Privacy Please

S5, E220 - DEFCON and Black Hat Highlights: AWS Takeovers, Industry Insights, and much more!

Cameron Ivey


Curious about the latest buzz from DEFCON and Black Hat? We promise you'll gain fresh insights into the world of cybersecurity, including a behind-the-scenes look at Palo Alto's marketing mishap that set the industry ablaze. Join Cameron Ivey and Gabe Gumbs as they shed light on the evolving landscape of cybersecurity, celebrating the growing contributions of diversity while acknowledging the industry's ongoing challenges.

But that's not all: we dive into the nitty-gritty of AWS account takeovers, uncovering the risks and misconceptions that many IT professionals face. From shadow accounts to AWS's dominance over Google Cloud and Microsoft Azure, we've got you covered with the latest research and conference highlights. Plus, we share some fun moments and upcoming events like PSR and IAPP in LA, sprinkled with a bit of autograph signing and fan interactions. Tune in for an engaging episode that combines technical deep dives with thoughtful industry reflections and a touch of humor!


Speaker 1:

All righty, then. Ladies and gentlemen, welcome back to another episode of Privacy Please. I'm here with Gabe Gumbs. This is Cameron Ivey speaking to you in your ear holes, if that's what you listen out of.

Speaker 2:

They have one of those microphones that like the jaw bones and they're listening to us through the reverberations in their jaw.

Speaker 1:

Is that for people that are deaf, deaf?

Speaker 2:

I don't know if that works for like if you're completely deaf. But, like some of the old school military silent comms work that way. I'm certain they have better things than that. Now I would know. And then there was a company literally called Jawbone that came out with a microphone product like that. Yeah, no affiliation no.

Speaker 1:

Affiliation I don't even know if the product works or not.

Speaker 2:

So don't, don't, don't listen to me was that?

Speaker 1:

like, was that a headset with us?

Speaker 2:

like was a headset, yeah, yeah, yeah yeah, plug the camera kind of ran down along your jaw and then they moved to just like a regular headset and just kept the brand name Interesting. Yeah, that's not what we're here for, though.

Speaker 1:

What are we here for? Well, welcome back to the show guys. Thanks for being here. Gabe, how are things going on? Your end? Everything good. I know that there was a pretty big couple of events that just passed us this last couple of weeks in the security realm.

Speaker 2:

Yeah, yeah, I'm decent, no complaints here. I did not get to make it to Hacker Summer Camp, which is what I assume you're referring to, aka DEFCON, aka Black Hat. Black Hat, yeah, they're not the same, um, but they happen the same week. DEFCON first leading into the... I'm sorry, Black Hat first, leading into the DEFCON weekend.

Speaker 1:

So, uh, we're not referring to Def Comedy Jam. No, no, better, probably. Much... well, depends.

Speaker 2:

I mean, a lot of hilarity definitely ensues at DEFCON, make no mistake about it. Some very amusing things happen during the show, during the conference in general. But I did not get to make it to the desert this year, but, man, it looks like a lot of fun was had in the desert, as usual. There's a number of things that happened, right.

Speaker 1:

Yes, there actually are. Well, I'll let you. There's one in particular that comes to mind. I mean I wasn't there, but I think it was Black Hat. There was a. There was this big thing that I saw on LinkedIn, that kind of blew up where Palo Alto. Oh that thing. Yeah, the marketing mishap with the women in the dresses or the nightgown or the gowns I think it was the lampshades that did it yeah, well, that was the. That was the degrading part about it, I presume so I guess, yeah, it's um, it's interesting.

Speaker 1:

I the thing that I'll tell you one thing that I loved about it. I loved how so many women and like men and in the industry actually spoke up about it. And defense, because obviously you've been in security a lot longer than I have, and we're going to pull up in three decades. So yeah, it's been. It's been a very masculine run industry so dominantly. Yeah, male indeed.

Speaker 2:

Still true of IT in general but yeah no, yeah, no, it still very much is there's. Yeah, it has changed a lot since then and I'm very, very happy and proud to see the countless number of ridiculously talented individuals, both male and female, but the women in this industry in particular incredible, incredible, absolutely incredible.

Speaker 1:

Incredible. I mean, I think that there's still a lack of women and diversity. We've been to local seminars about this kind of stuff and security. True, it's obviously evident. I think there's a lot of things that factor in and why the industry is still dominantly men and usually white men, but it's definitely changing, it's getting better. I think it just depends on you know people in the industry and local areas that are pushing others to get in the industry and just being voicing their. You know, yeah, there's a lot of it, but there is, there is so do you?

Speaker 1:

think? Do you think that it would have been as as demeaning if it were just mannequins and not real people, not real women, um, or does that even matter? That's a great question.

Speaker 2:

That's a darn good question. I'm not certain I know the answer. I think the easy answer is yes, it may have still raised an eyebrow to like what, why? But that they were actual humans creates a different problem too. Right, those are two people that needed a job, took a job, and this is I presume they didn't do it because they wanted to. I'm not knocking people not to do it because they wanted to. True, there are those. Yes, there's absolutely nothing wrong with that. No shame, no kink shaming whatsoever on privacy policing.

