Monday, August 26, 2013

Hack3rCon^4 - Eye of the Storm

Drum roll please!!!

I have been selected to present at Hack3rCon^4. This will be my second time presenting at what is one of my favorite cons. What is the topic you ask?


NSA wiretaps are legal and other annoying facts

I debated whether I wanted to display my outline here but, to be honest, my presentation grows with every day of research.

As usual, I will write a blog post about the con and will provide a link to the video provided by IronGeek.

Tuesday, August 13, 2013

DEFCON Shoot (Two days I never should have missed)

   
To sum it up...♫ I did a bad bad thing ♫ You see, while volunteering at BSides Las Vegas, I decided not to go to the DEFCON shoot. After all, I didn't have a car, I didn't know anyone, and I was having a good time at the Tuscany. Now that I am home and the con craze is over, I realized I should have gone anyway. Here are the top 10 reasons why:

(Drum roll please!)

  1. What better way is there to exercise your 2nd Amendment rights than to throw some lead down range!
  2. Having no car is not an excuse! The DEFCON Forums include a shoot thread where details of the carpool are discussed.
  3. The BSides staff had a shuttle bus that ran to the Rio multiple times a day.
  4. Registration for the shoot is easy.
  5. The price is right. $20 at the door. Cheaper if you register early and get one of the discounts.
  6. You get to spend time with some really great people. Deviant Ollam (of DEFCON17 "Packing & Friendly Skies" fame) for one.
  7. A bad day on the range is still a great day!
  8. The smell of gunpowder is exhilarating!
  9. Transfer of knowledge. I have been shooting for 30+ years and am still learning.
  10. The chance to shoot guns that you haven't shot before. I have access to quite an extensive collection but there are still guns I haven't shot. Friendly shooters will let you shoot their guns.
(Crash of the cymbals!)

     To correct my transgressions, I reached out to Deviant and volunteered for the DEFCON22 Shoot. After all, the top reason for me becoming a certified NRA Pistol Instructor and Range Safety Officer was to promote the shooting sports in a positive and safe manner.
     I encourage you to head out to the DEFCON forums and the Unofficial DEFCON Shoot Page for more information. I hope to see you next year and remember to shoot safe, shoot accurately, and defend your 2nd Amendment rights!

Friday, August 9, 2013

Thanks Irongeek!!!

     I had the honor of assisting Irongeek (Adrian) with video capture at BSides Las Vegas last week. Not only did it get me a free badge to the event, it reinforced a lesson I learned years ago: The more you help others, the more you get in return. Volunteering at BSides connected me with a whole new group of friends as well as solidified my friendship with those I had met before.

   
Today I added Irongeek's RSS feed to my blog. His feed/website hosts videos from many conferences (BSides Las Vegas, BSides Boston, AIDE, Outerz0ne, and Notacon to name a few), InfoSec articles (Raspberry Pi recipes, How I Got Pwned, and I2P/Tor workshop notes), and a host of other information. Please check it out regularly and don't forget to click on his sponsored links (he does get a few pennies when you do).

Thursday, August 1, 2013

The BSides that started it all

This year I was fortunate enough to attend Security BSides Las Vegas. Security BSides spawned from the inability of Black Hat USA to include all of the worthy presentations in their lineup in 2009. This shortcoming resulted in one of the best InfoSec conferences in the nation.

     The first thing that I noticed was that the venue changed from the Artisan to the Tuscany Suites and Casino. I liked the unique atmosphere of the Artisan but felt cramped (this from a former Navy submariner). The Tuscany suites were nice and spacious, cheap, and clean. In addition, the hotel staff were friendly.
     Because I arrived the morning before the conference, I decided to take a stroll around the facilities. This is something that I learned in the military. Always know where you need to go, how to get there, and develop a sense of situational awareness. While doing so, I stumbled across the main meeting room for the con. There were many volunteers rushing around putting the finishing touches on the meeting rooms. Because I like to meet new people and felt the need to pitch in, I asked where I could help. Over 2 hours later, after folding what seemed like thousands of t-shirts, I managed to meet many new friends. Exhausted from the day's travels, I turned in.

