Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘DEFCON’ Category

DEFCON, Hotel Sneak & Peeks, and The Law

DEFCON 26 was last week and as usual there was some hacker drama. It is an inevitability that drama will rise out of the con because, well, hackers know drama! In fact, they cause a lot of drama and that is their thing as a community. So, this year’s drama is brought to you by two factors. The first factor is that the DEFCON community has a long history of being kinda unruly and causing mischief, and some of that mischief is illegal while other pranks just cause heartburn for the people and the venues that the conferences are held at. However, in a post Mandalay Bay mass shooting era, the pranks and the mischief may not be tolerated as well by casinos like Mandalay Bay or Caesars because they are on edge, and the community of hacker snowflakes needs to take that into account when they attend.

While the conference owners/operators try to combat and police their hackers, it is still not uncommon to find attendees doing things that might damage the systems of the casino (like messing with the Wi-Fi using deauth frames) or messing with the artwork (e.g. putting googly eyes on all the statues and artwork in Caesars). So it is understandable why, as some have said this year, “Caesars hates us.” In fact, when you have a convention like DEFCON in Vegas and the whole town is being told not to use ATMs, your phone, your Bluetooth, your wireless, or anything electronic while the con is there, you pretty much have a bad reputation that YOU are in fact reinforcing, right?

Just sayin…

Anyway, this last DEFCON we had a new wrinkle post the mass shooting at Mandalay Bay, as I alluded to last year. It seems that since the shooting the hotels have decided that they can “sneak & peek” any room they feel they need to in case the occupant might be planning something like that incident. Now you have a zillion hackers known for odd if not bad activities in the properties, and a conference on hacking where shenanigans go on all the time, and add this new rule and you get wailing and gnashing of teeth. It seems that the hotel had been just opening doors and walking in on guests there for DEFCON, as well as going into their rooms while they were out and pawing through their things. In some cases it was said that the hotel security people had taken things like lock picks from the rooms, confiscated, because REASONS! People took to Twitter and complained, saying that this was illegal and made things more dangerous for women (some had been walked in on, and at least one may have been walked in on by someone not in security) and that this was illegal search and seizure! The Fourth Amendment was being violated and this was targeting poor hackers!

WE ARE BEING PROFILED!

ERMEGERD!

Well, yes, you security snowflake, you were being profiled, because look at your collective history! Honestly people, you have a bad reputation with the hotels and you expect anything else? At best we are tolerated for the money, kids; we are not a beloved institution that is welcomed to Vegas, you need to wake up. While I personally think it is pretty shitty that these security folks were walking in on people with no knock in some cases, it is also my opinion that it is not illegal and that the Fourth Amendment is not being violated here, because they are not doing so at the behest of the government or agents thereof, i.e. cops. I had an interesting exchange with a lawyer I know on Twitter about this and the salient point he gives is that you are not really given Fourth Amendment protections here and that the contract you sign when you rent the space allows for these actions. What’s even more salient is that it is likely in the small print you are signing off on!


The gist here is, as I said, you cannot rely on the Fourth Amendment here and they have the legal right to do what they did. It’s sucky, but it is the law and you have to abide by it or not stay in their casino. Now, given what happened last year with the mass shooting, and that Mandalay Bay is in fact suing the victims of the attack as a pre-emptive strike on lawsuits against them for allowing this to happen, you kinda see what the situation is, right? The casinos are covering their asses and using the law to do so. In a case where you, the snowflake hacker who wants to act all furtive and hide shit all week, denying access to the room “because reasons,” does not exactly engender the right tone to make the casino think you are just a snuggy bear and not going to potentially do something like a mass shooting, right? Think about it, how many of you all went out there and put the DND sign up all week? If you were in the hotel security shoes and had to profile your guests now because of a mass shooting terrorist incident, how would it look to you as a security professional?

Hotels are soft targets and as such they have to tread the line between security and ease of access and fun. In the case of attacks like the one carried out at Mandalay Bay, you have to realize that “soft targets” are the hardest to secure from a security perspective. Fuck, come on you guys, YOU ARE SUPPOSED TO BE SECURITY PROFESSIONALS, RIGHT? You should get this if anyone ever could! Yes, it is shitty for them to just be walking in on people, but once again, they have the right to do so just as you have the right to not stay at their brand anymore. However, what if you denied them access by adding your own layer of security to stop them from at least walking in on you?

Say you are at the hotel and you know they can do this, or in fact anyone else with a modicum of technological know-how, ya know, like HACKERS, who can pick locks and bypass PROX CARDS! What do you do in a situation like that to protect yourselves? Well, you could start by getting a simple door stop, or a door stop with an alarm, right? For all the women who were walked in on and scared, this technology might have made some difference to the threat, right? It would have stopped the door from being opened and given you warning that something was happening. These tools would give you the ability to enhance your personal security AND allow you to call the front desk in the knowledge that unless they have a battering ram they are not going to get into the room quickly, and you can make the call.

