
communicate with them and bring ideas to light having mics got all up in kismet so I would really like it if you would do this I'm basically the Quality Assurance engineer at this point for the Kismet Wireless project check it out kismetwireless.net you will love it new web UI engineer I don't know about a specific exploit like so I mentioned I work for RSA I did not work at RSA when the RSA breach happened back in 2011 but I have had the opportunity to look through all of the data on that breach and just the organization that the attacker had and I mean this was it is still you know it's like it's 2019
now it's still like it sounds terrible when you're talking about these people attacked my company it was beautiful like I mean the amount of like I don't know prep that they must have done and the way that as different mitigations were put into place and they would circumvent it was this like beautiful you know Inigo Montoya like dance of a battle that was like I still I'm just incredibly impressed by it's not a specific exploit it's the bringing together of you know different aspects of of security or of in this case do you call it red teaming when it's real just like a very sophisticated attack executed in an incredibly organized manner that I was like whoa that was awesome
I mean it was bad but awesome like Voldemort it was there was one that I just recently saw I missed the talk at Def Con but they exploited printers over fax so they would call the fax line inject a fax to it and then get root access on the printer and actually could then exploit any devices that are plugged in via USB because there was a chain of vulnerabilities and it's that type of stuff that's like okay well yeah well we shouldn't be using fax but guess what like everybody still uses fax but we're also now throwing all this IoT at the world right now so as far as the trend goes and you know a lot of those
companies don't have like even a year firmware update plan let alone three year or a ten year end-of-life plan right and these devices are being plugged into critical infrastructure and I think that that is scary that's really you know crazy to me that we're putting computers literally computers that are the size of our thumbnails in everything and everywhere and we're plugging them in all these networks and and so I think that that's gonna be a trend that's going to continue I mean we saw it with the Mirai botnet and things like that but I think that that's gonna be something we're gonna see more of but it's just really fascinating to see an out-of-band
attack vector through a phone line through a fax machine that enters your network it's like okay well is this 1995 are we you know hacking into computers on phone lines again and but it still is it still could be a thing right so it's it's that out-of-band that we don't think about it's like oh it's not Wi-Fi so it must be safe well yeah but it's 432 megahertz and it's still communicating and it's connected to an Ethernet port like there's bad things that can happen to that so the best fax attack I ever saw was we a company I worked at back this is like 2001 or something so fax was like legitimately
used more we would get all these like free cruise like things like sent and one of the guys at work like came back from lunch with construction paper and he taped together two pieces of black construction paper and called back the number that had sent the fax and then taped the end so it would continuously scan it and so whoever had sent the fax now was getting a fax from us that was essentially a long black sheet of paper that just rolled through this fax machine and he's like it's gonna cost him $75 in toner we stopped getting those like you know travel agency spam but I was like simple yet elegant she's like no I mean coming on and having
outdated knowledge if so we've had people come in and just through the interview process just explain simple things to me but their knowledge is so outdated that they aren't able to explain it just lots of outdated tech that's being taught yeah or just I mean I think that's probably fair is that that was my experience as well was just I was like okay well this is this was relevant five years ago but it's not relevant now and so taking what you know and then making sure that it still I want to say matters because that sounds bad but that it's just still relevant to the career that you're trying to get into well I actually have some students working for
me right now that are in school and it's interesting because as part of one of their like second year computer science courses they did fit in some security and in that course it was the last week of the class was security and guess what the class was running behind so they actually pushed security like to a single day so I think that rather like start the semester out with hey let's talk about what is security what is a secure protocol an authentication system for example like what are the ways that can be bypassed are you handling special characters do you know what sanitization is you know for Strings that are coming in and out like what are ways that you
know untrusted information is being put into this application and I think that having that is the mindset at least in the experience that I've seen that's not being taught out of the gate it's it's like how can you do math first you know it's like you you you do 1+1 you've got to learn all these steps but if we don't talk about how we're going to secure things like I think we're gonna miss a bigger bigger picture so that's what I see the gap is is missing that that conversation or having it earlier so that it doesn't get pushed out okay like so here's so how how many people said they were in school right now or
recently left a university or ever so come on there were more hands than that right get up now keep them up and like and now of these hands put your hand down if if you attacked a SCADA system like as who see so like I think like two hands went down so we still have all the same hands up right so like you can put them down now guess you know I'm just like wait for you to get tired like oh you know that like critical infrastructure you mentioned like I mean we're just hooking computers up to everything right people are like oh well it makes it easier because now I if I need to go to this pump station I can
just drive past it and I hook up to it on on the Wi-Fi's and everything's great I don't even have to get out of my car that's like should you do that like is that a good idea yeah but I don't have to get out of my car you know and that's why we'll always have jobs is because people talk about like we we haven't done a lot to fix security how can we be in this industry for 30 years and not not have solved anything and I don't think that's true you know the life cycle of a of an exploit is it's significantly smaller than it used to be you don't just trip over you know 0-days
