Ambulance chasing or DNA research?

I am fortunate enough that some of the new topics that I have discussed lately have generated interest in the community and the industry. As such, there are obviously voices that do not agree with the approach (I still like to call it SexyDefense, although the more adult part of me agreed to SDES – Strategic Defense Execution Standard).

More pointedly – there is the argument of “what would an offensive player know about defense”, and “defense is hard, we’ve done it [for our customers] forever, and people are fairly happy”. I’d like to tackle these two head on:
Yes, I’m mostly an offensive security person. I cannot deny my passion for Red-Teaming (heck – I’m good at it, and I enjoy it. Deal with it), nor my past research on finding issues with systems and organizations. Nevertheless, as we all know – practicing offensive security is done in order to boost defenses. Its main role is to find flaws in the defensive mechanisms and then amend them. Here comes the tricky part – amending them is also something that I do. I know, a shocker! But fortunately I’ve had a chance to work not only with small businesses, enterprises, and F-100 companies, but also with nation states and multi-national organizations… So yes – I know how hard defense is, and I have also practiced it and can say that I actually enjoyed it – especially since I was able to “sign off” on some great improvements in the defensive posture of such organizations. Last but not least – guess what happens after a Red-Team engagement is over? Right – a long, hard look at the systematic failures and vulnerabilities of the organization. And how to fix them, and how to prepare for another attack such as the one that the red-team simulated. (reality reminder – red-team is essentially adversarial modeling – probably the only true test of what an ACTUAL attack is going to look like on your organization. And guess what? It doesn’t look like a Nessus scan or a Metasploit autopwn…).

Second – yes, defense is hard. And this “newfangled” approach is something that has not only been tested in the real world, but it also makes sense <gasp>. Our old approaches of detection and “prevention”, using the same old tools (read: Anti-Virus, Firewall, Intrusion Detection/Prevention, DLP, and what-not) are not working. Let me say that again:

It’s not working!

Why? Simply – we keep chasing our tails with the same old issues. We are really good at Incident Response (some of us are making a nice chunk of money off it), but we really suck at actually improving the security posture over time. Hence my reference to ambulance chasing (i.e. incident response), vs. DNA research (actually changing the defensive strategy and posture to cut the number of incidents).

Personally – I have enjoyed some really tricky incident response engagements that challenged me and my customers (and sometimes led to the satisfying “gotcha” moment when coordinated with LE). Nevertheless, organizations do not really learn from such incidents. They have a short memory span, and get back to their old “look at the blinky lights on the firewall appliance” approach. However, changing the DNA is something waaay more interesting and rewarding. And that’s what we are trying to do here folks…

So – are you going to stay an ambulance chaser and keep rejecting the idea that your revenue stream may be affected if organizations take defensive security more seriously, or are you going to help the change and actually make an impact?

Vegas 2012 by the Numbers

So, I’m finally back from a very long week in Vegas. How long, you ask? Well, here are some numbers that start to reflect how it felt:

  • Number of days in Vegas: 6+1 (un-planned extra day due to a missed flight)
  • Number of conferences attended: 3.5 (BlackHat, BSidesLV, Defcon, and IOAsis counts as a 1/2 con…)
  • Number of talks given: 2 (in the same day… BlackHat + BSidesLV)
  • Number of shipments to my room at Caesars: 3 (shirts, phone, and locks which ended up unused due to my failure to run the lockpick sessions at IOAsis :-( )
  • Volunteer gigs: 2 (BSidesLV and Skytalks)
  • Average hours of sleep per night: 3 (and that’s really stretching it)
  • Number of nights I went to sleep after sunrise: 2
  • Average number of parties visited per night: 3 (Freakshow skewed the numbers as there was NO reason to leave that place…)
  • No. of phones I came in with: 1
  • No. of phones I left with: 3 (Thank you NinjaTel!)
  • Average no. of meals per day: 1 (I know… but Alcohol does not count as food unfortunately)
  • Gallons of booze consumed: probably illegal in some states.
  • No. of friends I caught up with: not enough. And the ones I did manage to catch up with needed much more time :-(
  • Hangovers: 0 (keep drinking -> no hangover to deal with…)
  • Workouts: 2
  • Miles walked: waaaaay too many
  • Weight lost/gain: 3.5lbs lost. Guess that’s the result of adrenaline rushes, parties, Infected Mushroom, long walks in the hallways, not much food, and lots of alcohol.

Overall this was personally the best Vegas trip I’ve had. I did take on a little more than I should have (as a couple of friends duly noted, and excused me for some fuckups due to that), and I wanted to meet so many more people that I somehow managed to miss this year.

Nevertheless, some of the experiences were priceless – like having a chat with Infected Mushroom and finding out that Erez used to run a BBS back in the day, and that (although I don’t like to mention my darker days of hacking) we “knew” the same scenes. Having the opportunity to help out with BSidesLV and being amazed again by our community and what it can achieve. Being inspired by so many people, and learning constantly. These are the things that really make up the week of BlackHat/BSides/Defcon for me. It’s not necessarily the talks, but the socializing and the opportunity to pick people’s brains on a personal basis that makes it worthwhile to reach the levels of exhaustion that this week takes you to.

