Is IT becoming extinct? (no)

Not really security related, but in response to this article…

This is a typical example of someone generalizing for the sake of a shock-value title to their article. He does have some valid points, but nothing he says is new or even a surprise. Business has been outsourcing commoditized labor since the beginning of time; my organization is going through an adjustment of all aspects of back office business, not just IT. The author makes a valid point when he talks about ADP not just selling payroll software but doing it for you.

It’s the nature of the business beast that if someone else can do it cheaper, why not go with them? I used to work with a Managed Security Services shop whose customers outsourced their security practice to an external provider. This was a great idea for shops who weren’t in the business of securing networks but still needed a level of security that your average admin couldn’t provide. Where it got hairy was when the security team at a company was completely outsourced to our shop, leaving 1 or 2 stragglers behind to manage the whole enterprise (with us, of course). Of course we could do it cheaper, but their management often underestimated and grossly miscalculated the value of in-house talent, especially when the shit hit the fan.

The main problem with getting rid of IT Services in favor of an external source (or getting rid of them in favor of “smarter users”) is that you lose that personal touch with the history and architecture of your IT systems. Senior management *is* disconnected from IT; that’s *not* a reason to outsource your IT force, it’s a reason for more IT people to become businesspeople, so the value of IT services is truly recognized throughout organizations. People like to focus on IT staff and services as a reactionary force, i.e. something’s down and we need to fix it, but what about the 99.999% (depending on your network ;P) of the time that these systems are up and running fine? The IT staff is continually working to improve services and keep things running smoothly so everyone else can do their jobs. The demand for highly skilled IT folks isn’t going anywhere, because whether you outsource your IT services or keep them in shop, the requirement to implement, manage, and maintain those systems will always be there.

The title of this article *should* have been “Is IT being commoditized?”, much less sexy but more on point. The answer is “yes”. Will there come a day when people can use a computer just like they use a telephone or wall socket? Maybe, but I think it may be 50 years too soon to call IT on the road to extinction; I wouldn’t even put it on the endangered list. =)

March 24th, 2008

How to drill out a padlock

I recently started honing my lockpicking skills after my trip to Defcon and gross exposure to the world that is physical security circumvention. I have a few padlocks that I can pick pretty easily now, so when my friend asked me to pick a padlock that was stuck on his snowboarding bag I thought “no problem”. Well, 2 hours and a bucket of grease (real and elbow) later, as well as a hand from my buddy Raven (who is better than I am), I gave up and looked up how to drill out locks. After a quick Google search I came up with this pretty good article. After 2 tries I got it; what to keep in mind is the higher you can get on the lock cylinder (the top of the shear line), the better results you’ll have drilling out the pins. Obviously drilling straight down the shear line would be the cleanest solution, but remember I’m a n00b.

The moral: if you can’t pick a lock and noise isn’t an issue, a good drill bit will get you past most locks in about 3-5 minutes.

The final disastrous result:

September 11th, 2007

A n00b’s first time in Vegas for the con(s)

Intro:
This was the first year that I attended the much renowned and famous Defcon/BlackHat conferences in Las Vegas. I somewhat knew what to expect going in from friends’ accounts from years past. My expectations were that BlackHat would be more formal and professional than Defcon, as it costs roughly thirteen times more for the briefings. I also expected more professionals and smart people at BH vs. tons of kiddies and wannabes at Defcon. My expectations were right in some cases and wrong in others.

Black Hat Briefings:

Day 1:
The briefings started with an introduction by Jeff Moss and a keynote by Richard Clarke. Clarke was the counterterrorism czar during the Clinton and some of the Bush administrations and widely criticized the Bush administration after 9/11 for not taking preventative measures. His talk was mostly theoretical about how technology (nano, Internet, bio) will shape the future of human civilization. Mostly it seemed like a plug for his book, but he was entertaining nonetheless.


