System Overlord

A blog about security engineering, research, and general hacking.

BSides Workshop

I probably should’ve posted this days ago, but on Monday, I’ll be teaching a Web Security workshop at BSides San Francisco along with Niru. While capacity is limited, we may have a few additional seats, so if you’re interested, drop by and see what we’ve got.

Workshop description:

Web applications can fail in a variety of ways, from Cross-Site Scripting to SQL Injection and more. Join us for a look at a variety of common web vulnerabilities, including Cross-Site Scripting, Cross-Site Request Forgery, Weak Authentication, Logic Errors, and more – and an opportunity to test your web hacking skills against a simulated online bank. We’ll be covering the vulnerabilities from the ground up, but a basic understanding of web applications (i.e., HTTP, HTML, and JavaScript) and browsers would be useful background.

Participants will need to bring a laptop. Prior experience with server-side programming and an understanding of how web apps are built is recommended.


BSides Seattle

These are just (essentially) my raw notes dumped from the talks I attended at BSides Seattle (2015-ish). Unfortunate I developed a migraine so I only caught the morning talks.

Active Directory

  • Use scripts to dump AD
  • Use scripts to sync with 3rd party providers
  • Lots of story, not much technical depth

Red Team

  • Presenter: Sean Malone, FusionX

  • Types of Security Assessment
    • Vulnerability Assessment
      • Find vulnerability
      • Limited Scope
      • Broad & Shallow
      • Cooperates with SecOps
    • Pentesting
      • Achieve Technical Compromise/Domain Admin
      • Moderate Depth
      • Techniques include Network, Application Assessment
    • Red Team
      • Narrow Scope
      • Whole Enterprise is In Scope
      • Techniques include Social, Physical, Technical
      • RT Objectives
        • Simulate Sophisticated Adversary
        • Achieve “Nightmare Scenario” without detection
      • Client Objectives
        • Understand resiliency
        • Risk reduction, not just vulnerability count
  • Effective Red Teams
    • Hyper-realism (go all the way)
    • Do No Harm
    • Zero-Knowledge
      • Offensive team does not use any inside knowledge
    • Zero-Notice
      • No notice to defensive team
  • Developing Steps
    • Adversary Scenario
      • Who?
        • Nation-state?
        • Commercial Competitor?
        • Hacktivist?
      • Why?
        • Steal information?
        • Destabilize?
      • Impact
      • Objective
      • Starting Point
    • Campaign Plan
      • Be Creative
        • Wide Variety of Approaches
        • Webapps
        • USB Drives
        • Social Networking
        • Legal limits: can’t bribe someone, can’t blackmail someone, etc.
      • Be Adaptive
        • Can’t know how everything will go
        • May have several different approaches planned out, use as needed
      • Be Resilient
        • Even if detected, engagement is not over
        • Keep different techniques/footholds isolated
      • Even if technique is known to work (phishing, link clicking, social engineering), there is value in doing it
        • Is it detected?
        • Can mitigations come into place in time to prevent lateral movement/escalation?
    • Scope
      • Think Globally, Strike Precisely
      • Whole Enterprise in Scope
      • Stay Focused
        • Only move towards objective
        • May not be linear path, but still move to goal
        • Exploiting unnecessarily increases risk of detection
      • Right to Audit clause in Vendor Agreements Critical
      • Client should not limit scope
        • Confirmation bias
        • If concerned about availability, pretty big sign that system is already too weak
        • Forcing red team into small box does not simulate adversaries
    • Rules of Engagement
      • Should not need to get pre-approval for every exploit/phishing email/etc.
      • RoE should allow autonomy to exploit, move laterally, and escalate
      • Client should still be informed, have ability to push “big red button”, but red team should not wait for ACK (too slow)
      • Attacker should have 24x7 window (again, better simulates real-world adversary)
        • Vulnerability in timing is just another vulnerability
      • Predefined rules for sensitive data
        • Access is necessary to simulate adversary; avoid unrealistic limitation that impacts the accuracy of the assessment
        • Expectation should be that Red Team may see any data on any system (IP, passwords, HR data, whatever)
        • Rules for what can be used (i.e., personal credentials generally off-limits)
        • Rules for how to dispose of data at end of engagement
        • Rules for where data can be moved (i.e., shipping PII outside network?)
        • Retrieve minimum number of records to demonstrate impact
        • Redact in report
    • Communication & Escalation Plan
      • Need-to-Know Basis
        • Statement of Work vague, have separate authorization signed by CISO to avoid leaking even to procurement team
      • Keep Blue Team in the dark (adversaries don’t call ahead!)
        • Can’t accurately evaluate detection & response if they know
        • Point of Contact should have visibility into SOC
        • If SOC is overwhelmed by exercise (+ real intrusion?), suspend exercise
  • Summary
    • Only executive has authority to approve something broad enough
    • Technical compromise doesn’t matter if you can’t show impact
    • Stay focused
    • Maintain OpSec
    • Keep objective in mind
    • Risk/Reward to get closer to objective
    • Agile, Adaptive, Opportunistic

