Wednesday, August 5, 2015

BHUSA15: Gameover Zeus: Badguys and Backends

Speakers: Elliott Peterson is a Special Agent with the FBI in the Pittsburgh Field Office. Michael Sandee is a key member in the Fox-IT financial malware intelligence unit. Tillmann Werner is the Director of Technical Analysis at CrowdStrike Intelligence.

Gameover Zeus was a botnet, run by an organized crime gang, that went after backend banking systems, very successfully. It was designed to be as hard as possible for the good guys to subvert.

The speakers estimate that losses ranged from $10,000 to $6,900,000 per attack. The criminals knew international banking law, leveraged international wires, and used DDoS attacks against the banks to distract them and keep victims from identifying the fraud.

DirtJumper command and control was being used for the DDoS attacks.

In one case the victim saw the $6.9 million loss and informed the bank, but the bank could not find it; it took a long time to locate because of the DDoS. The FBI was eventually able to track down who was receiving the funds in Switzerland and put a stop to it. Now the feds can prevent the transactions and even get the money back in the end.

The first Zeus came out in 2005 as a crimeware kit. The primary developer "abandoned" the project in 2011 and turned it into a private project.

The JabberZeus crew was using the kit malware, then moved to Zeus 2.1.0.x, which added a domain generation algorithm, regular expression support and a file infector. Then, in September, it was upgraded to Mapp 13, which includes peer-to-peer plus traditional communications via gameover2.php. The focus was on corporate banking, and the bots would often drop additional malware (like CryptoLocker).

The attack group seemed to have 5 years' experience, some as many as 10, mainly from Russia and Ukraine, with two leaders. It included support staff and about 20 affiliates.

They had "bulletproof" hosting: exclusive servers together, virtual IP addresses, a new address within 2 business days, very expensive! Additionally, proxies all over the place, for example in front of the peer-to-peer network.

The network was protected with a private RSA key: only messages signed with the operators' key were accepted by the bots.

The FBI and its private-sector partners had to watch for traffic patterns and for cookie theft or removal. For example, the malware could delete your existing session cookie to force you to log in again so it could capture your password. Once the criminals had what they wanted, they would block (locally, on the infected machine) access to the bank's website.

This wasn't just financial; it was also political. There was espionage targeting intelligence agencies, looking for material on the Crimea and Syria conflicts, specifically top secret documents or agent names.


Why take control of the botnet rather than just block it? Because if the operators detected the feds' presence, the command engine could shut down and destroy the rest of the botnet.

The botnet uses a basic p2p layer. Every infected machine stores a list of neighbor nodes that is updated often, and peers talk directly to each other, even getting weekly binary updates this way!

There were proxy nodes, announced by special messages, that route C2 communication (stolen data, commands). Many nodes in the cluster are not publicly accessible, so the proxy nodes encapsulate traffic in HTTP so the operators can keep communicating with infected machines behind a firewall.

The bots were also configured NOT to accept unsolicited responses: a response must match an outstanding request, so the feds (and friends) could not simply use a poisoning attack.

Goal: isolate the bots and prevent normal operation by turning the p2p network into a centralized network with the good guys at the controls (a sinkhole).

The good guys had to attack the proxy layer with a poisoning attack. Peers maintain a sorted list of up to 20 proxies and regularly check whether each one is still active. The takedown had to poison that list and then make sure none of the other proxies replied any more. They needed to work with ISPs to get access to some active proxies.

They needed to take over the command and control node first, since that's where the commands came from. Once they were in, they killed the old centralized servers (one in Canada and the other in Ukraine), took the opportunity to completely rewire the peer graph, and essentially took down the botnet.
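To make the "must match a request" rule concrete, here is a toy model of the behaviour described above. It is an added example written for these notes, not code from the talk or from the malware; the message shapes, the nonce scheme and the names (Bot, blind_poison, poison_via_controlled_peer, "sinkhole.example") are all invented for illustration. It shows why a blindly injected proxy list is dropped, and why the takedown needed a peer the bots actually query.

```python
"""Toy model (constructed for this post, not from the talk or the malware) of
a bot that only accepts responses matching a request it sent. Every message
format and name here is invented for illustration."""
import os
from dataclasses import dataclass, field

MAX_PROXIES = 20   # per the talk: peers keep a sorted list of up to 20 proxies


@dataclass
class Bot:
    proxies: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # nonce -> peer we asked

    def send_request(self, peer: str) -> bytes:
        """Ask `peer` for its proxy list and remember the nonce we used."""
        nonce = os.urandom(8)
        self.pending[nonce] = peer
        return nonce

    def on_response(self, sender: str, nonce: bytes, proxies: list) -> bool:
        """Merge `proxies` only if (sender, nonce) matches a request we made.
        Returns True when the list was accepted, False when it was dropped."""
        if self.pending.get(nonce) != sender:
            return False                      # unsolicited or spoofed: dropped
        del self.pending[nonce]
        merged = sorted(set(self.proxies) | set(proxies))
        self.proxies = merged[:MAX_PROXIES]   # keep the sorted, bounded list
        return True


def blind_poison(bot: Bot, attacker: str) -> bool:
    """Attacker pushes a proxy list the bot never asked for: rejected."""
    return bot.on_response(attacker, os.urandom(8), ["sinkhole.example"])


def poison_via_controlled_peer(bot: Bot, peer: str) -> bool:
    """Attacker controls `peer` (think: an active proxy reached through an
    ISP), so it sees the nonce of the bot's genuine request and can answer."""
    nonce = bot.send_request(peer)
    return bot.on_response(peer, nonce, ["sinkhole.example"])


if __name__ == "__main__":
    bot = Bot(proxies=["proxy-a", "proxy-b"])
    print("blind poisoning accepted:", blind_poison(bot, "attacker"))
    print("via controlled peer accepted:", poison_via_controlled_peer(bot, "proxy-a"))
    print("proxy list now:", bot.proxies)
```

The request/response matching is what forces a takedown to own a node that is already in the bots' query path rather than just spraying forged peer lists from the outside.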

They also needed to watch the emails exchanged within the "Business Club". Helpfully, the "Business Club" kept ledgers!

The FBI needed to look at the seams to find out who these people were. For example, Bogachev used the same VPN servers to log into his personal, identifiable accounts as he used to control the botnet.

They are still looking for him. The FBI is offering $3 million for information leading to the capture of Bogachev (they showed us pictures of the guy; he likes his fancy boats).

Let me know if you get a piece of that bounty!




BHUSA15: Executive Women's Forum

Alta Associates hosted Black Hat's Executive Women's Forum! The discussion was led by none other than Joyce Brocaglia, CEO of Alta Associates and Founder of EWF.  This was a great opportunity to network with other women working in security and hear more about the programs of EWF (and lunch was good, too!)

EWF focuses on women making decisions in security and privacy, hosting an annual conference where women can spend time with other women working in security. Women who have attended past conferences note how awesome it is to be surrounded by so many intelligent and security-focused ladies. It's very inspiring to hear the success stories, see how they got there, and learn about their road blocks.

In addition to the major EWF conferences (this year's is October 20-22, 2015 in Scottsdale, AZ), they do local events as well.

This year's conference theme is Big Data, Big Risks, Big Opportunities, with talks on negotiating, opportunities and innovation in healthcare big data, data sovereignty, global cybersecurity policy and government control, and the voice privacy conundrum. It also includes a themed dance party!

EWF provides mentors to help junior and middle managers get to the next step, since an inspirational conference is good for getting things started but not for maintaining progress. They've got a program called The Leadership Journey. It's a year-long program, covering things like establishing your leadership vision, optimizing emotional and social intelligence, managing stress and cultivating resilience, and work/life integration (because there is no balance).

The soft skills are actually the hard skills - lots of people are good at coding, but not any good at the truly hard stuff - the "soft skills".

This was followed by a fun Q&A with Theodora Titonis, Vice President of Mobile at Veracode.


Recommended reading: The Confidence Code.


 

BHUSA15: Understanding and Managing Entropy Usage

Bruce Potter is a director at KEYW Corporation and was previously the Chief Technologist and cofounder of Ponte Technologies. Sasha Wood is a Senior Software Engineer at KEYW Corporation, with ten years' experience in developing and assessing software systems, and researching classical and quantum computational complexity.

Their research was funded by Whitewood Encryption Systems, with help from great interns.

Their goal was to get a better understanding of how entropy is generated and consumed in the enterprise. There have been rants from Linus, but nobody seemed to be looking at the actual source code. They wanted to determine rates of entropy production on various systems, rates of entropy consumption for common operations, and the correlation between entropy demand and the supply of random data. The theme: "No one really understands what's happening with entropy and random number generation."

What uses more entropy: generating a 512-bit RSA key or a 1024-bit one? They both use the same amount! Surprisingly, running /bin/ls uses more entropy from the kernel than setting up a TLS connection!

How do we distinguish entropy from random numbers? It's a bit of a state of mind; there are several ways to think about it. Entropy is the uncertainty of an outcome. Randomness is about the quality of that uncertainty, judged from a historical perspective.

Full entropy is 100% random. There are tests that measure entropy, but randomness either is or is not. Entropy has a quantity and randomness has a quality. Think about a simple coin flip: a regular person flipping a coin will produce random output, but someone like the magicians Penn & Teller can control their flip, and then the outcome is NOT random.

As long as we have great cryptographic primitives, the RNG will be excellent. In theory.

This is actually really hard to judge without analyzing the source code and doing actual testing. Documentation does not match what's actually in the source (a common problem). This testing was done on Linux (note: I missed the version number).

On Linux, there are two PRNGs, one feeding /dev/random and one feeding /dev/urandom, but both draw from the same input entropy pool.

Entropy sources: time/date (very low entropy), disk I/O, interrupts, and other software events.

There are hardware RNGs, like the one in Intel's Ivy Bridge, which uses thermal noise. There's the Entropy Key (a USB generator based on shot noise). Some places even use lava lamps! (Seriously.)

Linux maintains an entropy pool; data goes in and is then fed out to the PRNGs. The pool has a maximum size, but if you don't have hardware feeding it, it will never fill up.

Linux will tell you how much entropy it estimates is in the pool (it is exposed as /proc/sys/kernel/random/entropy_avail). But beware: don't poll it from a shell script! Every process you spawn invokes ASLR, etc., which consumes entropy from the pool and skews the measurement.

The /dev/random and /dev/urandom output pools are generally close to zero. Entropy is fed in from the main pool when necessary.

Unloaded VMs generate only 2 bits of entropy per second. Bare metal is a bit faster. The more loaded the machine is, the more entropy you'll get.

For example, if you ping the machine every 0.001 s, it generates entropy at 13.92 bits/s, compared to 2.4 bits/s on an unloaded system.
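If you want to reproduce these measurements yourself without tripping over the caveat above, sample entropy_avail from a single long-lived process rather than from a shell loop, so the measurement does not fork once per sample. The sampler below is an added example written for these notes, not the speakers' tooling; the function names (read_entropy, measure, spawn_ls) are mine, and the `reader` parameter exists so the logic can be exercised without a live /proc. One caveat the talk predates: on Linux 5.18 and later, entropy_avail reports a constant 256 once the pool is initialized, so the numbers are only meaningful on older kernels.

```python
"""Sample the kernel's entropy estimate around an operation from ONE process,
so the measurement itself does not spawn anything (each fork/exec consumes
entropy for ASLR and friends). Added example for this post, not the speakers'
code. On kernels 5.18+ entropy_avail is a constant 256 after init."""
import subprocess
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def read_entropy(path: str = ENTROPY_AVAIL) -> int:
    """Return the kernel's current entropy estimate in bits."""
    with open(path) as f:
        return int(f.read().strip())


def measure(op, reader=read_entropy, settle: float = 0.05) -> dict:
    """Run `op` (a callable) and report the estimate before, immediately
    after, and `settle` seconds later. `delta` is negative when `op` drained
    the pool, positive when interrupts refilled it during the call.
    `reader` is injectable so the logic can be tested without /proc."""
    before = reader()
    op()
    after = reader()
    time.sleep(settle)
    later = reader()
    return {"before": before, "after": after, "later": later,
            "delta": after - before}


def spawn_ls() -> None:
    """The talk's example: a single process spawn."""
    subprocess.run(["/bin/ls", "/"], stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL, check=False)


def read_urandom(nbytes: int = 32) -> None:
    """For comparison: a userspace read from the nonblocking pool."""
    with open("/dev/urandom", "rb") as f:
        f.read(nbytes)


if __name__ == "__main__":
    # Each measurement stays inside this one process; only spawn_ls forks.
    for name, op in (("/bin/ls", spawn_ls), ("urandom 32B", read_urandom)):
        print(f"{name:12s}", measure(op))
```

Run it a few times in a row on an idle machine; the spread between runs is itself a reminder of how noisy the kernel's estimate is (the talk notes the process-spawn cost "is not consistent").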

RDRAND is normally unavailable in a VM. However, even on bare metal, the kernel's entropy estimate was not helped by RDRAND. It turns out that, due to recent concerns about RDRAND, the kernel will mix RDRAND output into the pool but does NOT credit it toward the entropy estimate... on purpose.

VMs do get starved of entropy, but even bare metal systems aren't great.

Android devices did better than Linux boxes observed.

Oddly, the accelerometer on Androids is *not* used to feed the entropy pool, although it would be a good source of entropy.

/dev/random provides output at roughly 1:1 bits of entropy to bits of random number; reading it depletes the kernel's entropy estimate, and it will block if the pool is depleted.

/dev/urandom works differently: if you ask for 64 bits, it tries to pull 128 from the input pool and reduces the estimate by 128 bits, but it will not draw down the input pool at all if the pool holds less than 192 bits. Each read produces a hash which is immediately fed back into the pool.

get_random_bytes() is just the in-kernel interface to the same nonblocking pool that backs /dev/urandom.

Here are some things that are not random: C's rand() (a linear congruential generator): if you know two consecutive outputs, you know ALL the outputs.

Python's random.py implements a Mersenne Twister. Better than rand(), but still not suitable for crypto: 624 consecutive 32-bit outputs (the size of its internal state) are enough to reconstruct the generator and predict everything it produces afterwards. So, better, but not great.
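Here is what "not suitable for crypto" means in practice for the Mersenne Twister. This is an added example written for these notes, not the researchers' code: it inverts MT19937's output tempering to recover the 624-word state from 624 observed outputs of Python's random.getrandbits(32), loads that state into a fresh generator with random.setstate(), and predicts the victim's next outputs. Only the standard library is used; the helper names (untemper, clone_from_outputs, demo) are mine.

```python
"""Recover the internal state of Python's random (MT19937) from 624
consecutive 32-bit outputs and predict the next ones. Added example for this
post, not the researchers' code. Standard library only."""
import random

MASK32 = 0xFFFFFFFF


def _undo_xor_rshift(y: int, shift: int) -> int:
    # Invert y = x ^ (x >> shift). Each pass recovers `shift` more high bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_xor_lshift_and(y: int, shift: int, mask: int) -> int:
    # Invert y = x ^ ((x << shift) & mask). Each pass recovers `shift` low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = (y ^ ((x << shift) & mask)) & MASK32
    return x


def untemper(y: int) -> int:
    """Undo MT19937's output tempering (applied in reverse order) to get the
    raw state word that produced `y`."""
    y = _undo_xor_rshift(y, 18)
    y = _undo_xor_lshift_and(y, 15, 0xEFC60000)
    y = _undo_xor_lshift_and(y, 7, 0x9D2C5680)
    y = _undo_xor_rshift(y, 11)
    return y


def clone_from_outputs(outputs: list) -> random.Random:
    """Build a generator whose future matches the one that produced `outputs`
    (exactly 624 consecutive values from getrandbits(32))."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = [untemper(o) for o in outputs]
    clone = random.Random()
    # Index 624 means "state fully consumed: twist before the next output",
    # which is exactly where the victim is after emitting 624 words.
    clone.setstate((3, tuple(state) + (624,), None))
    return clone


def demo(seed: int = 0xC0FFEE, predict: int = 5) -> bool:
    """Observe 624 outputs of a victim generator, clone it, and check that
    the clone predicts the victim's next `predict` outputs."""
    victim = random.Random(seed)              # the "secret" seed is never used
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    return all(clone.getrandbits(32) == victim.getrandbits(32)
               for _ in range(predict))


if __name__ == "__main__":
    print("clone predicts victim:", demo())
```

Note that the attack needs no knowledge of the seed at all; the outputs are the state. A 32-bit seed would in any case be brute-forceable, but even a 19937-bit seed does not help when the generator leaks its state one word at a time. The secrets module (or os.urandom) is the right tool whenever the numbers must be unpredictable.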

When Linux spawns a process, ASLR, KCMP and other parts of fork/copy_process() consume up to 256 bits of entropy each time you start a process.

This is not consistent, though, so more research.
 
OpenSSL maintains its OWN PRNG, seeded with data from the kernel. This PRNG is drawn from for all cryptographic operations, including generating long-term keys, generating ephemeral and session keys, and generating nonces.

OpenSSL only seeds its internal PRNG once per runtime. That's no problem for a one-shot operation like generating an RSA 1024 key. It's a different situation for long-running daemons that link to OpenSSL, like web servers: an Apache PFS connection requires 300-800 bits of random numbers, and if your application does not do something about it, you will be pulling all of that from a source that is never reseeded.

OpenSSL pulls its seed from /dev/urandom by default (and stirs in other data that is basically knowable). OpenSSL does NOT check the quality of the entropy when it reads /dev/urandom.

mod_ssl's attempt to generate entropy is not very sophisticated. On every request, it stirs in: date/time (4 bytes), the PID, and 256 bytes off the stack. Date/time is low resolution and guessable, the PID is a limited search space, and it always looks at the same place on the stack.

mod_ssl is trying really hard, but not really accomplishing much.
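To put a number on "limited search space", here is a constructed model of a token seeded from nothing but a one-second timestamp and a PID, and the brute force that recovers the seed. This is an added example for these notes; the derivation (SHA-256 over the packed pair) is a stand-in and is not mod_ssl's actual code, the function names are mine, and the 256 stack bytes the talk mentions are deliberately left out: if those are also predictable, this is the whole search space an attacker faces.

```python
"""Model of why 'date/time + PID' is a weak seed: a token derived only from
those values can be brute forced by anyone who knows roughly when it was
issued. Constructed example for this post; the derivation is a stand-in, not
mod_ssl's code."""
import hashlib
import struct

PID_MAX = 32768          # Linux default pid_max: the whole PID search space


def weak_token(unix_seconds: int, pid: int) -> bytes:
    """Stand-in for a token seeded only from low-resolution time and PID."""
    return hashlib.sha256(struct.pack("<II", unix_seconds, pid)).digest()[:8]


def recover_seed(token: bytes, approx_time: int, window: int = 5,
                 pid_max: int = PID_MAX):
    """Brute force (time, pid) within +/- `window` seconds of `approx_time`
    (e.g. the Date header of the response that carried the token).
    Returns the seed pair, or None if it is outside the window.
    Cost: (2 * window + 1) * pid_max hashes, a fraction of a second here."""
    for t in range(approx_time - window, approx_time + window + 1):
        prefix = struct.pack("<I", t)
        for pid in range(1, pid_max):
            if hashlib.sha256(prefix + struct.pack("<I", pid)).digest()[:8] == token:
                return t, pid
    return None


def search_space_bits(window: int = 5, pid_max: int = PID_MAX) -> float:
    """Effective entropy of the seed, in bits, for a given time window."""
    import math
    return math.log2((2 * window + 1) * pid_max)


if __name__ == "__main__":
    issued_at, pid = 1438732800, 4242         # constructed sample values
    token = weak_token(issued_at, pid)
    print("token:", token.hex())
    print("recovered:", recover_seed(token, issued_at + 3))
    print(f"seed entropy: ~{search_space_bits():.1f} bits")
```

Roughly 18 bits of effective entropy for a one-second clock and a default PID range; widening the time window to a full day only adds about 16 more. Compare that with the 300 to 800 bits of random numbers the talk says a single PFS handshake consumes.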

How much entropy goes into each random byte?  It depends...

The researchers tested various common actions in OpenSSL. Different operations required different amounts of entropy. When creating keys, you need to find big prime numbers, and a lot of candidate testing goes on to find one.

Attacks on PRNGs fall under three umbrellas: control or knowledge of "enough" of the entropy sources (like RDRAND), knowledge of the internal state of the PRNG, and analysis of the PRNG's output.

By default, the Linux kernel pulls from a variety of sources to build the entropy pool, so it is difficult to control them all. Knowledge of the state of the PRNG is very complex, but not impossible to obtain.

The caveat is that all of this assumes the PRNGs are seeded correctly, and the analysis is showing this is often not the case. So you can follow NIST's guidance on correctness and still get this wrong.

The researchers created the WES Entropy Client as a solution to the wild west of entropy generation and distribution. The initial release is for OpenSSL. The client lets users select sources of entropy, how to use each source, which PRNG to use, etc.

Currently available at http://whitewoodencryption.com/

Client is under active development, looking for feedback.


BHUSA15: Bring Back the Honey Pots

Haroon Meer is the founder of Thinkst, and Marco Slaviero is the lead researcher at Thinkst.

Honey pots are not a new concept; there are many previous talks on this. This is basic deception in warfare, another old concept. Check out: Deception for the Cyber Defender: To Err is Human; to Deceive, Divine.

Honey pots really got started around 1989 to 1991. In Bill Cheswick's 1989 paper, he wrote about effectively tracking down an attacker who had broken into his network; this was really one of the first deep-dive documents on the subject. Next was The Cuckoo's Egg by Clifford Stoll (wait, also 1989?), which hit on the themes of vulnerability disclosure ethics and what the NSA is up to. Mr. Stoll also talked about the concept of honey pots.

In 2000, Lance Spitzner launched the Honeynet Project, where we all gained valuable information from the "Know Your Enemy" series.

Think about big recent attacks like at Target, where the hackers lurked for months, before actively attacking. How could that be, if we've had the concepts of honey pots for years to help folks discover when they were being attacked?

Looking at the traffic on the honey pot mailing list: very active in 2003, nearly dying off starting in 2007. Honey pots are just not sexy. How do you demo this? "Um, it only makes noise when there's a problem, so it mostly does ... nothing." It's easier to sell other technology.

Honey pots have traditionally been pitched badly. They are overrepresented in academic work and don't seem like an industry solution.

Studying the attack after it happened doesn't seem interesting or relevant. Honey pots were looking for what was happening, but not focused on finding new attacks.

We need these, though. We can't wait to find out that our network has been exploited when the press contacts us. Verizon noted that 95% (?) of companies only find out about attacks when a 3rd party tells them. That's simply not acceptable.

As a defender, you MUST defend ALL the time. Attackers can come and go.

There are a lot of arguments against honey pots:

Isn't this just an arms race? No: an arms race is like what we saw between the US and the USSR, not what we're seeing today between the US and North Korea. You have to be at the table, making the attacker work for it.

Will honey pots just introduce new risk to our organization? No, you can run python on a hardened server, support only minimal protocols. If you get even just one alert, you're better off than you were yesterday.

And, really, come on - we know you have an NT4 server floating around still on your network.  You've already got the risk there, but this is something that you can manage.

"These are painful to deploy! I already have to manage so many things!"  The speakers have solved this with Open Canary (https://canary.tools/) which can deploy in 3 minutes.

The speakers introduced their Open Canary project:
  • Mixed (low + high + ?) interaction honeypot
  • written in python
  • produces high quality signals
  • it's a sensor
  • trivial to deploy and update
OpenCanary can be configured to send you lots, or a few alerts - you can control the noise level.

It watches various protocols: login attempts, NTP, SIP, and Samba.

As the name implies, the code is open source. You can configure and deploy multiple feeds across the network.

You do have to worry about discoverability. Make sure the honey pots are referenced (for example in your naming service) and deploy several of them so they are more likely to be found.


Of course, there is the problem that attackers might be able to fingerprint the honey pot. The speakers think this is a misguided worry. There are ways to detect honey pot software running on a system: look at how the system differs from what it should be. Is it running a strange service or kernel module? But we need to draw the distinction between what works in a lab and what works in the real world.
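The "it's a sensor, not a service" point is easiest to see in code. Below is a minimal honeypot listener in the spirit of what the speakers described: an added example written for these notes, not OpenCanary's code. It binds a port nothing legitimate should touch, sends an optional fake banner, records the first bytes of whatever arrives, and treats every connection as an alert. It implements no real protocol, which is exactly why it adds so little attack surface. The class and function names (CanarySensor, probe, run_demo) are mine; the probe function plays the role of a scanner so the whole thing can be exercised on localhost.

```python
"""Minimal honeypot sensor (added example for this post, not OpenCanary's
code): a listener that speaks no real protocol and turns every connection
into an alert. Standard library only."""
import json
import socket
import threading
import time


class CanarySensor:
    def __init__(self, host="127.0.0.1", port=0, banner=b"", service="tcp"):
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick one
        self.sock.listen(8)
        self.sock.settimeout(0.2)             # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner, self.service = banner, service
        self.alerts = []                      # one dict per touch
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()
        self._thread.join(2)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, rport) = self.sock.accept()
            except OSError:                   # timeout, or socket closed
                continue
            with conn:
                conn.settimeout(1.0)
                if self.banner:
                    conn.sendall(self.banner)
                try:
                    data = conn.recv(256)     # capture, never interpret
                except OSError:
                    data = b""
            self.alerts.append({"ts": time.time(), "service": self.service,
                                "src": ip, "sport": rport,
                                "first_bytes": data[:64].hex()})

    def emit(self) -> list:
        """Alerts as JSON lines, ready for syslog or a SIEM."""
        return [json.dumps(a) for a in self.alerts]


def probe(port: int, payload: bytes, host="127.0.0.1") -> bytes:
    """Touch the sensor the way a scanner would: connect, send, read banner."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)
        try:
            return s.recv(256)
        except OSError:
            return b""


def run_demo(payload: bytes = b"USER root\r\n") -> list:
    """Start a fake 'ftp' sensor, probe it once, and return its alerts."""
    sensor = CanarySensor(banner=b"220 ftp ready\r\n", service="ftp").start()
    try:
        probe(sensor.port, payload)
        deadline = time.time() + 3
        while not sensor.alerts and time.time() < deadline:
            time.sleep(0.05)
    finally:
        sensor.stop()
    return sensor.alerts


if __name__ == "__main__":
    for line in CanarySensor.emit(type("S", (), {"alerts": run_demo()})()):
        print(line)
```

Because the sensor never parses its input, a malformed or malicious payload can at worst fill a 256-byte buffer that is immediately thrown away. Drop a few of these on ports such as 21, 445 or 3389 on a hardened box, point a DNS name at it as the talk suggests, and the first alert is a real signal.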

Canary tokens are not a new concept either: Spafford & Kim (1994) and Spitzner (2003). Map makers do the same thing, putting fake cities or points of interest on maps so they can tell when someone has copied them.

Canary tokens are simple unique tags that can be embedded in a  wide number of places, like in a DNS channel.

You can learn more at canarytokens.com

How can tokens help us spot attackers on the network? You can watch a particular README file, and when it gets read, the canary token fires and sends the alert.

You can even deploy a canary token into databases: you can tell if someone is querying a table or a view. Same with PDF files.

Interesting use of bing ads, etc.  Cool talk!

(sorry if these notes are spotty, the speakers flashed through their slides REALLY fast, it was hard to catch everything).

BHUSA15: The Lifecycle of a Revolution

Jennifer Granick, Director of Civil Liberties at the Stanford Center for Internet and Society.

Jennifer and Jeff Moss (aka Dark Tangent) met at DefCon III in 1995 - they immediately connected, and she became the go-to lawyer for hackers ever since.


We’re seeing an internet that is no longer dominated by the US. This is important, as these other governments that don’t have a bill of rights will get in on making rules to regulate our Internet. Where will we be in 20 years? Will you know who is making the decisions? Computers will be deciding if you get a loan, where your car drives, etc. There will be mistakes, but as long as they are on the edge cases, that’s okay.


Technology was supposed to help us overturn oppressive regimes, but instead we’re seeing the opposite happen. The repressors are centralizing security, creating chokepoints where regulation can happen.  The backdoors and restrictions will be done by the elites and governments with local interest – not global interest.
Who is responsible for deciding who gets security, who gets access to what things on the Internet?

She was inspired by Steven Levy's book, Hackers, which espoused freedom of information and decentralization of information. This empowered people to make decisions on what was right and wrong. The global network would allow us to communicate with anyone, anywhere, any time.

Jennifer attended New College - where students were responsible for their own education. They wanted information to be free, and they wanted to use their freedom of thought to change the world.

She started her career as a lawyer with a deep love of technology, and was upset seeing hackers getting prosecuted for things she considered “pretty neat tricks”. She met a prisoner who was at risk of losing his “time credit” after it was discovered he was hacking the pay phone to get himself and his friends free phone calls. She wanted this to stop. That was in 1995, and she started paying more attention to what was happening.

Meet “Cyberporn”, a Time Magazine expose about what you could find on the Internet. Congress wanted this to stop (nothing gets government more excited than porn), and they wanted to create an online decency act. Of course, doing so required assuming that there were no first amendment rights on the Internet.

John Perry Barlow, founder of the EFF and lyricist for the Grateful Dead wrote:

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You’re not welcome among us. You have no sovereignty where we gather.

The Supreme Court, fortunately, overturned most of the provisions of the CDA, except the one provision which specified that the provider did not have to be the police.

The Internet was supposed to make us more free – but that’s not what’s happening anymore out there.

Race, gender and class discrimination seem resilient to change on the Internet. While Jennifer has always felt welcome, there is too much evidence to ignore. Look at our big tech companies, which have 17, 15, or 10% female engineers.

How  is that equality?

There are talented people on all parts of the autism spectrum, with different college (or no college) backgrounds, and at any age – from the very young to the elderly.  Given that, could we lead in equality?

What about Freedom to Tinker?

For example, Mike Lynn was coming to present on new vulnerabilities in Cisco routers at Black Hat. His employer, ISS (Internet Security Systems), and Cisco decided he should not give the talk and threatened the Black Hat conference to make it remove the pages referencing Mike’s talk from the program and redo the CD-ROMs with the conference proceedings on them. Jennifer was his lawyer. Mike gave the talk anyway, but the first thing he did in his talk was resign from ISS.
 
What looks more like censorship than ripping pages out of a book?

Jennifer also represented Aaron Swartz, who ended up killing himself while being prosecuted.

How do we stop this?

Congress has to stop the “tough on cybercrime” hand waving and actually do something about cyber security. They have created big prison sentences for violators, but when another country like China is behind an attack, nothing is done. China does not go to jail. It’s the little guys that are really hurt by the DMCA and CFAA. We need to get rid of them.

Already now, algorithms are making decisions about our lives, our money, our jobs, and we do not understand these algorithms. How do we take advantage of AI and machine learning without ending up completely out of control?

Who is responsible when software fails?  For the most part, nobody. People are sick and tired of this.

Think about this; what happens when your self driving car crashes?  When your internet connected toaster catches on fire? When hackers can control your car remotely using your OnStar device?

We will end up with software liability. Once we are suing Tesla and GM for their software issues, it will be a small step to start suing software companies.

Jennifer recommends reading the Master Switch, by Tim Wu, which studies the cycle of major technologies. History shows a typical progression of information technologies from somebody’s hobby to somebody’s industry; from jury-rigged contraption to slick production marvel; from a freely accessible channel to one strictly controlled by a single corporation or cartel – from open to closed system.

If we don’t do things differently, the Internet will end up like TV, strongly regulated.

Sadly, there are people on the Internet that suck – 4chan, Nazis, jihadists.  Freedom of speech allows those – if you try to regulate them, you will end up impacting everyone. We must tread carefully.

Jennifer asks: who has ever had a blog? Lots of hands go up. Who still blogs? A few hands go up. She noted, “I used to blog, I don’t anymore, I use the centralized service – Facebook”. Nobody, well, except people in this room, still run their own mail server – they all use gmail.com.  We are giving up the control, we are doing this to ourselves.

When we talk about the “cloud” - is it all happy and free? No, it is actually controlled by a small handful of companies, subject to government regulations (US or otherwise). This creates a centralized point for control and eavesdropping.

The law is not protecting us here – in fact, quite the opposite. For example, we have laws that allow surveillance on foreigners, but loopholes in those laws are being used to spy on US Citizens. Laws are passing to give corporations protection from lawsuits if they turn over information to the US Government.

There is not a lot of case law here, oddly, considering the Internet has been around for awhile.

When there is no warrant requirement, searches can be massive and arbitrary.

The myth is that security and privacy are opposites. Not true! Think about how the putting a lock on a cockpit door provides security, but doesn’t mean privacy is exposed. A gay man in another country needs to keep that information private in order to be secure in his own health and happiness.

The current situation is leading to the security haves and have-nots. It’s increasingly about power, and once that happens, the people who will lose will be the minorities (religious, ethnic, etc.), those who need security most! In the US, we have the Bill of Rights, so we don’t care enough about this. But other countries do not have those protections. We need to be the leader that protects the world, but we’re not doing that.

We’re already scanning for terrorist threats, and it’s broadening now into monitoring people that seem to be becoming radicalized. What does that mean? There is no agreement, even from the FBI and psychologists, on what it means to be “becoming radicalized”.  So, now more people are getting observed.

People don’t even realize what the Internet is. In a national survey, more people said they use Facebook than reported using the Internet. Of course, Facebook is on the Internet, but it is NOT the Internet. So who is correct there? Facebook decides what to show you based on some algorithm; the freedom is not there... The further this goes, the less we will know about the world.

We need to start thinking about decentralizing technology again. We need end to end encryption. We need to be afraid of the right things. People are terrible at assessing risk. People are more afraid of sharks than of cows, but EIGHT times more people die at the hoofs of cows every year than are killed by sharks. (note: WHAT?!?! Now I’m more afraid of cows, I knew they were after me!)

We can use law to provide safeguards where technology doesn’t, but we don’t. Congress is simply not protecting our privacy. We need to push them.

We need to get ready to smash it apart and make something new and better.

Monday, July 20, 2015

GHC15: I Can't Wait!

I am so excited to be co-chairing the Communities Committee for the Grace Hopper Celebration of Women in Computing again this year, seeing Houston, attending as a team member from a sponsoring company, and interspersing technical conversations with discussions of work/life issues without feeling exposed.

What's the Communities Committee?  We're a group of volunteers that ties all of the social media aspects of the conference together.  We seek out volunteers to take notes of sessions, write blogs about their experiences, share on Facebook, LinkedIn, Twitter and Instagram, and even create their own video blogs.  We coordinate the hash tags, process incoming volunteer applications, help the volunteers get onto our aggregate sites and retweet and share things like crazy during the conference.  This year, our committee has expanded - you'll be hearing from other committee members soon - as we're going to be adding several more exciting interactive elements to the conference itself.

Through the committee, I learn about many new technologies (like the tools we use to collaborate: Google Drive, Trello, Blogger and Slack - plus about the interesting work my colleagues are doing). My co-chair, Charna Parkey, works at a fascinating start up that lets you check your job listings for unintentional bias! They will get you the best applications, then it's up to you to make the sale.

As for Houston - I've only ever spent one night there before a cruise.  It'll be hot and humid, I'm sure (though it will be October), and I'll be staying near a giant shopping mall - but I'm sure there'll be more to see!  Space stuff - at the very least!  Any other suggestions?!

And Oracle is sponsoring the conference again this year! Please do stop by our recruitment booth - we're looking for smart new college grads and experienced folks. Bring your resume!

Finally - last but certainly not least - there is something so refreshing, so recharging about talking about cool technology with other women.  Women in tech are a special kind of breed - we've all worked hard to get where we are (even if that's just our senior year in college): overcoming unintentional (and sadly sometimes intentional) bias, constantly having to explain why we are where we are ("why are you studying computer science?" - yep, got that a lot in college), and always working to get over Imposter Syndrome.

Technical women are different - we can be honest with each other when we are frustrated, or do not understand what the other is talking about. We are passionate and still patient.  We understand that not everyone is up on the lingo of our profession, and will take a moment to explain things to a "newbie".  We empathize with each other on our tough life situations and understand nobody is perfect.

I know I will learn a ton - about security, career and life balance, and how to be a better manager and still keep my engineer brain going.

I will continue my journey to grow as a leader in my community and at work.

It is, after all, "Our Time to Lead".

Will I see you there?




Monday, July 13, 2015

OWL: Understanding the Hidden Language of the Subconscious

Oracle Women's Leadership group brought in Master Hypnotherapist/Three in One Behaviorist Dylan Rumley on June 18 to help us learn how to shift negative experiences into positive ones by harnessing the hidden language of the subconscious to our favor.

The evening started out with drinks and hors-d'oeuvres and networking with other women from Oracle. As it was held at our headquarters, I had the opportunity to meet many women I normally would never cross paths with. Everyone I talked to was so interesting, and friendly. A fantastic environment!

Dylan was an energetic and thoughtful speaker, who is focused on one goal: She wants to bring peace and calm to as many people as possible, using a whole brain approach, for adults and children.

Dylan spoke of her work with adults and children alike, and her discoveries she's made through her training and work with clients.  The brain loves to play! Without stress, learning can be easy for anyone. Think about how much fun you have and how relaxed you can become when looking through a kaleidoscope.

Dylan spoke of three brain states: the brain we know, the heart and brain together (coherence), and the psoas muscle. Wait, what? Yes, the psoas muscle - the one that many of us work on relaxing through yoga and tension release exercises.  Dylan believes all of these things should be used and taken care of to use your "whole brain".

There is a myth that some people are right brained and some are left, as we all need both hemispheres for executive functions and creativity. Sure, some people may find more inspiration from one side or the other - but if you can learn to use both, you can do more with your life.

Confusing, right? Let Iain McGilchrist explain it all to you:

Both hemispheres of our brain need to work together, but as we've evolved, the connections have been broken or shrunk.  The focus of the right hemisphere is broad, the left is narrow.

Dylan reminded us that it takes 21 days to change a pattern.  She had to remind her client, Wesley, as well. He came to her with extreme panic attacks when he tried to get on an airplane, bus or train. He was convinced that his claustrophobia was incurable. After exhausting doctors, medication and conventional therapists, he thought he had nothing to lose by seeing Dylan. She told him that if he could get himself into a true whole brain state, he would not be able to panic.

Dylan and Wesley worked together in an intense schedule for 21 days - and at the end of that 21 days, they got onto a plane together. Wesley was able to then fly across country to see his child's college graduation. :-)

One way to get your brain hemispheres to communicate more effectively is from doing cross patterning exercises.  Doing this helps the subconscious disconnect from your conscious and complete filing away emotions and events that are blocking you. It doesn't mean that you will forget these events, but that they will no longer stop you from moving forward with your life.

Dylan taught us a handful of cross patterning exercises and recommended we do them every day for 21 days - to create new brain habits.  All of these exercises involve keeping the body moving in some fashion (hands or eyes in the two we learned), which will help you from getting into the "freeze" mode in an uncomfortable situation.

Dylan additionally talked about the Behavior Barometer - how to manage your feeling words. For example, Anger is a really important emotion. When harnessed correctly, it can help you discover things.

She stressed how important it was for us to feel fully, or warned us that we could get stuck. Boy, that's happened to me before - playing conversations over and over in my head, re-reading emails, thinking about a car accident I witnessed, etc.

We need to work with our subconscious, get those emotions and events filed away properly so we can move forward.

Looking at the Behavior Barometer, find your emotion. Look up the definition of your emotion in the dictionary. Look up the meaning of its Latin roots. Truly understand what you are feeling.

Take the Resentment section, for example, and imagine your consciousness is feeling offended. Find the word in the same position under the subconscious section: ruined. See where that is leaving your body: no choice. Stuck.

If you can own your feelings ("Yes, I am offended"), then your subconscious can let go. The subconscious loves completeness, so give it to your brain. Don't ignore feelings, acknowledge them - but stay there for less time.

Dylan noted that our subconscious also loves to heal. To help move this process forward, she recommends guided imagery, meditation, and cross pattern activities.

She ended the evening by taking us through her 20 minute guided imagery meditation, called "The Theater". Dylan recommends listening to this as you fall asleep at night. I found I left very relaxed and happy - so maybe that means I need to start meditating again!