Here is a list/quick synopsis of the briefings I attended on Day 1 of BlackHat:

Black Ops 2007: Design Reviewing the Web – Dan Kaminsky
Kaminsky gave an excellent talk on using just a browser’s API to completely own a network. He commented several times on how browsers now are their own operating system. He presented several tools to assist an attacker in using a “lured browser” to create tunnels using just built-in calls in browsers, with direct access to the TCP/IP stack of the target machine.

PISA: Protocol Identification via Statistical Analysis - Dhamankar & King (TippingPoint)
This was a very interesting talk about using statistics to identify non-standard traffic. With the proliferation of different tools that use HTTP or an encrypted channel, it’s a lot harder for IDS analysts to identify what’s coming in or out of your network. Their tool will take a pcap dump of data and, based on predefined statistical profiles, identify what kind of traffic is traversing your network. In the example given, a several-gigabyte pcap was analyzed and Skype traffic over port 80 was identified based on specific client-server traffic that is inherent to the protocol.

Tactical Exploitation: HD Moore & Valsmith
This talk included an awesome demonstration of complete pwnage by HD Moore (the creator of Metasploit). The gist of the talk was to use non-sploit methods to pen test targets: using sites like domaintools, gathering information about organizations with Google, sending phishing emails to gather info about users, etc. etc.

Moore’s talk ended with him owning a completely patched Windows XP SP2 machine without user interaction. Basically he exploited a trust model inherent to Windows that gives a LANMAN hash to a requestor without any authentication. The “non user interaction” piece came in by using a bogus proxy server called “WPAD” that Windows looks for automatically if the “automatically discover proxy servers” option is used in IE.

IsGameOver(), anyone? – Joanna Rutkowska & Alexander Tereshkin
A lot of this talk was over my head because it was ultra-technical. Basically what I got from it is that virtualized rootkits are alive and well and can evade detection techniques that have been presented since the introduction of the “red pill” rootkit by Rutkowska at Black Hat 2006.

Day 2:

Day two began with a keynote by Bruce Schneier on “the psychology of security”. Needless to say the ballroom was packed with people vying to listen to Bruce talk. He presented some interesting statistics on how people associate risk with events; people are more likely to associate risk with man-made events vs. natural events, for example. Overall it was a fascinating speech and well worth checking out.

Here is a list/quick synopsis of the briefings I attended on Day 2 of BlackHat:

Computer and Internet Security Law – Year in review 2006-2007 – Robert Clark
Clark went through a synopsis of recent cases that involved Internet Security. Nothing too interesting but his talk focused on technical people being able to relay information to the legal field at a “3rd grade level” so that the legal system can interpret technology correctly and without confusion.

Disclosure and Intellectual Property Law – Jennifer Granick
Granick went over the procedures that security researchers should take when reversing or fuzzing software to find exploits. She specifically went over the Michael Lynn case where he tried to present a vulnerability in Cisco IOS and subsequently lost his job from ISS (pre-IBM) and was sued because of his attempt. He did present at Black Hat 2005 and was represented by Granick in his case and won.

Estonia: Information Warfare and Strategic Lessons
What I thought was going to be an interesting talk turned out to be a lot of fluff about how the Russian “blogosphere” came together to help DoS Estonia’s infrastructure. The talk was almost completely non-technical (purposefully?), but what I did find interesting was that due to the recent nature of Estonia’s existence, almost all of their financial and government infrastructure was Internet based. Therefore a DoS attack on their systems basically crippled the country for almost 2 weeks.

Strengths and Weaknesses of Access Control Systems
A fascinating talk from 2 MIT students about physical security and how it basically sucks. They covered the different types of locks and physical security measures (biometrics, etc.) and how to pick, circumvent, and otherwise bypass pretty much any “state of the art” lock mechanism.

Iron Chef Black Hat
This talk was better on paper than it turned out to be. Basically 2 teams from Fortify Software squared off for 45 minutes trying to find security holes in JSPWiki, a product that neither team knew they were going to be pen testing before the conference. In the end both teams found holes (XSS, SQL injection, possible command execution) but didn’t actually exploit any and listed them as “potential” vulnerabilities. I forget the results but the judges were more entertaining than the actual talk.

