Over the past decade exploitation techniques have been developed and refined to the point that very little expertise has been needed to successfully exploit software vulnerabilities.  These refinements have lowered the bar for attackers and drastically increased the probability that an attack will be successful.  This has led to the need for mitigation techniques that can prevent or otherwise reduce the reliability of a given exploitation technique.  In relation to one another, we can think about exploitation techniques as attempting to drive the probability of successful exploitation to 100%, whereas mitigation techniques attempt to drive the same probability to zero.  While probability gives us a nice measure for the effectiveness of a mitigation technique, it doesn't give us immediate insight into the specific problems being solved by mitigations or the techniques that are being used to solve those problems.

Understanding the problems that are solved by mitigations is what provided the motivation for the presentation I will be giving at BlueHat.  Many of the materials in this presentation were taken from my work with Leviathan Security Group and have been repurposed to focus on taking attendees on a journey through the technical evolution of the mitigation techniques developed by Microsoft.  This evolution is illustrated in terms of the problems each mitigation technique is attempting to solve, the methods used to solve them, and how well each mitigation has stood the test of time thus far.  The journey itself starts first with /GS and ends with a glimpse of the mitigation techniques we might expect to see in the future. 

So what motivates me to attend BlackHat? The #1 reason for me is networking — meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends in the industry. Twitter and other forms of microblogging help you chip away at the communication gaps; you get a glimpse into peoples’ lives but it’s no replacement for a real conversation.

Obviously, the briefings themselves are a major draw. Even though it’s expanded to over 10 tracks now, the quality hasn’t really suffered. This year’s experiment with allowing paid delegates to vote on speakers seems to have produced a good lineup, though I’m sure there was still a selection committee that could and probably did overrule the votes in some cases. Either way, BlackHat presentations are a decent indicator of the overarching themes that will be prevalent in information security for the upcoming year or two.

When I first started attending BlackHat, I was drawn to the talks discussing 0-day vulnerabilities, tool releases, shellcode tricks, and the like. These days, anything relating to static analysis, automation, and of course web security are most interesting to me. I also consider who’s speaking, regardless of the topic (e.g. one of these guys presents, I’m there). In general, I’ll try to gauge how much value the speaker will add to the presentation — in other words, what do I gain by attending the talk vs. flipping through the slides later? I never attend every time slot; sometimes the hallway conversation is just more interesting.

Some of my other reasons for attending, in no particular order, most of which fall under the “networking” umbrella:

• The parties (duh)
• The Pwnie Awards
• Meeting fellow security bloggers
• Recruiting speakers for SOURCE
• Finding future Veracode employees
• Trading war stories
• Picking up vendor schwag for my kids (RSA is much better for this one)
• Meeting current and former customers — and future ones, hopefully

Things I could do without:

• The cigarette smoke
• The heat
• Quark’s

I’ve stuck around for DEFCON a couple times in the past, but I don’t anymore. I fly out Friday morning or early afternoon so I get home in time to spend the weekend with the family. Personally, three days in Vegas is plenty for me.

When it gets closer to BlackHat time, I’ll post my picks from the briefings schedule.

After hearing his speech, I thought about how Eric and Google are impacting the digital revolution after so many others have tried unsuccessfully over the last 25 years. He has led the company through a period of explosive growth from $1 Billion to over $16 Billion in the past year, while keeping the young, fun, irreverent culture intact. Considering the meteoric rise of Google’s popularity in a reasonably short period of time, to the point that the company name is now actually a verb!

The point that I found enlightening was his summary, which you can scroll to at the 26 - 30 minutes timeframe in the presentation, where he shared an interesting glimpse into the culture of Google. “Creating more luck, giving yourself more at bats, being out there… to think big and inspire a culture of YES.” The culture of Yes inspires people to aim higher and be ambitious in their reach and goals.

That is a very interesting point in which I really believe. If there is one thing that all companies and especially small companies struggle with because of natural resource constraints, it is building a strong culture of Yes. We have tried to do this from the very inception of ScienceLogic, but it continues to get harder and harder the larger the business grows. To consistently inspire a principle of Yes, without agreeing to every idea that flows across my desk is amongst the most challenging parts of our daily jobs. However if I could create the perfect scenario, we would intuitively strive for a principle of Yes and inspire our associates and our ecosystem of partners and customers to use this simple concept to confidently go forward.