Hacker Summer Camp Planning Guide

A couple of coworkers who have never been to DEF CON, BSides Las Vegas or Black Hat (collectively, “Hacker Summer Camp”) asked me about planning their first trips, so I decided to collect my tips here. I’m going to be splitting my advice into two parts: this planning guide for travel/scheduling/registration information, and a Hacker Summer Camp survival guide for advice that’s more relevant while you’re at the conferences.

Manage Your Energy

There’s a lot to do, the hours tend to be long, and unless you’re used to both the environment (typically hot, this is Las Vegas in August!) and the crowds, it’s going to burn a lot more energy than you’re going to expect. Two years ago, I attended all 3 of the conferences, helped run a company suite, and taught classes at R00tz (formerly DEF CON Kids). This was a serious mistake on my part, and failure to manage my energy adequately. I ended up not getting as much out of any of the events as I should have, and when I returned, I ended up sick for several days due to the toll of these events on my body. It was more than a full week afterwards before I felt fully recovered.

If this is your first time, don’t try to do everything. Firstly, it’s just not possible, and secondly, you will destroy yourself trying to do so. Prioritize, and make yourself okay with the fact that some things you’ll just miss out on. For myself, the most important parts of the week are:

  • Activities – I learn more by doing than by listening to some speaker try to tell you what he did in 45 minutes. I typically play in the BSides LV CTF and Capture the Packet at DEF CON. Others might find the DEF CON Shoot to their liking. (I’d probably like it too, but always end up busy on Thursday.)
  • Villages – Villages are a set of topical/related presentations and activities that are presented by people who are very into the particular topic. I’ll usually visit the tamper-evident village, lockpicking village, wireless village, and whatever is new. If you’ve never tried picking a lock, it’s really interesting just to see how the process goes, and the guys in the lockpicking village can tell you anything you wanted to know about any lock.
  • Networking – One of the most important aspects of DEF CON is networking, and it’s not just about lining up your next job. This industry is full of back-channel connections that help you get information, securely report a vulnerability, or help you find a solution to a problem. You’ll find out things that aren’t publicly known, learn who to talk to about esoteric technology, and generally meet some great people.
  • Talks – Talks are good and are obviously a core part of all of the conferences, but to me, they take a back seat to the above categories. This isn’t because I don’t like the talks (I do!) but because the other categories require your in-person presence and participation. Unless you want to ask the presenter a question, the talk won’t be recorded, or you really want to know about it before the recording becomes available, being there in person adds very little to the value of a talk.
  • Parties – Rumor has it that DEF CON, Black Hat, and BSides may also have parties. These rumors are completely unfounded. There is absolutely no partying, live music, alcohol consumption, or any other fun to be had in Las Vegas during these events.

