[podcast] Black Hat 2019
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
On this episode, Strategists Jim and Jeff talk about Warshipping, US military CAC’s on the way out, and how to identify Deepfakes... all topics of discussion brought to the table by Jeff who has his boots on the ground at the annual Black Hat conference in Las Vegas.
Brought to you by identropy.com
Want to join the conversation? Leave us a message here: anchor.fm/identity-at-the-center/message
We hope you enjoy this episode and please subscribe to the podcast for updates on new episodes!
LISTEN HERE or read the full transcript below.
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #6 Full Transcript:
Identity At The Center #6: Black Hat 2019
Jeff: Welcome to Episode 6 Black Hat Edition. I'm on site here at the Black Hat Conference in Las Vegas. We've also got Jim, Hey, Jim.
Jim: Hey, Jeff, how's it going?
Wearing my tinfoil hat, have all my electronics properly wrapped; make sure there’s no breach.
Jim: Paranoia radar on full.
Jeff: Definitely. They put signs all over black Hat. That's like basically saying, like the suspect, the conference, everybody present, don't ask other people and others. I'm sure there are people who are already doing it.
Black has turned more into like a corporate event and then Defcon, which is essentially next couple days after this. That is kind of more of the deeper dive technical type things.
Jim: The hardware has to avoid talking about last week.
Jeff: Exactly. So we had a little of a black Hat edition that we're gonna talk about today. Some of things that I thought were pretty interesting that I saw here at the conference, Couple of maybe not necessarily specific to Identity and Access Management, although we might try to loosely tie it. But that I thought were interesting just from a general security perspective. The first thing I guess I'll talk about here is we had a keynote speaker from Square that was really good. And one of things that he pointed out was that cyber security already has plenty of attention and it's no longer an afterthought. And I think to some degree that's true. There may be some components of cyber security that are not as much less afterthoughts that as than others, just based on, some of the clients said that you and I have worked with, there is always something that needs to be improved.
But I think and let me know if you agree with this, cyber security as a whole, people kind of get it now or at least they're starting to get it and understand the need for it. Would that be fair to say?
Jim: I think it's a continuum. I think, financial organizations and I'd say most corporations get it to some degree, but we've run into clients where they say, I'll just say widgets is if I get into specific products, you might know who I'm talking about. But they say we make widgets, we don't do security or we don't make computers or we're not a bank. And I don't like to get it, because if they're a brand, if they're out in the open, they are targets. They have data. If somehow they can be exploited for money, which almost every organization can, especially when you think about some of the ways that organizations get hacked and held for ransom these days, they're all targets.
Jeff: Yes. I think it's why I think some companies are a lot better pay more focus on specific areas, network security vs. maybe identity, those sorts of things or, physical security vs. logical security. That's kind of what I was thinking from some folks are getting it. But at the highest level, it's I think just, cyber security, I kind of agree with that statement is that there's definitely gaps that are still out there and that need to be worked on.
Jim: I think there's also. There are companies I'd say overall companies are getting more and more. But companies are made up of people. Sometimes you get it. Some people still don't get it.
And I think in industries where they've been the center of attack after attack, almost everyone there gets it. And industries where it has been afterthought for so long or so, a majority of people who don't get in.
That's where you see Chief Information Security Officers and people who are responsible for IAM and cyber security is all pushing the boulder uphill.
But, I guess we'll focus on today cyber security and doing things the right way and attitudes are going to change over time. It's not going to be a light switch.
Jeff: Yes, I think it's a mindset. If you're open to new things, if I'm a CISO, when I'm looking at what's next, these are type of things that I'm really looking for. It's a continual battle, to try and secure all the things, but if you get into this kind of. Yes, we're fine, not to worry about it mindset. I think that's where there's definitely some risk. But you have to be continually evolving your posture.
Jim: So, Jeff, one of the things I love about conferences. You're getting into the exhibit hall and see all the new vendors and the problems that they're trying to solve and then attending sessions. So, what are some of the best ones that you've run into and you saw.
Jeff: The best one I saw is one around deep fakes. And I kind of want to save that one for the ad because I think that is going to open up pretty good conversation. It's something that I've been looking at for the last few months. At least it's not before that, just from a curiosity perspective. But maybe on top of that one last before that, there was a session on war shipping. And this is a new term that I had not really heard of before. Have you heard of war shipping?
Jim: Not before today.
