Pre Black Hat And DEF CON Primer

As I am writing this particular blog post, I am just eight days from flying to fabulous Las Vegas, Nevada. Why on earth would I, or anyone not required to, go to the middle of the desert during the hottest possible time of the year (the first week in August)? Because that weekend is the biggest, and oldest, hacker gathering in the world.

The gathering I am talking about is the 24th annual DEF CON where more than 10,000 hackers and security geeks will descend upon the Bally’s and Paris Casinos for four days of nothing but hacking and networking (with people, not the IT sense of the word).

This will be my third year in a row attending both the Black Hat and DEF CON security conferences. Every year, I have received a crash course in something that has made me better at my job. The first year, I saw a very enlightening presentation by Benjamin Delpy and Alva ‘Skip’ Duckwall in which they discussed many uses for mimikatz.

Mimikatz is a small malware-like binary file that will scrape and analyze data from the RAM of any compromised Windows system. They also discussed a very exciting new feature, Golden Tickets, that would allow an attacker (read: ethical hacker/pen tester) to do more than steal clear text credentials and encryption keys directly from the volatile memory of compromised systems.

A Golden Ticket is an attack method that takes advantage of several weaknesses in Active Directory and its integration with Kerberos. In short, that presentation changed how I approached penetration tests; mimikatz is one of my favorite post exploit tools out there now. If you are interested in reading more about this, click on the link above to the presentation and the related paper.

This last year I spent most of my time at DEF CON in a few “villages:” lock picking, wireless, hardware hacking, SCADA, and social engineering. These villages are a communal place for those interested in learning from their peers about whichever topic the village is dedicated to. After last year’s DEF CON, I was able to use my newly earned (and still not great) lock picking skills during a Penetration Testing Assessment for a client. I had been hacking away at their AD servers, and the IDS caught me and blocked the port I was using. I waited until there was no one left on that side of that floor, picked the lock to the switch closet, and got a new port.

Seeing Through the FUD

In the next several weeks, we will all see an uptick on IT security and hacking related news. In fact, if you work in sales or recruiting in the security field, I am sure these next few weeks will be for the security industry what Christmas is for retail. Unfortunately, a lot of that news and buzz is going to be rife with fear, uncertainty, and doubt, or FUD, as it is affectionally known in the industry.

This is the one thing about the security industry as a whole (with exceptions of course) that I think is one of our biggest problems. Security, and the lack of it, is a scary thing. Many would say that those that don’t understand it are the ones most easily scared. I do not think that is the case – those that should know better are more likely to be swayed by FUD. This is in part because if you understand information security and how it works, you also understand how it doesn’t work. As someone who has worked in security for close to nine years, I am guilty both of using FUD as a tool and allowing it to sway my opinion.

A few years ago, during my first trip to Vegas for Black Hat, I began to see how FUD was being used to market security products in the same manner that many other industries use sex appeal to sell their products. Of course there were vendors there that used beautiful models as an allure to their booths, but even most of them still used FUD in their pitch. This bombardment made me examine my own behaviors and practices, and I quickly realized that I was also using this tactic.

Now, as I said a bit ago, security is scary; the more you know the more actual fear, uncertainty, and doubt you have. So, it is not actually possible to completely separate the two. For example, if I give a presentation about current hacking tools or social engineering, some of the things I talk about are going to be scary and cast doubt. The difference that we, as an industry, can make is to not use that inherent FUD to leverage our customers and clients into doing something they don’t really need.

So, I hope to see many of you next week in Vegas, and I will be sure to write about my experience here on the blog so those of you who are not fortunate enough to attend can at least learn some of the things I felt were most critical or interesting. If anyone reading this is going to be in Vegas next week and would like to meet up for a coffee or lunch, shoot me an email and we will set something up.