Notes from Hacker Halted 2017: The Art of Cyberwar
Oct 24, 2017
Last week I attended EC Council’s Hacker Halted conference in Atlanta. The theme of the conference was “Lessons from Sun Tzu”, the ancient Chinese general who wrote “The Art of War”, a treatise on military strategy that is still applicable today. “The Tzu”, as I like to call him, created his philosophy with war in mind, yet his ideas apply to cyber warfare as well. “Every battle is won before it is fought” is one of his quotes on warfare, but it also applies to other aspects of life. In essence, Sun Tzu means plan for all possibilities, and you will win.
The first presenter was Jay Bavisi, CEO of EC Council. Jay told us a story about an oil company in a foreign country that hired EC Council to perform a penetration test against the company’s servers at their production facility. During the preliminary discussions, he asked the IT guru what service pack level the servers where on. When the IT guru (cough) responded, “What’s a service pack?”, Jay knew that performing any exploits against the network would result in taking down the plant. The Tzu would say, “Know when NOT to fight.”
A major point that Jay discussed was that cybercrime will have an estimated cost of six trillion dollars by the 2021. To put that another way, $6 trillion is more than the worth of Google, Microsoft, and Apple put together. Attackers have some serious firepower with which to attack. The Mirai botnet launched a Distributed Denial of Service Attack (DDOS) against Liberia, disabling internet access to a whole country with a record 620 gigabit/second attack. Normal botnets hijack computers to attack other computers. Mirai is different in that it is an Internet of Things botnet (IoT). IoT devices are consumer products, such as IP cameras, routers, refrigerators, TV’s, almost anything with an IP connection to the internet. These bots can then attack other networks and systems.
Mr. Bavisi then discussed the four major problems in the penetration testing industry:
1. Finding penetration testers.
2. Retaining penetration testers.
3. Scalability, as in increasing the number of testers and targets.
4. Trusting the testers you already have.
This led into the new LPT Master certification. The Licensed Penetration Tester Master is the ultimate EC Council certification. It is the world’s first fully online, remotely proctored, practical exam, which challenges the candidates through a grueling 18 hours of performance based, hands-on testing categorized into three practical exams of six-hour duration each, which will test your perseverance and focus by forcing you to outdo yourself with each new challenge. Currently, the LPT Master is still in beta, so EC Council is offering free testing for qualified candidates.
The Truth is Owned by the Government — Greg Carpenter
The next presentation was a debate between Former NSA agent Greg Carpenter, Winn Schwartau, the founder of The Security Awareness Company, and Hollywood producer Michael Masucci. They discussed hackers, the media, truth, trust and alternative facts. The premise of the debate was that the government manages the throughput of information to the civilian populace in an attempt to keep everyone happy. The ex-NSA agent said, “I’m the guy that makes the Kool-Aid”. He worked in the Psychological Operations department (PsiOps). He said the government participates in massive disinformation campaigns to keep “the secret stuff” secret. He compared the government to Russia’s Pravda—we manage information.
Remember the Maine? On February 15, 1898, a mysterious explosion destroyed the American battleship Maine in Havana Harbor and helped propel the United States into a war with Spain. In a world without Twitter and Facebook, the government reported that the Maine was sunk by a Spanish mine or torpedo. In April, Congress declared war on Spain. The only problem with that is Maine was actually destroyed by an internal boiler explosion. Can you say “Fake News?” I knew you could. In 1976, Admiral Hyman Rickover led an investigation team that exposed the disinformation.
Mr. Masucci’s platform was the government is not truly malicious. The government is just “not Six Sigma”. Government employees are just like regular people
at the office; there’s a lot of playing around and not much work is done. He compared NSA to a government jobs program. There are more workers there
than are absolutely necessary to get the job done; work output is only about 20-30%.
Mr. Schwartau’s argument was that we want to be lied to. How many times do you meet someone and say, “How ya doin?” Do you really want an answer like “well, my back is hurting and my dog ran away and …”? No. We want them to say, “Fine” and move on. The government does the same thing, until someone leaks confidential information. Then the spin control kicks in. His theory is that there is a form of Mutually Assured Destruction between hackers and governments; they have both agreed not to mess with each other. It might be possible for hackers to take down public infrastructure systems, but they’ve agreed not to do that in exchange for governments’ not damaging the hacker’s business model.
Wayne Burke, from SecureNinja, did an outstanding presentation on drones. His first demonstration was using a drone to simulate a cell phone tower. Law enforcement has the “stingray”, a device that does man-in-the-middle intercepts of cell phone communications. A researcher has developed a system that does the same thing as stingray for $1500 and is portable. It could be (or already has been) mounted in a drone. So, you’re probably asking yourself, can my phone be hacked? This CBS news report and this 60 Minutes report say “yes”. CBS’s 60 Minutes report details hacking the SS7 Signaling System used by cell phone companies to connect all cell phones. The report describes how US Intelligence intercepted the German Prime Minister’s phone calls. 60 Minutes also intercepts cell phone calls between the reporter and a Senator. All the hacker needs is your actual cell phone number to connect. Mr. Burke recommends never giving out your real telephone number. Instead, use a system such as Google Voice to get a Voice over IP number.
Do you have a drone? Does it have a camera, GPS tracking, an iPhone app? What happens to all the video and GPS coordinates that the drone processes? Does it go to Chinese servers? Is there someone in Beijing looking at your backyard? Apparently, the Pentagon thinks so. https://qz.com/1046724/the-us-army-is-reportedly-banning-all-drones-made-by-chinas-dji-over-security-concerns/
Not all drones are bad. Some are used by law enforcement to perform reconnaissance before officers move into an area. Shield AI, has an artificial intelligence drone for just such a purpose. Hivemind Nova learns from experience to access and navigate denied or high threat environments. Without a remote pilot or human input, it autonomously explores buildings, urban canyons, caves, tunnels, and other high threat environments ahead of personnel. It live-streams HD video and a map of the building layout to operators. In addition to its autonomy and AI features, Hivemind Nova can also conduct searches without an RF link, be flown manually, and has the standard features available in commercial quadcopters. Hivemind Nova learns and continuously improves over time. The more it is used, the more it learns, and the more capable it becomes. (Skynet, anyone?)Miscellaneous Stuff
I won’t go through a complete description of every single tool discussed at Hacker Halted (I would still be typing next year), but if you feel like doing
a little research on your own, here’s a list of some interesting toys and sites.
USB Rubber Ducky
Poison Tap and Raspberry Pi Zero
Kali Linux Websploit
If you would like information on any of these tools and many more, attend Lantec’s Certified Ethical Hacker course.
Contact your Account Executive for details and class dates.