Jeff: Ok. So essentially, it is a Trojan horse attack that takes place as a bridge between the physical world and the networked world. That sounds very convoluted. So may explain that. So basically the way it works is you put together a real cheap network device with cellular connectivity. Something like a 3G connection does need to be, you think, fancy, typically something that is 100 bucks or less, you drop it into a box or an envelope or something. And it's typically around the size of a smaller cell phone and you ship it to whoever your target is. If you're a company, etc. that goes into the mail room, probably a bigger company or maybe it sits on someone's desk if they're a smaller company. And this little device is basically looking for wireless networks that connect to and then because it has a 3G connection or, some sort of size or connection, whoever is operating the device can sniff out those packets and attempt to run exploits or cracks against the wireless network from a remote position. So they don't actually have to be sitting in your parking anymore doing that. They can basically ship this thing. And this is presented to us by IBM X-Force. I think it was X-Force read that kind of proved this out. But basically, it's a Trojan horse. And the fact that they were this thing that looks benign, it's a package, how many times are packages really closely inspected in a company? And that's just looking for Wi-Fi networks to connect to. And once you're able to exploit that network, you're inside the firewall. Typically, you're inside the physical perimeter and you can start looking for data, etc., which I thought was, it's a cheap way to get access, good anywhere in the world.
Jim: Pretty amazing. And the other thing is that there are so many network connected devices these days things like printers that put off their own wireless network and there they can serves if they are hacked, you know, they're not designed to do it, but if they're hacked, they could end up as a bridge into the network.
All Hacker would need is, a bridge long enough to go ahead and create some accounts or to run a few scripts and find some exploits and get some software installed and living on the network.
Jeff: You're in and you're basically moving laterally and up as you find opportunity to do so and you start with the printer. Then you move over to the coffeemaker which sits on the Wi-Fi and IOT Security is something that's come up quite a bit recently. I think there have been some reports that I don't know enough or details are on the stock intelligently. But I recall seeing recently some reports around IOT devices becoming a target for different tacks, which isn't new, but seems like there was some sort of recent work around that.
Jim: And probably for our audience, Jeff, our audience probably includes people who would be responsible for more generally securing the network and highlighting this as a tax collector is important. I hadn't heard of war shipping but when I heard of it, It reminded me of war dialing, which was popular. You know, 20 years ago where he was set up modems and they were just sequentially dial phone numbers looking for other modems and then tried to connect to the modem and see if they get onto the networks, if they get some kind of log in prompt or something like that, and hope that they could gateway into somebody's network. Remember, I worked at a corporation. I probably am a liberal ashamed to admit this, but at the time, our administrative group had a couple of modems in our small data center that connected back that we could use to connect to the network in case everything was down at the routers went down.
We could go ahead and do work at nights. That's not the case these days. I mean, any good network team is going to go ahead and shut those suckers down. But I saw a presentation, I wish I could attribute it to whoever came up with this, but they were saying, what they do and they were kind of ethical hackers. So probably a lot of people that are at the Black Hat conference, but these are more white Hat type people.
And they would basically sell into Information Security Department said we know we can get into your network and they put that challenge out to most of the folks to say, tell me you can't.
Two of the methods that I heard that were similar to this war shipping was one that could take a drone and fly it up on to the ceiling of a building with a Wi-Fi connection, probably a cell phone, And just look for IOT devices like printers. The other was they would go to the front desk and say, I'm here for a meeting, but I really just want to go to the bathroom. And most people are going to say, go ahead, go to the bathroom. When you're in the building, you're behind the security desk. And so, I'm not saying that's going to work at every place, but I bet you most places the drone idea could work if you executed the attack properly.
Jeff: They may see as a Wi-Fi pineapple to act as a fake AP access point for the network and try to get people to connect to it.
It's kind of like a man in a middle attack. one of my friends, Mark, I believe he has some experience with this and I'd love to have him on at some point as a guest to talk about that, because I think I'm pretty sure that he did that for one of the companies that I worked at in the past. So some of the exploits that is available. So I hope we're not turned there. But Mark, if you're listening, we definitely want to have you on. Let's talk about that.
Jim: Are going to apologize.
Jeff: That's exactly right.
So that was war shipping. And this other topic they'll bring up here isn't wasn't necessarily at Black Hat. It's something I saw on my way out to black Hat.
