Browsing articles from "July, 2013"

The Future Home of Black Hat

Media-worthy talks on the latest hacking techniques, big vendor parties, and rubbing up against a random 300-pound man whilst battling with the other 7,000+ pre-registered attendees to get to the room of your choice…it’s all part of the show here at Black Hat USA in Las Vegas, but maybe not for long. As depicted by signs around the conference, Black Hat will be moving out of the Caesars Palace digs it has long since outgrown. Next year’s venue will be Mandalay Bay, whose conference center spans three expansive levels that will be more conducive to the size of the crowds now attending Black Hat USA. The move is largely an effort to accommodate the growing number of attendees and likely also provides a more attractive venue for vendor sponsorship.
For many this will come as sad news, as the sights and sounds of Caesars Palace undoubtedly serve as a portal into years past for loyal Black Hat goers. The need for larger grounds is, however, a welcome change for a conference that continues to mature and grow alongside the broader information security market. It is clear that the industry requires a conference with more depth than RSA USA and more industry professionalism than DEF CON, and UBM is keenly positioned to fill that need with Black Hat. However, the relative size of the Caesars conference center and the somewhat convoluted access to vendors (either in a room much too small, hallways much too narrow, or in a large room removed from the conference) has limited continued growth through vendor sponsorship.

Many of these issues, and potentially (hopefully) the standstill hallway traffic between talks, will largely be alleviated. This should make Black Hat an increasingly attractive target for vendors, who, as some already know, will find that the Black Hat attendee demographic is far more likely to yield sales leads than that of other security conferences. With this demographic and the new venue, the only thing standing in the way of Black Hat combining the vendor support of RSA with the professional hacker community is the time of year. Given the typical security sales cycle, it is difficult to generate leads at Black Hat and close them before the end of the year, five months later.

Regardless, enlightened vendors recognize that market leadership is a continuous cycle and not just a year-end goal. As the Black Hat community continues to grow its influence over the broader information security market, the list of vendors sponsoring the event is likely to grow as well, and a larger floor plan will make room for that growth. Either way, here today, there tomorrow…

The Acquisition of Sourcefire by Cisco

Cisco announced its intention to acquire Sourcefire for $2.7 billion this week, a somewhat surprising move given its relatively recent divestitures of well-known and widely adopted Cisco security products. Examples such as the end-of-life of the Monitoring, Analysis, and Response System (MARS) and the continued deterioration of the Cisco IPS/IDS line, which descends from the NetRanger sensor Cisco picked up with the WheelGroup acquisition in 1998 and has latterly shipped as a re-engineered, re-branded module of the Adaptive Security Appliance (ASA) firewall, had many believing Cisco no longer wanted to invest in its presence in the security market. In retrospect, however, these were also indicators of why acquiring a company like Sourcefire was necessary for Cisco. While the acquisition may have shaken many of the Sourcefire loyal, in time, if done correctly, it could be a great step forward for the community as a whole and may have been a necessary one for the advancement of Sourcefire in general (and certainly for Cisco).

Perfect Timing for Sourcefire
Sourcefire is a security community pillar, functioning as a community organizer, open-source pioneer, and provider of leading security products. However, the industry is rapidly moving towards a newer iteration of security capabilities (I refuse to say Next G*&$#ation). Sourcefire has struggled with shifting OEM suppliers as well as with major upgrades to its flagship product (I’m still holding my breath for that Snort 3.0 release date). Furthermore, in recognition of the move to the next iteration of security products, Sourcefire has invested in Next Generation (*cringe) Firewall technology and malware protection. However, these jumps are costly and difficult to make for vendors the size of Sourcefire, especially considering that the market currently consists largely of focused niche vendors such as Palo Alto Networks in the realm of NGFW and FireEye in malware protection.

The collective result could have left Sourcefire in a rather precarious position: its core market of IDS/IPS still existing but rapidly shrinking, while it found itself in direct competition with already established industry leaders in the emerging markets. While this position was nowhere near signaling significant decline for Sourcefire, it would have made it difficult to continue the rapid growth the company enjoyed in previous years.

Of course, having maturing products across a breadth of segments can help an organization grow despite more mature competing products from niche vendors, provided the larger organization has the sales channels to rapidly grow its installed base. This, however, is not an arena where Sourcefire is particularly strong. While Sourcefire enjoys solid penetration in the US government space and in various east coast enterprises, it has on the whole struggled to achieve deep market penetration west of the Mississippi, let alone on a global stage, against competitors in virtually every realm in which it competes. All these elements combined to make this the perfect time for Sourcefire to accept an acquisition offer: far from desperation, at the peak of its abilities, but facing potential hazards ahead and in need of a partner with brand recognition and strong sales channels.

