NocserV was able to attend the Houston Cyber Summit for the second year thanks to our generous partner Network Box. This year’s summit was held on February 28th at the George R. Brown Convention Center and built on last year’s success. Umesh Verma and the rest of the team from Cyber Houston brought together the right blend of experts from both the public and private sectors. There was a robust vendor showcase, which grew from last year. We saw the return of many speakers, plus some new additions to the format that make this a must-go event every year for all information technology professionals, not just security specialists. The underlying tone of the event was consistent with last year: we need to build more public awareness about cybercrime.
Everyone in attendance seemed to agree that cybercrime awareness is higher than ever, but the threats are getting more complex. We saw this theme on multiple panels throughout the day. Although I was unable to attend the entire event, I saw at least part of every session except for lunch and the closing remarks from Harris County Sheriff Ed Gonzalez. (Luckily I caught him at last year’s summit, and I doubt the message has changed much year over year; see my blog from last year’s event.) The venue didn’t have the curb appeal of last year’s Federal Reserve building, but I understand the move to the George R. Brown will allow the event to scale, as it will surely grow in the coming years.
The opening speaker was Kim Ogg, the Harris County District Attorney. Although I only caught the tail end of her talk, the message was that her office is very active on cybercrime. She said they have a caseload of over 1,700 cyber cases and gave a few examples of cases they have prosecuted and won in Harris County. The crowd seemed fully engaged with Kim Ogg and stayed focused even with the event’s lead sponsor next on the agenda. I had braced myself for an HPE product-centric presentation but was pleasantly surprised by Bob Moore, Director of HPE Product Management, Software & Security.
Bob started with his background in US Army Special Forces, sharing war stories from his time in Afghanistan and Iraq. His responsibility for protecting the servers and data when their bases were raided earned the respect of everyone in the room before he got into his content. During his presentation he made interesting points about what he referred to as the “Silicon Root of Trust,” and went into the vulnerabilities in firmware, hardware, and the supply chain that lie beneath the traditional software attack vectors where nearly all cybercrime occurs today. His content made a compelling case for choosing a hardware vendor you can trust. It was obviously slanted toward buying HPE hardware, but the points were valid; a well-positioned sales presentation.
The segment after HPE stood out on the agenda as the most unique and promising part of the programming, and it did not disappoint. It was titled “Live Hack Demonstration” and presented by Jon Villanti, VP and Information Security Officer at Allegiance Bank and an instructor for the SANS Technology Institute.
Jon started by reminding us of the global implications and impact of cybercrime by displaying the all-too-familiar FireEye threat map. I immediately started to tune out, because I have seen all too many sales presentations start here, but his take was different enough to keep my attention. Jon then moved into how we think about information frameworks. "It’s hearing, saying, telling versus understanding," Jon explained. He was starting to earn the audience’s trust that he was going to help us understand with his live hack, and he did, but not before continuing to set the stage and draw us in.
"It’s important to understand who is shooting the bullets,” Jon said as he dove into the profiles of the villains of his narrative. He started with the premise that nation-states pose our biggest threats and explained their motives: China for intellectual property, Russia for politics, Iran for banking, and North Korea for military secrets and entertainment, a scary adversary because they are less predictable.
Jon then moved into the next tier of villains: organized crime syndicates that want money. He explained that with cybercrime, unlike traditional crime, the benefits outweigh the costs because the punishments for being caught don’t fit the crime (and then he paused and emphasized: yet).
Finally, we moved into the third tier of villains, the one that would be the main character of Jon’s Live Hack story: what Jon refers to as “Script Kiddies,” a blanket term for self-taught hackers who rely on tools and tutorials written by others. They learn by consuming information on the internet from sources like YouTube videos. They use free toolkits like Kali Linux, a Linux distribution that bundles hundreds of attack tools, many with a graphical user interface (GUI) that makes hacking nearly point-and-click. They can be motivated by a number of things; the character in Jon’s story is motivated by money.
We watched Jon transform himself into a script kiddie. He sat in front of his laptop, alone, at the center of a stage-long table designed for panels of eight people. On screens to each side of him, he courageously displayed his screen in real time as he did his live hack. You could hear him pounding away on his keyboard through his mic; at times it was so quiet in the room you could hear him breathing. He reassured us when he made minor goofs in his typing: “If it’s uncomfortable for you, believe me, it’s way worse for me.” At one point, when he lost his train of thought, he took the pause as an opportunity to connect with the audience: “Anyone else catch Garth Brooks last night?” Although only a few of the two hundred or so in the audience appeared to have attended, everyone instantly cut him some more slack. Garth Brooks opening the annual Houston Livestock Show and Rodeo meant he saw a show of a lifetime, followed by the logistical nightmare of trying to leave a sold-out show at NRG Stadium. At that point you could tell that the audience both trusted and liked Jon and was going to join him all in on the ride.
He had the audience captivated and excited, and then, to ensure he had the attention of every last person in the room, he pulled up the target website for his presentation: a clinic that is part of the largest not-for-profit health system in southeast Texas, Memorial Hermann. Was he really going to do this in front of all of us at the conference? Yes, he was. The room fell silent; the last few people on their cell phones put them down and wouldn’t pick them back up. Jon meant business, and no one could look away while Jon the script kiddie went to infiltrate Memorial Hermann.
He opened up Kali Linux and showed us around a little. Although he boasted that he was more of a command line interface (CLI) guy, he had to go through and learn the simpler drop-downs to play his role as script kiddie today, a subtle credibility nod to the real hackers in the room. He also explained his motive: why Memorial Hermann? On the dark web, medical records are worth up to $1,000 each, so, he explained, "If I could do a data dump of 1,000 – 5,000 records, I’m retired.” At this point we had the tools and the motive, and for the next thirty minutes the audience was invested in seeing whether this script kiddie had the skills. Jon went to work, narrating as he hacked.
He first went to the web server, which he assumed, and then confirmed, was running File Transfer Protocol (FTP) for uploading new content. He also confirmed that it had HTTP and Secure Shell (SSH) open, so he knew he could talk to the server. Using one of Kali Linux’s menu-driven tools, he got to the root directory on the server, searched, and found a password file. Let that sink in: he selected a computer hack from a drop-down menu in widely available free software. From there he needed to crack the passwords, and he assured us that YouTube has videos that give our script kiddies all that information. A tool called John the Ripper can crack such a password in seconds if it is the typical dictionary word plus a number and a special character. While his passwords were being cracked, he went to the clinic’s public website in his web browser to confirm the staff names and their email addresses, which gave him a few guesses at usernames on the server.
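To show why a “dictionary word plus a number and a symbol” password falls in seconds, here is an added example (not from the talk or the original post) that implements the word-mangling rules a cracker like John the Ripper applies and runs them against a constructed password file. The hash algorithm (unsalted SHA-256), the wordlist, the usernames and the passwords are all assumptions made for this example; a real password file would use a different format, but the mangling logic, and the reason the one random password survives, are the same.

```python
import hashlib
from typing import Dict, Iterable, List

# Substitutions a cracker's "leetspeak" rule tries; chosen for this example.
LEET = str.maketrans({"a": "@", "e": "3", "o": "0"})

# Constructed wordlist: a real attacker uses millions of words, but a
# handful is enough to show the mechanics.
WORDLIST: List[str] = ["welcome", "summer", "houston", "password", "clinic", "hermann"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever the server stored (an assumption);
    a fast unsalted hash is exactly what makes this attack cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed password file: usernames and passwords invented for the example.
# The first three satisfy a "letters + number + special character" policy.
PASSWORD_FILE: Dict[str, str] = {
    "jsmith": sha256_hex("Welcome2019!"),
    "rjones": sha256_hex("H0ust0n1#"),
    "admin":  sha256_hex("clinic42$"),
    "drlee":  sha256_hex("vZ9!qL3#mW7@pT"),  # random: should survive
}


def mangle(word: str) -> Iterable[str]:
    """Yield the 'dictionary word + digits + symbol' variants that rule-based
    crackers such as John the Ripper try: case changes, leetspeak, a 0-99 or
    recent-year suffix, and a trailing special character."""
    bases = {word, word.capitalize(), word.upper()}
    leet = word.translate(LEET)
    bases.update({leet, leet.capitalize()})
    suffixes = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2020)]
    symbols = ["", "!", "@", "#", "$", "."]
    for base in sorted(bases):
        for num in suffixes:
            for sym in symbols:
                yield base + num + sym


def total_candidates(wordlist: List[str]) -> int:
    """How many guesses the rule set produces: a few thousand per word, which a
    laptop hashes in a fraction of a second."""
    return sum(len(set(mangle(w))) for w in wordlist)


def dictionary_attack(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Return {username: recovered_password} for every hash a mangled word hits.
    Hashes are indexed first so each candidate is hashed once regardless of how
    many users are in the file."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    cracked: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            for user in by_hash.get(digest, ()):
                cracked[user] = candidate
    return cracked


if __name__ == "__main__":
    print(f"{total_candidates(WORDLIST)} candidates from {len(WORDLIST)} words")
    for user, pw in dictionary_attack(PASSWORD_FILE, WORDLIST).items():
        print(f"{user}: {pw}")
    # drlee's random 14-character password is not in any mangled list.
```

Three of the four accounts fall to roughly twenty thousand guesses, because a policy of “word, then digits, then a symbol” describes the attacker’s rule set as much as the user’s habit. The fourth survives only because it is not derived from a word, which is the property a password policy should actually demand (length and randomness, or a password manager generating it). A slow, salted hash such as bcrypt raises the cost per guess but does not rescue a password that sits a few thousand guesses from a dictionary word.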
He had hacked the web server, but he was still sitting in the DMZ. For this script kiddie to get to his retirement payday, he needed to get into the private side of the network. To do so, he first looked at how the web server communicated with a host on the private side over FTP. He then wanted malware that would let him pivot and gather information about the private servers on the network. He built and tested it in front of us: a payload that forces the web server to call out through an open outbound port to his machine, where a listener waits for the connection, takes the output, and feeds back the malware that gets written to the host’s hard drive and run. The first connection attempt was refused; I believe at this point someone in the audience pointed out a fat-fingered typo in the code, and Jon humbly admitted, “hackers make mistakes too, but they keep trying.” The payload as written only redirected the connection, so he had to turn it into an executable and set up a listener to catch the callback. He was finally able to get a session started on an Oracle virtual machine.
He found a private IP address, went to a terminal, and tested whether he could ping the server. Confirmed. He then connected over Remote Desktop Protocol (RDP), entered the username and password he had stolen earlier (the same credentials worked on the private host), and started snooping. He found a file containing a list of medical records and closed out his role as script kiddie by simply saying, “I’m retired.”
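The call-out-and-listen pattern from the pivot described above, reduced to its networking skeleton as an added example (not the presenter’s code or anything from the original post): the “attacker” binds a listener, the “compromised” DMZ host makes an outbound connection to it, and the two exchange a message. Both ends run on the loopback interface here, the beacon text and the egress policy are constructed for the example, and no payload is delivered; the point of the last function is that a default-deny outbound rule on the DMZ host stops the callback before any listener can catch it.

```python
import socket
import threading
from typing import Dict, Optional, Set, Tuple

LOOPBACK = "127.0.0.1"  # both "sides" run locally in this example


def start_listener(host: str = LOOPBACK) -> Tuple[socket.socket, int]:
    """Attacker side: bind an ephemeral port and wait for the DMZ host to call back.

    The listener never initiates anything; it only needs the victim to be able
    to connect OUT to it, which is why egress filtering matters so much."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))           # port 0: let the OS pick a free port
    srv.listen(1)
    srv.settimeout(2)             # don't hang forever if the callback is blocked
    return srv, srv.getsockname()[1]


def call_back(host: str, port: int, beacon: bytes,
              egress_allow: Optional[Set[int]] = None) -> bytes:
    """Compromised-host side: open an outbound connection to the listener,
    send a beacon, and return whatever the listener feeds back.

    egress_allow models the DMZ firewall's outbound rule set (assumed for the
    example): None means 'anything goes' (the misconfiguration in the demo);
    a set of ports means default-deny with an allow-list."""
    if egress_allow is not None and port not in egress_allow:
        raise PermissionError(f"egress to tcp/{port} blocked by policy")
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(beacon)
        return s.recv(1024)


def run_exchange(beacon: bytes = b"beacon from dmz-web01",
                 egress_allow: Optional[Set[int]] = None) -> Dict[str, object]:
    """Run both sides and report what each saw."""
    srv, port = start_listener()
    result: Dict[str, object] = {"port": port, "received": None,
                                 "reply": None, "blocked": False}

    def accept_one() -> None:
        try:
            conn, _addr = srv.accept()
        except (socket.timeout, OSError):
            return                       # callback never arrived
        with conn:
            data = conn.recv(1024)
            result["received"] = data
            conn.sendall(b"ack:" + data)   # stand-in for "feed back the payload"

    t = threading.Thread(target=accept_one)
    t.start()
    try:
        result["reply"] = call_back(LOOPBACK, port, beacon, egress_allow)
    except PermissionError:
        result["blocked"] = True
    t.join()
    srv.close()
    return result


if __name__ == "__main__":
    print("open egress:  ", run_exchange())
    print("default-deny: ", run_exchange(egress_allow={80, 443}))
```

With unrestricted outbound access the listener receives the beacon and answers; with an allow-list of only ports 80 and 443 the DMZ host never gets out, the listener times out empty, and the pivot fails at the first step. The firewall rule is the cheap control here: the web server has no business initiating connections to arbitrary ports, and the same rule would also have stopped the payload download Jon described.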
He summarized what we had just witnessed in his Live Hack, suggesting that this is all too common and all too preventable. He rattled off the issues that led to his script kiddie’s payday: poor security architecture, an improperly set up DMZ, manually synchronized passwords (the same credentials on the DMZ server and the internal host), ports that shouldn’t be open, and password policies that aren’t strong enough. All things that everyone in the room agrees in theory should be better, but that all too often in practice are overlooked.
Jon then moved into solutions. For passwords, multi-factor authentication (MFA) helps, but it still isn’t unbeatable. Use an authenticator app (Google Authenticator or Microsoft Authenticator) on your phone, and use a password manager such as LastPass or KeePass at home. Double down on endpoint protection. And then Jon gave the four things he said mitigate 85% of attacks:
1. Application whitelisting (Bit9 Parity)
2. Patch applications (Flash, web browsers, Microsoft Office, Java, PDF readers)
3. Patch operating systems
4. Restrict administrative access
As he closed out his masterfully designed and executed demo, Jon humbly brought himself back down to earth. One person, presumably a college student, asked him on the online question forum if he was part of a Red Team (the attackers in a security exercise, opposite the Blue Team defenders). To answer, Jon quickly went over his past adventures with the National Security Agency (NSA) breaking into buildings, but then professed, “I am a boring person who drives an SUV, works at a bank, and is not for hire!” Well said, Jon.
When asked, “Did you really just hack into Memorial Hermann?” Jon finally admitted that he had spent hours recreating the website he hacked on a virtual machine and setting up the DMZ, the FTP server, the open port, the private network, and the desktop session; he staged everything. But even when he revealed himself as the man behind the curtain, there was no loss of respect. After all, as he explained, he wanted to keep his top secret security clearance, and doing something criminal like hacking Memorial Hermann in front of a few hundred people would be a sure way not only to lose his clearance but to face other consequences as well. Well done, Jon, you had me the whole time.
I was unable to attend the lunch session. The afternoon panels were interesting, but the panelists and the content were effectively what we saw at last year’s summit, which I wrote about in my blog last year. Overall this was a great event; I plan to attend next year, and I hope everyone takes time to understand the implications and impact that cybercrime continues to have on our world. The underlying theme of the conference seemed to be general awareness of the issues, and there was optimism that as an industry the cybersecurity community continues to make progress.