     The morning of July 31st, I woke early and returned to the conference area to check in and badge up. The abilities of the volunteer staff were evident as the line constantly flowed and I got my volunteer badge and complimentary sling bag in no time. In addition, a random staff member handed me a social engineering badge and explained that I was now part of the Social Engineering Capture the Flag. Fun! I quickly found Irongeek since I was volunteering to be one of his video monkeys (he used a different name for me).
   
     What I experienced next was pure joy and excitement. I was witness to 2 full days of information security, computer hacking, and life enrichment/self help. I only attended 2 presentations out of 16 that I didn't absolutely enjoy. These 2 just weren't to my liking (personally, not professionally). The con staff did an excellent job at selecting presentations/presenters. Every presenter was personable and stayed to ask questions after their talks (something that doesn't always happen at other cons).
     Some of the presentations I attended were:

  • Christien Rioux: "The Security Industry - How to Survive Becoming Management" (KEYNOTE)
  • Jimmy Shah, David Shaw, and Matt Dewitt: "Discovering Dark Matter: Towards Better Android Malware Heuristics"
  • Jay "Rad" Radcliffe: "Mom! I Broke My Insulin Pump...Again!"
  • Evan Davidson and Noah Schiffman: "Dungeons & Dragons, Siege Warfare, and Fantasy Defense in Depth"
  • Jack Daniel: "The Erudite Inebriate's Guide to Life, Liberty, and the Pursuit of Happiness"
  • Nicholas J. Percoco and Joshua Corman: "The Cavalry Isn't Coming: Starting the Revolution to FSCK it All!"
  • Steve Werby: "Crunching the Top 10,000 Websites' Password Policies and Controls"

     So, I have rambled on as usual. I will now cut to the chase. Here are the takeaways from my BSides Las Vegas 2013 trip:

Pros
  1. The new venue (Tuscany) was open and airy with plenty of space
  2. There were 6 distinct tracks (double last year): breaking ground, common ground, proving ground, underground, lightning talks, and training ground
  3. The staff were approachable, helpful, and cared about their product
  4. The volunteers did a great job
  5. The price was right - FREE!
  6. The talks were informative and high quality (new presenters were assigned mentors)
  7. There were free shuttles to the other cons (Black Hat and DEFCON)
Cons
  1. I didn't get my free drink coupons upon check-in (remedied quickly when I notified the staff)
  2. There are not many budget restaurants within walking distance (the midnight Steak and Egg special in the hotel was only $5.99)
More information on BSides Las Vegas can be found at www.bsideslv.org and www.securitybsides.com.


***BSides Las Vegas presentations (and many others) can be watched for free on the website irongeek.com.

Friday, August 17, 2012

Lifelong learning, being 100% certified, situational awareness, and my thoughts

     My route to becoming an InfoSec practitioner was anything but traditional. For this I am thankful. Why? Because I discovered a breadth of information that has served me well in life.
     This story begins in 1990 when I first joined the Navy. I joined between my Junior and Senior years of high school. The underlying reasons for me joining are as follows:
         
1. I was 17 and knew that I wanted to see more than the "Golden Triangle" of Texas. (My travels took me as far as Dallas to the north, San Antonio to the west, and Pensacola, FL to the east.)
2. I wanted to go to college but didn't know what I wanted to do when I grew up
3. Home life sucked and I wanted out

