You Can't Handle the Truth

Note: this post deals with difficult topics. This is not suitable for minors, and may be inappropriate for others based on your history. I will also quickly admit that writing this is more for my own benefit than anything else (needed to get thoughts out).

This week I spent a few days in Dallas, TX at the Crimes Against Children conference. I started to say "I was privileged to attend…" but I'm not certain that imparts the appropriate gravity to the conference. This week wasn't a party. It wasn't a "good time". It wasn't fun. It was work. Hard work. I found myself having to force myself to attend the sessions.

The conference represented a gathering of folks from across the international community involved in fighting against the sexual exploitation of minors. The purpose included sharing stories, ideas, training, collaboration, and support. There were sessions ranging from digital forensics, techniques in interviewing victims and suspects, psychological assessments of both, avoiding burn out and fatigue of the officers and social workers in the field and many other related topics.

My role was a small one… to meet with other technologists and discuss the technical methods that these folks are employing to hide their activity, and to hypothesize on means by which we can better identify the suspects and victims with the goal of putting the best tools in the hands of Law Enforcement to enable them to quickly get the bad guys and rescue the children.

Unfortunately, to do this well, you have to learn a lot about what they are doing and how they are doing it. You have to think about how they will try to hide, and then think about how to uncover them without tipping them off as to your means and methods. This involves many hours of briefings of cases… details, specifics… enough to make a reasonable person sick to his stomach.

I learned things this week that I cannot share. They are a burden too great to place on someone simply interested in how my week went. Even the broad topic is enough to turn many away. For all but a few - and in many ways, myself included - the reality is that we can't handle the truth. We don't want to know about the evil around us. We don't want to acknowledge that this sort of thing happens - and statistically is happening - around us on a regular basis.

For me, the saddest part of the conference came as I was walking around the exhibitor floor and came upon a table where two ladies were selling oversized stuffed frogs. Unlike your average stuffed animal, this one was specially designed to hold (and hopefully comfort) a child during a post-rescue examination. As they discussed the features, such as a squeaker built into the hand to allow children who were otherwise too traumatized to speak to communicate, and a washable gown to provide hygienic protection for the frog, I found myself overwhelmed with the reality of it all. When they commented on how amazed they were with the advancements in software tools being brought to the fight, all I could muster in response was that if we did our jobs better, products like theirs wouldn't be needed. With that I thanked them and then walked away.

At one point, I stood on a balcony overlooking the conference floor and observed the over 3,000 men and women walking around… I felt like I was watching a group of warriors - and in many ways, I think I was. Here was a group of people who fight this fight each and every day. Men and women who pore over thousands of images and videos… emails, chat messages, search queries, etc. People who have the awful task of sitting down with a child that has just been rescued, and trying to help them regain a sense of normalcy… to regain the sanity that was stolen from them. I found myself proud to be in their company, and my resolution to help them strengthened.

During one briefing, an agent was discussing a bit of functionality that had been recently added to one of his team's forensics tools. "We have closed 7 cases as a direct result of that feature." That is the kind of thing that gets me jazzed. That is what pushes me on… maybe something I or my team builds could some day receive a similar accolade… I can think of little better.

If you are a technologist reading this post, I want to encourage you to look beyond the day-in-day-out of your work responsibilities and find something truly important to which you can apply your craft. You can make a difference. You can help someone. I'm not suggesting that you quit your job, but rather that you view your job and the skills it helps you develop and maintain as an enabler for good in the world. Look for an outlet - a cause you can get passionate about, and do what you can to help.

If you know someone who is involved in rescuing these kids and putting these folks away, thank them, give them a hug, and then buy them dinner. Talk to them about normal life… baseball, family, happy things… give them some escape from the horrors they face each day, and be understanding when they just need to be quiet or alone.

If you are someone on the front lines of this fight - I want to thank you. You are doing a job I wish we didn't need, but is incredibly important nonetheless. Each child that is identified and rescued makes it worthwhile. Each technology capability that we remove from their toolkit, each additional tool we add to the arsenal of the investigators that enables them to more quickly do their job, each time we make it harder for these folks to continue hurting kids… those are good days.

CodeMash 2014

I'm finally wrapping up CodeMash 2014 and, while it turned out much differently than I expected (I had to leave early on Thursday), I really enjoyed the conference and had a blast presenting and getting to interact with a number of folks.

As discussed, I've included links to the videos and slides below:

Scary and Amazing Security Things

I'm working on getting ready for my precompiler at CodeMash in just a few weeks and I'm incredibly excited. Last year I had a blast presenting alongside Bill and talking with many in the developer and security community.

This year, Bill is doing a talk Tuesday afternoon on Applied Application Security that I'm quite excited to attend. You can learn more about the details of his talk here: http://www.sempf.net/post/Applied-Application-Security-at-CodeMash.aspx

I will be giving a talk covering a number of security-related topics on Wednesday morning. I have the following items on my list to discuss:

  • Hiding in Plain Sight
  • Passwords?
  • Software Defined Radio & the Hacker
  • How well do you know your Runtime?
  • Open Discussion – how do *you* guarantee your machine isn’t compromised?

There are no prerequisites for my talk other than an open and inquisitive mind. We will have a number of demonstrations and will try not to adversely affect anyone else's talk :).

I hope you will consider joining me and participating - I look forward to seeing you there!


Offensive Forensics/CSI for the Bad Guy

This talk was interesting as it relates to some of the forensics work I've been doing for my day job; however, the premise was that rather than using forensics techniques to uncover illegal activity, they can be used to uncover material important for pen testing/red teaming. They gave some examples from real-world pen tests that they have worked on where they were bit by not having used these tactics, and some where they benefited from having used them.


Making this more interesting, they announced that they were going to be releasing a metasploit module (forensics_scraper) that, once you have a foothold on a machine (i.e. meterpreter shell) could be executed to batch collect/download this forensic data (MFT, reg data, etc.). They are expecting that the module will be released “soon” (probably a few weeks) – status can be followed here: http://www.rhinosecuritylabs.com/blog/


The slides for the talk are available at this post: http://www.rhinosecuritylabs.com/defcon-21-offensive-forensics/

All Your RFz Belong To Me

This was one of the best sessions that I attended at DefCon, and was also the longest (double-length). The room was packed, and the aroma “fresh”... however the content made up for all of that.

Essentially, the guy is an RF nerd who, utilizing old-style equipment and now SDR, pokes around with (i.e. listens to) signals in the air and tries to figure out what they are.


As an example of what he has been learning, he referred to ATCRBS and, of particular interest, the ADS-B Mode S signals that are provided by all airplanes (http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast). He demonstrated an application he has written that simply listens to the (unencrypted) signals in the air near airplane traffic paths. They include all sorts of information about the plane, including GPS location, status of on-board equipment, etc. It is fascinating that the information is out there, that it is unencrypted, and that, technically, you could transmit the signal yourself (NOTE: this is illegal).
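To make the "unencrypted, anyone with a receiver can read it" point concrete, here is an added example (my own code, not the speaker's application) that parses one ADS-B DF17 aircraft identification frame and checks its 24-bit Mode S CRC; the sample frame is a widely published test vector and the bit-flip is constructed. The defender's takeaway is that the CRC only catches transmission errors and is not a signature, so integrity alone cannot tell a receiver whether a frame came from the aircraft it names.

```python
# Added example (not the speaker's application): decode one ADS-B DF17
# "aircraft identification" frame and verify its Mode S CRC-24.
# SAMPLE_FRAME is a public test vector (ICAO 406B90, callsign EZY85MH).

GENERATOR = 0x1FFF409  # Mode S CRC-24 polynomial, x^24 term included
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"
SAMPLE_FRAME = "8D406B902015A678D4D220AA4BDA"  # 112 bits as hex


def modes_crc(frame_hex: str) -> int:
    """CRC remainder over the whole frame (parity included); 0 means intact."""
    bits = int(frame_hex, 16)
    for i in range(len(frame_hex) * 4 - 1, 23, -1):
        if bits >> i & 1:
            bits ^= GENERATOR << (i - 24)  # one GF(2) long-division step
    return bits & 0xFFFFFF


def decode_identification(frame_hex: str) -> dict:
    """Return DF, ICAO address, type code and callsign of a DF17 TC 1-4 frame."""
    raw = bytes.fromhex(frame_hex)
    df = raw[0] >> 3                          # downlink format: 5 bits
    icao = raw[1:4].hex().upper()             # 24-bit aircraft address
    me = int.from_bytes(raw[4:11], "big")     # 56-bit ME (message) field
    tc = me >> 51                             # type code: top 5 bits of ME
    if df != 17 or not 1 <= tc <= 4:
        raise ValueError("not an ADS-B aircraft identification message")
    # Eight 6-bit characters follow the 5-bit TC and 3-bit category.
    callsign = "".join(CHARSET[(me >> (42 - 6 * k)) & 0x3F] for k in range(8))
    return {"df": df, "icao": icao, "tc": tc,
            "callsign": callsign.replace("_", " ").strip(),
            "crc_ok": modes_crc(frame_hex) == 0}


def flip_bit(frame_hex: str, bit: int) -> str:
    """Constructed corruption: flip one bit so the CRC check fails."""
    corrupted = int(frame_hex, 16) ^ (1 << bit)
    return format(corrupted, f"0{len(frame_hex)}x").upper()


if __name__ == "__main__":
    print(decode_identification(SAMPLE_FRAME))
    print("corrupted remainder:", hex(modes_crc(flip_bit(SAMPLE_FRAME, 40))))
```

Note that nothing in the frame binds it to a transmitter: any party that knows the format can produce a frame with a valid CRC, which is why ADS-B position data should be cross-checked against independent sources (e.g. radar) rather than trusted on its own.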


If you are thinking through what I just wrote, and saying “no... that can't be true”, I point you to the following: http://maps.spench.net/aviation/ and http://spench.net/drupal/research/mode-s


A couple of links/tools of particular interest:

Wireless Penetration Testing 101

I attended this session as my last of the day, and honestly didn't expect much. As some of you know, I have spoken on wireless pen testing a handful of times, have done some training and certification work, and generally feel like I know the basics fairly well.

I was pleasantly surprised to walk out having picked up a number of small, but useful tips/tricks.

  1. http://wigle.net - an interesting site that I may contribute to as a result of my "research" driving
  2. airdrop-ng: a program used for targeted, rule-based deauthentication of users.
  3. Espoused the benefits of a three-card setup for wireless pentesting... I think I'm going to spend some more time discussing this with them.
  4. As they should, they stressed the importance of having clear rules of engagement defined ahead of time, and the use of one card for pure logging/defense of what you did/didn't do.
  5. airgraph-ng: a tool for generating graphs of what you are/are not seeing in the air.
  6. Practice, Practice, Practice! - I like this point as I learned it the hard way... testing RF stuff is challenging, and the tools can be confusing... practice repeatedly, know your gear, know your setup.
  7. Precision - also something I appreciated was their focus on precision... it is easy to spray & pray when it comes to wifi testing, but it is a different thing altogether to very selectively target a network/client set in an RF-heavy environment.

There was also some conversation around studying other RF protocols such as zigbee, bluetooth, amateur radio, etc... hoping to learn more on this topic in Day 1's talk on RF.

Decrypting DEF CON

This talk was given by one of the head guys of the con, specifically the guy responsible for the human badge challenge. He talked a bit about himself, the way he views the world, and gave some hints as to how one might go about solving some of the challenges associated with the badges, the lanyards, the stickers on the floor of the con, etc.

I found it interesting that there are over 40 distinct challenges/puzzles tied up in this year's badges. Further, the number of distinct badges is high... and it will take seeing all of them to solve all of the problems. One of his primary goals in constructing the challenges is to force people together... to work as teams, to get to meet people, etc.

What I appreciated the most about this talk was not the primary topic, but rather the side comments that the speaker made... he spent some time bemoaning the state of "computer science" practiced by many - especially those who do the forms-over-data type work... he was being reasonable (there is work to be done, etc.) but he is concerned that we are turning out a large cadre of developers who don't really understand the platforms that they are building on - and that fact might have implications far into the future.

For example, to the programmer who claims he knows that computers are made up of 1's and 0's, he suggested that you take a box of switches and "go make Pong".

He also challenged the "hackers" who spend so much time being excited about the vulnerability they discovered... he flips the coin and asks... did you study it to find how to protect against the attack? How should it be secured? Do you really understand what is going on? Or were you just lucky to find a particular overflow string?