Thales Blog

DefCon's Message: Are You Ready To Be Hacked?

August 14, 2015

Attending the combination of BlackHat and DefCon was once again an eye-opening experience. While speaking with people in our booth, I continued to look around in awe at all of the vendors there. I began to wonder: if a customer had unlimited funds, bought every vendor technology at BlackHat and built a data security stack from it, what would that look like? Who would be the strongest in the stack? Would there still be possible security gaps? Outside of social engineering and employee oopsies, it would be hard to imagine a weak link in the chain. What I find most exciting, though, is that all of these different types of technologies (firewalls, APT, anti-virus, packet inspection, endpoint encryption, database access monitoring, SIEM, mobile, etc.) share the same goal: protect the company at different layers in the security stack so that its data assets are safe. The hacker’s tactics and financial backing will only continue to grow more sophisticated, but the target will never change. It is just simply THE DATA.

Your appetite for risk vs. where security budgets are spent continues to be a topic for conversation. We all know just being compliant is a baseline. I would bet most recently breached companies were in compliance but weren’t protected from an insider threat or against an outsider’s ability to elevate privilege on a server. The clock is ticking for those who have not taken that proactive stance to data security. At the end of the day it is all about risk tolerance. What is your risk tolerance vs. budget allocated in the security stack? And where is that budget allocated? I would start with encrypting the data…all of the data. This inside-out approach ensures that not if, but WHEN someone breaks into your network, your data can protect itself and you won’t be compromised. There will be no need for all hands on deck to figure out what was compromised, how it was breached, and by whom.

Encrypting everything simply creates a powerful barrier between your data and a hacker getting lucky once they are inside your network. Encrypt everything. Data is the most powerful asset of any company. It demands the utmost precaution and, simply, to be encrypted.


As BlackHat came to a close, I took off my vendor badge in exchange for an attendee badge at DefCon. The sessions were intriguing, thought provoking, entertaining, and sometimes downright scary!! Many of the sessions left me knowing nothing is safe anymore. One of the speakers kept repeating that “if man built it, man can break it”. Now don’t get me wrong, many of the speakers, such as the one hacking the Tesla, needed physical access. Hackers compromising corporate data typically don’t have to work so hard! So back to the Tesla. The Tesla is essentially 2 servers on 4 wheels. Given they had physical access to the vehicle, they were able to gain access to both systems, and guess what the breakthrough was to hack the car??? ROOT access. Yes, ROOT access provided them access to clear text passwords and confirmation details that enabled them to kill and lock up the vehicle while going under 5 MPH. They did state that if the car was going over 5 MPH and someone hacked the vehicle, it would just kill the engine and the driver would coast to a stop. Elevated privileges continue to be the easiest way to reach sensitive data and the keys to the kingdom. The ability to blind ROOT, Domain Admins and System accounts continues to be a driver in providing a high security posture to our Vormetric customers. Every customer conversation I have starts with the ability to blind privileged users while still empowering them to get their job done. We all know that once a “bad person” is in the network, the first thing they will do is elevate privileges and sneak around your servers for something of value based on intent.

Another speaker talked about CHIP and PIN technology and how easy it remains to memory scrape for credit card numbers. The U.S. isn’t ready yet for this technology. How common is it that you take your CHIP and PIN card and just swipe it…or like at Target the other day, just stick the card in, they read the CHIP, hand you back your card and complete the transaction. When do I enter my PIN? We certainly have a long way to go!

Forget your garage door opener code? Need to break into your neighbor’s garage? Quick background on your typical garage door security. Your typical garage door opener has between 8 and 12 DIP switches. If you use 12 DIP switches, you are choosing a code among the 4,096 available (2^12 = 4,096). When you open your garage door, the remote will typically send the signal 3x in a row, given how weak the signal can sometimes be. Someone can easily record the frequency used and just replay it with a simple device when you are home and open your garage door. You can also brute force it by playing all 4,096 codes in a chopped order, and it will quickly find the correct one and open your garage door. I guess we have some options here: sell your cars and ride your bike, leave your garage doors open and just lock your cars, just leave your garage doors open and just lock your back door, or just get a rolling frequency garage door opener.
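Why the recorded signal keeps working against a fixed DIP-switch code but not against a rolling opener, as an added example that is not part of the original post. The HMAC-over-counter scheme, the key, the window size and the DIP value are assumptions chosen for illustration; commercial openers use their own rolling algorithms.

```python
import hashlib
import hmac

class FixedCodeReceiver:
    """12 DIP switches: one static code out of 2**12 = 4,096, sent on every press."""
    def __init__(self, dip_code):
        self.dip_code = dip_code

    def accept(self, frame):
        return frame == self.dip_code  # nothing distinguishes a replay from a press

def _tag(key, counter):
    # Assumption: HMAC-SHA256 over a press counter stands in for a vendor's algorithm.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class RollingRemote:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1
        return self.counter, _tag(self.key, self.counter)

class RollingReceiver:
    def __init__(self, key, window=16):
        self.key, self.last_seen, self.window = key, 0, window

    def accept(self, frame):
        counter, tag = frame
        # Only counters ahead of the last accepted one, within a small window, are valid.
        if not self.last_seen < counter <= self.last_seen + self.window:
            return False
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False
        self.last_seen = counter  # this frame and every earlier one are now dead
        return True

def demo():
    code = 0b101100111010  # constructed DIP setting
    fixed = FixedCodeReceiver(code)
    key = b"constructed-demo-key"  # constructed shared secret
    remote, receiver = RollingRemote(key), RollingReceiver(key)
    frame = remote.press()  # the transmission an eavesdropper would record
    return {
        "fixed_press": fixed.accept(code),
        "fixed_replay": fixed.accept(code),
        "rolling_press": receiver.accept(frame),
        "rolling_replay": receiver.accept(frame),
        "rolling_next_press": receiver.accept(remote.press()),
    }
```

The window lets the receiver resynchronise after presses made out of range, while the 3x repeat of a single press is harmless: the first copy opens the door and the other two are rejected as stale.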

The most entertaining presentation was titled “I will kill you” by Chris Rock. Although it seems violent in content, it was exactly the opposite in nature. The presenter spoke about how creating aliases and virtual babies has become the future of terrorist financing and money laundering. Now how wrong does that sound?? He demonstrated how easy it was to find doctors’ details and fill out cause of death forms. Even easier: become a funeral director and complete everything necessary to obtain a death certificate and cash in…meaning you already created a fake online will and made yourself the beneficiary. The crowd was shown a 3-minute video of how he created a fake baby alias, put life insurance on that alias, created a will, then killed the alias, all to collect the life insurance. With so many loopholes in the system, it really makes you scratch your head at the amount of potential financing these activities are bringing in. Chris Rock has even written a book on this topic titled “The Baby Harvest”.

After this week I continue to recommend three things. Go to BlackHat, DefCon, and use encryption with access control for all your data!