Guess it’s time to wrap up and figure out what timezone my body is on…

This one time, at Defcon… (a blast from the past)

Wow, there’s a blog here…

Lucky for me there are other people who write new content that somehow relates to this blog so I have a chance to point to them and say “cool stuff, look there!”.

My good friend Itzik Kotler has just written a blog post about bypassing DLP systems using some of our elements from last year’s DefCon talk (and BSides, and Hashdays, and Brucon, you get the idea…). It features some awkwardly written code (yours truly) and some wickedly useful evasion techniques (still mostly unhandled :-) ).

The post is right here: http://blog.ikotler.org/2012/07/modulation-and-data-loss-prevention-dlp.html so go check out Itzik’s blog, and feel free to fork off the code and improve (fix?) it.

See you all in a couple of weeks in Vegas! (at the SexyDefense session…)

SexyDefense comes to Vegas!

One of the best things that probably happened to the research on SexyDefense is that it has been accepted to BlackHat Briefings in Las Vegas!

It is truly one of the highest indicators for me that we are on the right track in making some change in the defensive paradigm, especially in light of the newly added defense track for BlackHat. An opportunity to capture the attention of a large and high-visibility audience while putting a harsh mirror in their faces is something that I have been looking forward to doing for some time.

So there you go – Vegas this year is shaping up to be really interesting. With BSidesLV (in which I’m also involved as a volunteer and mentor) running alongside BlackHat, and the 20th DefCon, you really can’t miss it.

See you all there!

Sexy Defense

So, Source Boston proved to be a great venue for the inauguration of the Sexy Defense paper and talk that I was working on recently. Had a great time both developing the concepts, as well as discussing them before, on stage, and especially after the talk.

I really was amazed by the great feedback that people had to this, especially from some of my more respected peers. It’s always a great feeling to get an “attaboy” from people you consider experts in their fields.

For convenience, here is the slide-deck I used during the talk. Would love to get more feedback and ideas for pushing this forward into more organizations, and to hear about ways to improve both on the strategy itself, as well as on how to “sell” it, or get organizational “buy-in” internally.

Last but not least – this could not have been done without the support and the peer-review from some of my friends and colleagues: Chris Nickerson, Brian Honan, Chris John Riley, Wim Remes, and Leon van der Eijk. Thanks for going through this and providing excellent commentary and insights!

Update: Dark Reading has posted a great article by Robert Lemos covering the topic, with a really insightful analysis and additional views.

March – April Events

After a quiet start to the year (and keeping up with my promise to try and cut down on travel) we are fast approaching exciting times. March will have a couple of great events I’m really looking forward to, and April packs a really great conference and training. So, without further ado:

DC9723 kicking off 2012 – March 13th

We’ve been having some issues in the local DCG with a venue, and after 3 months of delayed meetups we have finally settled into what looks like a fantastic venue. It’s called “The Library”, and true to its name it is one of the public libraries in Tel-Aviv. Renovated, and retrofitted to accommodate a shared workspace for entrepreneurs and small startups, it overlooks one of the more beautiful views of the Tel-Aviv coastline, and is located at the heart of the city – right next to tons of bars and hangouts.

Furthermore, for this inauguration meetup for 2012, we are proud to host Brad Templeton of Singularity University. I’m guessing it’s mostly kismet/karma that brought us together, but it couldn’t have been a more fitting match for this meetup. To complement Brad’s talk and discussion, we’ll have a great friend of mine – Keren Elazari who will discuss the past, present and future of the CyberPunk culture. Really can’t wait for this one to happen.

Link to The Library’s meetup for registration and more information.

Hackcon – March 26th-29th

One of the cons that has been on my “hit-list” for a while. Having been recommended it by close friends who already spoke there, I will be heading to lovely Oslo for the aptly named HackCon (yeah, I know… Oslo in March may not be _that_ lovely, but…).

With a great speaker lineup, and a website that absolutely refuses to be in English (google translate mandatory as my Norwegian is a bit rusty), this one is shaping up to be an experience!

Link to the program (which fortunately is mostly in English :-) )

Source Boston (Training + Conference) April 16th-19th

What can I say about Source? One of my personal favorites, with a personal “track record” of a couple of Barcelonas and soon to be a couple of Bostons. Fantastic attendance and audience, great speaker lineup, content that mixes business and technology like a fine cocktail. And this year is even more special, as I am fortunate enough to be able to bring our Red Team Training to Boston. Chris Nickerson and I have already run this once in Colombia last year, and the results are still resonating through Cali :-) . We got some great feedback from both business and technical people who attended the one-day workshop in Cali, and will be bringing an even bigger, even better 2-day training session to Boston.