It’s my suggestion you spend the money and use them…

For a bunch of people who claim to be security professionals, including and up to physical security, you all seem kinda snowflake-like to me of late. Either don’t use their hotels anymore or assess the situation and adjust accordingly. For fucks sake people! I have said it before and I will repeat myself now: you are now targets not only of hotel searches because you seem scary, but also because YOU ARE TARGETS OF NATION STATES BECAUSE YOU ARE AN ASSET!! How long till you finally figure this out? Hotel sneak and peeks by nation state actors, including our own, are NOTHING NEW! It’s just that now you are the targets as well, because you now work in a space where you can and will be targeted.

Wake up.

K.

UPDATE: Dave Cochran makes a reasonable point about the dickishness level of the no-knock on the people involved here. Yes, it is dickish, but it is still not against the law per the cited text here. So, yeah, if you don’t like it you can go elsewhere, or you can try to get the hotels to not be dicks about it.

See what works.

Written by Krypt3ia

2018/08/14 at 14:13

Posted in DEFCON

DEFCON 24: I Miss DEFCON

Alright, I am gonna say what others may not say for fear of reprisals or coming off as an asshole….

I FUCKING MISS DEFCON

Yes, I am at DEFCON 24 and yes, it is the same con in theory, but in spirit it is not anymore. Gone are the days when this felt more like a family affair (i.e. seeing folks you know and partying until stupid drunk with each other, pulling hacks and pranks) where you could see everyone around one pool. It used to be about hanging out and showing off your stuff, as well as just blowing off steam. Now it is a fubar festival of lines and fuckery that makes one just not want to go, because you know you won’t be able to see the talks you want and you will be cheek to jowl with people the whole time. Today’s attempt to just get to one talk felt like you were in a cattle chute waiting for the nail gun to put you out of your misery.

That is no longer DEFCON, that is now instead a marketing money machine grinding everyone into security sausage.

I know, some people are gonna take offense but fuck it. It’s how I feel and I think it is how some others have felt this go round. Maybe I am just the asshole…

Meh.

Cya kids.

Dr. K.

Written by Krypt3ia

2016/08/06 at 01:01

Posted in DEFCON

KRYPT3IA KRYPTOS CRYPTEX CHALLENGE 2016 TEASER

OK KIDS!

HERE’S THE PUZZLE IMAGE! I CALL IT KRYPTOS. NOT THE FINAL IMAGE MIND YOU…

NO SPOILERS!

DR. K.

Written by Krypt3ia

2016/07/08 at 21:44

Posted in DEFCON

2016 DEFCON24 KRYPT3IA KRYPTOS CRYPTEX CHALLENGE

Hi kids!

I have decided to carry out a little insidious game with those who wish to play at DEFCON24. The prize of this little game is a two-thousand-year-old Roman coin that I have selected out of my stash of cleaned coins. All you have to do is solve my puzzle and follow the instructions therein. I will be posting the puzzle just before DEFCON24 (August 4th, 2016), so keep an eye on the Twitter feed and the blog.

Good luck!

Dr. K.

Written by Krypt3ia

2016/07/07 at 13:34

Posted in DEFCON

Defcon Grows Up and Gets Recruited As An Asset…

I came to DEFCON this year as it turned 20, and though much had changed on the world stage regarding our business (INFOSEC/pentesting/dev/SECOPS), much remained the same. What has really changed, and could be seen at this anniversary year, was just how much our antics and interests are now the new “hotness” to the government and the military. Never before had the NSA had a booth at our conference, but this year they were there with recruiting in mind, and that is a big change.

However, you may be saying to yourself right about now, “Uhh, but, this has been going on a while, not just now.” Well, yes, it has, but what I noticed this last con was that it’s not all about the tech; this year it was also about recruitment of human assets who would give “intelligence” to players like the NSA. No more are they just looking for programs and programmers, they are also seeking to make connections with people who have connections. You see, as Shawn Henry said, as well as General Alexander, “we need you to keep an eye out and tell us if you see something.” What I heard was the equivalent of the “if you see something, say something” that the TSA has plastered at airports.

This is an important paradigm that we all need to be aware of. With the advent of Anonymous and Stuxnet, as well as the nascent idea of the internet becoming a “digital nation state,” we all have to be mindful that while the technologies out there are a commodity, so too are we in the great game of cold war intelligence and cyber war. We are the commodity that makes the new exploit, as well as being the HUMINT asset that intelligence agencies need to “collect” with.