And that's around common access cards or cards that the US military uses. They're looking at replacing that with a wearable identity token in the future. So the way this would work is you would have this sort of wearable that, you know, someone in the military would wear that would in conjunction with a pin that the person would type in, would give them access to whatever device that they're looking at in the field or touch in the office. Those are sorts of things. So I thought it was interesting.
Just from a modernization approach, credit cards have been around since 2001, so probably due for an upgrade at this point, 20 years later or roughly that time, I'm sure that day tokens get out there. But can you imagine, soldiers now wearing part of their multi-factor outfit, walking up to a terminal or a laptop or something that you in the field now, haven't you? They'll have that. They'll type in a pin and that'll give them access to when they're doing, certainly interesting. Probably solves some of the physical things that could go wrong with a card reader in the field. If it gets damaged, etc. I mean the same thing probably with a wearable but introduces maybe new ways that there could be a potential attacks on a wearable in the field.
Jim: Definitely a tax, the thing coming to my mind also was what about the use of bio metrics? I mean, it would seem to me that facial recognition or a fingerprint would be another way to go about this. Obviously, you need to be able to connect back to some kind of service that might be more difficult or more unrealistic in kind of the war environment.
Jeff: I can imagine things like fingerprints might not be the best way if there's a field and things that might be happening there. So if that's the right answer or not. I mean, there's probably a combination of things that could be done. But, the first thing I think it was there where any wearing a wearable is, I think my Apple Watch and my MacBook. I can walk up to the device. And it authenticates me because it sees my Apple Watch as an approved device, and, interlocked my PC. I think the same kind of concept plus a pin is what they're looking at on the military side. But in my mind, it also opens up that opportunity for what, some sort of denial of service attack, which you and I were talking about before we had done this whole here could be something to think about too.
Jim: I guess the idea with a wearable is that it would be multi-function, so wouldn't just be something to as a form of authentication, but because otherwise what's the great improvement over the credit card.
If it's just a way to prove that hey, I have something. So if we think about multi factor authentication is something I know something I have or something I am. So if it's something I have, I would think a wearable or a credit card, either one would be that kind of form of identification. If it's a wearable, if it's like a Fitbit or an Apple Watch or something, that's more than you can get from that device than just the identity of our identity verification.
Jeff: I think it's probably just the use case around. How do you make it easier? I think the intention is they go for like a proximity based authentication in addition to something that you have to take out, slide into a device, hope that physical connection isn't filled with dirt, grime, whatever might be out there. Try to remove points of failure from a physical component and really think about it. So it's very much like phones these days, no longer having physical buttons on them or trying to remove as many physical buttons on them. So, iPhones never have a whole home button. They say its part of it is to improve the screen size. But it's also one part that would typically fail on a device that's going to use over and over again. So if you could remove switches and physical components, you reduce error rates or failure rates, I should say.
Jim: How many times have you and I talked about the iPhone 10, though, and not having a home button? I refuse to upgrade to the new phone because I don't want to give up the home button, even though I will say that the thumbprint scan is kind of hit or miss of your thumb is even slightly wet. It usually won't pick it up, but I do like the ability to push that button.
Jeff: I am torn on it. I think the technology works fine. I have the iPhone and it has the face I.D. And it works OK.
I typically don't have any problems with it. What I miss this is gonna sound really stupid and not dangerous. So kids don't try this at home is in the car. So to unlock your phone, you have to look at it.
Whereas if you have the fingerprint right, you can just touch it and it's unlocked. So I find that really irritating at first. I've gotten used to at this point and, technically it is illegal in some states, mine included, even having a phone in your hand at this point. You're driving usability factor for me. I still prefer the touch, the fingerprint approach versus the looking at approach. And I'm sure we'll see that come back. Samsung has already introduced ultrasonic, some print readers that are underneath the screens. They don't work as quickly as a physical component that it's on top of the screen. And now we're really starting to get away from IAM, but definitely a mobile device there. But I think you'll see the comeback of under screen some print or fingerprint readers continue to get better. And that'll be sort of the next thing that's coming out next year.
Jim: What is the deep fake?
