Tag Archives: Information security

Debunking the “8200”, “81” and other #### ex-Israeli Army Intelligence myth

I’m a known and pretty vocal advocate of self learning, self starting, and inquisitive entrepreneurial spirit. As such, I’ve witnessed over my years in the security industry, a lot of occasions where the halo or myth surrounding some so-called “elite” units in the Israeli Army Intelligence has blinded people.
Such blindness comes from a very small percentage of people who capitalized on what used to be highly selective knowledge and experience in a narrow field of practice. But that was almost 20 years ago. Companies like Checkpoint, Nice, and Amdocs, were all started by alumni of such intelligence units, who basically applied their specific experience from the army signals intelligence unites to building firewall systems, telecom and spy/monitoring technologies.

Nowadays, the reality could not be further from this. What used to be a very specific skill-set and knowledge, is mostly open, and freely accessible to anyone with the right aptitude to pick up and master. Back in the days you had to earn your “hacker cred” in order to get access to the forums where people were sharing knowledge, today most of that “exclusive/unique” knowledge is wide open and available.

And today I ran across an article that infuriated me because of its ignorance. Enter: “The cyber labor market in Israel, the cyber guild“. In this article, the author claims, again, that the “ex-#” alumni phenomenon is filling the Israeli market and basically owning it to a point where non-guild members are shunned out. It claims that whereas information and knowledge should (or is?) open, in the guild market it matters more where you came from than what you actually know and have experience with.

I respectfully call BS on this. It’s just not the reality anymore. Yes, there is an obvious alumni network effect, but such that is just as common with other alumni organizations (think Ivy-league Universities, local schools, or any other melting-pot where people get to know one another). But the “guild” part is just wrong. It’s actually the complete opposite. After the initial success of the early founders, the “Ex-#” units basked in the glow and enjoyed a fairly long streak of alumni that only had to mention their unit’s name (or even not that – just to keep things more hush-hush) in order to nail a high-paying job. However, with such high expectations, the failures became more apparent. And then the realization – that 8200, which is the largest unit (people-wise) in the Army, does not actually employ thousands of talented programmers and hackers. That a huge percentage of it are grunt workers, pushing papers, poring over analyst reports, and operating the collection and dissemination processes and technologies. Glorified IT support in most cases. And with that, the sham evolved. The “friend brings friend” system worked most of the time when the initial friend was one of the actually few talented alumni, who brought their few talented friends. The rest ended up blowing the bubble out of proportion, and infusing the industry with the glorified IT technicians. And the industry balked fairly quickly. I have personally witnessed companies hurting and buckling under the cost of incompetent alumni recruitment, and eventually realize their mistake and quietly ditch those. I have personally interviewed tens (if not hundreds) of people, and very quickly realized (again – after making a few trust mistakes myself) that my gut feeling and personal assessment of ones personality is more consistent than their alleged history in a “famous” unit.

I have personally mentored extremely talented people who had to fight for their place, had to learn programming languages and platforms, gain their experience in the real world, and become some of the more sought after talents out there. At the same time I’ve seen the “ex-#” alumni stagnate at dead-end jobs because they could not scale beyond their alleged field of expertise. The market is highly capitalistic out there. It won’t tolerate too much of the halo effect, and albeit huge efforts in fueling that effect through several alumni organizations, and alumnus in executive positions, this doesn’t really hold. If you are looking for innovation and “thinking outside the box” maybe try to look for people who have not been indoctrinated in a very strict environment to perform a very narrow task. Look for people with broad experience, from different paths of life, who share core traits – curiosity, innovation, drive, and the ability to say “I don’t know”. That’s how the modern market operates. There is no guild. And if you are led to believe so – try to see who/what is it that gave you that impression. You’ll be quick to learn that it is mostly self-serving marketing created to favor the less talented who need to rely on riding the coattails of the successful few. Who by the way – were mostly self-taught and would have made it without having the “ex-#” experience 😉

ISTS12 Keynote and Red Team

I’ve had the pleasure and the honor to keynote this year’s ISTS (Information Security Talent Search) that ran at the Rochester Institute of Technology (RIT). Additionally I was also fortunate to get a seat with the Red Team during the event itself and work closely with some of my friends and colleagues.

It has been a while since I had the chance to work with students (mostly with my Alma Mater from the IDC during freshmen orientation, and the “CS for Real” series for CS students). And I honestly didn’t know how to address this initially. Thankfully, Jared and the ISTS team were pretty open to my suggestion of combining a “here’s how I got here” rant with some technical examples of challenges and engagements.

The keynote wasn’t recorded (thankfully?) but here are the slides that were used as the backdrop for it. I ended up coming back with some insights from the keynote (as I usually try not just to provide information, but also learn new things), and thanks to some awesome questions from the audience (students, red teamers, and apparently faculty which I haven’t realized were also there…) it ended up a really great session for me!

The next day was spent with the red team, which was a great opportunity to catch up on some skills that I left behind (always pick the task that you are less familiar with!), and really kick some ass with the team. Chris Gates has written a great wrap-up blog on it here: http://carnal0wnage.attackresearch.com/2015/03/ists12-thoughts-notes-feedback.html

Really looking forward to working more closely with people who are just starting their way in the industry – if the feedback doesn’t lie, it seemed to be somewhat beneficial to them, and from a completely selfish perspective, I had a chance to learn a few things myself too!

Honest review – CSI:Cyber

There seems to be a lot of chatter (at least on my highly biased Twitter and Facebook feeds) about how terrible of a show CSI:Cyber was. People seem to be extremely concerned about the fact that the show did not portray all the hacking related activities (cyber, infosec, whatever you want to call it) precisely as it is in real life. So here’s my take at it.