Scheduling

Black Hat Briefings are Wednesday and Thursday, with trainings either Saturday-Sunday or Monday-Tuesday (or sometimes covering both for bigger trainings). BSides LV is Tuesday and Wednesday, with a pretty full schedule both days. DEF CON is Thursday-Sunday, but Thursday doesn’t really get started until the afternoon (and even then, the villages have not historically been open), and things start to wind down a little bit Sunday afternoon, so Friday and Saturday are the “core” for DEF CON.

1 Conference, 2 Conferences, 3 Conferences?

So which conferences do you want to go to? Well, that really depends on what you’re looking for. I strongly suggest not trying to do all 3: you’ll end up just half-doing all 3. (This is borne out by personal experience.) Here’s what I see as the tradeoffs:

Common Elements

All 3 conferences have excellent technical content, and many of the presentations will be at more than one conference. Many of the attendees will be at more than one as well, so you’ll be running in to the same people throughout the week.

DEF CON

DEF CON is, by far, the biggest of the 3 conferences – reportedly somewhere around 14,000 attendees. It has the most hands-on activities with the villages, and most of the parties (oh wait, what happens in Vegas stays in Vegas…). DEF CON is somewhere between casual and chaotic, and is, of course, the conference that started the whole week of Hacker Summer Camp 24 years ago. For me, DEF CON is the “can’t miss” part of the week, as it has the most learning opportunities, most social networking opportunities, and most of the people I look to catch up with will be at DEF CON. The Vendor area at DEF CON is not a trade show – it’s suppliers who will sell you tools, books, parts, lockpicks, t-shirts, and other things for the individual to use, rather than a “turnkey enterprise solution.”

Black Hat

Black Hat is the business side of the week. If you’re most comfortable in a shirt and khakis, then this might be the conference for you. If you need a large trade show-esque vendor area, they have it. The talks remain high-quality, but it’s definitely got the feeling of corporate-run, enterprise-focused, and very little “community.” It’s also worth noting that Black Hat is an order of magnitude more expensive than DEF CON, so that may influence your choices.

BSides Las Vegas

BSides LV started as the “B-Side” to Black Hat: an opportunity for smaller presenters, attendees without the budget for Black Hat, and more. It’s grown into a network of regional conferences, and has expanded to a number of tracks of talks in Las Vegas. Most interestingly, they have a track dedicated to first time speakers, so you can get to meet some up and coming presenters and support those new to the scene. BSides is the most calm and laid-back of the 3 conferences, and a very casual environment. BSides is also the cheapest ($25 last year, if I recall correctly) and held at a hotel with dirt-cheap room rates ($49/night or so), so is clearly a way for a hacker on a budget to enjoy hacker summer camp. (They also offer a shuttle between the BSides hotel and DEF CON, so you can enjoy their low room rate all week!)

Travel

I’m told driving to DEF CON can be a great deal of fun when done with the right people, but I haven’t managed to do so myself. I imagine doing it yourself isn’t much fun. Do keep in mind that you’ll be driving through the desert, so a reliable vehicle is a must, and bring water, just in case.

Las Vegas, as a center of tourist travel, has relatively convenient air travel options from pretty much anywhere. From the SF Bay Area, there’s several direct flights a day from any of the 3 local airports, and on several airlines, and it’s just over an hour gate-to-gate. Keep an eye on airfare early and look for deals – booking early can easily save more than $100 on airfare. When planning, particularly for your departure from Las Vegas, please keep in mind that DEF CON travelers on Sunday evening are numerous enough to cause significant delay at airport check-in and security, so allow extra time.