The job I signed up for in the Navy was entitled Cryptologic Technician (Maintenance). This is code for "mostly works in air-conditioned spaces" and Class "A" school located in Pensacola, FL. At least that is all I knew about it from the information sheet I read. An entire career of 20 years was based on those 2 things. Looking back I ask myself "how stupid could I have been?" and "how lucky was I?" My school lasted for almost 1 year (was supposed to be shorter) and I learned electronic theory, AC/DC theory, soldering, recorder theory, how receivers and transmitters worked, how to run a maintenance shop, and the troubleshooting methodology. This is where my first failure came into play.
     All my life, schoolwork came to me easily. I was bored with school and always spent minimal effort on homework, etc. This caught up with me in Pensacola. A class in power supplies theory and maintenance ended with me failing the module. I got rolled back into the next upcoming class and was told that I would lose my slot in school if I failed again. Nothing learned other than the "walk of shame sucked." From Pensacola I went to an advanced course in electromagnetic transmissions and intercept for submarine systems. Once again, I fell into the routine of just getting by. Once again, I almost got dropped from training. Once again, I took the "walk of shame" and learned nothing.
     At this time I met a man named Rob Bartlett. He introduced me to a thirst for knowledge, not just a quest for checks in the boxes. Rob, if I have never thanked you, I am doing it now. Still not knowing what I wanted to do when I grew up, I began taking college courses to figure it out. My majors, in order of declaration were: Mathematics, History, Psychology, Occupational Psychology, Computer Studies, and finally Business. I took classes at:

  • The George Washington University
  • Hawaii Pacific University
  • University of Md University College
  • Excelsior College
  • Carnegie Mellon University/CERT
  • National Cryptologic School
  • Coastline Community College
  • Community College of the Air Force
  • Prince Georges Community College
  • American Military University
  • Webster University
  • other formal training institutes

This 13 year meandering through collegiate life led to a very broad background of knowledge, a better understanding of how different people approach a problem, and an understanding of written goals/requirements.
     Something else I learned from Rob was to take any class offered by the military regardless of what it is. This led to me taking classes anytime offered (something I still do today). I have taken some really cool classes that were never meant to be taken by someone in my career field. I have not performed a pen test in over 6 years but I ended up taking Dave Kennedy's SET class at BlackHat. Why would I spend all that money for something I may never perform again? Because my boss offered and it is an opportunity to learn something new. Plus, I got to meet new people with various backgrounds and learned from their experiences.
     If you search for the subjective "knowledge" as opposed to the objective "results" (cough* paper MCSEs* cough * paper CISSPs*) you will understand the point of certifications. They are something you can frame and show your friends as a badge that says I took a test. Same goes for a college degree. A degree is something you can frame and show your friends that says I took lots of tests. If done properly, you can show your friends these pieces of paper and then debate the merits of, say, a truly air-gapped network, how it would be implemented, and the upside/downside of that network. Moreover, you can speak about it with authority and experience because you have operated/managed one not just read about one when you read the majority of an article in Slate magazine once.
     Do I see value in certifications/degrees? Absolutely! The value, in my humble opinion, is that I can put them on my resume as a check in the box. This should allow me to get my foot in the door for an interview and then I can use my experience to get the job. What about the plethora of jobs that do not mention certs/degrees in the requirements? Fine. I can put my certs/degrees on my resume, placing a check in the box I drew on the form myself, get an interview, and use my experience to get the job. This should be the emphasis of ANY hiring official. The questions should not be what boxes can you check, they should be what can you show me and tell me about how you would handle x.
     A short story to prove my point. While in the Navy, I was given the opportunity to screen all junior officers, all with fancy degrees, and senior enlisted members deploying to Iraq and to make recommendations on who should go. I was told to give these guys a test to measure how successful they would be in the field. (As if that could actually be done.) My test was simple. 100 questions. Multiple choice. You have 5 minutes to answer them all. Begin! After this was handed in, never completed, I would give each person a scenario.
           {You are providing tactical intel support to a Ranger company. Your purpose is to tell them which of 2 doors they should kick in, using highly specialized cell phone intercept equipment. What do you do? The officers with technical degrees would usually begin by walking in an ever increasing circle, attempting to get a fix on the target, and would then make a recommendation. The enlisted personnel would usually think for a second or two, then tell the Rangers to kick in both doors, interrogate the subjects, and arrest the guilty party (probably the guy with the cell phone in his hand).}

      I always recommended the enlisted guys. I caught flak for my recommendations because officers are required to lead for promotion while enlisted members are taught to lead and promoted because of it.