Jeff: So a deep fake has a variety of different things, but it boils down to some level of impersonation around faking video or faking audio to make it look like someone is saying something that they did not actually say. One of the it's been around for a couple of years and it's something that has grown up quite a bit just in these last roughly three years or so. So it sensitizes and was kind of brought out. And some of the more famous ones you might have seen out there or maybe not seen or known about is, there was one with President Obama saying something and then someone basically synthesized audio over that to make it look like he was saying something else, saying, mouth gestures, etc., but the audio had been tailored for him to say something he didn't completely say. And this has come up quite a bit. And I think it's something that we really need to be on guard for in the future is how do you how do you validate that what you're looking at, is in fact, real, because the deep-fakes, as they're called, have gotten so much better than they have in the past, because there have been tools that have been developed specifically for that had written that had been leveraged to make it appear as if people were saying things that they haven't really. So it's definitely scary to think about how it could be used to influence public sentiment.
Jim: Yes, it is. And you think about it right now, it's probably the general public is probably not super concerned because the technology and effort required do this, as is the challenge right now, but, 20 years down the road, if it's software that is consumerised, you can just take a funny video of somebody from YouTube and then you can dub your own words. And I mean, there’s going to be a real somebody who will really get concerned about.
Jeff: So, you're saying 20 years or now the technology is already here. I can do this on my own. You do this on your laptop. The tools that have been recently written around making this easier exist today and can be done in a relatively quick time frame. The way that it typically works is all you need is source video. So you got to basically think about it from this kind of logical stuff. You've got video A, which is the target of the person that you want to impersonate. And then you've got video B, which is video of what you want that person today. It could be you. It could be me, and video A could be Fletcher. Let's say, for example, we want to make Fletcher say something else. All we do is. We certify images or video that exists already of Fletcher saying different things. We see that into an A.I. model. We take video that we put together to say, here's what I want that person to say. Feed those together, extract out the components that we would use. So in this case, we want to use everything about Fletcher, his face, everything he's at. But we want to superimpose our mouth on top of Fletcher and try to make it look as realistic as possible. Tools already exist to do that, essentially to an automated format. All you have to do is feed at the source information and then export it out into the final video where you would see a video of Fletcher saying something like, I like puppies or something like that. When we all know Fletcher doesn't like puppies.
Jim: No, but I'm wondering if you can see all kinds of nefarious uses for that kind of technology. So does it require some kind of supercomputer? I mean, you're there in the session where they're doing, pretty much standard equipment.
Jeff: Standard equipment. The only thing a supercomputer and once a supercomputer, just anything powerful is speed up the time it takes to perform the machine learning and the A.I. components of it, and then to render a copilot video.
It's really no different than trying to produce a video, for example, on a laptop versus a desktop. If you have a good video card or some like that, extra processing power definitely plays into a fact.
But the actual code can technically run on just about any type of modern hardware, whether it's, your basic business laptop or if you've got something a little higher end, say make it go quicker. And these tools are free and they're out on GitHub. They're continually being improved. And it is a very slippery slope. I'm interested in it because I think just from a fun factor. We certainly like our means on the inside Identropy, being able to put together videos of people doing dumb stuff internally is probably one thing or doing friends.
But when you start to leverage it for the nefarious things, financial gain and election influencing, political, and military, whatever it may be. Certainly opens up that very slippery slope of OK, how do we guard ourselves against that?
That was we kind of point of the session that I went, but I was at was, OK deep fakes are here, they’re not going to go away. And the technology already out there and people can do it. So how do you detect when someone when there is a video that has been deep fake or an audio of those sorts of things? And there's a few different ways that you can look at it. The way that you would probably approach it would be a few different signals or different detection authorities.
The first one might be at the signal level. So things like the noise on the sensor might be different for let's take an example, let's say in that example we took my mouth and we put it over Fletcher's video so that it's Fletcher in the video, except for my mouth, the stick, the sensor noise between the video associated with my mouth and Fletcher's rest of the component of the image might be different.
So might be different interpolations, etc. That could be different types of compression that's being used at the jpeg level, a lot of very technical kind of things that I want to get too deep into that. But that's one well you can look at as the signal level. Another one that might make more senses is that the physical level, which is around the lighting conditions. So if you think about a video and you've got the subjects, who is the target of who we're trying to impersonate? And maybe they had a light and it's shining on them from the left and creating shadows right that go across the right because of the way the light works. If you don't rehab that exact same lighting, the lighting might look different around different areas of the video. So maybe, the mouth or etc. might have different lighting compared to the rest of the picture. Something that, if someone's paying a lot of attention could obviously fake as well.
