which is magnified today by government agencies and private companies that compete for the control of information that you create about yourself.

More subtly, in the Cold War, we could see our attackers. We would know who launched the missiles. Today, the clues left by a cyber-attack are harder to trace. The war is going on right now with the governments of the USA and China hacking each other, as well as Britain hacking Norway. And corporations are really the leading edge players: everyone – civilian or military, government or corporation – uses the same operating systems and applications programs. The military is no longer the leading edge of technology: they buy it from the same places that you do.

The success of AOL was a milestone. When the computer information service bought Time-Warner it heralded the blossoming of the information age. But we are still in the middle of the story. We will not know for 50 years how this plays out. 

“What should we be teaching young people about computers?” is the wrong question. Young people should be teaching us about how they use their devices, apps, and media, because that is the future.


1 comment:

  1. What really stunned me is that China, or hackers in China, has/have the ability to hack a climate control system in order to use it like a wifi access point to snoop on corporate/personal communications that are otherwise secure.
    computer repair services maryland