Malware, Democracy and ICS at Risk – And Other Thoughts Following Blackhat and Defcon 2017 Conferences

Every year in late July or early August, a legion of hackers, crackers, makers, and feds, swarm into the dry heat and bright lights of Las Vegas on a mission to be part of the info sec scene at the Blackhat and Defcon conferences. Some may play a large part and others much smaller, but it’s clear that everyone who goes is part of a special community.  That community is special not only because of the incredibly diverse and intelligent membership, but also because it is currently engaged in something akin to a cold war that most folks have no idea is being waged. More on that later, so go get your tinfoil for hats while we wait.

Also ever year, about two weeks after the last $12 beer has been drunk and the last hand has been doubled down on, folks who were lucky enough to go to this party on a company sponsorship fire up their Macbooks and pen a blog highlighting their experiences of that year. Some articles are great, others (dare I rhyme) are click bait; but overall, they are useful summaries of what happened during that week. No substitute for being there, but you can get a good run down of what went on.

Since I fall into the category of mid-August authors, I’ll say this year was a special year for both conferences. It was 25 years and 20 years ago that Jeff Moss (aka @thedarktangent), launched the first DefCon and BlackHat conferences respectively.  It was special for me personally as this was the first year I got to spend time with the dark agent himself. Now to be fair, I did accost him in the foyer of a men’s room where he had escaped to do some email, and managed to chat him up for about 15 minutes. Obviously no shame in my game, but if you want to hear that story, make sure you come out to some of the events where we are presenting The Six Steps to Secure Access.

As for trends and take-aways from ‘hacker camp’, three areas stood out to me as common themes from both events:

1) Malware, Malware, Malware

It felt to me like malware was getting the attention that it needs at both conferences this year. You might say that was clearly bolstered by WannaCry and Peyta, but the speaker submissions were due long before those attacks hit – so we can chalk it up as a good coincidence. The clear take away for IT Operations teams is to keep systems patched and focus on the fundamentals of security. What was also clear, is there isn’t enough attention on the remote access pathways that exist in our organizations that make remotely accessing a system that has been popped all the easier. Self-serving yes, but I would like to see these topics discussed in concert.

I’d be remiss if I didn’t mention the post conference shocker that involved the hero of WannaCry, Marcus Hutchins (aka @malwaretech), being arrested after being indicted by a grand jury for the creation and sale of the Kronos Malware. As of this writing, he has pleaded not guilty and the security community has rallied to his defense both on line and physically by raising money for his bail. We are all standing by to see how this one plays out.

2) Democracy at Risk

Remember that tin foil hat mention earlier? Here is the part where you might consider folding one up for yourself. This year DefCon spawned a new village thanks to voting machine hacking being a hot topic after the presidential election. The Voting Machine Village had more than 30 Voting machines purchased mostly on eBay and ready to be hacked on. It only took about 90 minutes for the first group to find and exploit vulnerabilities in five different machines. We saw some early tweets with pictures from the help/about on one of the units showing the versions of open source software it was leveraging. Of course, these voting machines were using old versions of that software with known vulnerabilities, that have since (mostly) been patched.  It didn’t take much from there to compromise a machine. Many experts at the event complained that the average desktop in today’s modern enterprise has light years more security than these voting machines. The scary thing, according to event co-coordinator and University of Pennsylvania professor Matt Blaze, is "only one of these models has been decommissioned. The rest are in use around the country." Now the good news is, all of these attacks required physical access so all is not lost (yet) - but we should demand real info sec around these systems while we have some breathing room.

3) Industrial Control System (ICS) Wake Up Call

This is the part where you put on the tin foil hat you just made. To be fair, ICS researcher and CEO of Dragos, Rob Lee, cautioned that we need to be careful fanning the 'sky is falling' flames.However, I don’t think anyone would question that we need serious focus on these systems. After all, ICS are used in all of our critical infrastructure like power, water, oil & gas, and manufacturing; and these systems are coming more frequently under attack. As proof, Dragos and eSIT shared their research at Blackhat on the first ever malware framework designed and deployed to attack electric grids called both CRASHOVERIDE and Industroyer. There is some good news here. This malware is not mature enough to function at the real scale it would need to take out New York or cause us to lose Texas if the target was the power grid. However, it is a huge start for the Advanced Persistent Threats (APT) that are likely behind the development and deployment, and we should continue to voice concerns until we see governments publicly and globally embrace their roles in cyber warfare and espionage before those APTs can begin to work at scale.

If you want to learn more about what goes on at these events, I’d start by grabbing the media that Defcon.org makes available. It generally takes a bit of time for the talks to upload post conference, but they put a ton of the content out there for those that may have missed a talk or want to experience 2017 over again. My personal recommendation would be to watch the DefCon talk that Chess Master Gary Kasparov gave on AI and its potential to separate us from our jobs and maybe our humanity. He blew hacker minds when he expressed that no matter the sophistication of AI, AI and humans can live together because Humans make up that last decimal - and that last decimal is what makes the difference.