Eric says, “It is possible to build a culture around innovation. It is possible to build a culture around leadership, and it is possible to build a culture around optimism.” Google is a great example, but by no means the only example. I agree with Eric’s summary and hope to lead ScienceLogic according to these very basic but essential principles. “Let’s be revolutionaries. Let’s take this opportunity, this huge change that is before us with technology and let’s change our businesses, our communication and the way we interact on some new principles that reflect the very best in America.”

ShareThis

Yesterday, the emails and group posts were flying around like crazy. Our little neighborhood has a private Yahoo Group for residents to communicate and connect- I’ve been overjoyed to have the online venue and it certainly proved useful these past couple of days.

We live at the end of a cul de sac, with a lovely wooded area occupying the space past our fenced-in back yard. Past the woods is a main street they’re in the process of widening. (I know, grrreeat). A couple of weekends ago, two adult men (who were obviously out of place) came up behind our house out of those woods. Our lab/rottie mix (who looks like a full Rottweiler) took notice and wasn’t happy.

So, as any good dog owner would do in that situation… I let her out to have at it. The yard is fenced, so there was no danger of anyone (them or her) getting hurt. But- it was enough to scare the crap out of them and their lackadaisical walk quickly turned into a swift gait the other direction. I couldn’t help but giggle a little.

Mission Accomplished. For now anyway.

I didn’t think much about it until yesterday when my inbox lit up with posts to our online neighborhood group. It seems there have been several similarly suspicious situations (say that 3 times fast) occurring at various times of the day and night in our little corner of Earth. Mostly, what we (the neighborhood) deemed a childish prank has now turned into a full blown ‘security’ issue. (You knew that word was coming!)

It started with harmless prank doorbell-ringing, but the offense list has grown to include instances of beating and kicking doors in the wee hours of the morning. Other neighbors have noted recent instances of someone coming onto their back deck and tapping on the back door, only to have disappeared before the home owners could make it downstairs. Each time the culprit takes off if -or before- the occupant can respond. There have been only a couple of partial-sightings, where another neighbor caught a glimpse of the incident, and it has been confirmed that these are not kids. From the posts yesterday from a handful of folks, I’d say there were at least a dozen or so instances already documented.

So that leads me to wonder… are they merely childish pranks… or are these adults scoping out a neighborhood and testing to see who’s home… ?

Either way, midnight window-tapping and 3:00am kicks at your front door (which evidently left dents) are nothing to dismiss. We’re asking the local Police Department to increase the frequency of their drive-thrus in the area. And, I’m thinking of having the group organize a neighborhood camera system.

For now, our 75-pound, four-legged black and tan security system helps me feel a little better about it all.

# # #

"Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property and our people," Wal-Mart spokeswoman Sarah Clark said in a statement in April. Following the Gabbard firing, Wal-Mart said it conducted a review of its monitoring activities. "There have been changes in leadership, and we have strengthened our practices and protocols in this area," Clark said.

[...]

At a gathering of security specialists in New York City in January of 2006, David Harrison, the former Army military intelligence officer who was hired by Senser to head Wal-Mart's analytical security research center, provided a rare glimpse into the company's monitoring operations. Harrison told the gathering Wal-Mart faces a wide range of threats: "A bombing in China, an armed robbery in Brazil, an armed robbery in Las Vegas, another bomb threat, and that was just yesterday," Harrison said.

To safeguard its employees and operations Wal-Mart has tapped its massive data warehouse of information, now believed to be larger than 4 petabytes (4,000 terabytes), to look for potential threats. It tracks customers who buy propane tanks, for example, or anyone who has fraudulently cashed a check, or anyone making bulk purchases of pre-paid cell phones, which could be tied to criminal activities. "If you try to buy more than three cell phones at one time, it will be tracked," he reportedly told the audience.

[...]

