Blink: The Network Perimeter is Gone

BSidesSF · 2015 · 50:43 · 34 views · Published 2023-12
About this talk
The traditional network perimeter has dissolved as IoT, mobile devices, wireless protocols, and cloud connectivity proliferate unchecked. Rick Farina examines how corporate networks now contain unmonitored smartphones with attack tools, printers with default Wi-Fi, wearables leaking data, and third-party managed infrastructure pulling configs from the internet—all while security teams cling to layer-3 perimeter defense. The talk argues for abandoning outdated boundary-based security in favor of comprehensive data tracking and real-time visibility across the entire wireless ecosystem.
Original YouTube description

*Blink*: The Network Perimeter is Gone
Rick Farina (Zero_Chaos)

In the past, network device awareness (SANS Critical Security Control #1) was achieved through asset monitoring, vuln scanning, Network Access Control (NAC), device authentication, and network/wireless intrusion detection. Unfortunately, the Internet of Everything has spawned a little-understood and ever-expanding threat vector - the massive proliferation of broad-spectrum wireless, mobile/micro, transient computing devices:
- Corporate-sponsored BYOD mobile phones/tablets, wireless APs, MiFis, microcells
- 4G/LTE, Bluetooth, & RFID/NFC-enabled consumer devices
- Micro, ultra-portable, & wearable computing devices
- Wireless thermostats, burglar alarms, IP cameras, UAVs/drones, heating/cooling systems, power distribution, & industrial automation
- A rapidly-expanding market of low-cost, plug-and-play cyber espionage devices, the "Internet of Evil Things"

This attack surface has expanded beyond the visibility of today's monitoring and intrusion detection systems. Yesterday's defenses are no longer adequate. Come learn all the ways criminals are getting access while bypassing all alarms and monitored networks. New attacks and possible defenses will be shown live.
https://bsidessf2015.sched.com/event/2txM/blink-the-network-perimeter-is-gone

Transcript [en]

Well, first of all, Edwin will beat me to death if I let her get away with saying I'm the director of engineering. I'm the director of research and development, but that's okay, that's not my fault, I didn't submit that, Edwin, I swear I didn't submit that. Oh man, I should have slept last night. How are you all doing today? I don't know why you're all here, but I really appreciate that, especially since the last couple of talks I gave are all basically in the exact same vein: it's me getting unhappy about something in general and just kind of ranting about it because it pisses me off, and I think that other people should

you know, share the fact that I'm pissed off. I think we should all be a little bit more pissed off, because quite frankly the world out there sucks and we all suck, and that's why I'm here to talk to you: because we suck and we should all get better, and quite frankly if nobody ever tells us how much we suck we will never try any harder. At least I know I don't. So we'll just go ahead and... oh my God, who left slide transitions on? That'll be fun today. All right, so a quick review: what on Earth are we all thinking? How many IP addresses do you have on you right now? I mean, like, right now. Okay,

maybe not just IP addresses. I mean, okay, I've got the Wi-Fi on my phone's got one, and then the cellular's got one, and then I was sharing it to some other devices last night over USB, so I had like three on just my phone. Let me think about MAC addresses too: I've got a smartwatch on, got a Fitbit on, you know, I got to get the work week hustle with all my friends, right? It's really important. We're just completely surrounded by devices and connectivity all the time, and we all know it, but we're not really handling the security for any of that stuff. We're just like, ah, you know, it's fine. I mean, just because I have 10

devices connected to my personal area network doesn't mean that I'm less secure, in some magic fairyland that we all convince ourselves that this is okay as we buy the newest gadget from Crapple or whatever. Man, these slide transitions are really going to help me lengthen out my talk, I really appreciate that. So realistically, what do you have in your environment at any given moment, right? You've got cellular, you got Wi-Fi, Bluetooth, all of these different things that we're reasonably cognizant of, but what else do you have in your environment? Okay, some of the phones have NFC, some of them have infrared, sometimes there's an infrared laser mic pointed at the window

of your office building. I guess I'm in San Francisco, not DC, so maybe that one doesn't play as hard, but in DC they're like, oh [ __ ]. Okay, ZigBee, Z-Wave, you know, all these control systems, alarm systems for your house, UHF radio, VHF radio. I put my UHF radio down, but there's quite a bit of that going around here, especially because they gave me a radio, I don't know why, so I have an awful lot of spare time because I didn't spend much time on this, so you know, you just sit there and you play with the radios. And this is just constantly penetrating the world around us, so many

different ways to connect from one device to the next, whether it's voice or data or whatever it happens to be, it's just completely surrounding us all the time. Yet we all think that we have a handle on network security, you know, as long as we're talking about Ethernet, right? As long as the only thing that exists is Ethernet we totally got the problem solved, because... oh wait, no we don't, we're not even close to handling that, are we? Okay, yeah. So we could just keep talking about different technologies all day, right? I actually was writing this list and then we put it on the slide and then we realized we couldn't read anything, so it's just

depressing how many technologies are out there to connect us that we're just simply not monitoring. Is she doing a live caricature? Because that would be awesome. That's not disturbing at all. So what's securing you at all right now, today, right? We all are in network security or some kind of application security, I can see you too, okay, we're all in some kind of security. We've all got all this stuff to protect us, we've got VPNs, firewalls, all of this garbage, right, that's theoretically going to protect us on our local network, maybe stop a couple of the bad things from coming in from the internet. A whole lot of my friends just kind of

block all of China and they say that that works pretty well. I don't know, IP addresses are very confusing to a layer-two guy, I just stick with MAC addresses: just block all devices made in China, that definitely solves the problem. But does this really make any sense at all? How much do you really see with all this traditional stuff? I mean, we've got some really impressive companies making things right now to just do some amazing things. My friend, the first thing he does on every pentest is he tries to make an SSH backdoor through port 443, and assuming that establishes, he immediately fails them, because here's a protocol going out

on the wrong port, you're clearly not checking for anything like that, and it's just like, well, it's encrypted, we're good. That's not egress filtering, right? That's an instant fail. But they're like, well, we have a firewall, it went out 443, it was encrypted, what more can you ask for? Well, maybe make sure it's the right protocol. I mean, it's not like companies don't exist that make this kind of gear, but we don't even use that really. So what do we actually see today? Okay, so what is really being monitored, right? It's Ethernet. You look at the enterprise environment, you're monitoring an Ethernet network, you're monitoring maybe, maybe Wi-Fi, maybe in both bands, probably
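One way to implement the "make sure it's the right protocol" egress check the speaker is describing, as an added example that is not code from the talk or from any product mentioned in it: classify the first client-to-server bytes of each outbound flow and flag anything leaving on 443 that is not a TLS ClientHello. The policy table, flow records and addresses are constructed for the example.

```python
"""Egress protocol-vs-port check: flag flows that leave on 443 but do not
start with a TLS handshake (e.g. an SSH session tunnelled out on 443).
Added example, not from the talk; sample flows below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes of the flow


# Which application protocol is expected on which egress port
# (assumption for this example; a real policy comes from your egress rules).
EXPECTED = {443: "tls", 22: "ssh", 80: "http"}


def classify(payload: bytes) -> str:
    """Guess the application protocol from the first payload bytes."""
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04) and payload[5] == 0x01):
        # TLS record type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
        return "tls"
    if payload.startswith(b"SSH-"):
        # RFC 4253 identification string, e.g. b"SSH-2.0-OpenSSH_8.9"
        return "ssh"
    head = payload.split(b" ", 1)[0]
    if head in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"CONNECT"):
        return "http"
    return "unknown"


def audit(flows):
    """Return (flow, observed_protocol) for every flow whose payload does not
    match what the egress policy expects on that destination port."""
    findings = []
    for f in flows:
        expected = EXPECTED.get(f.dport)
        if expected is None:
            continue  # port not covered by the policy table; handled elsewhere
        observed = classify(f.first_bytes)
        if observed != expected:
            findings.append((f, observed))
    return findings


# Constructed sample flows (addresses from documentation ranges)
TLS_CLIENT_HELLO = bytes.fromhex("160301") + b"\x00\x2c" + b"\x01" + b"\x00" * 43
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, TLS_CLIENT_HELLO),              # normal HTTPS
    Flow("10.0.0.7", "198.51.100.23", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH out on 443
    Flow("10.0.0.9", "203.0.113.44", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),
    Flow("10.0.0.9", "203.0.113.44", 443, b"\x00\x00\x00\x00garbage"),    # unknown on 443
]

if __name__ == "__main__":
    for f, proto in audit(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} expected {EXPECTED[f.dport]}, saw {proto}")
```

A first-packet classifier like this is deliberately simple; production gear does the same job with fuller protocol parsing, but the point stands that the port and "it's encrypted" alone tell you nothing.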

not. Okay, so just the amount of chuckling in the audience requires me to take a poll. Who's got Wi-Fi installed? Most everybody, okay. Now keep your hand up if you have a Wi-Fi intrusion detection and prevention system, and keep your hand up if it is doing full-time monitoring and not access point duties. One and a half? I don't know if you count, I think you might be full of it, I know you too well. What do you have personally? "I don't really use Wi-Fi." But okay, so he doesn't use Wi-Fi but he's got a monitoring system 7x24, that is impressive, that is really important. Okay, the point is, does this list seem

a little bit short? I could have sworn there was a slide earlier in the presentation. I've got a very short memory, I didn't sleep much. There might be more to life as we know it than Cat 5 and 2.4 and 5 GHz Wi-Fi. Might be. There's definitely like a hundred and some little 2.4 GHz drones that they passed out. Did anybody else notice that those were on channel 13 for Wi-Fi, just above the spectrum where all the access points are here? Anybody else have a HackRF with them? Anybody else pull the batteries out of the remote before they got themselves into trouble? Little things. So what about you personally? Forget the enterprise, they've

got all the cool toys, right? What do you have in your house? I know what I have at my house, it's an embarrassing list. What about like a Nest, nice little thermostat connected to your Wi-Fi and your heating and cooling system, probably legit, right? Dropcam, some kind of a physical security system, or a garage door opener. What are all these devices? They're all completely next to impossible to update for the standard consumer, completely unpatched to any vulnerabilities. I know that every time I plug in my Dropcam to reconfigure it for a different Wi-Fi network it says like Linux 2 2.49 or something awful like that, it says it in the USB descriptor, and I just

like, I paid money for this too, right? So what do you do with all this stuff? You have all of these things constantly surrounding you. Who's monitoring their home network? Are you monitoring the Wi-Fi airspace in your house? How about Bluetooth? What about that really sweet security system, it's only $99 installed, right? We're just going to put these wireless sensors on all your doors and windows and it's completely foolproof for the installer who has a third grade education, right? What about a garage door opener? Do you lock the man door that lets you in from the garage into the house, or do you just kind of, well, you know, there's this heavy

door, I'm sure nobody could possibly replay my garage door code, right? We don't really look at all of this stuff, we almost pretend that it's invisible, and it's really, really disturbing to me the amount of technology that all of us use every day that we completely take for granted that is horrifically insecure. If you're really bored I highly recommend YouTube. Not only are there awesome cat videos but you can find all kinds of stuff, SDR being my personal favorite hobby at the moment. You can find all kinds of great uses for software-defined radios, things like HackRF and bladeRF, to not just make yourself a fake cell tower but to open car doors

and things like that. They got some really great videos on how to energize an NFC tag from far away and replay it to something close by, so that like you're in your house and your car key is in your house, but I can point and energize your car key, read it, and then replay it into the door and just open your car and walk away. That's probably bad. I mean, my car is not that nice personally, so I mean it might be good for me, I have the 2007 Altima, so like if it was stolen maybe it would be better off. But we'll talk later, yeah. There's some really, really entertaining car hijacking

SDR videos out there, and I'm not going to steal anybody else's thunder, but I've spent hours watching just the car hijacking ones and it's awful, awful. So we've only been talking so far about what I would call approved or authorized devices, that's things that you deployed on purpose, right, devices that you know exist. Like I know I bought this watch, I might not necessarily consider it a network device, but I know I bought this watch, I know that I have a cell phone on me, I know that I've got three access points in my backpack, don't ask. But what about everything else? There's all the things that you intentionally bought and deployed on the network. What about the things that,

like, well, you know, marketing people all use Macs, right? That's a fairly standard thing, because artists use Macs, and I guess some people who pretend to be hackers, a lot of people use things like that. And you know, Best Buy, when you buy the MacBook Pro, the sales guy is always going to tell you that this thing works way better with the Apple AirPort Extreme access point, right? So you have to buy one of those too. So you get the dual band AC one that's completely default, wide open, unencrypted, and you just plug it in, and you know the Mac auto-connects to the AirPort, and you say, I set up my own network, and then the

marketing team proceeds to use that to share files, because you know the corporate network's only 802.11n and you know these PowerPoints are really big, they take a long time to transmit, so we're going to use this AC access point because it's a lot faster, and I mean, we set it up ourselves, IT doesn't even have to know, it's fine, right? That happens in enterprises more than a little. And that's not even considering the actual malicious devices that are placed, like if I were to, say, work for a company that makes penetration testing hardware occasionally, and I were to like go and pretend to be a repair guy and put a little NAC bypass transparent bridge

man-in-the-middle device behind your printer and tell everybody it's a power conditioner or whatever. I mean, I don't do that, I sit in an office and type mostly on IRC, but don't tell my boss

that. So malicious devices: you've got your rogue access points, your very favorite, you know, people planting access points on your network, whether they are your marketing team, your employees, or whether they are some guy that broke in. I used to do Wi-Fi security professionally for just about a decade actually, and my favorite thing to do in a room of people doing Wi-Fi security was to ask this question: who has seen an actually deployed, maliciously rogue access point, like somebody broke into the building, deployed an access point, and then left the building? Okay, so you're a spook, you're a spook, you're... that was easy, thanks guys. I normally do this in DC and nobody's ballsy enough to raise

their hand, but the truth is 99% of the time it's just deployed by some employee, it's an accident, whatever. You said

anybody who did not deploy it themselves and saw a maliciously placed rogue access point? Like, oh yeah, I saw it, I just plugged it in. That doesn't count, good show though. I will choose my words more carefully for this particular audience. So things like Wi-Fi keyloggers. We actually had a rogue device scavenger hunt at my office two weeks ago, and we planted a whole bunch of stuff and just kind of left it around, just to give everybody the opportunity to try to play James Bond, try to find all this weird spy gear. And I mean, this stuff is tiny, it's undetectable, it could connect to your Wi-Fi guest network, it could offer an

access point that's not connected to your network in any way, it could connect to the neighbor's Wi-Fi guest network and just be exfiltrating passwords all day long. What are you doing about things like that? And don't even tell me you didn't know they existed, because nobody here is shocked in any way as I'm describing this device, but I'm willing to bet that nobody's actually actively doing anything for that, unless you happen to have silvered window film in your environment, in which case, again, spook. Even things as simple as a Wi-Fi Pineapple, okay. Wi-Fi Pineapple, just for those who don't know, is an access point that simply says yes all of the time. I'm looking for this AP? Oh yeah, that's me.

I'm looking for this AP? Oh yep, that's me too. And it just collects all of the clients to it. Okay, so we talked about what traditional network security is, that's, you know, firewalls, antivirus, HS, you know, all this basic stuff that's on your network. As soon as all of your clients are connected to somebody else's network, whether it's the neighbor's guest network or an attacker-controlled network, what do all of those network security devices see? Nothing. Now I know that we're all pretty smart and we all know how to connect our laptops to different access points, and we can connect our cell phones to different access points, and we can turn on the hotspot feature

on our cell phone and we can connect our laptop to it and things like that. We're not the only ones that can do that, the norms can do it too. I know, I know, like the Muggles, they can actually do this, they know how to turn hotspot on on their iPhone and connect their laptop to it, most of the time completely unencrypted, right? But they can do this stuff, but who's actively preventing it? Show of hands. All right, I spooked the three spooks because they're not even raising their hands anymore. That means I'm doing my job and I like that. So what's the problem? The problem is, as always, our lexicon. Think about

password versus passphrase. As long as I say pass-word, what comes to your mind? One word, something reasonably short, so we're going to make it ridiculously complex, we're going to replace random letters with numbers and add special characters and make it all leetspeaky, and it's going to be so bloody complex that you can't remember it. But that's cool, because we know you're going to make a short password anyway, so we're just going to force you to change it every 37 seconds, so you're just going to put a new sticky note under your keyboard every day and remember it. Whereas if I say pass-phrase, you realize that you can take a different set of song lyrics from

your favorite artist every 90 days or so and you end up with a 30 freaking character password that is painfully easy to remember and still infinitely more difficult to crack than that eight character gibberish you were trying to play character replace with. I

Some of the password crackers actually do look for, you know, standard English stuff now, but even still, when you're looking at a 30 character passphrase, brute forcing it is painful. And then you add in little things like proper punctuation. My mother was an English teacher, so there's typically a couple of commas in my passwords, possibly a question mark, the difference between "is" and "are" is very important. Sometimes I have to correct the song lyrics because Mom would not be proud. But we're not talking about passwords, we're talking about network security. So what do people really talk about when they're talking about network security? Normally the terms are trusted and untrusted. That would be the green ports

on the firewall and the red ports on the firewall. What do those actually mean? Does it mean you can trust this side and not this side? Well, that's the way we teach it, right? But that's not correct, that's not even close to correct. It's pretty much literally: this is inside my network and this is outside my network. You have no idea if what's inside your network is actually any more trustworthy than what's outside your network, but you're going to totally draw a randomly placed line in the sand and say this is my network perimeter, and everything on the outside is bad and everything on the inside is good, and as long as they don't talk to each other we're

straight. But does that work? No. But is that what we keep doing? Yeah. So think about the latest trends in technology: you got your smartphones, your tablets, your BYOD. I am not going to name names, but the BYOD thing is super awesome, right? It means that the corporation doesn't have to own any assets anymore, so as long as the corporation doesn't need to own any assets anymore we don't have to worry about depreciation and [ __ ] like that, so we can simply say, okay, I'm going to give you 1,500 bucks, you go buy whatever you want and just go ahead and connect it to my network, and it's totally great. And if you want to bring in your personal

phone and just connect it to the network too, that's great, you can get corporate email on there, just going to download our MDM agent, it's going to make sure you're encrypted, everything's fine. Well, you know, maybe that's not the smartest way to do it. So here's what we're going to do: we're going to take the inside, like the trusted, we're going to take the outside, the untrusted, we're going to make another little VLAN network perimeter segment and we're going to keep all that on the outside, and we're going to let all the BYOD devices connect to that, but you can't reach any corporate resources from there. So what you're going to do is you're going to VPN from

that outside spot right back into the middle of the network where everything's trusted and you have full access to everything on the inside, and that'll work perfectly. So we're going to segment you by putting you outside and giving you a direct tunnel to the inside, so you're inside the network. Who's seen that network design? Okay, that's almost everybody. Who thought it was a good idea? I honestly don't even get it. You're literally building an outside network segment that is only for the purposes of getting you enough connectivity to VPN back into the inside. You may as well just put them directly on the inside. It's the same Active Directory credentials that can

authenticate them to the Wi-Fi or the VPN. What have you done? You have made two encrypted tunnels instead of one and cut your data rate in half, and I mean, like, the iPhone can't exactly do fast encryption to start with, right? So I mean this is not helping anybody, it doesn't make sense, it's not even well thought out. It's super well documented though. I can't count the number of network models I found, and they all had a company name on them and I elected not to show one, but it doesn't make any sense, it doesn't even make any sense in the way we intended to design it, it doesn't actually segment squat, literally nothing. But then completely forget the

fact that it doesn't work the way we intended to do it, it doesn't work for like a thousand cases beyond that as well. There's too many different levels of connection to actually have that solid line and say this is inside and this is outside anymore. Okay, this is where it starts to get kind of fun. So is the perimeter kind of blurry, or is it just entirely non-existent? So you've got cordless phones that are just kind of transmitting what you're talking into the airwaves. You can decode all of them, all of them, all of them. Not going to say I do, but I'm saying you could, right? Network printers: who's got an HP network printer? Who noticed that it comes with

Wi-Fi by default? Who noticed that the Wi-Fi is on by default? Who noticed that 37 printers are all part of an ad hoc network called HP setup? I've seen that network design, it's great, you just connect to the ad hoc network HP setup and you say I want to print something and like 37 printers respond to you, it's awesome. So if you're connected to the wired network and you've got a wireless access point offering services, and I connect to the wireless access point offering services, and the printer is basically a really cheap Linux box that never gets upgraded: bad, bad, we'll go with bad. Smartphones, one of my favorite things, and I apologize, I'm a Pwnie employee, but
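The Wi-Fi Pineapple behaviour described earlier (one AP answering every probe request) and the printers' default ad hoc network here are both visible to a passive monitor of the airspace, which is the full-time Wi-Fi IDS duty the speaker polled the room about. The following is an added example, not code from the talk or from any product it mentions, of an audit over a constructed capture summary; the approved-AP list, BSSIDs, SSIDs and the SSIDs-per-BSSID threshold are assumptions.

```python
"""Wireless airspace audit over a capture summary. Flags:
  (1) one BSSID answering probes for many different SSIDs (catch-all AP),
  (2) ad hoc (IBSS) networks such as a printer's default setup network,
  (3) infrastructure BSSIDs not on the approved inventory (rogue AP).
Added example, not from the talk; frames and inventory below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    kind: str      # "beacon" or "probe_resp"
    bssid: str
    ssid: str
    mode: str      # "infra" (ESS) or "ibss" (ad hoc)
    channel: int


# Hypothetical inventory of the APs the organisation deployed on purpose.
APPROVED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
# Distinct SSIDs one BSSID may legitimately answer (multi-SSID APs); above
# this it looks like an AP that says "yes, that's me" to every probe. Assumed.
MAX_SSIDS_PER_BSSID = 4


def audit(frames, approved=APPROVED_BSSIDS, max_ssids=MAX_SSIDS_PER_BSSID):
    """Return a sorted list of (finding, bssid, detail) tuples."""
    ssids_answered = defaultdict(set)   # bssid -> SSIDs seen in its probe responses
    infra_bssids = {}                   # bssid -> last SSID advertised (ESS)
    ibss_networks = {}                  # bssid -> (ssid, channel) for ad hoc nets
    for f in frames:
        if f.kind == "probe_resp":
            ssids_answered[f.bssid].add(f.ssid)
        if f.mode == "ibss":
            ibss_networks[f.bssid] = (f.ssid, f.channel)
        else:
            infra_bssids[f.bssid] = f.ssid
    findings = []
    for bssid, ssids in ssids_answered.items():
        if len(ssids) > max_ssids:
            findings.append(("catch_all_ap", bssid, f"{len(ssids)} SSIDs answered"))
    for bssid, (ssid, ch) in ibss_networks.items():
        findings.append(("ad_hoc_network", bssid, f"ssid={ssid!r} ch={ch}"))
    for bssid, ssid in infra_bssids.items():
        if bssid not in approved:
            findings.append(("unapproved_ap", bssid, f"ssid={ssid!r}"))
    return sorted(findings)


# Constructed capture summary (BSSIDs are made up for the example)
SAMPLE_FRAMES = [
    Frame("beacon", "00:11:22:aa:bb:01", "corp", "infra", 6),
    Frame("beacon", "00:11:22:aa:bb:02", "corp-guest", "infra", 11),
    Frame("beacon", "f4:5c:89:00:00:01", "Marketing AirPort", "infra", 149),  # rogue AP
    Frame("beacon", "02:1a:2b:3c:4d:01", "hpsetup", "ibss", 6),              # printer
    Frame("beacon", "02:1a:2b:3c:4d:02", "hpsetup", "ibss", 6),              # printer
] + [
    # one BSSID answering probes for whatever SSID clients happen to ask for
    Frame("probe_resp", "00:c0:ca:00:00:99", ssid, "infra", 1)
    for ssid in ("corp", "attwifi", "xfinitywifi", "Starbucks", "HomeNet", "linksys")
] + [Frame("probe_resp", "00:11:22:aa:bb:01", "corp", "infra", 6)]

if __name__ == "__main__":
    for finding, bssid, detail in audit(SAMPLE_FRAMES):
        print(f"{finding:15} {bssid} {detail}")
```

The catch-all AP here shows up twice, once for answering six different SSIDs and once for simply not being in the inventory, which is the cheap check that catches the marketing team's AirPort as well.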

I thought this was funny before I joined Pwnie so I'm going to share it. The smartphones, whether it's a Pwn Phone or a Pwn Pad or any Android device that has got some really entertaining hackery stuff on it, the best thing in the world is you take this to work and they say, oh yeah, you can totally get your email on there, you just need to install my mobile device manager, and you say, oh sweet, no problem. You install the mobile device manager and now you are authenticated on the network with your Android device and a full suite of attack tools. And I mean, battery life's not awesome, but I mean I can do an awful lot in four hours before

the battery dies, and that's if I'm going really hard. I mean, if I'm like kind of bored and leave the screen off a bit, maybe I can get six, almost a full work day just from my phone of hacking you to death. Maybe it took me an hour to get the MDM to work properly, that seems reasonable, right? Forget the damage I could do with the phone as an attack platform; which side of the perimeter is the phone on in the first place? If it's connected to my corporate network and it's getting corporate email and things like that, obviously it's on the trusted side, right? But I could just switch the Wi-Fi from being a client to being an

access point, I can connect my laptop to the access point that the cell phone's offering, and I can exfiltrate everything I want over 4G. So 10 seconds ago I was inside the network as a trusted provider, and now I'm outside the network exfiltrating data as fast as humanly possible, which at 4G ain't half bad, right? So what is that device? Is it good, is it bad, is it trusted? It's got an MDM on it. It doesn't work, right? There's no proper definition for this at all. So whether it's a jailbroken, a rooted phone with badness on it, whether it's got Wi-Fi turned on and you're using it to... I mean, you could be playing

Angry Birds, or you could be going to fantasy football or Victoria's Secret or whatever you do during the work day on your lunch break. What about cloud technology? What's cloud technology mean? Cloud technology means that you've got this device on the inside of your network that is going to call out to the untrusted internet, download all of its configuration back down into your enterprise. I'm going to stop for just a second until you all start laughing, catch up. This is awful, this is absolutely awful. We have this whole fantastic network design that depends on this secure perimeter, and literally the configuration of half of our security devices is being pulled from the untrusted side.

One step worse: managed security equipment. What about when you're paying somebody else to manage your firewall or your data loss prevention system? You've got a device to protect you from bad things coming from the internet that pulls its config from the internet and then sends all the interesting data up to the internet for somebody else to read. One person still paying attention, and I appreciate that, miss. Work on the delivery? Work on the delivery, is that the problem? I have slept enough for one person in the last three weeks, one night or so, yeah. theoc thank you Penn, I really appreciate that. Penn Jillette wants me to pimp his movie. Okay, so third party managed gear,

like managed infrastructure. But again, we're talking a lot about corporate stuff, think back to your own house. What do you have at home that's managed by a third party? Anybody here have a cable modem? How about a Verizon FiOS Actiontec router? Did you know that it automatically pulls firmware updates even though you tell it not to? I found that out, that was really, really cool. Yeah, it's not allowed on my network anymore, it's segmented into its own little spot. Yeah, but that's the problem: the problem is there is no perimeter. This is not a blurred line at all to me, this is completely, absolutely gone. There is no trusted side of my network, there is no

untrusted side of my network. I don't even implicitly trust single devices, because that device could be compromised at some point, right? It's really not something safe to say, assume, design around. And yet we still keep pushing these ideas of, well, you just make a VLAN and firewall it off, and you know, I mean, PCI says... I'm just going to stop there before I get myself into trouble. So there isn't a perimeter. I'm super sad to see it go. I've been doing Wi-Fi for a while. Wireless technology in general has generally ruined our lives, no security makes any sense anymore. When we used to have like sweet BNC loops that we could connect all the computers to and

you could tell if somebody cut into your network, that was a good spot to make a perimeter, you could make sense of that. As soon as all of this other wireless stuff started existing it just doesn't work. We had a near comical conversation upstairs about this: wireless goes through walls, everything is wireless, wireless is energy, energy is physics, physics just keeps on going and ruining your life, right? I mean, it's a transmitter, it goes as far as it feels like going and it stops, and there's some kind of black magic that determines how large an antenna I can make; it magically goes farther. And I mean there is no way to easily handle

this. Again, silver film on the window guys aside, this is a very difficult problem, not just for enterprises but for people in general. My phone is calling out to the internet right now getting my emails, and my marketing staff is telling me that I probably should have prepared more for my talk. It's a really big problem. For instance, my company has a really interesting policy: there's no Bluetooth or Wi-Fi allowed to be used at conventions like this, because, well, you know, there's a lot of Bluetooth hacking gear out there, there's a lot of Wi-Fi hacking gear out there, those are bad. So instead of authenticating me to an access point and letting me go out

through the firewalls and the protections that are available here, or, you know, on the open Wi-Fi at this facility or the hotel or whatever it is, or even allowing me to connect to the trusted, you know, you-paid-way-too-much-for-the-internet-at-RSA internet through a wireless technology, 4G should be used, because that's safe, right? 4G is totally safe, it's authenticated, it's encrypted, and I... on the punch line, folks, give me a second. We're paying attention, paying attention, I appreciate that, you're laughing too early, I'm trying here, come on, let me bow first, geez. Okay, so I want to say maybe 2010 was the first time it was publicly shown at a

convention. I think Chris Paget did ShmooCon and DEF CON in the same year, putting up a fake cell base station and letting a bunch of phones connect to it. It was 2G, absolutely certainly not 4G, although there was a 4G device found at ShmooCon this year, so things do advance over time. But if you notice, has your phone been going back and forth between 3G and 4G today? Mine has. Has it been going down to 2G? I haven't hit that one yet personally, but I noticed a lot that my phone's going back and forth between 3G and 4G, and that's because the towers on 4G are so overloaded, at least so I keep telling myself, it's definitely not because

somebody's spoofing a high power 3G tower and jamming the 4G tower, that wouldn't happen. I'm going to be able to sleep tonight because nobody could possibly break into my phone via cellular networks, because I'm the only one in the world that owns a bladeRF. Sorry, no, no, actually you should probably just not egg me on at all, that would be better, right? So realistically, technology today is designed exclusively for convenience with security being a complete and utter afterthought, entirely, right down to the security systems in your homes that protect you, that tell you when the windows are open or closed, right down to the garage door openers in your cars, right down to the fact that my Bluetooth

watch uses the most insecure possible method of pairing rather than any of the sane ones that make perfect sense, right? No one wants to have to deal with making these things secure by default, because almost everything that we use today wasn't even designed for the enterprise space at all, it was mostly designed for the consumer space, and the consumer people don't want to deal with that, right? It was years, nearly decades, that we had Ethernet inside of businesses before people started having Ethernet networks at their house. But people had Wi-Fi in their house and they went to work and they're like, chained to a desk? What are you talking about? I'm going to pick up my

desktop and take it to the conference room because that's more convenient. I don't want to lose my work, well, I better get a laptop, that would be a little more convenient, I'll just plug it in in there. Well, I'm tired of plugging it in, let's just get Wi-Fi. But it wasn't designed for that, it wasn't designed for security. You started off with really wonderful encryption protocols like WEP, things like that, and, you know, Wi-Fi has gotten a good bit better. As long as you don't own an iOS product, it's reasonably secure, right? Don't get me started on Apple, seriously, don't get me started on Apple. But otherwise most things have actually improved for Wi-Fi, but almost every

other wireless technology is literally considered a black magic of some type. It's all security through obscurity. You know, do you know that you can sniff Wi-Fi? Actually, wait, no, we're in San Francisco, that's still Ninth Circuit, right? So sniffing Wi-Fi is illegal because Wi-Fi isn't radio, because the judge told me that. But back where I live in the real world on the East Coast, you're allowed to sniff Wi-Fi because Wi-Fi is radio and that's allowed, unless it's owned by the telco providers. They are specifically exempted; you're not allowed to monitor their traffic. So rather than using the HackRF or the bladeRF or your $12 Realtek SDR to look at the fact that half of

your text messages are unencrypted, you are barred from legally doing that. Okay, okay, you are not allowed to monitor anything allocated to the telcos. No pagers, no cell phones, nothing like that. You're not allowed to modify a scanner to do it, blah blah blah. Right, right, except them, yeah, explicit exemptions for law enforcement and cell providers and whatnot for testing, obviously. Well, the point is, not only is it security through obscurity, it's even worse, it's legislated security through obscurity. It is saying not only are we just going to make this thing magic so you can't figure it out, we're going to tell you you're not even allowed to look at it, but we're totally

sure it's secure, don't worry, the guy at Verizon told me it's lightning fast and I have nothing to worry about. Yeah, trust us, we're law enforcement. Anybody else buy an IMSI Dragon shirt? I didn't say that. Right, it's a problem, it's a very big problem, and it's one that quite frankly I don't think all of us are nearly enraged enough about. I only slept 5 hours tonight and three the night before, so together that makes up eight, and I just can't really show how angry this makes me. Mad, mad. This sucks. We all do this all the time and we just don't even care, because it's such an insurmountable problem we choose to ignore its

existence. And it is such an insurmountable problem that we choose to ignore its existence because we're completely defining things the wrong way. We're architecting networks the wrong way, we're caring about security the wrong way. What is the absolute first thing you need to do to secure what you care about? You need to find out what you have, for God's sake. Thank you, I'm not the only one. Right, so forget this perimeter BS. You're randomly placing a line that I think mostly I've shown doesn't really exist except in your head. Start with visibility, start with identifying what you care about, and then literally identify every possible thing you can. Network security isn't about my devices. It's not about, I bought these

800 laptops, they all run Windows and I'm managing their patches, so I'm perfectly secure. Well, then you've got to worry about all the infrastructure. You've got to worry about the things that are on your network that you didn't mean to get on your network. You've got to worry about the fact that people went out and bought a printer and they left the Wi-Fi turned on. You've got to worry about all the people that had to buy an Apple iWatch on the first day. Yeah, you do, you really do. I can tell you my phone is fully encrypted, it's got a strong passphrase on it, and I have ADB turned off, so I truly believe that if I

go through security and the FBI pulls me off of a plane, because I fly an awful lot and I say stupid things, I would have that phone completely secured from them for at least 13, 14 seconds, until some schmuck text messages me, say, yo Zero, you land yet? And my watch goes, and then they're like, oho, and then they go through the buffer on this thing, which has got to be like 900 megabytes, because it seems to have every email I've ever received stored in the buffer of my watch. Yes, I'm telling all of you this, but I'm going to punch the next person who touches it, I swear to God. Literally, I have a fully encrypted phone

and all of my email is unencrypted on my wrist. Hold on, hold on, hold on. My name, my name is Zero and I'm a hacker. It's been 37 seconds since my last text message, and I really, really should have stopped talking before I told you all how to pwn my email. But seriously, this is an enormous problem. We're keeping track of devices instead of data. We're drawing random lines in the sand and saying everything on this side is fine, and I promise you that it is not. And if it really, really is in your organization, wait about 30 seconds and then check again, because it's not. If we're not looking for these things in real time, if we're not monitoring

everything in the airspace, if we're not at least seeing where our data is going, there's no hope. There isn't. We need to be tracking what's critical, we need to be tracking everything we possibly can, because it works for the NSA and those guys seem to have it together, right? Data exfiltration they're definitely good at, and large data centers. See, it happened again. Hey, look at that, I have a fully encrypted phone, 900 megabytes of email is unencrypted on my wrist. Thanks, Brenan. Yeah, see, that's kind of a problem, isn't it? Every little thing, and then it goes right to my wrist. It's awful. So where do we go from here? Right, I say we throw

away all of the principles, all of the BS, all those poor kids in school that are learning the trade in the completely wrong way because they're being taught by people who haven't worked in the field for 30-plus years. I say we throw all that garbage away and we start focusing on what actually really matters. And honestly, I don't have a whole solution for you, because this is a massive undertaking, it's a giant fraking problem. But I think we start by identifying what we care about and getting as much visibility as humanly possible. I know I get bored and monitor as many things as possible, and I suggest all of you do the same. Does anybody else

get a text message when their garage door opens? Yes, I'm not the only one. My wife said I was weird, but I told her I wasn't. That wasn't the joke. No, but seriously, I mean, a $112 RTL-SDR and a little Raspberry Pi, and it sits in my garage and it tells me when the power goes on and off, and it tells me every time my garage door opens. It also tells me if somebody does a replay attack. Does anybody else have a garage door intrusion prevention system at their house? Why am I the only one? Why is that a joke? Seriously, that's not funny. It's funny because I'm the only one. This is important, this is important.

Everyone you know who buys a security system today, there's the nice expensive box downstairs that has all the electronics and the smarts, and then there's the little box by the door that they touch their key fob to that unlocks and disables the alarm. And that box talks wirelessly over Z-Wave down into the basement. So you intercept that and you replay it, and you can just disarm somebody's security system. So forget the fact that all the sensors are wireless, you can ignore that garbage, just send the disable code. Saves time and effort, right? It's really important to just, you know, be as lazy as possible and do the minimum possible, and that's what we've all been doing, isn't it? It really is. We

said, okay, I learned in school, I set up a perimeter, I harden that perimeter, and I make sure that everything inside of it is trusted and we're cool. And as it turns out, you know, I'm not telling you anything new at all. I've managed to stand up here for 44 minutes and not say a damn thing you didn't know before I started talking, yet for some reason you feel worse now. And so I have done my job, and I would like to thank all of you for your attention. We need to care [Applause]

more. Yeah, I initially wrote it just to remember if I had closed my garage door or not, so I could just check my messages, and then I realized that I could check for replay attacks too, and I thought that was kind of awesome, because I have one of those really bad rolling code systems, so you can just see if it's pushing the wrong

number. How many cryptographers does it take to secure a garage door opener? Clearly the answer is more than zero, and that's how many have audited it so far.
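Detection logic along the lines of what the speaker describes, written here as an added example rather than the speaker's own script: it watches the decoded rolling-code counter from each remote, accepts only forward movement within a resync window, and flags anything already heard (a replayed capture) or far out of sequence. The log format, field names and sample lines are constructed assumptions, not any real decoder's output.

```python
# Added example, not the speaker's code: replay detection for a rolling-code
# garage door, run over a constructed decoder log ("ts remote=<id> counter=<n>").
import re

LINE_RE = re.compile(r"^(\S+)\s+remote=(\w+)\s+counter=(\d+)$")
WINDOW = 16  # counters may jump ahead this far (presses made out of range)


class RollingCodeMonitor:
    def __init__(self, window=WINDOW):
        self.window = window
        self.last = {}   # remote id -> highest accepted counter
        self.seen = {}   # remote id -> every counter ever received

    def check(self, remote, counter):
        """Return 'accept', 'replay' (code already used) or 'out_of_window'."""
        seen = self.seen.setdefault(remote, set())
        if counter in seen:
            return "replay"          # exact code heard before: replayed capture
        seen.add(counter)
        last = self.last.get(remote)
        if last is None:
            self.last[remote] = counter   # first sighting: learn the counter
            return "accept"
        if counter <= last:
            return "replay"          # older than the newest accepted press
        if counter > last + self.window:
            return "out_of_window"   # desync, or a code from another source
        self.last[remote] = counter
        return "accept"


def scan(lines, window=WINDOW):
    """Run the monitor over log lines; return (remote, counter, verdict) triples."""
    mon = RollingCodeMonitor(window)
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            remote, counter = m.group(2), int(m.group(3))
            out.append((remote, counter, mon.check(remote, counter)))
    return out


# Constructed sample: three presses, one replayed an hour later, a later
# legitimate press, then a counter far outside the resync window.
SAMPLE_LOG = [
    "2015-04-20T08:01:02 remote=a1 counter=1001",
    "2015-04-20T08:01:03 remote=a1 counter=1002",
    "2015-04-20T08:01:04 remote=a1 counter=1003",
    "2015-04-20T09:15:30 remote=a1 counter=1002",
    "2015-04-20T10:00:00 remote=a1 counter=1004",
    "2015-04-20T10:00:01 remote=a1 counter=1500",
]


def alerts(lines=SAMPLE_LOG):
    return [r for r in scan(lines) if r[2] != "accept"]
```

In the speaker's setup the alert list is what gets turned into the text message; a receiver that only checked "is this a valid code for my remote" would happily accept the replayed 1002.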

...comprom... I gently touched on things like rooting your phone and having bad things on a completely authorized device, but the same general idea goes whether it's a rooted phone with, you know, all kinds of attack toolkit on it that happens to be running the MDM agent and authenticating, or whether it's, you are... who here listens to anything Jaded Security says? I'm a giant fan of his sticker collection, "don't click [ __ ]", which is completely ignored by, I don't know, everybody. Um, yeah, I mean, malware is just absolutely rampant. People will be on a trusted and secure device and then they click on stuff and badness, and yeah, again, there is no way to say here's my

perimeter, here's good, here's bad. It just absolutely doesn't exist.

...connect... Yeah, so looking at visibility of all the things is definitely where it starts, and then you have to start looking at each individual thing as it is, as I bring things into the enterprise. But really going about it device by device is probably at some point going to be a failure. Identifying everything you can possibly see is great as a starting point, because that gives you the ability to see what's connected to what, to the best of your ability, and where things are actually going. But it really ends with, where's my data that I care about, what can access it, what has access to it, and keeping a track of that. Because if everything is in some central

server and you're trying to protect that, the person has to get to the data first. So if you're really letting everybody get, you know, PII on their laptops, and their doctors with iPads at the hospital that have full medical records and things like that, you need to know where your stuff is so that you know what your exposure is, so that you know what to protect. There's never, I mean, you can't say, well, it's encrypted on the iPad so it's fine. Okay, hold on, phone's encrypted, right? And then we type in the password and, hey, look, here's all my data. So clearly it's decrypting everything in memory as long as I'm the user, right? So

if I click on a website and there happens to be an Android browser exploit or a Chrome browser exploit, here it is running as the user. The user has the ability to transparently decrypt all of the data on the fly, so what exactly am I protecting with that encryption? Nothing, literally nothing. If the device isn't off, it's not protected at all. So we need to keep track of where we put things, how they interconnect, and really get a better understanding of what our exposure is. And again, I think that the first step to that, and this is where I focus all of my work because I'm a layer one and layer two guy, is seeing

everything you possibly can, because if you don't even know what you're defending against, you definitely are doomed. So watching everything that happens on the network, building a map of what happens on the network. Who is passively listening to their network right now and building a network diagram off of it? At my office, at my house, at the hotel where I slept last night, everywhere I go, every time I plug in, it's just kind of chilling there and telling me all the hosts on the network, their MAC addresses, their IP addresses, how much data that they've sent. It's all multicast, it's all free, I don't even have to do anything, it just comes to me when I

connect, and you can see so much. But everybody's like, well, I deployed four computers, there's a four-port switch, I'm probably fine, and they just completely put the blinders on and pretend like nothing could happen, even though literally every last one of us knows that's not true. So yeah, I really, again, maybe I'm biased, but I think visibility is the start. Don't run iOS. Don't run iOS. What should we run? Um, a marathon, away from places like this. Realistically speaking, most of my personal work is some kind of wireless related. The vast majority for the last 10 years has been Wi-Fi, and the last 18 months or so has been all kinds

of other fun stuff. iOS has the absolute worst Wi-Fi implementation I've ever seen in my life. If you have a stored encrypted network and I put up a network with no encryption in the same name, it will connect. I could keep going with horror stories, but the fact of the matter is, it's not a bug, it is by design. It is because Apple thinks that you are literally too stupid to handle it if it doesn't connect. They think that you might accidentally reset your router to default, yet somehow it keeps the same SSID, and you would just be devastated if it didn't magically autoconnect for you. So they make sure that it's as vulnerable as

possible to things like Wi-Fi Pineapples. So Android... uh, yeah, so what's the option? Yeah, BlackBerry, I wish I could say that still, but at the moment I can't do enough to make myself happy on the BlackBerry anymore. I've spoiled myself by having a pwn phone in my pocket that I can drop networks with at the drop of a hat, and I think that's super handy. I use Android personally. I also develop for Android, and I mean not like on their team or anything, but I hack around on it a lot and I like making random hardened builds and all kinds of fun stuff on Android. So yeah, I mean, making

it as close to sane as possible. But I mean, Android's got its problems, iOS has its problems, everything has its problems. The importance isn't finding all the vulnerabilities and fixing them, it's accepting the fact that absolutely everything we do is vulnerable and going from that as the starting point. Realistically, everything is owned, whether it's this second or the next second, or you really have to have patience and wait three more. Just consider absolutely everything to be broken and go from that as your starting point, because otherwise you are lying to yourself and you'll be the only one that believes

it. Yes, we should absolutely give everybody the SCIF room. Um, most of my friends have built a SCIF in their house. 509 locks aren't that expensive, and the silver window film... I've got a great guy upstairs, the wireless capture the flag, that'll get you a good discount. And, you know, cinder blocks are nice. You know, they look at you a little weird when you ask them to put rebar in and pour the concrete in the middle, but, you know, yeah, yeah, you could do the little pop-up-your-own-SCIF tent. Yeah, that's where I check all my emails, in my SCIF tent in the backyard. Got a fiber optic line dropped straight to it

because you can't tap fiber optic, since... oh, wait. All right, I don't even know if there's a talk after me, but they flagged me a while ago, so if you want to chat, I'm upstairs doing the wireless capture the flag, and otherwise, thank you very

much.