{"id":977,"date":"2012-08-03T00:00:21","date_gmt":"2012-08-03T04:00:21","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=977"},"modified":"2013-09-05T13:48:00","modified_gmt":"2013-09-05T17:48:00","slug":"black-hat-usa-2012-and-def-con-20-the-future-of-insecurity","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2012\/08\/black-hat-usa-2012-and-def-con-20-the-future-of-insecurity\/","title":{"rendered":"Black Hat USA 2012 and DEF CON 20: The future of insecurity"},"content":{"rendered":"<p>I returned to the blistering dry heat of Las Vegas for a\u00a0<a href=\"http:\/\/jlg.name\/blog\/2011\/08\/black-hat-usa-2011-and-def-con-19\/\">second year in a row<\/a>\u00a0to attend Black Hat and DEF CON.<\/p>\n<p>The most interesting talk to me was a panel discussion at Black Hat that provided a future retrospective on the next 15 years of security.\u00a0 Some of the topics discussed:<\/p>\n<ul>\n<li><strong>What is the role of the private sector in computer and network security?<\/strong>\u00a0 One panelist noted that the U.S. 
Constitution specifies that the government is supposed \u201cto provide for the common defense\u201d \u2014 presumably including all domestic websites, commercial networks and intellectual property, and perhaps even personal computers \u2014 instead of only claiming to protect the .gov (DHS) and .mil (NSA) domains as they do today.\u00a0 Another panelist suggested that, as in other sectors, the government should publish \u201cstandards\u201d for network and communications security such that individual companies can control the implementation of those standards.<\/li>\n<\/ul>\n<ul>\n<li><strong>Social engineering and the advanced persistent threat.<\/strong>\u00a0 At a BSidesLV party, someone I met asked whether I felt the APT was just a buzzword or whether it was real.\u00a0 (My answer was \u201cboth\u201d.)\u00a0 Several speakers played with new views on the APT, such as \u201cadvanced persistent detection\u201d (defenders shouldn\u2019t be focused on vulnerabilities; rather they should look at an attacker\u2019s\u00a0<em>motivation\u00a0<\/em>and<em>\u00a0objectives<\/em>) and \u201cadvanced persistent fail\u201d (real-world vulnerabilities survive long after mitigations are published).<\/li>\n<\/ul>\n<ul>\n<li><strong>How can you discover what evil lurks in the hearts of men and women?<\/strong>\u00a0 One panelist speculated that we would see the rise of long-term [lifetime?] professional background checks for technological experts.\u00a0 Current background checks for U.S. 
government national security positions use federal agents to search back 7-10 years.\u00a0 I got the impression that the panelist foresees a rise in private-sector background checks (or checks against private databases of personal information) as a prerequisite for hiring decisions across the commercial sector.<\/li>\n<\/ul>\n<ul>\n<li><strong>How can you protect against a 120 gigabit distributed denial of service (DDoS) attack?<\/strong>\u00a0 A panelist noted that a large recent DDoS hit 120 Gbit\/sec, up around 4x from the largest DDoS from a year or two ago.\u00a0 The panelist challenged the audience to think about how \u201cold\u201d attacks, which used to be easy to mitigate, become less so at global scale when the attacker leverages cloud infrastructure or botnet resources.<\/li>\n<\/ul>\n<ul>\n<li><strong>Shifting defense from a technical basis into a legal, policy, or contractual basis.<\/strong>\u00a0 So far there hasn\u2019t been an economically viable way to shift network security risks (or customer loss\/damage liability) onto a third party \u2014 I believe many organizations would willingly exchange large sums of money to be released from these risks, but so far no third party seems willing to accept that bet.\u00a0 The panel wondered whether (or when) the insurance industry will develop a workable model for computer security.<\/li>\n<\/ul>\n<ul>\n<li><strong>Incentives for computer security.<\/strong>\u00a0 Following up on the point above, a panelist noted that it is difficult to incent users to follow good security practices.\u00a0 The panelist asserted how E*TRADE gave away 10,000 security tokens but still had trouble convincing their users to use them as a second factor for authentication.\u00a0 Another panelist pointed to incentives in the medical insurance industry \u2014 \u201ctake care of your body\u201d and enjoy lower premiums \u2014 and wondered how to provide similar actionable incentives to take care of your 
network.<\/li>\n<\/ul>\n<ul>\n<li><strong>Maximizing your security return-on-investment (ROI).<\/strong>\u00a0 A panelist asserted that the best ROI is money spent on your employees:\u00a0 Developing internal experts in enterprise risk management, forensics and incident response skills, etc.<\/li>\n<\/ul>\n<ul>\n<li><strong>Assume you will be breached.<\/strong>\u00a0 I\u2019ve also been preaching that message: Don\u2019t just protect, but also\u00a0<em>detect and remediate<\/em>.\u00a0 A panelist suggested you focus on understanding your network and your systems, especially with respect to configuration management and change management.<\/li>\n<\/ul>\n<p>When asked to summarize the next 15 years of security in five words or fewer, the panelists responded:<\/p>\n<ol>\n<li>Loss of control.<\/li>\n<li>Incident response and cleaning up.<\/li>\n<li>Human factors.<\/li>\n<\/ol>\n<p>Beyond the panel discussion, some of the work that caught my attention included:<\/p>\n<ul>\n<li><strong>Kinectasploit.<\/strong>\u00a0 Jeff Bryner presented my favorite work of the weekend, on \u201clinking the Kinect with Metasploit [and 19 other security tools] in a\u00a0<a href=\"http:\/\/p0wnlabs.com\/defcon20\">3D, first person shooter environment<\/a>.\u201d\u00a0 I have seen the future of human-computer interaction for security analysts \u2014 it is Tom Cruise in\u00a0<em>Minority Report<\/em>\u00a0\u2014 and the work on Kinectasploit is a big step in us getting there.<\/li>\n<\/ul>\n<ul>\n<li><strong>Near field communications insecurity.<\/strong>\u00a0\u00a0<a href=\"https:\/\/twitter.com\/0xcharlie\">Charlie Miller<\/a>\u00a0(\u201cAn analysis of the Near Field Communication [NFC] attack surface\u201d) explained that \u201cthrough NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts, office documents, even open up web pages in the browser, all without user interaction. 
