
The Illegitimate Milliner’s Guide to Black Hat

A less-than-honest "Abe" goes undercover to get a behind-the-scenes look at Black Hat and its infamous attendees.

For this, my most clandestine assignment to date, Dark Reading asked me to go undercover among the hacking Black Hat masses to clear away the fog of public relations, false bravado, and one-upmanship in order to take a true pulse of this shadowy gathering.

My nom de plume for this incognito mission: Abe Abrahamson. (Who wouldn't trust a man named Abe?) A quick call to Kevin Mitnick to vet the aforementioned hypothesis with regard to my alter ego was met with his cunning impersonation of a disconnected number message (which I knew to be code for "Your cover is impeccable, grasshopper").

Under said auspices, and with my ticket to Las Vegas in one hand and a potent gin and tonic in the other, I settled into my seat and began to work on Abe's backstory, something learned from reading The Grugq's Guide to OPSEC and Thai Cuisine (amazing how much the two have in common). You see, one does not simply stroll into the world of a Bangkok hacker without knowing the rules.

  • Rule 1: Always smoke cigarettes.
  • Rule 2: Always have a backstory.
  • Rule 3: Well, I stopped reading the slide deck before Rule 3, but I want to believe it's "One does not speak of OPSEC when one's mouth is full of Thai cuisine."

After hacking my airplane's WiFi by cross-site scripting my credit card information at the login page, I learned from a stout United Airlines first officer that smoking is not permitted due to FAA regulations. Vaping is a gray area, and I didn't want to bring undue attention to myself before becoming fully immersed in Rule 2, so I endeavored to test my alter ego with the hoi polloi in preparation for prime time.

I began by socially engineering the friendly looking San Franciscan seated next to me in the exit row.

"Hi there. Name's Abe. Like Honest Abe, but I assure you, no relation whatsoever to Mr. Lincoln, although I do drive one," I began. "A Lincoln, that is, for I am a milliner. I design hats."

"Oh?" said the man, clearly falling for my ruse.

"Yes, my father was a haberdasher from Cornwall. But I never had the generalist's touch," I said, enriching my story with impeccable detail. "I knew from a young age that designing hats was my calling. No slinging silly bespoke buttons and frivolous silk ties from a fading red-bricked storefront in Cheshire for me. I would design hats!"

"So you make hats?" he replied, obviously impressed.

"Not so to speak. A hat-maker makes hats," I replied with confidence. "I am a milliner. I design hats."

"What's the difference?"

Cornered! Clearly this tourist in disguise was an expert hacker with full marks in social engineering. I had inadvertently walked into one of those infamous "capture the flag" contests, so I shifted strategy to earn his confidence with the hacker's secret handshake.

"I, er… I specialize in a certain kind of hat," I said, regaining my balance. "A black hat, if you get my meaning."

"You only make black hats? Like for hipsters or something?"

Oh, he was a wily one, clearly skilled in the dark arts. I was merely an amateur learning the ropes.

Thinking quickly, I feigned a fit of narcolepsy, closing my eyes and going limp -- apart from the hand that still clutched my cocktail, the aid of which allowed my ruse to lapse into a real sleep that lasted until the plane descended onto the tarmac.

Avoiding eye contact with the flag bearer beside me, I rang my contact on the ground, a Mr. Hoff, who assured me that my cover was still good, but that it would be best to head for my hotel posthaste. Things were afoot. Wheels were in motion. Balls were in the air, and other such clichés of the trade.

Upon my arrival at Mandalay Bay, Mr. Hoff administered a brief Turing test of sorts, asking me to identify mine among a scroll of 1.2 billion passwords. Fortunately, the list was alphabetized, so I was able to find FlyingColours123 in no time. With the smug satisfaction of a test well passed, I was spirited away to a cocktail party, whereupon Mr. Hoff had me hobnobbing and rubbing elbows with various information security luminaries.

Honest Abe was once again fully engaged. With the aid of conversation's finest lubricants, my charade knew no bounds. I discussed iOS jail breaks, Faustian USB accessories, and the cuts of attendees' jibs (or hats, as it were). You see, through cunning interrogation, I learned that, though this tradeshow is called "Black Hat," it is about more than mere variations of the quintessential Chapeau Noir.

I met one sober bloke by the name of Jeremiah Grossman, crowned by a white hat, which I wrongly presumed to be in defiance of the status quo. He kindly stood me corrected. His hat was white, he explained, because he and his compatriots protected companies from black hatters who meant them ill. I also met chaps from Microsoft whose hats were blue, the explanation of which became lost in a hazy fog of disconnected memories aswirl in tinkling glasses, and perhaps a jester cap and bells.

The next morning, I awoke on the carpet facing the exhibit hall, my head resting on a makeshift pillow of ATM receipts. I had danced toe to toe with the infosec royalty I'd come to study and, like a butterfly out of metamorphosis, emerged as one of them. But what great epiphany could be drawn from this cyber transformation? Only this:

Heavy hangs the head that wears a black hat.
