I’ve seen a lot of discussion of experience requirements and “entry-level” positions in the security industry lately. /r/netsecstudents and /r/asknetsec are full of threads discussing this topic, and I heard it being discussed at both BSidesLV and DEF CON this summer. The usual complaint is something along the lines of “all the positions want experience, so how am I supposed to get experience?” I’m going to take a stab at addressing this, and hope to at least provide some understanding.
I meant to write this post much closer to the end of Hacker Summer Camp, but to be honest, I’ve been completely swamped with getting back into the thick of things. However, I kept feeling like things were “unfinished”, so I thought I’d throw together at least a few thoughts from this year.
BSides Las Vegas
I can’t say much about BSides as a whole this year, as I spent the entire time Gold Teaming for Pros vs Joes CTF. (Gold Team is responsible for running the game infrastructure, scoreboard, etc.) It was a great experience to be on Gold Team, but I do miss having a team to support and educate. Overall, the CTF went fairly well, but there were a few bumps that I hope we can avoid next year.
BSides also announced that they are ending their free badges. In some ways, I’m disappointed, but I also understand the reasons they are doing this. Even though I’ve had a badge included with my participation in the PvJ CTF for years, I’ve also been a personal sponsor of BSidesLV for those years as well. I’m lucky enough to be well-employed in the industry that BSidesLV supports, and I want to support their mission. I hope others will do so as well, but I also want to try to find a way to support those who aren’t able to shell out for a badge. Once details are announced for badges next year, I’ll look for an opportunity to support passionate students in our community.
DEF CON 26
DEF CON 26 was an incredible event. I know there were some bumps and warts to it, but I had a great con. (Also, I think it’s the only conference I attend that I refer to simply as “con”.) The villages are my favorite part of DEF CON, and the villages were in rare form this year with the expansion.
This year was my first year speaking at DEF CON (as a village speaker) and I am incredibly humbled by the experience. To think that something I had done was seen as interesting enough for 150 or so attendees to choose to spend 45 minutes of their time listening to me really makes me feel like I’m making an impact. The audience was great, and thanks to the IoT village for having me. (Maybe one day I’ll get a DEF CON speaker badge to place on my wall of badges.)
I have hopes that next year, villages will have some way to divide their rooms or reduce noise for the presentations in their space. So many run another activity (a CTF, hands on activities, etc.) and the noise from that can be problematic when it comes to speakers in the same space. (I experienced this both as a speaker and as an attendee for the talks.)
I also hope that next year, DEF CON will have helped to work through the issues we had with Caesar’s security this year. A good friend of mine landed in hot water over a misunderstood tweet, and there were the obvious reports of “room checks” that were not going according to the established policy. (I’m not even a fan of the room checks, but rifling through guests’ belongings is completely unacceptable.)
Splitting across Las Vegas Boulevard was also not the best situation. I look forward to moving back to Paris/Bally’s and having Planet Hollywood join the con. (Plus, breakfast crepes!) Getting over to Flamingo was such an ordeal that I only went over there once, and it was a brief visit at that. The ICS village over there was really impressive, and I missed out on a chance to get a Car Hacking Village badge. Some of this was poor planning on my part, but also the sheer distance between the two conference areas made it anything but convenient.
I can’t wait until next year. I’ll begin my planning guide around the beginning of 2019 to try to provide support to those looking for travel information, and I have a feeling that DEF CON 27 will be an even stronger showing. Here’s to all the contributions of the hacker family!
Today I’m giving a talk in the IoT Village at DEF CON 26. Though not a “main stage” talk, this is my first opportunity to speak at DEF CON. I’m really excited, especially with how much I enjoy IoT hacking. My talk was inspired by the research that led to CVE-2017-17704, but it’s not meant to be a vendor-shaming session. It’s meant to be a discussion of the difficulty of getting physical access control systems that have IP communications features right. It’s meant to show that the designs we use to build a secure system when you have a classic user interface don’t work the same way in the IoT world.
(If you’re at DEF CON, come check it out at 4:45PM on Friday, August 10 in the IoT Village.)
I’ve spent an unhealthy amount of time over the past 6 months or so participating in the craze that is #badgelife. This year, I built badges for my Security Research Group/CTF Team: Attacker Community. (Because community is important when you’re attacking things.) Like last year, all of my badges were designed, assembled, and programmed by me. There are 24 badges this year, each featuring 8 characters of 14-segment display goodness and Bluetooth connectivity. I may not be one of the big names in #badgelife, but if you just make some badges for your friends, there’s a lot less pressure in case something comes up.
I actually thought I was done with the pre-con portion of my Hacker Summer Camp blog post series, but it turns out that people wanted to know more about “the most dangerous network in the world”. Specifically, I got questions about how to protect yourself in this hostile environment, like whether people should bring a burner device, how to avoid getting hacked, what to do after the con, etc.
So, is it “the most dangerous network in the world”? Well, there’s probably some truth to that in the sense that in terms of density of threats, it’s likely fairly high. In terms of sheer volume of threats, the open internet is obviously going to be a leader.
First off, the DEF CON network is really multiple networks. There’s the open WiFi, which is undeniably the Wild West of computers, and there’s the DEF CON “secure” network, which uses WPA2-Enterprise (802.1x) with certificates to verify the APs. The secure network also features client isolation. Additionally, the secure network is monitored by a dedicated NOC/SOC with some very talented and hard-working individuals. I would assert that being compromised on the secure network is approximately the same risk as being compromised on any internet connection.
So, there’s 0-day flying around left and right? Not so much. Most of the malicious traffic is likely coming from someone who just learned how to use Metasploit or just found out about some cool tool in a talk or workshop. Consequently, it’s unlikely to have much impact for those who patch and are security-aware.
What you will see a ton of is WiFi pineapples. People will go buy one at the Hak5 booth, and then immediately turn it on and try to mess with other attendees. It gets pretty old, pretty quickly. Just make sure you’re connected to the DEF CON Secure WiFi and this will be a minimal problem (maybe a denial of service).
In all honesty, the con hotel WiFi is a worse place to be than DEF CON secure, by a large margin. Plenty of stupid things happening there.
The minimalist carries a flip phone with a burner SIM. He/she maintains contact with friends using SMS or (gasp) actual phone calls. No laptop, no smartphone to be compromised. This is a great approach if you’re not going to participate in any activities that require tech on hand. If you’re going to hang out, listen to a few talks, and drink, this is the approach with no need to worry about getting compromised.
No, this isn’t about Burning Man, although DEF CON is kinda like Burning Man for “400-lb hackers in basements”. This hacker brings a burner version of everything: so a smartphone, but a cheap burner. This probably will get compromised, as their carrier hasn’t pushed a patch in 3 years. (And even before that, it shipped with some shady pre-installed apps that send all your contacts over plaintext to a server in China…). They also bring a $200 Dell or HP laptop with Kali Linux on board.
They connect to the first WiFi they see, never mind that it’s labeled “FBI Surveillance Van 404”. If you plan for your hardware to get pwned, it doesn’t really matter if it’s bad WiFi, right?
Of course, in order for this to work correctly, you have to never use your devices for anything sensitive. Hopefully the urge to check your real email doesn’t get too strong. Or maybe your card is suspended for potentially fraudulent activity (like that $300 SDR) and you decide to log in “briefly” to reactivate it. This route really only works if you can maintain good OpSec.
“Good Enough” Security
If you can set aside ego and assume nobody is willing to try using a $100k+ 0-day on you, you can get by with a reasonable level of security. This involves bringing a modern, fully-patched phone (iPhone or “flagship” Android phone), and optionally a well-secured laptop.
For the laptop, I’ve previously discussed using a Chromebook. Even with dev mode for crouton, I believe this to be reasonably safe from remote exploitation. This can also be cheap enough to be a disposable device. In my previous post, I suggested 3 Chromebook options:
Alternatively, you can get a cheap laptop and run fully-updated Windows 10 or Linux with a firewall enabled and be in a pretty good state for passive attacks over the network.
In either case, you should then run a VPN. I like Private Internet Access, but there are a lot of options out there, or you can even run your own OpenVPN server if you’re feeling adventurous.
There’s never a guarantee of security, but with updated devices & good security hygiene, you can survive the DEF CON networks. The basic elements involved are:
- Fully updated OS
- Be super careful
- Use a VPN
- No Services Exposed
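One concrete way to check the “No Services Exposed” item before you leave for the con, as an added example that is not from the original post: it parses `ss -tuln`-style output (a constructed sample is embedded; on your own laptop, pipe the real `ss -tuln` into `exposed_listeners`) and flags every listener bound to anything other than loopback, which is exactly what a stranger on the open WiFi could reach.

```shell
#!/bin/sh
# Pre-con audit for the "No Services Exposed" checklist item.
# Reads `ss -tuln` output on stdin and prints "proto local_address" for
# each listening socket bound to a non-loopback address (0.0.0.0, [::],
# or a specific interface IP). Anything printed is reachable from the
# conference network unless the host firewall blocks it.
exposed_listeners() {
    awk 'NR > 1 {
        addr = $5                       # Local Address:Port column
        host = addr
        sub(/:[^:]*$/, "", host)        # drop the trailing ":port"
        # 127.x.x.x (including 127.0.0.53%lo) and [::1] are loopback only
        if (host !~ /^127\./ && host != "[::1]")
            print $1, addr
    }'
}

# Constructed sample of `ss -tuln` output (not captured from a real box):
# a local DNS stub, mDNS on all interfaces, CUPS on loopback, sshd on
# all v4 and v6 addresses, and PostgreSQL on v6 loopback.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      4096   [::1]:5432         [::]:*
EOF
}

# Run the audit over the sample; returns the exposed lines on stdout.
audit_sample() {
    sample_ss_output | exposed_listeners
}

# Number of exposed listeners in the sample (0 is the goal before the con).
exposed_count() {
    audit_sample | wc -l | tr -d ' '
}
```

On a real machine the equivalent is `ss -tuln | exposed_listeners`; every line it prints is a service to stop, bind to 127.0.0.1, or block at the firewall before connecting to con WiFi.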
Good luck and see you at Hacker Summer Camp!