Suits and Spooks Collision DC 2014 wrapped up this week, and I had the opportunity to speak on two panels at the event, "Exploiting End Points, Devices, and the Internet of Things", and "Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?".
"Exploiting End Points, Devices, and the Internet of Things" (Dave Dittrich, Kurt Baumgartner, Remy Baumgarten, and Roel Schoewenberg in Terry McCorkle's absence)
This technology environment of realtime connections, massive data collection and availability of automated daily routines is truly new. Current events demonstrate malware is attacking that environment specifically, and indirectly acting on our everyday routines.
All of these "things", like Google's recent purchase of Nest, the Nike "things", Sonos "things", health care "things", all support administation with Android and iPhone apps, and drive dependency on smartphones and tablets. Both iPhones and Android are demonstrably insecure in many ways. Our concern is attackers pivoting from these devices further into critical infrastructure.
"Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?" (Anup Ghosh, Kurt Baumgartner, Billy Rios)
Researching this topic uncovered complete data leakage across "cloud" customers due to poorly audited and logged partner application for a massive cloud service provider. There are also challenges with maintenance like wiping file systems and maintaining layers of web application security requirements.
The recent openssl.org and .net compromise and resulting defacement demonstrated difficulties in hypervisor management console access and authentication protection.
While hardware features that cloud systems run on may help enable exploitation, there are much lower hanging fruit for attackers to target.
On the offensive side, attackers love the cloud. Incident response is often stymied by cloud providers that will not work with research teams investigating drops, C2 and other criminal assets that private owners would most likely assist with. Quickly spinning up another C2 becomes very easy. An example of targeted attack operations hosting a portion of their infrastructure in the target country is outlined in our NetTraveller report. And finally, cloud computing provides some of the most powerful and cost-effective cracking platform and mass attack platform available.
Some of the discussions regarding the NSA's involvement in the development of DUAL_EC_DRBG and several companies implementing it as a default algorithm in their products became heated but seemed unfinished. While a slew of products support the algorithm, it seems that only a handful use it exclusively or by default. And the question of usage cases remains unanswered.
Other discussions were very interesting, with individuals debating the usefulness of creating a legal framework for organizations to actively defend themselves.
Conference organizer Jeffrey Carr discussed his decision to revoke his talk at the RSA Conference this year. He also made the very interesting note that Blackberry holds the patent on the algorithm, but their response to the situation is entirely mute.
It was a fantastic lineup of speakers to join. Chris Inglis (former Deputy Director at NSA), Christopher Hoff from Juniper, Steve Chabinsky from Crowdstrike, former Navy seals and US Secret Service Technical Security, intel analysts, and others brought informed views to debate, clarify and expand on extraordinary topics. The location unfortunately was hit with winter snow and weather, creating difficulties for speakers coming and going to their next event, but Jeffrey Carr has assembled an event that is definitely not the usual security con.