Silicon Shecky

Infosec Practitioner


First Defcon – The results

August 17, 2023 By Michael Kavka

This year marked the first time I made it out to Defcon. I have known about this conference since the 90’s, just had not figured out a way to get out there and experience it. For those that want a TL;DR, it is a supersized conference. There are also plenty of smaller conferences that I enjoy as much or more than Defcon. That is how I perceived it. Now let’s get into the nitty gritty of it all.

In the Beginning…

Before I got to Vegas for Defcon, I had been told about things like linecon, the merchandise lines and the like. There are still people and especially news outlets that give advice based on what Defcon used to be in a different era. This covered what to and not to bring, use and be prepared for, and much of it has changed over the years. When I arrived and went to linecon, the fact that where I work pre-paid for my entry meant that linecon itself was a much shorter and less involved situation. I did observe the old-fashioned, cash-only linecon going on though, and how everyone went about their business. It also, while many times longer than what I stood in, seemed to move pretty well. The Goons kept people in the right areas, and were quite helpful. Like with anyone, you be nice to them, they will be nice to you. Merchandise was another long wait, and the fear of things selling out is real. I get it, you can only afford to have so much on site. It makes people wonder if the item(s) they want will be in stock when they get up front or at least in their size. Having 30,000 plus of each item is not realistic, and of course people will be disappointed in the end, unless you get there early enough. The organization of it was well done though. The line again moved smoothly, and I did not see any incidents. After going through both lines I walked into a War talk, which that first day was held in the main track area. Considering they were the only talks going on Thursday that I saw in Hacker Tracker (an awesome piece of software by the way), I was surprised there was standing room and people allowed into the track.

The Main Event

Moving forward to Friday, Saturday and Sunday daytime, overall things were decent. There was a lot of walking. My knees hated me, and I do Ninja Warrior workouts multiple times a week. How spread out areas were from the main building is the problem. It also causes a problem of getting to talks, or even back to your room to watch talks on the closed circuit TV, or even Twitch. WiFi in the hotels tends to be limited to guests unless you wish to pay for it, and mobile data in areas seems to be spotty, or flipping around between networks. I get that it is Defcon, and you “shouldn’t be trusting anything” but how else do you use things like Hacker Tracker to keep up on what is going on where? The closed circuit T.V. did not always have all the tracks in the hotels. Mine only carried tracks 1, 2, 3. Some carried track 4. Both the Twitch stream and the CCTV had network glitching and freezing, making the talks tough to watch as you would miss things.

One of the more interesting things I had heard before going to Defcon was, “do not think you will get into the main talks, but watch them on T.V.” Also it was mentioned to focus on the villages. I personally had no problem getting into any of the main talks. Where problems came up were a number of village talks. Red Team Village, the Misinformation Village, and the A.I. Village all were at capacity most of the time, and in the case of Red Team Village, I did not even try to go in just to look at non-talk stuff due to how long the line was. Also most of the villages I did make it into were talk based. By that I mean, unless you were there to do the village CTF or see a talk there was nothing in the village of note. The 2 exceptions to this that I came across were the RF Village and the Ham Village. Both of those were easy to get into also. Blue Team Village, which I was excited about, I had heard was moved at the last minute so their layout had to be adjusted, and that could be the cause of it not having some things that I thought it should, at least from a non-talk perspective. I did love that there was a lot of focus in it on training, and the organizers did their best with what they had.

The Nightlife

So much goes on in the evenings. There are tons of private, invite only room parties. Some people go out and just hang with friends. Then there are the main Defcon parties. I got a taste of all of the above. The Defcon parties are nice, with the exception of drink pricing, but there is not much Defcon can do about that. With no open bars at any of the main events, it seemed to keep trouble down to a minimum, except for one thing which I will get into in a moment. One of the things I was looking forward to was Hacker Karaoke. I love to sing, and had heard about how fun it was. My issues had little to do with how long the wait was, and more about the feel. Having run karaoke in my past I know the line was going to be long. The only thing on that which could have been better is making sure first time singers got up first. Not always easy to keep track of, but it is possible. Instead, the big issues I had are, the sound system was awful. You couldn’t really hear the music, especially when on stage singing. The mix needed to be better. Next was the screen itself, which was projected on the wall. Makes it tough to make eye contact with the audience to bring them into the song. Finally, back to sound, it was very tough to hear the KJ. Between ambient noise, echo on the mic, and the low quality sound system it became tough especially when the main KJ stepped away and their associate would take over, who was more soft spoken.

The second night, I was just moving around from room to room. I wasn’t able to get into Hacker Jeopardy, but did go into the Arcade Party, which was pretty cool, especially the physical pong machine and the huge Foosball table. The people I caught up with there, we started walking to check out some of the other rooms when we slipped into the Chill Out Space cause of things going on in the hallway. This wound up being the start of the lockdown and evacuation due to the suspicious package. The Goons, and security were amazing during this whole situation. Their calmness helps keep the rest of us calm and everything went smooth getting people out of the building.

