You have just read a blog post written by Jason McIntosh.
This year’s Layer 8 Conference in Providence came to my attention after my May post about my summer plans. As soon as I heard about it, I knew I had to clear a day for it. After more than twenty years as a professional software engineer, I feel quite ready to explore other paths, including specialization. Infosec has held a certain allure for me lately, and here was a one-day conference dedicated to the topic — more or less — a half-hour walk from my home.
I attended as an outsider to the community, and I learned so much. This article, then, mixes observed experiences particular to my day at the conference with more general knowledge I picked up and can’t resist describing for a larger audience.
My first discovery was that Layer 8 is itself about two particular topics within infosec:
Social engineering: tricking people to trust you, usually with the goal of accessing things or places otherwise locked away from you. I feel uneasy describing this, because when I put it that way it sounds akin to pick-up artistry or confidence scams — and probably for good reason! However, Layer 8’s speakers have made a legitimate career out of the practice, with corporations inviting them to try breaking into their secure facilities as a kind of penetration test. (“Physical pen test” being one term of art I heard a lot, in fact.)
Without exception, the stories I heard did not describe Hollywood-style crawling through air ducts, but instead just striding confidently down well-lit corridors, the intruder putting everyone at ease with a smile and a wink that they belong there — and listen, Jessica from the front desk sent me over here and said you could print out a visitor’s badge for me? Do you mind…? Oh, thank you, you’re a lifesaver. Where’s your server room? I’m supposed to meet Rahim there…
OSINT: open source intelligence, which seems like kind of an awkward name since it has little to do with open-source software. Practicing OSINT means getting intel about some entity — be it person or corporation — by using both organized research tools and the myriad and utterly disorganized exposed surfaces and handles that protrude from every website and social-media presence, ready for grasping and pulling, like a thread, for anyone who knows what to look for.
Much of OSINT takes advantage of the fact that so much of the internet is built by teams working by the seat of their pants to ship features as fast as possible, delivering something that looks good on the surface, and to hell with the thumps in the closet and the lumps under the carpet — a topic of intimate and painful familiarity to me.
Besides “OSINT” itself, two new frequently used terms from Layer 8 that I’ve added to my own glossary:
Tailgating: a basic infiltration technique which, in its benign form, I have participated in countless times — and I would wager that you have as well. As the term implies, it simply and literally means following someone with security clearance around, letting their trust envelop you and speed you on your own way like a cyclist riding in the draft of another.
The most typical tailgating action involves passing through a locked door for which one has no key by simply waiting for a key-possessor to approach, and then following them through. This strikes me as social engineering in a nutshell, really; in every such case I’ve encountered, the key-holder will hold the door open for a friendly-looking stranger who just happened to stroll around the corner at the same time. Nobody wants to be a jerk! (And even people who do like being jerks probably don’t want to put their day on hold just to challenge some stranger’s presence.) And that’s how it all starts.
Rubber Ducky: If your infiltration has proved successful enough to grant you physical access to an on-site computer, you can jam one of these specially prepared USB keys into it, and — in all likelihood — watch it crack open like a walnut under a series of automated attacks. The “ducky” identifies itself to the computer as a keyboard, you see, and it firehoses the poor machine with a script of every security exploit applicable to its OS and network environment, “typed in” at an inhuman speed.
I do not want to believe that this exists, because it does sound like something from a movie. But it’s a thing! With a brand name! You can buy one right now! And people use them all the time, apparently. I imagine it doesn’t come standard with a window that pops up to display [HACKING...] with a progress bar, but I would totally believe that some folks have modified their duckies to have exactly that anyway.
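The defensive angle on the ducky is that it can’t be told apart from a keyboard by device class alone, but it can by behaviour: it types far faster than any human. The following is an added example (mine, not from the post or any vendor) of the detection logic an endpoint agent could run over a stream of keystroke timestamps. The threshold of 30 keystrokes in any one-second window and the sample timestamps are constructed assumptions, not measured values.

```python
"""Flag keyboard input arriving faster than a human can type.

Added example, not from the original post. A keystroke-injection device
enumerates as an ordinary HID keyboard, so the signal is the burst rate,
not the device type. Timestamps are seconds and must be in ascending order.
"""
from collections import deque

# Assumed thresholds (constructed): no human sustains more than 30 keystrokes
# inside any sliding one-second window.
WINDOW_SECONDS = 1.0
MAX_KEYS_PER_WINDOW = 30


def find_bursts(timestamps, window=WINDOW_SECONDS, limit=MAX_KEYS_PER_WINDOW):
    """Return a list of (start, end) time spans during which more than `limit`
    keystrokes fell inside some sliding window of `window` seconds."""
    bursts = []
    recent = deque()          # timestamps inside the current window
    burst_start = burst_end = None
    for t in timestamps:
        recent.append(t)
        # Drop keystrokes that have aged out of the window.
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) > limit:
            if burst_start is None:
                burst_start = recent[0]   # first keystroke of the hot window
            burst_end = t
        elif burst_start is not None:
            bursts.append((burst_start, burst_end))
            burst_start = burst_end = None
    if burst_start is not None:
        bursts.append((burst_start, burst_end))
    return bursts


def is_suspicious(timestamps):
    """True if any over-threshold burst appears in the keystroke stream."""
    return bool(find_bursts(timestamps))


# Constructed sample: a human typing at ~5 keys/s, then 200 injected
# keystrokes at 1000 keys/s starting at t=5.0, then the human again.
HUMAN_BEFORE = [i * 0.2 for i in range(15)]
INJECTED = [5.0 + i * 0.001 for i in range(200)]
HUMAN_AFTER = [8.0 + i * 0.25 for i in range(8)]
SAMPLE_TIMESTAMPS = HUMAN_BEFORE + INJECTED + HUMAN_AFTER

if __name__ == "__main__":
    for start, end in find_bursts(SAMPLE_TIMESTAMPS):
        print(f"burst from t={start:.3f}s to t={end:.3f}s")
```

The sliding window deliberately measures sustained rate rather than the gap between two keystrokes, since key rollover on a real keyboard can produce a few near-simultaneous events without anyone scripting anything.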
Anyway, I attended some talks. Here are four that I enjoyed especially:
Connecting Information via User Account Recovery and Filling in the Blanks. Noel Tautges, a high-school student, provided a wondrous example of how one can get private contact information on any modern internet user through a clever, multiple-pronged OSINT approach. Say that you want to get your target’s private phone number:
After poking around and collecting valid usernames for your target on a variety of social media and other internet services, initiate a password-reset request on all of them. Collect all the “obscured” email and phone-number templates each provides for two-factor authentication (e.g. “We’ll send a text to ***-***-**89, OK?”), and then combine them to get as much of that number revealed as you can.
Use what you know about your target’s geographical location, plus the published rules about how phone numbers are distributed in that area, to narrow down the possible space of unknown numbers. With luck, this can turn an unbounded list of a million numbers down to a thousand or so.
Prepare an “address book” containing a thousand or so of your close personal friends, who all have oddly similar phone numbers. Upload that mother to a social network that you yourself have an account on, along with your target. Wait and see which ones turn into valid accounts — and then which one has your target’s avatar attached to it.
And now you have your target’s phone number, and you didn’t do anything other than use some APIs designed to do your target a favor.
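The first step of that procedure works only because different services mask different digits of the same number. The following is an added example (mine, not from the talk) that quantifies the leak from a defender’s side: it merges a few masked displays of one number and counts how many candidates remain, then shows the mitigation, a masking function that always reveals the same fixed trailing digits so that no combination of displays narrows the space further. The sample masks, the 10-digit ###-###-#### format and the choice of two revealed digits are constructed assumptions.

```python
"""How partial phone-number masks combine, and how to mask consistently.

Added example, not from the original post or the talk it describes.
Assumes 10-digit numbers displayed as ###-###-#### (constructed).
"""
import re

DIGITS = 10


def normalize_mask(mask: str) -> str:
    """Keep only digits and '*' from a display string such as '***-***-**89'."""
    return re.sub(r"[^0-9*]", "", mask)


def combine_masks(masks):
    """Merge several masked views of the same number.

    Returns (known, conflicts): `known` is a 10-character string where '*'
    still marks an unknown digit; `conflicts` lists positions where two
    masks disagreed (a sign the masks were not all of the same number).
    """
    known = ["*"] * DIGITS
    conflicts = []
    for mask in masks:
        s = normalize_mask(mask)
        if len(s) != DIGITS:
            raise ValueError(f"unexpected mask length: {mask!r}")
        for i, ch in enumerate(s):
            if ch == "*":
                continue
            if known[i] == "*":
                known[i] = ch
            elif known[i] != ch:
                conflicts.append(i)
    return "".join(known), conflicts


def candidate_space(known: str) -> int:
    """Number of phone numbers still consistent with a (merged) mask."""
    return 10 ** known.count("*")


def mask_phone(number: str, reveal_last: int = 2) -> str:
    """Defensive masking: reveal the same trailing digits in every flow and on
    every surface, so two displays never add up to more than one does."""
    digits = re.sub(r"\D", "", number)
    if len(digits) != DIGITS:
        raise ValueError("expected a 10-digit number")
    s = "*" * (DIGITS - reveal_last) + digits[-reveal_last:]
    return f"{s[:3]}-{s[3:6]}-{s[6:]}"


# Constructed sample: three services showing the same number three ways.
SAMPLE_MASKS = ["***-***-**89", "401-***-****", "***-55*-*789"]

if __name__ == "__main__":
    merged, conflicts = combine_masks(SAMPLE_MASKS)
    print(f"merged view: {merged}, candidates left: {candidate_space(merged)}")
    print("consistent mask:", mask_phone("401-555-0189"))
```

Run as-is, the three inconsistent masks collapse a hundred-million-number space to a hundred candidates before any geographic reasoning is applied; the consistent `mask_phone` output stays at `***-***-**89` no matter how many times it is requested.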
Understanding the Web to Achieve Your OSINT Goals. A more novice-friendly and less ethically murky complement to Noel’s talk, this presentation by Micah Hoffman laid out an excellent overview of tools and techniques available to anyone curious about sniffing around the edges of a company’s online presence, looking underneath the veneer of rendered web pages to find all the other interesting less-public tidbits a typical public website leaves scattered around.
Micah, who founded the OSINTCurio.us project, didn’t describe any concept that I wasn’t already well-acquainted with as an autodidact web developer of 20 years: viewing page source, for example, or poking at JSON APIs. But I loved seeing them presented in the context of snoopy OSINT research tools instead of hammers to try swinging around when the damn web application stops working again.
View the page’s source code and look for commented-out code or links. Do they still work if you try manually visiting them? Try to bring up a website’s robots.txt file: can we visit those addresses by hand? Why doesn’t the website want web crawlers to index those pages? Any interesting inferences we can make from that? (In one amusing case, Micah showed one service’s live robots.txt that forbade the indexing of one particular user, whose page remained browsable to manual requests. Therein lay a tale!)
I can’t escape thinking that this talk, or some version of it, would be especially appropriate for kids! Children in particular should learn that the web is not only not magical, it’s not even television; they can look under the surface and see how it works, using tools they already own. They can explore the edges, look for seams, experiment, and — maybe — get inspired.
Everything Old is New Again. Presented by Snow, one of several infiltration experts present at Layer 8 with an affinity for both storytelling and going in public by a cinematic hackerly nom de guerre. Snow identifies herself on her Twitter profile as a “ConWoman”, and this talk drew on this identity, illustrating the direct lines of heritage between pre-digital confidence-scams and their modern descendants. We see the pigeon drop reborn as the Nigerian-perfected 419 attack today. Enterprising folks still practice one of the oldest con games in recorded history, pig in a poke, except with bogus Bitcoins rather than bricks sewn into a sack.
Snow acknowledged that an ever-popular target for trust-scams, then and now, is the elderly. The digital era has made some scams far more effective on their targets, especially older folks; one example is “the grandchild who wasn’t”, where a “long-lost relative” contacts a kindly oldster, seeming to know quite a lot about the family (there’s that OSINT again), and immediately leans on this happy new connection for a little financial help. Snow advises setting up, with one’s older relations, a technique that I wrote down as “Human 2FA”: have your honored elders agree to check in with you before forging new digital relationships with anyone who might come knocking.
Petitioners during the talk’s Q&A seemed more interested in Snow’s own experiences as professional trickster and infiltrator; I got the impression that she holds some celebrity status in the community, and she seemed happy to tell a few war stories. And this led quite neatly into the next talk I attended.
Transitive Trust. Tinker unspooled an amazing, energetic, and thoroughly entertaining monologue based on a “red-team” exploit he had related that same day in a long Twitter thread. Re-reading that thread now, I must admit, the story as a whole smells a bit fishy — especially given how Tinker overtly introduced himself to the room as a professional liar! However, I find every individual piece of the story quite believable, even if the whole thing doesn’t seem to hang together quite right, and it presented a clear and entirely credible take-home message about how trust is softest at the seams.
Tinker’s tale follows him as he makes his way from his target’s parking lot and, through a series of quantum trust-jumps, into its server room, rubber ducky at the ready. He begins with no infiltration tools other than a couple of changes of clothes in his car. He wears the aspect of a construction manager to breeze past door-security, and then fishes around the hallways to gain the trust of a random office-dweller. Here he presents himself as a “sprinkler inspector” as a ruse to be shown around the building, openly taking pictures of its infrastructure (and its whiteboards, with everything written on them).
People want to follow the rules, and a successful social engineer will help their human obstacles in finding the shortest path to getting those rules followed — which, invariably, also allows the engineer to continue their work. In Tinker’s story, when a supervisor does confront him for snooping around in a secure area with no badge, he manipulates the situation to move his challenger from “You have no badge, and I’m going to eject you” to “You have no badge, so I’ll help you get a badge.” That puts everything in a state of rules-compliance that satisfies everyone, and is so much easier to accomplish for a building supervisor on a late Friday afternoon than forcing someone to leave the premises.
The talk’s title refers, specifically, to how an infiltrator’s earned trust sticks to them, and can snowball: If Alice trusts Bob (perhaps because she is his boss), and I earn Bob’s trust, then that makes it easier for me to have Alice trust me too — and now I can go everywhere Alice chooses to let me. In the end, the supervisor left Tinker with another authority able to print out badges, but neglected to say why he needed one. Tinker pounced on this oversight and identified himself as an IT contractor, here to “upgrade the servers”. And that was the end of that. As he summarized on Twitter, no single person that he interacted with failed at their job. Everyone diligently followed all the rules that applied to them. The failure lay in the false assumptions inherent in the handoff between each authority.
This talk ended with a flourish unlike anything I’d seen at a conference before. Instead of having a Q&A, Tinker invited Snow to approach the lectern and tell a story from her own career that he assured us was relevant. While she spoke, he faded to one corner of the room, pulled off his white shirt to reveal a black one, peeled off his wig of graying and sensibly mid-length hair that I had given no conscious thought about, and left the room without another word. Snow spoke calmly through all this, then led a round of applause when the door shut — and then finished her story. I myself caught only part of his transformation, as if a gorilla had strolled through a basketball game. I noticed what I did only when people around me started gasping. So… that happened.
A few scattered final notes about Layer 8 Conference in particular:
There were lots of women, among both speakers and audience. So long as we remain in an era where a technical (or technically adjacent) conference attracts a greater-than-dismal proportion of female attendees, I’ll continue making note of it when it happens. I’m not familiar enough with the security industry to know the gender balance of its own population, but seeing the relatively high ratio of women sitting all around me during the morning welcome-address made me feel very good about attending Layer 8.
The “village” side-activities were varied and nice. Along with the ubiquitous hallway of swag-laden vendor tables, Layer 8 offered a number of “villages” in side rooms that ran day-long workshops and other activities, welcoming folks to drop in and out as desired. Mental Health Hackers had a presence, offering a room with low lighting, peaceful music, and free massages. Those with still-restless fingers could visit a rolling lockpicking workshop run by TOOOL, who piled tables high with padlocks and supplied expert advice for a bit of recreational tumbler-popping.
Finally, one all-day event invited people to form ad-hoc teams and use OSINT strategies to find leads on actual Rhode Island missing-persons cases. According to the conference’s closing remarks, one team did verifiably find a very recent social-media post — containing a single emoji, but enough to read as an “I’m alive” ping — from one weeks-missing teenager.
Too much candy. Trivial but real: Multiple vendor-tables enticed visitors by offering candy, ranging from M&Ms to fancy chocolate bars with company-branded wrappers. Zero of them had anything that wasn’t candy, and I would have been so thankful for a packet of peanuts or a granola bar or something with even a trace of protein content.
Will I attend Layer 8 next year? I honestly have no idea! I had a great time this year, and while I didn’t exactly emerge from the convention center with new life goals, I did get exposed to so much valuable new knowledge and perspective. My thanks to all its organizers and presenters for making it happen.
Recordings for many of this year’s Layer 8 talks are now on the conference’s YouTube channel. This article was also posted to the “Security” section of Indieweb.xyz.