An interesting note from this presentation was the percentage of already compromised mobile devices identified during the study. Out of the 608 compromised phones identified the majority were Apple IOS phones. Not Android as I would have expected. The main take away from the briefing was that BYOD is a new market and the security solutions are not fully developed. Encrypting data at rest can’t be the beginning and end of the solution. The entire phone needs to be secure and the devices need to be the monitored to the same extent we would monitor any other device on the network.
The second day’s keynote was given by Brian Murihead from NASA and was titled, “Take Risk but Don’t Fail”. Let’s be honest here. Giving a keynote on the second day of Blackhat after the director of the NSA is a tough job. Brian’s keynote was more traditional Blackhat keynote. It was uplifting material about overcoming obstacles, taking risk and innovation. However, for me it was pretty boring and I almost fell asleep half way through. That being said it was interesting to hear the amount of ingenuity that went into the development of the Mars rovers. I was piqued by the skycrane. The reentry vehicle uses jets to hover over the landing spot and lowers the rover to the ground using a crane. Once the rover is lowered the reentry vehicle jets off to a safe distance and crashes leaving the rover safely on the ground. That’s pretty innovative by itself but when you think it happened automatically on planet 225 million kilometers away, that’s pretty cool.
I also caught a presentation from a former coworker Alva “Skip” Duckwall, “Pass the Hash II”. Yes, I am biased towards speakers who are friends or former co-workers. The talk centered on how pass the hash was still a viable attack method. The presentation hammered home the fact that pass the hash simply utilized the Microsoft authentication process as intended. As is traditional, many pot shots were lobbed at Microsoft who actually had a representative sheepishly in attendance.
Beyond the traditional Microsoft bashing, Skip pointed out flaws in Microsoft’s Group Policy Preferences (GPP). GPP allows admins to set passwords across the domain easily. It’s a great tool for administrators and an even better tool for hackers. Because all of the passwords are set the same they have the same has h and that means you only need to get one and pass it gleefully along to access all the others. He also pointed out a similar issue with Smart Cards. When enabled, the accounts create hashes that never change. They don’t expire either. Ever. He did end on a positive note offering scripts for changes the hashes and configuration tips to avoid these problems.
The last presentation I will mention was a very high level discussion of security incidents by Jason Healey, titled “Above My Pay grade: Cyber Response at the National Level”. Jason made the very interesting point that at a certain level a cyber incident stops being cyber and simply becomes a national incident. At that point it is treated like any other disaster or crisis and the decision makers may make some surprising decisions. In one insightful example, Jason described an exercise where his team proposed the ability to hack into the financial markets and destroy a week’s worth of data. When presented with this information, the decision makers responded that they would simply restore from the previous weeks data. There would be financial winners and losers but the market would survive. Jason noted that these are the same people who have to make snap decisions on recessions, natural disasters and other crisis. For them the cyber aspect starts to fade at a certain level and they are left with a crisis that needs an answer.
Jason provided a very detailed flow of how an incident can go from your SOC all the way up to the president. It was definitely not a ones and zeros presentation but it was a pretty insightful journey into how national incidents are handled.
Lastly, I’ll talk about the overall setup of the conference this year. Each attendee was issued a RFID card with their name on it. This card was used to provide vendors information and also to sign up to provide feedback on speakers. In each presentation room there was a RFID reader setup. If you badged in you were emailed a feedback form for that presentation. Blackhat seemed very interested in getting feedback on the presentations from attendees. The vendor area was moved to a larger space and was very slick. There were a lot of huge LCD displays, presentations and even a full out racing simulation complete with cars and steering wheels. The swag was plentiful and creative. I saw everything being given away from tiny RC helicopters all the way up to Iphone controlled AR Parrot 2.0 quadcopters. Even more noteworthy, were the many help wanted signs vendors were displaying. I’ve never seen that at Blackhat.
I learned a lot, got see some old friends and met some new ones. If you’ve never been, I highly recommend the experience. If you have been I want to repeat some advice I’ve seen several times online. Given the chance to see a briefing or have a cup of coffee with an experienced Infosec professional, take the cup of coffee!!