First – I’m not talking about the overall quality of the show. I’m not a TV critic, and I’m not going to go into the casting choices, the bad acting, the hollow and predictable script or any of the cinematographic elements. Let’s just focus for a second on what irks people the most – cyber.

So let’s talk about some (again some!) of the technical elements that show up there:

1. Hacking into baby cameras. Totally true. http://www.cnet.com/news/hacker-shouts-at-baby-through-baby-monitor/

2. Social media being a major source for intelligence. Been using it for a decade now through red teaming. Actually joined a social risk management company as it’s that big of an issue. (www.zerofox.com)

3. Social engineering – micro expressions, cold reading, etc. Legit. Again – red teaming. We even teach it on our red team classes.

4. The camera ball used to survey a site before entering it. http://bounceimaging.com/

5. Usage of malware (RAT) to spy on people. Welcome to the last 17 years of my professional career. And yes – you can buy this on the “surface web” (WTF – can’t you just say Internet?). Blackshades used to go for about $40-$50 a pop as far as I recall (and no, not going to do the homework for you and link to a live site that sells this. Google it.).

6. Companies that release products with known flaws in them? Yeah, you are probably reading this from one of those. Welcome to reality, where business decisions trump technical purity and security. Companies want to make money. Fast. If fixing all the flaws found in the software or hardware will keep them from making money, guess what – they will prioritize these to a point where they can get $ in the bank.

And yes – there where some highly amusing things where the artistic license was taken very liberally. Malware showing up in the code as red letters (vs. the traditional green on black). Fingerprints taken from a scene of a crime using an “Expensify” like app – quick snap of the phone’s camera, and within seconds you got a match with full profile and mug. Tracking every IP address to a physical location and swatting it within minutes. A teenager that needed help on a console game from a 30-something year old FBI agent. Having an online bidding that consists of basically a conference call conducted in multiple languages (nobody has time for this – it’s all going to be done through IM’ing, and on dedicated forums). And the list goes on… no regard to the judicial process, medical examinations that are beyond absurd, taking an hour to drive from DC to Baltimore, but from Baltimore to upstate New York in minutes just to get to the drowning car so that the baby can be saved.

Am I hearing my lawyer friends going crazy on the lack of judicial process? About the deal that put a convicted felon to work closely with the FBI? (they are having hard time finding good people because they smoked pot FFS)? Nope. You know why? BECAUSE IT’S TELEVISION.

It’s not a documentary.

If it would be, 90% of the show would be someone staring at a debugger on a screen, drinking coffee, eating junk food, and cursing. And then writing a report. I’m sure that’s a blockbuster – call in the writers.

So ease off. Be thankful that this isn’t another Scorpion, and that there are enough elements in the script based on reality, kick back, take a load off and watch your entertainment on TV. If you want more accuracy – feel free to watch the hundreds of videos from conferences like BlackHat, Defcon, Derbycon, etc. You’ll get educated. Can’t promise anything about entertained though 😉

Oh. here’s a bonus for you if you thought that the image above was cool – my desk is much simpler 😛2015-03-05 10.43.43

 

So, There’s this new (for me) LinkedIn “publishing” thing, that prompted me to try it as I was posting a semi-rant there.

Let’s see how well that works out:

https://www.linkedin.com/today/post/article/20140531211959-1510435-security-and-maturity-beating-the-averages?trk=prof-post

Getting things right goes a long way when you are bleeding

I’m starting to see a trend here with the weekend posts. I can stomach most of the FUD during the work days, but things get to me through the weekend. Oh well. There goes a “mandatory” heartbleed post:

Yes, it’s a bad one. No it’s not the worst one. And no – the sky isn’t falling, and the Internet isn’t about to go away.

Heartbleed was one of the most media driven (and ready) bugs in a few years. Logo, website, clear message, and two XKCD strips. The last of which is probably the best explanation to laypersons of what it’s all about.

And did the media catch up on it. Oh yeah… The usual naysayers, FUD-spreading evangelists had their 3.5 minutes of fame. And everyone started recommending that users immediately change their password.

Or maybe not. No! Wait until the site fixes their SSL implementation. Or yes? Ummm, what to do?… That’s where things get interesting.

The real issue here is this: sites affected by heartbleed could potentially be leaking information. And by leaking I mean that anyone with intimate knowledge of the bug could have been, in the past two years, pulling data from those sites. That includes session information, usernames, passwords, and even the private keys used to secure said SSL connections.

Which means that if you think that you were targeted by someone in the past two years, or that your information could have meant something to someone in the past two years with the capability to snoop on those credentials, yes, you should probably do something about it. BUT, and it’s a bug but (yeah, yeah, yeah), you need to remember that it’s not as simple as checking that the website in question has applied the fix. Not even close. If (and again – IF) you believe you need to change your password, you also need to remember that whoever had the knowledge and capability to syphon all that information, was pretty certainly also stealing the server private keys. Initially pundits were skeptical that private encryption keys would be compromised through heartbleed. But as always – if it’s hackable, it will be hacked, and the proof came in pretty quickly.

So yes, there are online tools that will allow you to check whether a certain site had the issue fixed. But these aren’t enough, as you would need to verify somehow (and that’s not easy) that the site also generated a new private encryption key, and got a new server certificate to go with it in to be used AFTER patching the SSL implementation.

Tricky, isn’t it? Yeah, welcome to security…

Anyways – don’t just blatantly go updating your passwords nilly-nelly. First figure whether you really need to, then consider the entire picture: were you exposed just during the time from when heartbleed was announced until the site was fixed? are you concerned about three-letter-agencies that had knowledge of heartbleed and were dumping gigabytes of server RAM so they can get everyone’s data? Then figure whether that site’s private keys and certificates were updated. Then act.

Good luck with that. I’ll leave you with a bleeding heart punch so you won’t need to see that logo AGAIN on a security blog 😛