Honest review – CSI:Cyber

There seems to be a lot of chatter (at least on my highly biased Twitter and Facebook feeds) about how terrible of a show CSI:Cyber was. People seem to be extremely concerned about the fact that the show did not portray all the hacking related activities (cyber, infosec, whatever you want to call it) precisely as it is in real life. So here’s my take at it.

First – I’m not talking about the overall quality of the show. I’m not a TV critic, and I’m not going to go into the casting choices, the bad acting, the hollow and predictable script or any of the cinematographic elements. Let’s just focus for a second on what irks people the most – cyber.

So let’s talk about some (again some!) of the technical elements that show up there:

1. Hacking into baby cameras. Totally true. http://www.cnet.com/news/hacker-shouts-at-baby-through-baby-monitor/

2. Social media being a major source for intelligence. Been using it for a decade now through red teaming. Actually joined a social risk management company as it’s that big of an issue. (www.zerofox.com)

3. Social engineering – micro expressions, cold reading, etc. Legit. Again – red teaming. We even teach it on our red team classes.

4. The camera ball used to survey a site before entering it. http://bounceimaging.com/

5. Usage of malware (RAT) to spy on people. Welcome to the last 17 years of my professional career. And yes – you can buy this on the “surface web” (WTF – can’t you just say Internet?). Blackshades used to go for about $40-$50 a pop as far as I recall (and no, not going to do the homework for you and link to a live site that sells this. Google it.).

6. Companies that release products with known flaws in them? Yeah, you are probably reading this from one of those. Welcome to reality, where business decisions trump technical purity and security. Companies want to make money. Fast. If fixing all the flaws found in the software or hardware will keep them from making money, guess what – they will prioritize these to a point where they can get $ in the bank.

And yes – there where some highly amusing things where the artistic license was taken very liberally. Malware showing up in the code as red letters (vs. the traditional green on black). Fingerprints taken from a scene of a crime using an “Expensify” like app – quick snap of the phone’s camera, and within seconds you got a match with full profile and mug. Tracking every IP address to a physical location and swatting it within minutes. A teenager that needed help on a console game from a 30-something year old FBI agent. Having an online bidding that consists of basically a conference call conducted in multiple languages (nobody has time for this – it’s all going to be done through IM’ing, and on dedicated forums). And the list goes on… no regard to the judicial process, medical examinations that are beyond absurd, taking an hour to drive from DC to Baltimore, but from Baltimore to upstate New York in minutes just to get to the drowning car so that the baby can be saved.

Am I hearing my lawyer friends going crazy on the lack of judicial process? About the deal that put a convicted felon to work closely with the FBI? (they are having hard time finding good people because they smoked pot FFS)? Nope. You know why? BECAUSE IT’S TELEVISION.

It’s not a documentary.

If it would be, 90% of the show would be someone staring at a debugger on a screen, drinking coffee, eating junk food, and cursing. And then writing a report. I’m sure that’s a blockbuster – call in the writers.

So ease off. Be thankful that this isn’t another Scorpion, and that there are enough elements in the script based on reality, kick back, take a load off and watch your entertainment on TV. If you want more accuracy – feel free to watch the hundreds of videos from conferences like BlackHat, Defcon, Derbycon, etc. You’ll get educated. Can’t promise anything about entertained though ;-)

Oh. here’s a bonus for you if you thought that the image above was cool – my desk is much simpler :-P2015-03-05 10.43.43

 

Sensationalism – doing more damage than good

It took me a while to really decide to pull the trigger on this post. For several reasons:

1. I think the way that @ZeroFOX handled this was impeccable. As far as “we” are concerned this issue was to bed once the instigator (@avriette) balked out on actually having a constructive discussion when invited to.

2. Deciding to pick this up the next day showed me that @avriette blocked me on twitter. That kind’a shows the level of maturity we are dealing with here. Burying your head in the sand and refusing to deal with your provocation is not something that I can respect.

