I returned to the blistering dry heat of Las Vegas for a second year in a row to attend Black Hat and DEF CON.
The most interesting talk to me was a panel discussion at Black Hat that provided a future retrospective on the next 15 years of security. Some of the topics discussed:
- What is the role of the private sector in computer and network security? One panelist noted that the U.S. Constitution specifies that the government is supposed “to provide for the common defense” — presumably including all domestic websites, commercial networks and intellectual property, and perhaps even personal computers — instead of only claiming to protect the .gov (DHS) and .mil (NSA) domains as they do today. Another panelist suggested that, as in other sectors, the government should publish “standards” for network and communications security such that individual companies can control the implementation of those standards.
- Social engineering and the advanced persistent threat. At a BSidesLV party, someone I met asked whether I felt the APT was just a buzzword or whether it was real. (My answer was “both”.) Several speakers played with new views on the APT, such as “advanced persistent detection” (defenders shouldn’t be focused on vulnerabilities; rather they should look at an attacker’s motivation and objectives) and “advanced persistent fail” (real-world vulnerabilities survive long after mitigations are published).
- How can you discover what evil lurks in the hearts of men and women? One panelist speculated that we would see the rise of long-term [lifetime?] professional background checks for technological experts. Current background checks for U.S. government national security positions use federal agents to search back 7-10 years. I got the impression that the panelist foresees a rise in private-sector background checks (or checks against private databases of personal information) as a prerequisite for hiring decisions across the commercial sector.
- How can you protect against a 120 gigabit distributed denial of service (DDoS) attack? A panelist noted that a large recent DDoS hit 120 Gbit/sec, up around 4x from the largest DDoS from a year or two ago. The panelist challenged the audience to think about how “old” attacks, which used to be easy to mitigate, become less so at global scale when the attacker leverages cloud infrastructure or botnet resources.
- Shifting defense from a technical basis into a legal, policy, or contractual basis. So far there hasn’t been an economically viable way to shift network security risks (or customer loss/damage liability) onto a third party — I believe many organizations would willingly exchange large sums of money to be released from these risks, but so far no third party seems willing to accept that bet. The panel wondered whether (or when) the insurance industry will develop a workable model for computer security.
- Incentives for computer security. Following up on the point above, a panelist noted that it is difficult to incent users to follow good security practices. The panelist asserted that E*TRADE gave away 10,000 security tokens but still had trouble convincing their users to use them as a second factor for authentication. Another panelist pointed to incentives in the medical insurance industry — “take care of your body” and enjoy lower premiums — and wondered how to provide similar actionable incentives to take care of your network.
- Maximizing your security return-on-investment (ROI). A panelist asserted that the best ROI is money spent on your employees: Developing internal experts in enterprise risk management, forensics and incident response skills, etc.
- Assume you will be breached. I’ve also been preaching that message: Don’t just protect, but also detect and remediate. A panelist suggested you focus on understanding your network and your systems, especially with respect to configuration management and change management.
When asked to summarize the next 15 years of security in five words or fewer, the panelists responded:
- Loss of control.
- Incident response and cleaning up.
- Human factors.
Beyond the panel discussion, some of the work that caught my attention included:
- Kinectasploit. Jeff Bryner presented my favorite work of the weekend, on “linking the Kinect with Metasploit [and 19 other security tools] in a 3D, first person shooter environment.” I have seen the future of human-computer interaction for security analysts — it is Tom Cruise in Minority Report — and the work on Kinectasploit is a big step in us getting there.
- Near field communications insecurity. Charlie Miller (“An analysis of the Near Field Communication [NFC] attack surface”) explained that “through NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts, office documents, even open up web pages in the browser, all without user interaction. In some cases, it is even possible to completely take over control of the phone via NFC, including stealing photos, contacts, even sending text messages and making phone calls” and showed a live demo of using an NFC exploit to take remote control of a phone.
- Operating systems insecurity. Rebecca Shapiro and Sergey Bratus from Dartmouth made the fascinating observation that the ELF (executable and linker format) linker/loader is itself a Turing-complete computer: “[we demonstrate] how specially crafted ELF relocation and symbol table entries can act as instructions to coerce the linker/loader into performing arbitrary computation. We will present a proof-of-concept method of constructing ELF metadata to implement [Turing-complete] language primitives as well as demonstrate a method of crafting relocation entries to insert a backdoor into an executable.” The authors’ earlier white paper provides a good introduction to what they call “programming weird machines”.
- Wired communications insecurity. Collin Mulliner (“Probing mobile operator networks”) probed public IPv4 address blocks known to be used by mobile carriers and found a variety of non-phone devices, such as smart meters, with a variety of enabled services with obtainable passwords.
- Governmental infrastructure insecurity. My next-to-favorite work was “How to hack all the transport networks of a country,” presented by Alberto García Illera, where he described a combination of physical and electronic penetration vectors used “to get free tickets, getting control of the ticket machines, getting clients [credit card] dumps, hooking internal processes to get the client info, pivoting between machines, encapsulating all the traffic to bypass the firewalls” of the rail network in his home country.
- Aviation communications insecurity. There were three talks on aviation insecurity, all focused on radio transmissions or telemetry (the new ADS-B standard for automated position reporting, to be deployed over the next twenty years) sent from or to an aircraft.
Last year I tried to attend as many talks as I could but left Vegas disappointed — I found that there is a low signal-to-noise ratio when it comes to well-executed, well-presented work at these venues. The “takeaway value” of the work presented is nowhere near as rigorous or useful as that at research/academic conferences like CCS or NDSS. But it turns out that’s okay; these venues are much more about the vibe, and the sharing, and the inspiration (you too can hack!), than about peer-reviewed or archival-quality research. DEF CON in particular provides a pretty fair immersive simulation of living inside a Neal Stephenson or Charlie Stross novel.
This year I spent more time wandering the vendor floor (Black Hat) and acquiring skills in the lockpick village (DEF CON), while still attending the most-interesting-looking talks and shows. By lowering my “takeaway value” expectations a bit I ended up enjoying my week in Vegas much more than expected.