What a glimpse inside the Black Hat NOC reveals about infosec pros' security habits
Basic Auth among web traffic? Possible flaw in a well-known commercial VPN product? 'Security has to watch its own things'
Black Hat: The large network that materializes along with legions of infosec professionals at Black Hat every year presents the perfect opportunity to see how well the security community practices what it preaches.
Based on what this vulture learned from Black Hat Security Operations Center (SOC) lead James Pope this week, "do as I say and not as I do" appears to be the modus operandi of many attendees.
Sitting amid the darkened atmosphere, thrumming techno music, and scenes from what he said was "some hacker movie" playing on a projector screen, Pope reckons he saw lots of security mistakes on the Black Hat Wi-Fi network which the security community should know better than to commit.
Pope said he'd seen an excess of clear-text data floating around, including emails, files and even passwords. The Network Operations Center (NOC), of which Pope's SOC is a part, also noticed SASE proxy browser traffic being transmitted in the open, LDAP being exposed to the internet, non-encrypted Basic Auth among web traffic and, most critically, a potential flaw in a well-known commercial VPN product.
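The "non-encrypted Basic Auth among web traffic" finding is the kind of thing a NOC sensor flags with a simple rule. The following is an added example (not code from the Black Hat NOC or from Corelight) of such a rule in Python: it scans constructed HTTP request heads, flags Basic Auth on ports assumed to carry plaintext HTTP, and reports only the username, never the password.

```python
import base64
import re

# Constructed sample of reassembled HTTP request heads, in the shape a
# passive sensor might hand to a detection rule: (client, dst_port, head).
# All hosts, addresses and credentials below are made up for this example.
SAMPLE_REQUESTS = [
    ("10.0.0.5", 80, "GET /api/status HTTP/1.1\r\nHost: intranet.example\r\n"
                     "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("10.0.0.7", 443, "GET / HTTP/1.1\r\nHost: tls.example\r\n"
                      "Authorization: Basic Ym9iOnNlY3JldA==\r\n\r\n"),
    ("10.0.0.9", 80, "GET / HTTP/1.1\r\nHost: open.example\r\n\r\n"),
    ("10.0.0.11", 8080, "GET / HTTP/1.1\r\nHost: proxy.example\r\n"
                        "Authorization: Basic abc\r\n\r\n"),
]

PLAINTEXT_PORTS = {80, 8000, 8080}  # assumption: ports carrying HTTP without TLS
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$", re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)


def basic_auth_user(token):
    """Decode a Basic token and return only the user part, or None when the
    token is not valid base64 (an analyst still wants to know it was sent)."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0]


def find_cleartext_basic_auth(requests):
    """Flag Basic Auth headers seen on plaintext ports. The password is
    deliberately never part of the finding: the alert is evidence of
    exposure, not a place to store credentials."""
    findings = []
    for client, port, head in requests:
        if port not in PLAINTEXT_PORTS:
            continue  # treated as TLS-protected; a sensor would not see the head
        auth = BASIC_RE.search(head)
        if not auth:
            continue
        host = HOST_RE.search(head)
        user = basic_auth_user(auth.group(1))
        findings.append({
            "client": client,
            "host": host.group(1) if host else "<no Host header>",
            "user": user if user is not None else "<undecodable token>",
        })
    return findings
```

Running `find_cleartext_basic_auth(SAMPLE_REQUESTS)` yields two findings: the port-80 request from 10.0.0.5 as user `alice`, and the port-8080 request whose token could not be decoded; the port-443 request is skipped.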
The unnamed VPN, Pope said, was leaking the GPS coordinates of tons of users connected to the Black Hat network - so many that he said he'll be writing a disclosure notice to the company at the conclusion of the conference.
"It's possible there's just a setting somewhere that's being commonly misconfigured," Pope noted, suggesting there might not be an actual technical issue. Either way, the Corelight director of technical marketing engineering told us, he still has a duty to disclose it just in case.
The Black Hat network this year was non-trivial: The nearly 13,000 unique wireless clients that connected to it drove traffic to a peak of 3.16Gbps, with 75 million DNS queries across the five-day event.
On a network of that size - especially one at an event called Black Hat - there could be some cyberbaddies poking around, which Pope acknowledged: "When I'm on a regular network, any positive hit is a threat," he said. "Black Hat positives are different."
People in a class could be testing malware or running traditionally suspect commands, a booth presentation could be getting tricksy, or just fill in the blank with whatever other legitimate use of illegitimate traffic at an infosec convention you can think of.
There were 2.65 million threats detected over the five days the Black Hat network was set up, data shared in the NOC wrap-up talk showed, and not all of that is down to "Black Hat positives," Pope told us.
The abyss gazes back
If there's one thing the network traffic at Black Hat tells us, particularly the non-encrypted stuff, it is that security is not always easy, not even for industry professionals.
"If we as cybersecurity firms are doing this, then so are enterprises," Pope told us of the conference's monitoring setup.
That said, modest-sized enterprises don't have the budgets to fill rooms with threat hunters, like the 20 that staffed the Black Hat NOC at any given time this past week. We don't envy the job.
Those SOC guardians can look for the unknowns and be proactive - like when one decided to code a new rule to detect an SSH security issue discussed at the conference, Pope said. No instances of the vulnerability being exploited were detected, yet the situation where one of the SOC threat hunters had the time to build that tool would be impossible to replicate in a one- or two-person security shop.
You can't innovate when you're struggling to make it through tickets, Pope added.
When the critical eyes of dedicated threat hunters turned to look at the infosec industry this week, they saw the exact same mistakes, and plenty of them. It's not like we don't already know this is a problem - Black Hat's network traffic is just one more example of what, judging from Pope's tone when he said it, ought to be obvious:
"Security has to watch its own things." ®