NolaCon 2019 D 11 MORE Tales From the CryptAnalyst Jeff Man

Welcome, everybody. I hope you've been enjoying NolaCon so far. I want to thank you for coming this afternoon to hear More Tales from the Cryptanalyst. My name is Jeff Man. I am a senior information security consultant at a company called Online Business Systems. There's my contact info; feel free to reach out to me, Twitter, email. Somebody did actually call me a couple of weeks ago, which was weird because people don't do that anymore, so I feel safe putting my number up there. Very briefly, because my company pays my way to come speak at conferences, I just want to give a quick shout-out to them. It's a company called Online Business Systems, which nobody's ever heard of. It's a 30-year-old company, mostly doing consulting and IT services, but we have a security practice that started about six years ago, and it's actually two people that I used to work with a long time ago, and I'm back with them again. Because they know me, they let me come out and do this speaking, so thanks a lot to my company, Online Business Systems. I've been in the information security business for about 35, 36, 37 years; it depends on when you count it as having started. My first job in the government was in 1984, so technically it's been about 35 years, but I used to have a job doing loan skip-tracing in college, which kind of taught me OSINT skills, so I kind of go back 37 years. I do want to apologize right off the bat: in putting together this presentation, which is really a story about the last couple of years that I was at the National Security Agency, I very quickly realized that finding screenshots was going to be a little bit problematic, because that's how we did screenshots back 25, 26 years ago. So I tried my best to find meaningful graphics to work with the talk, but bear with me; the technology's come a long way. I'm going to try to infuse throughout the talk, and especially to get you guys to interact with me a little bit, every once in a while there's going to be dates pop up, and when the date pops up, what I
am hoping to do is ask people what the significance of the date is. So let's do a trial run real quick: does anybody know the significance of this date in history? Shout it out if you want to guess. Shout it out, anyone. Give up? If you don't know what that means, you're just gonna have to wonder for a while, or google it while you're listening to me talk. So anyway, I was at NSA from 1986 to 1996, for about 10 years. In that time I did a number of different things. Primarily, or most of the time I was there, I was a cryptologist, and I worked on both sides: the defensive side, which we called InfoSec back in those days, as well as the operations or offensive side. So I technically was a cryptanalyst and a cryptologist, or a cryptographer, which means I designed codes and ciphers and I also tried to break codes and ciphers, and I also then later on got into the things that we're going to talk about today. A couple of years ago I had met somebody at a conference, at a speaker dinner the night before the conference, and went to his talk the next day, and it turned out he was giving a talk on sort of the history of cryptography, or cryptography 101, and the thought occurred to me: wow, I know everything he's talking about, I used to do that stuff. So I thought I would put together a talk, and turned it into a talk originally that was called Tales from the Cryptanalyst, which I have stickers for; if you haven't gotten a sticker already, there's some up here. I worked for a company at the time that had a graphics department, and I talked them into making this cool graphic that's supposed to look like the old comic book. In that talk I spoke mostly about the first six or seven years that I was at NSA, and I always promised the sequel, which is what we're going to be doing today, More Tales from the Cryptanalyst. Just very briefly, I don't know if you've heard my original talk or not, I wanted to share just a couple of things that sort of fit into
the topic of our discussion today. I started out in what was called the Manual Cryptosystems Branch on the InfoSec side of NSA. We produced things like one-time pads, which is what's up there on the left. The one-time pad is the most secure system available for protecting secrets that has ever been invented, because it's not breakable if you use it correctly, which, as the name implies, means you use the key one time. It simply can't be broken, unlike everything we use today, where even though it might take tens of thousands or millions of years, there's still the possibility of brute forcing and getting to that solution. Not so with the one-time pad. One of the first assignments I had was a customer that came to me and said, we're using these one-time pads and they're a real pain in the ass, because it takes us hours to write out the messages and do the encryption, but we've got this thing on our desk called a PC; is there any way we could use that to do the encryption? I thought, well, yeah, that makes sense; it's not a complicated algorithm, it's just a matter of getting the key in electronic form. So I ended up designing a system where on one end it was still paper and on the other end it was the one-time pad key on a floppy disk, and we produced this system that was a semi-automated one-time pad. To my knowledge, and I haven't found anybody that has come up with anything else, this was the first software-based cryptographic system that NSA ever produced. It might have been the last, but it was certainly the first. In doing that, and this sort of ties into some of the hacker methodology or hacker mentality that I didn't realize at the time that I had, I basically was working for an engineering organization that built little black boxes. In fact I had a chief scientist back at the time say something like, well, there's really no such thing as software, it's all hardware, because that's all that we did. And so I had design specs, and there was a process that you had to go
through in order to produce a new system. You had to follow all these specs that were written for hardware, so I sort of had to hack the specs and rewrite them to make them make sense for software. And I had to present the concept to essentially the board of directors, all the senior management within the InfoSec side of NSA. I was a young guy in my early 20s, let's say mid-20s, months on the job, meeting a bunch of old guys that were in suits, and they were all scientists and engineers, and they spoke a different language, and they were very serious, and I had to basically convince them to do something that had never been done before. This is obviously a Calvin and Hobbes cartoon that I redrew using what would be considered today Paint; I just kind of hand-drew this, copying a Calvin and Hobbes, which is no big deal other than it just sort of talks about the fact that I had to rewrite the specs, and in doing that I sort of broke a lot of rules. When I actually got the system fielded, the management said, well, you met all the requirements, you did what we asked you to do, but please don't do this again. One of the other things I did: one of my customers was the US Special Forces, and in working with them, they used one-time pads. The algorithm that they used was based on this table on the left, which is called a Vigenère square or Vigenère table, which is an offset of the alphabet, 26 different offsets. So you're familiar with the Caesar cipher, which is a single offset; this is a combination of 26 different offsets. In working with that, it basically produces unique three-letter combinations, and that was essentially the algorithm. The Special Forces would memorize it. I was working with them and didn't have it memorized, so I was fumbling with the table, but I'd just been through a bunch of history of cryptography classes and learned about cipher wheels, and I thought, there ought to be a way
to come up with a cipher wheel that does the Vigenère square. So I came up with it, and I was just using it for myself. To make a long story short, they liked it so much that we ended up producing like 15,000 of them and distributed them to US Special Forces. I bring this up, and this isn't the main topic, but it's kind of a neat thing that just happened a month or so ago. I was at CypherCon in Milwaukee and a buddy of mine came up to me. He knows I was a crypto guy at NSA, and he asked me if I'd ever heard of this thing called the Diana cryptosystem that was used by Special Forces. I said, well, that doesn't sound familiar, so I googled it and I came up with this page, some guy's making them out of wood. When I saw this, I asked my friend, I said, does that look like this other thing? Go back, does it look like that thing? And he said yeah. I said, well, that's because you're talking to the inventor. The guy that made these things, he was approached by an instructor who was apparently ex-Special Forces at the military War College, and I think it's Carlisle, Pennsylvania, and had given him a bunch of information on the history because he wanted to preserve the history. There was an email on there and I got in touch with the guy, and I just said, that Diana cryptosystem, I invented it, wanna chat? By the next morning I had an email back from the guy, so we've exchanged a couple of emails. Long and short of it, he sent me one of them, so if you want to see it afterwards you can come up and look at it. The reason he was calling it the Diana cryptosystem, and it took me a little while to remember: it's because all the crypto that we produced at NSA had a sort of serial number, it had a registration code of what it technically was, but there was also a code name just for short, and paper systems were traditionally named according to Greek mythology. I remembered after looking at this that the one-time pads that Special Forces used were
actually called Diana one-time pads. That's where the Diana came from. That was like the first question that the guy had, why did they call it Diana? Well, that's why. He actually sent me a whole bunch of puzzles; this guy makes crypto puzzles and he tries to replicate cryptographic items, and he does it in wood. It's kind of cool. If you google Diana cryptosystem you'll find this guy, if you want to pick up some of these things; they're kind of neat. This is actually a picture that I found, actually that the guy who had approached me had found on Pinterest of all things, and that's actually a production model of this thing that I learned Special Forces came to call the whiz wheel. Anyway, I got a cash award for it, and my boss, who considered me a loose cannon because I did that other thing, when I was written up for this, the abstract of my award was titled Man Reinvents Wheel. I've actually submitted a FOIA request, because I would love to get a copy of that; I don't know if it exists or not. The second part of my NSA career, which will be much quicker: I was on the ops side, so I was breaking codes. I was there during Desert Shield and Desert Storm, and I was down in the buildings that you're more familiar with if you have ever seen an aerial photograph. My one certification is that I'm certified as a cryptanalyst by the NSA, and that leads us up into what I call chapter three or part three of the NSA career, which is when I went back to the InfoSec side, which was actually technically my last tour as a cryptanalysis intern. I went to work for this group that was called Fielded Systems Evaluations, and the idea was simply that NSA sort of made its living taking advantage of our adversaries misusing their systems. They would do things like not change default settings, they wouldn't change keys as frequently as they were supposed to, like the one-time key, the one-time pads; I guess to try to save paper, sometimes they might use it for a week or maybe thirty
days or something like that. When you do that, you introduce cryptographic vulnerabilities that make the messages breakable. So somebody had the great idea: we produce the best little boxes and the best cryptographic systems in the world, but how do we know our own people use them correctly? So we had this office that did fielded systems evaluations of our own systems. This is one of the devices that I worked on. I don't know if anybody in the military has ever used this, but this was a device that would take a voice and digitize it and then encrypt the digital stream, send it to the other end, decrypt it, and hopefully take the digital back to analog so you could hear the voice. Usually it made you sound like Donald Duck, if anybody's ever used one of these. It wasn't perfect, but you usually got the messages. So here's another date. Anybody know what this date is? This date really changed history, and this date is really why we're all here. Anybody want to guess? Not a clue? This is the date that, not the first web browser, but basically the first commercially available web browser was released to the public. It was a browser called Mosaic, and like I said, rudimentary, but this is what it looked like. This is what got everybody interested in the internet and doing everything on the internet; it's what got us all online. The internet existed before that, but this is what changed things: a combination of this and this. Back in those days, and I'm talking obviously 1993, I was in this office at the time. We had reference materials, and if you notice, back then everything was all internet security, because it was all about how do we take our existing computers and networks and tap into this global backbone that's called the internet. So these are some of the books that I used as sort of reference materials back in the day. Within the Fielded Systems Evaluation branch I was in a little subgroup that was focused on network systems, and back before the
internet was a thing, at least in terms of web browsing, what was mostly connected to each other on the internet was universities and research organizations, mostly with mainframes, and most of the information that was available was on databases. It was very rudimentary and it wasn't very easy to get to, but hacking was a thing. Anybody ever read this book or heard of this book? This is actually a very inspirational book, and it was a book that was inspirational to us back in our office. I bring this up because I've had a few fanboy moments, but about a month ago I was at a conference where the gentleman that wrote this book, named Cliff Stoll, was actually the keynote. Basically what happened to him was, and this was back in I think 1986, he was an astronomer, and I think it was at Berkeley, I might get the details wrong, but basically back in those days you had to pay for your time on the mainframe. And so he was going through the bill that his group had gotten for the monthly charges for doing work on the mainframe, and he noticed something like a 70 cent discrepancy, something really small, and in digging up why there was this discrepancy, he slowly realized that their mainframe had been attacked, there was somebody on it. Nothing like forensics existed back then; there was very little known about computer hacking in any way, shape or form, and he kind of took it upon himself to figure out what had happened. Long story short, it was tied back to, back in those days it was the Soviet Union, and it was spies that were breaking into the university computers, because a lot of the research they did at that time was government stuff, DoD stuff, military stuff. Anyway, I bring this up because I got a chance to meet the guy, so that's me getting a picture with Cliff Stoll just about a month ago. Anyway, so our branch, the couple of guys that I worked with, we started learning about hacking, what
little there was, and we started applying that to the network systems. And of course hacking started to become sort of popular, more well-known, and management, as it were, decided to take over. If anybody's ever worked for a bureaucracy, you know management has a way of reorganizing, especially in the DoD. So in a short amount of time they reorganized us into what was called a Center of Excellence, known as the Systems and Network Attack Center. The purpose of the Systems and Network Attack Center, as I said, was to be the center of excellence, and the group that I was involved with focused on networks. We were essentially learning how to hack computers, learning how to hack networks, and that's kind of what we focused on. We didn't have a lot to work with; there weren't lots of conferences to go to, there weren't training courses, there weren't certifications, there weren't even really documented methodologies. We were just kind of coming up with it as we went along. We put a team together. The deputy director at the time, his vision was: we need a bunch of those long-haired, really smart kids, and we'll get a bunch of them and we'll beat the world. And of course, as you hopefully know, when there's thousands if not millions of people out there doing the same kind of thing, no one small set of people, no matter how good they are, is going to be able to compete against the world. So even in the very early stages we were sort of running into the political, bureaucratic "this is what we want you to do" versus what we were learning about in terms of hacking, and what we thought was the hacker methodology or the hacker mentality, and how you do this thing we called ethical hacking back then; we called it pentesting, penetration testing. At the time the Air Force basically owned the network. I don't know if they still do or not, but back then they did at least, and they were sort of ahead of
everybody else in that they had a Network Operations Center, and they were the first, at least DoD, organization to set up a security operations center, so they knew what they were doing. So we went on a field trip to learn about what they were doing, because resources were scarce, there wasn't a lot to go to, but we knew that they were doing stuff, so we went to visit them. We met a couple of guys that were Air Force captains: the gentleman on the left, Captain [inaudible]; the gentleman on the right, Captain Liddell. The captain on the left, he unfortunately passed away about two years ago now, I think. The guy on the right, Captain Waddell, I actually found him on LinkedIn, and as I was putting this talk together I had a chance to get on the phone with him and reminisce, because we went to visit them and then later on they came to visit us. If you're older, you may remember one of the first security companies that was formed was a company called WheelGroup, and like any good security company, after about 12 to 15 months it got acquired by Cisco. Cisco has been acquiring security companies ever since, and people still don't think of Cisco as a security company, but that's another talk for another day. We took a trip; they were located in San Antonio, and one of the cool things about being in San Antonio is they had this sort of Air Force museum, as it were. That was the U-2 spy plane; it had only recently been sort of declassified, so that you could actually go out and look at one. The A-10 Warthog, that was a plane that was instrumental in winning the first skirmish in the desert, Desert Storm. Those guys in the picture there are actually people that I used to work with; it's small enough, hopefully, that they're not identifiable, plus it was about 24 years ago, so we've changed a little bit. Of course we did all the cool stuff in San Antonio, like visit the Alamo, we went to the Riverwalk, and that's where we discovered what is
probably one of the most important aspects of hacking, trust me: the 46-ounce margarita. We only had one drink that night, so you can't say we over-drank, but it did most of us in. Our biggest takeaway really from San Antonio was sort of the way that they operated in terms of the team. Back in those days it was very common to have cubicles and have everybody isolated in their physical office space, but what they had done, they had pushed all the desks to the corners of the space and literally put a round table in the middle of their space, and if somebody was working on a research project, or somebody had a question, or somebody just wanted to bounce ideas off of everybody else, they would call "round table," spin the chairs, and everybody would come to the middle and huddle up. So we adopted that. In forming this thing called the SNAC, they moved us to a new building and they put us in an office, and we designed our office much like this, so we had a bigger round table. Like I said, it was hard to find graphics that fit this talk, but it's the best I could do. Our office we nicknamed, because we were trying to be cool hacker kids, we nicknamed it the Pit, and the Pit is an office that exists; these are buildings that are outside of the BWI Airport in Maryland, and the Pit was actually an office that was in this building here, pretty much in that corner of the building. I bring that up because a couple of years ago a book came out called Dark Territory. Anybody seen this book, read this book? A couple of people. In this book, in the fourth chapter, which is titled Eligible Receiver, there's the following paragraph, and I'd like to read it dramatically to you if you'll allow me. In the middle of it, it says: during its most sensitive drills, the red team worked out of a chamber called the Pit, which was so secret that few people at NSA knew it existed, and even they couldn't enter without first passing through two combination-lock doors. So somehow the first group of people that were
doing pen testing and learning how to do red teaming at NSA, and we were just a bunch of guys working together trying to learn this hacker craft, and we called our office the Pit; somehow that transcended into the folklore and they made it into a book. So we've got our little 15 minutes of fame there. Hooah. At that point it was exciting, because when the book came out, one of the members of the Pit got a copy of the book, and when he read that paragraph he took pictures of it and emailed it to all of us and said, guys, we're in a book, we're in a book. It was very exciting for us. But to move on: because methodologies didn't exist, we worked on developing a methodology. We were basically in uncharted territory; the existing rules of engagement didn't really apply, so we were sort of pushing the envelope, as a good hacker would; you wouldn't stay within the boundaries. One of the most important rules, which we came to learn later on, was sort of twofold. One was there's this thing called the NSA Charter, and the NSA Charter, which is still classified so I can't quote it to you, basically says NSA should only do what NSA does to foreign entities, and NSA should not do what NSA does to U.S.
citizens. We can talk about Snowden later. But in combination with that, what we were really encountering more on a day-to-day basis was the bureaucracy of: well, if you're gonna do all these attacks and everything, you need to have permission to do it. And permission in a bureaucracy means lots and lots of levels of management having a say, which means, it was paper back in those days, we'd have to write up what we were going to do and it had to be signed off by all sorts of levels of management, all the way up to the Deputy Director, and it had to be passed from desk to desk to desk and would sit on the desks for days if not weeks, where very often it might be a month before we got permission to do what we wanted to do. Of course, we're hackers; we knew what we were going to do, we knew it was going to work, and we wanted to do it right away, so that was very frustrating. But we gradually came up with a methodology, and it shouldn't come as a surprise to you that it's fairly similar to what we use today in terms of methodology. We call things different things these days, but essentially we started out by doing what we called reconnaissance, or recon, because that's a military term, or we were a military organization: find your target, determine what your target environment is, which was a network segment or a Class C network or something like that, and figure out what was on it, doing the things that we now do with nmap these days. nmap didn't actually exist back then. Identify your targets, find out what they're talking, what ports and services are open, figure out your attack strategies, do the attacks, write it up. Not a whole lot different from what we do today, except we had to figure this out because nobody had ever done it before, at least not within our organization. I want to show you, yeah, I mentioned nmap, we didn't have it. I tried to write down some of the things that I
know of that are common tools these days, just to sort of help illustrate what we were working with back then. Basically we had to hack uphill ten miles both directions in the snow, type of thing. A lot of the things that are taken for granted these days in terms of tools, we just didn't have, or we had very rudimentary versions of what now are these tools. I even put that in the slide about going uphill in the snow, look at that. So what did we have? I want to talk a little bit about the tradecraft, and this is where it gets a little bit tricky, so I'm sort of tongue-in-cheek. I gave this talk at BSides Baltimore a couple of weeks ago; there was a kid in the audience that got freaked out because he thought I was about to divulge a bunch of secrets. But bear with me. The problem we had was, when we as NSA were targeting a system, anything that we did to try to target that system had to be classified at the level of the system that we were targeting, which kind of makes sense, sort of, but if we were going after a top-secret network, anything we did was top-secret. So in sharing with you some of the things that were available back then, it might have been what we were using; I'm not saying we did use it, I'm just saying this is what was available at the time. There's no wink wink, you're with me, okay? So we had network sniffers. They were devices, they weighed 30 or 40 pounds, and we had them on carts and would wheel them around to plug them into the network equipment in big machine rooms and data centers. So those are the things that we had in terms of network sniffers. We did have access to what now would be considered vulnerability assessment tools, and I remember SATAN. Anybody ever heard of SATAN? This is one of the first tools; this and another tool called ISS, Internet Security Scanner, were sort of the first vulnerability scanning tools that were made available, open-source tools even back then. I'll mention it
later, but I do a security webcast called Paul's Security Weekly, and we actually had a chance to interview the authors of SATAN last November, I think it was, Wietse Venema and Dan Farmer. I actually coincidentally met Dan Farmer for the first time, don't even ask me what year it was, but it was here in New Orleans. I spent an evening with Dan Farmer on Bourbon Street; that's a story for a bar sometime. Anyway, I got a chance to meet these guys, so another fanboy moment I've had in the last year. So another date, anyone? I'm gonna go quickly because nobody's guessing at all. November 5th, 1993 is when something called Bugtraq came out. Bugtraq back in the day was sort of a digest, I think essentially it was an email list, where people would talk about vulnerabilities that they discovered. So when you were trying to track vulnerabilities back then, one of the best sources was to go to Bugtraq and search to see if anybody was talking about XYZ that you're using, and have they had any problems with it, how have they fixed the problems. A lot of it was just more focused on troubleshooting and trying to make things work, but it was a wealth of information for learning about targets and what they might be using, what they might be having difficulties with, and so on and so forth. So Bugtraq was one of those cool tools that we had. This is an example of what a Bugtraq write-up was: somebody would basically write an email, and it was organized in such a way that if you replied to the email it would sort of keep a digest. So it was very rudimentary, but you could kind of sort of search it. There were several, many people over the years that took Bugtraq and put it into a more digestible, searchable form, but this is what we had to work with back then. There were organizations like CERT, computer emergency response teams; there were various ones. They would put out notifications of incidents and vulnerabilities that were discovered; most of the time it was hackers doing their thing
that was being discovered. You probably can't read it because it's small print, but this was a real CERT advisory that was put out on July 4th, 1996, which was the release of a movie called Independence Day, that talked about the vulnerabilities associated with alien operating systems. So it was kind of a tongue-in-cheek thing, but we had senses of humor back then. We did things that are called OSINT these days; we called it kind of open source, again, we mostly called it recon. There were rudimentary searchable databases, or rudimentary search tools, that were used to tap into what were mostly these mainframe databases, things like Archie, things like Gopher. If you wanted to look up the IP addresses or network spaces of organizations, of your target, you could go to places and look them up. Back in those days we didn't have private addresses; everything had a publicly addressable address, so you'd buy a chunk, you'd buy a Class C, or a piece of a Class C, which is 256, 255 addresses, and you'd have to register your domain, so a lot of information was sort of out there freely available. Gopher is another search engine. Before Google there was a kickass search engine called AltaVista. I remember AltaVista; that was our go-to search engine. And of course there was Netscape, just the regular type of web browsing. The original Yahoo, you may remember the original Yahoo, I should have found a screenshot. When Yahoo first came out, one of the features on the first page of Yahoo was sort of what they called roulette; you could click on it and it would just take you to a random website, because back in those days there were only like a hundred websites, and they wanted you to experience the internet, so they would just let you go out to a random place. We did target acquisition. Before nmap there was a program called strobe. strobe did TCP port scanning primarily. As I was doing this talk and I was looking up
when things came out, because I wanted to make sure I was being accurate, I had an interesting discovery, and I'll ask it in the form of a trivia question: anybody know who wrote strobe? Assange. Julian Assange. I looked at it, and I was like, that's why I know the guy's name. When you used to launch strobe it would come up in a shell, it would scroll up and say, this is strobe version whatever, written by Julian Assange. I always knew his name sounded familiar. I can't read what that was; it's another search engine. nslookup, it was a way to look up addresses, the names of systems, the IP addresses of systems. We had rudimentary network mapping tools. Another date, anyone? I've got to speed it up here; I think I'm blathering too much. I'm doing okay. Crack, one of the first password cracking tools. Actually I found not too long ago on YouTube, like in the last week or two, apparently Alec Muffett did a presentation somewhere where he kind of talked about the history and evolution of Crack; very interesting. I should update this and get the link, but Alec Muffett talking about the history of Crack, it's like a 45-minute presentation, really cool. Back in those days it was all UNIX systems. Passwords were contained as hashes in what was called the /etc/passwd file. They weren't hidden, they weren't protected in other files; this was a world-readable file, so anybody that was on the system could look at this file, and of course you could grab the hashes and try to break them. One of the common techniques of how we would get root on UNIX systems was using something called setuid. Setuid basically was a flag that was set on the profile information of a file that would execute the file as the owner or the creator of the file, so if it was written by root it would run as root. And the trick was, if you could get a program to hiccup and halt execution, very often it would just kind of dump out into a shell, but because of the
state it was running in route when it launched the shell and say who we just crashed the shell would be a route very common method for getting Route back in those days I mentioned earlier we had the bureaucratic problems we had that charter problem this is sort of a summary of the Charter but again and you know the actual Charter is so classified so I couldn't show it to you but you know we were having the issues of you know not only the bureaucracy but also you know it came later and I'll get to it but also this issue of why is the NSA doing this stuff quickly another date anybody remember pretty good privacy do we still use PGP another fanboy a moment I'm gonna skip this story we had we had a we had a crisis within our office at one point that had to do with PGP but I don't think I have time to tell that story buy me a drink later and I'll tell the story for you but again last fall last October I got to meet Phil Zimmerman at a conference so I've had a lot of fambly movements meeting a lot of my idols in this industry just in the last year it's been kind of cool I am going to reveal one top secret tradecraft attack method that we used and please don't let it leave this room you don't have to pause the tape this was our primary attack tool when we were doing our reconnaissance you ready for it you laughed but quite literally if we wanted to follow the rules in issue a ping command just to see if there was a target out there not yet alone whether it was responding it would take us having to write it up and wait 30 days to get permission to do it and the reason was as we were we ended up talking to the lawyers we called a general counsel and their belief was well you know if you're going to attack a system you got to follow all these rules you got to get all these permissions and they interpreted ping because it elicited a response from the target they classified it based on the definitions of the day as an active attack and if it was an active attack it had to go 
through the 30-day approval process that wasn't working for us so we decided we were going to try to educate the lawyers the general counsel and for some reason I took it upon myself to sort of lead this spearhead this effort I think I was a business major so I kind of knew how to talk plain English to people I didn't always do the technical stuff and I actually have a brother that's a lawyer so I think for better for worse I took it upon myself to to try to talk to the lawyers to explain our methodologies to explain that was an imprecise science to explain that a lot of what we did was dependent on what we saw we didn't know going into it without looking at anything exactly what our attack methodology was going to be so I set out to try to teach them more of the methodologies and more the concepts and in the way of thinking about things their thought was well just demonstrate all the 50 hundred attack tools that you have techniques that you have and you know let us understand them so when a new job comes in who's kind of like in this this ala carte mentality just tell us you're gonna do a little of this one and a few of these and a couple of those and we know what they are will streamline streamline the process and improve it rather quickly so I would meet with them once a week there was a popular show on at the time called home improvement so I call it a tool time and we spent once a week I'd spend like an hour hour and a half with the general counsel just trying to go through and teach them what it meant to do hacking what it meant to do and how you did reconnaissance and how you did discovery and the whole nine yards we were so good at what we were doing that word got out I mean we started out kind of doing you know our own internal networks and and obviously you know DoD and military which is all secret and top secret networks but somehow and I don't really honestly know how it happened but you know word got out in other military or other government 
organizations non-military this is sort of a summary of an article that actually was written a few years after I left I'll make these slides available so you can read the small print but essentially we were approached by the Department of Justice and the Department of Justice wanted to have their website their internet presence assessed by us we what we ended up doing we called vulnerability and threat assessment vta and so we had a vulnerability and threat assessment methodology vtm you got to have acronyms in the military and of course the lawyers got involved in this and the problem was NSA was responsible for classified networks who was responsible for unclassified networks at the time was NIST NIST at the time didn't really have any capability so NIST very routinely would sort of you know passed the pass that pass it along back to NSA with this convoluted bureaucratic political process we had to embark on this convoluted bureaucratic political process to be able to do what we weren't supposed to be doing but it was kind of understood that we could do it if we followed the rules you with me so far what we had to do is we had to get the the Attorney General who at the time was Janet Reno she had to write a letter to the basically was to the person that was responsible for this InfoSec stuff asking basically asking a favor saying hey can you do this for us we know it's not really you that's supposed to do it but we'd really like you to do it so there's the the letter it's in two parts but it was actually signed by Janet Reno we came up with a response and the response came from the director back to the DDI I'm sorry to the guy on the previous letter to go back to the Attorney General if you can read the small print you know it's from the director at the time the very last line there I was actually named as the point of contact so we're again this was a couple months process to try to get going to be able to go do a vulnerability and threat assessment of the DOJ 
web presence we're all up to 21 August the letter had been signed it just hadn't been delivered and right before it was supposed to get delivered this happened we got it I got a call on a Monday morning from my contact at the DOJ saying oh my gosh our website was hacked help please help us does anybody remember this this was like the first hack of a government DoD web site so it was kind of a big deal and not only was there no methodologies back then on doing vulnerability threat assessment pen testing there was also no methodologies or procedures back then for doing forensics and back in those days if you had a website you are hosting it on your own server and your own network hopefully outside of firewall so it was internet facing and when they realized that they were breached the first thing they did was pull the plug and then what was the second thing they did rebuilt the system so whatever forensic evidence might have been there wasn't there but we didn't know that at the time I assembled a team mostly people from our little office in the pit and we went down to the DOJ for a couple days and set out to try to figure out what we could do to help them three or four days into it we actually got a phone call from the Home Office and the message I got from one of the guys that was left behind was the shit's hit the fan you guys got to drop what you're doing now and come back no drop what you're doing and come back so to make a long story short somebody somewhere in in in the bureaucracy had gotten wind of the fact that NSA was at a non secret top secret site doing things that are outside of the Charter which was when I became very familiar with the Charter because I was the ringleader they put me under investigation they essentially tried to fire me if not prosecute me a long story short I was absolved because I had to be interviewed by all sorts of security people and I said you know we just were trying to help I like it what's the big deal it was a political mess 
we did learn a few things about forensics I actually was one of the contributing editors to I think was the first document that the SANS Institute put out about incident like you know preserve evidence don't wipe everything immediately try to start doing logging and put the log stuff stuff that we now understand it wasn't written down back then we were basically just you know slapped on the wrist reprimanded and told look you know we like what you guys do but if you're gonna do what you do here you got to do by you got to play by our rules and we kind of said most of us said okay it's a lot of us left there are technically six of us and the sound is working four of us have left and gone out into the private sector two of them are still at NSA the only one that I'm allowed to say publicly who was part of the pit is Ron gula he's the founder of tenable network security nessus let me see if I can turn that off very good we used to play that we had it on our laptops and when we were doing our thing we were we were geeks so we would play the Mission Impossible music anyway so the aftermath is another date and I think that is going back to that book dark territory chapter 4 was called eligible receiver eligible receiver was the first joint joint services wide coordinated pentest Red Team exercise that was performed by NSA it was done in 1997 in June it was originally supposed to be like a 14 day exercise and they had to pull the plug after 3 or 4 days because they broken everything at that point it's interesting they did they did a symposium I guess it was on the 20th anniversary I think it was back in 2017 where they invited a bunch of people and I think to the University of Maryland University College and they put some of it you know these were all the bureaucrats and the political people got together to talk about all the cool thing that they did and that they coordinated and that's you can read more about it in the book I think the website is still active they 
actually for a little while had a 20-minute video that had been put together back in like 97 or 98 kind of recapping the story they redacted it so it's about eight minutes out of the 20 minute video it was up there for a while I watched it I didn't grab it and then later they took it down but they had like an hour 90 minute you know roundtable discussion which again I think they pulled the video on but I think if you go and ask them for it they might share it with interesting history lesson another date in history September 1st 1997 that's when an map came out we loved that map I used n map in the commercial world all the time it was wonderful those of us that are from the pit we still get together every once in a while and the guys who still work there they they bring us gifts sometimes so one of our meetings about two years ago so they brought us NSA secret sauce you can get this all at the National Cryptologic Museum by the way and a little pen that actually has a sort of like a bat warning light so that mug is the the projection of the NSA seal which is coming from the pen cool stuff you can get it at the National Cryptologic Museum so that's sort of this story and I apologize for going quickly there are more stories to tell obviously if you're interested in intrigue it occasionally comes up I mentioned on one of the hosts and Paul's security weekly so you can hear me off in there and very often I will tell stories of old because it comes up in conversation pack for kids is going on in Chicago right now hackers kids is teaching hacking skills to young people they put together a card game last year and sort of like one of these fantasy card trading games I'm not a young person I don't do it but they have face cards and I got to be one of the face cards and this is the majority of the face cards we were down I think two people Leslie Carr Hart and Josh Corman were not present for that photo they just they've actually released a second deck and there's five more 
face cards that they call in Hakman ism so if you want to do a fundraiser go to go to that and buy the deck it's it's educational because the whole game is all about the history of hacking and freaking in more detail but kind of the stuff I've been glossing over today I was recently included in a book that came out in January called tribe of hackers and they got tribe of hackers if you have it with you I'm happy to sign it if you don't have it I encourage you to go to Amazon and order it or just go to tribal Packard's that'll get you there it's like 15 20 bucks and it's an all proceeds go to charities I also was escorted one time to a talk by a bunch of storm troopers I consider myself a Jedi Master and probably what's most special to me is I am part of a group that's essentially a bunch of old people that get together once a year at RSA with Jean Stafford to go back early on in my presentation one of those books that we considered the Bible Jean Stafford's one of the authors he's been doing this for like 75 years he's amazing and I was invited to join this group it's invitation only you have to be sponsored and you get voted in or out and in an interesting twist the the person that I have my arm around there the guy in the red sweater that's actually the the lawyer that I used to deal with back at NSA we didn't get along too well right after that incident that I told you about and I didn't really speak to him for about 20 years but we've gotten reacquainted and he was the one that sort of introduced me and got me into this group so we're buds now turns out he took more knives in the back and was protecting us from even more trouble than I did get in so I thank him for that I don't know what we're doing on time but anybody have any questions comments maybe like 30 seconds if anybody has any question comment if you want to take me to a bar I can ask I can talk to Snowden yes uh-huh okay not in the commercial world and they still don't yep yeah and that's true yeah 
it's actually one of the things I've thought about you know like I showed the button you know the the book you know practical UNIX and Internet Security and hunting the wily hacker internet security the belief back then was let's just build a firewall let's just protect us from the evil internet and we'll be fine whatever goes on on the inside it doesn't matter because all we have to do is protect ourselves from the outside and then that that mentality was flawed somewhat as we've figured out and it still continues very often today so it's interesting you know what we used to call Internet security we now cost I'm not gonna say the word you know what I'm getting at any other questions or comments I appreciate your time I've got these stickers up here the Tales from the Crypt analyst I've had a few security weekly stickers too if you'd like help yourself anybody wants to buy me a drink downstairs I'm happy to talk snow thank you very much [Applause]
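The two old UNIX weaknesses the talk describes, password hashes sitting in the world-readable /etc/passwd and set-UID programs owned by root, as an added defensive audit. This is example code, not from the talk; the sample passwd lines and account names are constructed.

```python
"""Audit for hashes left in a world-readable passwd file (instead of
/etc/shadow) and for set-UID-root executables on disk.
Added example; sample data below is constructed."""
import os
import stat

# Constructed sample passwd text in the pre-shadow layout: two entries
# carry a real hash in the second field instead of the 'x' placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jeff:$1$saltsalt$constructedhashvalue000000:1000:1000:Jeff:/home/jeff:/bin/sh
legacy:ab3dZ9qWxT1uk:1001:1001:Old account:/home/legacy:/bin/sh
"""

# Values that mean "no hash here": 'x' points to /etc/shadow, '*' and
# '!' variants mean the account cannot log in with a password.
PLACEHOLDERS = {"x", "*", "", "!", "!!"}

def exposed_hashes(passwd_text):
    """Return usernames whose second field is a real, crackable hash."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; report nothing rather than guess
        user, pw_field = fields[0], fields[1]
        if pw_field not in PLACEHOLDERS and not pw_field.startswith("!"):
            exposed.append(user)
    return exposed

def is_setuid_root(mode, uid):
    """True when a regular file has the set-UID bit and is owned by
    uid 0, so it runs as root for whoever executes it."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0

def find_setuid_root(root_dir):
    """Walk root_dir and list set-UID-root files. lstat is used so a
    symlink's own mode is read, not that of its target."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if is_setuid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    print("hashes exposed in passwd:", exposed_hashes(SAMPLE_PASSWD))
    print("set-UID-root under /usr/bin:", find_setuid_root("/usr/bin"))
```

On a live system, point `exposed_hashes` at the contents of /etc/passwd and `find_setuid_root` at the directories you care about; every hit in either list is something to justify or remove.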
Info
Channel: Adrian Crenshaw
Keywords: irongeek, security, hacking, infosec, New, Orleans, NolaCon
Id: ohQy7i9ruWs
Length: 51min 42sec (3102 seconds)
Published: Sat May 18 2019