Jim: yes, I think the things you're bringing up are, as the quality gets better and better expert to detect. So if I was interrogating you and I'm trying to get you to admit to a crime and then I show you a video of your buddy in the other room who'd said the Jeff did it you're not going to be like a guy who's different in the sense that it has to be. I mean, that's I think that's a big concern. Is technology like this, like cloning, DNA cloning, and what do we do with DNA “Cloned a sheep”, Kelly, 20 years ago. But there it's probably not that far into the future if it hasn't already happened of cloning human being. So the technology is moving so fast and society is going to have to deal with these types of technological advances. And are we ready for it or not?
Jeff: I think that's the frontier that I think a lot of companies are starting to figure out is how do you detect these? I know Adobe has something that they've started to work on and they've even released the session that I was that was sponsored by ZeroFox. They have no skin in the game around social impersonation and so forth. And they say and I believe they're going to be releasing later this week the tool that they use to try to detect a deep fake and it focuses on specifically the mouth region of videos to try and tax some of the things that might be indicators of a fake video versus a real video. But, as the offense gets more complicated, the defense, meaning the audio check to make sure it's real or not, is going to have to evolve as well.
But it was very interesting, is definitely worth looking at more if you're interested in that sort of things, because I think it has really huge ramifications for not just security, but kind of society as a whole. Can you believe your eyes anymore or not? And where are you getting your data and your information from? Because, that could also play into it.
Jim: Great topic. And I think the overall, the first ask the question, why would somebody in your position and Identity and Access Management go to the Black Hat conference? I'm going to suppose that part of it is just awareness and getting you to think about these topics and it maybe isn't directly part of kind of what you do. Like an IAM conference would be an open drive to a lot of things.
Jeff: That's exactly it. I mean, like coming to Blackhat specifically because this is typically where the exploits and the things that come out of this conference and also, defcon that comes right after it.
The things that you're going to see in the field in the next if they haven't already started within the next couple of years as they become weaponized. So from an awareness standpoint, being able to understand, how do these things work? What's the genesis of it? And then what are some of the products that are out there that might be able to help the defense or mitigation of some of the risk associated with it? I like seeing the other new stuff, and that's probably the lights out here, too, is what's new. Because, I’m sure you get this, too. Writers need to be an expert in all products, and that's very difficult to do.
It's more reasonable to have an awareness of what's out there and then bring that knowledge back and try to apply it to the real world.
Jim: Absolutely. And then hopefully we can take some of this and maybe some of the folks that you're meeting and ask them to be on the podcast at a later date.
Jeff: absolutely. I'm sure we're working on already a couple of guests. We have our booking agents on it.
Jim: And if anyone's out there listening, who would like to be on the podcast? You have an interesting angle on Identity and Access Management or related technologies. Reach out to us. Jeff, you want to give that contact information?
Jeff: Yes, you can send it to firstname.lastname@example.org, or you can feel free to leave a voice message. Then I'll be on the link in the show notes. And, we’ll get back to you and talk about, how we get on and have a conversation that you had to make it something that we can all find interesting listen to.
Jeff: So, I think I'm gonna call it here. It's the end of Black Hat, at least the next couple of hours I'm heading back trying to find a quiet place where just not working. I'm gonna head back to the conference here in a few minutes and see what else I can dig up.
Jim: Just from a logistics standpoint. The conference is at Mandalay Bay, which is the people in Las Vegas at the end of this trip, correct?
Jeff: Yes, totally himself.
Jim: So people are thinking about going to a next year and assuming that in the same spot, like any tips or tricks, people should keep in mind.
Jeff: Yes, book early, get a room at the Mandalay if you can.
Luxor is right next to it. And that's definitely walking distance, and then so as Excalibur. All three are connected. So you don't actually have to go outside if you don't want to. But, it's certainly a longer walk. Depending what you do, there's plenty of stuff to do in Vegas. But I would say if you're at all interested in security and you haven't been to one, it's worth going to just kind of experience and see what it's like and, take advantage of the different vendors. There are all kinds of events that are going on. All the vendors want you at them. So, there are parties at different types of clubs and different types of events and music, things that happen throughout the week.
But it's interesting for sure, but booked early because rooms go pretty quickly and you don't want to end up having to trek 30 miles in everyday if you don't have to.
Jeff: All right. I'm going to head back to the conference. Hope you guys enjoyed listening to the show. I'm sure we'll get back to more Identity focused and Identity Access Management focused things the next couple of weeks. But we thought this would be a good kind of timely recap of what I've seen with boots on the ground here at Black Hat. So we'll talk to you again hopefully next week, Take care.