
PTES, remaining impartial, and insisting on high standards

The PTES (Penetration Testing Execution Standard) is a standard that a small group of highly motivated and passionate practitioners (yours truly included) has created. As such, it is designed to define how a penetration test should be executed – from start to finish. We tried not to skip a single element. We worked tirelessly to make sure that the standard does not reference any particular vendor or product, as we all believe that a proper penetration test is not about the tools, but about the content and delivery.
The standard has survived several years of scrutiny and a few rounds of editing and improvement, and has never once leaned toward a specific industry player.
It has by now been adopted by the PCI council as a reference for what a penetration test is, and it has been acknowledged by the British Standards Institute and placed in the same class as other standards, often receiving higher praise for its impartiality, practicality and coverage.
For some reason, in the past week or so I was approached by two different vendors attempting to either have us use their platform or write up how their suite of products provides “the best coverage for the PTES”. I’m sure I’m not alone in this.
Just to be clear, I’m including my (slightly modified) answer below, which by now is also the “official” line of the core PTES founding group.

Hi [vendor],
Thanks for reaching out. Unfortunately, the PTES as a standard is not going to endorse any specific product or service. We have a guide section that offers approaches to the execution of the standard (http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines) and I’m sure that your products can fit into _SOME_ of these areas.
I’d suggest avoiding any attempt to portray a product suite as “filling the needs of a penetration testing standard”, as it would be bound to be criticized and proven otherwise. Additionally, as impartial members of the standard’s founding group, we are all committed to avoiding any endorsement of, or participation in, a product- or vendor-specific writeup.
Thanks, Ian

The standard is written for us: practitioners, customers, organizations, anyone and everyone who deals with penetration testing. It is not about a specific product, or even a specific approach or methodology for testing. It’s about defining expectations and delivery bars. It’s about setting and insisting on a high standard, not even a “minimal bar” for delivery. It is designed so that when it is adhered to, the delivery will be well above a “minimal standard”. We do not settle for minimums.
Please don’t settle on your end either.

Infosec conferences/talks redux

Don’t mind me, just poking my head in here to make sure the cobwebs haven’t taken over this place yet 😛
So yes – I’m going to be blogging waaay less than before because of, well, life? But I recently saw a post from Daniel Miessler who discussed how (in)effective modern security talks at conferences are.
He brings up a couple of great points and talks about what a good talk in his mind would be. Figured I’d share my 2c on this, based on a couple of conferences and talks I’ve been to and delivered.

So, neither approach is useful IMHO (i.e. neither essay nor entertainment).
A Dan Geer style essay-reading has zero added value for the participants. Go read it yourself at your own pace and you’ll be better equipped to take something from it.

A handwaving “look at my marketing schtick” presentation has no value without any insight into the thought process behind it. Neither does a talk focused solely on entertainment value, even if it veils itself as “but through which you’ll get awareness/education”, and especially if it’s mostly self-serving and designed to make you look good. Go away.

Slides that are visually appealing (cat pics) but still support the narrative of what the speaker is saying would be the best experience for me personally (given that there is actual content, and not just the same regurgitated BS that a lot of talks pass off as “innovation/research”).

So, first – get something new in place.

Ok – go and google that shit. Double time. Because most of what’s been out there recently – from “unveiling” cyber criminal tools and forums to “new” ways to avoid data exfiltration mitigations – is OLD FUCKING NEWS. You are supposed to be this OSINT Google-fu master. Prove it by not embarrassing yourself with a re-branding of old research.

Now, realizing that you may have no idea how to present this new thing, do two things:

  1. Write a paper that describes said new thing. Keep it fairly academic or white-paper style. This is the “essay” style you keep hearing about. DO NOT TRY TO PRESENT IT. It’ll be boring as fuck, and people in the crowd will go into hibernation.
  2. Start writing the story of how you found said new thing. Take note of the following:
    1. Why did you go out to invent/find said new thing? What was the motivation? What gap does this fill?
    2. How did you go about researching and finding the new thing? What challenges did you face doing so? What didn’t work along the way (much more interesting and relevant than what did work)?
    3. How do you use this new thing? How can I use it (assuming I don’t have to sell a kidney to do so; if so, pass this along to your marketing guys so they can get ready for RSA)?
    4. Show relevant data on how this new thing improved your life (professional life included). Show the situation before and after the new thing was applied. Data is cool, and you can’t argue with it (as opposed to “hey, look at me doing this thing one time with no context and no goal and how badass I am”).
    5. Give credit. Understanding that you are probably not researching the new thing in a complete void – give some props to the people/projects who have inspired you, helped you move your research along, or have done similar things that you have built on to get to your new thing (i.e. don’t be an asshole).
  3. Take this story now, and tell it. This is your talk. Find visuals that support the narrative of this story. These don’t have to be the verbatim text of what you are saying (please, for the love of god, stop it with the bullet wars). They can be cat pictures, they can be graphs, or funny graphics. Make sure there’s some connection between your slides and your story narrative.
  4. Practice going through your talk and telling your story. After a couple of tries, try turning off the slides. Can you still make it work? Do you keep trying to read from the slides? (Of course not, because they should only have minimal text on them.)
  5. Go talk. It’s going to be great. You are going to stumble on your words sometimes, utter an “Ummm” and an “Ahhh” from time to time. Nobody really cares. Because they are listening to your story, which is awesome and interesting, and not reading your slides before you can recite them.
    1. (Oh, and of course – don’t memorize the thing. You need to be able to tell that story again and again, and never sound the same. Otherwise you could have just sent a pre-recorded and edited copy of you doing this.)

