The Coalfire Blog
Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.
The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.
My DEFCON social engineering talk and DerbyCon
September 11, 2012, Noah Beddome, Associate Assessor, Coalfire Labs
This year has been a year of firsts for me and for Coalfire. I was recently hired to my first information security job as a penetration tester for Coalfire Labs, the forensic and app/network testing side of Coalfire. Many of the Coalfire Labs team attended DEFCON in Las Vegas in early August. Not only was it my first visit to DEFCON as an attendee, but this was my first time speaking at a conference. Because it seems to be a year of firsts, we at Coalfire Labs thought it would be a good idea to share a first time speaker’s experience and an attendee’s views on this year’s DEFCON.
At first impression DEFCON is intense, and it only becomes more so as you experience what it has to offer. The days are full of everything from talks on privacy rights to highly technical talks on the latest exploits, while evenings are packed with vendor and networking events. While there are a myriad of different topics to discuss I wanted to bring to your attention a few sessions. Below I have listed the three talks I felt were most worthy of highlighting and beneficial to review (linking to videos or slide decks, if available).
Thoughts on Social Engineering
Owning One to Rule Them All - Dave Kennedy and Dave DeSimone
This talk was great because it demonstrated a real integration between network administration knowledge and mastery of Metasploit. Dave leveraged Metasploit and PXE boot to compromise a massive amount of systems simultaneously.
Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2 - Moxie Marlinspike
This talk made the list because it highlighted a flawed protocol that is still widely in use. In the talk Moxie explained how it is possible to crack any PPTP password if you are able to capture a handshake.
An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls (PDF) - James Kirk
In this talk James discusses the lack of a strong certification process for defense contractors, as well as an outright lack of sufficient Linux security controls being enforced for these contractors. This talk could have been titled “Why we need FISMA and FedRAMP.”
In addition to the main track of DEFCON speakers there were a lot of great talks at Skytalks (the smaller, unrecorded venue). I had the opportunity to give a Skytalks talk on social engineering and discussed:
The idea that the manner in which many social engineers currently approach social engineering perpetuates a poor mentality. The focus recently among many subsets of the community is that social engineering is just telling a good lie or making a good counterfeit. The reason this sucks is because it relies on the victim consciously and critically interpreting external stimuli. The goal needs to be to cause an internal reaction in line with the nature of the target.
I touched on several concepts that could help make social engineering attempts more effective. One of these concepts was “the RIP”, Reactionary Identity Preservation. This is when someone reacts to the compromise of their externally perceived identity. This is exploitable because the basis of human drives (excluding self-preservation) is closely tied to the exploration, definition, and preservation of our perceived identity. Simply put, we are what people think we are, and we don’t like it when that is threatened. We can exploit this by using it to elicit predictable reactions to specific stimuli in an interaction.
A Takeaway for First Time Speakers
For other first time speakers (or seasoned speakers), the single most important piece of advice I can give based on this experience is to rehearse and revise as much as possible. I spent several weeks writing, rehearsing and revising my presentation, and it was the level of comfort my many hours of practice gave me that allowed me to comfortably present and field questions.
Aside from the talks and events, the thing that is really memorable for me as a first time attendee of DEFCON was the atmosphere. DEFCON lacks the corporate restrictions of BlackHat, instead replacing the restrictions with a feeling of open collaboration and community that goes beyond industry and into shared passion for a field. The hallways were littered with groups huddling around power outlets trying to hack this year’s badges, while heated discussions about a variety of security topics were taking place in nearly every room. Overall it’s a great experience that I don’t think you can really get at any of the other cons, and I would highly suggest attending.
See you at DerbyCon?
As a result of the Skytalks experience, I have been invited to speak on a similar session at DerbyCon, this September 2012 in Louisville, Ky. While it’s not Vegas, I’m looking forward to speaking with and learning from other security practitioners. If you’re going to DerbyCon, consider attending my session or reach out via the comments section below to meet up.