BSides and DefCon – anyone in IT knows them well. Both hacker conferences have a world-wide reputation, and admission tickets are in high demand. The events offered not only lectures, but also hacker contests and workshops; opportunities for networking abound. Of course, InfoGuard could not miss such events! Umberto Annino, Principal Cyber Security Consultant at InfoGuard, attended both conferences in Las Vegas, and lived six most exciting days. Are you interested in hearing the latest trends from BSides? In this post, he reports about the highlights, and spills the beans for you.
The first item after a pleasant direct flight from Zurich to Las Vegas was sleep, as the nine-hour time difference got to me more than expected. So I used the first day to synchronise my internal clock to Pacific Standard Time, and inspect the hotel’s swimming pool, instead of exploring Las Vegas as planned. In retrospect a good decision, since in the following days I would clearly be short of sleep: a hefty dose of IT and Cyber Security news was before me. You are probably wandering what expectations had I made? I was primarily interested in learning what are the foremost themes on the hacker scene; because only by understanding such themes is it possible to be proactive and thus successful in the marketplace. And of course, I was also full of anticipation to quench my thirst of knowledge, even if only for a short time, which is usual in our industry.
150 events in 48 hours – BSides, Day 1
Registration to BSides is generally free of charge; therefore, tickets are in hot demand. As a financial supporter, however, I received a badge, and a full load of “swag”, such as a T-Shirt, decals etc. The lectures were grouped under creative mottos and were given in accordingly named rooms, such as for instance “Breaking Ground” for actual research, “Ground1234!” for password security, “Hire Ground” on recruiting and job applications or “I Am The Cavalry” for IoT security. A staggering number of presentations were available: over 150 events in two days! Not easy at all, to make one’s mind amidst such offering.
IoT: something wicked
At the beginning of day one I attended the apparently very popular lecture “Something wicked: defensible social architecture in the context of big data behavioral econ, bot hives, and bad actors”, on business critical technical and operational issues as well as dependence on unreliable things. The bottom line was, “If you can’t afford to protect it, you can’t afford to connect it”, which is a striking description of how information security still receives too little attention in the IoT industry. On which I totally agree.
Banking on insecurity – and how to fight it off
Next I moved on to a presentation on “Banking on insecurity: the ongoing fairy-tale of securing financial institutions”, which gave us an overview on large, well-known ATP attacks. The lecture had already been often quoted in advance on Twitter and other news outlets, which resulted in the room being chock-full already half an hour before the start. In addition, taking pictures or films was banned. I was lucky just to be there; and let me tell you something, it was definitely worth being there. The bottom line was that in the future the “goodies” must communicate with one another much more, if they want to check and restrict the “baddies” head start. It is as obvious as daylight that we have been making the same mistakes over and over again for years, without having learned much from the past. This knowledge is not new, and it is good that we are somehow going in this direction.
Fire alarms, next-generation security and travel ban: security at all levels
After a brief – thankfully false – fire alarm, the next item on my programme was networking with other Swiss cyber-colleagues. And because of the long queues, food time came scanty during the day; not to worry, though, I was not made to starve.
The finish-off of the day offered a multifaceted programme for prospective security specialists, including lectures and tips on the construction of a CV, with encouragements and information on how to best position themselves on the labour market in the future, where several enterprises are constantly scouting for new talents. My plan also included a presentation by Ayoub Elaassal concerning “Mainframe Hacking”, which I eagerly expected; but unfortunately Elaassal, with his Moroccan passport and the current travel ban, could not make it to the event, which saddened me a bit.
Day 2 – Hacking is easy, hiring is hard
Despite the disappointing closure of the previous night, I started happily into the second day, which began with a presentation named “Hacking is easy, hiring is hard”. The issue of motivation and recruiting of specialists has a special place in my heart. On the one side, I was glad to meet these “soft skills” themes at a hacking conference; on the other, staff management in a situation of acute shortage of skilled persons is a strategic theme for any information security enterprise.
Lack of specialists in the cyber security industry
One of the points that were made was that there aren’t just Line Management careers, and that there must be a provision for adequate career paths for specialists too. Not everybody is motivated and appropriate for People Management – especially those who chose this profession out of pure technical interest. There are also plenty of employees who don’t care for meetings, which – according to the speaker – are the most important management instrument. It must be remembered, however, that the heart of a meeting is the conflict: a meeting in which everybody nods in agreement and there is no real debate, does not lead anywhere.
Baby got hack back
Further ahead in the programme was a presentation called “Baby got Hack Back” - and no, it didn’t have anything to do with babies. It is an ingenious twist between a “hack back”, which is an active counterattack against an aggressive action, and “Baby got back” which alludes to a song. You will have noticed how creative hackers are! The content of the presentation was focused on the real meaning of a “hack back”, the difference from “active defence”, and the legal implications, which led to a controversial discussion. Of course, none of this is of any use under European and Swiss legislation.
On went the programme – and I was hungry again. The following presentation was a speech by a former NSA employee, who gave career tips. His advice: grab the current opportunities of knowledge growth, because never has self-teaching been easier than today, with scores of books and the Internet: do it now.
Don't cut your fingers off!
The day ended with a speech on “Improvised physical security tools for improvised situations”, which I was particularly interested in attending. It began with an explicit, humorous disclaimer: “When working with tools, be careful – especially when cutting metal, wear gloves. Don't cut your fingers off – fingers are important!” The speaker listed a number of reasons for building one’s own tools. He started relatively easy with a tool to open doors, basically a wire loop pushed under the door gap. The following tools saw a remarkable increase in difficulty. However, the presentation confirmed once again that the American door-and-lock system just cannot compete with ours: it is easy to build effective break-in tools with relatively cheap means; and of course the tools are only intended for commercial, legitimate usage, such as penetration tests.
Two days after the BSides conference…
In retrospect, the 2017 edition of the BSides conference was very interesting. For me, however, there was nothing really totally new; this is due on one side to ageing, and to the wide store of experience I have been gathering; on the other, to the choice of presentations. It is really not easy to pick the right lectures just by reading titles and abstracts; the presentations and discussions basically confirmed me in my everyday thoughts. However, for a newbie cyber security specialist with little experience, the BSides was in any case a very good opportunity to receive valuable input from experienced professionals and share their views. So this is my closing advice to all future experts: go to BSides 2018 and take your chance to plan your career accurately.
...on to the DefCon!
So much for the BSides. And now to the DefCon! If you wish to know what I experienced in the following four days at the DefCon 2017, then you just cannot miss the second part of my Las Vegas diary. It comes in a few days, so don’t miss the next blog post. The best thing to do is subscribe to our blog update; so every week you will receive new, exciting features on cyber security and cyber defence, right into your e-mail!