Speaker 2:

However, I have to ask myself, I just don't, I don't understand. Like I could sit and say things like it's 2024, but here's the real thing. It's like I don't get it. Like what was the? What was the draw, the connection? Like what was, I guess? Was it just like, it's Vegas? Like I don't fucking get it.

Speaker 1:

I don't get it. I don't know. I mean, I'm not sure if they have had... I mean, I know the CEO had a response to it. It sounded like it was a mistake and it wasn't what the company represents and all that kind of stuff.

Speaker 2:

All right, that's cool.

Speaker 1:

Mistakes are forgivable. Yeah, I don't know. I think sometimes this stuff can get definitely blown out of proportion too. There's two sides to it, for sure, yeah well, it's easy.

Speaker 2:

I mean, every industry loves some drama. And I'll tell you, infosec is no different. Boy, do we love some drama? We love CrowdStrike. There was CrowdStrike drama, right, like that was a few weeks ago. So, speaking of Black Hat, also, um, or DEFCON, they won the, uh, the Pwnie Award for, you know, biggest fuck up. Um, CrowdStrike proudly earned that Pwnie. Yeah, again, we love some drama, so much so we give out an entire award for it every year, like who's deserving of the most amount of drama.

Speaker 2:

But a lot of other fun things happen in the desert, like all the really good stuff, like all of the beautiful red teamers, blue teamers, purple teamers, just straight up, hackers and hackresses. Hackresses, hackresses I shouldn't try and gender the word, but I was having fun with it Either way. There was a lot happening in the desert last week. That was pretty cool. Everything from security researchers unveiling more flaws they discovered in a lot of IoT devices floating around in everyone's home, right. So they hacked a couple of vacuum cleaners and some other things via their Bluetooth and used their cameras and microphones to spy on them.

Speaker 2:

Suggestion: if you have a wireless modem that you've bought in the last couple of years, you probably can create multiple different, if not straight networks, at least virtual LANs. You should totally separate those things. Take your IoT devices and if you don't actually need to have them connected to the internet, just don't. Just don't, right, just don't. And second, if you're going to, put them on their own damn network. And that probably wouldn't stop all of the things because, like in this case, you know, hacking it via Bluetooth means that within proximity, somebody might still be able to, and just from being on the other side of your wall. And that's the problem with these devices, right? Like, being on the other side of the wall, you just gave that outside world an immediate camera right into your house, right? Crazy talk, crazy talk.

Speaker 2:

Some other fun stuff. The LockBit ransom group got infiltrated. That was pretty awesome, right. So Jon DiMaggio, researcher. He'd used just some kind of OSINT activities to try to identify members of that ransom gang. Ransomware, of course, being ever-present at Black Hat, right. Some of the other cool ones I saw related to ransomware or tangentially related to ransomware. There were some talks from some of the researchers at Northwestern. They wanted to test their backup solutions. They were like, huh, is it actually immutable? The answer: nope. Hold on. I've been, for those of you that follow my grumpiness online, but like a few months ago I posted that meme. It's like, prove to me your immutability isn't just an access control, the guy sitting at the table, because I have yet to find other immutability capabilities that are anything other than an access control, man. There was so much fun stuff happening, so, so many fun things. A lot of stuff, a lot of stuff.

Speaker 1:

Laser microphone eavesdropping. Yeah, these are just some of the highlights. What's this? Prompt injection on Microsoft Copilot.

Speaker 2:

So it was a new vector of attack against Copilot that allowed you, based on the prompts that you put in, to have the system return sensitive information, which was I didn't get a chance to see that one.

Speaker 2:

So the presentation materials and the videos are starting to trickle in online, as well as all of the other information as people get back home. So I haven't had a chance to pore through it all, but, uh, it looks fascinating. I'm slightly disappointed now that I didn't get a chance to make it this year, so it looks like it was a good time. I've yet to experience a Black Hat.

Speaker 1:

Yeah Well.

Speaker 2:

I would say you definitely got to do it at least once in your life. You absolutely must.

Speaker 1:

Wait, maybe I did go to one.

Speaker 2:

I don't know.

Speaker 1:

They all start to mesh together.

Speaker 2:

They do Trust me, they do.

Speaker 1:

Maybe it was DEF CON is the one I've never been to.

Speaker 2:

Okay, that's possible. A lot of folks, especially if you're in the solution side of the industry, so to speak, will typically attend just Black Hat. That's the more commercially oriented part of it. DEF CON predates Black Hat. I don't know, by about five, six years, maybe. I don't remember how long now. That is the hacker gathering. It's still a cash-only event. You don't need to tell anyone who you are, you just show up, put some money on the table, go participate.

Speaker 1:

That's cool.

Speaker 2:

Walking Village, some satellite hacking villages, all kinds of cool stuff.

Speaker 1:

Yeah, I remember you were pretty excited. I think it was a few years ago when you got to take I think you took your son.

Speaker 2:

Yeah.

Speaker 1:

Which must have been a pretty fun experience.