Cisco Getting Back in the Game
While some analysis is required to understand why Sourcefire would need a Cisco-type partner for growth, understanding why Cisco needs Sourcefire requires virtually no analysis. Sourcefire represents a clear opportunity for Cisco to get back into the security market in a big way. Though, given Sourcefire’s $2.3 billion market cap, $233.1 million 2012 earnings and years of continuous growth, it is by no means a cheap opportunity ($2.7 billion acquisition!). That said, Cisco can provide the sales channel and the (non-security) executive-level brand recognition that Sourcefire currently lacks to continue growing. In addition, the Cisco brand opens up two key demographics in which Sourcefire previously did not play as well. The first is inexperienced network administrators and architects who are not familiar with security vendors and who put a lot of faith in the Cisco brand. The second is boardroom personalities who, though interested in security, are likely not keenly focused on it. For top-level executives, it must be noted that security is typically a small line item relative to their company’s overall expenditures. Having the ability to introduce and influence these decision makers to be more aware of security is invaluable for a pure-play company like Sourcefire. The influence that Cisco can assert in this realm is heavily assisted by looming US Federal Government pressure on private sector businesses to ensure a better security baseline (see the Executive Order on Improving Critical Infrastructure Cybersecurity). It is not unlikely that, as these political forces continue to raise awareness and push senior-level decision makers to adopt more comprehensive security practices, they will turn to giants like Cisco to help get their businesses there (but that’s a whole other story).

Of course, much of Cisco’s success will hinge on whether or not it can appease the Sourcefire community with high-quality solutions and maintain the strong open-source following of Sourcefire and, more particularly, Snort, which I would argue has allowed Sourcefire to be highly competitive in the IPS/IDS market with a frankly less sophisticated engine (referring to the Snort 2.x engine versus McAfee or IBM). The real question is whether Cisco will be able to capture the passion of the security folks within Sourcefire, as Sourcefire has been a refuge for many passionate security people. While much of the community of passionate security professionals outside of Sourcefire has found itself in a diaspora, Sourcefire has remained relatively potent with top-tier folks in research, development, marketing, and decision making. This potency of passion for security has resulted in leadership in virtually every sector in which it operates, despite the challenge of being a standalone pure play. Sourcefire has set a high standard for marketing, product development, community leadership, and delivery. In order for Cisco to get its money’s worth out of this $2.7 billion acquisition, it is imperative that it capture that passion and cultivate it into market leadership.

How to Capture the Passion
It’s simple. Fund development, encourage innovation, support research (even if it’s controversial), retain top-level visionaries, and promote elitism (make those involved feel like they are part of something special) while humbly continuing to build an external community. Of course, these things are easy to evangelize when strictly focused on security. The true challenge Cisco faces is whether it can meet these goals while recognizing that Sourcefire, though an industry mogul in security, would currently account for less than 0.5% of Cisco’s annual revenue. If, however, in the face of that adversity, Cisco can manage to capture the passion of Sourcefire and properly integrate it into the Cisco family, Cisco will certainly be a force to be reckoned with long into the future.

BlackHat Picks 2012

July 25th

10:15 Advanced Chrome Extension-Leveraging API Powers for The Better Evil

2:15 Don’t Stand So Close To Me: An Analysis of the NFC Attack Surface

3:30 Intrusion Detection Along the Kill Chain: Why Your Detection System Sucks and What to Do About It

5:00 Adventures in Bouncer Land

July 26th

10:15 A Scientific (but not academic) Study of How Malware Employs Anti-Debugging, Anti-disassembly and Anti-virtualization Technologies

11:45 iOS Kernel Heap Armageddon Revisited

2:45 Digging Deep Into the Flash Sandboxes

3:30 Mobile Network Forensics

You Would Have to Know Dark Tangent…

If you haven’t by now heard that Feds have been politely asked not to attend DEF CON this year, you may be living under a rock in the information security community. The news came Monday in a post by Dark Tangent (aka Jeff Moss) entitled “Feds, We Need Some Time Apart,” which politely states the following:

"For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next."

