Tag Archives: Black Hat

Thoughts on digital forensics research

I always enjoy seeing crossover between statistics and computer science. In fact, one of my very first jobs involved using S+ (the closed-source precursor to R) to write code supporting a textbook my professor was writing at the time. These days, machine learning usually comes to people’s minds for that mix, but occasionally digital forensics can make use of these techniques as well.

Stochastic forensics

At Black Hat a few weeks ago, I attended a presentation by Jonathan Grier on stochastic forensics. I had visions of Markov models of user activity and malware Monte Carlo simulations.

As it turns out, this wasn’t too far off. Essentially, the idea is that we can infer certain data from a system by looking at its collective characteristics. In other words, we can measure across a large number of individual members and observe the behavior of the body as a whole to draw conclusions. The initial case related to data exfiltration. A client organization wanted to prove that a user had copied a large number of files containing proprietary data to an external drive. Windows doesn’t normally track this information except to a very limited extent in file access times, but even that only records the last time a file was accessed. So subsequent access to a file will overwrite that time stamp and destroy any previous record. For an individual file, then, we might have significant difficulty proving that someone had copied it. Worse, the user in this case had legitimate access to the data, so any single data point would prove nothing.

By taking a statistical view of the system, however, particularly looking at entire directory trees, we can plot a histogram of last access times and compare it to control data (from other directory trees not under suspicion). The observed pattern for normal usage might look one way, with most files not touched and recent accesses limited to a small set of files. But if a tree has been copied wholesale, such as via a drag-and-drop operation, zipping it up, or some other recursive copy, then the access times would look different. You would (hopefully) have a clear delineation of all the files accessed at some particular time and then a sort of power law distribution following from that, showing normal access patterns.

As I listened to the presentation, I noted a few weaknesses in his approach: manipulation of time stamps, for example, or perhaps other feasible explanations for this type of pattern. In particular, the file system simulator he wrote as an initial test did not strengthen his argument at all, because it essentially only verified the model he coded into the simulation rather than telling us something useful about “real” systems. His responses, in addition to explaining the improved testing methods he used later, mostly mollified me: this won’t always work, so you need to test carefully on the system in question (e.g. test to see whether the AV software overwrites time stamps). And the most it will give you is circumstantial evidence that something happened on the system at that time. Perhaps the user took a legitimate backup, for example. But now you have something to investigate further.
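To make the histogram comparison concrete, here is an added example (my own illustration, not Grier’s code or tooling) that bins last-access times for a suspect directory tree and a control tree and flags any bin holding a disproportionate share of the suspect tree’s files. The trees, bin width, timestamps and thresholds are all constructed for the demonstration.

```python
import random
from collections import Counter

def access_histogram(atimes, bin_seconds=3600):
    """Bucket last-access timestamps (POSIX seconds) into fixed-width bins."""
    counts = Counter()
    for t in atimes:
        counts[int(t // bin_seconds) * bin_seconds] += 1
    return counts

def peak_fraction(atimes, bin_seconds=3600):
    """Share of a tree's files whose atime falls in its single busiest bin."""
    if not atimes:
        return 0.0
    return max(access_histogram(atimes, bin_seconds).values()) / len(atimes)

def copy_like_bins(suspect, control, bin_seconds=3600, factor=10.0):
    """Bins in the suspect tree whose share of files is at least `factor`
    times the busiest bin of the control tree. Normal use spreads accesses
    out; a recursive copy stamps nearly every file within minutes.
    A hit is only circumstantial: a legitimate backup or an AV scan can look
    the same, and atimes can be altered, so verify on the actual system."""
    if not suspect:
        return []
    baseline = peak_fraction(control, bin_seconds)
    hist = access_histogram(suspect, bin_seconds)
    n = len(suspect)
    return sorted(b for b, c in hist.items() if c / n >= factor * baseline)

# Constructed sample data (not real forensic data): a "normal" tree whose
# accesses thin out over the past year, and a tree read wholesale one week
# ago, after which a few files were used again (overwriting their atime).
NOW = 1_700_000_000
COPY_TIME = NOW - 7 * 86400

def simulate_normal_tree(n_files, seed=1):
    rng = random.Random(seed)
    # exponential spread with a 90-day mean: a few hot files, a long tail
    return [NOW - rng.expovariate(1 / (90 * 86400)) for _ in range(n_files)]

def simulate_copied_tree(n_files, seed=2):
    rng = random.Random(seed)
    atimes = [COPY_TIME + rng.uniform(0, 120) for _ in range(n_files)]
    for i in rng.sample(range(n_files), n_files // 20):  # 5% touched since
        atimes[i] = NOW - rng.uniform(0, 6 * 86400)
    return atimes

if __name__ == "__main__":
    control, suspect = simulate_normal_tree(400), simulate_copied_tree(400)
    print("control peak share: %.3f" % peak_fraction(control))
    print("suspect peak share: %.3f" % peak_fraction(suspect))
    print("copy-like bins:", copy_like_bins(suspect, control))
```

On a real system you would feed in `os.stat(path).st_atime` for every file under each tree, and first confirm that atime updates are actually enabled on the volume.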

Forensic research

This led me to muse on the nature of research in information security. Sometimes we have a tendency toward the perfectionist fallacy: if it’s not perfect, then it’s worthless. In forensics in particular, this occurs for understandable reasons, because we have definitive standards of proof to meet (e.g. “preponderance of the evidence” in civil trials or “beyond a reasonable doubt” in criminal trials). So of course we really do need to look at the weaknesses of a system or an approach.

But if we find weaknesses, that shouldn’t be the end of the story. Instead, perhaps it can point the way for future research: if you think antivirus scanning will overwrite the time stamps, then test and report it. If you think that comparing access timestamp patterns only identifies anomalies, then say so and identify what sorts of anomalies might generate this pattern. Partial results can still provide value, even if not as much as we’d like. And of course further testing to invalidate a hypothesis or show problems with an approach provides great research value.

The research on stochastic forensics I discussed above will not revolutionize digital forensics. No long-standing large-scale theories will topple. On the other hand, we have an incremental result for other researchers to consider and try to validate or invalidate. We also have an idea that we can try to apply in other areas like network forensics.

Most scientific research advances, not in great leaps of intuition and revolutions that wipe the slate clean with an entirely new look at things, but in small evolutionary steps that work us closer to our goals of knowledge and information. We must treat our discipline as a science and not just an art to emulate the progress other fields of science have enjoyed.

Black Hat conversation with Neal Stephenson and Brian Krebs

Like a lot of hackers, I have always found Neal Stephenson’s works (especially Snow Crash, Diamond Age, Cryptonomicon, and REAMDE) particularly resonant. So when Black Hat announced that Stephenson would attend as a keynote speaker / interviewee, that provided half the reason I originally wanted to attend the conference. In my excitement, I didn’t even realize that they’d asked Brian Krebs to lead the conversation with him, so for me that resulted in a pleasant surprise. I noticed that Stephenson really warmed up when Krebs got off of the standard questions for authors and more into things that reflected the specific interests of the Black Hat audience.

Krebs and Stephenson

So I decided to post my notes here. These do not represent a transcript, only a paraphrase of what I got out of the conversation. I alone take responsibility for any mistakes and inaccuracies, but I did my best to capture things as well as I could.

Shame and sexism in Las Vegas

Last week, what I saw in Las Vegas made me sick. And I blame RSA for that.

I’m not a prude and there is a time and place for everything under the sun, so let’s establish context for this. Our expectations for, say, cocktail waitresses in a Las Vegas nightclub will differ materially from those for marketing staff and engineers at a daytime business function. I enjoyed my time at the RSA party Wednesday night, because the nature of the setting matters. I’m grateful to the company and its employees for inviting me in. That said, in 2012 at a professional conference such as Black Hat, we must not accept blatant sexism on the conference floor on the part of an official sponsor. What I saw this year disgusted me as a professional, and everyone at RSA involved with Black Hat should be ashamed of themselves for letting this happen.

RSA booth at Black Hat 2012

Of course, part of human nature includes the idea that some people will always attract attention because of their good looks and charisma. (I’m idealistic but not naive.) As adults and not adolescents, however, we all can distinguish between a woman’s physical attractiveness and her professional value, not to mention as a human being in general.

Yes, I said “women” in particular. In IT and information security, the inappropriate sexism nearly always occurs against women. We should not pretend that turnabout is fair play, of course: male strippers on the conference floor would also draw our ire, as it should. But our society has held women to a different standard for a very long time. Pretending otherwise would be disingenuous.

So while we can have a separate debate about charisma and professionalism, including for marketing and sales professionals, what happened last week offended on a lower threshold: women dressed in a sexually provocative manner for the sole purpose of attracting the classic “male gaze” and drawing in visitors not based on anything remotely related to the company’s offerings.

RSA should think about the message they send when they do this. Maybe they have so little confidence in their public image that they believe they need to drop down to this level just to stay relevant somehow. Maybe they still haven’t figured out a good PR response after they so badly botched the handling of last year’s compromise. Or maybe they just feel like this is still okay because, after all, security nerds are a bunch of nerdy boys just happy to be able to see girls anytime our bosses let us out of the data centers and cube farms. I can only imagine what the highly qualified women at the conference felt when they saw a major security company essentially affirming that this industry is a boys’ club where the only exception to the “NO GIRLS ALLOWED” sign is a stack of their dads’ Playboy magazines in the corner.

Others noticed, of course:

Money grab and booth babes at RSA’s #BlackHat booth by Neil Rubenking

RSA wasn’t the only offender here. Foreground Security and SecureNinja also provided booths with women in scant attire just to draw in visitors. But RSA went over the top here as a major sponsor of the conference, not to mention as a subsidiary of a large publicly held company and the organizer of a similarly sized large security conference every year.

I have no doubts that many people at RSA did not feel good about what their organization did last week. In fact, RSA certainly has policies about hostile work environments and sexual harassment that set a different tone from their public behavior. Thus I hope that they’ll have a vigorous and honest exchange of views internally and then join the rest of us in the 21st century the next time they sponsor a conference. An apology would be even better, but despite the “corporations are people too” meme, that’s not true. Corporations are made up of people, and the people who let this happen are unlikely to take public responsibility for their inappropriate decisions – but they could give us all a pleasant surprise by standing up and showing integrity. Apologize and show us what you’ve learned from this. Set an example.

Shame on the people who did this, and shame on RSA. You can do better, and next time I hope you do.

Lessons learned at Black Hat and DEF CON

‘Black Hat’ by Jimmy Flink

I’ll fly home today after ten days in Las Vegas for three conferences, two of which focused on information security (Black Hat and DEF CON). This has represented a really new experience for me, as I’ve never traveled to Las Vegas before, and I very rarely attend professional conferences of any significant size.

Being in Las Vegas this long is like eating too much chocolate cake. When you first dig into it, it tastes awesome and you really like it. After you’ve had more than you should, though, you can’t imagine taking another bite or what possessed you even to start eating it in the first place. I’ve had a great time here, spent some time with some really awesome people, and learned quite a bit from the speakers and classes and conversations. I also greatly appreciated the streaming via the hotel TVs at DEF CON. But I want to capture the meta lessons I learned.

General Las Vegas

  • Cash still reigns. You will cover a lot of ground with credit and debit cards, but often at a significant markup. Get cash, preferably not at ATMs on the Strip.
  • Food costs a lot here. I think it costs even more than eating in NYC or SF. So bring some nice clothes: not for the conferences, but if you’d like to go out to a nice restaurant (most of them), our standard geek uniform of cargo shorts and a black T-shirt won’t quite do it.
  • Don’t bother with moving hotels that much. You can reach most via walking, and taxis don’t actually cost very much. Far less than the hassle.

Black Hat

  • If you come before the briefings start, understand that the training follows a fairly intense schedule relative to most other tech training. It runs from 0900 to 1800 with two prescribed coffee breaks and a nice lunch. But my class, at least, easily ran all the way through the full allotted time both days. Don’t think of these classes as the normal breeze-through training that IT folks generally get.
  • You can easily avoid most of the vendor show, though having the coffee in that area does mean you’ll need to venture inside a couple of times, at least. Most of this will just consist of product demos by marketing folks or booth bunnies (yes, still, in 2011), but obviously some of them take it seriously. Meeting Dave Aitel in person impressed me more than it probably should have.
  • Look at more than just the briefings. Tool demos at Arsenal, workshops, the aforementioned training, and of course the social events all combine to make the conference much more than just a series of presentations.
  • Study the map given out at the registration desks carefully. Caesars Palace, like most businesses in its space, has purposefully designed its layout to make it difficult to find locations outside the casino areas. The conference center in particular will present a significant challenge unless you’ve spent lots of time there already.

DEF CON

  • Prepare robust communications. Lots of battery life (this applies to Black Hat as well), a hardened laptop possibly running some flavor of Unix, and a proper VPN connection (even via SSH if needed). Don’t simply trust the local cell networks, and definitely don’t depend on the conference network for normal surfing usage.
  • Just like Black Hat, don’t focus on the talks. Some of them have really awesome content, of course, though most of those will also present at Black Hat. But instead, find a contest or a workshop, meet some folks, perhaps support some of the vendors (as the vendor show is less about corporate demos and more about small businesses selling cool stuff).
  • Don’t bother with the official conference hotel if you can avoid it. The Rio, which has a two-year contract and thus should host DEF CON 2012, may look nice compared to the previous venue (or so I’m told), but I’ve had lots of problems here: elevators not working, odd stains on the couches, really loud shows in the public areas, and much poorer circulation than other places. I don’t plan to come back to the Rio.
  • You will need to navigate large crowds. I don’t mean the normal problems inherent to popular tourist traps, but something like thirteen thousand people attended DEF CON this year. Lines can get really long, not everyone showers, and alcohol plus impatient people equals possible trouble. Just take a deep breath and relax. Well, if the neckbeard next to you thinks SOAP is only a data protocol, maybe don’t breathe so deep.