What is the point Branden?
1. Seek knowledge, understanding, and experience NOT papers, titles, and pretty frames
2. Never pass up a chance to learn
3. Like a child, learn from everything you do, taste, smell, and touch
4. Be humble. Nobody likes people who think they are smart, they like smart people.
5. If something you do now seems painful, it is ok. Next time will be less painful.
6. Teach others. You will learn from this too.

     So I know that this is kind of scattered all over the place (I blame insomnia). To make matters worse, I will not edit this in the morning before I publish it. Hey, why write something twice? Especially when no one reads this anyway.


Monday, August 13, 2012

Book review: The Basics of hacking and penetration testing

    This story, of the book review anyway, began in the class Inside and out of the Social-engineer Toolkit (SET) by David Kennedy. I decided to attend this class when my boss discovered money in our budget that had to be spent before the end of the state fiscal year. 
     A surprise student in the class was Kevin Mitnick. During a break, Kevin began to chide Dave Kennedy about the fact that his book, Ghost in the Wires, supplanted Dave's Metasploit book as the Amazon bestseller. Dave's response was to point out that another book beat his out on another bestseller's list on the Amazon site. Lo and behold, the author of this book, Patrick Engebretson, was sitting next to Kevin Mitnick! Never one to pass up an opportunity to support a good ribbing, I immediately purchased the book, The basics of hacking and penetration testing: Ethical hacking and penetration testing made easy.
     I am glad I did. Engebretson does an outstanding job of laying out, in an easy to read way, a complete guide for those interested in breaking into pen testing. This book begins by introducing the concept of "zero entry hacking." Much like a zero entry pool, that gradually slopes from dry land to deep depths, the ZEH concept allows anyone to pick up this book and begin work. 
     Engebretson follows the ZEH concept with a quick differentiation of blackhat vs. whitehat. He focuses on three key concepts that separate the two and clears the air for the reader. Next, he introduces the reader to some of the most important tools a pentester will ever use, BackTrack Linux and a good lab.
     Finally, Engebretson introduces a simple 4 step methodology that summarizes what pen testing is all about. He spends the rest of the book detailing his simple methodology in a concise and comprehensive manner.
     I recommend anyone breaking into the pentesting world buy this book before they start. In addition, even though this book title begins with "The Basics of," I recommend it for even the seasoned pentester. 
     Good luck Patrick! May you sell plenty of books! At least enough to allow you to buy some cool toys.

Tuesday, August 7, 2012

Yeah! DerbyCon!

     Last year I had the distinct pleasure of attending the first DerbyCon. I say pleasure because this conference, in its inaugural offering, was better than any previous conference I had been to. **Hold your horses** That is a bold statement you may say. Let me explain myself...
   
     1. The presentations were top notch. BlackHat (in the old days) and DEFCON style topics. Hey, you don't believe me. Check out last year's schedule for yourself. https://www.derbycon.com/schedule-2011/
     2. The attendees and presenters did not walk around with "rock star" attitudes. One of many examples I witnessed first hand: Deviant Ollam, well known for his physical security and pentesting skills, could have taken over at the Lock Picking village. He did not. Why? As he put it at the time, "This is their show and they are doing a great job!"
     3. As far as I know, there were no security issues and the Goons/Jockeys/Security Team or whatever they were called were professionals and without the attitude I saw from some at DEFCON. Not knocking DEFCON, I understand how difficult it is to herd 15,000 attendees around. They did a good job too but some had a "because I said so" attitude.
     4. The founders/organizers seemed to care on a personal level about the attendees, not just the conference as a whole. I mean, hey, with a handle like PureHate, I expected something different from Martin Bos. Now that I know more about him, that handle is way off the mark.

This brings me to the reason I decided to ink this today. It all started with a tweet.


Uh, What! Really! Who does that! Especially since the previous tweets were talking about how they received 10 times as many CFPs this year as compared to last year!

This is something I could not get mentors in a formal mentor program to do. Much less a small team of people to do for hundreds, or possibly thousands, of people.

Now I know that everything is not all roses and there are still questions about how this Con will be in 10 years, but I think you will all agree that the foundation is right.

I am so looking forward to seeing everyone there this year. Let's get together and do lunch! Or come to my presentation (fingers crossed).