This of course has sparked much debate and left many asking “why?” Especially given the nature of Moss’ governmental advisory role, the move would seem at best symbolic in nature and even somewhat hypocritical. There has not been much to explain why it was made, other than some vague statements made by Moss to Reuters recently, where he stated, “The community is digesting things that the Feds have had a decade to understand and come to terms with,” before going on to say, “A little bit of time and distance can be a healthy thing, especially when emotions are running high.” (Reuters)

It would be easy to assume that this announcement is a move to denounce the activities allegedly revealed by Edward Snowden, and certainly a number of articles have been released discussing exactly that. However, I think, to truly understand why this announcement was made you would have to understand Jeff Moss, or better yet, Dark Tangent, and while we’ve barely ever even met, there is one run-in I had with Dark Tangent that I think was somewhat revealing of his personal motivations as a DEF CON leader.

Years ago, in 2007, I met my now good friend Ming while sitting on the Wall of Sheep (WoS). Ming and I quickly bonded over pwning sheep and handing them to the WoS folks to post. Since that time, meeting up at the WoS, collecting packets, sharing information, sharing tools, etc. has become somewhat of an unspoken annual tradition for Ming and me. This tradition is one that I look forward to all year. Early on, working on the WoS made me a little nervous; when you’re on the outside of the tables set up for WoS, everyone could see your computer, everyone knew what I was doing, and it was just a little uncomfortable. That was until an incident involving Dark Tangent.

In 2008 (I think), during DEF CON at the Riviera, Ming and I were sitting on the WoS like we had the previous year, collecting packets and enjoying ourselves, when suddenly from behind us a stern, authoritative voice shouted, “YOU RIGHT THERE, STOP WHAT YOU’RE DOING AND STAY RIGHT THERE!!!” Stunned (and raised with Catholic guilt), I immediately spun around thinking, “Uh oh, I’m in trouble.”

To my surprise, however, I looked up to see that a gentleman was standing in a skybox hovering over Ming and me, taking pictures of us with a high-powered camera and a telephoto lens…I was shocked. Tangent instructed a DEF CON goon to watch the man and make sure he did not move. No more than a minute later, Dark Tangent appeared on the skybox balcony to confront the man. To be frank, I mostly went back about my business at that point and am not entirely sure what happened next; however, I believe Tangent removed the gentleman’s camera memory.

As an industry analyst, I often attend DEF CON with a Press Badge, and I know and understand that there are certain standards around my interactions with others at the CON as a result of that level of attendance. Some are unspoken standards, like never publishing anything unless all parties involved know and understand ahead of time that it will be published (basic etiquette really). Others are well-spoken and documented. One specific documented standard surrounds how and when a picture can be taken (a screenshot of the standard can be seen on the right); each and every Press pass attendee must sign an agreement regarding photos at each conference. The gentleman in the skybox was not abiding by these standards, whether he was press or an attendee. As a result, Dark Tangent took care of the situation.

He took action not because Ming and I were complaining (heck, we didn’t even know it was happening), or because he wanted to flex his power. Rather, Dark Tangent took care of the situation, and likely created the standard, in an effort to promote a safe and comfortable environment for people like Ming and me, or really any other DEF CON attendee, which at its core has always just meant “hackers.” It was frankly successful; it was the last time I felt even a slight bit uneasy working on the Wall of Sheep, and the memory largely fell into obscurity in my mind. That is, until I read the announcement requesting that Feds stay back this year.

I believe that Dark Tangent feels as though he has a responsibility to make sure that hackers can operate in the most comfortable environment possible, one that is conducive to sharing thoughts and having some fun while doing so. That is the core of what DEF CON is. To preserve that, there are both spoken and unspoken standards of how specific groups may behave, and within reason they are held to those standards. Hackers are a naturally paranoid crowd, and while since 2001 hackers and Feds have intermixed to a point where in a lot of cases it is very difficult to separate the two, recent media has made a fair portion of the hacker collective uncomfortable, and as such an unspoken standard has been broken. Maybe Dark Tangent respectfully requested that Feds refrain from the conference for the time being not as an affront to the Feds or as a political statement, but rather in an effort to preserve the core of DEF CON, which is, again, to provide a comfortable environment for hackers, nothing more, nothing less. I think that is something everyone could and should appreciate.