Nevertheless, I did want to put my personal thoughts on this out there (specifically since I don’t think that ZeroFOX needs to handle this anymore, and since I have already voiced my thoughts about this before: http://www.iamit.org/blog/2014/02/women-in-infosec-that-thing-again/).

So here goes: During a presentation at Shmoocon, that discussed research conducted with John’s Hopkins University about a red team / blue team exercise over social media. As such, the students have learned about attack vectors that were effective, and have engaged in launching those against their fellow students in other universities. As the talk title implied, the obvious attack methods online were ones that appealed to the target demography: “Mascots, March Madness & #yogapants”. It should have been pretty obvious, that when discussing any attack vectors on social media (and social engineering), anything related to sex, sports, food, free/discounted stuff, will all show up with varying degrees of effectiveness.

powersAnd yes – Tinder showed up there as an effective method (yes, it’s a sex-as-a-service app) to target people. I can admit to using Tinder (and Grindr, and happn, and okcupid, and others) as highly effective means of social engineering my targets on red team engagements. I also admit that I have totally stereotyped my female targets and used discounts on Manolo Blahnik shoes, LV bags, and high-end wine. And it was very effective. I’ve used free hot cocoa offers in the winter, and beach getaways in the summer, and iTunes cards, and free food samples, and court side tickets for Knicks games (yes, people actually still go there), and a gazillion other “objectifying” methods of appealing to my targets. Because these things work. And as such, I have presented my experience and research about it, just like this one (and I have been passing along that knowledge very successfully on our Red Team Trainings in the past as well).

During the presentation, it was brought to my attention that someone is tweeting about how the talk is objectifying women and making women in the audience feel uncomfortable. Mike (@theprez98) posted a short blog about this here: http://theprez98.blogspot.com/2015/01/hacker-cons-and-speech-codes.html.

The funny thing is that while I was sitting at the talk, I had two women who I highly respect, tell me how they fail to see whether the content or presentation would make them feel uncomfortable, nor that it was objectifying women in any way. Anecdotally, one of these women also runs the @ZeroFOX account, which “Jane the destroyer” was tweeting to, probably thinking that a man was running it (can you say stereotyping?).

I can’t put myself in anyone else’ shoes, so there is no way for me to debate the “making me feel uncomfortable” claim. Should have been a trigger warning at the beginning of the talk? Probably not. Especially if you bothered to read the talk title, or the short abstract. But going out, and just for the sake of making a potential scene, and then to bail out when offered to discuss things in more details shows me the true nature of the instigation.

And that’s where it gets me – it’s doing more damage than good. Like I have said before – my personal experience in the industry is not of “holding back women”. It’s of a very equal approach that puts women and men in the same position: professional. Just like another person that I highly respect in the industry put it in the past: “Calling bullshit on women in infosec” (thanks again Jennifer), and then Amanda’s post about the BSidesLV “incident” – these instigators are just doing more damage.

Yes, just like in any large enough group of people, you’ll find the assholes who are sexist. You’ll also find bigots, racists, trolls, anti-social people, douchebags (bro’s), etc… You cannot expect that since this environment is “yours” (i.e. infosec), it would be devoid of your run-of-the-mill social miscreants. Just like you deal with it on your non-infosec life, deal with it here. I’m dealing with it because I’m bald, and Israeli, and am often associated with Jews (no – I don’t care for kosher food. I like GOOD food, which usually excludes kosher. Stop stereotyping!). And I’ve dealt with it when I saw other people out of line when it comes to my friends or the hacker family. Whether it was a cop picking on a black person, or a women being harassed at a bar or a conference (not that they need it – they stood up for themselves just fine…).

So here goes. You got your 15 minutes of fame, I hope you enjoy them. I wouldn’t want mine to be about stuff like this. I’d like it to be about things that I’m passionate about, and that can actually make a difference.

Like hacking.

Think about it.

 

Update: This pretty much puts it to bed.

Screen Shot 2015-01-23 at 11.08.21 AM

Killing (innovation) in the name of the law

I am not a lawyer. Nor I want to be one.

But fortunately I have enough education and practice around legal systems – domestic and international to be “dangerous” enough so I can actually get my job done wherever I need to.