In some cases, it is even possible to completely take over control of the phone via NFC, including stealing photos, contacts, even sending text messages and making phone calls\u201d and showed a live demo of using an NFC exploit to take remote control of a phone.<\/li>\n<\/ul>\n<ul>\n<li><strong>Operating systems insecurity.<\/strong>\u00a0 Rebecca Shapiro and Sergey Bratus from Dartmouth made the fascinating observation that the ELF (executable and linker format) linker\/loader is itself a Turing-complete computer: \u201c[we demonstrate] how specially crafted ELF relocation and symbol table entries can act as instructions to coerce the linker\/loader into performing arbitrary computation. We will present a proof-of-concept method of constructing ELF metadata to implement [Turing-complete] language primitives as well as demonstrate a method of crafting relocation entries to insert a backdoor into an executable.\u201d\u00a0\u00a0<a href=\"http:\/\/www.cs.dartmouth.edu\/%7Esergey\/langsec\/papers\/Bratus.pdf\">The authors\u2019 earlier white paper<\/a>\u00a0provides a good introduction to what they call \u201cprogramming weird machines\u201d.<\/li>\n<\/ul>\n<ul>\n<li><strong>Wired communications insecurity.\u00a0\u00a0<\/strong>Collin Mulliner (\u201c<a href=\"http:\/\/mulliner.org\/security\/pmon\/mulliner_pmon_2012.pdf\">Probing mobile operator networks<\/a>\u201d) probed public IPv4 address blocks known to be used by mobile carriers and found a variety of non-phone devices, such as smart meters, with a variety of enabled services with obtainable passwords.<\/li>\n<\/ul>\n<ul>\n<li><strong>Governmental infrastructure insecurity.<\/strong>\u00a0 My\u00a0<a href=\"http:\/\/blogs.computerworld.com\/cybercrime-and-hacking\/20766\/def-con-how-hack-all-transport-networks-country\">next-to-favorite work<\/a>\u00a0was \u201cHow to hack all the transport networks of a country,\u201d presented by Alberto Garc\u00eda Illera, where he described a combination of physical and 
electronic penetration vectors used \u201cto get free tickets, getting control of the ticket machines, getting clients [credit card] dumps, hooking internal processes to get the client info, pivoting between machines, encapsulating all the traffic to bypass the firewalls\u201d of the rail network in his home country.<\/li>\n<\/ul>\n<ul>\n<li><strong>Aviation communications insecurity.\u00a0\u00a0<\/strong>There were\u00a0<em>three<\/em>\u00a0talks on aviation insecurity, all focused on radio transmissions or telemetry (the new\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Automatic_dependent_surveillance-broadcast\">ADS-B standard for automated position reporting<\/a>, to be deployed over the next twenty years) sent from or to an aircraft.<\/li>\n<\/ul>\n<p>Last year I tried to attend as many talks as I could but left Vegas disappointed \u2014 I found that there is a low signal-to-noise ratio when it comes to well-executed, well-presented work at these venues.\u00a0 The \u201ctakeaway value\u201d of the work presented is nowhere near as rigorous or useful as that at research\/academic conferences like\u00a0<a href=\"http:\/\/jlg.name\/blog\/2009\/11\/ccs-2009\/\">CCS<\/a>\u00a0or\u00a0<a href=\"http:\/\/jlg.name\/blog\/2012\/02\/ndss-2012\/\">NDSS<\/a>.\u00a0 But it turns out that\u2019s okay; these venues are much more about the vibe, and the sharing, and the inspiration (you too can hack!), than about peer-reviewed or archival-quality research.\u00a0 DEF CON in particular provides a pretty fair immersive simulation of living inside a Neal Stephenson or Charlie Stross novel.<\/p>\n<p>This year I spent more time wandering the vendor floor (Black Hat) and\u00a0<a href=\"http:\/\/toool.us\/\">acquiring skills in the lockpick village<\/a>\u00a0(DEF CON), while still attending the most-interesting-looking talks and <a href=\"http:\/\/www.wynnlasvegas.com\/Shows\/LeReve\/Photos\">shows<\/a>.\u00a0 By lowering my \u201ctakeaway value\u201d expectations a bit I ended up 
enjoying my week in Vegas much more than expected.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I returned to the blistering dry heat of Las Vegas for a\u00a0second year in a row\u00a0to attend Black Hat and DEF CON. The most interesting talk to me was a panel discussion at Black Hat that provided a future retrospective on the next 15 years of security.\u00a0 Some of the topics discussed: What is the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[]}