Gabbard, the Wal-Mart employee fired for recording reporters' phone calls, said in his interview with The Wall Street Journal that Wal-Mart uses software from Raytheon Oakley Networks to monitor activity on its network. The Oakley product was originally developed for the U.S. Department of Defense.

The Oakley software is so sophisticated it can allow administrators to visually see what types of information are moving across the network, from Excel spreadsheets to job searches on Monster.com, or photos with flesh tones that might indicate a user is viewing pornography.

And this article talks about ex-CIA agents working for corporations:

The best estimate is that several hundred former intelligence agents now work in corporate espionage, including some who left the C.I.A. during the agency turmoil that followed 9/11. They quickly joined private-investigation firms whose U.S. corporate clients were planning to expand into Russia, China, and other countries with opaque business practices and few public records, and who needed the skinny on international partners or rivals.

These ex-spies apply a higher level of expertise, honed by government service, to the cruder tactics already practiced by private investigators. One such ploy is pretexting -- obtaining information by pretending to be somebody else. While private detectives have long posed as freelance reporters or job recruiters to get people to talk, former agents have elevated pretexting to an art.

[...]

Similarly, ex-agents have helped popularize the use of G.P.S.-based monitoring devices and long-range cameras for following people around. One corporate-espionage technique comes straight from the C.I.A. playbook. In the constant search for the slightest edge, some hedge funds and investment companies have turned to a handful of private-investigation firms for a tactic that seems to fall between science and voodoo. Called tactical behavior assessment, it relies on dozens of verbal and nonverbal cues to determine whether someone is lying. Signs of potential deception include meandering off topic rather than sticking to the facts and excessive personal grooming, such as nervously picking lint off a jacket. This method was developed by former lie-detector experts from the C.I.A.'s Office of Security, which administers polygraph tests to keep agents honest and verify the stories of would-be defectors.

[...]

Most of the ex-agents' activities, from surveillance to lie detection, are perfectly legal. In the wake of the 2006 Hewlett-Packard scandal, detectives used pretexting to obtain the private telephone records of company directors, employees, and journalists. In an effort to track leaks to the media, federal law was tightened to prohibit using fraudulent means to obtain telephone records. Financial records were already off-limits. But federal law doesn't forbid assuming a false identity to get other information -- an area that ex-spies exploit.

Still, a few techniques favored by the spies-for-hire do appear to violate privacy statutes. One of these involves using "data haunts," extreme methods of electronic monitoring such as tracking cell-phone calls and gathering emails by relying on secretly installed software to record computer keystrokes. An ex-C.I.A. agent described a group of his former colleagues who set up shop offshore so that they could tap into telephone calls -- a practice prohibited by federal law -- outside U.S. jurisdiction. "They call themselves the bad boys in the Bahamas," he said.

Even some of the legal methods are controversial within the industry. Certain old-school firms won't stoop to dumpster diving or stealing garbage -- which is usually legal as long as the trash is on a curb or other public property --" because they consider it unethical. They say that the prevalence of former intelligence agents in the field and the rise of unscrupulous tactics have tarnished a business that often struggles with its reputation. One longtime investigator complained that he recently lost business to some ex-C.I.A. officers who promised a potential client that they could obtain the phone and bank records of a target -- something that is illegal in most cases.

[...]

Current and former employees said Diligence's ex-spies also held classes in using false identities to obtain confidential information. Ex-employees said it wasn't unusual for an investigator to have five or six cell phones, each representing a different identity, on his or her desk. And while ex-C.I.A. and former MI5 agents were old hands at such deception, the new initiates sometimes got confused and answered a phone with the wrong name.

All interesting. It seems that corporate espionage has gone mainstream, and the debate is more about how and when.

On a related note, this paragraph disturbed me:

On occasion, Diligence investigators were dispatched to collect garbage from a target's home or office. In some cases, two former employees said, Diligence hired off-duty or retired police officers to take trash so that they could wave their badges and fend off any awkward questions.

It's public authority being used for private interests. We see it a lot -- off-duty police officers guarding private businesses, for example -- and it erodes public trust of authority. In the case above, I'm not even sure it's legal.