
Security BSides Delaware - Afternoon

BSides Delaware · 2014 · 2:12:43 · 137 views · Published 2014-11

About this talk: http://bit.ly/BSidesDE2014Schedule

Transcript [en]

...lot of charges of government conspiracies and cover-ups if you have the government do it. All right, so the government can't do it, that's a bad idea. Let's have an international third party do it, like ICANN. Yeah, ICANN can't even control domains properly, and we want to give them vulnerability information? Not a good idea. And even if you did that, who's going to fund it? Where's the money going to come from? Can you guys read these fonts? Because I can't read them, and I'm right here. Membership: so if you charge a fee for membership, then you end up with accusations of people selling vulnerability info, and that's not what

you want from a clearing house of vulnerability information. So it comes down to who do you trust. The bigger the organization, the more likely the info will get out. Who is in, who's out, who decides? These are all reasons why an industry-wide MAPP program isn't such a great idea. Yes, it works great for Microsoft, but if we try to expand that and include larger organizations, the issues and the manageability of the program become untenable. Oh, that was not on purpose, sorry, that was not on purpose. They also have a problem of the rogue researcher. That was on purpose. You have people who just basically say "[ __ ] you, I'm gonna do what the hell I want,

it's my bug, if I want to let the world know about it right now I'm going to do that." So if you set up a major clearing house for vulnerability information, there's no way to force people to send you that vulnerability information and not spread it out to the world. This still happens even with Microsoft's programs, right? Researchers will find a vulnerability in a Microsoft product, they don't necessarily report it to Microsoft, they do full disclosure and just release it out into the wild. Of course that means Microsoft has to scramble to cover that bug and patch it up quickly, and you can't control that, there's no way to do that. [Music] All right, all

right, all right. So basically, to recover all my points that I just made: you have governance issues, information politics, international politics, money, drama and infighting, rogue researchers. These are all reasons why a nationwide, a global MAPP program is not going to work industry-wide. All right, that's topic one. Move on to topic two. Any questions? If you were paying attention at the beginning of the talk when I talked about questions... we were too busy, we were trying... Do you have a quick question? I'll answer now. "Well, so what about something like the ISAC model, where you've got threat and vulnerability information being distributed along a vertical? Obviously that's us C, that limits the

blast radius within a vertical. Microsoft, Adobe and others plug into the top level of the ISAC and distribute that." I find that the ISAC information isn't all that private, like it's already public, a lot of it, it's just not widely disseminated. And if it was more valuable information, if it was more private, it would leak better. Leak better? It would be more prone to leakage, right? And I think you'd end up with the same issues. There's no way to keep it private. I love this, I love the information dissemination point, but if you're trying to do zero-day vulnerabilities, that's where it falls apart. "Is that because you think sharing threat information is

not as critical or sensitive as sharing..." Sort of. Okay, we can talk later. Yes, I said cyber. I'll say it again: cyber, cyber, cyber. Drink, drink. No, I will not drink. All right, let's talk about... smoke? Good answer. Let's talk a little bit about the word cyber. It originally starts in Greece, right, as part of kybernetes, meaning governance. I'm not pronouncing that right. Kybernetes, meaning governance. It wasn't really used in popular culture at all until 1948, when this guy named Norbert Wiener... I don't know what it is with major talks I do, I always come up with this guy named Wiener that I have to say his name a hundred

times. Wiener. The last talk I did was a media hype talk with some representative from New York who was submitting dick pics around; his name was Weiner. So anyway, I got another Wiener in my talk. He coins the term cybernetics in 1948. There's a GIF... yeah, we're not gonna go there. Cybernetics, or Control and Communication of the Animal and the Machine. The word kind of doesn't go anywhere for a while. It gets batted around here and there, it's used a little bit. In 1966 they come up with a term called cybery, which I want to mention because it's the ultimate surveillance state: the high level of public awareness of

the surveillance state and the prospect of comprehensive, technologically mediated social control. The word cyracy was actually used quite heavily in the early 90s in Germany, as protesters tried to protest the census in Germany at the time. But cyber as a word didn't really go anywhere until a little while longer. Sorry, I jump around. So we have cyberpunk come out in the music scene in the late 70s, and it was specifically used to describe the song "Cars" by Gary Numan, which, if you listen to it now, is not cyberpunky at all, but at the time it was considered cutting edge. But it wasn't until the 80s, when William Gibson comes out with

Burning Chrome and Neuromancer, where cyberspace really starts to take off and become popular. So by the early 90s you have cyber-anything, and yeah, that includes cybersex, and this is where everybody gets upset about the word cyber, because it's used to describe cybersex in 1991, and of course that means AOL chat rooms and IRC channels. And of course now everybody giggles or yells "drink" when anybody says cyber. But in 1993 you also have the term cyberwar come out, right? But by 1998 it's all over: cybersex was pretty much out of the vocabulary, nobody was talking about it anymore, nobody was doing it. I don't know if anybody was doing

it before, but they definitely weren't doing it by 1998. Cybersex was out, cyberwar was in. And it's interesting; that's what's wrong with the world: sex was out and we started having war, damn it. Make war, not sex. So it's interesting. Cyber as a word is interesting from a linguistics point of view. If you're a linguist and you study how words evolve, cyber is an excellent case. The problem is that it's modern and it's still evolving and changing, and for some reason linguists like words that are like a thousand years old, they don't like new words, go figure. But it's really an interesting word, and how it's

changed and evolved. But now, right, cyber is used as a prefix and a standalone word. It is in the Merriam-Webster dictionary: "of or relating to computers or computer networks." There are 25 entries of the word or prefix cyber in the Merriam-Webster dictionary. Cybersex is one of them. Cyberwar is not yet; cyberwar is in the Oxford dictionary. So depending on what dictionary you get depends on where you get the word. But the fact that there are this many words in the dictionary that start with the word cyber, it's really evolved beyond the chat rooms of AOL of the 90s, right? So the word cyber is now really part of the

lingua franca, I can't pronounce that either, of government, meaning they use this word all the time, right? That is what they say; they say cyber left and right and they're serious about it, and nobody's giggling in the back of the classroom talking about cybersex. It's used in the title of the bills: Cyber Intelligence Sharing and Protection Act. It's really an important word that is used to discuss technology in government at higher levels. So if you really want to effect any sort of change with the CFAA, COPA, SOPA, DMCA, any of those other bills, you're going to come across the word cyber and you have to get used to it. All

right, I'm not saying you have to use it. Like, I try not to use it that much, same with the word hacker, but that's a whole other topic. But you definitely have to stop giggling and yelling the word "drink" when somebody else uses it. Now here, of course, it's fine, we're all friends, we know everybody and we know what "drink" means when people yell it. But if you're in a government hearing or something and the senator says cyber and you start giggling and yelling "drink," it's not going to go over so well, right? You never know. It's true, you never know. So cyber, I think it's here to stay, it's going to be used, we have to

get used to it. As far as hacker goes, I haven't given up on it yet, but I don't really use either one of those words. But if somebody else does use them, it's probably best to not start... all right. Where am I on time? I'm a little ahead, I'm not doing too bad. Okay, all right, next topic: government cyber hiring. Hey, I used the word cyber again. So this is a nice quote: "So if they can't run three miles with a pack on their back but they can shut down a SCADA system, we need to have a culture where they fit in." Major General William Lord,

US Air Force Cyber Command. Basically what he's talking about here is that some people in the military specifically feel that they need to remove the physical requirements of, quote, cyber warriors in order to attract top people. When I say cyber warriors I'm talking about MOS 25 Bravo, 35 November, 35 Quebec: information technology specialist, signals intelligence analyst and cryptologic network warfare specialist. There are probably a couple other MOS that fit in there as well. "Don't you owe money to... oh, is it like a trademarked term?" Yeah, good luck, go ahead, send me a bill, watch me pay it. So government thinks of a hacker as the stereotypical, you know, overweight or underweight guy, lives in his

mom's basement, eats pizza, you know, lives on Mountain Dew, non-patriotic guy, physically lazy. Obviously this is not a true depiction of people who are in information security. "I live in the garage." Well, some of us live in garages, that's correct, and I just moved out of my basement this summer, so there you go. But this is, when Major General William... Major General, it's only two stars, so you know, he's nobody... US Air Force Cyber, when he says this, that's who he's talking about, that's who he's trying to attract, because he doesn't know really who it is he's trying to hire, he's not familiar enough. So why do people join the government,

why do people take government jobs, why do people join the military? There are a few different reasons, and usually for most people it's a small combination of all of these, right? Money: government jobs have some of the best benefits of any other job out there. You know, I'd put them up against any West Coast startup as far as benefits go. And education. When I say education I don't necessarily mean GI Bill or money to go to school with, because that goes in the money category. Education, I mean on-the-job training; where else are you going to learn to, you know, become a helicopter mechanic and have them pay you to do it, right? Patriotism

is always a small part of it. Job stability: Uncle Sam's not going out of business, that job's going to be there for a while, right? They're not going to downsize, they're not going to lose their funding. Well, unless we all start a tax revolt, but that's not going to happen. And of course you have some people who join the military because they like guns. I hate to say that, but it's true, there are some nut cases in the Army, and they like big guns and I cannot lie. All right, so the government has a lot of things going for it about why people join the military, why they take

government jobs. Here's another quote on government cyber hiring, FBI director James Comey: "I have to hire a great workforce to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview." Besides just insulting everybody he's trying to hire, he actually later had to retract this statement. He said he was only talking in general terms and kind of trying to make a joke. But I don't know anybody in any job anywhere where you can show up to the job interview stoned and actually get the job, except for maybe Burger King or something. So you have a lot of people

complaining about the fact that there aren't enough people for these jobs, to work in government, right? That's not the problem. The problem is government now has to compete against the private sector, and there are plenty of people for these jobs. It's not like there's three of us and we're all trying to get into 100 jobs. There are plenty of jobs out there and plenty of people for them. In fact, the government has the National Centers of Academic Excellence in Information Assurance and Cyber Defense, of which this university is a member. There are 48 of them across the country, they're run by the NSA and the DHS, and it started in 1998. They're

graduating thousands of people a year out of these programs, with associate degrees straight up through doctorates, and the government gets basically first pick out of all the graduates out of here. So there's plenty of entry-level people. Now, the higher-level people, there aren't as many, but you're not going to attract them by relaxing physical fitness standards and allowing them to smoke dope. It's just not going to happen. So there's no shortage of people for jobs, and it upsets me when I hear government people talk about recruiting and they really don't know what they're talking about, because there are plenty of people out there looking for jobs. Maybe they just need to pay a little

more, or otherwise incentivize people. All right, next topic. This one I just added this morning: default passcodes for Tranax and Triton ATMs printed in manuals and posted online. This was discovered in 2005, give or take. The companies, Triton and Tranax, printed the default password in their manual, and then somebody basically scanned the manual and posted it online, one of their support companies, including the default password. So what does this mean? It's that you can go to any ATM that's operated by these companies, punch in the default passcode, have it change a dollar bill, a 20 to a one, a one to a 20, and just take out five bucks and get

100. The password itself, by the way, was 1 2 3 4 5 6. Right, some people's luggage password. Some people's luggage password! Pretty simple, basic password. Now, they did have a line in their configuration manual where they recommended people change it, but they didn't force them to. So of course by 2006 the company says, "Okay, we're going to release a patch," but of course they don't force anybody to install it, and so nobody does. In 2007, in 2008 and in 2014 this flaw was actually used by criminals to steal money out of the ATMs. Basically you just walk into the corner grocery, the gas station, you go up

to the ATM that nobody else is paying attention to, you type in the passcode, you enter a couple other commands, you change your $20 to $1 and you withdraw five bills, you get 100 bucks for five, right? Pretty simple attack. So you would think that people would learn about this eventually and fix the problem, but no. As a matter of fact, this morning there was another story. This one this morning was in, I think, Tennessee. It made $400,000 attacking 44 different ATMs. In this case the guy worked for the company that installed the ATMs, and then he quit like two years ago and they never changed the password, so he just

went around to all their company's ATMs and took out all the money. So yeah, another case of we're not learning. Where am I on time? "Think our money is so secure?" Yeah, money's secure. All right. Some of you know I used to run a website called Hacker News Network. It started in the late 90s as a website, and then I brought it back in the 2000s as a video blog covering information security news. And I keep getting people asking me to bring it back, saying, "Oh, love the show, you know, you really should bring it back, it was awesome." You know, you just spent 20 minutes a week watching it; I didn't spend 40

hours a week building it. So the short answer to that is no, I'm not going to bring it back. The reason being is that it took me 40 hours a week to build the show, and that was two people, plus I had a 40-hour, 50-hour, 60-hour-a-week job on top of that, and basically it destroyed my life. So it's not going to happen. And it didn't make any money. I do have to thank the two sponsors I had, which were Trustwave SpiderLabs and aaro, neither one of which exists anymore. Oh wait, one of them does, sort of, but not really.

So, oh, I have stickers here of HNN later if anybody wants any. Not bringing that back. I also have other gifts; I think I tweeted out that I would bring gifts. I have some leftover HNN shot glasses for you later on. So yeah, it took a lot of work, I made no money at it, it destroyed my life. "Now can we yell drink?" Yeah, you can yell "drink" if you want, you can drink, you can yell at any time you want, I'll just think you're crazy, that's all. All right. So the other thing people sometimes ask me to bring back is the Whacked Mac Archives. The Whacked Mac Archives was an FTP site I used to run back in the late

90s. It basically had Mac hacking software, which was really hard to find at the time, you know, things like war dialers and viruses and, you know, cool little stuff like that. But yeah, the answer again is no, not bringing that back. Why? Viruses are illegal, I don't want to go to jail, and OS X is Unix, so you know, GitHub. Oh yeah, what's cool... all right, next topic. I need a drink, I'm drying out here. Cyber Squirrel 1. Anybody familiar with Cyber Squirrel 1 other than Jack? Nobody? Good. So, when was it, BruCON 2012? DerbyCon 2012? Brian Martin and Josh Corman did a talk called "Cyberwar: Not What We

Were Expecting." One part of that talk, Brian Martin compares outages, electrical power outages, caused by cyberwar attacks to those caused by squirrels, right? And if you know Brian Martin at all, attrition.org, he's a big squirrel guy. So he compared outages caused by war to outages caused by squirrels. He found that every state had an outage caused by a squirrel except for Hawaii, because there are no squirrels in Hawaii. There's a mistake on his slide, he wanted me to point that out: there are outages caused by other animals in Hawaii, but not squirrels. So I saw him give this talk and I was pretty taken by it, and I thought it was pretty

awesome. Like, somebody really should document all these outages that are happening by squirrels, because they're really impacting our cyber infrastructure, and we need to make sure that people are aware of just how much damage the insidious cyber squirrel is causing. So I created the Cyber Squirrel 1 Twitter account, and basically I have a Google search that looks for "squirrel" and "power outage," and then I tweet all the power outages that happen by squirrels. So a couple of nice, interesting stats: we had seven attacks by squirrels in August but 23 in October. And yes, there was a jellyfish attack, where a nuclear power plant sucked in a whole school of jellyfish and had to

shut down the intake, so I counted that as a cyber attack of jellyfish. Squirrels are getting smarter. Squirrels are getting smarter! Some of these stories are pretty interesting. I also made Cyber Squirrel 1 stickers, so if anybody wants some stickers, I got some stickers for you today. These stickers are expensive. How many people have actually gone out and made stickers? They're not freaking cheap. So if you got a dollar or something, I would appreciate that, because I paid for those out of my own pocket. The HNN stickers, a sty paid for those, so I'll give those away for free. All right, I want to talk about an

organization called Securing Change. Securing Change is a nonprofit organization based in Boston, run by a guy named Oliver Day. He's a very bad self-promoter; he's a very good, altruistic person and is very good at organizing his organization. So I'm going to help promote his little organization for him today. Basically what he does: he has a nonprofit that is helping other nonprofits secure their infrastructure. So his tenets are basically: security is expensive and nonprofits don't have a lot of money, but nonprofits deserve just as much, if not more, security as everybody else, right? But computer stuff is like the last thing they think about. They want to get blankets to people whose

houses have just burnt down, right? They aren't really worried too much about whether their website is secure or not. So his focus, in his organization, is basically on recovering their websites or their operations as quickly as possible. He wants fast recovery so that he can help the helpers, right? So he offers three services. One of them is website security: he does incremental backups of websites, so that if the website is compromised or defaced they can look at where the intrusion happened from, restore from backup, close the hole and get them back online as quickly as they can. This helps prevent drive-by downloads, watering hole attacks, webshells, etc. He also does

a JavaScript scan of the website, looking for iframes and shells and obfuscated JavaScript stuff, so that if the website is compromised you can strip that stuff out quickly and get them back online. It also covers endpoint security, where basically they check their desktops and mobile devices against best practices, to make sure that they're applying patches and doing the things they should be doing that they don't really have time to be doing, because they're busy giving blankets to people whose houses burnt down. They also try to assist with incident response, so if there is a compromise of either a system in the organization or

their website, they can try to figure out what happened and how to close the hole. So, as I said, Securing Change, they're based in Boston, it's run by a guy named Oliver Day, he's got some really cool people helping him out, he just really sucks at self-promotion, so I'm helping him promote today. I don't want to say he has offices; he's basically a volunteer-based organization. So if you want to help him, volunteer, send him an email, tell him I sent you. And he's trying to branch out, so if he knows that you're in Delaware and he has nonprofits in Delaware, he can point you to them and help make that link-up. That will

probably go really well. All right, how are we doing on time? We're going fast, as I suspected. Oh wow, we're fast. All right, maybe we'll get some ranting going here. I want to talk about user blaming. We do this too much, right, as an industry. We've all heard about the ID10T error, right? Idiot error. The nut behind the keyboard, the nut that holds the wheel. We blame users for a lot of different things. We blame them when they choose a weak password. It's not the user's fault that they chose a weak password; it's your fault for letting them choose a weak password. I don't want to get into the whole "passwords are useless" debate, because that's a whole other story. But

that's not blaming the user. Blaming them for choosing a weak password, even if it is their pet's name with a number on the end of it, as the guy who ran Silk Road 2 did, it's still... you can't blame the user for that. We tell users, "Don't click [ __ ]." That's their freaking job, is to click [ __ ]. You give them a computer with a mouse and a bunch of things to click and you say, "Don't click [ __ ]." What are they supposed to do? They're gonna click stuff. It's our job as security professionals to be able to allow them to click stuff and do it safely. We tell them, "Don't visit bad

websites." What the [ __ ] is a bad website? How do they know what a bad website is, right? "Don't do that, don't visit... you caused this problem because you visited a bad website." My favorite, which happened recently: "Don't take nude selfies." Especially you, don't take nude selfies, we all know that. Look, if people want to take nude selfies, let them take nude selfies. You know, that's kind of like telling people, "Oh, don't put your spreadsheet on your computer because it might get hacked," you know, "Don't leave your email out because somebody might look at it," "Don't take nude selfies." That's not the user's fault. It's our job as security professionals, right?

This is our job, it's what we get paid to do. We need to make systems secure enough that people can use them without fear of bad things happening. By blaming the victim, you're saying that you didn't do your job properly. Instead, blame the people who made the Flash or the PDFs or the Internet Explorer for being so exploitable and then sold it as being secure. All right, it's our job to prevent attacks, it's our job to detect attacks, it's our job to recover from those attacks. We need to prevent attacks, if we can, by any way we can, as long as systems remain usable. If we can't prevent the attack,

then we damn sure better detect it quickly, and of course we need a way to reconstitute our environments after a compromise. Of course we're failing pretty badly, sorry, as an industry, at the first two, and I'm not so sure we're doing so well at the last one. "So in the interim, yes, while the industry and everything else is still broken, we can't magically fix that overnight, there's still no interaction. How do you get the interaction to the user, the clients on the endpoint, to get them a little more secure, get them some more responsibility on it, until you get to that endpoint?" Tell you what, it's not a one-hour PowerPoint once a year. "Yes, yeah, your...

your industry training." I mean, sure, you can do training, you can train your users and have them sit in your class and tell them, "Don't click things that look bad," but have you seen some of the more advanced phishes that are out there? They're pretty... like, they fool me. Like, the users are going to do stuff, they're going to click stuff that you don't want them to click. Okay, you need to accept that, and you need to be able to fix that when it happens, because it's going to happen. People still get in car accidents no matter what we do, so we try to make the cars a little safer, right? So we need to try to make our networks a little

safer. It's not perfect: people still get in accidents, people still click stuff, but we can't blame the user for it when it happens, right? We can't say, "Oh, it's your fault, you broke the computer, you clicked stuff." You don't blame the user when their car gets stolen, even if they leave the keys in it. It's the other guy who goes to jail. So anyway, any other questions? Yes. "So can we blame them if they take nude selfies at work?" Well, that's a problem of your acceptable use policy. That's an HR issue. That's an HR issue, thank you. Yes, any other questions? I covered a lot of ground. Yes. "Your second one was on detect or prevent attacks?" That's our job,

that's what we're supposed to do, that's what we get paid to do, right? As security professionals it's our job to detect and/or prevent, and if we can't do those, then fix it afterwards, right? That's what we get paid for. We can't sit around and say, "Oh, it's your fault because you did something you weren't supposed to, because you don't know any better, you're a user, I know better." We know better. That's our job. And I'm still 10 minutes short, so I hope you've got some more questions. Yes? "Is this a metric hour that you're measuring with?" Yes. I told you, I was sure I'd talk fast; that's why I added all these topics,

because it was supposed to fill out a whole hour, but I still talk too fast. Any other questions? It's okay. "I might try to beat you for speed." Okay, good. It's not a race, but you can; I'll cede that to you if you want. All right. Another question? I have gifts, I can't even... bearing gifts. I have coffee if anybody wants coffee. All right, I've got old HNN stickers, I've got Cyber Squirrel 1 stickers. "What do you mean you have coffee?" I have $2 off coffee. "Oh, like you just clean out your freaking car and be like, 'Here's a coffee'? Do you not know how this works with BSides Delaware?" Yeah, monsters

here. What's up, the monsters here. 2. There we go. And we're having technical difficulties, yay. Get it to come up on the projector. "Be good. You probably have it in extend mode, that's probably why." There we go, it's on the projector. "Is it on your laptop?" I think. Looks good here, it looks terrible up there. For...

terrible or not, I'm just going to go with it, doesn't matter how it looks. So, one, thank you all for coming to Security BSides Delaware, thank you all for hearing my talk, and hopefully you learn something new; if anything, you learn I'm not able to give a presentation. So what am I talking about today? iplog: an IDS for the win. iplog is an open source project. It gives the beginning-level sysadmin actionable network intelligence without the complexities of more advanced IDS solutions. And speaking of not knowing how to give a presentation, I need to slow down just a little bit here. So what I'm going to do is start

out with talking about some of the other, more well-known solutions, and then we'll end talking about iplog. So, actionable and timely intelligence: this is the sole purpose of an IDS solution. If you are not getting actionable intelligence out of your IDS, if you're not getting it in a timely manner, your IDS solution is simply... So what are the solutions that are available? Suricata. You can also deploy tcpdump, Wireshark, Snort, iplog. And I'm going to go grab some

water. I told you I didn't know what I'm doing. "You speak louder, it's hard for..." Okay, I'm sorry, thank you very much. Yes, I'll try to speak louder so everybody in the back there can hear me too, sorry about that. So as I said, the open source solutions are Suricata, tcpdump, Snort, iplog, and there are probably some other ones that I don't know about. So what's wrong with Suricata? I really don't know. All I know about that solution is that it exists. If you have experience deploying Suricata and you know of some pitfalls in the deployment that would hamper it from giving you actionable or timely

intelligence, you can save that for the Q&A at the end of the talk; you will be able to add value. So I'll move right on. So what's wrong with tcpdump or Wireshark? Well, for the beginning-level sysadmin, most of them probably can't read a pcap like a storybook, you know; they can't just open that file and know what's going on. Most of them can't dissect TCP/IP or other network protocols in their head. And now, we are at a BSides, so probably some of us can; probably the guys downstairs doing the CTF definitely can. But then we come to the problem that, if we can conquer the skills barrier, we have speed. Can you do it at 10 megabits

a second? No, not really. So yes, tcpdump will give you pcaps, you will be able to tell what's going on on your network, but probably not in a timely manner. Snort: complexity, that is the biggest problem with deploying Snort. One, Snort itself has lots of options. I have very few dead-tree versions of software manuals on my desk; the Snort manual is one of them, and I still don't know or understand everything that Snort can do out of the box. Next you go to rule management. An IDS solution without rules is kind of like a crossbow without bolts: you can't kill anything with it, well, you can't shoot anything with it, you can't use it the

way it was designed. So you need to have a rule set; you need to decide what rule set you're going to use. There's the Community rule set, which I believe is somewhat outdated; the Emerging Threats rule set, which is an excellent rule set, I highly recommend it; the VRT rule set; or, if you are one of these people who can read a pcap like a storybook, one of these people who are very smart, you can build your own rule sets for this. That's great, and that's a lot of fun to do. I've tried; I've not ever had much success building my own rules for Snort. Then you have a rule update solution. So let's see, we have an

IDs engine that we're deploying we're deploying a rule set now we have to keep these rules current because the threat landscape out there changes it doesn't stay still it's always you know new things are coming out old things are coming back slightly changed you know the bad guys are always trying to invade the rules so the rule sets are always changing so you need to keep the rule sets current so we have deployed the IDS engine the rule sets and a rule set update solution some of those that are available are link master and P port and there may be more that I don't know about um and we haven't yet gotten to getting actionable or timely

intelligence out of snork We're just trying to set the thing up all right we've got our rule sets now we're going to get data lots of data initially and if you are in a situation where you deploy a lot of snork sensors lots of data times the number of sensors you are deploying which means to search that efficiently you're going to probably have to deploy a database you know open source Solutions are MySQL or poster SQL um I believe the latest versions of snort do not support dumping the snort alert logs directly to the database you have to have some kind of middle software connecting to the database um Barnyard 2 is the one that I

know of there may be more they said I don't know everything that's out there and we're still not to the point where we're getting action or timely data out of our IDs we are just deploying software after software after software and finally we'll need a web app to get the data out of snore which means we have to deploy a web server and the web app itself um Bas that's somewhat outdated then there's snorby and squeal which are soft um software that can get you actionable data out of a snort installation so we've deployed our IDs solution rule sets rule set update solution a database software to connect to the database for each of our

sensors um a web app we can finally get actionable intelligence out of our IDs we can finally get it in in a timely manner out of our IDs of course that is once you've tuned your rule sets to eliminate the noise I mean this is my experience with snort you know I was getting all this data and most of it was stuff I didn't care about like I had a website I don't care if somebody's grabbing my robot's text file that's irrelevant I I put it there I expect people to grab search engines especially they get that another thing is like um as I said earlier the landscape of stuff changes like in our shop a year ago we

started using Dropbox internally all of a sudden our rule set alert count went up realized that the um emerging threats policy Dropbox rules requiring like crazy I don't care about that I know I'm using that so that's the problem with snort snort is a great product but it's the learning curve and the complexity of deploying that and getting actionable And Timely intelligence out of that can be daunting and especially and for the beginning level system and so if you're just starting out you don't know much about networks you don't know anything about um pcaps or how the protocols work but you want to find out what is going on in your network what would you what

could you use um that's where IP log comes in now what is IP log it's open source software it was originally written by Ryan MCC in 2000 he stopped development at version 223 okay there's a link to that old code base there um it's simple but it's not PC d basically what it does it's a connection logger a packet comes in it will log what happened how am I doing here okay I could slow down just a little bit more so and they said connection logging it also has some scan detections it can detect for sin scans null scans fin scans xmus scans UDP scans um attacks it can detect ping floods and Smurf attacks

frag mation attacks also the bogus TC you know attacks with bogus TC key Flags it experimentally can evade end map scans I don't know I've never played with that particular capability of it but that's what it can do so if you're beginning level system in this will be able to tell you very quickly what's going on on your network so what does it have for logging as kind of like snort this will generate lots of data it can log to CIS log I don't recommend that I'd say dump to a a regular text file dump to the regular text file then you can feed it to a scripting language and cars it and get actionable intelligence

out of this as um oh what was that guy Marcus Harry mentioned learn a scripting language especially if you're a beginning level system learn a scripting language I taught myself Pearl parsing logs that look like this and as you can see it is you know doing we got some bogus TCP plags some scans going on somebody's attacking Slammer the SQL Port probably um let's see miscellaneous stuff you can filter out the noise here's a config example where I'm filtering out um return answers from the gtld name servers I don't care about again I don't care about those so I don't need to process them in my logs um I Le a I contacted the original

author a couple years ago and asked him about continuing the project he gave me permission to do that um a newer version that compiles on Modern systems has been released on my site CMP publishers.com the directory OSS that's open source software um one thing I basically all I've done to it so far as made some changes so it would compile on a modern Debian system and then a cleaned out the log messages a bit as you can see back here going backwards a bit the like for UDP or a TCP packet it's a whole different log message for format for each thing I've tried to standardize that a bit so that's pretty much IP log that's

why I think it's a beginner's IDs for the when you don't have a high learning curve to get data out of it that you can start using when I started parsing I log data I didn't have Pearl scripts I didn't even know Pearl I was just reading the files and then building firewall rules based on what I was reading in the the log files so that's pretty much it um my contact information Nathan publishers.com you can find me on Twitter at christor media I'm also on LinkedIn some of my previous um presentations are available on SlideShare check those out um thanks I'd like to thank first my Lord and Savior Jesus Christ for giving me giving us an entire universe to hack

the mental capacity to ask the question why and the skills and the abilities to find out the answer to that question without him no bsides Delaware no bsides anywhere I'd like to thank the staff of bsides Delaware for one inviting me to come down and talk for putting on an awesome conference I I was here last year had a blast in I'm not disappointed that I came this year I want to thank Ryan mckc for writing some very useful software that helped me out when I was just starting out and for giving allowing me to continue his awesome work um Q&A because I always forget so it's in my slide deck anyone have any

questions okay well you guys have a great time enjoy the rest of the coun
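The workflow the talk describes for iplog (dump to a text file, parse it with a scripting language, filter out known noise such as name server replies, then decide which sources deserve a firewall rule) as an added example in Python rather than the speaker's Perl. This is not code from the talk or from iplog itself; the log line wording, the documentation-range addresses, and the DNS_SERVERS allowlist are constructed assumptions, so adjust LINE_RE to whatever your build actually writes.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of an iplog text log (timestamp,
# protocol prefix, message, source address). The exact wording is an
# assumption modelled on iplog's messages; adjust LINE_RE for your build.
SAMPLE_LOG = """\
Nov 14 09:12:01 TCP: port 22 (ssh) connection attempt from 198.51.100.7:51234
Nov 14 09:12:02 TCP: port 22 (ssh) connection attempt from 198.51.100.7:51235
Nov 14 09:12:03 TCP: SYN scan detected from 198.51.100.7
Nov 14 09:12:03 TCP: bogus TCP flags (SYN FIN) from 198.51.100.7:51240
Nov 14 09:12:10 UDP: port 1434 (ms-sql-m) connection from 203.0.113.9:1134
Nov 14 09:12:11 UDP: port 53 (domain) connection from 192.0.2.10:53
Nov 14 09:12:12 UDP: port 53 (domain) connection from 192.0.2.11:53
Nov 14 09:12:20 ICMP: ping flood detected from 198.51.100.7
Nov 14 09:12:30 TCP: port 80 (http) connection attempt from 203.0.113.200:40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<proto>TCP|UDP|ICMP): (?P<msg>.*?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?$"
)
PORT_RE = re.compile(r"^port (?P<port>\d+)")
# Words that mark a scan/attack detection rather than a plain connection.
ALERT_WORDS = ("scan", "flood", "smurf", "bogus", "fragment")

# Constructed allowlist: the name servers this host queries. Their answers
# come back from UDP/53 and are expected noise, like the gTLD replies the
# talk filters out of its logs.
DNS_SERVERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return a dict for one log line, or None if it is not an iplog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "msg": m["msg"],
        "alert": any(w in m["msg"].lower() for w in ALERT_WORDS),
        "dport": None,
    }
    p = PORT_RE.match(m["msg"])
    if p:
        rec["dport"] = int(p["port"])
    return rec


def is_noise(rec, dns_servers=DNS_SERVERS):
    """DNS answers from our own resolvers are expected; skip them."""
    if rec["proto"] != "UDP" or rec["sport"] != 53:
        return False
    src = ipaddress.ip_address(rec["src"])
    return any(src in net for net in dns_servers)


def summarize(text, dns_servers=DNS_SERVERS):
    """Per-source view: which ports were hit and which detections fired."""
    hosts = defaultdict(lambda: {"ports": Counter(), "alerts": []})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or is_noise(rec, dns_servers):
            continue
        entry = hosts[rec["src"]]
        if rec["alert"]:
            entry["alerts"].append(rec["msg"])
        elif rec["dport"] is not None:
            entry["ports"][(rec["proto"], rec["dport"])] += 1
    return dict(hosts)


def suggest_blocks(hosts):
    """Sources that triggered a detection, as iptables DROP rules to review."""
    return [
        f"iptables -A INPUT -s {src} -j DROP"
        for src in sorted(hosts)
        if hosts[src]["alerts"]
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, info in summary.items():
        print(src, dict(info["ports"]), info["alerts"])
    print("\n".join(suggest_blocks(summary)))
```

The generated rules are candidates for a human to review before loading, which is the same manual step the talk describes.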

Make sure you send the slides to us so we can have a copy, because one of our tools isn't working, the one which pulls them from... I got... so the video is a video of me playing on my phone. It'd be just like me giving a presentation.


Okay, to start early and have time for questions. Oh no, this will go fast. All right, well, it's four o'clock anyway, so we'll get started. Welcome, my name is Joey [surname unclear]. This presentation is What Dungeons and Dragons Taught Me About Infosec. So I start out every slide deck with pictures that kind of try to describe me. Thank you Frank, I appreciate that. So just a little bit of background: I'm really a 12 year old stuck in a 32 year old man's body. I like Legos, I like Star Wars, I like science fiction, Star Trek, I like bourbon, yes, I like good cigars. So in addition to having a really good love of bourbon, I also put on an event at DerbyCon every year called BourbonCon. We've done it the last couple of years at the Galt House on Friday night, so that's how much I like it.

Can't do a D&D talk without giving something to describe myself in D&D terms, though I do believe my alignment is starting to shift a little bit. I kind of tend to mostly fall towards chaotic neutral; in the end it's more about me, I'm allowed to be selfish. So, disclaimers. I actually think I got a talking to once about my presentations and that's how it's ended up: all views and opinions in this presentation are my own and do not reflect the opinions or beliefs of my employer or any other affiliated organizations. So don't write angry letters to them, write them to me please, I like it, it feeds me.

So what is Dungeons and Dragons, if you've never played? I actually forgot to ask that question: how many in the room have actually played Dungeons and Dragons? All right, good. So when I originally gave this presentation I thought the Venn diagram of Dungeons and Dragons players and infosec people would be almost the same circle. No. Actually, I think the first time I gave this presentation two people in the room answered that in the affirmative out of a room of 20 or 30 odd people, so I was a little surprised. But it's a standard role playing game. Before we had computers, role playing games weren't World of Warcraft; they were dice, character sheets, lots of rule books, and all these things came together in little adventures. As in most of my presentations I enjoy searching the internet for things, safe search being an optional function of that. So I always like this slide; it's kind of what people actually think of Dungeons and Dragons and the people who play it, and I think it's very true. I think it speaks a little bit to the mentality of some of the people but also to the way that people are perceived. I think this even hearkens to a point that Space was talking about earlier today in his talk. He was talking about this perception; you had the quotes from the FBI director and from the head of Air Force cyber command basically talking about, they very much hinted at these stereotypes of hackers and of IT professionals in general, and so you see a lot of that here in the way people have perceptions.

So the first lesson that I take out of Dungeons and Dragons is that it takes a team. In Dungeons and Dragons you have your characters, and the important thing to take away from this, whether it's Dungeons and Dragons or modern RPGs like World of Warcraft or PC based systems, is that they all have similar constructs, and that's because most of them in the end are somewhat based on Dungeons and Dragons. So all those games have different races; races have different skills and abilities and different traits. They have different classes, which have different skill sets. You have combat and physical characters like barbarians and fighters who get in there and beat the crap out of things, and you have magic users who stand in the back and cast spells and heal people. And so you have these different classes that come together to make a cohesive team, because one person alone can't necessarily do everything. So whether it's Dungeons and Dragons, you're going into a dungeon, you've got your dungeon master there leading the story, or you're playing modern role playing games and you've got dungeons and raids and all these other things, you can't go in there by yourself. You need to have a team of people whose skills come together to make you stronger than you actually are. Again, searching the internet way too much, I actually did find a picture where somebody had explained the classes of Dungeons and Dragons using the Avengers.

So what are classes in infosec? I tried to break this up to give a high level view of a couple of what I will call classes, but it's not strictly speaking all of them. You're going to have developers, guys who are great at code, who build the programs that you're using, who maybe build the exploits that you're using if you're doing pen testing, writing the scripts that you use for automation, whatever else they might be doing. You've got your Metasploit masters, you've got your pen test teams, you have your guys who go in, who do your testing, and whose skill sets are very driven behind those tools and those functions. You have hardware guys, guys who know the ins and outs of electronics, who know how to configure and maintain the computer system. The most abstract one I have up here is the network heroes, guys who can figure out exactly what's going on without any tool except Wireshark and a couple of filters. They're like, this is exactly what's happening. There are dozens of tools out there that automate lots of that; you can ingest all these pcaps and it'll show you pretty pictures and data flows, but in the end nothing's perfect, you still have those guys who can do that. And then you have OS guys, whether that's desktop or server based OS folks or mobile guys, and a lot of times these overlap with other areas, because your developers, odds are, are going to have some specialty in one or more of the operating systems. Because anymore, with all these mobile constrained architectures, developing is more restrictive than just writing, hey, I wrote ANSI C code that will compile on any system and it should work. So the second it got that difficult it got more fun.

So in Dungeons and Dragons there's this concept of multiclass. In the real world we call it the jack of all trades; it's this idea of somebody who's good at multiple things. There's a saying, jack of all trades, master of none. I tend to disagree somewhat with that. I think you can have somebody who has a broad range, and he's maybe not good at all of the skills, but he might be excellent at networking, and when it comes to hardware he might know nothing about hardware, but he could be a good dev, or just have general skills in other areas that may be useful.

Another portion of Dungeons and Dragons is alignments. The first time I did this presentation I got really bogged down in the alignments, and the second time I did it I got even further bogged down, because one of the questions I got asked was, well, I don't understand the alignments. And then I realized something important, at least from the perspective of this presentation, which is that it doesn't matter. There's a couple of slides I have in here that are seriously... so the important thing here with all these isn't so much to get bogged down in the wherewithal and how-tos of how characters and classes and alignments work within Dungeons and Dragons, but the thing I think is most important and what I'm trying to get across is that it takes a mix of all these things. So you can apply, to some extent, people into different areas and alignments, and you have to have that. In the end you need different personalities on the team. If everybody's the exact same and thinks the exact same way and has that same mentality, you may not necessarily have that person who can look at this from a different perspective and be like, wait, why are we still doing this the same way? If we did something else maybe it would work better.

So I did leave this one extra slide about alignments to clarify for anybody who really does care, explaining the good versus evil. That one's pretty clear, most people get the concept: caring and concerned for others, protecting the innocent, all that fun stuff, versus wants to kill everything and everyone or take over the world. Lawful versus chaotic always gets a little more confusing for folks, so I left this in. The lawful side: rules, order, tradition. I try to explain the lawful evil, because people are like, well, how can you be lawful and evil? And the best way to describe it is the world dominator: the person who has this moral code and structure, but it may be different from everybody else's, and he wants to impose it on everyone. He wants the world in his vision. Whereas the chaotic evil individual is the world destroyer. One of the better examples for chaotic evil, for anyone who saw The Dark Knight, the portrayal of the Joker in that movie is pretty spot on for chaotic evil.

And so what did I do? I had to make a version of this that has alignments in infosec. So I tried to break it down a little bit, the good on the top, and because of my background it may be a little biased, but it's basically all your different types of testing, right? So C&A, your certification guys, they're going to be lawful good. They have a set of rules, they want to follow those rules and make sure everything gets checked off and everything's done right and meets those rules. They're just like, okay, this is good, this is good, this is good, it all looks good, there you go. Neutral good, I kind of put blue teams there, and the reason I put that there was they're not quite following the rules of doing C&A work, but on the same side they're not where I think the red teams are, which is when you have a red team who's doing a true penetration test they need to be looking at your networks in the same methods and ways that your black hats and your white hats are going to, particularly your black hats, your main adversaries, are going to attack your network. So they have to be more on the chaotic side, and in the end, within your organization, within your groups, those are always going to be perceived as the good, right? They're the ones trying to make things better. Some of your admins and your help desk folks are probably going to see them as evil, because they come in, break everything, and now they get stuck fixing it. Lawful neutral, the Lego blocks are developers, because I couldn't find another good picture for a developer. The help desk is true neutral, white hat is chaotic neutral. The bottom, the lawful evil, those are the bosses: they have the rules, they have the order, but ultimately they sometimes get in the way. I put neutral evil as the lawyers. You would think they'd be the lawful people, but to them it's more about keeping the company, keeping your butt out of jail and out of trouble, than it is anything else. And then chaotic evil is the black hats. These are the guys who in the end want to break into your networks; they're the ones who want to steal information, they want to deface your websites, whatever nefarious reason they might have, whether it's just for the giggles or for the lulz. Ultimately those are your enemies, I suppose.

So the second lesson I have from this: you need a good director, and this is where the dungeon master comes in. For those who haven't played before, the dungeon master is the one who's created the scenarios that you're playing in, who, depending on how evil he is (I've had some whose main purpose in life is to make sure you all die; others want to see you progress and then kill you), it's really what's behind that little screen, it's all the scheming, all the plans. I think that's the important thing: this is the person who has the plan and has the vision of what needs to be done, and a lot of times on the other side it's the players, the ones actually playing the game, whose job it is to actually execute it. In the end, how many of us have managers who are actually doing the day to day technical work? I know there are some, but it's not all of them. It's leading the way; I'm herding cats, it's quite the reality. I'm in my second go-around as a manager, and trying to get everybody in the same place at the same time to do the same thing, or even something similar to the same thing, is very hard. If you've hung out with people at hacker conferences it's again very similar: how do you get everybody moving in the same direction at the same time? Even then, I'm pretty sure if you pulled the fire alarm right now there'd be a couple of hackers looking around like, I don't smell smoke, yeah, okay, we're good.

The laptop, let's go, new laptop. I will admit, coming up this time, I don't know if you noticed, by the elevator there's these stacks of recycling bins and the top one has a cell phone on it. There are no cell phones in it right now; I was a little sad. I was hoping somebody might be dumb enough to leave a cell phone in there; then I was going to change the whole direction of the talk, we were going to talk about why you don't leave cell phones in there.

So we have many dungeon masters, people who will dictate what we're doing, dictate the story to us, how things are going to be done: whether it's our customers, whether it's customers external to your company if you're doing consulting, or if you're doing IT support and internal support for your own company, then other people within your company are your customers; your team leads, whether your technical team leads or your supervisors; even upper management. Because in the end, as you go up, how much vision they have specifically for you narrows, but their vision overall fits in. So at the upper management level there's the global, this is what the company needs to do, and the supervisors below that all say, okay, well, to make this happen in my group we need to do this, and so then that leads down to you, and if you have team leads between you and a manager they filter it out and they delegate tasks. They're the ones that keep us truly on track. So all these people kind of dictate the story to us; they're the ones who lead. And if you didn't have this sort of structure, if you put 100 guys in a room and try to convince them to all go in one direction, are they going to go there? Somebody truly has to step up and lead. The odds of them all walking in the same direction are going to be slim enough, or at least in the same general direction.

So we get on to the third lesson, and this kind of grows out of, again, me Googling and searching on the internet way too much. So every network is a dungeon. I did not have to fabricate these pictures in any way, shape or form, but I thought they look incredibly similar for the fact that one is a network diagram and one is a dungeon map. It's maybe a bit too literal in some sense, but it's kind of a diagram to look at. The reality is, when you're playing Dungeons and Dragons you navigate a dungeon. You go in as a team, you're looking around to find treasures or save the princess, you put in another pencil and you go through (I got a laugh), you go through and ultimately you're trying to get to your end goal, whatever that is; it varies, but you navigate through from point to point. We do the same thing in networks, right? If you're coming in as a pen tester and you're looking at a network, you're doing the exact same thing. If your end goal is to get back to where all the data is stored, you're going to navigate through in whichever method is most effective. Sometimes you can walk straight in because there's a giant hole in the wall instead of a door, and other times you have to work a little harder at it.

And so that's where the first thing comes in: obstacles. When you go into a dungeon in D&D you have things that are going to be in your way. They might be doors, they could be walls, they can be traps. We have the same thing in networks: we have firewalls, we have different types of appliances that are all doing the same thing, and to some extent you can even argue that, well, not necessarily directly a strict obstacle, but if they're set to block traffic, IDSes and IPSes can become the exact same thing. So how do we dodge obstacles? Well, if it's a door in Dungeons and Dragons, you might just have a rogue who comes and picks the lock, gets you through, and now you're on to the next stage. When you're looking at a network, if you're trying to get into a network from the outside, you might be looking for places and different points where you have to pivot in from: oh, I got one machine and now I need to try to use that to get further. So it's not necessarily a straight line. And so we work around obstacles, and sometimes you might just turn them off if you can. If you don't have a rogue to pick a lock, you throw a barbarian at the door until it falls over.

Which comes to traps, whether it's the Indiana Jones style giant rolling boulder, or it's a honeypot or other defensive mechanisms designed to lure you away from your ultimate target. It's all ways to try to capture your attention and keep you from getting to where you want to go. In the end I guess they're just other forms of obstacles; sometimes you just have to run away. There's creatures. In a good dungeon you have different types of creatures, and if you've never played D&D, there's probably hundreds if not thousands within the various books and rule guides, and then your dungeon master can also be evil and wicked and come up with his own [expletive], excuse me. Whether it's little innocent looking kobolds or skeletons or the ferocious dragon, you have different creatures who are always occupying and in your way. So I tried to create some creatures of infosec, and this is where you have your IDS, your IPSes, your antivirus, your SIEMs, anything doing log collection, any of those sorts of things that are monitoring and watching the network. Unlike the creatures in a dungeon, which could actually literally kill you, more times than not these are going to just alert you to the fact that somebody's there, and somebody else is going to come in and kill you afterwards. But in the end all these pieces come together and so you get this view where you're trying to get to a goal, and that goal is your treasure. So in a network this treasure could be anything. If the main person who's going to be attacking your network is people who just want to deface your website, maybe the goal is just your web server. If you actually have real proprietary data or, hell, personal information within the network that people might want, then that probably becomes the treasure. In Dungeons and Dragons it's almost always just gold and armor and the sort of stuff you'd find in a role playing game. In the end your goal is to get something. Sometimes there might be more altruistic motives, you might be trying to save the village and kill the dragon, and usually that has a side effect of coming with lots of gold.

So the fourth lesson: using your imagination, or playing the game as a [unclear]. Here's this map again. How do you go from pieces of paper and little markers on there to seeing your team and your group come together and destroy a dragon? Well, we have to use our imagination. If you don't have any imagination then Dungeons and Dragons isn't going to be much fun. So what's the reality of computers? I hate the very cliche image, but it's there. When we interact with computer systems and electronics in general we have some sort of human usable interface, but the reality is that human usable interface is just a cover for what's actually going on, and this goes all the way down, from working on computer systems to looking at networking traffic data. My background from college was in networking, and I think I'm probably one of two people who actually likes looking at network traffic at the data link layer, going all the way down, looking at Ethernet frames and [unclear]. But the reality is even that's not everything. The reality is the physical layer: depending on which media you're using, that signal is sent in one of various methods. Over Ethernet the voltages along the wire are modulated to represent bits; over wireless the signals are changed in amplitude and frequency in order to accommodate the same concept. So we have to in some ways abstract this, because it's not something we can work with.

So this also leads to solving problems. Just two pictures again, I love Googling: the keyboard not found, press F1 to resume, or using six different adapters so that you can put your micro SD card into a computer system and read it out. But ultimately, when you're doing Dungeons and Dragons, whether you're running into a trap or you run into a wall or something gets in your way that keeps you from going where you're going; in infosec we have problems we have to solve. Things don't always work the way they're supposed to; it's one of those oddball little things that drives most of us nuts, I'm sure. Which feeds nicely into lesson five, which is the element of chance: nothing ever goes the way you expect it to. I think anybody who's ever worked with a computer is well aware that even some of us who are really experts every once in a while fix something by magic. We don't know why it wasn't working five minutes ago, but I just did X and now it works. So in Dungeons and Dragons, as I kind of showed at the beginning, one of the elements was all the dice sitting on the table. Everything in the game is based on this system of chance. You have a character sheet that has certain stats and points on it, but in the end, in order for you to do anything, you have to pick up one of these dice and roll it, and if it's a bad night you're cursing the whole time. So again, more great pictures. In Dungeons and Dragons the dice have the ultimate control. When you're doing character creation you roll the dice to get your stat points. When you go into combat, when you perform any actions, you roll the dice to see if you hit what you're going to hit; when you hit something you roll your damage. And there's nothing more frustrating than having the big looking barbarian swing and miss and roll a one and then chop the head off of his friend. In infosec it's the same way: we have devices that break, we have equipment that won't work, there'll be code that doesn't compile, an exploit that won't run, a blue screen after blue screen, whatever it is, we run into these problems. So it's not always clear cut. Sure, 90% of the time you might go in and run the same five commands on every computer and it's going to work perfectly, but the next week you go back and you do it and, you know, Patch Tuesday came around, you come back the next week and something's not working again. It's always fun to try to figure out what the problem is.

And then there's just Murphy's Law: anything that can possibly go wrong will. There's plenty of lists on the internet of Murphy's laws of combat and Dungeons and Dragons and everything else, and there's probably ten times as many for Murphy's laws of computing. Apparently some very angry sysadmins exist out there who have nothing to do in their free time except write lists; let's hope they don't have lists of names.

So the summary: there's five lessons. It takes a team: having a group of people who can work together, who have different skills, who can come together and together be better than they would be as individuals. The funny thing about "it takes a team" is I probably took a lot longer in life to learn that one than I should have. I'll be the first to admit that up until probably about five years ago (yeah, thank you, thank you for keeping me honest, yeah, that would be about right), till about five years ago, more times than not my mentality was I can do it faster myself, get people out of my way, and I probably messed up some crap along the way. You need a director: you need somebody to keep you going straight in the right direction. Every network is a dungeon. You have to use your imagination. And as I learn every

day nothing ever goes the way you expect it to that's just the heart reality of things um so I put up a thank you slide I added this I failed to do this with every other time the other times I've done this presentation this year um so this U this going to be the big retirement of this presentation he kind of makes me hurt that I gave him four times um but um much like space work said this morning you know uh how you know how of Janice came up and asked him at Deron to submit a talk uh I got it too but it definitely felt a little threatening um you know I'm not saying she thought

she threatened me at harm but it definitely was kind of like yeah you should really submit because you know not everybody goes to every conference and she's like I'm sitting down and she's standing up which is the only way she could be looking down at me um and and it was a little it was a little intimidating that's all I'm G to say but I would like to thank pides Delaware for having me here the second year in a row to present and um I like to think I actually taught somebody something this year last year I think I just tried to anger people and get them out of the um um you know thank derbycon sky.com

outou Zone they all uh all allowed me the opportunity to get up here and try to part some knowledge don't know if it was much but if somebody takes something away that's better than nothing else a couple more thanks um and he won't like it but I'd like to thank spiky for all the feedback um yes I knew you would do that um for for all the feedback um and I'm sure I'll get it again um I also like to thank him and fzy hack uh for heckling me from the couch at sky.com but it was an effective heckling and not mean spirit so I appreciate it um I'd like to thank everyone who's here

today for coming and listening to what I have to say um and anyone else who may be watching who attended my talk earlier in the year and who I failed to than um so does anyone have any questions I managed to get through in 30 minutes I'm sorry yes on your creatures page uhhuh

So AlienVault is the new name of what? That's Bro? Oh, that's Bro. Really? Ask Liam that next time you see him. Your brain stopped functioning? Don't draw that on the command line. [Laughter]

Yeah, they may have changed the logo they're using. Okay, yeah, it's on the web page. I was like, okay, I may have seen the logo once; it's kind of scary. Yeah, it's weird. It's crying Ethernet tears, see that? It's crying Ethernet tears.

Anybody, anybody else have any other questions? Nothing? Well, thank you all. [Music]

Again, have an error on a blue screen? Yeah, so I've seen a couple of images on the internet, so I can't confirm nor deny that it's legitimate. Yes, it must be true. I do want to say I've actually had somebody show me it happen, but I can't recall where. Like maybe if you're emulating it and something, and I think that was the case. I think... well, actually, in one of the cases I think it was a really [inaudible] process when I'll buy... [Music]

Surface in the wild, wow, the first one I've seen that wasn't on a television program. And everything got a couple of Surface ones. [Applause] See, and I got... yeah, I got regular, that's the... yes. I'll have to go back. [inaudible] They have... most of them are like open FTP servers or open [inaudible]. It keeps coming up. Probably. Probably so. [inaudible] Here's a real [inaudible] communication. Yeah, but I mean, like, this... you have, like, off-the-wall... we had two talks about cooking this morning.

All right guys, let's get started. So if you don't know, hi, my name

is... with a happing problem, right? I actually... programs. So welcome to Securing Your Assets from Espionage: Stop Pillaging, Keep Your Booty. General disclaimer: yeah, anything I say doesn't reflect on past, present, or future employers. This is all me; it's all my fault. If you don't know me, there's the requisite line of certifications that I hold. I've been doing IT for 16 years, but the last 12 as a government contractor, so a lot of the experience and stories that I will pull from are mostly from that range. And yes, there's a lot of pirate theme along the way, and you'll also see some long space stuff too. I'll make it fun.

So I'm going to go over what business espionage is, discuss targets, methods, and countermeasures that we can deploy for this. Of course, to really understand this, this quote by Aldrich Ames really sums up the whole essence of things: "Espionage, for the most part, involves finding a person who knows something or has something that you can get them to secretly give to you. That almost always involves a betrayal of trust." Because we all know: people, you are the weakest link. It doesn't matter who you are, what your role is, we're the weakest link in the chain, and we're the biggest exploit vector out there.

Just to kind of highlight that this is, you know, it is a concern. It always has been, but it continues to grow; it's a big money maker. And this one's just from the end of October: so the Department of Justice, they are reorganizing for their cyber and corporate espionage, because obviously this is important. It's the requisite cyber word. We're having a lot more threats as we become even more dependent upon all things technology, all things internet. Our lives are very internet based; you can't even go out to dinner with your friends without there being a substantial amount of time spent on your smartphone checking in, tweeting, posting to Facebook. Yeah, we all need our selfies. And along with that, in corporate espionage, again, that's a huge money maker, well, money saver too, but we'll get into that.

And one other thing also in the news just this week: so they're looking at expanding laws around the Espionage Act to include civil lawsuits, not just federal lawsuits. So if this gets passed, we're going to be seeing a lot more lawsuits along the lines of, you know, perhaps the way patent trolls have gone, in terms of corporate espionage. So this is really going to be a real hot-button issue if this gets traction and it passes and gets put into law. So something to be aware of, especially with a lot of the things that get wrote into NDAs that we're required to sign on almost each and every project. So kind of keep that in mind.

So, to start off with the essential underpinnings: back in 1996 the Economic Espionage Act was passed, and this allowed the federal government to prosecute in terms of theft of trade secrets and actually get something done, and this is at a federal level. So imagine this happening at a civil level if things start getting expanded; all those lawyers that don't have jobs might have jobs again. And this really revolves a lot around trade secrets, and trade secrets, these are different than things that have been patented. Patents are out there; you can see them, you can see what's involved. It doesn't necessarily give away all the secret sauce, but it gives you so much information. Trade secrets, however, have not been documented. Now these are things like, you know, the Coke, Pepsi recipe, Bush's Baked Beans, all these secret recipes that are held nearest and dearest. So yeah, it's one of those: it's not documented, and if anyone gets their hands on it there is potential for some money to exchange hands.

Which of course leads us into our driving forces. So corporations, whether they're locally based in the States or maybe foreign corporations, a lot of the drive is of course money. If you're in a very fiercely fought field and you have something new and hot to bring to the market, you're going to have a research and development curve; you're going to be investing a lot of money. If you can shave several years off of that, that's a big money maker. And if you can take what your competition has done already, leapfrog off of that and get to market sooner, you've already created the market name knowledge and locked it in with you, and that's a huge gain. Of course, our individuals, our weakest links, they're in it for the typical things, and you see this across the board, whether it's corporate espionage, national secrets, it doesn't really matter, it's the same motivators. They might want more money; someone's offering them whatever they find to be a fabulous payment. Frankly, looking at the history of what people have sold stuff for, I think they're idiots; the risk does not come anywhere close to being worth it. Other things: blackmail, this is a traditional one, get someone to feel guilty about pretty much anything, hey, it's a weak point. Revenge: sometimes people just don't like where they are or who they're working for or with, and they want to do something about it instead of, you know, just slashing tires or putting shaving cream in someone's car. And then of course there's things like accidental disclosure, where it's unintentional and it's just stupid human tricks. People are lazy by nature; people don't think about what they're doing, they're just thinking about "hey, I need to get this done", and that can inadvertently create an exposure. Oh yes, FOIA requests too, that's one of those things that need to be reviewed in terms of classification levels and a continual status, and yeah, that also kind of falls into human fallacy for not being aware of expiration dates. [Music]

So we have targets. Of course, these are everything that people are going to be going for. Now trade secrets, these are the near and dear, so of course these will be one of the primary targets. It's not documented, so if you can get it, there's good money. Client lists: you may not think that a client list could do something for you, but you've got some product that you're trying to sell and you're trying to make an inroad into a certain sector; having the client list for your competition opens up a whole new amount of people that you can sell to potentially, and you can also start poking around and try to undercut them. That's a big part of the competition. Anyone that's in government contracting knows about lowest cost; it's a big factor, and it's determining pretty much anything and everything in life for what you're going to buy. You know, why do we go to Walmart sometimes instead of Target? Personnel records: this kind of plays into brain drain. You're targeting a company; let's see who's working on Project Team A, and we'll start circling and start making them job offers, bring them over. It's another way to play the game. In terms of research, of course, this is development and marketing. This can include things such as pricing lists when you're doing competitive bidding; this can be a real leg up. Of course, in government contracting, if the company is caught with having that insider knowledge of pricing, it also gets you kicked out; doing too much bad stuff can get you debarred from getting any contract too. And of course research and development, that's always a major target. How many times are the Chinese hacking into us in order to get the latest and greatest plane specifications? I think there was one just the other week, actually.

Of course, along with this we have our threats. So we have obviously the outsiders, and this is what we're mostly familiar with. We have all our threat vectors, everyone trying to hack in, get into the networks, and steal everything. But one of our biggest concerns, actually, and our biggest threat, is our insiders, simply because they already have authorized access, and this is where you're going to see a lot of your weakest links come into play. You know how many people point and click on things that they shouldn't? Perfect example right there.

No, click on everything! Nigerian prince, give me $10 million? No, he wants to give you $20 million; you just need to send your bank account, your firstborn son... What about that resume? Yeah, even things... you can embed bad stuff in anything. You know, suddenly getting a resume out of nowhere, maybe you should check that. It's okay, nothing bad ever came in a PDF, what are you talking about?

Foreign governments: this can be a governmental concern as well as a business concern, because we have a lot of government contractor companies, so by extension they're also getting targeted for developing planes, tanks, helos, nice little rockets. There's a lot of stuff out there that's in the corporate sector where we get a lot of the bleed-over. And of course, you know, I really need to change this to say crackers instead of hackers, but yeah, I forgot to, my bad. But yes, crackers, the people out there doing all the bad stuff, either for fun, for pay, or thinking that they're righting the wrong. Yes, all of our half of this.

And some of the key methods that I'll go through, these are just like... this is the summary of how they break down. So key methods would be elicitation, pretexting attacks, obviously computer hacking, and open source intelligence. And just to keep it a little interesting, I'll try to throw in some scenarios. And with that, assume you've got a company, it's a new technology, it's a highly competitive field, and you're making the next greatest version of something that's really sought after, and it's going to make your company millions, but not if the competition steals your stuff and gets to market first. Because if you have to spend three years doing the development before you can start selling your product, you know, have an actual working product, and you have to have, say, a team of ten developers, that's a lot of money. Yeah, so you have a huge investment and you really want to protect that investment.

So we're talking about elicitation and pretexting attacks. Now this is when people that have really good social engineering and charisma skills, this is where we come into play, this is where we can really shine. There's so many ways to get information out of people. Consider the last time you had a phone call for a survey. Maybe you're getting a phone call from some computer magazine, like "well hey, we want to send you a free subscription, so what kind of operating systems do you have, what kind of software are you running, what kind of networking architecture do you have, are you running Cisco, Juniper, what's the deal?" And you might just be thinking, because they have a nice little breakdown of the different magazine types they have that are specified towards these interests, networking, daily Unix, Linux, Windows, it's not really sticking in your filter that there's information that they can get out of this. This is what marketing does, right? Nothing's free. Yes, nothing is free. They're getting fabulous information about what your network is like, because most likely you're not thinking about this for your home network and stuff that you might want to learn about; you're thinking more like "okay, what do I need to know for my day job?" So you're going to be putting in a lot of information that can easily tie back to that, because guess what, how many of you guys have profiles on LinkedIn? Yeah, this also ties into open source, and so this is all circular information that they can start tying together. Along with this, this does count as information volunteered; when you're answering these surveys, think.

Two: someone calls up, "hey, let's try to reach Bob." "Well, Bob's on vacation this week, maybe try back on Tuesday." This is another piece of information volunteering that you've just given, and your wily social engineer can now use this. If they're good, they can potentially pose as Bob to someone else, say "oh hey, yeah, I'm out at this conference, I just locked myself out of my computer, but I need this document so I can go talk to our client who's actually here, could you send me a copy of this, just send it to my personal email, here it is." It's really that simple if you find the right person and you're convincing. Because this is 100% owning your [ __ ]: be confident, be who you say you are, and own it, and you're there. And this is no different than doing a job interview; that's essentially it, because you want to get paid. It really comes down to what we're just saying to you here, because this is the question they're asking, and you know what, this is what most people are answering too. So the next time you're presented with a survey, you've got people asking you questions... For the guys out there, you're out at the bar at a conference, some chick comes up, starts talking to you, maybe she's out of your league, "hey, you do that sexy SCADA stuff, it's hot, tell me." [Music] It could happen. Obviously I'm gonna have to dye my hair again before I try that. But you just think about the environment; maybe not have that conference call while you're at Starbucks hanging out because you got bored of working from your living room. It's little things like that: stop, think.

So, hacking, computer abuse, misuse, however you want to classify it, this really encompasses a whole lot of things. Now zero days, well, the media likes to make a big thing out of it; it's not our biggest concern. They happen, but really our biggest concern are all these default settings and unpatched machines, if we're being honest. A lot of this has to do with baseline configurations, dare I say the dreaded compliance word.

One thing I've said a few times: compliance is not security. But let me clarify that: compliance on its own is not the end-all be-all of security. It's a starting point. It's fabulous for giving us a baseline and somewhere to start, so we can all have a standard core to work from, but we really need to use it to reach beyond and stop acting like it's a checkbox. Don't just do "okay, passwords, they expire every 90 days, good to go." Well, along with that and your password complexity policy and your general every-year re-education of your employees, maybe start including things such as "hey, don't tape it to the underside of your keyboard." You know, people do that; we tell them, they still do it. So start including things, offering them alternatives. A lot of places do, but a lot of places also have the same annual training that does the same stuff every year, so no one really listens to it anymore; we just point and click and get it done. It is what it is, that's all I can say. But it's thinking beyond just what's there and using it as a stepping stone, a start.

And of course, one thing with all the compliance methods, and everyone's starting to utilize the NIST baseline, it is giving us a common baseline to utilize. That way, if someone's saying "yeah, we've got a moderate-rated system", you know what they're coming in with at a base, at least according to them. I would still say double check, because what someone else considers as meeting compliance doesn't necessarily mean it's going to meet your method of meeting compliance. Guidelines are guidelines; they're not set in stone. They're there for flexibility, and that leaves a lot of room for interpretation. During the times I've gone through and done audits, I have reviewed things in a much different way than other reviewers have, and part of that is just simply having different backgrounds. Coming from a system administration background, there's a lot of things I view in a much more technical viewpoint than the people that have come in straight into just doing audits. Even minor little things for complexity of settings, just because you're... I have seen people flag it as an issue if you have a more strict control. So there's a lot of issues there, a lot of stuff to still be addressed.

Okay, this is the way a lot of us feel at the end of the day. So yeah, and this is also how systems end up if we're not actually implementing good security. So just a thought. Open source intelligence: there's a lot of it out there; there's a lot of it coming from companies and government agencies themselves and employees. So a good example of this: if you go on FedBizOpps, this is where all RFPs over a certain money amount are posted for the federal government, so this gives you a whole wealth of knowledge about what they're seeking. There have been times where it says you need to be able to scan X amount of Windows systems, Linux systems, and it'll give a high-level breakdown. Not everybody that writes RFPs thinks the same way; not everybody has a security mindset. So there's a lot of information that's out there that can be exploited. Back during the Cold War, Russian spies came over and, simply utilizing a lot of stuff that was in trade publications, they used that to write up and send back their reports. There's just so much information that's really given, simply because there's a whole lot of marketing that needs to be done and a whole lot of "hey, look at this awesome stuff we've done." In terms of things such as even troop movements, you may not think about it, but a newsletter saying, you know, families saying farewell to their loved ones as they deploy, it gives you kind of a heads up. Nowadays that doesn't necessarily mean anything; back in the day it meant more. But it's the sort of information that's being freely given, and we're not being as OPSEC conscious, and with the expansion of social media everybody has become kind of public. Live, yeah, it's all out there for better or worse. Consider how many people post stuff that has cost them their jobs; there's not necessarily a lot of forethought that goes in. Essentially there's so much information you can get, not necessarily from [inaudible] but from anybody else that answers the phone.

So what can we do for countermeasures to all this? Well, we definitely need to do more training: information security, physical and personnel, and just training overall. Really, it's all training. We've all felt this way one time or another; no one's really missing it. So on the information security front, guidelines: all these fabulous things that are out there, FISMA, NIST, ISO, more than PCI; they're all starting points. They give us a baseline that we can work off of, and we can use it as a springboard and we can improve. Continuous monitoring is the new hot buzzword. We can't just be having... huh? Everybody's moving into continuous monitoring. We can't just set a vulnerability scan to go every quarter and not look at it and say "yeah, it's going, we're good, that means we're compliant, right?" I think so. Technically compliant versus real-world compliant is how I would put it. It's like you might meet someone's loose definition of compliant, but if you're not doing the follow-up, you're not looking at your results, you're not resolving your vulnerabilities, you're not complying. But to a lot of people, simply having that vulnerability scan that scans and sits there, yeah, check. That's not how compliance works. Not on my time.

Encryption: encryption at rest, encryption in motion, encrypt everything. There's probably back doors in everything, but at least it gives them something more to work on; we want to make it harder. You don't want to have a situation where the intern's taking the backup tapes to the storage facility in their car, they stop, they go get Subway, someone breaks into the car, takes them, hey, backup tapes weren't encrypted, oh [ __ ], there goes 50,000 Social Security numbers and everything else someone needs for identity theft. Those are the kind of things that get you really bad publicity that you don't want, and it still happens. That's the sad thing, it still happens. Yeah, there's no lessons learned. I mean, there's lessons learned, but no one's actually learning and implementing from it, because security costs money. We're a cost center, we're not a profit center, so we kind of get the end of the budget. It sucks, and we really need to work on changing that. Insurance? Everyone pays insurance. Yes, that's a good analogy: security is insurance.

Well, now that civil penalties are starting... Implementing intrusion detection systems, passive and active scanning, more monitoring: it's another one of those things that gets spat on, "oh, it's going to clog up the network." No, just do it. Unfortunately, executives kind of don't like that "no, just do it" answer, so this is where you need someone to schmooze them a little bit more. And proper data classifications. Mentioning FOIA requests: once something has been classified at a certain level, there needs to be a periodic review, and especially when it's something that could be requested, there should be a review before it reaches that deadline. But part of the whole thing with proper data classification is a lot of stuff gets classified higher than it should be, which causes a glut of information to have to review, and that's where you start getting all these holes in terms of it's not being reviewed because there's too much to go through. So there's a whole lot of issues that contribute on both sides. Because along with that, having someone to schmooze your executives and explain it to them in their language; not all engineers can work with the customers that good, not all engineers should.

Now in terms of physical and personnel security, obviously things such as USB drives, these are a continuing issue. Some places simply do away with it; it's an issue. Things such as bring your own device: people are connecting their iPods, cell phones, iPads, everything else to corporate networks, and this is introducing even more vectors for bad things to come in. We need to be more diligent about kind of safeguarding and keeping all this out. It's a hard balance, because at the same time you want to make it a good environment to keep your employees happy, so there's give and take, and the understanding that they're not necessarily going to listen to you, otherwise USB drives wouldn't be such an issue still. Of course, access: how many times have you been somewhere where your job has changed, your permissions have not, and someone goes from being a sysadmin to being a security admin but they still have all the permissions associated with both? Or they've gone from something completely different: say you were an engineer, you have access to all the development environments, now you're a project manager; you should not necessarily be able to go in and change code, depending on the type of project manager you are. Simply doing a regular review of, you know, when someone gets promoted, backing out accesses that they don't need, that would solve some of our insider threat, and that is a large part of it, because they're already authorized, so they can get in there, they can get the information. One place you'll see that is when people are leaving their place of employment for somewhere else; some people will do data dumps. This is when you want them to not have more access than they need. This is usually also when they turn in their two-week notice and you turn off all their access, because if they haven't already, then at that point they probably will go in and start doing data dumps. You know, the bad people; most of us are good, but not everybody is. We've just had a bad seed taking all those client lists, all that market information, exactly, just download everything.

Background checks: this is a standard for us, but background checks don't necessarily cover everything, so part of this is don't just rely on some of these things to tell you the entire story. Someone may not have convictions; doesn't mean they haven't screwed up and done something bad, doesn't mean they haven't stolen anything, just means they haven't been caught. This is where assessing a person as a whole, interactions, things they say, how they act, references from past management, this is where all these things tie in, because the background check alone is not going to tell you whether an individual is trustworthy. And hey, polygraphs don't really help either; Aldrich Ames passed them with flying colors, that really worked out well, right? Same thing with credit checks: just because someone has good or bad credit isn't sort of a reflection on them, and we've had some bad economic ups and downs and it's affected a whole lot of people. So this again falls within considering a person as a whole. And reference checks: how do you know that person is actually who they say and not just a friend that they've asked, "hey, when you get called for this interview for me, you're this person, I worked for you at this place, just say good stuff and that I did this specific kind of [ __ ]"? Maybe before calling their references you should check out their LinkedIn profile, because all that's out there, usually; see if they did work at the same company, and investigate their references just a little bit. There's not a whole lot that you have to spend energy on to find out stuff like this; it's all there. Because they could just decide to burn the whole thing down; we kind of want to be cognizant and avoid that.

And of course training really wraps everything up. We do need training: our personnel need training, our executives need training. Now we as security professionals, we need to be training our management and our executives in why security is important. We need to be proactive from our side and kind of, I know, be security evangelists. We need to make them see that, look, it's not this big cost center that is a black hole in your budget line; this is going to save you in the long run. If you secure your stuff now, you're not going to have a lot of pissed-off customers later when you expose all their personal information. Now that seems to really make a dent; people going to Target or Home Depot, it's a fact of life. Most people have really stopped caring about their privacy, and it's something we need to work on recultivating. We need to work on recultivating a care for privacy, care for OPSEC, and being aware of everything going on. And yeah, certifications are not the be-all end-all of anything really; it just means you can pass a test. But again, it's a standard that's out there, and take that for what it is. Professional training is better than training towards a certification; it will give you more information. But we also need to be out there as part of this and pushing the information, because, yeah, one thing we need to consider: don't think of it in terms of "is this good for the company", think about "is this good for our security." Yeah, and be evangelistic for security, and let's just work on pulling it together and bringing everybody around to our team, because everyone needs security. So that's all for me. This is my Twitter; warning, most of my stuff on Twitter is more related to hijinks around conferences and going out and doing things like triathlons and Spartan Races. So you've been warned, but feel free to hit me up if you have questions or comments.
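The access review the speaker describes (backing out entitlements someone kept from a previous role, and cutting access the moment notice is handed in), worked through as an added example that is not part of the talk: a Python pass over a constructed sample population, where the role names, entitlement strings, users and dates are all hypothetical.

```python
"""Periodic access review for privilege creep and departing staff.

Added example: compares what each account actually holds against the
entitlements its current role needs, so rights carried over from an earlier
role are listed for removal, and accounts whose holders have handed in
notice are listed for disabling. All names, roles and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Entitlements each role legitimately needs (hypothetical baselines).
ROLE_BASELINE: dict[str, frozenset[str]] = {
    "sysadmin":        frozenset({"ad:domain-admins", "backup-console", "vpn"}),
    "security-admin":  frozenset({"siem:analyst", "ids-console", "vpn"}),
    "engineer":        frozenset({"git:dev-repos:write", "ci:deploy-staging", "vpn"}),
    "project-manager": frozenset({"git:dev-repos:read", "jira:pm", "vpn"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str                            # current role after promotion/transfer
    entitlements: frozenset[str]         # what the directory actually grants
    notice_given: Optional[date] = None  # date notice was handed in, if any


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "disable-account" | "excess-entitlement" | "unknown-role"
    detail: str


def roles_granting(entitlement: str) -> list[str]:
    """Roles whose baseline includes the entitlement: a hint where a leftover came from."""
    return sorted(role for role, base in ROLE_BASELINE.items() if entitlement in base)


def review(accounts: Iterable[Account], today: date) -> list[Finding]:
    """One review pass; findings sorted by user, kind, detail."""
    findings: list[Finding] = []
    for acct in accounts:
        # Notice given: cut everything now, not on the last day.
        if acct.notice_given is not None and acct.notice_given <= today:
            findings.append(Finding(
                acct.user, "disable-account",
                f"notice given {acct.notice_given.isoformat()}; "
                f"revoke {len(acct.entitlements)} entitlement(s)"))
            continue
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            findings.append(Finding(acct.user, "unknown-role", acct.role))
            continue
        # Anything beyond the current role's baseline is privilege creep.
        for ent in sorted(acct.entitlements - baseline):
            origin = roles_granting(ent)
            hint = (f"matches baseline of {', '.join(origin)}" if origin
                    else "not in any role baseline")
            findings.append(Finding(acct.user, "excess-entitlement", f"{ent} ({hint})"))
    return sorted(findings, key=lambda f: (f.user, f.kind, f.detail))


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Findings per kind, for the one-line report to management."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample population and review date.
REVIEW_DATE = date(2014, 11, 14)
SAMPLE_ACCOUNTS = [
    # Promoted sysadmin -> security admin; old admin rights never backed out.
    Account("alice", "security-admin", frozenset({
        "ad:domain-admins", "backup-console", "vpn", "siem:analyst", "ids-console"})),
    # Engineer turned project manager who can still push code and deploy.
    Account("bob", "project-manager", frozenset({
        "git:dev-repos:write", "ci:deploy-staging", "jira:pm", "vpn"})),
    # Engineer who handed in notice four days ago; access should be off.
    Account("carol", "engineer",
            frozenset({"git:dev-repos:write", "ci:deploy-staging", "vpn"}),
            notice_given=date(2014, 11, 10)),
    # Engineer whose access matches the baseline exactly: no findings.
    Account("dave", "engineer",
            frozenset({"git:dev-repos:write", "ci:deploy-staging", "vpn"})),
]


def review_sample() -> list[Finding]:
    return review(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.user:6} {f.kind:19} {f.detail}")
    print(summarize(review_sample()))
```

Feeding it a real directory export would mean replacing SAMPLE_ACCOUNTS with whatever your IAM system emits and agreeing the role baselines with the business owners first, since a baseline that is too generous hides exactly the creep this is meant to surface.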

questions