Now, while you are pondering that, consider the fact that the “opposition” is also trying to curry favor and recruit us as well…

Yup, that’s right. That party you might be attending might in fact have operators from other countries’ clandestine services too. In fact, that party could even be funded by said agencies and players to get you to chat and perhaps leak meaningful information. Think about it: how many of you out there reading this post work for Fortune 500 companies as security technicians? What kind of data is in your head that might be of use to a foreign operative?

Ponder that as you sip that free drink late in the day. Say, did you know that the Chinese services’ preferred means of gaining intel from visiting professors and the like is to have them over-tired and tipsy? It’s true, it’s low level, but it’s been used on many an occasion. You see, once you start talking, then you open the door for more rapport building, and then it’s pretty much over. One wonders how many Los Alamos folks had the same treatment on trips to China. Now think about the average DEFCON party and the amount of alcohol and sleep deprivation we have going on there.

Just sayin…

So, look at it from that perspective. Now that the NSA has come to the con, just as the FBI and other agencies and security bodies have, so too will the “other guys.” I don’t know how many of you out there come from military or “other” backgrounds where you will have had DSS or counterintelligence training, but I am assuming that a vast majority of the folks attending the cons today do not have that background, especially the younger ones who have only been in the security arena a short time. Pentesters who know SE should be able to easily detect some of the techniques used to recruit an asset and tease out information. Others, maybe not so much.

So here we are today: APT actors (yes, China being one purveyor of APT attacks) are not only using malware to get into systems but also recruiting sources to help them in their goals. There used to be a time when it really was only the nuclear scientists getting the attention. Today though, everything is game; you might make widgets, but that doesn’t mean that someone doesn’t want to know what you know.

Pssst… It’s still espionage kids… And now YOU are part of it because you hold interesting information.

How’s that for some “Threat Intelligence” huh?

Which brings me to the second line of thinking, or topic, that came up this year. The government is asking us to consider more “threat intelligence” and to bring them in on the loop. See, right there, they are asking you to be an asset. Did that occur to you? Of course I know for the most part you all thought, as I did too, that the idea was a bit silly.

Why?

Because who really has that kind of threat intel program going on today? Hell, we are all pretty much trying to just keep our shit together, right? On average, unless you work for a major company, you may not even have a SIEM or even a Snort instance, right? How are you going to convince your employer that you need that stuff, and then more so, to pass that intel to the government? The only groups I have known to do this are the DIB partners, and they do it because they don’t want to lose contracts with the military.

So now we would all be assets? All corporations out there, whether they are being attacked by APT or Anonymous, would be reporting their incursions or attempts at them to the government? That’s kinda spooky really. This also circles back nicely to the idea that all of us in the INFOSEC community are now collection nodes for SIGINT/HUMINT/MASINT/ELINT, and not many of us have had the training to be analysts.

You see, when you use the words “threat intelligence” this has some context that some may not get right away. It’s not just what IP is hitting us and with what attacks anymore; it’s about the context around all of that, and the attribution that is needed for cyber warfare, or more likely, cyber intelligence operations. I expect to see a lot more of this lobbying going on at all of the cons, as well as more people sidling up to attendees and asking “so, what’s going on out there?”

For those of you not acquainted with HUMINT and its techniques, I suggest you read “The Art of Intelligence” by Henry Crumpton and learn. Why? Because that guy you’re talking to at the cool party might just be a PRC case officer…

Interesting times….

K.

DEFCON PANEL: Whoever Fights Monsters: Confronting Aaron Barr, Anonymous, and Ourselves Round Up

A week before this year’s DEFCON, I got a message that I was being considered to replace Aaron in the “Confronting Aaron Barr” panel discussion. It was kind of a surprise in some ways, but seemed like a natural choice given my tête-à-tête with Anonymous, LulzSec, and even Mr. Barr. After coming to BlackHat and seeing the keynote from Cofer Black, it became apparent that this year all of these conferences were about to see a change in the politics of the times with reference to the hacking/security community and the world of espionage and terrorism. These are two things that I have been writing about for some time, and actually seeing take place on the internet for more than a few years, with APT attacks on Defense Industrial Base contractors and within jihadist propaganda wars.

“This is a very delicate window into our future,” he told the hackers. “Cold war, global war on terrorism and now you have the code war — which is your war.”

Going into the planning for the panel discussion, I was informed that I was hoped to be the stand-in for Aaron in that I too see the world as very grey. Many of my posts on the Lulz and Anonymous, as well as the state of affairs online, have been from the grey perspective. The fact is, the world is grey. There is no black and white. We all have varying shades of grey within our personalities, and our actions are dictated by the levels to which our moral compasses allow. I would suggest that the example best and most used is that of torture. Torture may or may not actually gain the torturer real intelligence data, and it has been the flavor of the day since 9/11 and the advent of Jack Bauer on “24.” Face it, we all watched the show and we all did a fist pump when Jack tortured the key info out of the bad guy to save the day. The realities of the issue are much more grey (complex) and involve many motivations as well as emotions. The question always comes down to this though:

If you had a terrorist before you who planted a dirty nuke in your city, would you ask him nicely for the data? Give him a cookie and try to bond with him to get the information?

