Wednesday, November 29, 2023

The Next Con


The next convention, my attendance sponsored by my employer, involved IT Security.  The theme very much revolved around two teams, red and blue.  The blue team information was system defense.  How to keep the bad guys from doing “X” to you. How to detect attacks.  But the red team information was very much about how to break into computer systems.  Attacks that work.  There were also sessions on how to exploit the weakest link in the chain, the humans: social engineering.  

My favorite quote from the event began with, “There is a complex ethical spectrum…”

It was interesting to see where some of this stuff was at because it has been a while.  Getting “work” to pay for a conference is complicated.  I have been through it a few times.  Paperwork submitted months in advance, every single time it gets approved in the last 48 hours.  It used to bother me more.  Now, I just go into it with that expectation and I have been the happier for it.  


It had been a number of years since I had been to one of these.  In the first session speakers admitted how much better security has become across the board.  How doing some of these attacks is really, really, hard.  Possible, still in many cases, but really hard.  They might involve months of work, design and planning.   One of them actually managed to wax rhapsodic over the glory days of fifteen years ago when you could program an attack in a couple of hours that would be one hundred percent effective.  I am really happy he said those words.

Day one was very interesting.  

Hacking hotel security safes

By day two, at some point early afternoon, I realized it had been a while since I had understood anything that was said.  I still stuck it out.  Some of the scenario stories leading up to whatever mind-bogglingly complex attack they were about to employ were interesting.

There was one speaker who used the word elucidate in her talk.  Style points!  Well done!

Here is something new.  AI voice cloning.  With just a small sample of the voice you want to clone you can feed it into a web site and get back any speech you want.  An example would be to contact the mark’s boss to let them know the cooking class they had signed up for was cancelled. The boss will be surprised by this because they had not signed up for a cooking class.  …You know, the class you just made up.  In the resulting confusion a large enough voice sample will be captured to allow you, the attacker, to clone the voice and use it to call the mark in their boss’s voice and convince them to reveal some private information.  This was a wow moment for me.


There is balance.  Between sessions I like hanging around the speakers as they come off stage.  I learn more from the questions that get asked than the talk.  Again though, woven throughout all this, is how much harder it has become.  Good for us.  Humanity, I mean.  We have learned, fixed things, and made improvements.  It was a long hard slog in the trenches that got us here.

The conference took a ninety minute lunch so I got about an hour walk in.  I knew some of the details of the movie Pretty Woman were set in Hollywood.  I started doing a little searching around on Google and discovered “Stallone’s House,” as pointed out by the bum when Richard Gere was driving the Lotus, was only a six block walk from where the conference was held.  I *had* to go. Disappointment on arrival: that section of the block had been razed for new construction.  Stallone’s house is no more.

Never a shortage of taco bars
in Southern California!

I have been to after-hours parties of the organization that puts on this brand of security conferences before.  This one was no different than any of the others.  The difference was, coming into this one, I had just two weeks prior come from SuperCon, the microcontroller conference.  Two weeks before, I was immersed among all of those absolutely obsessed hardware hackers.  Ok, here’s an example.  The LA group had a happy hour.  There were also some sessions going on at the back of the bar.  Four people had laptops.  At SuperCon, during happy hour, 90% of the people kept working.  A percentage of them went and got a beer and took it back to where they continued to work.  Some of them seemed too focused for even that.  Whatever they were designing, crafting, giving demos, exchanging information, showing off, whatever *that* was, that came first.


I did attend the rooftop session.  Oh, and I did have a laptop, though I did not deploy it.  First off, let me say it was amazing to be on the roof of the hotel.  The weather was perfect.  The Hollywood Roosevelt is right in the thick of it and the view everywhere was incredible.  The only thing missing was a view of the Hollywood sign.  There was another taller hotel blocking that particular view. 


The session was about hacking into the “Internet of Things” or IoT devices.  This is starting to become everything you buy.  Your TV, security cameras, house thermostats, microwave, spa, *door locks*, KIDS’ TOYS!  All of that stuff wants to connect up to your wifi.  Once connected, all of it is trivial to break into if you are on the same wifi.  (Don’t give out your home Wi-Fi info!!! Buy a router that has the capability of a guest network!)  Scarier though, some of it, if the right conditions can be manufactured, can be hacked into from anywhere in the world.  

Who doesn't need a wifi enabled toothbrush?

Having these devices is so cool and leading edge.  But the actual technology, software & chips, running all those things is almost twenty years out of date security-wise.  They run the software and chips they do because they can be purchased for pennies.  Even big companies, like TV manufacturers, cut this corner.  When you report a bug to a company like this there is every possibility they will attack the reporter and attempt to sue. There are also high odds that if they fix some security problem, if you check a few years later the bug will be back, indicating at some point they started over.  I thought this whole talk was fascinating.  


Later that night, no big surprise, I ran into a bunch of Pokemon players.  A group of us went out walking and took over a section of the city, captured gyms, spun Poke Stops and caught characters. We helped one of the team toward achieving a goal.  In that group of five, I was second to the lowest ranked player.  It was a fun walk.

The BV sits just visible, bathed in the cool glow of high intensity security lighting.

Van-wise, between Google Maps research and my recon nights I found a surface lot just a block and a half from the hotel that had twenty-four hour parking.  Half a block off Hollywood Blvd.  It was the noisiest place I have ever parked, the most visible I have ever parked, and in an area with real crime.  At night that parking lot was lit up brighter than a sunny California day.  I am a good sleeper; for all I know everyone started to whisper a few minutes after I laid down my head.  I didn’t have any problems, but two nights there was enough for me.
