Posts tagged: 'technology'
This past week, I had the privilege of attending Black Hat, DEF CON, and BSides Las Vegas. I had a great time, met some incredibly talented people, gave a talk, learned a ton, and reconnected with old friends. I’m already looking forward to what next year will bring if I’m fortunate enough to return. For those who weren’t able to join in the mischief, I’d like to break down some highlights.
The general theme for all three conferences was vast but mainly centered around the internet of things, privacy and general disobedience…
There were multiple talks centered around covering our tracks, improving Tor anonymity, enabling the security community, supporting the EFF, and much more. There were some excellent discussions around these topics, and BSidesLV even held an open session with the EFF which was very enlightening.
[[ Hacks ]]
It’s been a while since so many neat hacks emerged during these conferences; in particular, it was rather enticing to see zero-day exploits launched publicly against conference goers and newly released security products alike. Among the standard packet sniffing, USB dropping, social engineering, and device rooting, there was one attack that really stood out among the rest…
In my opinion, the most prominent attack was launched by a fellow who goes by the Twitter handle @ihuntpineapples. He showed up to DEF CON with a clever zero-day exploit (as many conference attendees do) that takes advantage of insecure code within the Hak5 WiFi Pineapple and turns the device into a paperweight. Word on the street says that well over 1,000 Pineapples were owned by this exploit during the conference…
This is a good lesson learned for folks new to the security industry… If you don’t know what you’re doing, have not researched how ‘hacking tools’ work underneath the hood, and are planning to mess with people at the largest hacker convention on the planet, you had better be prepared for the consequences of those actions. I am rather familiar with the Pineapple myself and like to demonstrate basic wireless attacks using this tool-set; however, I am glad I kept it at home this year and would never consider using this or similar script kiddie technology in this setting.
Note: Hak5 has since released updates that remediate this vulnerability.
[[ Conferences ]]
The general atmosphere at BSidesLV is reminiscent of the early days of hacker conferences. The organizers provide top-notch content with the advantage of a more personal venue, allowing attendees to approach speakers in a relaxed atmosphere, fostering collaboration and community. It is a free event that is supported by donations, and all presentation recordings (with the exception of the Underground tracks) are released to the community following the event.
I tried to attend a majority of the Underground sessions since I wouldn’t be able to watch them later, and I was very impressed with what I saw. One of my favorite talks was by Dave Kennedy, who presented on ‘secret pentesting techniques part deux’. This session covered at a high level many of the ways his team gets around almost all security tools, as the malware they generate never touches the disk, leaving little for security analysts to go off of.
A unique aspect of BSidesLV that I personally have never seen at any other conference is the speaker development program, dubbed the Proving Ground track. This is a fascinating opportunity for folks new to speaking publicly (such as myself) to get their work out there, present it to a larger audience, and get better at public speaking in general. Once Proving Ground speakers are selected, they are paired with a mentor, someone who has spoken at many conferences and has significant experience doing so. The mentor guides their protégé and gives them advice to help tune their talk and get it ready for the public. I was more than happy to take advantage of this opportunity.
I was paired with Kevin Riggins, an InfoSec pro with a long history of producing and presenting top-notch talks. He helped guide me and tune my talk in preparation for the conference. I think I did all right, but you can be the judge of that.
Following my talk I received this neat Challenge Coin.
Black Hat is a very large and impressive conference that is geared primarily towards security vendors and their customers. If you were there, you probably saw me holding down the booth with my awesome co-workers or wandering the halls in search of the next session.
I sat in on some excellent talks at this conference, and was incredibly impressed by Dan Geer’s Keynote speech. He covered many topics during his talk, but I was most interested in his thoughts on responsibility. More specifically, the responsibility that organizations owe to their customers and the general public in regards to security best practices.
“Either software houses deliver quality and back it up with liability, or allow users to help themselves […] You’d better do it well, or be responsible if it goes poorly.” – Dan Geer
What a great way to kick off the conference, if you ask me. The statements he made are exactly in line with what the security community needs right now. It is astonishing the number of companies that are not handling the security of their systems and customer data properly, which puts everyone at risk for identity theft or worse. Having someone of Dan Geer’s status drive these points home in a large setting like Black Hat is key for ensuring progress on these fronts.
If you didn’t make it out to Black Hat this year, you can watch many of the sessions on the official Black Hat YouTube channel. If you don’t ever want to trust the devices that you plug into your computer, I highly recommend the BadUSB talk by Karsten Nohl and Jakob Lell. Their research is an absolutely fascinating take on USB attacks that will drastically affect the security industry going forward.
DEF CON, the mother of all hacker conferences… If you work in the security industry, you owe it to yourself to get to DEF CON at least once. Many folks have been attending the con for years, and it is constantly gaining in popularity. It’s obvious that it is quickly outgrowing the Rio, and there’s a rumor going around that it will be moving to a different venue next year in an attempt to hold the massive crowd that this conference brings to Las Vegas.
Since I gave a talk at BSidesLV this year, I was invited to theSummit, an annual party which supports the EFF. This was a really neat event as I had the chance to speak with quite a few of the influential people in the industry whom I’ve looked up to over the years.
There were so many great sessions this year, it’s hard to focus on just one that left the biggest impression. As much as I enjoyed the various NSA Playset talks, the discussions around privacy, and the cavalry; the very last talk I attended actually ended up being one of my favorites — Elevator Hacking, by Deviant Ollam and Howard Payne. This was surprisingly informative and very entertaining as they presented a ton of information in a short amount of time and did it very well, complete with embedded videos and entertaining commentary. If you can, you should watch the live talk as the slides simply won’t do it justice.
What I found most intriguing about this talk is the fact that they discussed using event correlation to trigger on physical activities observed within the environment. This hits home for us at LogRhythm as correlation is what we do.
Lately the Labs team has been focused heavily on physical + cyber event correlation use cases such as this. It’s relatively easy to detect physical events using a SIEM, as almost everything is networked these days and everything generates log data; the trick is capturing that data, analyzing it, and triggering on the anomalies. One of the examples they demonstrated was exploiting a service elevator that ‘was not supposed to open from the outside on the service floor.’ They utilized cloned keys, opened the elevator, and rode it up to gain access to the secure facility. Had the company been alerted to the outside door lock bypass followed by the elevator call, the intruders would have been caught before gaining entry.
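The two-stage correlation described above, written out as an added example (this is not LogRhythm code and not part of the original post). It assumes a constructed, simplified log format from a door controller and an elevator controller, a hypothetical door-to-landing mapping, and two time windows: a door opening with no valid badge read on that door in the preceding 10 seconds is treated as a lock bypass, and an elevator call from the same landing within 120 seconds of a bypass raises the alert. The sample log lines are constructed for the example, not captured from any real system.

```python
"""Physical-access correlation: door lock bypass followed by an elevator call.

Added example. Log format, device names, and the door-to-landing mapping are
assumptions for illustration, not the format of any real controller or SIEM.
"""
from datetime import datetime, timedelta

# Constructed sample events: <timestamp> <source> <location> <event> [key=value ...]
SAMPLE_LOGS = """\
2014-08-09T02:14:01Z door-ctl svc-floor-ext BADGE_OK badge=4412
2014-08-09T02:14:03Z door-ctl svc-floor-ext DOOR_OPEN
2014-08-09T02:14:40Z elev-ctl svc-floor ELEVATOR_CALL car=2
2014-08-09T02:31:10Z door-ctl svc-floor-ext DOOR_OPEN
2014-08-09T02:31:55Z elev-ctl svc-floor ELEVATOR_CALL car=2
2014-08-09T03:05:02Z door-ctl lobby-ext DOOR_OPEN
2014-08-09T03:20:00Z elev-ctl lobby ELEVATOR_CALL car=1
"""

# Assumed mapping from an exterior door to the elevator landing it opens onto.
DOOR_TO_LANDING = {"svc-floor-ext": "svc-floor", "lobby-ext": "lobby"}
BADGE_WINDOW = timedelta(seconds=10)      # a DOOR_OPEN needs a BADGE_OK this recent
ELEVATOR_WINDOW = timedelta(seconds=120)  # elevator call this soon after a bypass alerts


def parse_line(line):
    """Parse one constructed log line into a dict; trailing key=value pairs become fields."""
    ts, src, loc, event, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
           "src": src, "loc": loc, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def parse_logs(text):
    """Parse all non-empty lines and sort them by timestamp (correlation needs time order)."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])


def find_bypasses(events):
    """Stage 1: a DOOR_OPEN with no BADGE_OK on the same door within BADGE_WINDOW before it."""
    last_badge = {}   # door -> timestamp of most recent valid badge read
    bypasses = []
    for rec in events:
        if rec["event"] == "BADGE_OK":
            last_badge[rec["loc"]] = rec["ts"]
        elif rec["event"] == "DOOR_OPEN":
            badged = last_badge.get(rec["loc"])
            if badged is None or rec["ts"] - badged > BADGE_WINDOW:
                bypasses.append(rec)
    return bypasses


def correlate(text):
    """Stage 2: a bypass followed by an ELEVATOR_CALL on that door's landing within ELEVATOR_WINDOW."""
    events = parse_logs(text)
    alerts = []
    for bypass in find_bypasses(events):
        landing = DOOR_TO_LANDING.get(bypass["loc"])
        for rec in events:
            if (rec["event"] == "ELEVATOR_CALL" and rec["loc"] == landing
                    and bypass["ts"] < rec["ts"] <= bypass["ts"] + ELEVATOR_WINDOW):
                alerts.append({"landing": landing, "bypass_ts": bypass["ts"],
                               "elevator_ts": rec["ts"], "car": rec.get("car")})
                break  # one alert per bypass is enough for the analyst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"ALERT: door bypass at {alert['bypass_ts']:%H:%M:%S} on landing "
              f"{alert['landing']}, elevator car {alert['car']} called at "
              f"{alert['elevator_ts']:%H:%M:%S}")
```

On the constructed input, the 02:14 door opening is preceded by a valid badge read and is ignored, the 02:31 and 03:05 openings are flagged as bypasses, and only the 02:31 bypass is followed closely enough by an elevator call to raise an alert; the lobby call fifteen minutes later falls outside the window. Either stage on its own is noisy (doors get propped, elevators get called), which is the point of correlating them in sequence.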
[[ Community ]]
If there’s one thing that people should come away from these conferences with, it’s a better understanding of the security community.
The folks at these conferences are some of the most intelligent folks in the IT industry and most are very friendly and open to talking with just about anyone. If you use your time wisely and approach the right people, I guarantee you will learn something new and have a great time in the process. Heck, even John McAfee made guest appearances at BSidesLV and DEF CON this year and stuck around to chat with folks in the audience! Plus, Dual Core, Dale Chase, DJ Jackalope, YTCracker, and many more were not only up on the big stage, but did shows for private parties and hung out with the crowd afterwards.
Just be careful with what technology you decide to bring with you, it will most likely get pwned…
Last week the Department of Health and Human Services flexed its HIPAA enforcement ability in a ruthless and unprecedented way. Heavy fines were dropped on not one, but two organizations totaling $5.3 million.
Last Thursday, a civil monetary penalty of $4.3 million was handed out to Cignet Health for violating privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services said that the fines were being issued for two different reasons. First, $1.3 million for not handing over the medical records of 41 patients (between the years of 2008 and 2009) as requested by the patients. Second, in what appears to be a clear statement of power, an additional $3 million for lack of cooperation by Cignet with the investigation surrounding the first fine.
And a second organization, Massachusetts General Hospital, has agreed to pay a $1 million fine related to a HIPAA privacy violation for an incident in March of 2009 when an employee allegedly left documents containing personal health information of 192 patients on the subway. Since 2006, a total of 12,791 HIPAA violations (source 1) have been registered. While many are reporting that this is the first time the DHHS has issued fines related to HIPAA privacy violations, that is not actually the case (source 2). In 2008, Seattle-based Providence Health and Services was issued a $100,000 fine for privacy violations surrounding the loss of data for over 386,000 patients.
Although the breaches related to last week’s fines do not appear to be the result of electronic data theft (it is not clear at this point why Cignet refused to turn over patient records when requested), a recent report by Kaufman Rossin and Co (source 3) shows theft to be the leading cause of data breaches with respect to personal health information from September 21st, 2009 to September 21st, 2010. These dates are significant because they represent the first year that these kinds of breaches were required to be publicly reported under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
With personal health data increasingly becoming a prime target for theft and with these recent fines it would seem clear that the DHHS is becoming more serious about enforcement. And while there are many factors at play influencing how the DHHS comes up with the amount of a specific fine it seems clear that it’s going to be getting a lot more expensive for HIPAA violations in the future.
The other day I was writing a response to someone about a particular point on our product architecture – one that I have seen come up before. The question was about whether or not LogRhythm’s use of a relational database somehow impacts overall performance.
The answer is actually pretty easy – the backend has been developed to maximize speed and performance, without giving up any of the usability and analysis advantages tied to the use of a relational database for log and event management. Our engineers also make sure that we architect our solutions based on a customer’s real requirements, not on flashy and exaggerated marketing numbers. The end-user will ultimately see an improvement in performance, not the supposed drawbacks that some people ask about.
But that’s not why I’m bringing it up. What it really got me to think about was the idea that a relational database is somehow a liability, despite the fact that the obvious gains in usability and functionality far outweigh the potential disadvantages. So how do concerns like that gain momentum? Maybe it’s just easier for some people to play off of the standard Fear, Uncertainty and Doubt arguments. It would be better for the customer if vendors focused more on their own strengths, rather than their competitors’ theoretical weaknesses.
The whole thing reminds me of the shark attack panics that hit the news every few years. Suddenly they show up like a global pandemic – even though the odds of being attacked are less than one in 10 million. Sure, occasionally random shark attacks do happen. But if you don’t go sporting a wetsuit made out of meat, you’re probably okay to swim.
The same is true when you decide to leverage one technology over another. When approached properly, you minimize any potential drawbacks while capitalizing on the benefits that influenced your decision.