Mastering Black Hat, DEF CON and Las Vegas over 10 Days (and Nights)

Image

Well, to start off, Las Vegas is in my view and experience not the best location for all these annual cyber happenings. Prices are going up through the roof—it's just crazy. For example, my hotel cost $3,500 for 10 nights at Caesars Palace, and I paid $50 for a burger with fries and a drink. Really? Or a simple bottle of water for $10? Is that worth it just because of the pseudo-luxury into which the casino industry wants us to buy? A desert location consumes tons of transported water from out of the Colorado river (Grand Canyon), electricity (generated at the Hoover Dam), and extra money for almost everything is just not a typical “green” type of event. Also annoying are the cab drivers that take extra turns, back roads, or the red-lighted Strip (Las Vegas Boulevard) during rush-hours to make some extra bucks off their hapless passengers.

Image

Black Hat 2017

I think overall the Black Hat schedule is great and managed well, but it would benefit from creating tracks that are subject-oriented. Currently, the BH organizers classify the sessions into categories like “Application Security,” “Cloud Security,” and “Data & Collaboration Security” for the vendor/sponsored sessions. But for the briefings, they classify the sessions into categories like “Applied Security,” “Cryptography,” “Data Forensics and Incident Response,” and “Enterprise”. This division alone is confusing, but worse still is the fact that all these sessions are in different rooms, so you have to “run” between sessions from one side to the other (and in doing so bump into 15,000 or so other attendees who are doing the same thing). It would be much easier to have the same session types in the same area. (Of course, there are some sessions or types that will receive more attention, so a couple of different room types/sizes for each track is a good idea.) Another observation is that the session write-up was focused on speakers and their experience only instead of the sessions at hand. That is problematic, at least for the newbies who are trying to get their arms around the security bullet. A great idea was the BH “app,” but why did “my agenda” always display some ads (sessions) that I didn’t ask for? As a result, it consumed some unnecessary space on my display. The briefings were great, as always. Here are some examples of the topics discussed:

• SHA-1 crypto-analysis;
• the CVSS scoring system;
• application security maturity program;
• a “White Hat privilege” (or rather none);
• “How to secure 100 products” (in an enterprise setting);
• fighting the previous war (this time in the cloud);
• digital image counter-forensics;
• zero-days;
• purple team;
• EvilSploit;
• abusing O365 & Powershell for C2;
• USB hacking;
• DevSecOps; and many more.

The main issue here is that the briefings and vendor expo happened at the same time, which is not a smart idea if you really want to focus on both learning and establishing some new business relationships. If in doubt, as a C(I)SO, I will focus solely on the briefings, as they provide a wealth of knowledge – more so than the vendor booths, in my opinion. As for the evening events, I find it better to focus on a few dinners or small talks instead of the parties by the big players. The reason is that the parties land you in bed with a headache on the next morning(s), while you actually need your brain power to absorb the knowledge shown/presented. You also should be wary of vendors forcing you to pick up your “badge” at their booth… only to obtain your full contact data, etc. When it comes to dealing (pun intended) with vendors, here is my hint: before you hit the business hall (or the briefings, for that matter) you should pull the RFID-card out of your badge to prevent unintended data leakage. I did so on Day One when I arrived on Friday afternoon to get ahead of the long registration lines later, do some detailed planning of which sessions to participate in, and meet with peers/smart vendors. You would not believe how often I experienced the following situation (Wednesday-Thursday at least): booth babes or the like focused solely on “scanning the badge.” (Some actually asked politely “May I scan your badge” but were slightly irritated when I replied “no thanks”.) Sometimes when the product was interesting or the person was showing above-average interest in my requirements, I offered my (private) business card(s). But many of them did not even get to the point; they were so focused on why my badge wasn’t capable of being scanned. My point here is that there is a long way to go for almost all the vendors on how to first initiate, create, cultivate and maintain a true business relationship. If you think that by scanning my badge you'll make any inroads, and that I won't drop your mass emails upon receipt, then good luck. If you instead start a conversation by politely introducing yourself, asking for my needs (not my name, my company affiliation, my industry, etc.), and then focus on how your product or service is capable of solving these requirements, then we can have a conversation. Your approach needs to adapt to the customer—it should not be the other way around. On the other hand, the Monday Black Hat CISO reception was very nice. It was a good opportunity for networking in a relaxed atmosphere and with enough time to have a couple of good conversations. CISOs from all over the country had the opportunity to exchange war stories, which proved to be invaluable. The Tuesday Black Hat vendor reception was a nice start for attendees to orientate themselves about the booth locations and what they wanted to focus on visiting over the several next days. Just be aware that there is a horde of people running for the toys/incentives, so try not to get stampeded.

