For OpenDNS, the first week of August was fun but also busy. A group of us OpenDNS researchers and engineers headed to Las Vegas for BSides Las Vegas, Black Hat, and Defcon. We gave talks, attended sessions, met with prospects and customers, and caught up with infosec friends.
This blog post details some of the insights from those who attended.
Insights from Andrew Hess
At BSides Las Vegas, Andrew Hess gave a short presentation about an internal feature the OpenDNS engineering team has constructed, and how it enables the OpenDNS Security Labs team to work more efficiently. The project, called the Threat Intelligence Database (IntelDB), is a graph database system that captures and stores all security-related data for our entire organization. The IntelDB collects data from research and based on relationships between nodes in the IntelDB graph, supplies intelligent security decisions to our products, enabling it to serve as an authoritative source for data such as whitelisting and threat attribution. In addition, our researchers are able to leverage this data source to conduct research faster and with more confidence. The recorded session can be viewed below:
Insights from Dhia Mahjoub
Black Hat hosted many inspiring and technically engaging talks worth attending. In her keynote “The lifecycle of a revolution,” Jennifer Granick reflected on the driving principles of the past 20 years that shaped the Internet of today. Internet users aspired to a world not confined by age, race, gender or stifling laws. Furthermore, and based on the current trends, Granick painted a poignant picture of what the Internet would be in the next two decades. “The freedom to tinker” she argued is a fundamental right that we should dearly preserve. The video of the talk is available here.
Then, Joshua Saxe hosted a session titled “Why Security Data Science Matters and How Its Different: Pitfalls and Promises of Data Science Based Breach Detection and Threat Intelligence.” Saxe gave an edifying talk about the experience of his research team in applying machine learning and visualization in malware detection. He pointed out that applying ML in security presents different challenges and seeks different goals than in other fields like social media, speech or image recognition.
For example, in security:
– Data science models need to deal with the presence of an adversary where attackers are deliberately trying to evade detection systems.
– False positive rates should be lower than in other disciplines.
– There is a need for interpretability, in the sense that correct detection is only part of the story: the model should also provide context. Here presentation is often as important as model accuracy, because it determines whether people can actually use the results, hence the advantage of visualization.
– There is an absence or lower volume of accurately labeled data compared to other disciplines.
In threat detection, patterns are constantly changing and evolving since, as mentioned above, adversaries strive to keep their evasion rates high. This talk specifically struck a chord because it reinforced the ideas and principles that make up much of our daily routine at OpenDNS Security Labs.
Finally, Michael Ossmann gave an intriguing update on the tools built as part of the NSA Playset project in his session titled “The NSA Playset: A Year of Toys and Tools.” The project was started last year, inspired by the contents of the leaked NSA ANT catalog.
Insights from Andree Toonk
BGP was a hot topic this year at Black Hat. It’s great to see this is now on the radar of security practitioners worldwide. Andree attended two BGP briefings on Wednesday; both were good summaries of the current state of BGP security and of the potential for misuse, whether intentional or accidental.
On Thursday Andree presented OpenDNS’ BGPStream work with CTO Dan Hubbard. During the presentation OpenDNS officially released the bgpstream.com website and @bgpstream & @dnsstream Twitter feeds. The presentation was well attended and received lots of excellent questions from the audience about recent BGP incidents and RPKI.
Andree notes that it was great to work with a diverse team of developers at OpenDNS on the project. The goal for Andree and Dan was to develop a system that publishes a stream of BGP and DNS events via Twitter and to the BGPStream website. Andree especially enjoyed being able to combine different data sources such as DNS, BGP, Netflow, visualize them and allow users to re-play the event on the BGPStream website. The tweet below is an example of one of the recent large scale outages in Iraq.
Or this example, which highlights the hijack of one of the United States Marine Corps prefixes by a provider in Venezuela. We’re super excited to see the unique end result and we’ll continue our work on these tools to make them even more useful.
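To make the kind of event BGPStream publishes concrete, here is an added example (written for this post, not OpenDNS’ BGPStream code) of a minimal detector that compares a stream of BGP updates against a baseline of expected origin ASNs. It flags an origin change (a different AS announcing a known prefix), a more-specific announcement (a sub-prefix of a known block), and an outage (every collector peer withdrawing a known prefix). The baseline, ASNs, prefixes and updates are all constructed for the example; the two-peer corroboration rule is an assumed choice, not BGPStream’s logic.

```python
"""Added example: baseline-driven BGP origin-change / more-specific / outage detection.
Not OpenDNS BGPStream code. All prefixes, ASNs and updates are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed baseline of expected origin ASNs per prefix (documentation ranges).
BASELINE = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/22": 64501,
    "192.0.2.0/24": 64502,
}


@dataclass
class Update:
    kind: str        # "A" = announcement, "W" = withdrawal
    prefix: str
    as_path: tuple   # AS path as seen by the collector; origin AS is the last element
    peer: int        # collector peer AS that reported this update


def find_covering(prefix, baseline):
    """Return the most specific baseline prefix that covers `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p in baseline:
        cand = ipaddress.ip_network(p)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return str(best) if best else None


def classify(update, baseline):
    """Label one update: 'withdrawal', 'normal', 'origin_change' or 'more_specific'."""
    if update.kind == "W":
        return "withdrawal"
    origin = update.as_path[-1]
    if update.prefix in baseline:
        return "normal" if baseline[update.prefix] == origin else "origin_change"
    if find_covering(update.prefix, baseline) is not None:
        return "more_specific"   # sub-prefix of a known block announced by someone
    return "normal"              # unknown prefix: nothing to compare against


def detect_events(updates, baseline, min_peers=2):
    """Report suspicious (prefix, origin) pairs seen by at least `min_peers` peers,
    plus an outage when every peer has withdrawn a baseline prefix."""
    seen = {}        # (prefix, origin, label) -> set of peers
    withdrawn = {}   # prefix -> set of peers that withdrew it
    for u in updates:
        label = classify(u, baseline)
        if label == "withdrawal":
            withdrawn.setdefault(u.prefix, set()).add(u.peer)
        elif label in ("origin_change", "more_specific"):
            seen.setdefault((u.prefix, u.as_path[-1], label), set()).add(u.peer)
    events = []
    for (prefix, origin, label), peers in seen.items():
        if len(peers) >= min_peers:
            events.append({"type": label, "prefix": prefix,
                           "origin": origin, "peers": len(peers)})
    all_peers = {u.peer for u in updates}
    for prefix, peers in withdrawn.items():
        if prefix in baseline and peers == all_peers:
            events.append({"type": "outage", "prefix": prefix, "peers": len(peers)})
    return events


# Constructed update stream: one legitimate announcement, a hijack of
# 203.0.113.0/24 by AS64599 seen by two peers, a more-specific of the
# 198.51.100.0/22 block, and a full withdrawal of 192.0.2.0/24.
SAMPLE_UPDATES = [
    Update("A", "203.0.113.0/24", (64510, 64500), 64510),
    Update("A", "203.0.113.0/24", (64511, 64520, 64599), 64511),
    Update("A", "203.0.113.0/24", (64512, 64599), 64512),
    Update("A", "198.51.100.0/24", (64510, 64598), 64510),
    Update("A", "198.51.100.0/24", (64512, 64598), 64512),
    Update("W", "192.0.2.0/24", (), 64510),
    Update("W", "192.0.2.0/24", (), 64511),
    Update("W", "192.0.2.0/24", (), 64512),
]

if __name__ == "__main__":
    for event in detect_events(SAMPLE_UPDATES, BASELINE):
        print(event)
```

Requiring corroboration from several collector peers is what keeps a single misconfigured peer from generating an alert; in practice the baseline would come from RPKI/IRR data or a learned history of stable origins rather than a hand-written dictionary.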
Insights from Anthony Kasza
Anthony attended both Black Hat and Defcon and had the opportunity to attend several talks. “The Bieber Project,” a session by Mark Ryan Talabis, the Chief Security Scientist at zVelo, discussed the basics of the Internet’s advertising ecosystem and highlighted different methods of purchasing fraudulent traffic. Fraudsters are often able to profit from the spread between the revenue from displaying impressions (ads) on a site and the cost of purchasing traffic sources for those impressions. He also discussed differences in traffic quality and the heuristics used to distinguish fraudulent (bot) from real (human) traffic sources.
Talabis highlighted a very interesting Chinese traffic generator named JingLing. Similar to peer-to-peer file sharing, JingLing operates as an opt-in distributed traffic exchange. A user enters a page they would like to send traffic to and the URL is distributed to other JingLing users, who then generate traffic toward that URL. JingLing then receives sites from other JingLing users and visits those sites. What’s interesting is the way the traffic is generated. JingLing traffic looks very similar to the default browser installed on the end user’s system. This makes it much more difficult for ad exchanges to detect the fraudulent traffic. For example, techniques like checking to see if the browser has plugins installed cease being effective.
Insights from Kevin Bottomley
Of the talks and villages Kevin attended, the one that really drew his attention was on Friday, simply dubbed “Hacking the Tesla Model S,” presented by Marc Rogers and Kevin Mahaffey. As the name implies, the researchers dissected the inner workings of a $100,000 automobile to show that compromise was possible, even on an automobile system that had been designed with security at the forefront. One of the major differences between hacking the Model S and a previously publicized automobile hack was that the researchers needed physical access to exploit the system.
The pair spent the better part of the talk explaining the issues they ran into along the way, and how in the end they basically used tape and an Ethernet cable to get access to the internal workings of the system, as Tesla had already applied several patches to known vulnerabilities, including to the Qt WebKit browser. The researchers were able to spoof a connection to a Tesla service center, which the car automatically connects to when in range, and, by doing this, were able to control the starting and stopping of the vehicle, door locks, and the entertainment system. While this may not have been an all-in-one takeover of the vehicle, it does show that even vehicles with a security-first approach are still susceptible to compromise.
Insights from Thibault Reuille
From the large quantity of talks at Defcon 23 this year, a couple of talks really caught Thibault’s attention, most notably for their originality and quality of the content.
The first one was “How to Hack a Tesla Model S” presented by Marc Rogers (CloudFlare) and Kevin Mahaffey (Lookout, Inc.). The two unveiled many aspects of the car telemetry system and exposed a few ways to hack it. This presentation was truly interesting in that it raised critical security concerns as the new generation of highly connected cars emerges in the IoT landscape.
Thibault also attended a talk titled “Detecting Randomly Generated Strings; A Language Based Approach” by Mahdi Namazifar of the Talos Team at Cisco Systems. Obviously, DGA domain analysis is important at OpenDNS, and the comparison of different approaches to the same problem is truly interesting.
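As an added illustration of the language-based idea behind that talk (this is example code written for this post, not the Talos method presented and not OpenDNS’ DGA tooling), the following trains a character-bigram model on a constructed list of benign-looking domain labels and scores new labels by their mean log-probability per character transition. Labels whose transitions are rare in natural language score low and are flagged as likely random. The training list, the smoothing weight and the threshold rule (lowest training score minus a margin) are all assumptions made for the example.

```python
"""Added example: character-bigram language model for spotting randomly
generated domain labels. Not the Talos/Cisco method, not OpenDNS code.
Training labels, smoothing weight and threshold rule are constructed."""
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
START, END = "^", "$"
ALPHA = 0.1  # additive smoothing weight (constructed choice)

# Constructed training set of benign-looking labels. A real deployment would
# train on a large list of known-good labels or a natural-language corpus.
TRAIN_LABELS = [
    "the", "that", "this", "then", "there", "other", "with", "from", "their",
    "network", "internet", "security", "service", "server", "mail", "shop",
    "store", "online", "cloud", "domain", "example", "research", "labs",
    "support", "account", "login", "news", "blog", "static", "images",
    "update", "download", "secure", "portal", "mobile", "video", "music",
]


def normalize(label):
    """Lower-case and drop anything outside the label alphabet."""
    return "".join(ch for ch in label.lower() if ch in ALPHABET)


def transitions(label):
    """Character pairs including start/end markers, e.g. 'the' -> ^t th he e$."""
    chars = [START] + list(normalize(label)) + [END]
    return list(zip(chars, chars[1:]))


class BigramModel:
    def __init__(self, labels):
        self.pair = Counter()   # (a, b) -> count of b following a
        self.first = Counter()  # a -> count of a as the left side of a pair
        for lab in labels:
            for a, b in transitions(lab):
                self.pair[(a, b)] += 1
                self.first[a] += 1
        self.vocab = len(ALPHABET) + 1  # possible next characters incl. END

    def log_prob(self, a, b):
        """Smoothed log P(b | a); unseen pairs get a small but non-zero mass."""
        num = self.pair[(a, b)] + ALPHA
        den = self.first[a] + ALPHA * self.vocab
        return math.log(num / den)

    def score(self, label):
        """Mean log-probability per transition; higher means more language-like."""
        trans = transitions(label)
        return sum(self.log_prob(a, b) for a, b in trans) / len(trans)


def build_detector(train_labels, margin=0.5):
    """Return (model, threshold). Threshold = lowest training score minus a
    margin, so no training label is flagged (constructed rule)."""
    model = BigramModel(train_labels)
    threshold = min(model.score(lab) for lab in train_labels) - margin
    return model, threshold


def is_random(label, model, threshold):
    return model.score(label) < threshold


def demo():
    """Score a mix of constructed benign and random-looking labels."""
    model, thr = build_detector(TRAIN_LABELS)
    samples = ["update", "network", "mail", "xqzjvkwptzbf", "hg7kd0q2ws9x"]
    return {s: (round(model.score(s), 2), is_random(s, model, thr)) for s in samples}


if __name__ == "__main__":
    for label, (score, flagged) in demo().items():
        print(f"{label:15s} score={score:6.2f} random={flagged}")
```

Two design points matter more than the model size: the start and end markers let the model penalise labels that begin or end with characters real words rarely do, and the score is averaged per transition so that long and short labels are comparable. With a toy training list the threshold is only meaningful relative to that list; a production detector would be trained on millions of labels and would report a score for analysts rather than a hard yes/no.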
Finally, Thibault enjoyed the Q&A session with Bruce Schneier. It was a high-level view of the modern security world and the one we are going to experience tomorrow. As usual, Schneier delivered insights and answered questions brilliantly, on topics ranging from biometric passports to voting machines, and from privacy protection to core elements of state-of-the-art cryptography. It was a truly eye-opening and lively session.
Insights from Andrew Hay
The team wrapped up a successful week at Black Hat 2015 where we had a huge number of security professionals stop by our booth, talk with our team, and learn about our products and research. Many visitors also snagged one of our fantastic, limited edition GameOver Zeus T-shirts.
A new addition this year, our VIP limo drove more than 250 people between the airport and the venue. If you were lucky enough to fly in at 8am on Wednesday, you probably had the chance to talk to Andrew Hay and OpenDNS Social Manager, Kara Drapala. The limo gave Kara and Andrew a great opportunity for conversations with other security professionals, including suggestions on which sessions to look forward to — and perhaps more importantly, what parties to attend.
As is typical of security conferences, there was no shortage of vendor sponsored events to attend. Andrew split his time between OpenDNS held events, such as the OpenDNS customer dinner — his only sit down dinner of the week — and other events like the Talos Researcher Party, which was a wonderful chance for the OpenDNS Security Labs team to casually chat with some soon-to-be peers on the Cisco side. A few people from the team also attended the Urbane Security party and the Nike party on the Wednesday night — with one being small, intimate, low key, and related to security… and the other being the Nike party.
On a related note, Andrew quickly learned that he is not young anymore.
Another Las Vegas Security Summer Camp completed. Next year OpenDNS will be part of the Cisco family so the traffic to the booth, scheduled meetings, and organized formal events will grow exponentially. We can’t help but smile when we think about the types of talks that we can submit to all three conferences next year with our new research peers.
Expect great things!