Last updated at Fri, 21 Jul 2017 15:12:52 GMT
The music from the Rapid7 party last night is still buzzing in my ears, but I thought I'd share some of my highlights from my experiences at both Black Hat and Bsides yesterday.
Black Hat: Dan Geer, CISO of In-Q-Tel, delivered the morning keynote. He hit a lot of the major security issues of the day: privacy, the Internet of Things, security legislation, the right to be forgotten, et cetera. He would often pose a question to the audience for them to consider -- for example, most products in the world would be held legally liable for their flaws, but for the most part software has escaped this kind of scrutiny. Geer warned that won't last long. The topic of abandonware was another issue I found especially interesting. What happens if a company stops owning its code and, subsequently, stops sending out security updates? His example: when a public key certifying authority goes bankrupt, who owns those keys? Our industry is maturing to a point where these questions are exiting the realm of the theoretical and have become very real, pressing issues.
One of the morning sessions I attended was "Evasion of High-End IPS Devices in the Age of IPv6," presented by Antonios Atlasis and Enno Rey. Their research has been ongoing for a few years now, and this talk was an update and refinement of their previous work on the topic. The lead-up and push to IPv6 was a massive media event, but afterwards the attention fizzled a bit, and to some degree the industry is still finding its feet. As a result, we're seeing a lot of vendors declaring their devices fully IPv6-ready without putting them through robust security testing. This session showed specifically how the fuzziness around what "IPv6 readiness" actually means has produced a lot of issues: ambiguous specifications lead to sloppy implementations and plenty of attack opportunities. In this case, IPv6 Extension Headers, which aren't always used or needed, can be exploited for evasion purposes -- I wouldn't do the research justice by trying to summarize it (especially as this is not my area of expertise), so I'll point out that the full research is here: A Novel Way of Abusing IPv6 Extension Headers to Evade IPv6 Security Devices - Insinuator.
I also live-tweeted a talk called "The Big Chill: Legal Landmines that Stifle Security Research and How To Disarm Them," hosted by Marcia Hofmann, Kevin Bankston, and Trey Ford. (Search for the hashtag #bhchill to see everything I tweeted from the session.) Though a session on legal issues might not sound like thrilling listening to everyone, this talk went over the major laws that affect security practitioners and researchers, and the potential legal ramifications of just doing what a lot of us normally do in our day-to-day work.
What a lot of us took away from this panel was confirmation of what many of us already knew: these laws are very outdated and not firmly rooted in sound security knowledge. What's more alarming, though, is that the language many of these laws use is very ambiguous, but the punitive measures are not.
For example: the Computer Fraud and Abuse Act (CFAA) prohibits "unauthorized access"; however, it doesn't actually define what "authorization" or even "unauthorized access" means. Does it mean only that you purposely went beyond a point you were supposed to, with malicious intent? Or could it cover conducting security research? Or even just using a new method to access a certain point? The speakers noted that the courts have not been clear on this, to disastrous effect: violating the CFAA, even on a first offense, can be a felony.
Another big example was that a recent Electronic Communications Privacy Act (ECPA) Wiretap Act ruling explained that unencrypted WiFi sniffing is against the law. Yes, unencrypted. That means anyone who has ever used something as simple as Firesheep just to poke around at Starbucks has potentially committed a crime. Very scary stuff.
There were many more examples, several of which were frankly stunning in how harshly punitive they were for "crimes" that are very broadly defined. To top it all off, most (if not all) of these laws do not have an exception clause for security researchers acting in good faith.
The session was a clear call to the community to be engaged in the discussion around better, smarter legislation to protect security research. There's a lot at stake here.
BsidesLV & John McAfee: The ending keynote speaker at BsidesLV was a secret... until almost the last minute (though I saw some discussion about it on Twitter a day or two before) -- but mid-day yesterday, everyone knew that *the* John McAfee was the super-special secret speaker. Needless to say, I had to hear him for myself. Talking to the other people around me at Bsides, all of us were curious if this would be a bit of a spectacle.
McAfee certainly didn't disappoint, and admittedly he was a much more engaging speaker than I anticipated. The video of his talk is going to be on YouTube soon, I'm sure, if it isn't already. And if you have read any of the articles about him, or watched his YouTube videos, you know that any summary I might try to give won't come close to capturing what he said.
Yes, McAfee was... interesting, charismatic, and quite amusing. He spoke for a little while about his (infamous) story and his views on privacy, and then he opened it up to the floor for questions -- which ranged from "do you think the anti-virus industry is dead?" to "what are you most afraid of?" Of all the audiences McAfee could have had, he certainly received a warmly curious but healthily skeptical group in the Bsides crew.
The Rapid7 Party: As always, Rapid7 put together a fantastic Black Hat party, and I am glad I got to meet a lot of you there (judging by the happy faces, you all were having a good time, too!). My favorite fixture of the party was the scotch tasting, as any chance to get a wee dram is quite welcome in my book, but I have to say the DJ really got a lot of people dancing and the music was phenomenal. I had a wonderful time there, and if you were there, I hope you did too. (And if you weren't there, FOMO not needed - just make sure you pre-register for our party next year!)