Lessons from Black Hat - It's Easier to be the Bad Guy

Monday, August 08, 2011

Rafal Los


I read a good interview with Charlie Miller on TomsHardware.com, and it reminded me of a quote from the IRA that I had forgotten. I'm quoting the author here:

After the Brighton Bombing in ’84, the IRA released a statement that included the line "... remember we only have to be lucky once. You have to be lucky always."

Lesson #1: As the defender, your job is at least an order of magnitude harder than the hacker's.

That's absolutely correct. As the attacker, you typically have the luxury of time and resources. You can avoid the well-fortified front gate, go around back, and jiggle the handles on the doors no one thinks to lock.

This is real-life attacking. Attackers have time on their side, and they know that it is human nature to over-protect the things we value but to forget to protect the things we consider not-so-important... even though those are often connected to the super-critical things.

Lesson #2: You have to understand how things are connected together to understand risks and form a defensive strategy.

This year's Black Hat conference and Defcon 19 reminded me of this quite well. There was no shortage of hacking of things such as insulin pumps, automobile remote start/unlock systems over SMS, and other random stuff that proves that breaking in is easier than keeping the bad guys out.

Then a friend sent me this: http://twitpic.com/61jqgu, which is basically someone asking "do I get points for getting the diagnostic screen on a poker machine??" ... proving that, amongst the many things compromised at the Rio Hotel & Casino (the PA system, elevators, light/sound, registration system, ATMs, poker machines, and pretty much everything else that was electronic), there was no shortage of breaking... and the defenders clearly lost, big.

What sort of advice can I offer, then? If being a defender is so much harder, what's the strategy? I really would like to see a lot of the breakers turn into defenders, or at least try it.

I'm not saying hacking is easy, but let's face it: after attending Black Hat, Defcon, and BSides LV... you start to lose hope just a little.

Cross-posted from Following the White Rabbit
