Tuesday, August 12, 2014

Black Hat and DEFCON 2014 - Boots on the Ground

The Black Hat 2014 conference was held at the Mandalay Bay hotel venue in Las Vegas, Nevada, USA.  Dan Geer, CISO for In-Q-Tel, provided this year's keynote (video | text) presentation.  The presentation was sobering but I don't think his ideas surprised too many in the room.  Still, Geer communicated what many in the room feel but perhaps lack the skills to articulate.  Geer covered ten different security concerns relevant to society in 2014 and provided his commentary.  Solutions to many of the concerns described by Geer require action from lawmakers as well as the technology industry, not small tasks by any measure.

A couple of larger themes emerged this year across the security conferences.  First, the NSA Playbook: this is the NSA technology catalog of information for targeted surveillance and exploitation of information systems.  Not to be confused with bulk surveillance of Americans, a completely separate concern in the media.  I'm surprised to see any focus on the NSA Playbook, frankly.  None of the tools and techniques presented are shocking or surprising to me.  All these tools were covered by Greenwald and the Washington Post long before the conference.  Regardless, the sessions were well attended and the public is both terrified and fascinated with these tools.  Next, Software Defined Radio (SDR) piqued interest at this year's conference.  For those unfamiliar, SDR is a radio front end that connects to your computer.  The benefit of SDR is that the computer is used to tune the radio as well as provide modulation, which provides flexibility over dedicated hardware solutions.  A limitation of SDR over dedicated hardware is that SDR is not useful technology for scanning or frequency hopping gear (or at least with lower cost gear like I have).  At DEFCON, I picked up a low cost SDR rig ($20 USB stick) and created a short video clip of SDR so you can get an idea (video) how it works.  In my case, I'm tuning into a radio station but you can tune into other frequency bands like aircraft or Ham radio.  There are also some examples on the net of SDR rigs downloading satellite images.  One of my favorite radio hackers is Oona Räisänen (Twitter: @windyoona).  In one article she describes step-by-step reverse engineering a helicopter's flight path from RF signal to a set of waypoints superimposed on a Google Map - bad ass!  Anyway, I don't know Oona personally and I'm not sure if she attended the conference, but I can't help but think of Oona when I'm thinking of SDR.


I highly encourage checking out SDR.  More expensive SDR rigs allow transmitting as well as receiving but may require an FCC Amateur Radio License.  The security significance of SDR is that it's useful to receive RFID signals, to duplicate access badges, Bluetooth, and other radio type hacks.

The best session of the year between both conferences was "Weaponizing Your Pets: The War Kitteh and the Denial of Service Dog".  I'm not sure if DEFCON will make the presentation public so I included a link to the same presentation provided earlier at ShmooCon.  The project and presentation were as you would expect: strapping Wi-Fi to a pet and sending the pet on a mission.  No spoilers, you must see for yourself, but the presentation was very entertaining and freshens the topic of war driving.
Photo: Grossman (Left), Smith (Center) and Hansen (Right)

Next, no conference is complete without some celebrities.  Photo on the right, from left to right, Jeremiah Grossman (Twitter: @jeremiahg) from WhiteHat Security on the left, I'm in the center, and Robert Hansen (Twitter: @rsnake and ha.ckers.org) on the right.  Jeremiah and Robert both work at WhiteHat Security.  I have known Robert since we both attended the Austin OWASP chapter some years back.  During the Black Hat conference, I was walking the vendor floor and noticed Robert purely by chance so we spoke for a few minutes.  Jeremiah is always followed by a throng of security practitioners and press, and today was no exception.  I didn't think it was appropriate to interrupt with a greeting but Robert pushed everyone aside so I could talk a few moments with Jeremiah.  It's really strange, sometimes I feel like Forrest Gump - I'm just a nobody in the right spot at the right time.  I met Jeremiah last year when I received an opportunity to present at Black Hat.  Both these gentlemen are security legends and if you get a chance to meet them or attend one of their talks you should.

Photo:  Not so sneaky hacker
One evening, I was up playing with my SDR rig.  Unfortunately, tethering from my iPhone was not working very well so I decided against my better judgement to use hotel Wi-Fi.  After I connected I noticed an interesting host in the network.  Check out the not-so-sneaky hacker in the photo to the left.  Anything interesting about this host name?  This guy needs to go back to hacker school.  A word of advice, if you're an amateur don't try to show your hacker mojo at Black Hat or play with your new toys.  Case in point, someone got their Pineapple popped at DEFCON.  Pineapple is a Wi-Fi man-in-the-middle device for security penetration testers.

Photo: DEFCON22 conference badge
The DEFCON badges were awesome this year.  Erik Costlow (Twitter: @costlow) on our team figured out the letters are touch sensitive buttons.  Press the DE together for one pattern of flashing lights, press ON together for another, press FCO for yet another.  Someone said the micro-controller vendor Parallax has information on the badges and how the USB port (on lower left on badge) works.  I need to check that out sometime.  Some mentioned there is an IR sensor and transmitter so the badges can communicate with each other as attendees pass by each other in the conference halls.

One of the annoyances I had at both Black Hat and DEFCON this year was trying to get into my sessions.  Often I would leave a session in one track only to find I could not get into the session in another track since it would reach capacity before I could enter.  This sometimes occurred at Black Hat and always at DEFCON.  At DEFCON the only way to ensure you see some sessions and get some value is to attend all sessions for the track with the greatest number of sessions of interest to you.  Remain in the room at the close of the session.  Minimizing track swaps and room changes helped me get the most value out of the experience.  There are some rumors DEFCON will be held at a larger venue next year.  If so, it seems likely to reduce congestion.  Keep in mind, these conferences are packed because they are wildly popular and educational.  I'm sure the events are difficult to coordinate with skyrocketing attendance.
Photo: Iron Clad Java book celebration

I will close with a shot of the Iron Clad Java book team celebration.  The four of us have been working on a web application security book project for about 7 months.  In a stroke of luck, we all attended the Black Hat conference in Vegas together so we decided to assemble for dinner.  Photo from left to right: me, Kevin Kenan, Jim Manico, and August Detlefsen.  Jim treated the team; let's say I have never had such a wonderful dinner.  But thinking for a moment beyond my stomach, the meeting was a great opportunity to speak with team members in person.  We all agreed that we learned so much from each other in this project.  This project was a great experience.  Will there be another book?  It's not my place to say but we all enjoyed working with each other.  I can think of no better team for another book project.  It was a great experience and opportunity for us all.

--Milton
