
Bsides Asheville Information Security Conference 2015

BSides Asheville · 8:19:32 · 9 views · Published 2018-04 · Watch on YouTube

About this talk
The 2nd BSides Asheville Information Security Conference was held at the MoJo Coworking space in downtown Asheville on June 27, 2015.

Transcript [en]

My hands are up. I'm finished with my presentation. We're ready to do it now. Are we good? Yes, sir. All right, cool. Hi. Hey, first of all, thanks to the BSides team here for having me. It's always a pleasure to get with smart people, share ideas. Usually when I talk, I kind of do a little bit of interaction. So don't feel awkward when I call you out. I'm like a stand-up comedian. So the first thing I had to do last night, we had to do a barbecue challenge.


It actually helped me take the whole product thing, create my own product, to the next level on the technical level. What can I do technically? But the other interesting thing I learned was I actually learned a lot of business in a different world. It actually helped me take a whole business. And now I know society, security, and now I know in some organizations even defenders...


I just moved recently, I wasn't this organized on contents and all that stuff. The funny thing about hackers is this, and this is what's funny, it's not funny about the OPM case, but attackers don't actually write down the stuff that they're stealing off your network, right? Who figured, right? It would be nice if they said, hey, I just stole your SF-86s, I just stole this, I just stole that. Attackers don't do that. The truth is attackers, what do they do? They box it up, but usually they encrypt it, right? They'll RAR it or whatever. That's what most of them do. I mean, nobody uses RAR except for attackers. It's not funny about the OPM case. It's funny, right? So they zip it up, they encrypt it, they RAR it, they encrypt it. So most of the time, I actually kind of laugh sometimes when I hear people saying, they stole this, they touched that, blah, blah, blah, because they don't know. I'm not gonna know what they do. So, you can use

a text, tar file, going on here that way. Most of the time, I think that's where, you should be able to do that, right? A lot of people can't do that. What's funny about that is that there was a deal with the contract done a couple years ago. Pretty much find everything they can.

This actually was a program the NSA ran and actually they had free training back in the day. So one of NSA's core missions is to prevent people from intercepting US companies while absolutely pwning everybody else, too. It's an awesome mission, right? So the information assessment methodology tells a business to actually use, and they actually use the CIA methodology, the confidentiality, integrity, availability, to actually assess your organization and enforce the proper controls. I think a big problem with this whole XP and I's and people getting totally owned is because they don't know what to protect. So, and a good example of this is if you're a medical company, I mean if you're a hospital for instance, what's the

most important thing in that hospital? So is it the confidentiality of hospital records? Is it the availability of them? Or is it the integrity of them? I would personally say in order to save lives, confidentiality probably is not the top priority for a hospital because they need to have the, they need to have availability, they need to have the right data, prescriptions or whatever, and they need to make sure that those prescriptions don't get changed.

kind of thing, but the information assessment methodology tells you to, okay, cool, your primary security mission should be the integrity of the data and availability of the data. And you can apply that, and it's still out there, all the documentation and stuff, but I think they discontinued that training for their reasons. But it's definitely money, because that's actually how you kind of like fight this whole, you got to fight the battle and you have to have a plan. You can't protect everything, that's why we're losing. So this is where it comes down, right? So an idea, this is a two-fold. People talk about intellectual property all the time. I'm gonna ask a question, what is intellectual property to someone in here? Can you

give me an example of it? Secret sauce. Secret sauce? Secret sauce, like what? A specific example.

Formula to Coke. Your code. My code. Your proprietary source code. Source code. Proprietary encryption. Acquisition, mergers and acquisitions. Oh, I like that. Mergers and acquisitions. That's a really big one right there. Right? It could be as small as payroll data. It's not really intellectual property per se, but you don't want to reveal it to the internet. Yeah. It could be something that you've developed that is either trademarked or patentable or patented, that is some new idea that you want to make sure that nobody else can replicate, thereby stealing your profits from your wallet. All right, cool. Implementation, I love this. This is good stuff. Because a lot of times we don't think about it. That business stuff is more important than your actual

product, idea, or whatever. And I'm going to break it down to you in the next couple of slides. Actually, like all the stuff that you do on your network and protecting your network and all that stuff, it's just a speed bump because eventually they're gonna actually get in and they're gonna do something, right? It's just a speed bump. Also, if somebody, anytime we release a product over here that's worth anything, if the Chinese manufacturers or whoever else is coming in, right, if they don't get the data, they're just gonna reverse engineer it anyway. It's a speed bump. So maybe they get it six months before you release it, but after you release it, they ship one to China and they reverse engineer the whole thing. So it's gonna

happen anyway. This kind of data, like Salesforce data, this is the kind of information that I would be after if I was an attacker. This is the kind of information, if I'm an overseas competitor, this is what I want. I want your Salesforce data. It's gonna have a lot of stuff in there. it's gonna have your customers in there, right? So if I build a similar product to you, I'm gonna be actually looking at, okay, cool, who's their customers, right? And I'm, so, you know, who's their leads, right? How are they getting people to the registers and pay for stuff, right? That's actually more important than the actual product itself, because if you don't sell the product, who cares? So, really awesome

story. I was in Norway doing a security training thing. So this guy comes up to me and he asked me for advice because everybody thinks something like cool or something, I guess. He asked me for advice. I guess he thought I knew what I was talking about. So he's like, hey, this competitor keeps on undercutting us on bids. I'm like, what do you mean? He's like, all right, we send them a proposal. And some of these proposals are, we're like sole source. They didn't ask for any other solicitation. And somehow they found out about the bid and somebody else comes in and undercuts them. And so every time they did a bid, they actually did fake bids on stuff

and somebody in that, and they were trying to undercut the fake bids. And they were like, oh snap, like what's happening here? And so I thought that was probably an insider or something like that. It could have been somebody, but the moment there is like, dang, maybe you should have like, and how they try to catch them is they try to issue their salespeople like, all right, boom, here's this bid, here's this bid, here's this bid, fictitious bids, and try to see which one will come back. Never heard from them, but that's absolutely insane. So that's actually, that's kind of like what this whole espionage thing is really about. It's about

actually making money. It's not so much about the ideas, because truth be told, There was somebody executing the same idea all over the place. There's a million hospitals, there's a million startups, there's a million, all these people doing the same stuff.

There are several people trying to do what I'm doing, yes. Yeah, that's it, you gotta do it better than everybody else. That's the mitigation. technical difficulties. Am I good? Yeah, we've been good for a while. All right, because it just worked out and dropped me. We had a little audio clip, so you could sound good for a while. All right, cool. I lost control of what I'm doing over here, though.

Oh my God.

Yeah, it totally jacked up PowerPoint. You need OpenOffice. You know what I'm saying? That's like oil and water, right? Microsoft and Mac.

in the last few years, they're better. All right. So that's it. Like, like with Salesforce, if I get into your Salesforce and people talk about the cloud stuff all the time, but most of the time they talk about cloud is they, they talk about running your software in the cloud and all that stuff. I think it's way more important than like, like, wow, somebody get into my Salesforce. They'd have all my customers. They're going to have all my potential leads. They're going to know what bids are. They're going to know the leads, hot or cold. They're going to know all that stuff. And so this is stuff I learned trying to sell software, right? Like

it's like, wow, that's a different way to look at it. And as Josh said, they're gonna know your financials and all that stuff. So if you're a publicly traded company, the cool thing about that is that there's actually a market that will develop if it's not, and I'm pretty sure that this is going on already. They're gonna be able to trade futures, stock and all that stuff. And even we've said at one point that he wants to create a company called Troll, what, Troll LLC or something. we were talking about doing that as like of a hedge fund kind of situation for when somebody's breached or whatever. But the truth is like the people that

are actually doing this, this really like corporate espionage type stuff, they can actually resell this data and you will never know where the data came from, right? They just say, oh, I have a good hunch. And once somebody, if somebody proves that they have good hunches, quote unquote, they're gonna make a killing. So that legit data, I mean, that stolen data is gonna be in turn used to make money. That's where it's going and I'm pretty sure that it's already going on. If you look at some of the, if anybody that bids on a contract related to China, they get owned. I've seen an article saying that China is using that information to actually do bid, to get people bidding

wars and drive price down. But the truth is like, Companies pay for leads all the time, like lead gen, and so how do you know where that data's coming from? You feel me? How do you know? I think there's definitely a market for laundered data. Bidding information, things like this. Who uses Box or Dropbox? Anybody use these? Right? So the problem again is, it's not necessarily your software, none of that stuff, but once they get on here, How do you know when they're logging in? You lose some kind of control. I'm not saying don't put stuff on Box or Dropbox, but if one of those companies get owned, all your data is definitely gonna be out there, right? And so it's just coming to reality like, okay, cool.

Then what? Like, what's the worst that's gonna happen then? GitHub. A lot of people write software. There's private GitHub. People use these things all the time. And most of the time when people talk about IP, they are talking about code or whatever. The thing is, these people, everybody's going to get owned. And when they do get owned, you're going to find out. So you can actually do a Google search for who's using Dropbox, because they like to brag on who's using them. You can say, who's using GitHub? And you'll find a page. There's a lot of government agencies using GitHub. I mean, I don't know what they're using them for. What if somebody compromised some government organizations,

GitHub, changed some stuff, whatever, and then submitted it back to the repo. And then the next time they do a push, boom, they push the bad stuff up there. Stuff like that can definitely happen. Because

that's the kind of stuff that's like, wow, this is really getting crazy with all this outsourcing stuff. It's not gonna change, there's nothing you can do about it, Just realize that that's a possibility of stuff that's probably gonna happen in the future.

Anybody use Slack? So people use Slack. Slack again is one of those things, Slack got compromised a little bit ago. So they're gonna have not only, they compromise you, they're gonna have access sometimes to your corporate communications and such. And the big thing that's coming up I swear, this is it. This is a laundromat. So many people have been compromised by so many different events now. I'm not sure if it matters even if people get compromised again. Like, OPM got compromised, banks got compromised, healthcare they got compromised. And then every time, like, oh my God, they're gonna have all this data. They already have the data. Like, the only thing that OPM probably revealed was stuff like

affairs, you know, sexual preference, stuff like people, stuff that can embarrass you, but most of that other stuff is already out there on the internet. Somebody already has it. It's too many, it's been too many dang breaches, right? And what, how do we, how do we, what do we do about it, right? I think, and this is like an international criminal court logo, but it's like international law has to kick in at some point. And so, and I think that the U.S. would be best, instead of talking about cyber war and all that stuff, I think we need to pursue these things in international courts because that's the only way you're gonna be fighting for

like if you have a patent on something or somebody totally ripped you off, you're gonna have, that's actually a legal fight. So we're gonna have to have countries like China really cooperate with us on things like that. And I don't think it has nothing to do with cyber at all. I think you have to protect as long as you can and then you have to classify data, protect as long as you can, But the data is definitely going to be compromised at some point. I'm not saying defeat us. I'm not saying we're an Infosec defeat us or anything. The data is going to be compromised and we have to be able to find out, okay,

what's next, business? Everybody's talking about OPM right now. It's like, man, there's so much going on, bro. Like in general, it's ridiculous. But as a business, what we have to do is we have to think, what's the worst case scenario, let's classify stuff, and when is stuff perishable? Because we have to set perishable stuff. For instance, if I have a big marketing campaign kicking off from a software company, I want to keep that under wraps, but as soon as I launch it, I don't care about it no more. But what's happening is, they launch it and they're still protecting it just like anything. You gotta say, okay cool, this is totally unclassified right now, we don't care. It's not business confidential

anymore. So this book is absolutely awesome. Anybody ever seen this book? Man, this book will change your life. It changed my personal life and it changed the way I look at InfoSec. Because the whole thesis of this book is assume the absolute worst that's gonna happen. and then work back from there, right? I think we have the opposite of it. You like the book? And you prepare for the worst case scenario, there ceases to be a worst case scenario. The fact that you prepare for it. Yeah, so that's how I think the security personnel and security groups need to, like look, we wanna protect as much as we can, but assume the worst. If we have

a total massive breach, this is how we're gonna respond. All right, and I'm talking about from a business level down to the PR, down to the media, down to whatever, corporate comms, I think you should have a canned letter ready to go for when you get owned. And by having a good technical controls and good technical systems and IDSs, IPSs and all that stuff, you can do a great incident response to get them out of your network. and then you have to start over again. In military, we practiced on a ship, I was on a destroyer, we had emergency destruction procedures. Like if our ship ever sunk or something like that, and there was actually some shipmates of mine when I was at Fort Meade, you

remember when the P3 went down in China? So in the military, we assume that once a device is in the hands of somebody else, It's completely compromised. Game over. And so the same thing with something on your network, and this is what makes me laugh about us, what we call stunt hacking, is like, if I have a medical device and I completely control the medical device, of course I should be able to hack it. Because that's just the way it is. In the military, that's how we think. It's all over. What do we do now? Do we do, we gotta issue new crypto. We might, heck, if they get the crypto gear, we have to, obsolete their crypto equipment. That's how

it goes in the Navy. Like hardcore Jurassic like that. So this book, I highly recommend you read it. It actually, to be real, you can actually listen to it on YouTube. You can actually do an audio book on YouTube. Just pull it up, type that in, and you can listen to the audio book. It's probably highly illegal or something, but you need that in your life. So, uh, that's probably not a felony. Maybe a misdemeanor. But whoever uploaded it, that's their problem. All right. So, uh, here's a little bit about VThreat. Gage is back in the pink shirt. Very manly in the pink. I can't tell. Salmon, right?

All right, so. There's only 16 colors. Yeah. All right, so VThreat, you can follow us at VThreat. Mark is every thread, my email address, that's me on Twitter. People say I'm hilarious, some people hate me on Twitter, but I have fun. And also we have a little bitty table back there. Come back, we'll show you what we're doing with our product. That's it, hey, thanks for listening. Any questions? Yeah, I got a quick question. I'm under some contact with so many reaches of politics that I have to touch on.

We're going to shortly, not too long from now, start seeing a world where people start developing their own OPSEC and start putting out, you know, there might be marketplaces for this, try to put out information that is incorrect as far as their PII, just to see that. You see what I'm saying? I can actually see that maybe being an endgame here, that there actually starts being maybe even businesses that will put out incorrect information, PII, about you to confuse these people. It is happening. All major banks and financial institutions purposely salt out bad information and they purposely inject in phishing pages, phishing pages, and things like that just so they can try and track down the sources. So it absolutely already is happening. Yeah. So another thing is

like, and I always thought like stuff like that, if I were like in the Intel game stuff, I was like affiliated with any kind of intelligence agency, I would totally like Pastebin, all those different things. I would totally own all those. If I was military, I would put a, I mean, there's so many things I would do if I was still in the Intel game and stuff like that. I love that stuff. A couple of years ago, I released a tool called HoneyDocs, to have the dig, huh? Yeah. So HoneyDocs was something I built to do callbacks. People can download a document. If somebody breached it, you just put it on the server, and it would dial back. It would

call back home and do geocoordinates for anybody to open up the document. That's something I did a while ago. And actually, there was a company that claimed to have invented it. And when I called them on it, they're like, oh, well, you know. So in this game, in the security game,

And like the biggest threat to any business is somebody, like I said, it's the business process. Like anybody would tell you, anybody watch the show called The Profit? Anybody watch that show? Man, yeah, I love that show. Like it's on MSNBC. And if you look at that, he said that any business is based on three things. He talks about people, process, and the product. Like the product, anybody can clone your product, it doesn't matter too much about patents and all that stuff, anybody can deliver the product you have. So what you have to do is, you have to have the best people and you have to have the best process. That's how you win the cybersecurity game. It's not about, that's it. And

remember that we help the business execute by protecting our data as long as we can. And that's what I did in the military. I protected this data as long as I could so troops could get out there and fight the war. So the same thing with the information security people, protect it as long as you can so your company can execute its plans. And that's how you fight cyber-espionage. That's how you, in general, that's how you fight the infosec battle. Any other questions, comments?

So we talk about protecting software and platform and hardware, but don't you think we should be protecting the behavioral patterns of the users themselves more importantly, considering that 90% of your breaches originate from people? Shouldn't we be worried about who's using the key rather than what key was used? An example, Snowden, once again, compromised a bunch of systems. He had legitimate user names and passwords for these users. None of the systems would have caught him because he would have set the profile and said, yes, he had authentication rights, rather than looking at a behavioral pattern that here's somebody using this authentication and originating from a network segment that it shouldn't have been there. So I

guess my question is, why don't we focus more on the behavioral processing of the users rather than just the data? Well, first, let me answer it, and then Josh can. It's kind of a trick question because that's what we built. Yeah, yeah. So on that, I see a lot of people that are, that's definitely Did you go to RSA? Yeah, so that's actually a major, major movement.

Yeah, yeah, so that's a major movement. People are doing behavioral analysis, and that's right. So if somebody has legit credentials, they're coming from Hawaii, in Snowden's case, they're accessing something that's in Fort Meade, or something in San Antonio, or something in Georgia, yeah, that should be a red flag, right? Yeah, so behavioral, but again, log all the things, right? You have to have the logs, and you have to be able to execute. You have to have a good process in place, right? And it's all about process, and tools, software can definitely make that easier, right? So yeah, just have a good process to do that. Yeah, that's basically the same idea. The problem is people suck at being consistent. You can baseline them to hell and back, but will they be consistent about their behavior, or will you be chasing false positives all day long? So the question is process and behavior. It's not just a behavior. It's not just a process. So even like in the Snowden case, Snowden actually, if I think about the behavior to myself, if I think about it, he's in Hawaii. That's like at least... probably an eight hour time shift from the east coast or something ridiculous like that. I lived in Hawaii, I was stationed at Fort Meade. So, I mean, I was stationed at Pearl Harbor on a ship. So, that's an

eight hour time shift, right? So, if he's using credentials in Fort Meade, like, it has to be some kind of analysis saying, look, this person's logging in, this person's usually a day worker or whatever at the fort, right? Their hours are right here, we have somebody that obviously Snowden would have been, I don't believe he was that smart to go in on off hours or nothing. I don't think he would have been doing that. But there should have been something. I'm telling you right now, I know from experience that there's different shifts, right? So in some of the stuff he would have been accessing, that stuff, that wasn't like 24-hour shift type people. Like there's only a couple of people at the fort

that work all the time. Those are SOC type people and all that stuff. Rest of everybody works during the day. All right, cool. All right. We can have a conversation later. So the hard part of this talk was, sometimes I don't know where I learned certain information from. So if I would have learned it from my old life, I'd say I better not include any of that stuff in this talk. So yeah, so there's a lot of cool stuff going on at the fort. I believe at the end of the day, I think that they're trying to do the right thing. But sometimes money gets in the way, like contractors and stuff. So that's kind of pretty much what I think about

Fort Meade. We good? All right, appreciate you guys. Thanks for coming out.
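The Q&A above argues for baselining user behavior (source location, working hours, shift) on top of credential checks, while warning that a single deviation produces false positives. The following is an added example, not the speaker's code or any VThreat product: it builds a per-user baseline from constructed auth events, scores new events for three indicators (new source region, off-hours login in UTC, region change faster than a travel window), and only raises an alert when at least two indicators fire. Event records, user names, hosts, regions and thresholds are all constructed assumptions for the illustration.

```python
"""Baseline-deviation login detection over constructed auth events.

Added example for this transcript page; not the speaker's code. All records,
names, regions and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed baseline (training window) events:
# (user, ISO-8601 UTC timestamp, source_region, target_host)
BASELINE_EVENTS = [
    ("analyst1", "2015-06-01T12:05:00Z", "US-East", "fileserver-ftm"),
    ("analyst1", "2015-06-02T13:10:00Z", "US-East", "fileserver-ftm"),
    ("analyst1", "2015-06-03T15:40:00Z", "US-East", "wiki-ftm"),
    ("analyst1", "2015-06-04T17:20:00Z", "US-East", "fileserver-ftm"),
    ("analyst1", "2015-06-05T21:55:00Z", "US-East", "fileserver-ftm"),
]

# Constructed events to score, in arbitrary order (detect() sorts them).
CANDIDATE_EVENTS = [
    ("analyst1", "2015-06-29T14:00:00Z", "US-East", "fileserver-ftm"),   # normal
    ("analyst1", "2015-06-29T23:30:00Z", "US-East", "fileserver-ftm"),   # late, same region
    ("analyst1", "2015-06-30T03:30:00Z", "Hawaii", "fileserver-ftm"),    # new region, off-hours
    ("analyst1", "2015-06-30T15:00:00Z", "US-East", "fileserver-ftm"),   # normal
    ("analyst1", "2015-06-30T16:00:00Z", "Hawaii", "fileserver-ftm"),    # region jump in 1h
    ("contractor9", "2015-06-30T16:30:00Z", "US-East", "wiki-ftm"),      # no baseline
]


def parse_ts(ts):
    """Parse the fixed 'YYYY-MM-DDTHH:MM:SSZ' form used by the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events):
    """Per-user set of source regions and set of UTC login hours seen in training."""
    baseline = defaultdict(lambda: {"regions": set(), "hours": set()})
    for user, ts, region, _host in events:
        baseline[user]["regions"].add(region)
        baseline[user]["hours"].add(parse_ts(ts).hour)
    return baseline


def score_event(event, baseline, last_seen, hour_slack=1, travel_window=timedelta(hours=2)):
    """Return the list of indicator names that fire for one event.

    last_seen is mutated: it records (time, region) of the user's latest event so
    that a region change faster than travel_window can be flagged. The hour window
    is min..max of baseline hours plus slack; it assumes the window does not wrap
    past midnight UTC (a simplifying assumption of this example).
    """
    user, ts, region, _host = event
    t = parse_ts(ts)
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        reasons.append("no_baseline")
    else:
        if region not in profile["regions"]:
            reasons.append("new_source_region")
        lo = min(profile["hours"]) - hour_slack
        hi = max(profile["hours"]) + hour_slack
        if not lo <= t.hour <= hi:
            reasons.append("off_hours")
    prev = last_seen.get(user)
    if prev is not None:
        prev_t, prev_region = prev
        if prev_region != region and t - prev_t < travel_window:
            reasons.append("rapid_region_change")
    last_seen[user] = (t, region)
    return reasons


def detect(events, baseline, min_indicators=2):
    """Score events chronologically; alert only when enough indicators coincide.

    min_indicators=1 would alert on every late login, which is the false-positive
    churn the discussion warns about; requiring two keeps the noisy single hits out.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e[1]):
        reasons = score_event(ev, baseline, last_seen)
        if len(reasons) >= min_indicators:
            alerts.append((ev[0], ev[1], ev[2], ev[3], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, region, host, reasons in detect(CANDIDATE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"ALERT {ts} {user} from {region} -> {host}: {', '.join(reasons)}")
```

Run stand-alone it reports two alerts: the 03:30Z login from a region never seen for that user during off-hours, and the US-East to Hawaii jump within an hour. The lone 23:30Z late login and the user with no baseline are scored but not alerted, which is the point of requiring indicators to coincide; lowering `min_indicators` to 1 surfaces them too.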

We're starting back up at 1025. We've got Bill Gardner up next. So take a few minutes, grab some Zona, grab some coffee.


Security practitioners need to start talking to people outside of our community, outside of the bubble. And this is an attempt to do that. So if you want to be on Reboot It, let me know. I call Reboot It a security podcast that my mother could listen to. So we don't do a lot of talking about locker room jokes, don't talk a lot about cigars or drinking, nothing against other people who do, but we're not your average podcast. Please check it out. So what's a profession? A profession is an occupation that involves prolonged training and formal qualification. Is InfoSec a profession based upon this definition? It could be. I think it's becoming that. And I think we're moving from, I hate to use the word paradigm,

the next thing I'll be talking about is thought leaders, but we're moving from one... yeah, we're gonna get to cyber later, drink. Wait a minute, I can't say cyber and then tell you to drink, can I? We're moving from a time where, you know, hackers, I'd self-identify as a hacker, people who work in InfoSec were self-taught. You know, I was a system administrator for 20 years. I have degrees in political science and journalism, which makes me perfectly qualified to teach digital forensics, right? Well, we're just moving into a time where we have formal education in things like information security and digital forensics. So it's a brave new world. So what I'm gonna talk about today is how we're becoming more of a profession and

how that's changing, and some of the things that we probably need to leave behind, and some of the things that we need to think about. So what's the difference between education and training? Well, training is basically the sort of hands-on stuff, you know. Training in the past was things like you wanted to become a plumber, so you followed another plumber around until you figured out what you were doing, and then you credentialed as a plumber, right? Probably still to this day, I mean, there's no formal education to becoming a plumber. If you were a craftsman in the Middle Ages, if you were a cooper, made barrels, you know, you learned it through an apprenticeship, and that's sort of

where we are in information security. I think we're moving to a time where it's more about education. We're a young industry. The personal computer is roughly 30, 40 years old. I think I miscalculated that. Apple, the Apple One, if you want to call that the first personal computer, is what, 1976? It's a little bit more than 30 years. You know, the non-academic internet came into being, the internet that we can get on thanks to Microsoft and Windows 95. We finally got on this thing called the internet, this commercial internet which sprung from the military and the research community. So 1995, who was born in 1995? Anybody? Are you all as old as I am? I hope not. So I mean there's people who are as old as the internet, but yet

the internet is relatively new, right? First SchmooCon, well, first DEF CON 1993. First SchmooCon 2005. First DerbyCon, which seems like it's gone on forever,

2011. First BSides in Asheville last year. We're a young community,

and breaches get bigger. We suck. How many records have been lost? And this doesn't include the recent OPM, OMP, OPP, okay, thank you, OPM hack or breach. Use the word hack when talking about breaches. So that's a lot of records. Are we getting better or getting worse? A lot of people say we're getting worse. So we need to find a way forward. There was a lot of drama over the Sony Entertainment breach. And I think there still is. There are people who are getting paid a lot of money, I call it the cyber, industrial, and military complex, who are getting paid a lot of money to tell the government things that I don't know are particularly things that the US government should be using to make foreign

policy decisions on. And then there are people inside the community who looked at the Sony breach and said it's not North Korea. Marc Rogers is an example of that, and some other people. But we need to find a way forward. How do we become more mature as a... So, education. The difference between training and education: training teaches you to do a specific thing, right? Education is a lifelong process. We have formalized education in the United States because we pay taxes to have schools, right? We go through that and then we go to universities and colleges that sort of teach us how to do a job. But most of the time when you're done with

a college degree, you're not gonna go out and say, hey, I can do this job. What education does is it makes you trainable. And it exposes you to a world beyond just what you would do if you were learning through training. So how did you become a lawyer in the 19th century? Abraham Lincoln became a lawyer by reading books and following another lawyer around. He was an apprentice, right? Well, nowadays, Johnny Cochran went to law school. You didn't have to follow another lawyer around and read a bunch of books. So it became more formalized. How did you become a doctor in the 19th century? Well, another doctor told you how to use leeches and bleed

people in order to make them better. Nowadays, we have formalized education. So if we're going to become a profession, we need to move from being self-taught, from apprenticeships and training, to formal education. And this talks about some of the different things I was talking about: self-learning. I'm a self-taught hacker. I mean, I got an OSCP, which is training, but a lot of it, thanks to the magic of Facebook, is that I can talk to a lot of really smart people out there: Facebook, Twitter, YouTube, free resources. You can learn all kinds of really cool things about how to use different tools using YouTube. There's training out there we can take: Offensive Security, which I mentioned. The OSCP, even though it was the hardest thing I've ever done, and

it wasn't cheap, it was the most rewarding thing I've ever done. I can't speak highly enough about it. Then we've got Black Hat training. Black Hat and DEF CON are coming up here in a couple of weeks, where you can pay a lot of money to get some very good training. And then we have education. Like I said, it's lifelong learning, formal courses of study. Is anyone in here currently involved in infosec education? Are there students or professors?

So what's the future? We're changing. We're a changing community, a changing profession.

We all want to be penetration testers because we want to be cyber ninjas and break in and stuff and steal things. But InfoSec is more than just penetration testing. It's blue teaming. It's system administration. The easiest penetration tests, the easiest assessments, that I've done have been misconfigured networks. You walk in with default passwords. Those sorts of things, you're going to have to start baking... we need to bake security into our processes. Developers are part of the InfoSec community. As well as building tools, they also need to move toward more secure coding. Does anyone have a political science... I mean, a computer science background? Did you learn secure coding?

Right, that's what I'm saying. We need to teach everyone secure coding.

I think that you should at least... my own personal opinion is, if you don't learn secure coding in a university setting, you should learn it whenever you go to get a job. And it's just something that we need. This has to be a holistic approach. It can't just be penetration testers against network defenders. Most of the time, when you show up for an assessment, they think you're there to get them fired in the first place. I've had some very interesting conversations with blue teamers, where I show up to do an assessment and they're basically sitting around sharpening up their resumes, because I think they think I'm there to get them fired. And then you have to tell them, no, I'm here to help you.

And usually it works out in the end. But we can't go around dropping 0-days and being cyber ninjas all the time. We have to be more well-rounded. And part of being more well-rounded is education, once again.

We also need to set up standards, and I think the PTES is an excellent example of a standard, the Penetration Testing Execution Standard. So a bunch of luminaries in our field got together and said, these are the different things that compose a penetration test, because there were people selling Nessus scans as penetration tests and charging tens of thousands of dollars. PTES really sets up a standard, a formalized, codified standard, that either people who are doing penetration testing or people buying penetration tests can go look at and say, this is what I'm buying, or this is what I'm being sold, and these are basically the different steps. When I teach my classes, when we talk about penetration testing, we use the PTES. We go

through the entire PTES standard. We go through the technical guidelines, and we follow the steps of the PTES, all the way through, all the way from OSINT, Open Source Intelligence, or Pre-Engagement Interactions. We actually talk about, how do you scope a penetration test? How do you charge for a penetration test? PTES addresses all that, all the way through reporting, which is the funnest part of a penetration test. How many people do you all know who are highly technical, who could go around dropping 0-days on everything and its brother, but can't write a report? Or they can't talk to management about what their findings are. And this, unfortunately, is a problem. So education

seeks to make people, practitioners, more well-rounded, better communicators, because guess what: if you're getting a degree in InfoSec, a degree in digital forensics, you're gonna have to take English classes, you're gonna take public speaking classes, etc. So that's going to make you a more rounded person. It's beyond training. PTES is an emerging standard. I really hope that we adopt PTES formally inside the community. I believe PCI DSS actually looked at PTES and said, hey, you know, this is something we can use in setting up our standards.

And it is suitable for an operational environment. This isn't just a 10,000-foot overview. You can put this into practice.

Accreditation processes. How do we accredit professionals? And I want to give Kevin Johnson a shout-out. A lot of what I'm talking about today is based upon one of his talks, I believe one that I saw recorded at BSides Orlando, and I am wearing the Professionally Evil

lanyard as a shout-out to Kevin Johnson. The CISSP isn't working. The CISSP is not a good measurement.

We need more standardized, meaningful standards. This was written at four o'clock this morning. We have a lot of certifications, but how many of those are worthwhile beyond getting you past the HR filter? I mean, I think the OSCP is a good certification for people who are technical, but it doesn't mean... well, you do have to write a report. But we need to move to a place where it's sort of a combination of CISSP and OSCP, right? It's both training and education, and those outcomes that result from training and education, where people are more well-rounded. You know, I know people... I've never taken the CISSP. I don't need it. I mean, I teach college. It's not really a requirement

for my job. Neither was the OSCP. But we need to move to a time where technical and non-technical people can come together, like the Coke commercial, and sing in perfect harmony. So education, formal information security education, is really seeking to move toward that point.

This is another thing Kevin Johnson alluded to, and I'm not sure how you fix this problem. Do we really want to license penetration testers? Exactly.

Exactly. Especially in the case of digital forensics, you're dealing with criminal activity. You may need... but what is there out there for... I mean, what is an example? Private investigator in some states? Yes. There's also...

Yeah, okay. We don't have it in West Virginia at all. I'm just trying to think of what else was out there. The people who give the CEH have a...

Yeah, LPT, CHFI. Yeah, so they've got a bunch of those certifications.

You know, I think that really has to come from a governmental organization. You know, the problem really is we don't want to break the paradigm even more in order to fix the problem. So I'm not... I don't have solutions. I'm asking the questions. And that's one where I don't know how we fix that problem. But you wouldn't hire an accountant that didn't pass... "accounts," once again, misspelled. I'm sorry. I'm going to stand in front of my misspellings. You wouldn't hire an accountant if he didn't pass the CPA exam, right? You're not going to hire a doctor that isn't licensed to practice in your state and hasn't passed all of the different medical exams. Yes, sir.

One of the things, just your example, doctors and lawyers: typically the majority of the work that gets done in a doctor's office is being done by a physician's assistant. Most of the work done in a law office is being done by a paralegal. That's true. And so could it be that... The media is talking about how there's a requirement for a tremendous amount of personnel for the mobilization in information security. And yet, if the solution is a four- to six-year program of licensure in order to get people in place, you're running way behind. And

to say that, for instance, if you're going to build a thousand-foot skyscraper, you're going to need plumbers, but you're also going to need laborers. You're going to need people that are going to be able to fit pipe and do those menial tasks. And you can find these people now. And that's not necessarily the thing that requires a four- to six-year degree. Right. I understand. Let me say one thing. I use these as examples. We're not here now. This is what we should strive for over the next 10 to 20 years.

For information security to become more mature, to become a more professional profession, we need to look at things like credentialing. And I think that these are examples, sort of really high-level examples, we can look at. The other thing you were talking about was how in law firms most of the big work is done by paralegals, right? People who are... a lot without professional licenses.

You know, in the case of QSAs, you know, if you're doing a PCI audit, if you hire an organization that has a QSA that can review your work, you're good to go. And that's another example, perhaps, of accrediting in a profession. Maybe that's what we look at. We accredit organizations instead of individuals. But I don't have the answers. I'm just posing the question, and I think this is where we need to be, you know, 20 years out. It can't happen today. It's not going to happen today. Cultural change takes a long time. I'm just trying to set up the question. I don't have all the answers either. Goodness knows I don't have all the answers. So I'm just trying to pose the

question and sort of point to some solutions or a path forward. You got a question? I actually do, because this is a little close to home. My fiancée has a master's degree in psychology with counseling. And she's basically, because she moved states for the last several years, she's stuck in this licensing hell, which is basically: you need not apply. You're not welcome here. And the job that you have to have to get the hours to become licensed is not available to you because you're not licensed. And so I don't know that we actually want to create that same sort of situation in our industry. Well. There is a mix, though, because with law firms, certain types of law firms, let's say you do corporate law and things like that,

you can come from another state and you can't practice individually. Like in South Carolina, you can't practice law individually unless you pass the bar. But if you're a corporate lawyer and you have passed the bar in another state, if you go to work for an entity, that entity has a right and has an authorization by the state to perform law. So therefore, you're under their kind of... And that kind of comes to the question earlier that you had: how do you train everybody to go through six years? You don't. You find somebody who's going to be your lead forensics guy. You find somebody who's going to do each one of those tasks, and you

make them specialists. I mean, when you go to a doctor and you have a general ailment, you send out a general assessor who says, OK, this is your problem. That's what not a pen tester would do, but a general incident responder would do. And then they go back and say, OK, I need the wireless guys because this is a wireless intrusion. Or I need the guys who are going to do analysis on the databases. It's the same basic principle. And then you could start credentialing each one of those individually, and it won't take you six years. It'll go by much faster. I think that's a good idea, and it sounds like the situation that your fiancée

is in is just a broken licensing system, and nobody wants to create a system that's broken. I think that's the reason we need to start the discussion now about how do we do this? You know, is it going to be... if the CISSP is going to be the gold standard, I think that we need to change some things with the CISSP.

Are there any CISSPs in here, before I know that I am offending people? Sorry.

So who has a CEH? Any CEHs? So you know where I'm coming from, right? Any OSCPs? No OSCPs? I'm the only one. I'm the only survivor. So Security+, which is another one. A master's degree in computer science with InfoSec as an emphasis, but... Cool. Was that hands-on or was it theoretical? I did the policy track. Yeah. There was some hands-on, and it's a changing program. It was worth... it was worthwhile. There are a few of these popping up around. Which program? Georgia Tech. Yeah. Very good program. I went to James Madison when it was secure software. Also a very good program.

They changed it again, but it was software security. At Marshall we have different tracks. We have a computer science department that teaches engineering. And then we have Integrated Science and Technology, where we teach game development, application development, web development, digital forensics and information assurance, which is really hands-on. So it's really what you want to get. Really, what we need is a blend of both of them. And you can do that in four years, but I think that, once again, we're about two different fiefdoms that are not really talking to each other. We need to talk to each other. So they put us all in the same building. We're in a new building on Marshall's campus. My hope is, since we have

offices next to one another, we'll actually talk to each other. And we can move forward with maybe an InfoSec degree at Marshall, which we don't have right now. Does anyone have any questions before I go further on my rant? How much time do I have? Time? Dave Keene was so excited that he had these things, these cards. So step one is education. I think that we've entered a time where you really need to have a degree to be an InfoSec professional. Step two is hands-on skills. Everyone, including your CSO, should have some ability to understand what Nmap is. I was in a meeting recently where two guys got in an argument because one of them said, wait a minute,

I'm a CISSP, I know what a VPN is. Why... I mean, it's frustrating. And if you've ever dealt with a non-technical manager, you know. We've got people who spent 20 years on the help desk in government organizations who are suddenly thrust into these roles of being leads or CISOs or whatever they are, and they have no technical skills, and you're trying to talk to them about making sound decisions, and they have no idea what you're talking about. That needs to change. I can tell from the reaction in the back of the room that you all have been there. I think we all have. So education is... and we need some sort of formal education, I mean formal qualifications, credentialing, and we talked about

that. I think we started a conversation on that. Education is a lifelong learning process, and you need to keep your education current. How much do things change in InfoSec? All the time. So we already have certifications that require continuing education. This is true in other professions as well. Law: I worked for 20 years... we can keep talking about lawyers. For 20 years in a law firm, actually different law firms, they have very strict continuing education requirements in order to continue to keep their professional license.

I think that I talked about some of this before. I may have been repeating myself, but basically we need a blended approach. We need both education and training. Here's an example of the cultural divide inside of our community: we have suits versus hoodies, right? We've got people wearing the black hoodies who are highly technical. And then you've got the non-technical people, the people that like to throw around the word cyber a lot. We need to come together as a community. We need to come together as a community, or we're going to have further breaches. We're going to have continued loss of data. And I don't know how much worse we can get. We keep hearing about cyber Pearl Harbor. When did it happen?

Hasn't happened? It's probably been happening the entire time.

And for the love of God, quit using the word cyber before everything. I actually started a community on Facebook to eradicate the word cyber. Now, I was trolling. You can't put cyber in front of every word. I mean, cyber war is a thing. I actually teach a class on cyber warfare, very happily. But

you can't talk about cyber ninjas. That is not a thing.

What about cyber rock stars? Cyber rock stars? Not a thing. I mean, if you're talking to somebody in government, that's their word. That's what they use. That's their speak. But if we're talking to each other and someone starts saying cyber, cyber, cyber, I'm going to look at you like, are you trying to blind me with your cybers? You know, we've got it. My whole personal...

Josh is looking at me funny back there. My whole personal thing on the word cyber is that we have words that succinctly describe what we do, which is protect information. Information security is a perfectly good term. So to constantly throw this word around is confusing. It may be useful when talking to non-technical people, because they've heard it before, but for the love of baby Jesus, quit using the word cyber all the time. Does anyone ever watch Congressional... Huh? It's the same thing. I mean, I'm awful. I'm also on a program of basically rehabilitating the word hacker. So that's the first thing I ask in my classes: what's a hacker? And I try to take whatever bad connotation

they have and flip it on its head by the end of the semester. Because hacker is the same way. I self-identify as a hacker, the good kind, not the bad kind. And that's part of this too: mass media have latched onto these words, so it's just not doing us a lot of favors. We need to stop the drama. Yes, we have these great resources for talking to each other, Facebook, Twitter, but we fight with each other way too much in public. There's a difference between what Marcus does, which is call out people when they're being stupid or he doesn't agree with them, and fighting like children. We need to stop fighting like children. Doctors don't do it online. Yeah, they do.

They do it in journals. They do it in online communities. They do it in WebMD comment threads. I apologize, but I'm going to take account of that. Doctors do it. Accountants do it very quietly, because they try not to destroy their business. Right. That's what I'm saying. I'm saying that if we want... we can... I'm all for lively debate. I don't think that we should, as professionals, be having a lot of these fights. I mean, I've gotten into a lot of drama because of my fights, my trolling of people and them trolling me back, and it got personal. Or we've had disagreements before. But should we really be talking about that openly in a community, or can we just take that one-to-one? I think

that that's... I understand exactly what you're saying, but I also think this is part of this being such a young industry. I do think that we're all still trying to figure out things like, oh, gee, we're going to call ourselves professionals, okay, which side is that? That's not what I'm talking about. No, no, no. But no, there's a lot of issues like that. Right, right. That we're all still struggling with and trying to decide. That's fine. This is who we are. Trying to decide who you are, as an adolescent. I agree. Okay? So we're still in our adolescence. I think you're going to see this kind of drama. I think that's debate.

That's not drama. Okay. I don't know if you've ever... you've actually seen some of the drama that goes on. I think people get way too personal. They get into personal fights online in public, and I think that that's not helpful. And what you usually have to do when it happens with me, and I've gotten in... I got in a big fight with somebody online one time. And then I realized I was being a jackass, so I stopped. But it's happened both to me on Facebook and on Twitter. I think there's a point where you take debates that have gotten personal offline, or you take it to some place where it's not public. There's a lot of people, I mean, you

almost have to operationalize the term drama. And then some people just don't care. Drama usually starts out as a debate that becomes that common. Yeah, you're right.

I agree. Yes.

Yeah. Yeah, I think that's true, too. And I think, once again, it is us being a young industry. But, you know, I don't know. I think it makes us look shallow and pedantic. And that's also true of a lot of people who are system administrators: you can't tell me something I don't know, because I know everything. And unfortunately, some of these people move into our community, and they're just as bad here as they were. Foul language. I cuss, damn it, as much as anyone else, but when you're on Twitter and you're communicating,

how can... well, you don't go into a boardroom and say shit, or stuff like, yeah, we raped you today in a pen test. To me, that's a problem, and that's a problem, suits versus hoodies. People come in, you know, there's an element inside of our community that is a little antisocial anyway, and it's just not productive to sound like, you know, a high schooler when you go in and try to explain to people what you're trying to do and what you're trying to achieve, or the findings of your penetration test. We need to do better talking to people inside and outside of our industry, including journalists. I know whenever I'm interviewed for a story, I

try to be very succinct in what I'm trying to say. I don't use the word cyber. I try not to use the word hacker. I talk about online criminals. Acting like an adult online, which kind of addresses the foul language and the drama aspect. You need to be well-rounded.

Our profession will not move forward, and people will not take us seriously, until we become better communicators, or good communicators. And education is not training. Education produces better, well-rounded communicators. So that's my presentation. Does anyone have any questions? Yes, sir.

Perhaps more of a comment. Perhaps more of a comment, in that I disagree with your basic premise. If you're looking out at 10 to 20 years, I would question the viability of a separate infosec profession in the way people look at it now. If you're still hiring pen testers and people like that, the computer industry has fundamentally failed. If vendors are not building security in a meaningful way in 10 to 20 years, in ways that work with enough standards, well enough that they can interoperate and you can collect logs and join them from a bunch of different things, then it's just a losing proposition. As an industry, to come in and impose security on fundamentally insecure products is just not going to work. Well, I don't think that we'd

be... I think that, you know, security is guarding whatever makes a company money. So you're not really imposing as much as you're partnering with the business, the operation of the business, so that you help them, you enable their business process. And that's really what I'm talking about here as far as communication, being well-rounded: you need to understand how to talk to different people, not just people who are technical or people inside the community. And... What we do today, what needs to be done today, what you do working with the computing environment as it is.

Right, that's true. Well, the next 15, 10, 20 years time frame you were talking about, I think we need to be a fair... Okay. I agree, I agree. And I appreciate your comment. I mean, I don't know everything. Part of this is really starting a conversation. If you want to come on Reboot It, we can talk about this. That's cool. I think this is a conversation we need to have in public so that people understand. Yes. I'm an information systems major at College of Charleston. And how do we... we're just now starting to get into the security role. And I helped with that by creating a cybersecurity club and gaining interest among our students. But

how do we bring the security education piece to our university? Well, I think you're still doing... I think you're doing it right. I mean, here's the thing: not all InfoSec degrees are made equal. Some are way more technical. Some are way more 10,000-foot overview. So you're doing the right thing starting a club. Have you looked into doing CCDC? Yes. So actually, we were the only South Carolina team to make it to the Southeastern. Cool. Congratulations. I still haven't won with my team. We still haven't gone to regionals, because my kids' team seems to be focused on DF and the attack side of it, and they're not defenders. So, like, one of the first things they did was lock themselves

out by misconfiguring the firewall. So they were done in five minutes. You know, and I teach network protocols and network administration, so I'm sitting there going, okay, this is a teaching moment. So they got two weeks' worth of how to configure a firewall. So you're doing the right things. The other thing you can do, if you're involved in InfoSec education that you don't feel is technical enough: look at online resources. Part of being a hacker, the good kind, is asking questions and finding the questions on your own, finding answers on your own, not waiting for people to tell you things. And when you become a practitioner, there's a lot of things you don't know. Google is your best friend, and so I would say do that.

And then, if I know students, you won't have a lot of money. I'm a big fan of Offensive Security training. But look for opportunities. DerbyCon has training. There was training here last night. Did you take the Python for information...? No, I didn't get in. Yeah, but yeah, something like that. You can go to community events and get more technical, hands-on training, et cetera. So I highly recommend it. Yes, sir, you have the hat. What do you think about apprenticeships? I think they're great, because mentoring is very important. Mentoring in this community is very important. Mentoring and apprenticeships are not the same thing. Okay. Mentoring is a relationship with somebody who you go to for an occasional piece of advice. You can even talk on a fairly

regular basis. Apprenticeship is where you work with the person and you learn by doing with that person. They are effectively your junior partner. Yeah, that's part of the training piece, I think. We talked about apprenticeships before. Before you came in here, we talked about apprenticeships. They're useful, but do you think that they also teach the communication skills? No, I worry about that. I mean, it depends on the person who you're doing the apprenticeship with. Good point. And in the case of formal education, you have to take classes which make sure you know how to write and speak in public. And I think that's the difference. But there is definitely,

I mean, there's a plus to that. I wish I had an apprenticeship whenever I started out, or someone who knew the ropes. Does anyone else have any questions? I think I'm

And we talked about Network Scout, which I did with two students. That was as much a mentorship as it was an apprenticeship, because they taught themselves Python with my help. And then they did the project on their own, based upon the skills we taught them. Thank you, everybody. You did spot on the time. Thanks. Awesome. Yeah, I hate to go over there.

So I'm going to go and give you guys the initial rundown. This is my first talk at a conference, so feel free to interrupt me. Let me know how I'm doing. Higher volume? Yes, sir. All right. So I will try to speak loudly so everybody can hear, and we'll get started with it. All right. So, as you guys know, my name is James. And before I get down to the subject we're talking about today, I kind of figured I should tell you guys a little bit about myself. I know my bio in the show notes was a little bit short. So I actually discovered computers in 1984. My dad brought home an Apple IIe. He had sprung for the extra 64K of RAM.

It was glorious. I played around with it a lot, a lot of video games, old school: Karateka, things like that, Wavy Navy, if anybody knows that one.

Then, when I became a professional, I started out as a system administrator. Anybody who's still doing sysadmin work, I am sorry for you. It is a rough life. And there's a reason why the O'Reilly book has the armadillo on the front of it: because you've gotta have a tough skin. I switched over to software engineering for the past few years. This was really where I began my true descent into Lovecraftian madness. The more you learn about the code, the crazier you get. And that's just how it goes. So I got hired at Lancope last year. This is the last mention of my company in this talk. But what I realized when I got to Lancope is that everything that I had been doing before this was

just a warm-up for what I've been doing since. And it's great. All right.

Okay. All right, so

This brings us to what we're actually going to talk about today. This is actually a very detailed analysis of the movie WarGames, in which David Lightman attempts to start World War III by hacking into a computer. It's one of my favorite movies, really what motivated me. I apologize for deceiving you guys. I just had to bring in a clip of WarGames because of the name of the thing. This is actually what we're going to talk about. I'm actually not a security professional, a security expert. So this is kind of an outsider's perspective of my discovery of capture-the-flag challenges and war games. A little bit of an overview for people who may not

be familiar with it. Looking around the room, after hearing some of the questions, you guys probably are pretty familiar with it. And then kind of a transition for how traditional learning methods can fail, and why these war games and CTF challenges are not only important for people in the security community but actually more important for technical people: they've already got the chops, they just don't realize they're already good at security, or that they can actually become really good at security very quickly. And then, you know, why are we looking at games? What advantage do games give us? And then my own thoughts on better security through gaming, and then how we can use these as infection

vectors to the people that we work with on a daily basis, you know, so that they can take the benefit and actually start helping security professionals and everybody else do their jobs better, by not having to wake up in the middle of the night thinking, oh my god, did they remember to do this on the system, or are we already owned? Which, actually, given some of the other talks and the keynote we heard today, I think we already know the answer: yes, we're already owned. But maybe we can do better going forward. And then finally, just wrapping everything up. Hopefully you guys will agree. If not, I'm looking for some good points where you

guys can prove me wrong. That'd be great. So, like I said, I am an outsider, and my apologies, I am not a hacker. I actually stopped identifying as a hacker back when I was a teenager and realized I wasn't gonna go into security and I just wanted to work on computers. I'm slowly coming back around to wanting to learn how to break things, but in a good way, and not just daydream about breaking into OPM, which apparently is not that hard. So you may ask yourself, why am I doing a talk at a security conference? It kind of gives me a unique perspective. Sometimes these things that come from people outside of your field can shed new light on things

that we've become comfortable with. So, anybody out here who does security professionally? Like, actually employed? Anybody heading that direction? Okay, cool. This will actually be good, because a lot of you guys who didn't raise your hand, you're actually my target audience for this, at least for what I'm trying to do. So this is kind of the uninitiated view of what security professionals are, you know, pen testers, the incident response guys. It's a lot of black voodoo, it's a lot of magic. And this is what I thought when I first got to Lancope, when I'd hear hushed tones from the people who were walking around the halls, you know, oh, that guy, he does incident response.

It's like, ooh, that's gotta be very hard to figure out what they do. This is, I think, what a lot of people think about security professionals. It's kind of the, well, they can compromise your system and all that. So how do we get from that view to what I'm talking about today? Like a lot of things, after I started working at a security company, I was like, ah, I probably need to start familiarizing myself with more of the ins and outs, what things have changed since 1995, when I kind of first really got on the internet. And so I stumbled across this post, and my first thought was, ah, cracking passwords, that's awesome, we should do more of this. And so I started digging through it, and I discovered this site called Over the Wire.

Anybody who's familiar with Joseph Campbell and the hero's mythology, the monomyth? This is kind of my moment where I crossed the threshold into the hidden world and realized that maybe all the things that I had been learning are actually more aligned with security than I originally thought. So, Over the Wire is a type of war game. It's hosted online. And this was actually from their Bandit series, which is all Linux platform stuff. And so I went, I played around with it, and after a couple of days, because I do have a two-and-a-half-year-old daughter, so she eats up a lot of the free time, I finished all 26 levels, and this is how I felt. I have done it. I am finally a hacker. Not really. But I was hooked. I actually had had my perspective shifted a little bit.

And what I realized was, all of the tools that I've used to admin Linux machines and Windows machines throughout the years, or in programming, they're the same tools that security professionals use. They just have a slightly different perspective, or they're using them in slightly different ways. And so all these years later I was like, oh, what the guys at work have been telling me about, that it's not really that much different, is actually true. But it kind of took me discovering this to get that through my head. Now, I am kind of thick-headed, so, you know, we'll make Matt have an easier time with other people. So moving on from that, let's see.

People need to know about this. I actually assumed that I was the last person in the world that had discovered War Games and Capture the Flag challenges from the amount of stuff online about them. But when I started talking to people I worked with and friends of mine who are also in IT, none of them had heard about it. So I was like, okay, well, how do we get that out there and how can we start shifting other people's perspectives and making the application and platform security awareness better? And so that's kind of where we got to this talk. So that leads us to what exactly are these capture the flag challenges, what exactly are war games, and how can we use them? So capture the flag.

Anybody who has been to a lot of conferences, you've probably participated in a capture the flag challenge. It is basically an information security competition. So there are predominantly three different styles. There's a Jeopardy style, which is kind of like the game show Jeopardy, by its very name. And so what that means is you can have trivia, like computer history, you can have forensics analysis, crypto, reverse engineering, a lot of interesting things. What you do is you work through the different set of tasks. Sometimes they lock down the harder tasks until you've completed the easier tasks. Sometimes you can just pick the hardest one you want to. The way you get points is you solve the challenge, you get a flag, you submit it, they give you points. Usually it's a team competition in the CTF challenges. That's actually good, because you can diversify your skill set. It's nice. I think the most famous example of this is the DEFCON CTF qualifications, which lead you to the next type, which is the attack-defense type of CTF.

So attack-defense is kind of what it sounds like. You have a network set up. You have attackers who are trying to attack other teams' servers. You're also trying to defend your own servers. And the more attacks you pull off and the more defenses you pull off, you get attack and defense points.

This is actually the first type of CTF there ever was. There's actually apparently a really easy one to set up if you want to play around with it. It's called Network King of the Hill. Apparently it's extremely easy to set up and you can just play around with it on your own. It's free. And the most famous example of this is the World Cup of CTF, which is the DEFCON CTF, the one that you have to qualify for. So, like I said, it can be teams, it can be individuals. Most times it's teams, because you want to diversify your skills and you want to get points very fast. And I also have to give a shout out to CTFtime.org if you're interested in any more, or in what competitions are going on; those guys are great. And I did pretty much steal a lot of the information off their website.

So this leads us over to a different type of CTF challenge, which is a war game. War games are online. Most times they're hosted online. You can't actually pull them off and load them locally. They're almost always single player, because you're SSHing into a machine and trying to get through the different levels.

I like it as a game very much in the fact that you start off with very easy levels and they increase in difficulty, and what game is good if it doesn't increase in difficulty? So the services, the two services that I've used mostly in the past, are overthewire.org and Smash the Stack. Smash the Stack is more reverse engineering. Over the Wire is more web vulnerabilities and platform security. So now, for anybody who may not be familiar with this, I was gonna do a quick demo of just a very easy one that I wrote, which apparently I'm going to need to exit out of this guy real quick. So we will try to do this and then go back to full screen. So, can everybody in the back actually read this? Cool. All right. So what do we have in the directory? We have this executable called level zero. Let's see what happens when we run it. Okay. So it's asking us for a password. We've got to figure out the password.

I always type Bob first, because that's the password that I used to use before I realized it was not a good password. And then they kept increasing the length on me, and you can only repeat Bob so many times before it gets messed up in your head. So that's not the right password. So let's see. Well, we know it's an executable. Let's see if there are any hidden files. Maybe they made it nice for us and did a nice, easy password.txt where they stored it. So they didn't do that. So let's see. Well, I know about this amazing utility called strings. So let's see, I'll pass the -d just to get rid of some of the junk, and we run it. So shout out the answer when you see it on the screen. All right, I heard B-Sides, so we will try that.
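What the strings step in the demo actually does, as an added example that is not code from the talk or from any Over the Wire level: a small Python scanner that pulls printable runs out of a binary the way strings does, then applies the check a defender would want on their own release builds, flagging any literal stored directly after a credential prompt. The ELF-like sample blob is constructed for this example and is not a real compiled program; the minimum run length of 4 matches the GNU strings default.

```python
"""Strings-style scan for hard-coded credentials in a binary.

Added example, not code from the talk or from Over the Wire. It does what
`strings` did in the demo (print printable runs from a file), then adds
the defender-side check: flag a literal that sits right after a
credential prompt, which is how a hard-coded password usually shows up
in a release build.
"""
import re
import sys
from typing import List, Tuple

MIN_LEN = 4  # GNU strings prints runs of at least 4 printable characters by default

# Constructed sample: a fake ELF-like blob standing in for the demo's
# "level zero" binary. It is not a real compiled program.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(32))   # header-ish, non-printable
    + b"Enter the password: \x00"                    # prompt string
    + b"BSidesAsheville\x00"                         # the hard-coded credential
    + b"Wrong password, try again.\x00"
    + b"Welcome to level 1!\x00"
    + b"\x89\xe5\x48\x83\xec\x10"                    # a few opaque code bytes
    + b"GCC: (constructed sample) 0.0\x00"
)

# Words that mark a string as a credential prompt.
SECRET_WORDS = re.compile(r"(password|passwd|secret|token|api[_ -]?key)", re.I)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs of at least min_len, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def flag_secret_candidates(strings: List[str]) -> List[Tuple[str, str]]:
    """Pair each credential prompt with the literal stored right after it.

    Heuristic: a prompt ending in ':' followed by a literal is the typical
    layout of strcmp(input, "hardcoded") in .rodata. It will miss secrets
    stored elsewhere and does not flag messages like "Wrong password.",
    so treat the output as a review queue, not a verdict.
    """
    hits = []
    for prompt, following in zip(strings, strings[1:]):
        if SECRET_WORDS.search(prompt) and prompt.rstrip().endswith(":"):
            hits.append((prompt, following))
    return hits


def scan_file(path: str) -> List[Tuple[str, str]]:
    """Scan a file on disk; the same check a build pipeline could run."""
    with open(path, "rb") as fh:
        return flag_secret_candidates(extract_strings(fh.read()))


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for prompt, literal in flag_secret_candidates(extract_strings(data)):
        print(f"possible hard-coded credential after {prompt!r}: {literal!r}")
```

Run it against the sample and it reports the literal after the prompt; run it against your own release artifacts and the same check catches the mistake before a player with strings does. The prompt-then-literal heuristic is deliberately narrow to keep false positives low; broadening it is a matter of adding patterns to SECRET_WORDS or relaxing the trailing-colon rule.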

And so obviously I had to do that, first talk; I figured I'd give a shout out to B-Sides Asheville. And then this would usually be your password to get to the next level of the war game challenge. So you would basically log into the next level through SSH, give them that password, and then go on to the next challenge. So let's see. I can get rid of this guy again. I can grab a hold of the window. All right. So anyway, that's kind of a basic example of these things. And let me get back to the full screen. So hang on. All right, there we go. So I did skip over a screen, but basically we're going to transition from what an actual game is into why traditional methods can fail.

So I know we've talked about certifications, different training, education; all those things are very valuable, but when you're beginning out, especially when you're hard-headed like me, you don't realize what the right questions are to ask. You don't know who the experts in the field are. Most of the hackers that I remember reading about when I first got in, first started looking into computer security, were kind of shrouded in myth and legend, and there wasn't this fancy thing called Google that you could use to search for things. You had to go dig around, and it took hours, and you still didn't find the right answers.

So, a place I usually start with any new hobby is, I start with books. I do home brewing. I started reading a lot of great books. It didn't really help me make better beer, because to actually make better beer, you have to make good beer to know how to make better beer. With most things you can find out some stuff, but when you get to computer security, the first thing you realize is, well, what are the good books? Who are the experts in the field? What question do I even want to learn? So it's very difficult to know where to begin.

So you think to yourself, okay, well, I live in the modern age, and there is this amazing thing called Google. So you strike out on the internet, you start searching, you sign up for all these newsletters. I think when I first got started, I signed up for like Bugtraq, out of security, full disclosure, secure coding, should I own security? And I had all this stuff flooding my inbox every day. Did it help me? Not really. I mean, these little key pieces of things as I moved forward, but overall, it didn't really help me with what I was trying to learn, which was to be better at security. So I thought, well, I work for a company, maybe they'll send me to training. And it kind of circled back around to, I don't know what the good training is. I saw the prices of Black Hat training, and after they revived me off the floor when I passed out at my desk, they asked what I was looking at, and then they passed out when I told them what I was looking at. And then you also don't want to sign up for bad training, because if your company invests money in you to go to training, you want to be able to give them something back, so they'll send you to more training. If it's bad, they won't do that. And also, since I'm new to this, how do I even know what training I need?

So this led me to, anybody who doesn't recognize this, this is Bruce Schneier. He wrote an amazing book. He's actually written several amazing books. The first one I was introduced to was Applied Cryptography, way back in the day. He is very much considered an expert. And so let's say that I was lucky enough to sit down with Bruce and talk to him about anything. Let's say I picked the Applied Cryptography book, because I tried to read it when I was a freshman in college. It's very dense. I did not finish it. I took a lot of math, and then read it again when I was a senior; once again, it was very dense, I did not finish it. I'm not ashamed of that, it's a very hard book to finish. And so even though I can sit down and talk with Bruce, given my level of knowledge of cryptography and his level of knowledge of cryptography, there's gonna be a point, probably about five minutes into the conversation, where he just goes right over my head, which tells me one thing: I probably don't need to do cryptanalysis or cryptography, because I'm not that good at math. But you're gonna have a similar problem with anybody who's much farther ahead of you in the field, because it's very difficult for those guys to break down what they do as instinct to the level where a beginner can get into it.

So, we've looked at our traditional methods, we've got this introduction of games; can games help us to actually make this transition point to where we can start more effectively using the books, the training, being able to know what to search online, knowing the lingo that's around us? So I saw a TED Talk which led me to the book Reality Is Broken: Why Games Make Us Better and How They Can Change the World, by Jane McGonigal. And the quote that I pulled away from this is: when you strip away the genre differences and the technological complexities, all games share four defining traits: a goal, rules, a feedback system, and voluntary participation. So this is Jane McGonigal from the TED Talk where she talked about how gaming basically changed her life, how she realized that she had not wasted her time playing video games.

Luckily to anybody out there who plays video games, you have not wasted your life playing video games. They actually can teach us a lot of things. Games in general can make you better at things. Actually, their setup is what does this.

This is kind of a very overview of what we're about to break down.

In a game, there's always a goal, right? I mean, everybody who's played Mario, you have to get to the flag at the end before the timer runs out. That is your goal. Try to collect as many coins as you can along the way, but if you don't make it there, it's all for nothing. So it's great, because there's a clear objective when you're playing a game. Sometimes they'll even provide you with help to get along the way. You know, if you play WoW and you're on a quest, you know, World of Warcraft, for those who may not remember WoW back in the day, they tell you where to go. It's kind of nice. And there's always a solution for the problem in front of you, because if there wasn't a solution, it's not really a goal. This is great for when you're playing with a war game and CTF, because if you just set out and say, well, I wanna look at, let's say, the most recent, Jessie, for Debian. I'm gonna look at the release of Debian. I'm gonna take one of the packages in there, and I'm gonna find a vulnerability. Well, there may not be a vulnerability, though, given what we've learned already, there probably is. But you may not know where to look. You may not know how to look at the code, or the source code, to even find the vulnerability. You don't really have a defined goal. And in the beginning, that's what you want. You want something that you know there's an answer to, you know you're not just spinning your wheels.

So the next thing that helps us, even though for a lot of people in this room rules are probably not something we like following, is what makes us good at what we do. So anybody who doesn't recognize this, this is the greatest edition of Dungeons and Dragons that ever existed. And we can discuss and debate that afterwards, probably over a few beers, if you don't agree with me. So rules actually, in this case, give us a bounding box. They give us this nice sandbox to play in. And that's very helpful, once again, because when you're a beginner you need kind of boundaries, so you're not, like, off in the wild, you know, not finding anything. They also give us tools, in the fact that if you look at the rules of a system, they tell you kind of the areas you don't need to; you can already eliminate all the possibilities that kind of conflict with the rules. And then finally, especially in the war game scenario, because you are SSHing into this box and there are other people SSHing into the same level, the rules and the way the system is designed can actually protect you from cheaters. So let's say you've been spinning your wheels on, let's say, Bandit 13, the one we're looking at. You've finally figured it out, you've gotten the hex file, you're starting to get through it, and all of a sudden somebody swoops in and steals the answer right about the time you did it. Well, you did all the work, they kind of get credit for it, and that's not fun. So it also forces us to be honest when we're playing the game, which is actually more important for people who are trying to learn a new skill. Because if you have to be honest with yourself and you can't cheat and find the answer really easily, you get better.

And that's one of the things that's actually really important in trying to learn this. So, a feedback system. Feedback systems are awesome, because when you get the flag or you finish a level, you get immediate feedback. You realize you've done something good. If you're playing Mario and you run into a Goomba, you die or you become small, and that immediately tells you you pretty much suck at this game and you should probably try to get better. And that's the great thing about it, is that you can easily find where your skill level is in these games, because you get the first challenge, you're done with it in 10 seconds. You get to the next one, it takes you about a minute, and eventually it gets to a difficulty level where you have to stop and reevaluate what you're doing. Games are kind of unique in that they provide this immediate feedback system. You know, training, you read a book, you may not get a chance to exercise what you found in the book until a month later, and then you gotta go find the book, find out if you actually made notes in the book to what you needed. So, games are great, and they provide instantaneous feedback, which then reinforces the fact that you've learned something new, which makes it stay in long-term memory.

Finally, games are voluntary participation. So this is where most of my games end up for me at some point. I get very frustrated with them, and the thing to remember in that moment is games are voluntary. No one made you do this. You're doing it to yourself. Seriously, you've given up your free time, you've decided to play a game, regardless of what the game is, and no one made you do it. So you can quit. No one's gonna hate you if you quit a game. I mean, if you drop out of training or you don't finish... oh yes, go ahead. Tell that to the Korean gold farmers. That's true, okay. So that's a job, not a game. We'll come back to jobs in a minute. He was mentioning the Korean gold farmers; those guys, yeah, they're definitely doing a job. That's kind of the insanity of this, you know. So you start playing this voluntary game. You get to this point where, I remember at one point with one of the challenges, I had like three Google tabs open. I was reading about the inner workings of SHA-256. Once again, remember, I'm not that good at math. So reading about hash functions is not my idea of fun times. And I was doing it all for a game that I had decided to play, just because I wanted to see what the next level was going to give me as a challenge. And that's what makes games amazing, because we can force people to go to training, we can force them to sit through OPSEC meetings, we can ram policy down on top of them, and they're just gonna ignore us. But you get them to do this to themselves, and they may throw a keyboard through a monitor, but they're going to learn something before they do that. And that's kinda nice.

There is actually a fifth thing that you get with the capture the flag and the war games, and it's actually mostly because of all the people sitting in this room and the IRC channel that these guys have: a huge support structure. You're not in this on your own. These games give you the framework to start asking questions besides, you know, the one I see every day on Reddit is, you know, how do I hack? How do I do something? You know, there's not a proper framework. There's no scoping to it. It's, you know, it makes you better. And it also prevents you from throwing your keyboard through the monitor in the previous photo, because you do have people out there helping you. You're not on your own.

Okay, so I've talked about war games. I've kind of given you guys my background as not being a security expert, and now I've kind of showed you why games can be good. Does it actually make a difference, and can it make you better at security? Particularly in the case that I've been studying, it's been application and platform security. So can it make coders think about secure coding more naturally? Can it make you look at your systems more critically when you're trying to harden them?

I think it can, and like I said, I definitely want to hear if you guys don't think it can. So, the thing is that we're talking about very technical people. I mean, developers, they know languages, they know how systems work. You know, sysadmins, same thing. They're very good at understanding how systems work. They're very intimate with the tools that are on their systems. Maybe what they need is not so much new tools (oops, sorry about that) but a shift in perspective. So that's kind of how I felt when I got done with the first challenge. When I got to that level 13 and I realized I'd worked all my way through it, and I started understanding that all these tools that I've used for a completely different purpose could be easily used for, you know, actually compromising systems, or even showing where there are weaknesses in systems. Even if you're not going out to particularly compromise it, you're just trying to point out, hey, I might need to look at something. So, you know, from The Matrix, the world around you hasn't really changed, just your perception of reality has changed. That's what we're going for. We don't really want to convince, we don't want all the developers in the world and the sysadmins in the world to just say, that's it, I'm not doing this anymore, I'm gonna go be a security professional, I'm gonna be a Red Team tester. We just want these guys to be better at what they do. We want them to think more critically of the things that they've written, the systems they've set up, so that all the guys who are doing Red Team stuff can sleep at night, because they haven't shut down somebody's domain controller with a vulnerability or whatnot.

So what leads from shifting the perspective is that you end up with pattern recognition. So you start seeing these things, you know, I know for me it was like, hey, this was just a simple permissions error. Wait, Linux boxes are really big. I bet I have a few Linux boxes that I need to go check permissions on. And so you start realizing these things. First, you'll just notice something that seems familiar to you, and then as you keep playing the games, as you keep practicing these things, you start seeing these things quicker and quicker. It actually begins to, like I said, it makes you think more about, okay, well, if this is something that's considered a very easy level on an Over the Wire challenge, and I know I've seen it on another box that I have, that's probably bad, probably very bad. And so as you continue moving through this, as you continue playing the games, your pattern recognition gets better and better.

And kind of more importantly, and I think Bill touched on this in the last talk, is that we are seen as very anti-social people, and we do kind of think that we know everything. So it's very hard at times to convince people that their systems might have vulnerabilities, or that their code might have vulnerabilities, because their immediate reaction is, no, no, I'm not going to listen to you, I'm gonna put my head in the sand, and you're wrong because I wrote the code and it's perfect. I don't write bugs, but people still keep finding them, and then I have to go fix them. This helps you kind of, as the person playing these games, you start taking ownership of the things, the vulnerabilities you find. You're not as afraid of them; you start realizing these things happen, you know, but if you can recognize them faster, you can fix them. You can start learning how to write the code better in the first place. You can start learning how to harden the systems, you know, right out of the gate, because you recognize all these easy vulnerabilities. And, you know, a lot of this does sound like a lot of hard work in the end, but I don't think we chose computers because it's easy. Its difficulty is why I like it, at least for me.

Any Tabletop fans? Wil Wheaton's Tabletop on YouTube, any fans? Excellent, okay. So if you watch the Ticket to Ride episode, in that he talks about infection vectors. So an infection vector is like a game that you can get, you know, you may say, hey, I play board games, and people are like, wow, you're a huge nerd. And yeah, that's fine. But an infection vector is a game that you can introduce to the non-nerd friends that you have and get them to play, and then before they realize it, they're a nerd, probably greater than you were. So, I'll give you guys just a brief... I want to save this one. My degree is actually in psychology, and this talk, talking about infection vectors, is the first time I've actually used my psychology degree professionally. So my parents can be proud of me now. So why are these challenges an infection vector? That's kind of what I'm trying to make. And so for that, I enlisted the participation of my daughter. I want to thank her for sitting for 30 minutes while I tried to get the perfect picture.

And then I'm gonna ask you guys to participate. Close your eyes. I promise you it will not be something terrifying on the screen when you open them. I'm not going to play that kind of joke on you, but close your eyes. And what I want you to do is think back. I want you to remember the first game that really captured your attention. I want you to remember the first game that you loved. Could be a board game, could be a card game, could just be a video game. And I want you to remember exactly how you felt the first time that you, like, just absolutely beat the game. All right, now open your eyes. You guys can pretty clearly remember that feeling, right? It felt like you had conquered the world, like you were unstoppable, and you were just playing a game. It's not like you were trying to, like, you know, learn a new skill or anything like that. So if we can put that feeling of, that joy... for me it was Zelda. The first time that I just absolutely owned the original Zelda on NES, I was unstoppable as a small child. But, Duck Hunt, yes, Duck Hunt, another great example, yeah. Yes. And the first time, also the first time that you beat the original Mario without losing a single life. Excellent. But anyway, it gives you this amazing feeling, and it's a feeling that is very hard to replicate. In fact, the only thing that comes close is when you actually are working as a red teamer and you just truly own someone's system. I mean, for me, those were the two things, and I think that's the reason why I initially got interested in security, because I realized there's a similarity there. The nice thing about these CTF and war game challenges is no one comes to arrest you when you compromise that system. They are completely legal, and that's very important.

So, why is that important? So besides that feeling, it's just a game, right? So, no one made you play Mario, your friends may have, or insert your game here, Pokemon for people who are maybe a little bit older. No one made you do it. You can be terrible at them, and the only people who are gonna make fun of you are your friends, and you'll find something to get back at them a little bit later, right? So there's this lowered threshold, right? It's not like, so you know, when people would say, oh well, security is really just the things that you've already done, well, you start feeling like there's a gap in your knowledge, right? You start becoming defensive immediately: no, it can't be, it really can't be this easy. I should have realized this earlier on. But when you start playing a game, you kind of, you forget that threshold of "I shouldn't know this" and you start trying something new. And when it feels familiar, you just realize, oh, I'm already good at this, and then you start trying to find more and more difficult challenges. That's nice, you know? In the real world, you're supposed to know things, but if it's just a game, who cares? And then if you get stuck, you're not as afraid to ask for help. I mean, I know when I got to, like, I think it was level 25 in Bandit, I rammed my head into the same brick wall about 100 times on that one, and I definitely don't want to give away the answer in case anybody wants to go play that if they haven't already. And it took someone actually, like, me stopping, asking someone for help, about like, here's what I'm doing, here's what I'm trying to do, I've got nothing. But it was a game. It's not like I was trying to figure out a problem at work, but in all honesty, playing these games, learning how to lower that threshold, has actually helped me go ask for advice at work on things. So I may not know the best way to handle this certain algorithm, but there is somebody in my company who does, and going to get advice from them makes the software better. So it's a nice thing.

Finally, it's fun. You get a lot of joy out of playing games because they're fun. We keep playing them because they're fun. That's basically the only thing I can say about it. Oh yeah, and then the final thing, I do have a note here about that. Remember, no laws were broken playing these games. People have actually asked you to come play the games; even though they're on other systems, you're not going to get thrown in jail for it. I feel that's a very important part, because when you start talking about hacking systems as a game, your friends look at you like you're crazy and like the police are on their way.

All right, so let's go back briefly and cover what we talked about. So I am not a computer hacker. I do not use the word cyber every day in my life, but it's mainly because I just don't use the word cyber. It wasn't really anything planned. CTF and war games are games that security experts and security people play, and people who are just interested in operational security or information security, that's the games that they play. Good, we'll do this for a second. In retrospect, it probably was not the wisest idea to carry a cup of water over my computer during the presentation, but we all survived. So there are these games that we play, games that people play for challenges at conferences just for fun. And that's great, because it teaches, it hones the skills that security professionals already have. But they can be just as valuable for the people that are around us every day, who at times make our lives more difficult, make y'all's lives more difficult, because I'm one of the guys making your lives more difficult. And it can increase their, especially in these cases, the ones that I've talked about, their application and platform awareness. And like I said, it's not that we want, it's not that your end goal is to make these guys exactly like you. You just want them to kind of have that little voice in the back of their head that says, what you're about to do is bad, and you should stop, and look at it, and possibly find a different way to do it. So if I'm completely wrong about this, and like I said, feel free afterwards to come up and tell me if I'm wrong; I would love to improve this to where it is very useful. In the worst case, I know we saw the movie Hackers slide earlier. We all get to hack a Gibson and we all get handles. So, hack the planet. All right, so any questions? Excellent, yeah.

But I think the interest and the ingenuity that you have, you're obviously passionate and you can see the excitement that you have. I think that's what a hacker is. It's somebody who wants to pursue more knowledge or try things out.

I always consider myself more tinkerer at this point. But yeah, I guess the more correct would be I'm not a security professional at this point. I'm also really interested in the fact that you have a psychology background. Because we do work with the guys at USC and we talk to a lot of psychologists. One of the things that you're hitting on that's very popular in marketing from a business side, right? So this isn't a... to hacking per se but gamification of almost everything we do every form that we contribute to whether we're putting stuff on stack social or whatever happens to be there's like badges and points you earn it's that inherent need to kind of get that instant recognition for what you're contributing back that kind of helps

so I think it's really interesting that as a developer you have a psychology background and I would love to hear you talk more or look into that develop that some more and how you can apply that into what you're building I think that's a really interesting perspective that the next talk that I'm working on which I have hopefully hopefully I can finish it at some point in my life, is actually why operational security makes us as humans kind of fight that good natured thing that we're taught from kids to have. Because it's very hard, you know, you see it everywhere, you know, no tailgating when you're going through doors. Breaking that habit of holding the door for someone, like as you're going through just out of, you

know, common courtesy. That just breaks your system. It's like, you know, it's the getting, and all the aspects of social engineering. I know a guy at Hungry Hungry Hackers in Atlanta, he gave a talk about abusing Maslow's hierarchy of needs. Phenomenal. Just the way that you can get people to do things because you're actually abusing their honest and, you know, I think in Bruce Schneier's book Liars and Outliers, he says that, you know, 99% of the people in the world are good; it's that 1% that realize that everybody else is good and they can take advantage of that, and then the inherent trust that we put in people every day. Yeah, I would, yeah. Yeah, oh yeah, yeah. It's the, you know, there are two things. If

you're not afraid to ask, and then once you've asked, you're not afraid to just shut up. Yeah, let the other person fill in the blanks for you, which is something that I actually, if my wife is watching through the live stream, she was gonna berate me about when she hears that I said that, because this is advice that she's given me since we met, because I tend to not do any of those things. Yeah, and then, let's see. You guys can continue to ask questions. I'll just throw this up. This is who I am. And just an email. Like I said, this is actually not for my company. So I just throw up a personal

email up there. And then feel free to follow me on Twitter, ask me questions if something pops in your head. Or, you know, if you find a really good Capture the Flag challenge or a good war game that I may not, you know, even if you think I may already know about it, go ahead and send it to me because I am addicted to them. I play them every free moment I get.

Yeah. Yeah.

Definitely. Yeah, yeah. Reach out to me and I'm interested. Yeah. Excellent. Cool. I was going to say, if there's nothing else, I'll finish early and give you guys some time to roam around. Excellent. Cool. Thank you.

is on. So just leave it on green. OK. And find some water. Do you want a cup of ice water? Or just tap water? I got a water. OK. And put this on. Yeah, on your shirt. Shirt good. There? Or no? No, I'll do it quite like that. I've learned the hard way. It needs to be facing up. Yeah. I don't know. Maybe you can clip it on. You can do it. Oh. Yeah, that could work. Right there? A little lower. That way you don't want to, you know. That should work pretty well. Yeah. We'll do a monitor test here in a second. All right. And what will happen, we have this handheld mic. So obviously, if someone

isn't here, those people on the internet will not hear it. So if they aren't holding the mic, just kind of process repeat. Or if they're going to share their opinion, let's make sure they get this. All right.

We're not gonna use flash cards for time because when you're done, we're just gonna go to lunch, so talk as long as you want. All right, I can keep going all night. Okay. I just won't stop.

Uh-oh. Still works though, right? Yeah, it should work. Believe it or not, these are cheap at $200 each. Your audio gear gets crazy. I think any professional gear wears not something that everyone needs.

Yeah, is that okay? Yeah.

I hardly do any of it anymore except for when I was in Texas. Oh, that's good. I want to get into it here.

surprises. Let's give a warm welcome to Jason.

How about it? All right. Welcome everyone.

So today we're going to talk about zero days, sort of. Actually what we're going to be doing is comparing zero days to the types of things that I often see during pen tests. So I'll get into a little bit more on that in a second. Hang on a second. There we go. Moving forward faster than I intended. All right, so about me first. My name's Jason Gillam. I'm a senior security consultant with Secure Ideas. I have lots of experience. A lot of my background is in software development, which makes me a little bit odd. A lot of the folks you find in the security space come from more of a network administrative background.

Mine's more software development, architecture, and then several years back I decided security was more fun. It was more fun to start breaking the software than to be building it all the time, so I got into that. I'm an open source contributor. I work with a bunch of different projects, probably most well known for Burp CO2. So if you're web pen testing at all and you use PortSwigger's Burp product, CO2 is a plug-in for that that I built. And I do some running to offset my home brewing, or the results of the home brewing anyway. I'm a home brewer. All right. Starting off with a big question. What keeps you up at night? So how many sysadmin types do we have in

the room? We got hands up? Or is everyone here a pen tester? Somewhere in between. Okay. So something that's on a lot of people's minds, especially after 2014, the year of the breaches, all of them have pretty names and everything. Zero days, APTs, wondering whether or not you're a target. What's the latest SSL vulnerability? So all of these things are things that get a lot of focus these days. And a lot of it's because of the media, right? So the media's, they've started making a bigger deal out of these. I mean, they've tacked on fancy names onto a lot of the vulnerabilities. And that just, it's getting a lot more attention than these things ever got in the past. It used to

be you just look over CVEs, occasionally you'd see something go through in the main, but it wouldn't be in the mainstream media to the degree it has been in the last few years. I think everyone will agree with that, right? So next question is, do those things really matter? I mean, they do to an extent. I mean, yeah, it's a zero day out there. But do they matter as much as all of the other stuff that still isn't fixed? And that's really what the of my messages today is we see these things out there, they get all kinds of media attention, but I regularly will go in on a pen test somewhere and do, even running an automated scan, I find a plethora of issues that have not been

addressed yet. And I'm sure everyone in the room who's done pen testing will also probably agree with that, that that's pretty normal to run into that. So that's really what I want to talk about today. So, attack targets. If you have a vulnerability, the vulnerability is going to kind of fit into one of two categories. It's either one that's used in a more generalized attack or it's going to be used in a very specific attack. And often this has more to do with the age of the vulnerability than the specific type of vulnerability. So, newer vulnerabilities, so we're talking about zero days, the latest and greatest has just come out. More often it's going to be used in a more generalized scenario. It's

the new great thing. People want to find out who's vulnerable to it. So they'll do kind of a, you know, throw a net out there and see who's vulnerable to it and potentially exploit based on that. Whereas as a vulnerability gets its age, it's been around for a while. So, you know, we're talking about things that have been, there's been Metasploit exploits for several years, like MS08-067, for example. That's something that's going to be used in a more targeted attack. Somebody is working against a very specific target, and they want to see how many or which vulnerabilities is that target vulnerable to. So what's going to work against them?

So as a company, you have to ask yourself the question, what kind of target am I? Do I fall into that generalized? Well, everybody falls into both is the answer to that question. Everybody can be a victim, every company out there can be a victim of the generalized attacks because it's new, it's a zero day. It's something that nobody's seen before. But then you also have the targeted attacks. And the targets are a little less, they're a little bit more limited.

Smaller companies or companies that don't necessarily have information or data or systems that people

really want. They're going to be less of a specific target than those that do have something that people want. But let's face it, most businesses are in business to make money and people want money. So almost anybody is a target because of that. So anyway, pen testers, we'll notice these trends. I work for a consultant company. I basically do a lot of pen tests for a lot of different clients. So it's not always the same client. I'm not going to see exactly the same thing every single time. This is one of the great things about what I do is every week is different. I'm going to have new challenges. I'm going to run into new

interesting vulnerabilities I haven't seen before. But then I will often see patterns. I'll see the same sort of things pop up over and over again. And that doesn't mean every single client is vulnerable to all the same things. It just means that a lot of the same types of issues keep popping up even though they've been around for a long time. So what I want to do is take those things that pop up all the time and relate those to some of the fancy named zero days that were announced mostly last year. And just kind of show how, you know, why are you worried about this when you still haven't taken care of all of these other things that are very much

related. So let's start off with Shellshock. This one's got a nice fancy name. They don't have a pretty picture to go with it, so I kind of made one up. I know it's not very good. So Shellshock. Also, hopefully, some of you who maybe heard of these vulnerabilities but aren't quite sure exactly what they do, this will help clear that up as well. So Shellshock, that string of characters right there. That is the Shellshock vulnerability.

payload that if a vulnerable version of Bash sees this set of characters in this order, it will execute the command that follows this. And we can see that in a little bit more detail. Robert Graham, he tweeted, I'm running a scan right now of the internet to test for the recent Bash vulnerability. So some of you probably remember seeing this. Here's his example configuration for a mass scan.

And you can see that there's that same string of characters right there. That's what he was doing. He was basically putting all the, and he was hitting port 80, so that's your usual HTTP port. And he was in several HTTP headers. He was adding that along with a ping back to his own box. So it's actually pretty straightforward, right? Note that although he said he's running a scan across the internet, it was only one port on the internet and it was only one page for any web server on the internet, not all of the pages of all the websites. It's just basically the root. So you can just imagine that if you consider all of

the other services out there other than HTTP, this is, you know, it's a very widespread vulnerability. So

Just a bit of a side note on Shellshock. It sounds really bad. It was fixed, but then it had to be fixed again. And then it, well, anyway. There's several CVEs that basically relate back to the same sort of thing. So the thing with Shellshock is the main examples that they talk about with Shellshock have to do with mod_cgi and mod_cgid. So these are CGI scripts.

They've been around for a long time. And largely, they've been, mostly because of performance reasons, they've been superseded by other technologies that do the same sort of thing. We're talking about server-side code execution for getting dynamic responses back. So everything from PHP to Java servlets to Ruby on Rails apps, there's lots of other technologies out there today that do the same job and tend to do it better and tend to do it in a more, I would say, kind of in a more sandboxed manner where it doesn't have direct access to the underlying operating system so easily. So it's a wonder that we're still using CGI in places. Maybe it's a good idea to look at alternatives.
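The Shellshock header scanning described above, seen from the defender's side, as an added example (not code from the talk or from Robert Graham's scan): it parses raw HTTP requests and flags any header carrying the Bash exported-function prefix, and runs the standard local Bash check. The sample requests, the 203.0.113.5 ping-back address and all function names are constructed for this example.

```python
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Bash's exported-function prefix "() {" with flexible whitespace. Matching on the
# prefix rather than the full "() { :; };" string also catches the variants that
# kept appearing after the first patch (the "fixed, then fixed again" problem).
_FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Constructed sample requests (not captured traffic): one benign, two carrying the
# trigger in headers a CGI script would export as environment variables.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: () { :; }; /bin/ping -c 1 203.0.113.5\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
    "Cookie: () {:;}; /bin/sh -c 'id'\r\nReferer: http://example.test/\r\n\r\n",
]


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_shellshock(raw: str) -> List[str]:
    """Return the names of headers whose values start a Bash function definition."""
    _, headers = parse_headers(raw)
    return [name for name, value in headers.items() if _FUNC_PREFIX.search(value)]


def scan_requests(requests: List[str]) -> List[Tuple[str, List[str], bool]]:
    """Report (request line, flagged headers, targets a CGI path) for suspicious requests.
    A hit against /cgi-bin/ is the case the talk describes: mod_cgi hands the
    header straight to a Bash child process as an environment variable."""
    findings = []
    for raw in requests:
        request_line, _ = parse_headers(raw)
        flagged = flag_shellshock(raw)
        if flagged:
            path = request_line.split(" ")[1] if " " in request_line else ""
            findings.append((request_line, flagged, path.startswith("/cgi-bin/")))
    return findings


def local_bash_is_vulnerable() -> Optional[bool]:
    """The canonical local check: export a function-looking variable with trailing
    code and see whether Bash runs it. Returns None if bash is not installed."""
    env = {**os.environ, "x": "() { :;}; echo vulnerable"}
    try:
        result = subprocess.run(["bash", "-c", "echo test"], env=env,
                                capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in result.stdout


if __name__ == "__main__":
    for request_line, headers, cgi in scan_requests(SAMPLE_REQUESTS):
        print(f"{request_line!r}: trigger in {headers}, cgi-bin target={cgi}")
    print("local bash vulnerable:", local_bash_is_vulnerable())
```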

So some other old technology issues. These are the things that I see in scans all the time. I would say pen tests, except I don't even get into the pen test before I see this sort of thing. I'm running a scan. And it'll be use of unsupported software, so old operating systems. Anybody still run into Windows XP? I do. I'll do. Yeah. All the time. Yeah. See? There we go. Windows XP. Not supported. You might even find older ones in that too. I'll use that again. 98. 98 occasionally. Patching computers. There you go. So they're out there. Unpatched software. We find tons and tons of unpatched software. Almost every pen test has unpatched software on there. It's like, hey, you guys need to

do a better job of patching. It's one thing if you find patches that are maybe a month or two old. But when you find systems that haven't been patched in four or five years, that's a bad issue, and that happens a lot. It happens a lot more than we'd like to see. ESX servers, web server versions, old versions of PHP, we find old Apache. I'm just pointing out the really common ones. And if they have WordPress, I'm sorry. Okay, WordPress for the record, WordPress itself doesn't seem to have that many issues that have come up, but the plugins are just, I don't know. They're really bad. It's a constant. If you've been watching the CVEs lately, every other CVE is a WordPress plugin. It's pretty bad. Okay,

so let's jump over to another one. Poodle. Everybody likes Poodle, right? Yeah. Another one. I had to come up with my own icon for that one, too. I kind of like that one, too. So, padding Oracle on downgraded legacy encryption. I have to read that title off because I can never remember that. This is a good thing that they actually gave that one a name. Okay, so I want to talk about Poodle a little bit first. So Poodle is a vulnerability that only affects SSL 3. And it takes advantage of, it's actually sort of a downgrade dance. So when you have a client and server negotiating their SSL, basically figure out between themselves what's the highest version of

encryption that we both support. Okay, we'll use that. So that's kind of what it takes advantage of. So SSL3, what's wrong with it? Well, first of all, it uses one of two ciphers, so RC4, which is already known to have a lot of issues with it, or some issues with it. And so the recommendation for quite a while before Poodle was to not use RC4 anyway. And then CBC is the other one, cipher block chaining. And that's what Poodle is about. It's about a vulnerability in the cipher block chaining, which basically there's some padding in there. I'm not a cryptographer, so I can't really explain it that well. But there's some padding in there where they change which bits of padding or

how many bits of padding they're sending along with the message. And as a result, they basically have to change. I think they can figure out one bit at a time or something along those lines. So what ends up happening, though, is it takes 256 SSL3 requests to decrypt a single byte. So it's going to have to be a situation where it's the same information over and over again. The best example for that is probably a cookie. So we're talking about like a cookie on a web server. There's other situations as well, but that's one that really pops out as, hey, you know, it would still take a lot of requests because it's 256 requests just to get one byte out of that

cookie. So no pun intended. Excuse me, are you suggesting that that's an issue to be concerned about? No, it's still an issue to be concerned about. If you use it back to get a session token in real time, how would that be? Yeah, it means that you're not going to be able to get it instantly. It's going to take some work. Not really. I mean, there are demonstrations you can go to a conference, and you can see these guys attack a session cookie in real time. So five minutes, you're in the white rod. Right. I'm not quite sure the point you're trying to get across here. This is a serious vulnerability that can be exploited in the wild.

Oh, absolutely. I'm not saying it isn't. OK. He's just saying the amount of data that would have to be processed for each bit is a lot. So it's a substantial amount of data. So with computers, 256 is not much. No, you're absolutely right. But still, 256 times the number of bytes. And yes, it can happen fast. Now, if you're doing what was mentioned earlier today, if you were watching our keynote, Marcus mentioned several times, log all the things. So if you aren't doing that, you probably won't notice those 256 however many times basically hitting the same thing over and over again. Right. This is just an explanation of what it is. This isn't necessarily... Yeah. This is just a piece of... It's

like a raper attack against, you know... Let me move on. This will make more sense in a second. Okay. All right. The issue is Poodle is really about an encryption issue. It's an encryption-based attack that's a concern. But what I would venture to say is it's good. Be aware of it. Do what you can about it. But it's not the most critical SSL issue that we find out there. And that's really what I was getting at is, yeah, we find Poodle, but when I run a scan across a network, very frequently, very frequently run into lots of weak SSL configurations, stuff that's weaker than that. So I'll find old ciphers. I find SSL2. So I don't know why you're so worried about SSL3 when you haven't even fixed

SSL2 yet. That's still on your systems. Or weak ciphers, like support for 56-bit ciphers.

These things need to be fixed first. It's not saying don't fix Poodle. It's just saying, why focus only on Poodle? Just because it's in the media, oh, let's go fix this thing. It's like, well, wait a sec. We also need to fix all these other things too. We can't just fix the one thing that shows up just because the newsman said that's what needs to be fixed. We should be looking at our entire systems. So other things that we see a lot, password storage. This one I don't really run into during an automated scan so easily, but during a pen test, if we do get a peek at a database that has passwords in it, it's still not uncommon to

find MD5 hashed passwords in there, often without salt on there. Basically salt helps make each password more unique and makes it harder to crack. Now MD5, for those who aren't familiar, it's an older hashing algorithm, super fast. Easy to crack just because you can generate lots of them really quickly. So what you'll find is there are rainbow tables out there, even all over the internet basically, that'll do a lot of this work for you. So you don't even have to hash everything, especially if it's not salted, in order to break them. You can often Google them. So it makes it pretty easy. And unencrypted services. So again, why are we worried about Poodle when you have an FTP

without any SSL sitting up there on the internet. Man in the middle of that, I don't have to do any work, it's already done for me. To be fair, there was a, when the, if I'm trying to make sure, Heartbleed broke out, it turns out that if you had had an HTTP unencrypted, then that's not gonna leak information about other people's sessions. Even though you have trivial man in the middle or sticking. So you're trading one for the other.

I agree. Heartbleed is an exception. So we're going to talk about Heartbleed next. Good timing. Great segue. Yes. See, I actually set that up for them. Anyway, I knew someone was going to ask about that. No, you're right. But Heartbleed really was an exception to the rule. Normally you should, I mean we know this, this is what we tell everyone, is you should be encrypting any sensitive data across the network. So Heartbleed. Heartbleed is actually the result of an implementation flaw in the reason why HTTPS is no longer expensive. So you remember, those of you who have been working at this for a while, probably I don't know how long ago, I don't really want to date myself, but there was a point in history where a lot

of people wouldn't implement HTTPS everywhere because it was expensive. There was this handshake that had to happen every single time and they didn't want to incur that or they had to go out and buy expensive accelerator type solutions to basically make this work decently. That's no longer the case and part of the reason that's no longer the case is because of the heartbeat that was introduced in HeartLean. So, they have a heartbeat extension, documented in RFC. And basically the heartbeat extension, what it does is sort of a keep alive type of mechanism that's in place.

client or one in the communication say, hey I'm still here, say hi if you are too. And then you get your response back, hi. That's kind of it. That's the extent of my PowerPoint animation.

So that's basically it. So that's a heartbeat message. Now what happens with Heartbleed I'm sure a lot of you have probably seen various different examples of this. But basically you have, in the request for the heartbeat, you have your payload, the message that you want echoed back, and then you tell it how long the payload length is. And then the response message says, okay, hi, and it just keeps going until it fills up all of that payload length. It's only slightly more complicated than that, but not much. Pretty straightforward. able to actually pull stuff out of memory, you know, whatever happens to be in memory after, after the, like, the end of high in this case here. So, a lot of the main concerns that have been expressed around

Heartbleed is the ability to capture passwords or keys, things that are likely to be in memory on that endpoint. Probably not data in a database because usually the database is not on the endpoint, but if you happen to be able to hit a database, then you might be able to do that as well. But it's also, it's unpredictable exactly what you're going to get back. It just happens because we don't know from the outside exactly what's in memory and how it's been managed. It's just, we're just going to get back whatever we get. So,

kind of flipping this around now again, what are the types of things that we see as a pen tester that kind of fall into the same category? We're talking about passwords and keys. have default credentials. Why do I need to use Heartbleed to find your password if your password is password or ABC123, you know? Dammit! Exactly. Admin, wait. Admin, admin, yeah. Admin, admin. We find all the time. One name name, that's always that you're referring to. There you go. So everybody named admin one name name. It's secure now. I have numbers and characters on there. So, yeah, weak passwords, default passwords,

Lack of two factor. Lack of two factor, yeah. That's all over the place still. That's another story, though. IKE aggressive mode. So I don't know how many of you have actually seen or run into that. I've run into it all the time. So this is old. It's an old vulnerability associated with a particular mode of operation for VPNs.

Yeah, it's just basically, there's no patch for it or no way to change it. But there are things that you can do to make it a little less vulnerable, such as changing your keys around frequently and making sure you're using very strong passwords. But basically, that allows you to pull a key out with a single request, and then you can try to decrypt it offline. Unencrypted session cookies. So you know I have the Secure keyword when you're setting a cookie. So that sort of thing.
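The heartbeat length problem described in the Heartbleed passage above, as an added toy model (not code from the talk or from OpenSSL): it builds an RFC 6520 heartbeat record, shows the unpatched handler echoing back whatever follows the record in memory when the peer lies about the payload length, and shows the bounds check that the fix added. The simulated memory layout, the secret cookie and all function names are constructed for this example.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat carries at least 16 bytes of random padding


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """HeartbeatRequest body: type(1) | payload_length(2) | payload | padding.
    declared_length lets the caller claim a longer payload than was actually sent,
    which is exactly what a Heartbleed probe does."""
    length = len(payload) if declared_length is None else declared_length
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length)
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_response(memory: bytes, record_len: int) -> bytes:
    """Unpatched behaviour: copy payload_length bytes from the record buffer without
    checking that the received record is that long. Whatever sits after the record
    in memory (here the simulated process memory) is echoed back to the peer."""
    hb_type = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    # record_len is available but ignored: this is the bug
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + memory[3:3 + payload_len]


def fixed_response(memory: bytes, record_len: int) -> Optional[bytes]:
    """Patched behaviour: header, declared payload and minimum padding must all fit
    inside the record that was actually received; otherwise the heartbeat is
    silently discarded and nothing is echoed."""
    hb_type = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + memory[3:3 + payload_len]


# Constructed "process memory": data belonging to another session that happens to
# sit right after the heartbeat record and must never leave the server.
SECRET = b"Cookie: session=s3cr3t-token"


def leaked_bytes(declared_length: int) -> bytes:
    """Echo payload the unpatched handler returns for a 2-byte 'hi' heartbeat whose
    header claims declared_length bytes. Beyond 2 bytes it is other memory."""
    record = build_heartbeat(b"hi", declared_length)
    memory = record + SECRET
    return vulnerable_response(memory, len(record))[3:]


def honest_and_lying() -> Tuple[Optional[bytes], Optional[bytes]]:
    """The patched handler against an honest heartbeat and a lying one."""
    honest = build_heartbeat(b"hi")
    lying = build_heartbeat(b"hi", 64)
    return (fixed_response(honest + SECRET, len(honest)),
            fixed_response(lying + SECRET, len(lying)))


if __name__ == "__main__":
    print("unpatched, honest length :", leaked_bytes(2))
    print("unpatched, claimed 64    :", leaked_bytes(64))
    print("patched (honest, lying)  :", honest_and_lying())
```

The leak is whatever happens to follow the record, which is why, as the talk says, what comes back is unpredictable: the check on the record length, not the declared length, is the whole fix.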

So I'm going to actually switch over to one that happened this year, because this is one that I've actually spent a fair bit of time messing around with. So I thought it would be worth noting. There was a vulnerability called universal cross-site scripting. It's specific to Internet Explorer, but it was specific to all versions of Internet Explorer, or at least the most recent, like four versions, when it came out in January of this year. And what this is, it's actually not a cross-site scripting flaw. Even though it was called a universal cross-site scripting, that's what the media called it. It's actually a bypass for the same origin policy.

Same origin policy. That's basically a security feature in your browser that prevents scripts that come from one place running against other places or other origins. So without this working, basically the whole internet would be completely compromised by cross-site scripting because it would just work everywhere.

So the bypass itself in this particular case was actually very specific. It had to do with iframes. So you're basically loading some content from somewhere in an iframe and then you basically trick the browser, the JavaScript engine in the browser, into thinking that what's in there is actually from the same origin that the script is running, and so therefore it's okay to access it. That's it in a nutshell. And for those who've actually delved into this, the proof of concept that was out there, there was one out on the internet you could go play around with. There were pop-ups you had to accept and buttons you had to press. I messed around with this and got it to a point

where there was no user interaction required at all. So I could actually get it to run inside of a VM on IE, and it would just instantly start working against whichever site I was targeting. So pretty cool. I didn't publish that, though. It's not something I want available on the internet. Really, really bad because it just works, you know, especially against an organization that has, you know, Internet Explorer as their standard browser. Good thing that it's been fixed. I don't know if you can see this. The date on there, yeah. 09 of June, 2004. In the vulnerability, where was this, CERT, there we are. The vulnerability that closely resembles this one, in fact it could even be the same one, I don't

know for certain if it is, but it really looks like it is. I mean, they both involve iframes, they're both the same origin policy bypass, they're both executed in very similar fashion. One was from 2004, the other one's ten years later. So it kind of makes you wonder, was this vulnerability in place over that ten years? It might have been. I don't know if it was ever fixed. I never found any evidence that the 2004 flaw was fixed. So that doesn't mean there isn't. I just, I never found any. So talking about iframes, I know I'm kind of picking on a little thing right now. But you guys, any of you remember

seeing this one before, the pixel perfect timing attacks? Basically, Paul Stone, he issued a white paper with a, there's a technique on here for using, he would use basically the, is it the filters, the HTML5 filters for doing text shadows and things like that, to pull pixels out of an iframe? So an iframe that JavaScript outside shouldn't normally be able to access. It could at least determine, based on the timing, how long does it take to render

as it's going through the filters. So for example, if you do a really big drop shadow on something, it might actually take a half second for that to render, I'm exaggerating, versus if the pixel was black versus a lot less if it was blank space or white. So with that, along with OCR technology, so object character recognition, that's how you can take something that's basically an image and infer text from it. Basically, it's able to read data out of those boxes. So that's another one that has to do with iframes. Protection from iframes, for right now, the best thing we can do is use the X-Frame-Options header. And I still run into lots and lots of websites that don't

do this, even though they have information on there that they should. And this is a small thing to fix. It's not really a big deal, adding the same header on things. It's so easy to put an asterisk there.

And the other thing to keep an eye on is the CSP, content security policy.

Being a developer and looking at this thing, I can see that it's probably not going to be adopted very quickly. CSP is complicated. You can't retrofit an existing site to use CSP very easily. You pretty much have to rebuild the whole thing. It's too expensive, I think, for organizations to actually entertain fixing old websites and making them CSP compatible. All right.

much everything I want to say. I do want to bring up two other points. Marcus brought up at least one of these earlier, and these are two things that we see a lot on pen tests. And I don't have a zero day, a specific zero day to mention with these, but just all of them sort of together. This is another thing that we notice often is, first of all, are you monitoring the logs? Are you logging all the things, as Marcus said earlier? And

of the time things are simply not being logged. I mean, I run into internal tests all the time. Hey, are you logging this? It's like, well no, there's logging there but we just haven't turned it on yet. Anybody else run into that? Yeah. Everyone's chuckling. Yeah, that'll go. You have to read the logs too, yes. So that's the other half too, right? So the logs are there but we just, somebody looks at them maybe once a month. I actually have tests sometimes where they are monitoring the logs, but it's sort of a weekly or bi-weekly process, and I'll get an email from somebody or a phone call and they'll say, hey, last week when you were doing your tests, were you doing

this? You know, it's like, it's kind of late to be asking me this, you know? Yeah, I mean, what if I say no, it wasn't me? What are you gonna do then?

I always got to clarify that with clients too. If you see something weird on your network and I'm doing a test, don't assume it's me doing the weird thing. It could be somebody else. I'm not going to use WAR files. I'm just there to test. The other one is, are you scanning? It's really depressing getting on site to a client.

basically spin up an automated scan to start things off. And you realize that they either don't even know what a scanner is, never used one before, or

they've used one and they've looked at it, but they've never actually actioned anything from the scan. Except risk. Except risk. Yeah, except all the risk. Can you characterize maybe an average customer size or whatever? Like I can see a 10, 20, 100 person shop not being into this versus, say, big enterprise customer or financial out-of-the-wall. I find this across the board. I had a 475-person defense contractor who said, we put Palo Alto Networks firewalls in, so we're secure, right? And I said, who reads your logs? I mean, that's good. I'm glad you got a good firewall. That's solid. How often do you read the logs? And they literally turned to me. This is the IT director, the head of network, everything goes,

logs? My point is, you know, like I've worked with small jobs. No, this isn't the large defense contractor. ... don't want to think about this. Want to hire someone to come and be healthy. Yeah. And then, of course, the enterprise customers, you would think you really should know a lot better. They should. And you've got billions of dollars of assets. But we find it across the board. And it doesn't mean that everybody is really bad. We find a whole spectrum. So there are some clients that actually do a really good job with it. But the point is, there are a lot that don't. There are a lot of bigger risks.

So I think that's where, so like for us, a lot of our clients, you know, if you have a five-man team, you can't afford to pay me $1,000 an hour to not get work, right? So what we do is we look at it. Okay, the big dogs can pay the premium price, and they rightfully should, so we charge them the premium price, and then we actually take a loss on the hours that we spend for the smaller guys because it's just important for them to get security as it is for the entire part. I think that's kind of how we have to adjust as an industry is stop trying to make, you know, hundreds of

thousands of dollars off these people who have not even put power boxes in security.

So here's my takeaways. Definitely evaluate your zero days as they, you know, if a new one comes out, take a look at it, determine what your risk level is with that, address it. Don't forget and keep fighting the good fight if you're running into management barriers on fixing all of the old things, all of the vulnerabilities that are already there. Make sure you're doing your monitoring, make sure you're doing your logging. Don't forget about the little things. Just because, hey, there was a vulnerability at one point in time that had to do with iframes, but then that went away so we don't have to worry about it anymore. There have been several, actually, with iframes that have popped up over the years. And it is a small thing. It's

not something we really worry about so much, but maybe we should still take care of it. And that one, iframes, I pick on that one. That's something that developers should be aware of as well, because they're so intimate with the code. And that's pretty much it. So thanks, everyone.

What are we up next? What's up next? We have questions. Questions, anybody? Any questions? Yeah, I'm just curious. Like your point 2, 2, 4 in the previous slide all makes sense. Motherhood, apple pie, good, and I'm sure a good point for your clients. But what do you suggest they do for point number one to evaluate their risk of zero days? So when they're not known, is it just to be monitoring other sources to see when they come up and maybe they have to get patches?

I'm just curious, what do you do? Oh, what do we do? How do we discover when there are zero days? Your takeaway is to evaluate risk of zero days. Yeah. I'm just going to wonder what you mean by that. OK. I guess I should clarify is once a zero day becomes public. So obviously, you're not going to know about a zero day if it hasn't been announced yet. Right. So what I meant by that is so all of these, if you take a look again at everything that came out, like Shellshock and Heartbleed, when something like that you become aware of it, it becomes public knowledge. There should be a scramble right away to say, okay, well how badly does this impact us? Evaluate it, and is there anything that we can do immediately to address at least some of the risks associated with it? So

what I'd like to talk about is, and I might have mentioned it earlier, I don't believe, I don't think zero days should dictate your policy at all. And I think you're right. There's plenty of stuff that they should have been doing well beyond. We saw recently a couple of breaches that they were like on the heels of like a Heartbleed. And then we come to find out that the company had been breached for years. That happened with one of the health care providers that got breached. People said, oh, we got hit with Heartbleed. And then they come to find out that they hadn't been thinking into malicious hosts before. a year, way before Heartbleed came out. So that's hilarious to me. I don't like basing it. Do all the stuff that you could do, and then worry about zero days. Yeah. I mean, zero days, managing those really should be based on, I mean, it's an exercise in risk, just like everything else. But we don't want to forget about all the stuff that's out there. Anything else?

I was going to say, Jason, one of the things I've been struggling with is I've started to try to talk to developers about the developer ethics of security. So we're reaching a point, I believe, and I'm trying to figure out if you agree or not, there are certain decisions that the organizations can no longer make because they have proven themselves incapable of weighing the risks. And amongst those, I believe is two-factor authentication especially, or other things that we know as a community, it needs to become just something that the developer just does. And if the client rejects it, the developer should resign or charge way extra money to show that this is a negative decision that you're making. And because we're ethically obligated, we're not just gonna do it. So the default should be the reasonably more secure option. And stop letting the business people decide because they can't make a decision. It's like, no, buy the $300 of YubiKeys and use them. Like, you don't have a choice. Right, but that actually creates a problem too. So security's kinda tricky, there's a cost-benefit analysis, right? We actually just had a conversation about this earlier. So one of the major banks here, one of the first things they said was we want to change passwords and force people to add two more characters to their password and change them on a 90-day period. By doing that, they spent 10 times more money supporting phone calls from customer service and creating issues and lost brand recognition than by keeping it simple. So the dangerous part there is, while any of us, I use YubiKeys, we are all about two-factor. There's certain instances where, think about the people that you meet on the street and you talk to all the time. I mean, they can barely remember their password. Do you think they're going to keep track of it? Right. If you work from the bank. Sure, internally, you're absolutely right. It's not an option. Right, so you're absolutely right. Internal security is one thing, though. You have to think about it. You can't just say a blanket everybody. External security is tough, though, because you have to think of the consumer. You're never going to stop it, right? Because if you attack that consumer while he's getting in there, the two-factor still means nothing because you're not validating who's using that two-factor. once again. So it doesn't really solve the problem. It actually can create more problems if not done. But I absolutely agree on the inside. It definitely needs to be done. I just think there's a big cost risk. And to say that they're not doing that, almost every Global 500 company that we've dealt with, they actually do an extensive amount of assessment just to see, well, what would the implementation of this two-factor RSA token cause?

Which, by the way, if I recall, RSA was breached. So I mean.

the internal aspects of that one. When they make it complex on your own users, you're adding costs, you know. I mean, so any security thing you do, it costs a lot of money. It's gonna, it's gonna cost; you got to weigh the benefits. I think security is supposed to support the business and, like I said, my mission and his mission was just let the people be able to do their job and try to build a good way to run it right. What do you, I'm

So about the developer resigning, it's possible, but it's really tough because you've got a lot of contract developers that are desperate for the money. You've got a lot of developers, you know, over here in this country, we're fairly spoiled for developers in terms of there's a lot of them. They get paid very well and there's an incredible market. I mean, I'm looking for AngularJS people right now and they're up. Yeah, to find. But it's tough in other countries, man. There's developers working for 10 bucks an hour or less. Irrespectively, it's gonna be a business decision to do these things. It is not a technological decision. Because honestly, from a business perspective, if you don't build what I want, I'll just find someone who will.

It's a business decision, it is not a developer education decision. It is a wonderful thing to have developer education, but the business people make the decisions, you have to deal with that. Realistically, you have to impose that from above. I've been working with NIST a very little bit and working with some MITRE people. The new NIST standards, if you haven't read SP 800-171 and SP 800-160, go get a copy. Especially whoever it was that said about the developer education bit.

even though it makes sense from your perspective, there is a higher cost. I mean, that's the tough part because from a tech standpoint, I'd lock everything down. I'm like, you know, if you're going to sit in the lock-in room and double locks me outside, you're not touching anything. It's just not realistic. It costs me money and it costs my clients money. Yeah, it's definitely a challenge. Just, I mean, great discussion overall, I think. Very good discussion. I mean, my take on it is, it is a challenge. We have different groups with completely different goals that basically they have to somehow work together in order to get to where they're going. We see not even taking the business out of the equation for a second. You see the same types of issues between just security and development often where they're not quite lined up. They're not on the same page on how they want to get things done. So it's tough. I don't have the answers right now. If you're not, you can make a lot of work. Yeah, I was going to say, if I did, I'd probably be. If you had to answer, that means everybody would be out of a job. Yeah. Great.

OK. Thank you. We have lunch break now.

Maybe we're good? Yes, sir. This is Paul Burbage. Let's give a round of applause to him. He's going to be talking about bypassing two-factor auth with Android RATs.

Thanks, man. Welcome, hackers. My name is Paul Burbage. And today, I'm talking about bypassing two-factor authentication with Android Remote Access Trojans. So kind of bleeding over, it was in the last talk about two-factor. So it was pretty cool that kind of led into this discussion. A little bit about myself. I'm a security threat analyst, mainly handling customer-submitted malware samples right now for PhishLabs. As of June 6th, I've been there for about three years. And one of my passions about malware hunting is also taking a look at PHP and finding vulnerabilities within those malware C2 panels. So I'll talk a little bit about that too in my talk. Being a drummer, I'm a huge Red Hot Chili Peppers fan, so I really like Chad Smith. Definitely want to be like him.

So today we'll talk about why miscreants are utilizing mobile remote access Trojans for account takeover. We'll talk about three different families. How are these being spread in the wild? Have some examples of some previous campaigns. We'll talk about the command and control infrastructure, mitigations of that, if you're an organization who's thinking about switching to two-factor or if you already have. We'll talk about some of the means of combating some of these attacks on the mobile side. And my personal passion, as I already talked about, is the vulnerabilities of these malware families. So we'll get into that as well.

First, a little disclaimer. Since some of the... There are some live links maybe in my presentation, so you definitely don't want to visit those on your mobile device. We'll also be talking about exploitation of proof of concepts of live malware, so do not try that at home unless you like to be visited with men in suits. So as financial institutions implement two-factor, these miscreants are

this for account takeover. No longer is the possibility of solely getting the username and password for account takeover necessary for a full account compromise. So anyone in here have a Google account? Yeah, several folks, right? Has everyone implemented two-factor on that? Yeah? How about LastPass?

Recent breach with them, right? They came back and said, yeah, definitely want to implement two-factor with that. But that's not the end-all, be-all, right? One of the main issues that we see with some of these financial institutions, their user base is already used to going out to third-party stores to look for the unofficial application for that site. You have Joe Schmoe that realizes with a customer of XYZ Bank, there's not an official application. user base is already used to finding these unofficial applications in third-party repositories or even the official ones. And it's a very low entry point for miscreants to get into this type of malware. Some of the families I'll talk about, they're freely available, well not freely, but they're relatively inexpensive and low entry point compared to your PC man-in-the-browser malware. There's also a lack of mobile antivirus adoption. some slides here of recent samples that have hit VirusTotal, and we'll take a look at the signature count of how many AVs actually are popping for these types of families. Kaspersky put out a very interesting report last quarter of 2014. They said one in five Android users have encountered some type of mobile threat in that last year. So you're starting to see that ecosystem evolve. see more as a, especially developing nations, they might not have the financial backing to purchase a full-blown PC. What are they turning to? Mobile devices to access that internet.

I'll take you through the steps of a traditional phish account takeover. So our evil miscreant here on the left sends out a spam campaign that contains a link to a phish. Our victim clicks on that link. just like the banking website that he's used to logging into, plugs in his username and password, right? Sent back to the miscreant. One other attack, now we're talking about mobile attacks themselves, is you may have run across them on the internet. You can create an account on a website and plug in a URL, and it creates an Android application that's automatically shipped off to the stores. So in some of the attacks that we've seen, one issue of concern is utilizing these store wrappers, as we call them, to wrap the actual phishing site. So there's been a couple of examples that I've run across where a miscreant was using a compromised website to host a phishing form, just a username and password login form. He wrapped that in the Android application and it was pushed to Google Play as XYZ Bank. Users, you know, looking for that application on the official Play Store then downloaded that and divulged their credentials.

But as that bank implements two-factor, let's take a walk through this.

with the normal spam campaign or PC malware, as I'll show you with one of the families, sent to the victim, captures that username and password, and is also sent back to the miscreant. But now that phishing site also gives some verbiage about, well, you need to download our new mobile application to make you more secure, right, in order to capture that SMS. Most of these, by the way, are solely to capture that SMS one-time PIN.

That SMS is sent to the victim. Since that miscreant has a remote access Trojan on the mobile device, he now has a copy of that PIN. So that's essentially all the pieces of the pie for bypassing two-factor. Any questions on that campaign style? This was, yeah, I didn't draw them by hand. I'm not that talented. I forget which website. It's like free graphics, open graphics. released under common license or something like that. Can I actually retweet that picture? Because I have that t-shirt. Yeah, absolutely. Yeah, everything's up. You used to wear it for project management. Oh, yeah. Read the fucking manual. That's right. All day.

Yeah, absolutely. So the question was, what is the timeframe from, or the duration of the timeout for that SMS PIN, correct? So yeah, that's definitely one of the mitigation factors. And I haven't studied actually, you know, with most systems, I think Google Authenticator even is 24 hours, if I'm not mistaken. I may be wrong in that. But generally, there's some leeway with the duration, and as one of the mitigation factors we'll talk about, you know, decreasing that value as well.

So how are these remote access Trojans being presented to the users as official applications? One other method that they're utilizing is a method known as binding. So taking a look at the PC malware in comparison, you may know of it as packing an executable, whereas on the Android side, we call it binding. A lot of the toolkits, so this is actually a screen of one of the remote access Trojan C2s. It handles APK generation for the actual malware. And also, you're able to upload or bind this application with an official looking application that the user would be then tricked into installing on their system.

screenshot of another binder here. All right. Let's talk about the two different communication and control types. Just as with PC remote access Trojans, I like to break those in pretty much the same categories. You have your Java C2, which runs on PC.

One of the families that we'll talk about there is AndroRat, also known as SandroRat and DroidJack, which is now able to be downloaded from their website. The other C2 type, the one that I like to find vulnerabilities in, is the PHP panel variety. So these are hosted on compromised VPSs or websites that the miscreants have unzipped the PHP website to in order to have C2 from these compromised mobile devices. we'll talk about here is iBanking and Dendroid.

Taking a look at the Java C2, again, the evil miscreant actually hosts the server on their PC. They have to port forward that from the internet to have it routable back to the PC. Usually you see these set up with some sort of dynamic DNS account, like No-IP or DynDNS, one of those free services for dynamic DNS hosting. So it begs the question too, running this type of C2 on the computer, does that open up the miscreant to application vulnerabilities? There's a really good talk recently, I think at B-Sides London, a researcher was talking about some of the exploits in, oh shit, I forget, one of the PC, to mind, I'm sure, after I finish talking about it. But anyways, one of the remote access trojans for PCs, he was able to find a file download vulnerability. So any requests that he sent to the server, he was able to download any file from that computer. That's pretty neat. Man, I can't remember the name of it now, but all right, I digress.

there's these websites or hack forums, semi-underground, where these families have been leaked out. A lot of the malware, the RATs that you see on there are backdoored by the people that are releasing them for free, right? Getting nothing for free, right? One of the huge issues with this, since we're hosting it on the PC side, is that it's extremely flood susceptible. Whoops.

Let's talk about the PHP C2. Panels as they're referred to in the underground vernacular. One of the huge issues with this is lack of input validation. So you have everything from SQL injection, shell upload, remote and local file inclusion. It's also being hosted on usually scarce resources on a compromised site or VPS. Definitely susceptible to layer seven flooding or HTTP flooding.

One of the first families we'll talk about is AndroRat. This is an example of the Java C2 I was talking about earlier. First discovered in the wild August 2014, targeted Polish financial institutions. And this is actually the lure, email lure on the right, masqueraded as an official notice from Kaspersky saying, hey, you need to download our latest Android security application. So as you can see, it's kind of fuzzed out, but it's .apk there.

And then, let's see, this also targeted German financial institutions, and that was masqueraded as a Google service framework update. The actual attribution of this is from a gentleman in China, Sorry, not China, but India. And he is now using, it's now called Droid Jack.

Some of the capabilities of this remote access Trojan, complete file manager, SMS interception, of course, two-factor bypass. IM spying, contacts grabbing, GPS tracking, records calls and audio, right? Remote bug, if you will. Same thing with the video, remote spy cam.

I was talking about. Available now at DroidJack.net for the lifetime price of $210. You can own this Trojan. Is that USD? Yeah. Yeah. Another screenshot here too on the left of the actual Java C2 that's running on the PC. So it handles everything from not only the bot check-in, APK generation, binding, and so forth.

prevalent. I pulled these stats on Thursday. Source being VirusTotal Intelligence for this. Still very widely seen in the wild.

So in the lab I set up, fun thing about what I do is being able to play with these families and, you know, wanted to mimic how long would it take for a simple SYN flood to knock one of these offline. It really didn't take that much at all. So, again, being a Java-based application and poor coding standards, these guys aren't necessarily going through quality assurance compared to an actual product that's being released officially or legitimately in the ecosystem. Any questions on DroidJack? Good to go?

Next family I'll talk about is iBanking. So this targeted financial institutions in 2013 and is still very active today, mainly in Europe and Asia where most financial institutions have implemented two-factor, right? Not so much of a big deal right now in the US because unfortunately we haven't really jumped on that bandwagon. Famously used by the NeverQuest, also known as Vawtrak crew. Is anyone familiar with that malware family by chance? Not so many folks? Okay, cool. I'll talk about that here in a little bit. When this was initially sold, you could tell that the end buyer that was purchasing this crimeware kit was solely set up with crimeware intentions. These other families have really nice slick GUIs and it's mainly to attract that noob customer, right? But with this family, solely being sold for crimeware. So you'll see the UI is not that slick, but they have features like after a campaign's over, I want to delete all traces of this Trojan on the device. So you'll start to see some of that more anti-forensic capabilities in this type of family. Source code was leaked in 2014. And of course, especially with crimeware, as an example, the Zeus malware, as soon as you release a leaked copy like that, it spawns several variants for that. So starting to see that now, of course. Going back to Vawtrak, Vawtrak is a man-in-the-browser PC malware family. What that means is as

a computer is infected, as that victim visits a website, there are specific JavaScript injections that are injected into that stream to not only grab the username and password, but they might also

or a prompt for all your user information, credit card numbers, list goes on. So taking a look at one of the Vawtrak configurations that was pushed out about a month or two ago, we saw a bunch of PNG Base64 encoded strings within this Vawtrak config. So I pulled that down, scraped the image, Base64 decoded that out and dumped it to disk, and I started looking at these images here. Facebook OTP or one-time password. It's like, okay, interesting. Some other pictures here that were decoded. So what we're seeing here is the actual picture decoded injection for the instructions of how to install this Facebook application from an infected Vawtrak victim computer. Does that make sense?

All right. So to give you a little background on this, I went back after taking a look and seeing these images that were decoded. There were a couple of obfuscated lines of JavaScript in there. Decoded those, and sure enough, there was a hot link to an actual APK download. that anyone in here has done APK decompilation? Is Jason in here? Jason? A little bit? So, essentially with an APK, you can actually reverse it to somewhat readable Java or Smali code. So you run a decompiler on that and just grepped out any URLs and sure enough, I plugged in that URL, you know, of course, in OPSEC on the browser, but took a look and it was the iBanking login. So iBanking family still, you know, that was two months ago from a Vawtrak config that's still being used in the wild. Some of the features of this family, capture SMS and call list, send SMS, premium rate scams, if you will, right?

Not much big in the United States, but overseas there's the method of doing transactions and sending money via SMS actually. Call phone numbers, premium rate scams. Incoming call redirects. So if I've compromised a device and I know that the bank is gonna call that individual to verify a transfer that I made fraudulently, why don't I just redirect that call to me? Yeah, that was my freaking transfer, right? Record calls and microphone. And one of the biggest things I kind of touched on earlier, wipe all device data after I'm done with that particular victim. Still very prevalent, still fresh samples, hitting VT.

So I talked about the source code leak in late 2014. A security researcher by the handle of Xylitol pulled this down and found an unrestricted file upload vulnerability. Of course, it's being patched now in the wild, but just goes to show you the lack of input validation on these types of C2s is definitely prevalent. What's that? Oh, Xylitol, yeah. Very good malware researcher. And this is actually pictured down at the bottom. This is the login interface for iBanking. Again, compared to the other families, not too much splashy GUIs to attract the noobs here. Kind of broken English. In your browser must be included cookies. I'm going to show you the proof of concept. Again, this has been patched.

Within sendfile.php, what this file was originally intended to perform was any type of recorded audio on the capture device was submitted to this and that would be dropped into the sound directory on the server. So there was no type of file MIME type checks. There was no type of extension check. So what you can do is essentially upload PHP. In this example, uploading a PHP backdoor shell and then having full capabilities as the privileged account of whatever's running in Apache on that web server. Last thing we will talk about is Dendroid. March 2014, CERT India. quite a few warnings about this particular family. It was originally marketed for $300, and the binder author actually seen some forum traffic between this particular author and AndroRat, or DroidJack, right? So they were going back and forth and discussing different methods of how best to implement a binder, and so there's quite a few similarities between the binder of this family and DroidJack. features is probably the most feature-rich family for mobile RATs right now. Access those call logs, call phone numbers, again, premium rate scams, open web pages. You can probably think of some type of social engineering type of experiment that you can do with that. Record calls and microphone, intercept text messages, of course, exfil and upload files. We store everything on our device now. GPP flooding, that was kind of a unique feature. I haven't seen actually a DDoS client for mobile implemented yet in one of these RATs. And one of the other unique features

is that it actually has hard-coded forensic capabilities for some of the messaging apps like WhatsApp and whatnot. You can still, you know, passwords and stuff for some of those well-known applications. any type of like save form file in the browser and whatnot. Still very prevalent. It's probably the most prevalent out of all the families that I see.

This is a screenshot of the actual C2. You know, again, compared to iBanking, a lot of time went into the JavaScript and the Ajax, but luckily what I'll show you is not too much QA went into the PHP server-side code. So I'll talk about a vulnerability there. Again, Google Maps, tracking your victims on a Google Map display, several features within this particular family.

So this panel source code was actually not only the panel, but the entire family itself from the APK generation and the panel was leaked August of 2014 on GitHub. immediately pulled down the code and discovered a PHP remote code execution vulnerability. So essentially how this works is the apply settings.php file. This was supposed to only be accessed through the logged in admin, right? But what you can do, since there is no check for that, this file writes anything to config.php. So now we're able to write

any text to a PHP file, thus we have remote code execution. So in this example, I'm just pushing the get parameter C and I'm passing that to the system function for remote command execution.

Once that config.php file is rewritten, it completely zeroes out everything. So not only is this remote code execution, but essentially it's denial of service, effectively ends this PHP panel's existence. Because as that config file is rewritten, it doesn't know how to talk to the database, and it doesn't know how to authenticate users. And it just completely wipes out the panel. So it is quite noisy. Now we can run system commands.

Passing, you know, earlier wrote the get parameter of C, passing that into the system function and then being able from there any parameter that I specify or argument rather for get parameter C, it will be displayed and rendered back into the browser for remote command execution.

Any questions on the family so far? about some of the FUD when it comes to mobile malware. The thing is that these families take a high level of social engineering for them to be implemented and for a successful campaign, right? When you think about it, a user has to not only download outside of the App Store, which is a flag on Android, although outside of the United States they're already used to that, right? especially overseas in Asia, they don't actually ship with Google on the phones. So you already have third-party app stores enabled by default. So that's one issue.

Second issue is whenever that user is presented with, you know, there's no hiding of all the permissions that these things, these things request every permission available to it within the developer API. So you'll take a look at that once you install it. I mean, it's everything under the sun that it requests permission to. And of course, what do users do? Sure, okay. It happens. Right now with all these families, there's really no operating system level exploits.
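The "everything under the sun" permission pattern the speaker describes is something a defender can triage mechanically. The following is an added example, not code from the talk: it takes a decoded AndroidManifest.xml (binary manifests must be decoded first) and groups the requested permissions into the capability clusters the talk attributes to these RAT families (SMS interception for OTP theft, call control, audio, location, contacts, persistence), flagging an app only when several clusters co-occur. The permission names are real Android permissions; the two manifests, the package names and the threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability clusters described in the talk, mapped to the Android permissions
# each one needs. Scoring by cluster rather than raw permission count matters:
# SMS access alone is normal for a messaging app; SMS + call control + audio
# + GPS + contacts + boot persistence in a "bank" app is the RAT profile.
RAT_CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS",
                     "android.permission.READ_CALL_LOG"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def matched_capabilities(perms):
    """Capability clusters for which at least one permission is requested."""
    return sorted(cap for cap, needed in RAT_CAPABILITIES.items()
                  if perms & needed)


def assess(manifest_xml, threshold=4):
    """Triage verdict: which RAT-style capabilities the manifest enables.

    An app is flagged when it spans at least `threshold` clusters, or when it
    can read incoming SMS (the OTP theft primitive) and also survives reboot.
    """
    caps = matched_capabilities(requested_permissions(manifest_xml))
    otp_theft = "sms_interception" in caps
    suspicious = len(caps) >= threshold or (otp_theft and "persistence" in caps)
    return {"capabilities": caps,
            "otp_theft_capable": otp_theft,
            "suspicious": suspicious}


# Constructed manifest mimicking a trojanised "bank security" wrapper.
RAT_LIKE_MANIFEST = """<manifest xmlns:android="%s"
    package="com.example.xyzbank.secure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="XYZ Bank Security"/>
</manifest>""" % ANDROID_NS

# Constructed manifest for an ordinary SMS client: SMS + contacts only.
MESSAGING_MANIFEST = """<manifest xmlns:android="%s"
    package="com.example.textclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Text Client"/>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for label, manifest in (("rat-like", RAT_LIKE_MANIFEST),
                            ("messaging", MESSAGING_MANIFEST)):
        print(label, assess(manifest))
```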

One thing that we will see, I think, is as mobile market saturation,

As I discussed earlier, some of the developing nations that are just now discovering the internet, they're not buying PCs, they're buying mobile devices. So I think these types of RATs will definitely be more prevalent in the future. And also, again, the PC man-in-the-browser crimeware, it's mad expensive, right? successful campaign, but with these, not only can you find freely available or leaked copies, the entry point themselves are, you know, less than $300 just to get started.

touch a little bit on mitigation. We already mentioned it a little bit earlier, and so as your company is considering implementing two-factor, or if they already have, realizing that you, okay, well we moved away from maybe PC malware from the aspect of the only thing that's needed is username and password. So we defeated phishing, but we still see phishing attacks is the main issue. People still phish you even if you have triple factor authentication, I think. The other realization is that as you to two-factor, you now have a new attack source. So you need to plan to mitigate those Android applications as well. So one thing you can also do is manage for spam bots and DMARC for brand attacks. After PIN timeouts, we kind of mentioned that earlier. And finally, it's up to us to communicate with our user base the dangers of allowing third party installs. And of course, reporting these suspicious activity to our security operations centers. That's pretty much it for my talk, guys. I appreciate it. Feel free to reach out to me. This is my work email here, and I'm also on Twitter.

Yeah. Have you dealt with two RATs on the same mobile device before? Two. Sorry. So if one RAT exists on a mobile device already, have you actually had an experience where you've either tried in a lab or you've seen another RAT try to be installed on the same device? I have not. Are there conflicts? I've heard of malware taking over malware and things like that. My guess is with Since we're talking about more of a sandbox environment on a mobile device, I don't think they would impact one another. At least I haven't seen it in the code. You know how some malware might actually check to see if there's other malware present and either kill that or go away? It isn't really the case with mobile malware. Male Speaker 2 Yeah, I've dealt with that in the PC world a lot. But mobile's another end. Male Speaker 2 Yeah, I haven't really seen that with that, these particular families. Good question, thank you. Any others?

Well, I thank you for your time. I'll be here all day, so feel free to stop by, hang out. Thank you.

Welcome to Ben Brown, he's gonna talk about defending against doxing. And we'll have our attention in the next 45 minutes. All right, hey everybody. As Dave mentioned, this talk is on defending against doxing. I thought I'd make the slides a little more relevant for the place and context. I'm sure a lot of you from this area know where that is, up on the parkway. So who am I? Some relatedness for you. I am an incident response engineer and threat researcher at Akamai Technologies. I do systems architecture reviews before products go live and for major changes. I also do trainings and workshops for incident management. And what I really, really love doing is spending a lot of time on the seedy underbelly of the internet and getting about different actors and their tools and their methods and things like that so that we can then use that to better protect ourselves and our customers. All right, so two of the terms that we're going to be talking a lot about here are doxing and swatting. Doxing is publicly releasing a person's identifying information including but not limited to their full name, date of birth, address, phone number, and pictures. Sometimes that also includes things like social security numbers, bank account numbers, things like that. Swatting is to cause the SWAT team or the police to bust down somebody's door and raid their home based on false information. All right, so why should we care about those things?

Well, when someone's doxxed, that information can be used for pranking or sort of gray, shady marketing. It can also release sensitive information. We'll talk about one of the big releases of sensitive information that was very recent a little later. It could lead to online harassment, bullying, and cyberstalking. It can also lead to some scarier things like identity theft, swatting, and being targeted for physical attack. All right, so like I mentioned, it could be something like a phone prank call that you get because your phone number was released out there and that's obnoxious, but you can deal with it. It may also be something a little shadier. That guy's obviously shady. And those sorts of things are when somebody calls to try and social

engineer you or try and scam you. And all of the information from a dox can lead to them being very convincing in their scam. If somebody has your physical address, it could lead to something easy to deal with but annoying, like somebody leaving a flaming bag of poo on your doorstep. Or it could be something more serious, like having your tires slashed.

Sorry. Having your tires slashed. So those are hypotheticals. I'm gonna give you some real world cases of where people's information being released without their knowledge or want led to some unfortunate circumstances. So, and this is, I changed the names in it to try and give this kid a little more dignity back, but he was working for a bank and he emailed his boss about a family emergency. He's telling his boss, you know, I need to go to New York this morning. Sorry for the late notice. I need to deal with some family issues. And thanks a lot. So his boss writes back the next day. You can see it's November 1st. And he says, Tim, thank you for letting us know. I hope everything

is OK in New York. Cool wand. That's strange. Why would he mention a wand? And why did he CC the director? It turns out, unbeknownst to Tim, his friends had posted a bunch of information on Facebook. It's not on his Facebook, but it's linked to him, and he was tagged in a bunch of photos. And there were a lot of talk about this family emergency that he had in New York. Oh, yeah. Turns out the family emergency was going to a Halloween party and just getting completely trashed. And so the reference to the wand. And unfortunately the kid did lose his job because of this. So being mindful of what's out there about you is something that could save your skin.

So something a little more serious, Sunil Tripathi.

Anybody who was following the Boston bombing, marathon bombing,

were online on Reddit or 4chan or something like that, you know that there was some online internet sleuthing going on. And one of the people that Reddit had fingered as being a bomber early on, his name was Sunil Tripathi, and a lot of media started picking this up as well. And he was doxed on both Reddit and 4chan. All of him and his family's information put out there, so his family started receiving death threats, harassment, both in person and online. And it turns out Sunil was missing since before the bombings happened. And what had happened was he committed suicide and his body was found in the Providence River in Rhode Island. And so his family is having to deal with not only their son's suicide, but a lot of

threats and harassment as well in the real world. So that's a case where being doxed had a real impact. Another time in recent history is Amanda Todd, a girl who was blackmailed and bullied online, ended up taking her life. And Anonymous got into their white knight mode and decided we're gonna find the man who did this, and they ended up doxing the wrong man. This man, like the previous example, received death threats, harassment. It ended up being so bad that he had to quit his job, move across the country, and change his name to try and escape all of this. So it was a real upset for his life when he had nothing to do with the Amanda Todd case.

Another more public one was the fingering of the shooter of Michael Brown in Ferguson. And again, the wrong person, and his mother for some reason, they were doxxed. They never had any ties to the Ferguson Police Department. They also received death threats, things thrown at their house, so damage to their house, and they both ended up being victims of ID theft. You know, cards and bank accounts and things like that were opened in their name based on the information that was released, so

are things that you can deal with, but you're not necessarily being shot at or harmed physically. But in the next case, swatting, that can very well occur. When you have a bunch of armed people busting into your house, there are a lot of things that can go wrong in a tense situation like that. We know there are lots of examples of SWAT teams moving in and shooting a person or a dog just because of the way that they reacted or didn't react in time. So you can see a lot of examples of swatting going on. A lot of online gamers who stream when they're gaming. There's a, you know, when one gamer wants to take out another gamer, they'll call on the SWAT

team on them and there's a lot of recordings of this going on live. And

There are a lot of the outspoken female gamers and supporters of female gamers and game designers who were targeted for swatting as well. Ashton Kutcher was swatted twice. And of course Brian Krebs, who I'm sure a lot of you know, was also swatted. Though the good thing is, after the first time it happened, he got together with his local police department and was able to stop some future swatting attempts as well, which is really nice. So if you want somebody swatted

and you don't want to get caught or don't want to do it yourself, there are services where you can pay to have somebody swatted. So this is one of the Onion Router onion sites, a marketplace where you can purchase different services, and one of them is swatting. He says that he'll get it done within 10 days anywhere in the US for 100 bucks. And he has pretty good reviews. There are a number of people that used the service and were happy with it. And you can see this is rather recent.

Okay, so doxing isn't necessarily a US only phenomenon. There is an analog in China called the Human Flesh Search Engine. And this started out among academics that were trying to out people who they thought were putting out false papers or falsifying their research, things and usually what would happen is a group would get together on a forum and they would find friends and friends of friends who worked in different areas that could get them access to information about this person that they wanted to uncover. So it went from there to being something that was used to harm other people or scare other people and then also used by activists against who they thought were corrupt officials,

things like that. So it was a double-edged sword in that way. In the Eastern European and former Soviet bloc, they really like doxing celebrities. And they'll trade celebrity information and they'll sell it if you wanna buy it. There is also, excuse me, there was also for a while a website, I'm sure some of you have seen this, but leaked, and you can see here there's dox on Michelle Obama, Chris Christie, Bill Gates, Hulk Hogan, Britney Spears, Paris Hilton, Jay Z, Beyonce, and those had their personal cell phone numbers, their family members' numbers, their addresses, their social security numbers, a lot of things in those that you would not want out there. Alright, so how do doxers go about building

this profile of your identifiable information? Well, of course they use the Googles, and Google Fu is what a lot of them will call it when they just use, you know, basic operators and Boolean and things like that. There's also a Google hacking site that will do a lot of that for you, and one of the first things that a doxer will do, if they have either your username or an email address for you, is they'll go online and try and match usernames to email addresses and vice versa so they can find more accounts that you've been associated with. Also, if your information is up on a website or was up on a website but is no longer there, they can use things like the

Wayback Machine to go and look at earlier snapshotted versions of a forum or a website where that information would have been. Also, they look for variations of usernames and email addresses. If your username was like BigHack555, they'd then search for BigHack or BigHack55, things like that, to try and find more accounts that you were associated with. There are also automated tools that help them do these things faster and make it less manual. theHarvester. This one you can target individuals or a business and it'll go through Bing, Google, LinkedIn, and a number of other sources to find email addresses associated with that person or company, to find skill sets that are associated with them, businesses, things like that. Maltego. Maltego's useful for

really building a visual diagram of somebody's social network: who they're talking to, who they're involved with, what businesses they're involved with, things like that. Creepy is a Python script that uses Facebook's API to get information about somebody through their friends. So it uses some API calls for information that aren't available through the browser interface of Facebook. So even if you have your Facebook locked all the way down, your friends' connections to you can leak some information. Recon-ng is a very extensive framework for doing reconnaissance on a person or a business, and it includes some of the things that theHarvester and Creepy do as well. All right, so the next place they'll hit after Google is your Facebook account, your Twitter account, your

LinkedIn account, things like that, because those will give contact info, they'll give information about family members, where you normally go, what your patterns are, what your interests are, what skills you have or don't have, jobs that you have or have had in the past, as well as who your colleagues are. And a lot of the information that's found on Facebook, Twitter, and LinkedIn is information that could lead someone to being able to guess your security questions. your accounts so that they can then get in and see the account as the owner of the account would. Like one of the most common security questions is my favorite pet or my first pet. If you go all the way back through somebody's Facebook, chances are they've mentioned

this pet at some point. So that's just an example. For somebody who doesn't have Facebook locked down, this is some of the information that you can get. Children's names and ages, again that's useful for brute forcing somebody's password or their security questions. Your birth date, again good for guessing somebody's password or username. Contact information including email address and where you physically live, your current address. The colleges that you've been to, where you've worked, things like that. Also your political views and religious views, that could be used for social engineering as well. Right, right, right, so you're good.

Yeah, I'm trying to remember mine. I don't remember. Yeah.

So some other places that aren't like the Twitters: forums that you frequent, groups that you're in, or mailing lists that you're a part of. A lot of mailing lists keep archives. And information that you can get from that is somebody's birth date, their age, their geographic location. A lot of those things are standard when you sign up for a forum or group; it asks you to put those in. Also, for some forums that you may be a part of, it leaks information about what your secret hobbies or fetishes are. Also, it will show who you talk to the most on those forums or groups in your history. And so what that's useful for is being able to phish somebody

by acting like that trusted user that they're used to talking to. Also, breaches. A lot of forums and groups and mailing lists have had breaches that leaked the information that you thought was only between you and the admin or you and one other person that's now out in the open. One such breach that let out a lot of very sensitive information that is actively and currently being used to blackmail people is the adult friend finder breach. So if you go through the actual leaked info,

a whole lot of .mil and .gov addresses in there, as well as other companies. Akamai is not in there, yes. But, yeah. But, you know, again, that gives information about what your sexual proclivities are. If you're married and it shows you hooking up with other people, that's useful for blackmail, and it's useful information that they can do damage to you with. Also something that seems benign, Yahoo groups, especially groups like FreeCycle. If you go in there, people often will use the same username that they use on other sites, and they'll give out their address or their geographic location saying, hey, I've got this free thing, come pick it up at this address. So now you have their physical address as well. Whois

information is useful if you're not using a privacy or a proxy for registering your domain name. Then the whois information will include typically your full name, your phone number, your fax number, it still asks for that, your email addresses, and your physical address that you or your business is located at. Here's an example. So you can see for searchenginejournal.com,

when it expires, who the owner is, their email address, where they physically are, their phone number, and yes, she doesn't have a fax number because it's 2015. Data brokers, okay, so this is where the scary information comes from. So Spokeo, Intelius, People, PQ, a lot of CheckU, of sites like this, and what they do is they buy and aggregate data from various sources and then turn around and sell it to anybody who wants it. So the free versions of it, you can get full name including maiden name and ages, current and former addresses, and then lots of information about their family members and people that they've previously lived with. If you pay, then you get things like copies of their criminal records, school records,

retail activity information. You know, when you go in the store and the people ask you, you know, do you wanna put in your email address or your phone number, things like that, a lot of that information is bundled up and resold. So you can see, Intelius has three different tiers of where you can buy information. And,

the one that's the highest tier, the $50 version of somebody's records has a whole lot of information, including things like liens,

death records, lawsuits, things that you might not want out there in the public. And just really nasty, Spokeo, one of these data brokers, one of the ways that they advertise their service is that they will uncover personal photos, videos, and secrets, guaranteed. Come on, guys. Like, that's just, that's shady. That's true.

So, public records, another way that doxers can get a lot of information about you. If you've incorporated a business, if you've purchased land or a house, if you've registered a patent or a trademark, that information is public and you could see who your business partners are, your addresses, their addresses, histories of dealings with different entities and individuals, as well as mappings to other businesses that you may be affiliated with.

Well, there are ways to protect yourself against having your information out there. And we'll go over that in a little bit. So as you can see here on this, articles for incorporation. It has the business owners as well as their street addresses and their zips. Sometimes it'll also have things like phone numbers.

And along with a lot of the sites that you can view that aggregate the public information, it'll show almost Maltego-like connections. And a lot of times it'll show what other businesses you might have in association with other folks that you've worked with before.

And if you've purchased a house or a land, I'm sure this might look familiar to some of you who are from this area. This is Buncombe County's GIS and Deed Information Portal. So here you can see things like where the plot of land is as well as the address and full name of the person who owns it. You could see the property value and who owned it before. That's really good for social engineering, especially if they just sold it because if you pose as one of the people who just sold it to this person, they're more likely to open an email or an attachment or something like that because they've had current dealings with that person. that's

included are the improvements that have been done to the land or the house. And something that's a little scary, especially if you're paranoid, is it gives layouts of the house. You know, where different rooms are, how big they are, things like that. So if somebody wanted to cause you physical harm or break into your house or something like that, that gives them useful information. Yes? Most of, I think,

Satellite imagery as well. Yep. And not just satellite imagery of like one period of time, they'll give you a selection of different seasons as well.

Other public records that give out useful information, if you've given political contributions, then that typically will include your name, address, your affiliation, and how much you're donating. is again useful information when taken in tandem with lots of other information for tricking somebody into doing something. If you've signed a petition or a petition for recall, that'll give your name, your geographic location, and again, more fuel for social engineering because they'll understand what your leanings may be. EXIF data.

So if you've taken a picture with your phone or a video with your phone or a newer digital capturing device, a lot of times they have features that will give tag metadata onto these pieces of media that tell whoever's looking at it about the device or computer that was used, the software that was used, and the version. So that's, you know, it could be useful. Even scarier than that is a lot of times it'll include times and dates of when it was taken, as well as GPS coordinates of where that picture was taken, where that video was made. So here's an example of the metadata from a photo that I found online. It shows the time that it

was taken, as well as the camera that it was taken with, and the latitude and longitude of where that picture was snapped. So if you've got somebody's album of, you know, this is the park by our house or something like that, now you know a place that they frequent and exactly where it is and when they might typically be there. Another way of getting lots of information is social engineering. If you hang out in some of the forums or IRC channels that these doxer kids hang out in, they'll talk about how they called this person's ISP or phone company and acted like a spouse or a family member or a secretary or something like that and got the ISP or phone company to

give out information about calls that were made, what type of phone or plan they have, and sometimes even giving the doxer full access to the account online. And a lot of times the people that have the ability to do this, you know, are low-paid, tier one support people, and are typically easy to social engineer. So also calling current or former places of work and acting like somebody who's doing a background check or somebody who is at a new hiring opportunity can get a lot of information out of a secretary or somebody in HR. Posing to family as a friend of the person, or posing to friends as a family member of the person, especially when you act like

there's a lot of urgency or there's an emergency going on, people tend to get the adrenaline going and give out more information than they probably should. All right, so what do we do about all of this? I just don't want to be Chicken Little and say, oh, this is terrible. I want to actually give you something that you can do. So one of the first things that you should do if you haven't already is really lock down your security and privacy settings for social media, Facebook, Google+, LinkedIn, things like that. Be mindful in particular about the personal information that you put up there. You don't have to put real information. A lot of times you can leave a lot of those questions blank as well. Especially

on LinkedIn when somebody's trying to connect with you, make sure you know that person. Vet the connection. That is a common way for people to find out a lot about somebody: just send them a LinkedIn request from a false profile. Untag yourself in Facebook photos, especially if that photo was not taken by you and maybe has information in it that you don't want associated with yourself. Also, third-party apps, especially for Facebook, are really shady. They have a lot of access to your Facebook information, and these third-party apps can easily be sold off to somebody who might have more malicious intent like harvesting information. And so I would uninstall those. You don't really need to play Farmville.

Basic account security, use strong pass phrases. Wherever two factor authentication is available, please, please use it. Single factor authentication is very, very easy to bypass. Two factor authentication, it's possible to bypass, as we saw with the previous speaker talking about Android devices being compromised. Also, reusing passwords is, right now, it's really hot for people to use automated account checkers and brooders. They'll get information from a breach, you know, people's user names and passwords, and then just apply that across the board to a whole bunch of other sites to see where people have reused their credential information. So a breach from one site can lead to somebody hacking your account on a completely different site. So old accounts,

especially ones that have information about you and you're not using it, just clean them out, shut them down, turn them into shells. And retail sites, when they ask you, you put in all your information to order something and they ask you, do you want us to save this data for later purchases? Yes, it might make it easier to purchase things, but I would suggest not doing that, because it's not a case of that company might be breached at some point. They're gonna be breached, it's just when. So having that information not saved protects you against something like a breach like that. Whois information? You can use a proxy registration. You can see somebody here on the left side

who did not use it. It gives lots of information about you. But this service, Protected Domain Services, fronts their information instead of yours. I'm gonna ask a question on this one. Yeah. Is this about ownership? The transfer, but if you're a business and it's your business website, any of your business's UPS store or whatever on there, and it's on the website anyway, then the private registration ... You have a different threat model. So there's a balance. It's not all ... Sometimes, and that's really kind of my question, is how would you suggest people balance the need to be public, especially in a business, because oftentimes small businesses are owned by individuals or a small group, and they need to be known, not to

be completely unfindable on the internet. So you want to do ongoing CBAs. You want to do cost-benefit analysis, ongoingly. If you're a public figure and part of your income model is for you to be out there, then of course you're gonna have a very different cost-benefit table than somebody who wants to be private and doesn't want their information out there. And as we were talking about earlier, it's not one size fits all. Each person is going to have to take into account, you know, right for me, is this going to hurt my business more than it's worth the protection? And so it's gonna be different from person to person and business to business, and again

it's going to be different between individuals and businesses. So these are just general things that you can do, but you don't have to apply them if it doesn't make sense for you. So thank you.

And there are ways of incorporation that are good from a liability sense, but are also good from a privacy sense in that it is not directly tied to your personal information. You can have a business address, like a PO box or something like that, and not have it be your physical address.

Okay, so those data clearinghouses that we saw earlier, where you can pay for lots of information, all of them have opt-out mechanisms. So if somebody wants these slides, I'll go ahead and give them out, because at the bottom it has a meta list of pretty much all of the major ones and how you opt out of them. So Spokeo, People, and ZoomInfo are three of the largest ones, and they just require email verification for opting out. What's that?

I'm not sure if that one's there. The meta list might very well have that. I didn't put all of them up here. So, whitepages.com, they require email address and phone number, and they also cap how many you can do in a period of time for your own safety, whatever that means. And Intelius is like definitely the big dog. They gobbled up a bunch of other smaller ones. And their opt-out is, because they ask for a photocopy of a government ID. And if I'm opting out because I don't want my information up there, I kind of feel weird giving them more PII. All right, so when we were talking about the difference between individuals and businesses, you don't have to register or incorporate

a business with your name. You can use a doing business as or a fictitious name. Some states you don't even have to go through the whole process for registering it, you can just use it. And for the states that do require registration, you can usually do it at the county clerk's office or the state government's website. They'll have websites where you can search for businesses and entity information. Now when you're buying property or a house, you don't have to put all information out there about yourself or your property: your address, your name, things like that. You can do it through a holding corporation or through a land trust, and, you know, you want to consult a real estate lawyer, of course, for the right

way to set it up for where you are. But what will happen is either the lawyer's information will be fronted for you, or the holding corporation's information that you've registered with, say, a fictitious name would be fronted on those public records, so it won't actually be your information. EXIF data. So one of my favorite tools for messing with metadata or EXIF data is ExifTool. This works on Windows, Mac, and different flavors of Linux. And what this will let you do is you can delete metadata or EXIF information from videos and pictures and Word documents and PDFs. But if you want to go a little further and have a little more fun, you can put false information

into the metadata, like different GPS coordinates that show the picture was taken in Antarctica or something. In Windows, you can typically right click on a file and go to the property details and it'll give you some of the metadata, but not all of it. And to really lock down this headache, I would suggest going into your mobile device, your cameras, your equipment that's capturing this media, and turning off location or geotagging for those devices. A lot of times it's on by default. So this section, we're gonna get a little paranoid. A little more paranoid. So there's a concept in Russian military thought that's called maskirovka. And it's disinformation, but it's disinformation in a very particular way.
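As an added illustration of the EXIF point above (this is example code written for this transcript, not the speaker's material and not part of ExifTool), the following Python script shows what "does this photo carry GPS coordinates, and how do I get rid of them" looks like at the byte level. It walks a JPEG's segment chain, finds the EXIF APP1 segment, follows IFD0 to the GPS sub-IFD and lists the GPS tags there, then writes the file back with every APP1 segment removed while leaving the picture data untouched. The sample JPEG is constructed inline (a header skeleton with a GPS latitude, not a decodable picture); the function names and the tag-name table are the example's own.

```python
"""Audit a JPEG for EXIF GPS metadata and strip it, standard library only.
Added example: a hand-rolled reader for the JPEG segment chain and the
TIFF/EXIF IFD layout, doing by hand what ExifTool's -all= does for you."""
import struct

SOI = b"\xff\xd8"           # start of image
MARKER_APP1 = 0xE1          # APP1 carries EXIF (and XMP) metadata
MARKER_SOS = 0xDA           # start of scan: entropy-coded image data follows
MARKER_EOI = 0xD9
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825        # IFD0 entry that points at the GPS sub-IFD
GPS_TAG_NAMES = {           # subset of GPS IFD tags worth reporting (example's own table)
    0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
    0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude", 0x001D: "GPSDateStamp",
}


def iter_segments(jpeg):
    """Yield (marker, start, end, payload) for each segment up to and including SOS."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == MARKER_EOI:
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts itself
        end = pos + 2 + length
        yield marker, pos, end, jpeg[pos + 4:end]
        if marker == MARKER_SOS:
            break               # after SOS comes image data, not segments
        pos = end


def read_ifd(tiff, offset, endian):
    """Return [(tag, type, count, raw 4-byte value field)] for the IFD at offset."""
    if offset + 2 > len(tiff):
        raise ValueError("IFD offset outside TIFF data")
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = []
    for i in range(count):
        e = offset + 2 + 12 * i
        if e + 12 > len(tiff):
            raise ValueError("truncated IFD")
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries.append((tag, typ, n, tiff[e + 8:e + 12]))
    return entries


def gps_tags_in_exif(payload):
    """Names of GPS tags in one EXIF APP1 payload; [] if there is no GPS IFD."""
    if not payload.startswith(EXIF_HEADER):
        return []                      # e.g. an XMP APP1 segment
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return []
    ifd0_offset = struct.unpack(endian + "I", tiff[4:8])[0]
    for tag, _typ, _n, value in read_ifd(tiff, ifd0_offset, endian):
        if tag == TAG_GPS_IFD:
            gps_offset = struct.unpack(endian + "I", value)[0]
            return [GPS_TAG_NAMES.get(t, f"0x{t:04X}")
                    for t, *_ in read_ifd(tiff, gps_offset, endian)]
    return []


def audit_jpeg(jpeg):
    """List the GPS tags present in any EXIF segment (empty list means clean)."""
    found = []
    for marker, _start, _end, payload in iter_segments(jpeg):
        if marker == MARKER_APP1:
            found.extend(gps_tags_in_exif(payload))
    return found


def strip_app1(jpeg):
    """Return the JPEG with every APP1 segment (EXIF and XMP) removed; the
    picture data from SOS onward is copied byte for byte."""
    out = bytearray(SOI)
    keep_from = 2
    for marker, start, end, _payload in iter_segments(jpeg):
        if marker == MARKER_APP1:
            out += jpeg[keep_from:start]
            keep_from = end
    out += jpeg[keep_from:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: a JPEG skeleton (not a decodable picture) whose EXIF
    IFD0 points at a GPS IFD holding a made-up latitude of 35 deg 35' 47.12" N."""
    tiff = b"MM" + struct.pack(">HI", 0x002A, 8)            # big-endian, IFD0 at 8
    gps_ifd_offset = 8 + 2 + 12 + 4                          # IFD0 is 18 bytes long
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_ifd_offset)
    ifd0 += struct.pack(">I", 0)                             # no IFD1
    rational_offset = gps_ifd_offset + 2 + 2 * 12 + 4        # GPS IFD is 30 bytes long
    gps_ifd = struct.pack(">H", 2)
    gps_ifd += struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # ASCII, stored inline
    gps_ifd += struct.pack(">HHII", 0x0002, 5, 3, rational_offset)   # three RATIONALs
    gps_ifd += struct.pack(">I", 0)
    rationals = struct.pack(">6I", 35, 1, 35, 1, 4712, 100)
    exif = EXIF_HEADER + tiff + ifd0 + gps_ifd + rationals
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + app1 + sos + b"\x00\x00" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS tags before stripping:", audit_jpeg(sample))
    print("GPS tags after stripping: ", audit_jpeg(strip_app1(sample)))
```

The audit half is the useful part for a "check before you post" habit: run it over an export of your photo library and anything that returns a non-empty list still has coordinates in it. The stripping half only removes APP1 segments; location can also hide in APP13 (IPTC) or in a video container's own atoms, which is why the talk's recommendation of ExifTool, or better, turning geotagging off on the device, remains the thorough route.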

very successfully during the Cold War. If anybody's familiar with the Cuban Missile Crisis or the Bay of Pigs incident, you could see where Russian disinformation was very, very effective and almost led to catastrophic events. So what maskirovka is, is it's not just releasing false information. If you just release false information, then an analyst who's trained can look and see, okay, here are the gaps in this information, so that gives me an indicator towards what's actually going on. What the Russians did is they sent out lots and lots of disinformation, flooded comm channels, but they also seeded in actual true information. So then what it becomes is just noise, because it's all mixed up together and there's no

way without some outside bit of information of discerning which is false and which is true. You don't have those gaps to go by. So we can take that and apply it to protecting ourselves online. We can use different and meaningless email accounts and usernames because a lot of times your username or email account that you chose tells somebody something about yourself. So you can either do random characters or something that has nothing to do with you. The same is true of passwords, especially if they can get the unhashed passwords. Employing pseudonyms can be useful online as well, especially if you cultivate them. You wanna be wary of cloud services. Who here is familiar with the fappening?

Yeah, I saw the slow hands. Okay, so what the fappening was was a lot of... Yeah, yeah. A lot of celebrities had their nudes leaked online. And one of the main ways that a lot of these nudes were gathered was through their iCloud services. So they had been taking pictures, nude pictures and videos of themselves on their Apple devices and having it sync up with the cloud, and then when their cloud account was hacked, you get the nudes. So I would say avoid those sorts of cloud services, especially for information that you don't want to be out there in the open. Again, it's not a matter of if there will be a leak or a breach, but when.

There you go. There you go. False flag. Also, you can rotate your phone numbers and passwords often. So even if you are doxed, then that information becomes stale and not useful. You can use things like Google Voice. You can use

You can use Fring. Those are all services that you can just keep getting new phone numbers through. Also, for your physical paperwork, especially paperwork that tells people about your medical information or credit card information or things like that, you want to go ahead and shred those before. And if you want to go one step further, shred and then burn.

Differentiated information release and release cycles. You know, you don't have to constantly tell everybody on Facebook and Twitter where you're going and when and that sort of information. You could even put out false information: get a whole picture series together of somebody else's vacation and post it as your own. You can seed evidence of hobbies and patterns that you don't actually have. Again, this muddles up the doxxer's ability to actually put together a brief on you. And you can release information late if you really, really want to release photos, because if you're releasing them as you're taking them, then again, that tells people where you are and when you're there. You can also take it a step further and have friends and family corroborate some of these things. Like if you've planted a false job or a false vacation or something like that, then you can have them like it and comment on it and say, oh yeah, this was a lot of fun, I really enjoyed doing this with you, things like that. Also, cultivating multiple online personas and rotating through them is really useful. It's also useful for siloing: you could have different personas for different websites in different areas, and that makes it very difficult for them to build a dox on you.

When you're communicating, there's a lot of information that's leaked just between you and the site that you're using. So use a VPN with no split turned on, because if you don't have that, your DNS is leaking. Also, you could consider using Tor. It's not a panacea. It's not a way to completely protect yourself, but it can be useful for looking like you're actually coming from a geographic location that you're not actually in. Skype is backdoored. We know this, Microsoft admitted it. So that's definitely leaking information. If it's backdoored, then the government's not the only one who would have access to that information. As I mentioned before, you can start building other identities. The longer you've been cultivating them, the more real they'll seem. Also, encrypt everything where possible. Use Off-the-Record for chatting. PGP, I know it's not user-friendly, but it is definitely useful. There are lots of other email services like Tutia, based in Germany, and ProtonMail, based in Sweden, where everything is encrypted as you're using it, both between you and the receiver. Because remember, email was not built to send sensitive information. It's just plain text flying through the air.

All right, so what do you do if you've actually been doxxed? Well, if you feel like you're in danger at that moment, because you've been doxxed and received a threat or something like that, of course, call the cops. But one of the first things you want to do in either case is file a police report. And why you want to do that is because it'll lend legitimacy to all of your future actions or impacts that might occur from your doxxing, and you'll have a case history. You want to fully document what's been doxxed, where it was doxxed, who did it, where you think they got the information. Take screenshots and back that up with printouts. That'll be useful in any investigations that have to happen in the future. Also, clean up any sensitive information that you found out there. You know, close down accounts that they used to get information about you, things like that. Go through and reset all your passwords. Turn on two-factor authentication, because they will try to get back into a lot of accounts. Think about doing a credit watch or ID theft watch service, where they'll watch for your information being used for financial or other identity theft purposes. If there is evidence of ID theft or blackmail attempts, the FBI takes those things very seriously. And if you've already got a police report in the system for the doxxing, then contact the FBI. They can coordinate with the local police for finding out who did it and what happened and things like that.

Also, especially if you live in a smaller area, you want to talk to your local police about swatting concerns that you might have and let them know that, hey, I've been doxxed, and this is typically something that can lead to a swatting attempt, so I want to give you a heads up: please vet with me before you send in the SWAT guys. And again, as I mentioned earlier, Brian Krebs had this very effectively worked out with his local police. And even though he got multiple swatting attempts, they only actually went into his house once, and in the future they called him and he said, no, this is bogus, and they were able to resolve it that way. Another thing that you can do is the FCC's website, as well as the FTC's, have little walkthroughs for if you think there's identity theft going on or if your information is being used without your knowledge, and they can be really useful for who to contact in your local area to get that resolved.

I'm still looking for more information about where this information can be leaked from and ways to protect against it. So if you guys have any of those that I didn't cover, or other things like somebody mentioned to me after the last talk, there's a whole genre that bounty hunters and repo men use called skip tracing. And I started looking into that; that was really useful. So if you can think of anything like that, please hit me up. And I'm ready for questions.

Yes? This is interesting, and you can see the potential, the potential for abuse in a lot of this. But how prevalent would you say this is in the general populace?

So it used to be very, very... I would say, sorry, five, six years ago, it was mostly in the gamer communities. And now it's moving into security professionals, into businesses, business owners, like the VPs of Hola, the VPN service, are right now being doxxed and actively swatted because of the stance that they took against 8chan, one of the online image boards. So it's becoming more and more: if you do something that one of these kids doesn't like, then you'll become a target. If you say something that they take offense to or that they see as being, like during Gamergate, there were a lot of editors and staff writers and things like that that just, they just said, hey, this is what Gamergate is, and folks took offense to the way they worded something or other, so now these editors and writers are being targeted as well. So it could be any occupation.

One of the slides you showed earlier was some people seemingly playing telephone or passing a secret, and that looked like something that was marketed directly to try to reach a different market than maybe what you were just speaking to, repo men and whatever, private investigators. Are these companies actively targeting the general population, and do you think that they have a large share of business coming from them right now?

Are you talking about the data clearing houses? Yeah. Yeah, so they're sucking up information on everyone that they possibly can. So I would suggest going to People or Intelius