Shmoocon 2017: Threat-Casting, Fake News, and Ransomware

Good luck getting in

So, you want to go to ShmooCon?  You better start planning now. This conference is harder to get into than your favorite music artist’s concert.  The conference is affordable, but tickets are extremely limited. You have to be prepared if you want to get one. Here are the stats on ticket sales: After 3 rounds of sales, 1460 tickets were held in a total of 8.16 seconds.  In other words, if you want to go to ShmooCon in 2018, you better have a plan and a fast Internet connection for each time the tickets are on sale.

ShmooCon is an annual East Coast hacker convention that hosts vendor-neutral discussions ranging from technology exploitation, inventive software and hardware solutions, to critical information security issues.

The attendees of the conference ranged from kids to senior citizens. Not everyone at the con was specifically in information security. Some attendees were more interested in investigating hardware to see how it works in order to make improvements, modifications, or simply to figure out how the device worked.  Another group of attendees were developers that build their own tools to investigate various areas of interest.

ShmooCon has a light vendor presence compared to conferences like RSA and Blackhat. The vendor floor was small and did not include all the typical companies. There were some big names but they were few and far between. And, all the vendors get is a table. No big elaborate booths allowed. I did not attend a single talk in which a vendor was talking about how great its own product is.

Like at most hacker conferences, there were side events, such as a lock-picking village and wireless capture-the-flag.

Misplaced priorities

The opening remarks were very good. Conference creator Bruce Potter went off on his annual rant, the gist of which was that organizations are focusing on the wrong things. For example, vulnerability scanners flag weak SSL ciphers as critical problems. Crypto attacks are not an easy style of attack; they need a specific skillset and, compared to other attack vectors, may not be worth a hacker’s time. Why focus on them when basic things are still not being done to secure networks (i.e., proper segmentation, access controls, and password policies)? This was a stark reminder that the awareness of the risks posed by weak controls has not changed in the last ten years and that there is still a refusal among business to change workflows for the sake of security.

Information sharing was also a central theme of ShmooCon 2017. We learned that, overall, there needs to be better cooperation and information sharing between the public and private sectors for protection from emerging threats.

How to stay protected from ransomware?

All of the talks provided an interesting way of looking at various problems organizations face. There were a few that really stuck out to me. The most pressing and relevant talk was by Gal Shpantzer and G. Mark Hardy, which directly correlates to a question the Information Security & Governance group at Kraft Kennedy is often asked: what do we do about the latest flavor of ransomware? The talk centered on ransomware, its commoditization, and how organizations can protect themselves.

So how do you protect yourself? Outside of the obvious, good backups, one needs to go back to the basics, firewall 101. First, start with network segmentation and micro-segmentation. The practice of creating different zones/vlans and allowing one zone/vlan to talk to another on all ports needs to be stopped. Proper Access Control Lists (ACLs) are needed that only allow clients to talk to ports on a server that are being served by a server, don’t allow a client to talk to all ports on a server. This is a completely lazy approach and does absolutely nothing to protect your organization. Network Engineers need to take the time to create proper rules and then test those rules to ensure only the minimum amount of communication is allowed on the network. The concept of micro-segmentation goes a little further and will prevent merciless pivoting by malware within a specific LAN. The concept is simple—use a host-based firewall to prevent one client from talking to another. All legitimate communications within organizations should be client-to-server communications. Peer to Peer communication is almost always a sign of bad things. Organizations should also consider implementing ACLs on outbound traffic. For instance, when a user clicks on a phishing email and something is installed on a system then next thing that will typically happen is the malware will call back to a command and control server. If you have egress filtering in place you may be able to stop the malware from making the connection back to its master. Proper firewall hygiene can not only stop bad things from coming into your networks, but also prevent malware from making a connection back to its control server when its inside the network.

Secondly, the practice of using mapped drives should be stopped. Ransomware looks for mapped drives/shares and then moves laterally. Instead of mapping drives, try desktop shortcuts with UNC paths as an alternative approach.

Thirdly, systems need to be patched. Ransomware needs a vulnerability to deliver it’s encrypting payload. Organizations typically patch in line with Microsoft’s patch cycles. When looking at FBI reports about the initial attack vectors of ransomware, the data shows that third-party applications such as Java, Flash, and other Adobe products are the culprits. So why do we not patch those more often if a fix is available?

Businesses need to understand the operational side of security. No one product is going to save you, a proper defense in depth approach is necessary with measurable metrics to drive risk management efforts and business decisions. Information Security is not an IT problem it’s a business problem and the business needs to understand where its winning and failing and where improvements can be made. Information Security (risk management), is a never-ending process, it’s time to accept that.

Fake news

The second talk that I found especially interesting was on attribution and disinformation campaigns. The obvious implication of the talk was the speculation about Russian influence on the U.S. election. The speaker, Mark Kuhr, painted a picture of how a disinformation campaign could be run, including setting up an architecture, creating fake stories, and the effects of social media. He provided details that support a theory that information discovered during the investigation of the election points to China. Each step of the way he described how to create the information that has been reported about the tampering of the election process. At the end of the talk he asked the audience how many people thought Russia was behind the attack based on the evidence he provided. Only a few people raised their hands.

This talk was eye-opening. Attribution is difficult. An attacker’s ability to use proxies, encryption, and cloud services around the globe, all of which can easily be created and destroyed, leaves little evidence for an analyst to look at. A lot of the security community is looking at the reports that have come out from various government organizations about the Russian influence on the election with the general question, where is the data that definitely proves this? I guess we will never know, or have to trust the government.

Threat-Casting

The last talk that I will mention, by two futurists, Brian David Johnson and Natalie Vanatta was about threat-casting. Together they are working on a project that casts potential scenarios that could happen ten years from now and try to define how it could have been prevented. They painted a grave scenario that with a nuclear bomb heading for NYC. Here is the gist of the scenario these futurists are looking at:

Smart refrigerators are commonplace. They detect when you are low on something and automatically order it for you. Suddenly, refrigerators across the country are ordering milk. This causes a shortage. Joe works at a logistics company in New Jersey, where he sees there is a milk shortage and diverts additional resources to deal with it.  Also in New Jersey, there is a shipyard using automated machines to scan containers for potential hazards, such as nuclear materials. The automated machine that scans the containers has a broken part. Due to the shortage of milk and reallocation of resources, Joe’s company is not able to deliver the replacement part for the automated ship container for a week. This has lead the shipyard to conduct manual inspection of containers. They are only able to manually inspect 10% of the containers, allowing 90% of them to enter the country unchecked. A container is loaded onto a truck with the destination of NYC. On its way up the New Jersey coast, a nuclear bomb that was inside of the container pre-maturely detonates in the town Joe worked in. It was later discovered that someone in eastern Europe caused the milk shortage that lead to the diversion of resources which allowed the truck to… you get the point.

So how could this have been prevented? These are the types of doomsday scenarios that futurists are considering to predict what technology is going to look like and what may be possible. As we introduce new technologies into our lives, we rarely look at what kind of impact or threat they could pose to us in the future. IoT is a good example of something that needs to be controlled and secured now before it’s too late. Or is it already too late?

ShmooCon 2017 had fascinating talks on topics that don’t receive much mainstream attention. That’s what make it more interesting than many others. Scenarios  like this should be examined as we grow our technical capacities, both globally and on an individual basis. It’s encouraging to know that a small group of people are looking at the potential future threats that we could be creating. I recommend this con to anyone on a budget who wants to hear crucial information delivered by brilliant people. Just remember prepare yourself for the extremely limited time you have to actually get a ticket.