Speaker 2:

Yeah, it's good stuff. It's good stuff. A rite of passage, I tell you. A rite of passage. See if you can figure out how to get around the parental controls. If you can do it, you've earned it. You can keep it. If you can't, that's it. You're back to watching just Barney. Sorry, but I'm a teenager, I don't care. That's right, that's right. Watch Barney until you can get around it. Well, is there anything else that stood out

Speaker 2:

that was pretty major, um, that people should know about? I think one of the other significant ones was there was some research around hacking AWS accounts using shadow accounts, which is huge.

Speaker 2:

Huge, absolutely huge. Some topics that we haven't spent a ton of time talking about on this show, but I've been researching offline. There's just so many assumptions made about how AWS works by a lot of people leveraging the platform, and this platform isn't necessarily inherently secure, although it has its issues, like anything else. A large part of the problem is just how people assume it works.

Speaker 2:

And it is complicated, is the other side of that coin. It's really difficult to know all of the inner workings, and even if you knew many of the inner workings, you'd be far from ever knowing enough to really feel comfortable, in my opinion, that you know it all. And yeah, these researchers, they demonstrated how you could take over AWS accounts using ShadowGap. It was interesting, it was very good. Again, that's another one I want to dive into a little bit further. But AWS has become another place where folks are starting to leverage it more, not even just for all of its many capabilities to automate infrastructure and things of that nature, but for simple cloud storage, even. It has become a very significant part of a lot of people's infrastructure, even in the very uncommon, even as just an archival place for them to put data.

Speaker 2:

And I hear on a daily basis statements made about how AWS works that always.

Speaker 2:

I spend not less than an hour a day educating people on what they think happens when you do certain things in AWS and how they think it otherwise keeps them protected. For example, you know, keeping their data immutable in an object storage bucket by simply turning on Object Lock and version control. Like the first thing they don't realize is their cost starts going up, like, tremendously. And the second thing they don't realize is it's an access control, right. And so then you walk them through any number of ways to bypass it and/or poison it first, and they're like, huh, I didn't think you could do any of that. It's like, it's not that I'm a magical unicorn. I mean, this pretty little horn in my head might suggest that, but there is so much to be learned and to understand about how the infrastructure works. And so, yeah, there were some great talks. That was probably, for me, one of the bigger ones too, was the AWS account takeover stuff.

Speaker 2:

Just think of how much AWS rules the world from IT infrastructures.

Speaker 1:

How many SaaS products are built on top of it.

Speaker 2:

How many individual organizations are using it as part of their overall IT strategy?

Speaker 1:

How much?

Speaker 2:

just relies on it. How much of the internet period relies on it. These days it's a fairly high number.

Speaker 1:

Is it more... I don't even know what I'm trying to say here... compared to Google?

Speaker 2:

Is it more important to our... oh, definitely. They have way more, way more market share from an infrastructure perspective than Google. I'd say, you know, if you were stack ranking the three hyperscalers, as they get referred to, the three hyperscale cloud vendors, it would definitely be, you know, AWS, then Microsoft, then Google. Wow, yeah, Google used to be...

Speaker 1:

Did Google not used to be one of the tops before, or?

Speaker 2:

They never really got their cloud platform to take off quite the same way. It's, I mean, it's in use, it's a solid platform. It has its pros, like anything else. It has its cons, yeah, but it's never quite gotten the same kind of adoption that AWS has.

Speaker 2:

Why? There's a number of different reasons, but the number one thing that everyone points to, and the truth is, they were kind of late to that game. They were a little late to the, uh, cloud infrastructure-as-a-service, platform-as-a-service, you know, the IaaS, PaaS, all that stuff game. So, interesting.

Speaker 1:

Okay, well, um, any other highlights, um, from Black Hat that we didn't touch on?

Speaker 2:

Maybe. There's so many, I think we should probably, uh, probably hit a little blog, cast the action up, maybe, on it. We'll see, um, we'll decide if we want to post some more. We'll drop some links in the chat to some other resources, though. Uh, I'll definitely drop some of the talks that I thought were really noteworthy. They certainly all make the list, but there are a few that really floated to the top of my list that I want to highlight for folks. So, um, yeah, otherwise, it was another year in the desert. Glad everyone made it back safe. I may try and get there next year. It's hard to say knowing this far out.

Speaker 1:

Yeah, we'll see. I know, Trinson. We made an appearance at Black Hat for the first time, so maybe I'll get a chance to be there next year. But some notable events that are coming up: PSR, IAPP in LA in September. Nice, I'll be there. So if anybody's going to be there, let me know. Right on, you signing shirts? Yeah.

Speaker 1:

I'll sign some shirts, ball caps, whatever, babies, whatever you got. Babies, you know, man boobs, shirt sleeves, yeah, shoes, yeah. I'll take some pictures with you, righteous, if I'm feeling, you know, friendly enough. Security, security. Who is this guy?

Speaker 2:

Move this man. Tell him to stop tugging at my hem.

Speaker 1:

This guy's trying to sign me. I don't like it. All right, Gabe. Well, thanks, man, and thanks for everyone. If you guys got questions or anything that we missed, that was big, that we weren't there, you were there, shoot it our way. Love to highlight it and all that kind of stuff. So love you guys, until next week. Until next week, toodles.