Hotel

There’s two schools of thought on hotel: stay at the conference hotel (for one of the conferences, if doing more than one), or stay away from the conference hotel. I personally prefer the DEF CON hotel (i.e., Bally’s or Paris for DEF CON 24), but I’ll review the pros/cons of each so you can make up your own mind:

Staying at the Conference Hotel
  • (Pro) You can easily get back to your hotel room after evening “social activities”.
  • (Pro) It’s easy to dump stuff in your room so you don’t have to carry everything around. (This can be somewhat mitigated if you have a friend staying there.)
  • (Pro) It’s fun to meet random people from the con around the hotel.
  • (Pro) Usually, DEF CON sets up “DEF CON TV” to the rooms in the DEF CON hotels, which will live stream the talks, so if there’s one you really want to see but the room is slammed, you can watch it from your room. (Or you can hang out with some new friends, drink a couple of beers, and watch talks from your room.)
  • (Con) Everywhere at the hotel will be busy. Everywhere. Every bar, restaurant, and shop, will be slammed at all hours. Seriously.
Staying Elsewhere
  • (Pro) You get a break by getting away from the conference. This can be a good option for introverts. (Though I personally find going to my room enough for that – I usually need to do so about once per day to mentally recharge.)
  • (Pro) You can often find much better deals off site, especially if you start looking early. DEF CON even has room block that is close by, but not Paris/Bally’s, and is generally cheaper than those hotels.
  • (Pro) Food options will be much less busy than at the conference hotel.
  • (Con) You’ll need to get back and forth to the conference, which may negate some of the potential savings. (You may think you can walk, but temperatures during this week often exceed 100°F (38°C))

Other Things to Be Aware Of

  • As of DEF CON 24, registration is $240, cash only at the door. Since DEF CON 20, pricing has fairly consistently been ($year * $10) – so $200 at DC 20, $220 at DC 22, $230 at DC 23, and this year will be $240 for DC 24. While historically, there have been crazy waits for badges, registration got much better with DEF CON 23.
  • Currently, even numbered years get electronic badges, and odd numbered years get non-electronic badges. The electronic badges tend to run out, so you may want to make sure you get a badge on Thursday (they’re usually good through Thursday) if that’s important to you.
  • International travelers: Las Vegas basically runs on tips. Nearly everyone expects to be tipped.
  • Be an active participant. I’ve personally spent too much time not participating: not talking, not engaging, not doing. You won’t get the most out of this week by being a wallflower.

Resources

There are a lot of resources for finding out more about what’s going on. Obviously, the conference websites are your first stop, but as DEF CON is a large community event, there’s also more opportunities out there:

Conclusion

I hope this proves helpful to those new to DEF CON. Get out there, meet people, and have fun. If you’re a seasoned veteran and see some suggestions I’ve missed, please email me or find me on twitter: @matir with your suggestion and I’ll add it.

Thanks to the @dc404 group for some of the additions and suggestions!


Time for More Changes

This isn’t the first time I’ve changed blogging platforms, and it probably won’t be the last. I got tired of having to do maintenance on a blogging platform, so I decided to look for something lightweight. Enter Jekyll.

Jekyll is basically a static website compiler – it takes templates and content and produces static HTML output. No databases, no runtimes, no attack surface (beyond a static webserver). Given that I don’t mind writing in Markdown (in fact, I was using a Markdown plugin for Mezzanine), it seemed like a perfect fit. I wrote a quick script to get content out of Mezzanine/Django and export as HTML/Markdown, then spent some time tweaking the settings and theme (based on Hyde).

I’m going to be setting a goal to blog at least once a week, so watch this space for updates. And if you notice something odd going on (I know there are some issues with old posts and code blocks) please email me or ping me on Twitter.


Offensive Security Certified Professional

It’s been a little bit since I last updated, and it’s been a busy time. I did want to take a quick moment to update and note that I accomplished something I’m pretty proud of. As of Christmas Eve, I’m now an Offensive Security Certified Professional.

OSCP Logo

Even though I’ve been working in security for more than two years, the lab and exam were still a challenge. Given that I mostly deal with web security at work, it was a great change to have a lab environment of more than 50 machines to attack. Perhaps most significantly, it gave me an opportunity to fight back a little bit of the impostor syndrome I’m perpetually afflicted with.

Up next: Offensive Security Certified Expert and Cracking the Perimeter.