Expect a hands-on, no-bullshit couple of days. Expect to be able to pick locks (EVERYONE who is in our class will end up picking at least a 4-pin lock), gather intelligence, social engineer, build threat models, understand surveillance and counter-surveillance, and much more. Expect this not to be just a dull “click-click-click” classroom session. Do not expect us to be gentle on you – the people who attack your company won’t be either. Ready to take the plunge and move up from pentesting to the real-thing? Go register: http://www.sourceconference.com/boston/training.asp

And after having “fun” with friends (don’t ask what happens when I get to spend more than 10 minutes with Nickerson…), it will be off to the conference itself. Another rock-star lineup, from Dan Geer to Michelle Klinger, from Ally Miller to Chris Gates and Zack Lanier, and many more that I apologize in advance for missing here. This is the ultimate AppSec-Tech-Business throw-down on the East Coast.

Full schedule is here.

Hackers, Credit Cards, and the Media

In the past couple of weeks there has been an interesting “hacking” trend going on in Israel. It started with the publication of a few thousand credit card records (out of an alleged 400,000). It continued with the publication of “SCADA” systems with default credentials, and a handful of gov.il email addresses and passwords, and more recently with the DDoS on the public sites of the Tel-Aviv Stock Exchange and ElAl Airlines.

We call these events “hacking” (in quotes) on purpose. What follows is a basic analysis of what has been done, some impact analysis, and an outlook for the continuation of such events and their escalation.

Analysis of past events

First things first – the credit card leak that started it all wasn’t real news. All the records pertain to older attacks on some poorly secured internet merchants (mostly coupon deals) which stored credit card records (illegal) in an insecure way (malpractice). The “news” about the leak was the aggregation of these records, and their publication in a media context of “Cyberwar against Israel”. What made this fairly insignificant event newsworthy was… the news. The media attention thrown on it was unprecedented, and the number of “cyber consultants” (I’m not making this up) who provided content-less interviews gave the impression that the infosec industry in Israel is 10 times bigger than it really is.

For the person/s (0xOmar) who published the regurgitated information this was pure win – exactly what they were looking for. It would have ended there, had two things not happened:

  • Danny Ayalon – the vice-minister of foreign affairs – was quoted saying that this attack should be regarded as an act of terror
  • Several groups of script kiddies from Israel started working on a vengeance against Saudi credit card holders.

Both actions are regarded as knee-jerk responses, and there is no way to look at them in any productive terms (strategic or tactical). Nevertheless, the combination of said actions and the continued excessive media coverage basically led the way to an escalation in the activities.

The next action, although not a real escalation yet, showed how 0xOmar essentially turned into a brand much like Anonymous, when information on alleged Israeli “SCADA” system logins and gov.il email addresses was made public. This leak, now not directly associated with 0xOmar, turned the attention of some Anonymous twitter accounts into supporting the newly tagged “#fuckIsrael” activities.

When looking at the “SCADA” leak, it is easy to see that none of the systems quoted are actually SCADA related; they are mostly content management systems, some wireless routers installed at residential locations, and a car booking system. The email addresses and passwords (and hashes) are all from the STRATFOR leak which happened a couple of weeks beforehand (and even there it didn’t contain the hundreds of really interesting Israeli-related entries).

Nevertheless – media attention was at full force, and the attempts to “out” who 0xOmar is only fueled the ego behind the alias more. Combined with the newfound attention from the Anonymous brand as well, additional groups started to join the party, and the last escalation in activities showed for the first time an actual activity against Israeli-associated facilities – the DDoS on the stock exchange and ElAl’s websites. Again – the choice of targets is not coincidental: both sites are well known and are strongly associated with Israel in media around the world (financial, and the national airline). These are not strategic targets of a classic “cyberwar” but more of a “media-war”.

This latest attack, while inflicting minimal (if any) damage to the targets, should raise a lot of hard questions for the relevant CISOs who failed to recognize the threat communities they are facing (especially in light of the media attention), and the defenses put in place to greet such communities. Additionally, mitigation tactics for such attacks have been out there for quite a while, and even a simple CDN solution would have easily coped with them.

Escalation and Triggers

The escalation has already started from the attacking side. We see more groups that were previously unassociated with 0xOmar join the game – especially now that it has been expanded to include more media support from some anon factions. These groups widen the threat communities that are now part of the threat model which Israeli organizations have to deal with, along with their associated threat capabilities.

We expect that the attacks will continue – especially if media coverage of this continues to be provided in prime-time. Additionally, groups that are currently in a holding pattern on whether to join the action will be more keen to do so if a direct retaliation is launched from the Israeli side. Such a retaliation could be additional attempts to “out” 0xOmar using diplomatic ties, attacks on hacker forums associated with the recent activities, or anything that would be portrayed as a violation of rights in international eyes.

An escalation in the attacks would mean that additional groups, who also bring additional capabilities to the table, would be able to launch much more targeted attacks against more strategic targets. Where the attacks so far have focused on media value, further attacks would escalate to (in order): financials, defense contractors, government, and finally high-value individuals.

We hope that this analysis sheds some light on the motivations and the actual impact of the recent events, and helps prevent any escalation – in the response from the local hacking groups, from the media, and from the assorted groups that were ad-hoc strung together to form this chain of events.