This, however, is a constant balancing act, especially in light of the proposed cybersecurity bill. The proposed legislation basically expands the CFAA (Computer Fraud and Abuse Act), and not in the right directions. As-is, the CFAA is draconian, and has been repeatedly abused to prosecute people who have for a lack of better terms, pissed off someone. Notable examples like Barrett Brown, Aaron Swartz and Andrew Auernheimer (‘weev’) have been subjected to government prosecutors who leaned on the ambiguity and far-reaching implications of the CFAA.

Extending the law, and subjecting it to elements such as RICO (Racketeer Influenced and Corrupt Organizations Act) furthers it’s reach, and along with the proposed amendments basically criminalizes most of the work done by hackers (i.e. good guys). It stifles innovation and the ability to “play around” with computers, software and hardware, and would have put most hi-tech founders in jail for a long time if the law would have existed back then. Heck, I’d be serving decades in jail if it would.

And to think, even for a moment, that any of this have, or would deter real criminals is absurd. Other than holding back legitimate research and innovation that is put to use to thwart cybersecurity threats, this does nothing good.

I truly hope that legislators would wake up and rise above the political forces that managed to push this bill in its current form, and perhaps even take action to correct the already crooked CFAA in a way that would make it more relevant to computer crime and fraud.

Until then, I guess that we would have to keep tiptoeing between the raindrops to make sure that we can keep pushing the envelope as always. Much like a lot of organizations (private, as well as government, that I have had a chance to work with) have done by offshoring and distancing their more aggressive/proactive activities to avoid jurisdiction issues.

A couple of good reads on this are here for your background: Orin Kerr and a shameless plug of my comments on this on CSO Online.

When a door is not a door

This is going to be a short one, because so much has been written on this, and the level of (in)competence exhibited by so many people around this has almost driven me crazy.

Yes, the Sony hack. Not going to comment on what has been done, what should have been done, the sophistication of the attack, the ability to detect tens of terrabytes leaving a network, or the way to handle this (technically, politically, diplomatically, business, ugh – you name it…).

But I do find it ironic that this post comes right after my previous one, now aptly titled “To the full extent of their capabilities” by Dave Aitel (who’s also had his share of commenting on the Sony hack).

I was vocal enough around this, especially (and weirdly I must say) as someone who suddenly sounds like the responsible adult, urging for deeper and more comprehensive forensic work and not knee-jerk attribution. Attribution, as we all (should) know, is difficult. Especially in the “cyber” realm, where fingerprints are more difficult to link to actors, who are in turn difficult to link to aggressors.

dognetOn the Internet, everyone can be anyone, and planting false flags is common practice among even the less capable threat actors. Acting on such red herrings is not only irresponsible, it can also be dangerous (an “unnamed official” at the Pentagon responded as such to the DDoS attacks on July 4th 2009). And it looks like we are facing the same weak evidence again. I highly recommend reading Fauxtribution by Krypt3ia, who really lays out the evidence, and the highly speculative nature of the attribution from the FBI on this one.

Looking at TTPs (Tools, Tactics, and Procedures) only in order to derive attribution is not enough. Without being to link real activities to a human actor, and follow up with a more “traditional” investigation (motivation, funding, accessibility, relationships), TTPs and other forensic evidence leaves us with a highly biased view of what’s going on. More worryingly, this view is almost entirely controlled by the real attacker, who had the time and opportunity to choose who would they like to appear as at the end of the day when the attack is discovered. Having clear documentation on TTPs for almost any major actor, with highly accessible online resources such as proxies, compromised hosts, and for-rent bots/servers, and finally throw in some foreign language references, and we have ourselves a perfectly guised threat actor.

Unless the investigation ends up with a multi-national cooperative law enforcement effort, enforced by the legal systems, and commercial capabilities, this goose chase isn’t going to end well. We can (gulp) take a hint from Microsoft’s playbook and their recent endeavors in hunting down the true sources of mass botnets and malware attacks. One can only hope…