Sunday, September 29, 2013

Black Hat - A Little More than Commercialism and Less than Malicious

With General Keith Alexander back in the news, I thought to share some Black Hat USA 2013 experiences.  As you may recall, the General was heckled during his keynote. The General handled it pretty well, but a four-star general has got to be accustomed to adversity.  Speaking with several attendees, there is some raw emotion about this issue – apparently the General previously denied the NSA Prism program’s existence just last year.
    
I heard some griping about the commercialization of Black Hat, since originally there was no Sponsor Hall, but there were a lot of interesting new technologies to see there.  Personally, I really liked the Sponsor Hall, and the vendors who called me afterward to follow up were pleased with the leads they got from the show.

The talks were extremely valuable.  Brian Meixell’s talk, “Out of Control: Demonstrating SCADA Device Exploitation”, really represented the spirit of the non-commercial Black Hat.  They had a SCADA setup hooked to a pump attached to a tank of blue fluid, and demonstrated a hack into the system from a laptop nearby.  They showed taking over control, and it was funny, because there was almost a messy overflow when they took control, which apparently the Black Hat people had scolded them not to do.  By the end of the demo, they had Solitaire running on the tiny SCADA screen.  This was a crowd pleaser, with applause breaking out periodically.
Brian Krebs spoke about his recent “SWATting” incident, where the FBI came to his house based on a tip by someone who didn’t like him. His talk was entitled “Spy-jacking the Booters” and addressed sites that allow you to easily and affordably purchase a denial of service against websites – using PayPal!  He also introduced the concept of NPT – Noob Persistent Threats, done by people who “make script kiddies look smart.”
The most humorous presentation I saw was Patrick Reidy’s, from the FBI, “Combating the Insider Threat at the FBI: Real-world Lessons Learned.”  His slides were great – my favorite quote from his preso: “Every time you say BYOD, God kills a kitten” with a picture of the cutest darned kitten trying to evade space invaders in the grass.

In his talk, Eric Fiterman, formerly of the FBI, made an interesting observation: “Antivirus is just ten years too late”.  I saw similar thinking in the Sponsor Hall, with many vendors featuring their expertise, either built into software or provided as a service, rather than old-hat signature approaches.  His thoughts were around assuming zero trust.  He pointed out that malware can, and will, turn off logging.  He also pointed out that one way to look at hackers is that they are just Admins without authorizations.  Admins sort of look like hackers to security professionals.

It was a refreshingly friendly, inviting and educational atmosphere.  The word hacker sounds so bad if you read the press.  Black Hat was full of hackers, but there was more of a sense of discovery and joy in engineering and taking things apart to see how they work than malice.

Friday, September 20, 2013

NSA caught in Affair - FBI becomes the "Good Guy"

Everyone I know in IT security is not at all surprised with the amount of information the NSA is collecting, internationally and domestically.  It is also likely that only the most naive foreign government is surprised.  

If you were having an illicit affair, you would know it, and close friends and frenemies would as well.  Getting "called out" about the affair publicly is a far different thing.  The NSA got caught, and the worldwide press is still having a field day at their expense.  It's embarrassing.

There are some European countries with strict privacy laws, and there are people there who may be nonplussed with the news.  It appears to me that citizens in the USA currently seem to be painfully aware that they are entitled to not-so-much privacy, post 9/11.

Interestingly, I see the FBI positioning themselves as the "good guys" - at Black Hat 2013 the presentations I saw from the FBI were frank, humorous, and sort of endearing.  From a PR standpoint, the NSA is not in good field position, opening it up for the FBI to take a kinder, gentler position.  At last month's ISSA meeting in Austin, three FBI agents were there in the audience, interacting with us.

Maybe this is actually a good state of affairs.   We do want the NSA aggressively preventing terrorism, and the rules go out the window when it comes to terrorism.  It's their mission, ugly though it seems at times.  As for the purview of the FBI, law-abiding US citizens want them chasing down domestic criminals who do harm to us, not spying on our personal lives.  You have to admit, for the average law-abiding citizen, our personal lives are sort of boring in the scheme of things.