I guess it’s easier to say this from where I’m standing (here’s my bias declaration: I’ve done this many times, including bad presentations, and am about to deliver my last talks by the end of the month). But trust me – do yourself a favor and think about what you’d want to see/hear at a conference. It’s that simple. Don’t think about some “rock star” researcher and look up their presentation (they might suck at public speaking); just put yourself in the crowd and think “this is what would have worked for me if I wanted to learn about something”.

Thoughts about the Apple vs FBI iPhone firmware case

Not trying to provide the full story here, just a few thoughts and directions as to security, privacy and civil rights. (For the backdrop, Apple’s Tim Cook letter explains it best: https://www.apple.com/customer-letter/)

From a technical perspective, Apple is fully capable of alleviating a lot of the barriers the FBI is currently facing in unlocking the phone (evidence) in question. It is an iPhone 5C, which does not have the enhanced security features implemented in iPhones from the 5S onward (the Secure Enclave – see Dan Guido’s technical writeup here: http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/).

Additionally, when dealing with more modern versions, it is also feasible for Apple to provide updates to the Secure Enclave firmware without erasing the content of the phone.

But from a legal perspective we are facing not only a slippery slope but a cliff, as someone eloquently noted on Twitter. Abiding by a legal claim based on an archaic law (the All Writs Act – originally part of the Judiciary Act of 1789), coupled with a just as shaky probable cause claim, basically opens the door for further requests that will build on the precedent set here if Apple complies with the court’s order.
One can easily imagine how “national security” (see how well that worked out in the PATRIOT Act) will be used to trump civil rights and provide access to anyone’s private information.

We have finally reached a time where technology, which was an easy crutch for law enforcement to rely on, is no longer there to enable spying (legal or otherwise) on citizens. We are back to a time where actual hard work needs to be done in order to act on suspicions, and real investigations have to take place; where HUMINT is back on the table, and law enforcement (and non-LE forces) have to step up their game and, again, do proper investigative work.

Security is obviously a passion of mine, and supporting (and sometimes helping) it advance in order to provide everyone with privacy and comfort has been my ethic for as long as I can remember dealing with it (technology, security and privacy). So is national security and the pursuit of anything that threatens it, and I don’t need to show any credentials for either.

This is an interesting case, where these two allegedly face each other. But it’s clear cut from where I’m standing. I’ve said it before, and I’ll say it again: Tim Cook and Apple drew a line in the sand. A very clear line. It is a critical time now to understand which side of the line everybody stands on. Smaller companies that lack Apple’s legal and market forces, and which have so far bent over to similar “requests” from the government, can find solace in a market leader drawing such a clear line. Large companies (I’m looking at you, Google!) should also make their stand very clear – in support of that line. Crossing that line means taking a step further toward becoming one of the regimes we protect ourselves from. Dark and dangerous ones, which do not value life and which treat people differently based on their social, financial, racial, gender or belief standing. That’s not where or who we want to be.

Or at least I’d like to think so.

Update: Apparently Google is standing on the right side of the line:

Update 2 (2/20/16): Seems like the story is developing more rapidly, so figured I’d add a couple more elements here.

First – a good review of the FBI’s request from a forensic perspective puts the entire thing on even shakier legal standing if the data from the phone were to be used in such a way: http://www.zdziarski.com/blog/?p=5645

Second – Apple today (2/20) updated that while the phone was in the FBI’s custody, its iCloud ID was reset, basically eliminating one of the easier paths to recover data from the phone (http://abcnews.go.com/US/san-bernardino-shooters-apple-id-passcode-changed-government/story?id=37066070). This would have been a major oversight by the FBI, who would have failed to establish a clear “hands-off” policy on anything related to the terrorists’ assets – including the employer’s digitally controlled assets. Later in the day, and probably after coming under scrutiny for allegedly performing the iCloud account reset “of their own accord”, San Bernardino County’s official account stated that it had essentially tampered with the evidence at the FBI’s request.

If this is indeed the case, we are looking at a much more problematic practice that exceeds incompetence and moves into malpractice.


P.S. Additional reading on this, from a couple of different authors with whom I wholeheartedly agree:

http://www.macworld.com/article/3034355/ios/why-the-fbis-request-to-apple-will-affect-civil-rights-for-a-generation.html

And the EFF’s stand: https://www.eff.org/deeplinks/2016/02/eff-support-apple-encryption-battle

An obituary to pentesting?

I just saw a blog post in which Mike Kemp discovers the realities of 2010 (LinkedIn). (Disclaimer – I know Mike and love him as a person, and this is my way of poking at him a bit – no disrespect here, but pretty much the opposite.)