Or, would you start using sharp implements to get him to talk in a more expedient fashion?

We all know in our darkest hearts that had we families and friends in that city we would most likely let things get bloody. Having once decided this, we would have to rationalize for ourselves what we are doing, and the mental calculus would have to be played out in the equation of “the good of the one over the good of the many.” If you are a person who could not perform the acts of torture, then you would have to alternatively resign yourself to the fates, as you forever on will likely be saying “I could have done something.” Just as well, if you do torture the terrorist and you get nothing, you will also likely be saying “What more could I have done? I failed them all” should the bomb go off and mass casualties ensue.

I see both options as viable, but it depends on the person and their willingness to either be black and white or grey.

Within the security community, we now face a paradigm shift that has been coming for some time, but only recently has exploded onto the collective consciousness. We are the new front line in the 5th battlespace. Terrorists, spies, nation states, individuals, corporations, and now ‘collectives’ are all waging war online. This Black Hat and DEFCON have played out in the shadow of Stuxnet, a worm that showed the potential for cyber warfare to break into the real world and cause kinetic attacks with large repercussions, physically and politically. Cofer Black made direct mention of this, and there were two specific talks on SCADA (one being on the Siemens S7 PLCs that the attack on Iran was predicated on), so we all ‘know’ that this is a new and important change. It used to be all about the data; now it’s all about the data AND the potential for catastrophic consequences if the grid or a gas pipeline is blown up or taken down.

We all will have choices to make and trials to overcome… Cofer was right.

“May you live in interesting times” the Chinese say…

Then we have the likes of Anonymous, Wikileaks, and the infamous ‘LulzSec.’ Called a ‘collective’ by themselves and others, Anonymous is alleged to be a loose affiliation of individuals seeking to effect change (or maybe just sow chaos) through online shenanigans. Their ideas, and now those of their love child ‘LulzSec,’ on moral codes and ethics really strike me more in line with what “The Plague” said in “Hackers” than anything else:

“The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo.”

Frankly, the more I hear out of Anonymous’ mouthpieces, as well as LulzSec’s, I think they all just got together one night after drinking heavily, taking E, and watching “Hackers” over and over and over again, and I feel like Curtis exclaiming the following:

Curtis: “If it isn’t Leopard Boy and the Decepticons.”

So, imagine my surprise to be involved in the panel and playing the grey hat, so to speak. The panel went well and the Anons kept mostly quiet until the question and answer after, but once they got their mouths open it was a deluge. For those of you who did not see the panel discussion, you can find the reporting below. My take on things though boils down to the following bulletized points:

  1. Anons and Lulz need to get better game on if they indeed do believe in making change happen. No more BS quick hits on low hanging fruit.
  2. Targets need recon and intelligence gathered has to be vetted before dumping
  3. Your structure (no matter how many times you cry you don’t have one) can be broken so take care in carrying out your actions and SECOPS
  4. Insiders have the best data… Maybe you should be more like Wikileaks or maybe an arm of them.
  5. Don’t be dicks! Dumping data that can get people killed (i.e. police) serves no purpose. Even Julian finally saw through his own ego enough on that one
  6. If you keep going the way you have been, you will see more arrests and more knee jerk reactions from the governments making all our lives more difficult
  7. Grow up
  8. The governments are going to be using the full weight of the law as well as their intelligence infrastructure to get you. Aaron was just one guy making assertions that he may or may not have been able to follow through on. The ideas are sound, the implementation was flawed. Pay attention.
  9. If you don’t do your homework and you FUBAR something and it all goes kinetically sideways, you are in some deep shit.
  10. You can now be blamed as well as used by state run entities for their own ends… Expect it. I believe it has already happened to you and no matter how many times you claim you didn’t do something it won’t matter any more. See, all that alleged security you have in anonymous-ness cuts both ways…
  11. Failure to pay attention will only result in fail.

There you have it, the short and sweet. I am sure there are a majority of you anonytards out there who might not comprehend what I am saying or care. But don’t cry later on when you are being oppressed, because I warned you.

K.

http://www.darkreading.com/security/attacks-breaches/231300360/building-a-better-anonymous.html

http://www.pcworld.idg.com.au/article/396320/three_tips_better_anonymous

http://www.wired.com/threatlevel/2011/08/defcon-anonymous-panel/

http://venturebeat.com/2011/08/06/defcon-panel-anonymous-is-here-lulzsec-is-here-theyre-everywhere/