Image

Figure 1: My book on display at the Black Hat bookstore The swag room is full of Black Hat-labeled stuff, some of which is a bit overpriced, though. Of real value was the bookstore, which had a nice selection of security books on display and all at a great discount of 40 percent. My book, of which you can get your copy here, sold very well. The NOC (Network Operations Center) does an awesome job each year. I recommend those who are new to Black Hat visit and get a peek into the event's operational aspect of security. For those that were on the Wi-Fi, I hope you knew what you were doing… and those with 3G/4G/LTE mode only, it’s still a good idea to change all passwords after the conference. The Black Hat staff did a really great job this year. They were absolutely professional; they treated everyone with respect and were really helpful guiding everyone to the right rooms and locations. It saved all of us a lot of time not stalling in the hallways, so you could really make it from the “Southseas” or “Jasmine” areas to a session in the “Mandalay VIII.” I personally found the keynote from Alex Stamos interesting and appreciated the focus on education for the younger people. The light-show opening was nice and worth it for the 20^th anniversary. Compliments to the Black Hat team for changing the hand-out procedure for the DEFCON badges on Thursday. This time, they opened up the counters at 7:00 AM, which helped keep lines short and made this way better than in any prior years I attended. Still, I wonder why this extra step is really necessary and could not be combined with the first time badge pickup on Friday (or whatever your arrival date is). Skipping the MS “invite only” party, I decided to have dinner and then check out the DEFCON conference sessions (nice booklet; really well done).

DEFCON 25

And then the shock back at Caesar’s: hordes of clothed-in-black hackers everywhere, probably 25,000 in total and with some in short distance from my room. I was concerned of rogue cell phone towers and kept COM at a minimum. When I checked out the elevators, I found that the badge scanners for the high floors were probably tampered with (see Figure 2 and 3 below).

Image

Figure 2: Tampered with door card reader Friday morning, I focused on the government surveillance software talk in track 4, which was very good, and I skipped the keynote this year, which I believe was a wise choice. The “goons” have also improved their communication skills and were very helpful and polite most of the time. This time there was also no crazy “nothing goes anymore” like in the middle of Paris-Bally’s last year. You still had to get in line to get into your favored tracks, but it was managed well and I witnessed only a few mess-ups. I spent the whole day in interesting sessions (such as offensive malware analysis, hacking smart contracts, SSRF, application DoS in microservice architectures, phone system testing, designing active directory DACL backdoors, and the (soon) famous Cisco catalyst exploitation) before heading off to the evening event. I was up early the next morning (Saturday) to not miss the Siemens S7CommPlus hack. Next was anti-forensics, evading next-gen AV with AI, DNS privacy (or not), and some Kernel exploitation sessions. I loved the DOOM on PoS show – nice way of making it real. The talk about Israel’s way into the cybersecurity community impressed on me an important fact: this was and is a global community, and we have all the same roots even if our foci narrowed in on different subject areas, such as offense vs. defense, etc. The Saturday night music party was a blast with all the tiny lights and light sabers. (My kids loved them.)

Image

Figure 3: tampered with elevator controls On Sunday, I focused on Android, a few villages, a great session about exploiting continuous integration, and a session about internal DDoS attacks that will come. Most impressive were the demonstrations on bypassing Android Password Manager Apps without root, proving again the old proverbial adage to “never put all eggs in one basket.” I also enjoyed the weaponizing machine learning and program analysis sessions before the very nice closing ceremony. Congrats on the 25^th anniversary, DEFCON! Flying home, my mind was still boggled with all the (bad) news and latest zero days. When will the time arise that defense is applauded? Yeah, I think that ain’t gonna happen. Media is a business, as well, and nothing sells as good as bad news/crisis/horror. I get that, but it's a serious problem when CISOs all over the world have a difficult time finding quality defense people at a decent price tag. If all the action and hype/fame is given to the dark side, who will defend (critical) infrastructure or applications? Make no mistake: if a whole generation focuses only on the offense, then we will not leave behind a robust future. Don’t put your head in the sand and state that you can’t do anything about it. We all can and shall do our part to secure the cyber space.

Final thoughts

Finally, there is hope, a new hope (pun intended for those familiar with Cyber-, umm, Star-Wars): the rising media attention has put the boards of companies on so much pressure that they are scared and more willing to adopt a “must do” attitude. Granted, this will not get us to the perfect state of security. (They will likely focus only on the biggest risks.) But it is at least a start.  

Image

About the Author: Michael Oberlaender has a broad, global, diversified background in various industries and markets, 28 years of IT including 18+ years full-time security experience, and a strong focus on IT & security strategy. Michael is a globally recognized thought leader, book author (“C(I)SO – And Now What?”), publisher, and has written numerous articles for security magazines, and also has been frequent speaker, panelist and moderator at security conferences. He holds a master of science (physics) from the University of Heidelberg, Germany. He is member of (ISC)², ISACA, ISSA, and InfraGard (FBI). 

Image

Michael is currently serving as the Chief Information Security Officer of a larger corporation across the US, Canada and the UK. His expressed statements and opinions are that of his own and do not reflect on any current or prior employer or customer.To find out more about Michael´s book, “C(I)SO – And Now What?”, click here.You can also follow Michael on Twitter here, and connect with him on LinkedIn here. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.