Silicon Shecky

Infosec Practitioner


Thotcon 0x9

May 11, 2018 By Michael Kavka

Security/Hacking conferences are interesting. Each one has its own uniqueness about it, and yet they are all similar in some fashion, stemming from the “granddaddy” of them all, Defcon. These conferences are all over the place, and in the Chicago area we have two main ones, BSides Chicago and Thotcon.

Now Thotcon just happened over the weekend with the 0x9 iteration. Nine years is a long time to learn and find your voice, and each year should teach a conference something to make it better for the next. The joke the last number of years with Thotcon was the whole undisclosed location idea. For years it was at the same venue, even though they never officially let attendees know until a week or two before. This year it was a new location, and I would say a huge improvement. The problem with waiting so long to reveal said location is of course people coming in from out of town, and where they should stay. I personally think this can be remedied with a longer heads up: reveal the location 6 weeks before, so people have time to make reservations at a decent price. Just a thought.

The new location, which I will not reveal, was as I said above an improvement overall. The echo and open space issue that caused problems hearing talks was gone. In each track you could hear the speakers clearly, at least I could. The overall layout was not too bad either. There were downsides also, as Barcon was not as large an area and did not have an easily accessible outdoor space for people to just walk out and enjoy the sun while drinking. The villages were a bit out of the way, and the traffic there seemed lighter because of that. The temperature in the building in some areas was an issue also, due to the age of the building and where air conditioning was actually available. This issue drove some people up to Track 2, which had the best air conditioning in the building, just to cool down at times. Finally, there was the food issue. The old venue's food was inside, and was plentiful. With the move to food trucks because of the venue, Friday saw only 2 trucks, which had long lines and eventually no food. People wound up walking a few blocks to get lunch. Food trucks also mean weather could have been a factor; it was not, as it was nice outside, but had it been storming there was a potential issue. Saturday saw the addition of a third food truck, and between that and what seemed like lighter attendance on Saturday it seemed to hold up better, even with the long lines still there.

With the switch from a Thursday/Friday to Friday/Saturday, the “After Party” was put in between the two days. It also was moved well off-site, which is not a bad thing. The venue for that was nice, with 80’s dance music playing and tons of pinball and old school video games to play. The light food there was a nice add-on to the candy and free drinks. It did seem to get a little more crowded, or at least packed in, compared to past years. Also, I have to wonder if having it in between the two days contributed to what seemed like lower turnout for the con on Saturday.

The keynotes I felt were an overall improvement. Some of that might be from being able to hear them clearly with little distraction, and some from the bigger ideas they seemed to cover. Talks overall were good and well received. I found myself in Track X which was more along the workshop lines most of the time, due to 2 fantastic talks, one each day. The Jaku Puppet Show was definitely a sight to behold and gave some nice levity to the whole con.

I still maintain that Thotcon should give the speakers the choice on whether to record their talks or not. This is a personal preference, as I believe that information should be out there, and there are always talks scheduled at the same time that one has to choose between. I understand the reasoning behind not recording the talks, but in this day and age of social media, things said can still leak out of the open and protective shell that not recording the talks is supposed to provide.

When all is said and done, Thotcon 0x9 I felt was an improvement from previous years. There are lessons to be learned from it, but for the value it is definitely worth it. I am curious to see how Thotcon 0xA comes together and what is planned to celebrate a decade of Thotcon.

Filed Under: Reviews, Security Tagged With: Conferences, Thotcon

Lack of Vision

May 3, 2018 By Michael Kavka

I have noticed something about our field: the lack of vision we have. We get comfortable with our knowledge, and are afraid of being wrong. We blind ourselves, which makes us susceptible to attacks.

[animated GIF via GIPHY]

Unfortunately this feeling can eventually lead us to feeling like this when things go wrong:

[animated GIF via GIPHY]

I am not saying there is anything wrong with being confident in what one knows. I am talking about blinding ourselves. We have been seeing some old techniques and tactics come back into play again. We aren’t watching for these because they were eradicated years ago perhaps, or never were much of a threat. Instead they are being used as one part of an attack. We also get caught up in not only attribution, but a blame game. It is company X’s fault. The legacy system needed only works on OS “Y”, so it is the OS company’s fault. I see this all the time. Watch Twitter enough and you will see it too. The thing is, we are all to blame. We have our hatred of company X because of reasons. We prefer Y because it seems more secure. We discount the simple answer immediately, until we wind up taking the long way around and come back to it after eliminating the more complex and sexier looking possibilities.

There are reasons for so many things. For instance, legacy systems and the country’s infrastructure. I saw a talk at Cyphercon on the basics of ICS threat hunting. Lesley Carhart gave some basic information on the world of ICS so we could understand things better. There are reasons that upgrading systems is so slow in that world. Very good reasons, such as making sure your power is not interrupted. All the majority of us see is “legacy bad, change it now”, instead of learning why legacy is needed.

The world of the theoretical is lovely, but it is not always achievable. We have to learn that. We have to take off the blinders and understand that we may be wrong, that the old ways may come back in a vicious circle. We need to realize that we do not know so much, and that it is okay not to know. What is not okay is to have tunnel vision.

Filed Under: Rants, Security

Tuning up the intel

April 27, 2018 By Michael Kavka

A lot of thoughts surround threat intelligence feeds. They have a place, which in my mind is right around AV. Note I am talking about feeds. Think about it: one of the big reasons there is a claim that AV is dead is that it is signature based, not good at finding unknowns. Threat intel feeds are just the same.

Now you can dispute my comparison, but the truth is a bitter pill to swallow. I do not think that the feeds are useless, but I also do not think that AV is dead and useless either, both have their place. The feeds though, especially when tied in with a product, can cause more work than they should, especially if they are not kept current, and by that I do not just mean the newest threats and IOCs put into them. You have to remove the garbage.

Garbage, what do I mean by garbage? Here is a scenario I deal with. Carbon Black Response uses intel feeds as part of the way it finds potential threats, be they malicious software or actors on a machine. If you use it to keep an eye on your DNS machine, there are a lot of alerts generated from DNS, a majority of them being marked as TOR exit nodes. Of course with TOR those exit nodes can shift easily. The problem is when I start looking into these IPs, as should be done with any alert, the feed itself has IPs put in there from years ago. I’ve found some that are 10 years old. Now a TOR feed should be updated regularly, and that should include making sure the intel is current, and marking it as such. Without that, you get too much extra work on the analyst’s end, time that could be spent on something other than false positives. Up to date has to include removal of old, now unconfirmed data for all feeds.

The idea behind threat intel feeds is to help us find the known issues out there, but without proper upkeep, they are nothing more than a time sink in seeing false positives.
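The pruning step described above, as an added example that is not part of this post or of any Carbon Black feed format: it assumes each feed entry carries a `last_confirmed` date, uses constructed sample indicators (documentation IP ranges) and illustrative age windows, and drops entries that are stale or were never confirmed before they reach the watchlist.

```python
from datetime import date, timedelta

# Constructed reference date and sample feed (assumptions, not real feed data).
AS_OF = date(2018, 4, 27)
SAMPLE_FEED = [
    {"indicator": "198.51.100.7",   "type": "tor_exit", "last_confirmed": "2018-04-20"},
    {"indicator": "203.0.113.44",   "type": "tor_exit", "last_confirmed": "2008-06-01"},
    {"indicator": "192.0.2.9",      "type": "tor_exit", "last_confirmed": "2017-11-30"},
    {"indicator": "198.51.100.200", "type": "c2",       "last_confirmed": "2018-01-15"},
    {"indicator": "203.0.113.250",  "type": "c2",       "last_confirmed": None},
]

# How long an indicator may go unconfirmed before it is pruned. TOR exits churn
# quickly, so they age out fast; the windows themselves are illustrative.
MAX_AGE = {"tor_exit": timedelta(days=30), "c2": timedelta(days=180)}
DEFAULT_AGE = timedelta(days=90)  # window for types not listed above


def prune_feed(feed, today, max_age=MAX_AGE):
    """Split a feed into entries still worth alerting on and stale ones.

    Returns (kept, dropped); each dropped entry gains a "reason" so the
    analyst can see why an indicator left the watchlist.
    """
    kept, dropped = [], []
    for entry in feed:
        stamp = entry.get("last_confirmed")
        if stamp is None:  # never confirmed: unverified data, not intel
            dropped.append({**entry, "reason": "never confirmed"})
            continue
        age = today - date.fromisoformat(stamp)
        limit = max_age.get(entry["type"], DEFAULT_AGE)
        if age > limit:
            dropped.append({**entry, "reason": f"stale by {age.days - limit.days} days"})
        else:
            kept.append(entry)
    return kept, dropped


def stale_ratio(feed, today, max_age=MAX_AGE):
    """Fraction of the feed that would only generate false-positive work."""
    _, dropped = prune_feed(feed, today, max_age)
    return len(dropped) / len(feed) if feed else 0.0


if __name__ == "__main__":
    kept, dropped = prune_feed(SAMPLE_FEED, AS_OF)
    for e in dropped:
        print(f"drop {e['indicator']:<15} {e['type']:<9} {e['reason']}")
    print(f"kept {len(kept)} of {len(SAMPLE_FEED)}; stale {stale_ratio(SAMPLE_FEED, AS_OF):.0%}")
```

Running the same pass on every feed load, and recording the dropped entries, gives a measure of how much of a vendor feed is still live versus how much is just leftover noise.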

Filed Under: Rants, Security Tagged With: Threat Feeds, Threat Hunting
