OPENING SALVO

The feelings of the 15,000 security enthusiasts, also known as hackers, at the largest DEFCON ever are
surprisingly optimistic. It is always easy to talk about doom and gloom and how everything is broken.
I want to tell you about what is working and prove the resiliency of the human spirit and a growing
sense of community in the hacker space. Despite the anarchy of large security breaches, the IT security
industry is coming of age.

The voices of Cyber Warfare and Cyber Armageddon have been muted this year. Nation states
can design, develop and execute offensive cyber operations at will. If you need an example of this
capability, Google “Stuxnet” and more than enough information will be provided.

What may not be readily discernible is that the information security community is at a philosophical
crossroads. The community is starting to accept the reality that IT security has failed. Quick,
non-scientific polls conducted at the various lectures show that many of the attendees have had to deal
with malware infections inside their organizations. Almost everyone has, or knows someone who has,
suffered credit/debit card fraud or identity theft in the last year. Criminal botnets and Advanced
Persistent Threats are overwhelming the network defences of most businesses.

So, based upon the 17 one-hour sessions I attended at the conference, I have broken the most
interesting lectures down into some basic themes.

BAKED FRESH WITH NEW EXTRA GOODNESS

DEFCON 19 had a few presentations that lifted the soul and elevated the IT security community. The
crisis mapping presentation, given by George Chamales, is an example of the way the web can be
used to help governments and NGOs. Knowing where to deploy into a crisis zone and how to bring
appropriate aid to people in need can make a difference. Securing this information from "Bad Guys"
becomes vital in hostile crisis areas.

BarKode, AKA Matt Lewis, a long-time member of the Network Ninjas, was diagnosed with a rare blood
disorder. An entire mobile blood donation truck was filled in an hour and a half. The staff of the blood
drive had never seen community support like this - people waited in line for an hour and a half to give
blood. Although some wear white, black or gray hats in this community, we really support each other
with passion and enthusiasm.

The Electronic Frontier Foundation (EFF) has deep roots in the IT security community, as this
community is always challenging the Fourth Amendment of the US Constitution and the Bill of Rights. The
EFF advocates for transparency, open source and reasonable constraints on search, seizure and the
ability to conduct research. Because of the US landscape of patent law, the PATRIOT Act, the DMCA and
DHS border paranoia, their work is valuable for a democracy. They provided an electronic voting machine
for the hacker community to dissect and test. Since the notion of a universal right to privacy is not
codified in US law (only through Supreme Court judgments on the amendments to the Constitution and the
interpretation of the Bill of Rights), their advocacy work is badly needed to prevent infringement on
citizens' rights. DEFCON is their single biggest fundraiser, and the community provided them with 40,000
dollars to continue their work, especially against warrantless wiretapping and other issues. Check out
their work at eff.org.

THERE IS BAD, AND THEN THERE IS EVIL

Corporate greed is bad, but what is truly insidious is the structure of the American (and to a certain
extent Canadian) credit card companies. It works like this: Visa, MasterCard and American Express have
passed their liability for fraudulent transactions down to the issuing banks. The issuing banks have
passed their liability for fraudulent transactions down to the merchants who accept the cards. This has
been the case for many years, until the brands, banks and merchants conspired to introduce Chip and PIN
to try and move liability down to the consumer. All three think that Chip and PIN technology will make
the user responsible for fraudulent transactions. Unfortunately, trying to wrap security around a
technology from 1946 is fraught with issues and backward compatibility requirements. Chip and PIN can
be compromised, and your credit card is still vulnerable to cloning and fraudulent charges. Even more
depressing are the new wireless-enabled Chip and PIN card skimmers, which fit right inside the ATM as a
shim between your card and the ATM's sensor.

Your password has expired. With the advent of GPU computing technology found in high-end ATI and
Nvidia video cards, and the low prices of cloud computing services from Amazon and other providers,
8-character passwords are now trivial to compromise. Eight-character passwords used to be a benchmark
standard because of the time it would take a traditional CPU to calculate all possible hash values. Enter
the video card GPU, with its ability to use thousands of processing cores to compute hash values, and we
are in an entirely new world. Once anyone can rent multiple cloud-based servers with multiple GPUs, the
speed at which passwords can be hashed becomes terrifying. Nine or ten character passwords will help by
increasing the time it takes to hash every possibility, but as we near the threshold of quantum computing
a better solution is required. Two-factor authentication will soon be a requirement to secure any
confidential material, due to the sheer computing power that can be assembled to break passwords.
Kerberos authentication, as opposed to the almost 20-year-old NTLM authentication, provides automated
re-hashing of password values for some defence against massive cloud-based computing power. The future
looks grim for legacy systems protected by passwords of eight alphanumeric characters or fewer; change
yours to nine characters today.
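The arithmetic behind the paragraph above, as an added illustration that is not part of the original post: each extra character multiplies the search space by the alphabet size, so going from eight to nine characters buys a factor of 62, not a categorical fix. The per-GPU guess rate and the GPU count are assumed round figures, not measurements from any talk.

```python
"""Keyspace and exhaustive-search time for passwords of a given length.

Added illustration for the GPU / cloud cracking discussion. The guess rate
below is an assumed round number for one fast, unsalted hash on one GPU;
real rates vary enormously with the hash algorithm and the hardware.
"""

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 60 * SECONDS_PER_MINUTE
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

ALPHANUMERIC = 26 + 26 + 10  # a-z, A-Z, 0-9: the "alphanumeric" case in the post


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def rig_rate(per_gpu_rate: float, gpu_count: int) -> float:
    """Aggregate guess rate of a rented cluster: hashing splits perfectly across GPUs."""
    return per_gpu_rate * gpu_count


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", SECONDS_PER_HOUR), ("minutes", SECONDS_PER_MINUTE)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Assumed rig: 8 rented GPUs at 1e9 guesses/second each (constructed figures).
    rate = rig_rate(1e9, 8)
    for length in (8, 9, 10):
        space = keyspace(ALPHANUMERIC, length)
        print(f"{length} chars: {space:,} candidates, "
              f"exhausted in {human_time(seconds_to_exhaust(space, rate))}")
```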

The jackbooted thugs are turning the Internet off. It was inevitable that the young idealists of the
Arab Spring turned to robust communications among each other with smartphones and other devices
during the Middle East uprisings. By keeping attention on their cause, and on the excessive response by
the regimes in power, Twitter, Facebook and other social networking sites get the messages out. At
some point, the dictatorial powers came to the conclusion that their computer skills were less advanced
and they went for the kill switch. Imagine their surprise when Facebook and Twitter updates continued
to arrive and shape world opinion. It is good to know that when the government goes for the kill, the
message can still get out. How does the traffic still reach the Internet? There are several ways the
Arab Spring managed to keep the updates flowing, and many of them used traditional means: fax,
wire-line telephone networks to towns next to bordering cellular networks that still had Internet
access, and dial-up access hosted in other countries. More exciting is the ability to use amateur, or
ham, radio technology and send TCP/IP traffic over this medium. By using weather stations, earthquake
sensors, classified military ECM systems, satellites and the International Space Station, ham radio
operators in Middle East countries can "bounce" TCP/IP into many adjacent countries, and these packets
then get to the social networking services. It's impressive that the voice of those who want to be free
cannot be silenced - access to the Internet is incredibly hard to stop.

"U-G-L-Y, U-G-L-Y, You're ugly, you're ugly" - from the movie 'Bring It On'

Any conference, especially an IT security conference, has to have a healthy dose of sensationalism,
scandal, or controversy. DEFCON provided many presentations that raised significant issues about
privacy and hacking. Philosophical debate around the actions of LulzSec, AntiSec and Anonymous
in the HBGary hack ranged from condemnation to exaltation. The consensus of the IT security
journalist panel was that demonstrating your hacking skills on targets like HBGary, Sony (repeatedly)
and recently the Arizona Police Department may result in "Extremely High-Level" people becoming
scared. When people who govern become scared, legislation far more restrictive of rights and freedoms
than the PATRIOT Act or DMCA may be adopted. If LulzSec and other groups turned to hacking child
exploitation sites, jihadist sites or security vendors who are selling Fear, Uncertainty and Doubt
(applause), they could redeem themselves. On the theme of redemption, Mr. Aaron Barr was in the
audience, but unable to participate in the discussion due to the threat of a lawsuit from his former
employer, HBGary, if he spoke on the subject. Did HBGary, under the leadership of Aaron, conduct
and consider some morally and ethically questionable business? Yes, they did, but not any more morally
and ethically questionable than SAIC, Level 3 or many other defence department contractors. The
questions left with the audience were: what are the consequences to real people, who have families and
mortgage payments, when they are publicly identified? How far do you go to punish an individual for
the actions of a corporation? The Arizona Police Department hack, putting a list of undercover officers
and confidential informants on the Internet because you don't like the new immigration law in Arizona,
is contemptible. Internet chaos will continue, but improvements in IT security need to be balanced
against discretion. Corporate public announcements, policy decisions, or ethically questionable projects
can require adjustments to an organization's IT security posture. Announcing that you have the world's
most secure network is a direct challenge to the Internet's anarchists; they will break in and your
secrets will be revealed. This is the first time IT security folks need to consult with an organization's
Public Affairs, Corporate Communications and Executive. If a policy, court decision, controversial staff
cut, or morally questionable project is about to be revealed, the IT security staff needs to shore up the
network and physical defences against the potential repercussions.

THE BLINKIE LIGHTS WILL NOT PROTECT US

At this year’s DEFCON the IT security industry has suddenly realised there is no IT security without
physical security. If you have a great door lock, but I can throw a rock through the front window and
steal everything, what is the point of the door lock? The idea that endpoint anti-virus, encryption,
firewalls, network intrusion/prevention devices will prevent Cyber Armageddon, when the keys to the
server room are hanging on a hook marked “Server Room keys”, is hysterical. Like most industries we
need to return to the basics. Many penetration testers, folks hired to infiltrate and test security posture
(my dream job), are identifying basic failures in physical security. One “Pen Tester” has a 100% success
rate of infiltrating top security environments, and he has pictures to prove this. By all means place
anything confidential in a box marked “shred”; this makes it easier to identify the good stuff to steal, if
your organization is being infiltrated. It’s better to just shred everything.

Nothing gets management thinking about security more quickly than setting the building across the
street on fire. I have been saying for years that good IT security rests on physical security, education
and training of users, IT technology and situational awareness. I was happy to see my thoughts
vindicated by some of the top guns in this industry. Please forgive me for being a little self-indulgent
here - my blog after all - having a plan to handle an IT security breach before it happens may be
extremely prudent: plan for failure to realise success. Remember the Fukushima Daiichi nuclear
reactor press conference where large chunks of power plant are rocketing skyward, while the public
spokeswoman is saying everything is "OK"? Everything was not "OK". So being cool and dressing all in
black and "doing" IT security, without giving any thought to the physical environment and building user
awareness, will end in epic failure. Creating an environment where everyone is part of your IT security
team and is situationally aware of what is at stake in the physical and IT security environments will let
you "Win" at IT security. Make sure you thank "Grace" in Accounting when she sends you the 20th copy
of that strange email - one of these days she may send you a real situation which requires all your "mad
IT security skillz" to deal with.

Secure your stuff and peace out

Ian