Four days in Reno was cerebral overload.
Attending the Wild West Hack’n Fest presented by Black Hills Information Security, I tried to squeeze as much data into the ole’ brain-box as possible. It’s a small box as far as brain-boxes go, so I’m pretty sure I tore something, and now my personal data is leaking out all over the place.
The first night there I dreamed I was at a diner and the waitress asked me, “How would you like your brains: Compiled, compressed, encoded, hashed, or salted? When I woke up I discovered I had developed a stutter that lasted most of the day.
By the time it was all over my brain felt like it had been in a pie-eating contest that never stopped. One of those last idiot-standing contests. Skull stuffed to near bursting and face a slaughter of smeared blueberry confusion. I wonder what drives me. This blog post is the inevitable regurgitation of that cerebral gluttony.
This is part one of my sloppy attempt at summarizing the 4-day info feast.
The Nugget Casino hosted the conference. The ringing bells and whirling whistles of the casino floor opened up my dopamine receptors as I walked through the door. The blinking and twirling lights aroused my limbic system which started pumping adrenaline into the mind-mix. My lower brain wasn’t sure if it was supposed to fight, flee, or poop. Casinos have to be one of the apex environments for social engineering. I felt a little like I was about to get on a rollercoaster. Kinda sick to my stomach, kinda excited, I realized the siren song of beer and slot machines were calling to me. I hovered a second or two before managing to gather my withering wits and turn my nose to the scent of nerd and find my flock.
I followed the odor of burnt neurons to the second floor where I heard the enigmatic chatter of cryptologists debating blockchain. My class was in a large conference room that could have fit a hundred people easily, but physically present only ten were seated in front of the giant screen displaying pdf slides of the inner workings of websites. I won’t pretend that I understood everything. In these classes, I often feel like a monkey punching buttons as fast as I can. All the time hoping for a banana that never comes. But at least I keep notes and hope with repetition comes familiarity and competency.
The very first thing mentioned was situational awareness.
Be still my sweet martial art heart. He had me at “situational”. I knew no matter how techie this got, the instructor was connected to a narrative I could follow.
The instructor’s name: BB King. He provided a master’s class in more than just pentesting the delicate membranes between user-input and website interface. This was also, for me at least, a dissection of the complexity of language and its primordial underpinnings. It was a study in the history of technology and communication.
Let me say upfront, I was intimidated by the technical material. I was also very anxious about the travel after being in my Covid bubble for a year and change. So as was wound uptight. BB’s presents helped melt that away. It felt ok to be in the deep end of the technical pool with BB as the intellectual lifeguard.
I paraphrase liberally, but he said: One of the keys to mastery of cybersecurity (and life in general) is curiosity. The hunger to know how everything works offers unique leverage. As BB put it, all tools have uses beyond their original design. What can a tool do that it was not intended to do? Ask, what would MacGyver do? For this class, that meant testing the user input fields with a tad bit of sql injection, a dash of URL manipulation, and a smidge of fuzzing.
BB set up a great VM with Juiceshop and Burpe. He walked us through developer tools in web browsers and the functionality of Burp’s tools to examine websites and by-pass WebApps. BB made multiple rounds around the room to check on each of us individually. He never seemed rushed by the fact that we were stuffing 24-hrs worth of information into 16-hrs. I just tried to keep up as we blew through a dozen labs picking apart the vulnerabilities inherent to the system.
Something that was super valuable was that the class broke down the Top 10 OWASP list into just 3 issues. Not 10 issues. 3 issues. Aside from 1) Malicious Input, there was only: 2) Insufficient Logging and Monitoring; and 3) Sensitive Data Exposure. 80% of attacks are some form of malicious input. The other portion of OWASP is basically people shooting themselves in the foot.
Midst all that tech talk, BB had a couple of comments about bird songs and body language that really stuck with me.
The sound of birds chirping, that sound we find lovely and melodic, it’s actually a bird’s warning to other birds. It’s a declaration of territory. I own this tree. This is my branch. Keep your distance. BB added, that the reason humans like the sound of bird songs so much is that the sound informed our ancestors that they were safe in the woods from predators. If the birds ever went silent, if the bird song stopped, then that was a very bad sign. It meant predators were near. Big ones.
The key takeaway: you don’t need to know the whole language to decode useful information. We had no idea that the bird song was a warning to other birds, but the lack of its pattern was a warning to us about nearby threats.
Another nugget BB shared: there are 21 culturally universal emotions that can be communicated with body language. Did he say body language? Totally speaking my language. This was when we were talking about encoding information and it made me wonder about the pros and cons of language. How easily things can be misconstrued or miscommunicated. Use the wrong word in the wrong context, things can get ugly quickly. It matters what you put into the system.
Or simply put for defenders: Input Sanitization matters.
The first rule of apps is that they are made for people to use. There must be an interaction between the person and a program. Requests are made. Responses occur. Anywhere a user can add information into the system, and possibly poison the ecosystem, that spot is a dangerous place to be short-sighted about security.
Imagine WebApp testing as a tiger sniffing out a good place to execute an ambush. Once the tiger knows where the animals go to get water (information crossing a boundary), they have discovered a vulnerability in both the environment and the prey’s behavior that can be exploited.
It’s now a matter of just watching and learning the patterns. Lying in the tall grass, hiding in wait for the bird song to return and all the little animals think it’s safe to come out again. Or maybe tigers aren’t the best analogy, but I do like tigers a lot. And if you’ve never read Tiger, you’re missing out.
Anyway, in my case, it means to sit and practice hacking labs taking advantage of cross-user privacy invasion; client-side controls; faulty assumptions; unlinked items; directory indexing; insecure direct object references; and redirect filters. And that was just the beginning. Did I mention, I developed a muscle tick in my right eye?
By the end of the 2nd day, the stutter was gone. But on the 3rd day, my right eye started randomly winking closed. I think that means my left brain wasn’t completely up and running just yet.
I grabbed coffee, kept my head down, and got ready for round 2. The final 2-days of lectures included: Red Team Automation, Gamification of MITRE ATT&CK, Cracking Cloud Security, Network Defense Modeling, and Offensive Deception.
Ever read A Scanner Darkly? The protagonist is a detective hunting a drug dealer. Spoiler: the detective discovers he is the drug dealer. Or Fight Club, in which the unnamed protagonist discovers he alter ego is a cult leader of an anti-civilization urban-guerilla terrorist organization. That’s the feeling I was getting. I was two different people. A double agent moving between the good guy and the bad guy until there was no difference between the good and the bad just knowledge, tools, and leverage. It’s not ethics, it’s actions along a barrier. There is attack and defend the barrier.
Cyber is about controlling the flow and the mastery of the space between all things. Even the space and flow between the many minds that make up our minds (A Thousand Brains Theory).