Tuesday, March 17, 2015

Security B-Sides Austin: Recapping a hacker conference

A recap of the 2015 Austin B-Sides security conference, with links to speakers and slides where available
March 12 and 13, about 250 hackers and security practitioners from around Texas (and as far away as Canada) descended upon Round Rock, a suburb of Austin, for two days of training and research presentations. Security B-Sides sprang up in 2009 as an alternative to the major (and highly attended) conferences such as Black Hat and RSA: there's not much opportunity to talk one-on-one with a researcher at a conference attended by 10,000. In 2009, the inaugural B-Sides was held in Las Vegas; a year later, B-Sides Austin launched, timed to coincide with the annual Spring Break phenomenon known as SXSW (South by Southwest). For 2015, over 30 events in North and South America and Europe are scheduled, with more in the planning stages.

I refer to B-Sides as a hacker conference. Some readers may take offense. I use hacker in its original (and to many, "real") sense: one that knows a topic well and can modify something to do his or her will, rather than what the creator intended. That culture has nothing to do with malicious use of computers - it is the culture that led to automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers, to name two examples. A hacker could be known less controversially as a maker, or a tinkerer, or a modder - or an engineer. In that sense, I am proud to wear the label of hacker.

Following are some highlights from many of the talks. Alas, with multiple tracks I could not attend every talk.

Ten crazy ideas for fixing security
Wendy Nather (@RCISCWendy)

Remember the past - and move on. Some attack vectors were once recognized but considered infeasible. Advances in computing power mean some of these may now be well within the reach of an attacker. The "FREAK" vulnerability, for example, would have been beyond all but a nation state when "export-grade encryption" was defined in the 1990s. Now, with $100 or so, an attacker can rent a few Amazon EC2 instances and factor the keys in a few hours. We are not learning from the past - but we are making assumptions based on the past. Wendy says we have it all backwards: we shouldn't be tied to old rules, but we should not ignore the lessons from the past.

Culture wars and "one-upmanship" are getting in the way of innovation and collaboration ... to a degree. There is a tendency for "elite" conference speakers to separate themselves from the rest, and a disturbing trend of researchers "marketing" their vulnerability disclosures with fancy logos and catchy names. In my own experience though, this is not universal. I see a lot of open sourcing, cooperation, and collaboration in my circle of influence.

Data needs an expiration date. A data breach can't come back to bite us if the data is gone or unusable.

Many businesses live below the "security poverty line." Mega-dollar security solutions just aren't practical for a great many businesses, especially smaller ones.

Uncovering the faces of fraud
Jay McLaughlin (@jaymclaughlin)

Jay talked from his perspective in the financial industry, one which I do not have much first-hand experience in, so I for one found it very educational. While many of the security fundamentals are the same, the attack surface differs, as does the attacker motivation.

There are a growing number of fake mobile banking apps, even on the legitimate app markets, but Jay says this is just the tip of an iceberg to come. Current mobile banking apps don't have the full functionality of the web app - for instance, perhaps you can set up an electronic payment to an existing payee from the mobile app, but have to use the full web UI to set up a new payee. Criminal hackers are sitting on some known mobile vulnerabilities, waiting for the ecosystem to mature to the point that it is worth revealing their hand. Why waste an 0-day now when it could be used for far more valuable fraud later?

Fraud doesn't just abuse the victim (end user). Mules (intermediaries used to move and launder money) are often financially-strapped, unsuspecting accessories whose trust is abused as well. Jay tells of mules that say this "job" is more important to them than their legitimate job, mules that have some suspicion they may be involved in scams, but are so desperate for the money that they close their eyes and hope it's not a scam. They may cash a few checks, keeping a predefined "commission" before sending the rest to the scammer. This happens as promised for a few rounds, then the scammer sends a bad check; the mule cashes the check and sends along the money, then gets stuck with the entire bill when the scam check bounces.

The comment that resonates loudest with me is one I have been saying for years: we can't eliminate all risk. It's not economically practical, even if it were possible. Our job is to mitigate risk - identify and measure it, and communicate it so the business can make an intelligent decision. Unless your business is a security product, security doesn't pay the bills. We should be about finding the right balance between risk (something bad could happen, and this is what it would cost if it did) and cost to mitigate (in terms of dollars, staffing, and opportunity lost).

We preach, but do we practice what we preach?
Michael Gough (@HackerHurricane)

Link to slides

Build systems to be resilient. One option is to separate data from the OS - put the data on an entirely separate logical disk. If the OS is compromised, it's simple to rebuild the OS image without affecting the data. Keep in mind that this mitigates only one form of compromise - if the data itself is compromised, or the malware embeds itself in firmware, reimaging the operating system will not help.

Backup, backup, backup - and show someone how it's done. Data-destroying malware is growing in popularity (ransomware, as well as the Sony Pictures Entertainment attack); a complete and tested backup is the strongest defense against these forms of attack. Michael brought up an aspect we don't like to think of, though: would your wife / husband / child know how to recover your data if you died? The "BC/DR" plan for a family or family-run business needs to be implementable even if the person that put it together is no longer able to do so.

Use a Windows AppLocker policy to deny executables in places where programs should not be run. Specifically, include c:\users and %temp%, then add exceptions where required. So many compromises drop an exe in the user profile folder (after all, that's where Temporary Internet Files land) and execute it. If the exe cannot be run from its location on disk, it cannot carry out the compromise.
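The policy Michael describes, written out as an added example (not from his slides): deny rules for the user profile tree and the Windows temp folder, one hypothetical exception under AppData, and AuditOnly enforcement to start. The rule Ids are placeholder GUIDs (generate your own) and the ExampleApp exception path is made up.

```xml
<AppLockerPolicy Version="1">
  <!-- AuditOnly logs what would have been blocked (AppLocker event log)
       without blocking; switch to Enabled once the exception list is right. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- AppLocker blocks anything no rule allows, so the OS and installed
         programs must be allowed explicitly. %PROGRAMFILES% covers both
         Program Files folders. -->
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Allow Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- Deny rules win over allow rules. Each user's %TEMP% lives under
         \Users\<name>\AppData\Local\Temp, so this one rule covers both
         c:\users and %temp% for ordinary accounts. -->
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Deny executables under Users"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
      <Exceptions>
        <!-- Hypothetical per-user installer that must keep working; add
             entries here as the AuditOnly events reveal them. -->
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleApp\*" />
      </Exceptions>
    </FilePathRule>
    <!-- The system %TEMP% is %WINDIR%\Temp, which the Windows allow rule
         above would otherwise permit; it is user-writable, so deny it too. -->
    <FilePathRule Id="55555555-5555-4555-8555-555555555555" Name="Deny executables in Windows Temp"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
```

Import it locally with `Set-AppLockerPolicy -XmlPolicy .\policy.xml` (or through Group Policy); rules are only enforced while the Application Identity service is running.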

IPv6: A potentially hidden attack vector
Earl Carter (@kungchiu)

Red team vs Blue team panel

Red team: Marcus Carrey (@marcusjcarrey), Justin Whitehead (@3uckaro0), Kevin Johnson (@secureideas)
Blue team: Mano Paul (@manopaul), Michael Gough (@HackerHurricane), Josh Sokol (@joshsokol)

A useful pen test needs to go beyond just rote results. Tell us what you found - then give us your opinions too.

Penetration tests with restrictions are not always the most effective. There are exceptions (I know we are a mess over there, and have a plan to improve it, so don't look over there. Look at what we think we've secured well and tell us what we missed), but more often than not a restrictive test scope means the client gets a false sense of security.

I noticed a distinct shift in the general perspective. Three years ago at B-Sides, there were a handful of pen test talks that focused on the physical aspect - socially engineering one's way into the physical premises. Marcus says today that is far less common. A phishing attack is every bit as effective, and far less risky for the attacker. There are certainly exceptions (as Will Schroeder (@harmj0y) described in his fire marshal talk), but the general tone of the conference was that physical pen testing has been superseded by phishing / vishing.

One comment garnered loud applause, both in person and later via Twitter. Security professionals, at least those that call themselves advanced or expert, must have sysadmin skills. It is impossible to adequately secure something if you don't understand how it works and how it is used. As a red-teamer, eventually you will break something. You had better know how to fix it.

For those looking to enter the security field, this is excellent advice: learn a trade first. Learn a technical skill. In particular, master the command line on multiple platforms. If you have tech skills, I can teach you to use them for InfoSec. The opposite is not always true.

Invest in training skilled people. Tools are great, but tools don't have intuition.

Acting to win: taking responsible, automated action for high-speed defense

Monzy Merza, Jose Hernandez, Steve Brant

Protecting your cloud server with a cloud IDS
Josh Pyorre (@joshpyorre)

I missed this talk, but had the chance to talk with Josh later about a project I did using IDS to alert when a computer on my network looks up a domain name that OpenDNS deems as malicious or otherwise undesirable. He showed me some of the inner workings of OpenDNS and gave me some ideas for continuing that project.

That is to me a far greater benefit than the educational talks. B-Sides and similar smaller events are an opportunity to meet brilliant people, people with brilliant ideas. Many times I have met someone at B-Sides, only to find myself collaborating with them on a project or vulnerability disclosure years later. The talks are great, but the real value is in the professional networking.

Linux Under Attack
Chester Wisniewski (@chetwisniewski)

Windows gets the spotlight in terms of malware and malicious attacks, but that can make Linux a blind spot for many enterprises. Think about it: as an attacker, would you rather pwn a Windows laptop that shuts down unpredictably, runs various antimalware products, and has a widely varying set of tools and applications loaded? Or would you rather compromise an always-on Linux distribution with a complete set of build and compile tools natively installed? As much as SoHo routers and IoT devices get flak for "hackability," perhaps there is a small win in that they tend to run stripped-down Linux distributions without many of the normal tools.

Blue team responses to people who "hack like a girl"

Kate Brew (@securitybrew) and Charisse Castagnoli (@charissec)
Link to slides

Malware analysis 101

Adam Kujawa (@kujman5000)
Link to slides

The explosion of cybercrime: the 5 ways IT may be an accomplice

Mark Villinski


Reuben Paul (@RAPst4r), with some help from father Mano Paul (@manopaul)
Fox 7 news segment

Reuben gave a couple of bits of sage advice (a good cyber pro is always learning; spend time with your kids and understand the tech they are using), then wowed the audience by pwning an Android phone in about 5 minutes. He used the age-old tactic of delivering a malicious link, which installs a fake "game" APK that instead opens a Meterpreter shell.

My take: Reuben isn't going to teach most of us in the room anything we don't already know. That's not his goal (for now ... he's quick though so I wouldn't be surprised to be learning from him in a few years). Watching a 3rd grader pwn Windows and mobile devices so easily though is bringing a spotlight to our industry, a spotlight that other formats don't get. How often do local and national news media say anything about security conference keynotes? If Reuben can hook a few of his peers so they pursue a career in this industry, and along the way shine a positive light on hacking, then I say more power to him.

Spanking the monkey / how pen testers can do it better

Antonio Herraizs (@antonioherraizs) and Justin Whitehead (@3uckaRo0)

Key takeaway echoes the red team / blue team point from earlier: know your tech. Tools are there to aid the tester.

The deep dark hidden web

Aamir Lakhani (@aamirlakhani)

You caught me monologing: effective communication in security

Phil Beyer (@pjbeyer)
Link to slides

Is your crack-a-lackin'?

Jullian Dunning (@hob0man)

Jullian showed a variety of ways to streamline a password cracking attack, using the fact that humans tend to use predictable patterns. Hobo1234! meets the recommended password rules (uppercase, lowercase, numbers, special characters), but is a terrible password because it follows a very common pattern. This is a compelling case for using password managers (or at least random password generators). These tools don't succumb to human predictability.
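To make the Hobo1234! point concrete, here is an added example (not from Julian's talk) that classifies a password by its hashcat-style mask, rejects the shapes a pattern-driven cracking run tries first even when the complexity rules pass, and generates the kind of patternless password a manager would produce. The list of predictable shapes is constructed for this example.

```python
import re
import secrets
import string

def mask(password: str) -> str:
    """Hashcat-style mask: ?u upper, ?l lower, ?d digit, ?s anything else."""
    tokens = []
    for ch in password:
        if ch.isupper():
            tokens.append("?u")
        elif ch.islower():
            tokens.append("?l")
        elif ch.isdigit():
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)

# Shapes that dominate cracked-password audits: a capitalised word plus a few
# digits, with at most one symbol tacked on. Constructed for this example;
# extend it from your own audit results.
PREDICTABLE_SHAPES = [
    re.compile(r"^\?u(\?l)+(\?d)+(\?s)?$"),   # Hobo1234!  word, digits, symbol
    re.compile(r"^\?u(\?l)+(\?s)?(\?d)+$"),   # Hobo!1234  word, symbol, digits
    re.compile(r"^(\?s)?\?u(\?l)+(\?d)+$"),   # !Hobo1234  symbol, word, digits
]

def meets_complexity(password: str, min_len: int = 8) -> bool:
    """The usual rule set: minimum length plus all four character classes."""
    m = mask(password)
    return len(password) >= min_len and all(c in m for c in ("?u", "?l", "?d", "?s"))

def is_predictable(password: str) -> bool:
    """True when the password's shape is one a mask attack covers early."""
    m = mask(password)
    return any(shape.match(m) for shape in PREDICTABLE_SHAPES)

def check(password: str) -> str:
    """Policy decision: complexity rules alone are not enough."""
    if not meets_complexity(password):
        return "reject: fails complexity rules"
    if is_predictable(password):
        return "reject: predictable pattern"
    return "accept"

def generate_password(length: int = 16) -> str:
    """What a password manager does: random characters, no human pattern."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check(candidate) == "accept":
            return candidate
```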

The inmates are running the asylum: Why some multifactor authentication is irresponsible

Claire Nelson (@Safe_SaaS)
Link to slides

Beyond the scan: the value proposition of vulnerability assessment

Damon Small (@damonsmall)
Link to slides

I hunt sysadmins

Will Schroeder (@harmj0y)
Link to slides

Honeypot how-to

RoxyD (@theroxyd), Mike Sconzo (@sooshie)
Link to slides

Logs, logs, logs: what you need to know to catch a thief

Michael Gough, @HackerHurricane
Link to slides

Six Windows log events would have detected each of the major APT cases in the news in the past few years. Log management doesn't have to be intimidating if you can distill your focus down to six events.

Alas I am but one person, and there were multiple tracks to follow, so I could not attend every session. Josh Pyorre and Kate Brew each wrote their own blog posts from their viewpoints, covering some of the talks I missed.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen