8/6/2014
04:05 PM
Tal Klein
Commentary

The Illegitimate Milliner's Guide to Black Hat

A less-than-honest "Abe" goes undercover to get a behind-the-scenes look at Black Hat and its infamous attendees.

For this, my most clandestine assignment to date, Dark Reading asked me to go undercover among the hacking Black Hat masses to clear away the fog of public relations, false bravado, and one-upmanship in order to take a true pulse of this shadowy gathering.

My nom de plume for this incognito mission: Abe Abrahamson. (Who wouldn't trust a man named Abe?) A quick call to Kevin Mitnick to vet the aforementioned hypothesis with regard to my alter ego was met with his cunning impersonation of a disconnected number message (which I knew to be code for "Your cover is impeccable, grasshopper").

Under said auspices, and with my ticket to Las Vegas in one hand and a potent gin and tonic in the other, I settled into my seat and began to work on Abe's backstory, something learned from reading The Grugq's Guide to OPSEC and Thai Cuisine (amazing how much the two have in common). You see, one does not simply stroll into the world of a Bangkok hacker without knowing the rules.

  • Rule 1: Always smoke cigarettes.
  • Rule 2: Always have a backstory.
  • Rule 3: Well, I stopped reading the slide deck before Rule 3, but I want to believe it's "One does not speak of OPSEC when one's mouth is full of Thai cuisine."

After hacking my airplane's WiFi by cross-site scripting my credit card information at the login page, I learned from a stout United Airlines first officer that smoking is not permitted due to FAA regulations. Vaping is a gray area, and I didn't want to bring undue attention to myself before becoming fully immersed in Rule 2, so I endeavored to test my alter ego with the hoi polloi in preparation for prime time.

I began by socially engineering the friendly looking San Franciscan seated next to me in the exit row.

"Hi there. Name's Abe. Like Honest Abe, but I assure you, no relation whatsoever to Mr. Lincoln, although I do drive one," I began. "A Lincoln, that is, for I am a milliner. I design hats."

"Oh?" said the man, clearly falling for my ruse.

"Yes, my father was a haberdasher from Cornwall. But I never had the generalist's touch," I said, enriching my story with impeccable detail. "I knew from a young age that designing hats was my calling. No slinging silly bespoke buttons and frivolous silk ties from a fading red-bricked storefront in Cheshire for me. I would design hats!"

"So you make hats?" he replied, obviously impressed.

"Not so to speak. A hat-maker makes hats," I replied with confidence. "I am a milliner. I design hats."

"What's the difference?"

Cornered! Clearly this tourist in disguise was an expert hacker with full marks in social engineering. I had inadvertently walked into one of those infamous "capture the flag" contests, so I shifted strategy to earn his confidence with the hacker's secret handshake.

"I, er… I specialize in a certain kind of hat," I said, regaining my balance. "A black hat, if you get my meaning."

"You only make black hats? Like for hipsters or something?"

Oh, he was a wily one, clearly skilled in the dark arts. I was merely an amateur learning the ropes.

Thinking quickly, I feigned a fit of narcolepsy, closing my eyes and going limp -- apart from the hand that still clutched my cocktail, the aid of which allowed my ruse to lapse into a real sleep that lasted until the plane descended onto the tarmac.

Avoiding eye contact with the flag bearer beside me, I rang my contact on the ground, a Mr. Hoff, who assured me that my cover was still good, but that it would be best to head for my hotel posthaste. Things were afoot. Wheels were in motion. Balls were in the air, and other such clichés of the trade.

Upon my arrival at Mandalay Bay, Mr. Hoff administered a brief Turing test of sorts, asking me to identify mine among a scroll of 1.2 billion passwords. Fortunately, the list was alphabetized, so I was able to find FlyingColours123 in no time. With the smug satisfaction of a test well passed, I was spirited away to a cocktail party, whereupon Mr. Hoff had me hobnobbing and rubbing elbows with various information security luminaries.

Honest Abe was once again fully engaged. With the aid of conversation's finest lubricants, my charade knew no bounds. I discussed iOS jail breaks, Faustian USB accessories, and the cuts of attendees' jibs (or hats, as it were). You see, through cunning interrogation, I learned that, though this tradeshow is called "Black Hat," it is about more than mere variations of the quintessential Chapeau Noir.

I met one sober bloke by the name of Jeremiah Grossman, crowned by a white hat, which I wrongly presumed to be in defiance of the status quo. He kindly stood me corrected. His hat was white, he explained, because he and his compatriots protected companies from black hatters who meant them ill. I also met chaps from Microsoft whose hats were blue, the explanation of which became lost in a hazy fog of disconnected memories aswirl in tinkling glasses, and perhaps a jester cap and bells.

The next morning, I awoke on the carpet facing the exhibit hall, my head resting on a makeshift pillow of ATM receipts. I had danced toe to toe with the infosec royalty I'd come to study and, like a butterfly out of metamorphosis, emerged as one of them. But what great epiphany could be drawn from this cyber transformation? Only this:

Heavy hangs the head that wears a black hat.

Tal Klein is Vice President of Strategy at Adallom. Previously, he was senior director of products at Bromium where he led product marketing and strategy from stealth mode to a multimillion-dollar business, disrupting the enterprise information security landscape. Prior to ...
Comments
TalKlein,
User Rank: Author
8/11/2014 | 7:58:44 AM
Re: "Heavy hangs the head that wears a black hat."
Yes, in the immoral words of 90's pop divas En Vogue, "back to life, back to reality." I would like to imagine that for all the money I've lost in Vegas, I've gained a cornucopia of knowledge, but we shall see. Thank you for the opportunity to go deep undercover. I doubt anyone who met me in Vegas suspected my ruse. :)
Marilyn Cohodas,
User Rank: Strategist
8/11/2014 | 7:41:32 AM
"Heavy hangs the head that wears a black hat."
"Abe" -- Hope your "heavy head" is a little lighter now that you are back at home after all the revelry at Black Hat (not to mention the mind-blowing research and info from all the briefings). Thanks for your witty view of all the fun going on behind the scenes. 
TalKlein,
User Rank: Author
8/8/2014 | 11:17:38 AM
Re: try harder whitehats
From an OPSEC perspective, it would seem contrary to a Black Hat's cause to identify themselves as a Black Hat. No?
Dr.T,
User Rank: Ninja
8/7/2014 | 9:20:23 PM
Re: try harder whitehats
I would agree with that. I have not heard anybody identifying themselves as black hats; they always think they are white hats, if not gray hats.
Marilyn Cohodas,
User Rank: Strategist
8/7/2014 | 2:29:36 PM
Re: BH is for WHitehats
Really appreciate your honesty, there "Abe."
TalKlein,
User Rank: Author
8/7/2014 | 1:08:42 PM
Re: try harder whitehats
Yes, honey four zeros, you might have a point there. Shall we meet in the expo hall by the popcorn machine and compare tchotchkes?
TalKlein,
User Rank: Author
8/7/2014 | 1:06:30 PM
Re: BH is for WHitehats
Sir, as I write this, I am in the midst of a Jiu Jitsu headlock administered by the same Jeremiah Grossman you speak of. I wish him no ill, he is a champion of industry, a man among men, a

I'm sorry I passed out there for while. What were we talking about?
honey0000,
User Rank: Apprentice
8/7/2014 | 11:06:42 AM
BH is for WHitehats
I esp am laughing at the part of the article where you reference Jeremiah Grossman as being "against" the status quo by attending blackhat. You are severely incorrect. Jeremiah Grossman is perfect for attending blackhat. As well as all other whitehat fools who think they are at a "dark" conference obtaining leet informations about upcoming trends or zero.

What a f*cking joke to the real community.

LOL

Like a real BH is going to pay 3K for your training courses/attendance. And if a BH's firm pays for it? They are passed out and not in attendance of * talks or the conference itself. Have fun "learning" at BH kids. lolol
honey0000,
User Rank: Apprentice
8/7/2014 | 10:55:07 AM
try harder whitehats
conferences are for tools. try harder.

real blackhats DON'T GO TO BLACKHAT

Conferences are for sellouts and wishers.