The Highs/Lows/Conclusion

I got to see a few cool talks. I missed out on other village talks due to lines. I saw some of the things I expected, such as unique outfits, furries, and people just being themselves mixed in with parents and their kids. If there is still a counterculture/deviant aspect to Defcon, it was not out in the open. The truth is Defcon felt to me like a conference that has matured over the years into a more normal conference with some small aspects of its former self. Would I go back? Yes. Most of what would stop me is cost. Talks will be online, or at other smaller conferences. There is only so much one person can go and see. That said, it was definitely worth going.

Filed Under: Reviews Tagged With: Defcon, InfoSec

Are you sure it is the execs?

May 11, 2021 By Michael Kavka

Security is all the rage today. Supply Chain attacks, Ransomware, Data Exfiltration, it is all in the news pretty consistently. We as security practitioners have a tough job. We know there is no such thing as being 100% secure so we make our best effort at securing and detecting. We also realize that detection and reducing dwell time is huge, so we ask for more people, more tools, more money, and it seems that execs are listening. Reports show that security is high on execs’ minds. So if you are a small to medium business why can’t you detect better? We all know that there is a bottleneck somewhere, and I am becoming more and more convinced it is not at the higher levels. It is more a division of duties and departmental struggle.

If your company from a security and IT perspective is designed well, accounts have only as much privilege as they need. A person in security should not have Domain Admin rights as an example. A person in the security department also should not be in charge of configuring endpoints, but should be working with the other IT departments to deploy such technology. So if you want to configure and deploy say Sysmon, the security people should get everything set for deployment and then pass it to the proper department to deploy. Here is where a bottleneck can come in that we do not think of initially.

Using Sysmon and collection of the data from it as an example, since Sysmon is a quality, free and popular product, how are other IT departments possibly the bottleneck in deployment? We, as security engineers, should be able to pass a set of install packages and configurations to the IT team for them to deploy. They just need to deploy it, but wait. How swamped and understaffed is that IT department? Have they bought into the need to deploy this? Do they have time to test on their standard configurations? Then you need to think about what SIEM is the data going into? Who owns that product? Does it actually fall under Security’s budget, or is it under IT’s and where under IT’s? Is there going to be an increase in cost because of more data coming through (this is one spot where SIEMs fail us: the pricing of ingestion)? Will this kill their budget? Is there going to be a fight over this that will leave IT less likely to work with us in the future? Who is going to support this new addition to the systems? Do they need training? What is the cost of training and how long will that last? Will it cut into time for their day to day job requirements? Is there a different, more business critical project going on that will cause this to be put on the back burner?

It is easy to point fingers and lay blame, but are security departments doing their due diligence on the whole situation, or are we creating yet another problem? Yes it gets frustrating to us when we know something we see as a simple, no-brainer can’t be implemented. Yes it does blind us when the tools that we got buy-in from the execs on are stuck in limbo and not as effective as they could be. Are we though bringing the other teams to the table, just like we want to be brought to the table when they are bringing in/developing/deploying new technology, or is it do as I say not as I do?

Security is something we need buy in from all aspects of our organizations, not just the Executives. Are we sure that the bottleneck is not IT, or even us and how we treat others?

Filed Under: Ramblings, Security Tagged With: Cybersecurity, InfoSec, ramblings

Year End Musings

December 30, 2019 By Michael Kavka

So here we are, the end of 2019. I know I have been lax on blogging this year, but I also have been a bit busier, both professionally and personally. I am planning on doing more posts in 2020 so stay tuned.

As I look back, it has been a good year professionally. I have started writing Python scripts and modifying those I find that do not quite do what I want to do what I want. Not great at it, but getting better. I have been learning KQL for Microsoft Defender ATP and wrote alerts that helped for the yearly penetration test at the office. I gave a talk at Circle City Con that was well received. I made it to my first GrrCon. I got to spend time with people I do not see in person very often, and make new acquaintances that could turn into friendships. For all of that I thank you.

2020 is shaping up to be a cool year. I can’t go into too much right now, since I do not want to jinx some things, but here are the cons I am planning or will be at:

  • Cyphercon (Definite)
  • Thotcon (Definite)
  • Circle City Con (Probable)
  • Blue Team Con (Definite)
  • GrrCon (Probable)

There might be more but nothing exact at this point.

As far as predictions go for this upcoming year, mostly it is going to be a lot of the same. There will be some sort of major item that comes up, be it a breach or vulnerability (probably both). We will still be trying to get better intelligence and stay in front of things. The community at large will have more drama, and that will cause tighter cliques to form, which is unfortunate.

I hope everyone has a great Holiday Season. May the New Year be good to all of you! Peace!

Filed Under: General Tagged With: 2019, InfoSec
