Security Ripcord


First DefCon Experience

Now that I am back from my very first DefCon experience I have two questions. “Why did I miss the previous 15? What was I thinking?”

From the very start the whole trip seemed like it was on a slow and deadly spiral downhill. I got packing late and had to rush. I couldn’t get the Sprint EVDO card running under BackTrack 2.0 installed on a Dell D600. I suddenly had to do actual work while I was on the trip, so I had to take my MacBook Pro but couldn’t get the Verizon EVDO card for it because it was locked away in a file cabinet (now that I know a bit about lock picking I could have gotten it). Then, when I finally got to Las Vegas, I realized that I had never been here and I had no idea how to get to the Riviera.

Once I got to the Riviera things started to pick up a bit. I met up with Mike Henry, who graciously let me sleep in his room with him and Martin McKeay. We soon met up with Larry Pesce and Jon Squire and we all loaded into a cab for the Accuvant party at Mandalay Bay. This turned out to be a great move because of the open liquor and sushi bar. I also got a chance to meet several of the Accuvant attendees, and they were all very knowledgeable and friendly. I can definitely see why Michael Farnum (who did not attend DefCon) likes his job so much. After the party it was back to the hotel for my last real night’s sleep for the next couple of days.

In the morning it was on. I had already picked up my Press badge (Thank you very much, Nico!!) so I filtered into one of the sessions. Sean M. Bodmer, the Director of Federal and Military Programs at Savid Technologies, gave a talk on how it is important to extend your incident response plan to include “attack characterization” in order to understand why you are being attacked and by whom. After the presentation I asked him a few quick questions: how much extra time this would cost an incident response team, whether he had a common framework the community could leverage, and whether there was a central repository so that people could look for similar attack methodologies to help them identify attackers. He told me that once an organization has a framework in place it only takes about 6 to 8 extra hours to detail the attack methodologies and familiarize the rest of the team with the results. The framework that has been developed by Savid is not public, as they have not been approached to make it available to anybody else. The same goes for the database of attackers. Although I like his idea, I very much doubt that a small or even mid-sized business has the extra funds and manpower to devote to this extra work (I’m not saying it wouldn’t be helpful information, just that it will be hard to promote). Large businesses, including the government, however, could definitely benefit from this type of information. Also, I am surprised that he did not offer a common framework for this approach. Obviously he and his team are very knowledgeable about how to profile attacks and attribute them to specific individuals. I would have liked to have seen them take this next step, especially since they were presenting this at DefCon.

After this first presentation I decided to wander around a bit. It only took me a few minutes to end up in the WarGamez Capture the Flag room, where eight teams from around the world were diligently setting up their systems and preparing for the competition. A few minutes of looking around showed me that Kenshoto was running this event, so I quickly cornered one of their members to get a quick introduction and ask him if he was open to answering questions periodically during the con. This person turned out to be “invisigoth” and he was more than happy to help while he was not assisting the competitors. There will be more about this competition in the near future.

By the time I finished up in the CTF room and wandering through the vendor area, it was time to start the Mystery Box Challenge. Volunteering to be a member of the Security Catalyst team was definitely the best move that I could have made. Firstly, the contest is an embodiment of everything that DefCon represents: break in any way that you can using any resource that is necessary. Secondly, I couldn’t have been a part of a better team. Although none of us were particularly strong in all aspects necessary to complete the challenge, each one of us brought a necessary skill. Together we knew how to get it done, or knew somebody who could help us do it. Although we did not win, I am very proud of the fact that we kept the amount of outside influence to a bare minimum (basically, we needed a lock picker). Although I could write up exactly how we did everything, I would rather point you to James Costello’s post titled “Back from DefCon”, which sums it up very nicely.

After 36 hours with 2 hours of sleep I was dead beat. I tried to wander around some of the parties, but my body was not up to it. Everybody I talked to told me not to sleep at DefCon, but I just couldn’t help myself.

After such a positive and involving experience with the Mystery Box, the rest of DefCon was a bit uneventful. The TCP/IP Drinking Game and Hacker Jeopardy were fun (Winn Schwartau is hilarious, BTW), but I didn’t get the same sense as trying to break into something. As this was my first DefCon, however, I felt it was important to experience some of the things that make it DefCon.

The next day, however, it was back to trying to learn new tips and tricks. I spent the day floating in and out of the Lockpick Village, the Wireless Village, the CTF competition area, and one or two talks. The only other talk that I was impressed by was the one given by Marc Weber Tobias and Matt Fiddler titled “High Insecurity: Locks, Lies, and Liability”. They had a very informative presentation that points out some of the inconsistencies of physical security. Oh, yeah, I just remembered that Matt Richard and Fred Doyle also gave an interesting talk titled “Beyond Vulnerability Scanning – Extrusion and Exploitability Scanning”. Basically, they have created a set of tools that can test an organization’s outbound countermeasures.

Wow, I just realized how long this post has turned out to be. I guess I can really sum up DefCon as a great opportunity to meet new people and participate in competitions that stretch your imagination and skill sets. What more could you ask for, besides “how do I do this year round”?

Will I return to DefCon next year? I have already started working on that very topic, and hopefully my wife and I can negotiate a sufficient exchange of personal vacation time to get me out to DefCon 16.

One thing of interest that I did take away from DefCon was the emphasis on physical security. What I mean is that the Lockpick Village was completely packed from the moment it opened to the moment they closed down the area and asked everybody to leave. What does this mean for your organization? Well, if hackers are looking into this, then maybe you should start considering what you are doing and where the weaknesses might manifest themselves within your environment. You might have the best OS hardening skills in the business. But if you cannot limit and protect the physical access to your systems and other resources, then you are going to be in serious trouble.

Go forth and do good things,
Cutaway


2 Responses to “First DefCon Experience”

  1. Glad you had fun.

    See you next year.

    LosT

  2. [...] course I know Cutaway knows this (Mystery Challenge and all), but like any good blogger I’m taking something out of context to have a little fun [...]
