Like any other HackerCon there are good and bad things, so I will jump right into the interesting stuff. The start of the conference was a little slow taking less of an attacker security approach, which I prefer. In any event around midafternoon was a talk called “Wipe the Drive!!! Techniques for Malware Persistence”. Mark Baggett and Jake Williams discussed some amazing techniques used by attackers. I mean things that even memory forensics don’t catch. They were discussing persistence tactics like:
- You remove malware and later your computer scans for a wireless access point as a part of normal activity and that scan releases the malware again.
- Your remove malware and later you plug in a standard clean USB key. At this point the trigger of the key being plugged in releases the malware and infects the system.
Again their entire suggestion on the talk was to suggest wiping the drive is again the only safe way to possibly remove malware and to think otherwise might be foolish.
Day 2 and More
On the second day I ended up attending a few different sessions. There was a talk on running a CTF that went through some of the tactics but mostly explained the amount of time it takes to setup and run a CTF. Several of the other talks I went to were less than technical in my opinion and I felt everything could be Googled in about the same time I was in the presentation. There was one exception, Carson Zimmerman packed the room (seriously no sitting space) with his talk on “Ten Strategies of World Class Computer Security Incident Response Team”. I came in late, but what I saw was good.
Other activities at the Con were always entertaining. The Lockpick village always provides a good time filler in-between sessions. I enjoyed spending some time handing out a few Hacker&Agent card decks to kids. Also, there was plenty of hacker and security speak in the evenings at the hotel bar. Otherwise if you like games there were some contests on the Xbox or I would suggest testing your skills by taking a stab at Shmooganography. If you get a chance and get into the 2014 conference its worth at least taking a look. Below is a preview of the 2013 contest.
Again overall a good Con, but I think some of the talks need to be more technical and in-depth next year.
What to buy and why? What pick set is required?
Before you start Lockpicking what type of set and locks should you get. Is an 18 pick set or an 8 pick set better? After traveling to several different Lockpick villages and engaging in research about different types of locks there are a few things to understand.
I recently co-wrote up a blog that was posted on Open Security Research: Getting Started with Lockpicking about this topic.
Check it out!
Hackers & Agents the card game is in full swing. The game is continuing to evolve with several add on packs coming out soon. If you like encryption puzzles there is a new encryption card in the deck with added difficulty. Check out the Facebook page for any new updates. Also there are several tutorials and graphics posted to help with normal game play.
On another note I will be hanging out at the Hacker-Maker conference in Rhode Island this weekend doing more locking picking and handing out a few decks.
I ran into a Schalge Everest lock giving me a challenge so if you are into lock picking I think its important to have a tension wrench that enters from the top. I’m hoping the lockpick village at the Brain tank has some good practice locks.
Lock picking has long been a method of access to information. Professionals engaged in physical security reviews or social engineering assessments currently are the main security professionals using these methods. We’ve all picked the weak file cabinet lock at work or maybe even jiggled a key of a similar type to get access through a door, but how important is it really for security professionals to know this skill.
Recently having purchased a lock pick set and several training locks I found it was extremely easy to pick the locks. I went through a 6 set training lock package in just a few minutes and then an advanced 4 set in even less time. I’ve read a lot prior to the purchase and even have made picks out of street cleaner bristles, but very little practical knowledge. After moving on to master locks, etc. I found it was a little more difficult initially, but if you just sit down watching TV and practice picking the lock it becomes easy after a while. Now there are some very complex locks and I continue to learn and understand more about these locks. In any event, unless the lock implements very strong controls, picking the lock is done easily.
It is important that security professionals understand lock picking to grasp the risk. Many professionals really only talk security and don’t really practice it. The auditor comes in and says you need to put in badge readers because there is no accountability, etc. These people really don’t understand the simplicity of lock picking or the real weakness. Not that I’m anywhere near a professional at it.
- How many locks at your work environment are key locks?
- Is there sensitive information in these areas?
As professionals we should not underestimate the simplicity of lock picking. If you are serious about security you really need to get some lock picking practice and understand the risks associated with standard locks.
If you are interested in learning more you can learn lock picking at Defcon and ShmooCon
In addition, if you continue as a hobby I would recommend becoming a member of the following site.