When Corporate Interests Supersede Nationalism

Over the past generation, and increasingly over the past decade, information security has become a key arena for international conflict. Cyberwar, as it is commonly referred to, has the ability to forcefully derail economic, social, and combat capabilities absent the direct physical confrontation previously required. The progression of human conflict into a domain where confrontation is defined by intellect, and casualties are measured in lost data, in no small way speaks to the advancement of humankind. However, these advancements have been coupled with global collaboration that has unified intellectuals of multiple nations in efforts of technical invention and innovation. There are no better examples of this unification than global corporate entities, where workforces drawn from many nations collaborate to continue growth.

Though we tend to view these entities as singular, they are actually large conglomerates of individuals, individuals who hold multiple allegiances beyond the walls of their corporations and the borders of their nations. In information security communities, where national security is not mutually exclusive of private sector security capabilities, questions arise when these allegiances come into conflict. For example, when does a global company choose to publicly report covert operations conducted by one nation to hinder another nation’s ability to become a nuclear power? Indeed, this question sounds like the premise of a cheesy suspense film, but it was the specific question posed to Symantec analysts in the discovery of Stuxnet, a computer worm targeted against Iranian industrial control systems and likely built collaboratively by Israelis and Americans. This article will explore these conflicts as well as the role that the growing community of information security professionals currently plays, and will likely continue to play, in the realm of international conflict.

An Ever Shrinking Planet
It has been well over a half century since the United States and indeed much of the world could have claimed any real amount of isolationism. Rather, we live in a global economy where international relations and alliances can exist simply through adding friends on Facebook. Interconnection has altered the world in ways that even the brightest visionaries previously could not have imagined.

These advancements and collaborations may have been summed up best in a 2001 speech entitled “Globalization, Free Trade, and National Security” delivered by Kenneth I. Juster, former Under Secretary of Commerce for Export Administration, when he stated:

Advances in information and communications technology have made it much easier for companies in all sectors of the economy to “go global,” to create multinational workforces, to set up operations and facilities in remote areas of the world, and to market their products and services worldwide.

Yet, while the effects of globalization are in many ways widely recognized, most studies and considerations surround economic implications and the relation of national security to a nation’s economic stability. What sets information security apart is the antithesis of this relationship: what may be economically best for security companies may have a large negative impact on national security. This is a distinct possibility in the aforementioned incident involving Iranian nuclear efforts. No doubt, Symantec made a few pennies off the free publicity.

Among the unanticipated by-products of technological innovation, and indeed of corporate globalization, are new intersections between corporate interests and national security. Despite the numerous areas where these issues exist, few are as complex as the realm of information security.

Information security is in many ways knee-deep in espionage between corporations, and indeed between governing entities. As a result, security researchers are often working directly on issues of national security without knowing it. Yet, while it is simple to report that a foreign country is hacking an organization, it can be far more difficult to decide when to report that the researcher’s own country is hacking another business.

Such has been the case in numerous instances where researchers were paid to perform root cause analysis of attacks that infiltrated businesses or perhaps even disrupted capabilities. While it is rare for a researcher to uncover their own nation state as the culprit behind an attack, it does happen. This leaves a very simple question: when does one report that their own country is hacking another?

When to Report
The patriotic answer would seem quite simple: “this should never be reported.” However, the stark reality is not so black and white. There are issues with not reporting. Consider first that there are security implications for failing to report information publicly, or even privately within an organization. In certain cases, synthetic malware can be re-purposed for further attacks against other entities; by some accounts this was the case for Flamer, which was re-purposed and utilized in the attack against Aramco. Without proper disclosure of the original piece of malware, detection of the re-purposed variant is more difficult and damages can be much greater.

In addition, there is a business component to not reporting. At this point in time, security research is being done by global vendors in a multitude of countries. Thus, if one entity fails to report an issue, it is quite likely that another entity will report it instead. There is therefore a level of marketing competitiveness involved in the reporting of issues.

These things considered, the answer becomes a bit convoluted; in fact, the best answer is that it depends. One should report state-sponsored attacks originating from the country one hails from when it is first and foremost safe to do so, both at a personal level and at a national level within one’s particular nation-state. Should one face jail time or retaliation for such a disclosure, then the answer is simple: it shouldn’t be disclosed. It is a corporation’s responsibility to be a good citizen and protect an employee who was merely doing their job. If, alternatively, a disclosure will be controversial but not particularly dangerous, then that is the time to disclose. And yet, while these criteria seem rather simple, they still somehow manage to be incredibly complex. One thing is not complex, though, and is plain to see: security researchers will continue to play a large role in international relations whether they like it or not…