Now, go read that post (yes, I know, it’s long, but trust me).
This isn’t new (albeit very honest, direct and true), but here are a couple of comments I have:

  1. Penetration testing is dead. Overrated and abused by fancy vulnerability scanning, it died a few years ago. If you are still paying for one, check carefully what you are actually getting…
  2. Automation is king. I actually argue that 80% of what’s sold as a pentest by the major providers can/should be automated. All those scanner monkeys should be fired or forced to step up their game and actually do some work.
  3. Compliance? Really? Do you really want to go there? It’s got nothing to do with security, and if you thought so for a second I want to have what you were on when you did.
  4. Standards. This is where Mike touches on a sensitive topic for me (yes, PTES…). I’d actually challenge Mike to show me how PTES (which he mentions in the post – but you already know that because you read it, right?!) restricts providers by providing the engagement steps they should follow. There’s no restriction on scope, and I have personally used PTES in red team engagements: full scope, no holds barred. But still with a standard to follow, and something the client can also keep track of and know what to expect (and demand).
  5. I fully agree on the “pass the wealth” point where you should call in someone else who’s an expert to deal with a specific client request. Done that many times, and have never lost a customer that way.

Last but not least – yes, I do think that most pentesters can be replaced with a script. As they should be. I do however have some solid advice for Mike and others who are still valuable professionals with skills that are not replaceable by automation: demand a proper engagement model. And yes – I’m referring to the PTES again. You’ll notice that threat modeling is part of it. Done properly, threat modeling achieves multiple goals:

  • Forces the discussion to be around security rather than compliance, price or other factors that have nothing to do with security.
  • Scope goes out the window as threat models focus on the BUSINESS and not the TECHNOLOGY.
  • Enables the organization to test itself against its adversaries (threat actors/communities) rather than against pentesters. Much more rewarding, and correct.
  • Enables the provider (if it can muster a decent threat model with the client) to charge decent rates for its services. You can clearly show how this isn’t some automated software running and spitting out reports, but skills and experience at play. It’s then your responsibility to follow through on it and make sure the final deliverable also looks like that (otherwise you are looking at very short-lived success for trying to adopt only part of this approach).

I actually welcome the hordes of scanner monkeys and tool-jockeys. They make the real professionals look even better. And although professionals don’t often have the marketing/sales power of the big-[number], trust me – they are busy, doing work that the “big” and “trusted” suppliers can’t even start to put on their canned proposal templates.

Amazonian Trojans and Marketing Fear-Mongering

Hello there, welcome back to our scheduled programming on how to drum up clicks and views on your website “Powered by Fear Uncertainty and Doubt”.

As most marketing organizations know, sometimes you need to be a little creative when coming up with news and research. You draw a target for your security researchers to hit, and hope they come back with meaningful data that’ll make it to the next news cycle. And sometimes it actually works.

This time it didn’t. Recently, when reviewing my Twitter/Facebook feeds, I ran across “news” stating that Amazon (OMG – our trusted Amazon) is selling rooted Android tablets preinstalled with Trojans. Most of the public probably goes: “Hide your Nexus and shoot your Kindles!” in response. How dare Amazon sell us trojaned tablets?

But worry not. Once you actually read the details of the article (http://www.net-security.org/malware_news.php?id=3152) and the original research report (http://www.cmcm.com/blog/en/security/2015-11-09/842.html), you’ll understand that:

  1. Amazon has nothing to do with this. You and I could set up shop on Amazon and start selling backdoored laptops, and Amazon wouldn’t have anything to do with said backdoored laptops either.
  2. It’s not about your usual tablet. So you can pull back your Nexus, brush up your Kindle, and keep using your Asus/Samsung/LG/[brand] Android tablet.
  3. It’s not even really an Android issue. One could have jailbroken an iPad, installed a backdoor/trojan on it, and sold it online. The Android part relates more to the price point and the ability to sell really cheap tablets.
  4. I dare you to recognize any of the “brands” of tablets sold with these trojans. Funny, the top “brand” is actually, wait for it, “NO BRAND”. I kid you not.


So after sorting out the FUD, we are left with not much of a scare. Suspiciously cheap tablets, marketed mostly as “no brand” (or other brands which at least I’ve never heard of), are filled with questionable software. Kinda reminds me of even “big name” manufacturers who load their phones/tablets/laptops with assorted unwanted software (officially dubbed “bloatware”). Wow. How did this not make headline news across the nation?

Bottom line – it’s pretty sad that we end up running research on the fringe areas of consumer devices and shopping behaviors. Yes, there’s a technical merit to analyzing a Chinese backdoor, but marketing it as “OMGWTFBBQ!” by sprinkling in Amazon and Android in the headline is pure marketing alchemy. Let’s get back to two things:

  1. Educating people that when a deal seems too good to be true, it probably is.
  2. Focusing our research efforts on more meaningful things. Yes, this also applies to stunt hacking, or junk hacking of sorts. There’s a lot of brainpower that could be diverted to solving problems that we have been dealing with for ages, yet would probably yield less media buzz.