like you used to like it takes a lot more to find these things but but with then we do things like go ah we used to hook everything up with wires now gonna do with wireless it's gonna be wireless and then there's like no security on it and everyone goes holy crap and then they're like well we've created this thing called WEP and you're like still bad right like so we take security it gets better and then we set it back ten years by trying to hook it up to something new and shiny and now we're taking the same like now we think we've solved the wireless thing or whatever right have we ah Wi-Fi Cactus
guy and so so now we're taking all these systems that are legacy systems some of these literally a hundred years old and we're like hook it to this thing and then we'll put that sensor also on Wi-Fi or just because that'll be easier to manage you know and it's like but none of those things were ever built with security in mind no one ever thought that you would be remotely able to access that system in any scenario ever like the internet didn't exist when that system was built yes let's hook it to a computer and put it online it's horrifying so if you're looking for like you want to make some money get good at
SCADA cuz when the lights start going out and the water stops running you're gonna be in demand and on that get good at Shodan too because it turns out there's a lot of SCADA on Shodan we have a question in the front
that was the worst route ever their brightest I don't know what the hell is going on there now it's cool how you do you but I just want to point it out wait if you're gonna chime in you got to come up
[Applause] how's it going good to see you but with an industry so trying to bridge that gap is near impossible so yeah I think that's fair because you're also I mean like you're expected one to update the textbook but also be a professor like it's hard enough for us to stay current right but then to also write the textbook and I guess I should like I say like you know yeah I dropped out like you know college wasn't my thing I wrote a book instead which they like hiring managers like that too so it took the place of the degree so if you're gonna drop out write a book but but I guess yeah that's fair to say
like it's already hard enough for us to keep learning but then to also try to like have classes for me college was like an experience for learning how to learn like I didn't have a lot of classes that were particular to like computer science things I didn't already know and then the other classes I wasn't really interested in like English but I learned how to I learned how to learn you know and that was that was something and it gave me the confidence to know that I know how to learn things for the future so I totally agree with you oh you can stay we only got a couple minutes you will into her way up
for me I'd say absolutely breadth because I don't really have a focus like I do Wi-Fi stuff before that I was way into web pentesting stuff I've done DevOps a ton of DevOps I think they all go hand in hand though it's like all these skills are necessary in order to secure an infrastructure especially if you're on a small team you're gonna have larger roles right you're gonna have more things you've got to do and I don't think there's anything wrong with that I think just be cognizant of the fact that you're only one person and you can only do so much so don't hold yourself to be you know the Neal Wyler of 12 for
example you know but you know make sure that you know that you can only do so much in the time you have but like give it your best you know and go after the stuff that you're most passionate in for me stuff just naturally gravitates out like you know my interest in Wi-Fi just kind of grew and grew and grew and it's like I'm passionate about it I love it and it blew up into a project yeah I think that was like for me too it just I have always been like the packet guy like I would bathe in pcaps all day just like I love it I just love it I don't know like some
people are like why how can you even look at that like they go cross-eyed look at my packet captures I just for some reason I just do it so for me it was just kind of I am a generalist like I do a lot of random stuff and I like to know if like a new technology comes out then I want to learn about it and everything and it does help to have that general knowledge base for my role but we even within my team other hunters that are within RSA we all have a specialization right so and that exists in anyone that analyst bias is a thing some people are just become better at
certain protocols even than than others they just get them and that's okay like but figure out what's that thing for you and then that can be your focus on the side in like what keeps you up at night like what what keeps you going what what wakes you up in the morning to go do that thing what is that for me that definitely recently has been wireless and data analysis and I think it's good to be a generalist until you figure out what your specialty is I kind of came at it from off-site I knew what I wanted to focus on and it kind of bit me in the ass in some ways because there
was so much more to security that I had to learn so I think until you figure out what your focus you really want to focus on learn as much as you can in all areas of security I think is just a smart thing to do so I am a system and network administrator so I'm kind of younger in the field and this whole security thing has always just kind of been a hobby for me on the side because my husband's really into it and my friends but I guess my answer would be just kind of like exactly what she just said I've been a systems and network admin for seven years now but the job hasn't
gotten stale because there's so much to do within it but I have been recently looking more into different job paths and more towards the security and networking side so just kind of follow your interests and if you start getting bored or stagnant recognize that in yourself and do something else do something more
bless their hearts I've got a mortgage so I'm really stoked about those developers developers developers yeah I agree I think you know I also agree just from a standpoint of know where you come from all right know the security history and people will complain about security now who don't understand how wide open things were before like I almost like it's you get a little bit of that I feel like a fraud sometimes where I'm like oh yeah like I've been hacking since like the like in 1989 right so it's like yeah but that was just called logging in back then right so like were you really hacking or were you just logging in like whatever you know but I've seen it get
increasingly more difficult to be successful the problem is you're still always successful that is
[Applause] you think about being attack