Defcon 15:

My Defcon experience started Friday morning when I got to the Riviera for registration. Registration at Defcon was much more organized and smooth than BlackHat; I got my badge and materials quickly and was off to my first talk. The Defcon badge this year was killer; it consisted of a PC board with a fully programmable LED system (to display messages) and an RFID chip.

Here’s a list of the talks that I attended in my 2 days at Defcon:

Church of Wifi Wireless Extravaganza – Renderman et al
A cool talk about what’s going on project-wise with the Church of Wifi and in overall wireless security. Renderman talked for a while about the lack of tools and APIs for hacking/testing Bluetooth, they released their wifi pen testing live boot Linux distro, and talked a bit about their WPA cracking rainbow tables, which have now grown to over 30 gigabytes.

SQL Injection and out of band channeling – Patrik Karlsson
A very interesting talk about hacking a backend SQL server and using covert channels to export the data. Protocols such as HTTP and DNS were used to get database info using only built-in functions in SQL Server and Oracle.

Breaking Forensics Software – Palmer & Stamos
My first talk on forensics focused on flaws specifically in EnCase that can be used by attackers: inherent flaws in authentication, data collection, and trusts that could be used to falsify images, data, and network traffic.

Re-animating Drives & Advanced Data Recovery – Moulton
A talk about getting data off of dead hard drives, actually removing hard drive parts, platters, etc. to get data that can’t be lost (i.e. make backups).

Bridging the Gap Between Technology and the Law – Benson
Yet another talk about the Law and Security. This talk focused on a substitute teacher who was served jail time because some of her students accessed porn on a school computer while she was teaching. Very funny, and very enlightening.

Tactical Exploitation – HD Moore
Same talk as Black Hat but the proxy exploit worked for Moore this time. This was also the talk where the Dateline reporter was exited from the conference.

Meet the Feds
The feds took the stage instead of being “spotted”, the tide was turned when they played a game of “spot the lamer” when they brought up a bunch of kids and asked them geeky questions. Some insightful questions were asked but a pretty boring talk all in all.

No-Tech Hacking – Johnny Long
I’d heard about Johnny Long’s talks in the past and how entertaining they were, so I was pretty pumped about this one and I was not disappointed at all. Long went over some examples from his forthcoming “no tech hacking” book. He shared techniques on shoulder surfing, taking pics in public places, dumpster diving, and just plain talking to people to gain information. He uses a combination of social engineering and just plain exploiting the general public’s stupidity when it comes to security to gain access to some pretty interesting places.

Tor and Blocking resistance – Dingledine
A talk about Tor and how the developers are planning on making the app more extensible and less vulnerable to blocking in the future.

Securing the Tor network – Perry
Another Tor talk, this time focusing on making Tor more secure from the standpoint of preventing rogue servers that may compromise the identity of the user maliciously.

CaffeineMonkey – Automated Collection, Detection and Analysis of Malicious JavaScript – Peck & Feinstein
A very fascinating talk about using automated tools to deobfuscate malicious JavaScript code, even on the fly with IDS!

Hardware Hacking for Software Geeks – Gustin
An awesome talk about the basics of building PC boards and hacking different hardware platforms for people who are EE novices.

Hacking Iraq – Schearer
Another talk from the Church of Wifi, this time dealing with a deployment of one of their members to Iraq to help combat the proliferation of wireless devices as they relate to Improvised Explosive Devices (IEDs).

Conclusion:

Many of my assumptions about the conferences going in were completely off base. I think maybe in past years Black Hat was more low key, professional and less crowded than Defcon, but the explosion in attendance has left it overcrowded and in dire need of a bigger venue. I was disappointed that most of the talks given at BlackHat were going to be duplicated exactly at Defcon; considering the price of both conferences, the quality of speakers and talks was almost exactly the same. So, in hindsight I would probably have gotten almost the same experience and exposure if I had just attended BlackHat, but the good part was that I could attend overlapping talks I missed at BH again at Defcon. Overall the experience and knowledge I gained was great, and I would recommend the BH/Defcon experience to everyone in the security field.

September 6th, 2007

