Earlier in February, a few of us from Security Research at Cisco Umbrella and Sarah Brown (from Security Links, based in Delft, The Netherlands) headed to Oakland for the 2nd annual Enigma Security Conference (Jan 30-Feb 1). Enigma is a 3-day conference that focuses on threats and defenses in the growing intersection of society and technology. There were a great number of fascinating talks and opportunities to network with the security community. We also gave a talk on “Behaviors and Patterns of Bulletproof and Anonymous Hosting Providers”: research that Dhia Mahjoub and Sarah Brown had been working on for several months.


Here are some insights from those who attended.


Overall, I found Enigma to incorporate an excellent blend of technical and high-level presentations with ample time for Q&A sessions and a healthy dose of intermissions to socialize with colleagues. Enigma’s reputation for providing a premier level of quality talks was exemplified through its various speakers, who are experts and leaders in the public sector, academia, and industry, including our own Dhia Mahjoub.

One of the most compelling presentations was Matt Jones’ session on reducing spam in WhatsApp while implementing e2e messaging encryption for 1 billion users – this illustrated the immense power of user metadata in tracking and blocking abusers of the platform. Content is important – no arguments there – but metadata serves as a ripe treasure trove for researchers to sculpt algorithms aimed to block spam and/or malicious content.

Another interesting, albeit frightening, presentation was Yongdae Kim’s hacking sensors session where he demonstrated that spoofing, disrupting, and blocking sensor data was relatively easy. A basic understanding of a device’s internal components, coupled with a simple over-the-counter piece of hardware such as an infrared laser or speaker, can empower a nefarious person to cause serious damage to institutions and other individuals. The most interesting segment of Kim’s presentation occurred when he used an external speaker plugged into his laptop to disrupt a drone’s gyroscope and caused it to crash in the auditorium – theatrical, but point taken.


One of Sarah’s favorite aspects of Enigma is the requirement for all speakers to work with their session chair and colleagues in the session to give three practice talks in advance of the conference. The emphasis on speaker training comes from the TEDx conference approach, where speaker coaches are provided to all presenters, to ensure succinct, high quality talks and accessibility to the audience. This requirement had clear benefits during the event. The conference contained one excellent talk after another, with a clear desire from the speakers to connect with their audience.

Highlights included:

  •      Susan Mernit (Hack-the-Hood) on cyber security and IT education for underprivileged San Francisco youth. http://www.hackthehood.org/
  •      Yongdae Kim (Professor, Korea Advanced Institute of Science and Technology (KAIST) on IoT sensor attacks
  •      Hudson Thrift (Uber) on engaging with early stage startups to bring new product features, and cause slight roadmap pivots, to address Uber’s security needs
  •     Tom Lowenthal (Committee to Protect Journalists) work to support journalists across the world.
  •      Daniela Oliveira (University of Florida) on the susceptibility of older adults to spear-fishing emails.
  •      Nathaniel Gleicher (Illumio) on methods used by the US secret service to physically protect their key asset (the president) in their service environment (public places where the president speaks).
  •      Matt Jones (WhatsApp) on preventing spam without access to message content
  •      Damian Menscher (Google) on metrics and recovery against DDoS attacks at Google.
  •      Ian Levy (UK NCSC) on the UK’s new central organization for all things cyber security in the UK.


Our talk at Enigma was about bulletproof hosting patterns in the Netherlands and it showcased the joint research between Dhia and Sarah.

The premise of the talk was that there are legit needs for hosting providers as they offer outsourced IT services to ordinary businesses, but for all the legitimate uses, abuse of hosting providers is widespread. This abuse is significant, despite efforts from registrars, LE, and researchers to combat the problem. The challenge is similar to ideas like: criminals abuse encryption, but we cannot get rid of encryption. How do we manage it?

We approached our research from both a technical perspective and a field intelligence perspective, using large scale network data mining, OSINT research, and on the ground HUMINT investigative work. We came away with investigative analysis to understand how these hosting providers operate and what can be done to fight against them more effectively.

As a use case, we focused on the Dutch IP space and its use/abuse for bulletproof hosting and anonymous offshore hosting. The Netherlands is a great use case from a technical and cultural perspective because:

  •      NL is one of the top internet transit and hosting countries with an advanced infrastructure and the presence of major internet exchange points for the European and global internet.
  •      NL IP space has been abused for distributing malware, sending spam as well as hosting of phishing sites, illegal hacker forums, stolen credentials dump shops and other toxic content.
  •      NL places a high value for privacy, tech/IT
  •      NL places a high value on entrepreneurs/small businesses

The talk combined the long-standing technical experience we have at Cisco Umbrella in investigating bulletproof hosting [1] [2] [3] [4] [5] [6] with interviews we conducted with local law enforcement, lawyers and subject matter experts. We supplemented that with OSINT research using social networks, government records, and open web information. As a result, we were able to provide a technical overview of detection methods of bulletproof hosting, identified patterns and behaviors as well as a synthesis of the legal climate, processes for reporting abuse and take downs and we concluded with some promising perspectives for the future.



The videos and decks for all the talks have been posted and can be found here: https://www.usenix.org/conference/enigma2017/conference-program

This post is categorized in: