Tag Archives: security

Breaking news: Spy agencies are spying!

Please say it ain’t so! Spy agencies are spying?

I’m actually going to go out on a limb here and present my (again – MY) opinion, which might be seen as complicated by people with very deterministic views (or who are being spoon-fed said views through the media of their choice).

First – I think that the Der Spiegel article that covers the “latest” NSA spying capabilities (http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html) is very important, and I applaud Jake and the crew that covered this. If you haven’t yet, go read it and go over the slides. Also make sure to read through the “product catalog” here: http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

So you are back? Great! That being said, I do think that spy agencies should continue spying. BLAM! And yes, it makes total sense to me. Because I do think that spy agencies should keep spying in order to keep their corresponding nations safe. It’s all about the tradecraft and trying to keep a step ahead of your potential enemies.

Yes, that WILL entail walking (and falling over) a very fine line between legal implications and privacy. It means that, as always, agencies will spy on foreign nationals AND citizens. Because yes – terrorists and adversaries do not have boundaries that are defined by the color of your passport. And as opposed to Jake’s claim in his CCC talk, “carpet bombing” is a totally legitimate way to collect and analyze data. I’m not saying that it’s nice, or legal, or ethical, but it’s effective. It’s up to the agency using this technique to justify and qualify what they do. And yes – keep it quiet – precisely because of the delicate nature of such collection.

Now, back to the data. Yes – agencies (and I’m not picking on the NSA here, these kinds of capabilities exist with lots of other agencies), have these kinds of capabilities to wiretap, modify, exploit and persist on a lot of kinds of accounts and systems. It’s what they are tasked with doing. That’s not even news. But I think that the fact that this comes up again is critical because of something completely different: OPSEC. Operational Security.

The NSA has fallen (again) to the oldest sin of spying – getting cocky. You can see the same behavior from anyone who’s picking up a new capability – be it a script kiddie picking up Metasploit for the first time, someone getting to be decent at martial arts, or any other skill. They get cocky. And think they are unbeatable. And that’s when mistakes start to show up. Basic OPSEC. And I believe that this is an important lesson to learn. Again. Because OPSEC is not a compliance thing that you check off once and forget about. It’s a basic practice that (should be) taught to everyone that participates in tradecraft. And practiced. And apparently the NSA isn’t that great at it (surprise!). Hence their PowerPoint slides are all over the Internet now.

So that’s my little 2c on the topic. Yes – I support spy agencies’ continued practice, and yes – I support anonymity and privacy, and yes – I support the law and the need to keep improving it. I support the creation of free and open source software designed to enhance your anonymity and privacy. I have actually met Jacob a couple of times (and found it funny that he’s freaking out every time we do meet), and actually think he’s a great guy. Same for Moxie. Complicated? I mentioned it at the beginning. So there you have it. Deal with it.

Now go watch Jake’s talk from CCC. You have to. Because I said so. And for crying out loud – get your OPSEC together.

Seeing RED in your future? – Recap from DerbyCon 3.0

Yes, I know, it’s been a while since I updated anything here. Work, life, etc…


So here’s a quick update/recap on some of the latest: SecurityZone 2013 was an excellent experience. Always great to get back to Cali to meet people who are now friends rather than just colleagues and conference organizers. I delivered the keynote there, where it was fun getting feedback for stating out loud some of the things that we all (should) realize, which is that our reliance on products is hurting us.

And this week was DerbyCon. Can’t stress enough how much fun it is to run the Red Team Training class with my best friend Chris, and the kind of feedback (and learning) we have a chance to get.

Speaking of DerbyCon – OMG what a conference! It’s just amazing what a small crew of dedicated individuals can come up with in such a short period of time. If you’d asked me how long this con has been running I’d have said at least 8-9 years. And this one was just the third iteration. Everything was great, from the volunteer crew through to the hotel staff (major kudos to the Hyatt for taking DerbyCon on, and “working” with us – going well above just accommodating a conference venue).

My talk at DerbyCon focused on the “receiving end” of a red team, which articulates what an organization should do in order to thoroughly prepare for such an engagement, and maximize the impact from it and the returns in the form of improving the organizational efficiency and security posture. Had a lot of great feedback on it, and some excellent conversations with people who have been struggling to get to that “buy-in” point in their organizations. I really hope that I managed to help a bit in figuring out how to more accurately convey the advantages and ROI of such an engagement to the different internal groups.

Following are the video and slides. Have fun!

Do as I say, not as I do. RSA, Bit9, Adobe, and others…

So you thought you had everything nailed down. You might have even gone past the “best practice” (which would have driven you to compliance, and your security to the gutter), and focused on protecting your assets by applying the right controls in a risk-focused way.

You had your processes, technologies, and logs all figured out.

But you still got owned. Want to know why? Because you are still a little naïve.

You put your trust in big name vendors that preached for you to get your stuff together. You listened to them, were convinced by their pitch, and you might have even put their products through rigorous testing to make sure they deliver. But you forgot one thing. Big ticket vendors are not much different from a zealot church.

They will preach, and guide you through to the righteous passage. But when you look behind the curtain, well, you know what I mean…

The latest Bit9 compromise isn’t that surprising. Bit9’s customers are obviously very security aware, as they opted to use a whitelisting product to protect their computing assets. As such, these customers are most probably high value targets to adversaries. It also means that with such an awareness of security, these customers probably have more measures and practices to mitigate and protect themselves from attackers. That means that if I were to scope such a target for an attack, I would have focused on supply chain elements that were weaker than the target itself (much like the way we teach at our Red-Team Testing classes…).

RSA was such a target. Adobe is a similar one. Bit9 just was for some of its customers.

Color me surprised.

And yes – if you are a vendor that gloats over the latest compromise – please don’t. If you haven’t gone through a similar threat model your products are either not good enough (hence your customers aren’t high value targets. How does that make you feel now?), or your own security isn’t up to speed and you haven’t realized you have been breached yet. Now go clean your own mess.

If you are a security consumer (i.e. you care a bit more about your information than just getting compliant and tabling it), make sure not to make any assumptions about your providers. Especially about your providers. They aren’t the target. You are. As such, they are the vehicle, and they have a more generalized security practice than yours. Account for it in your security strategy, and never fully trust anything outside of your control span. It is your responsibility to hold them to at least their own standard, and demand oversight and proof that they do so.

Phishing/Threatening done wrong

It’s been a long time since I posted here, since life and work really got in the way (in a very good way!) of publishing here. But I just had to share this as it has some relevance to security…

So, woke up this morning to an email claiming to be from FARC (yes – the Colombian militant underground rebel thingy).
In preparation for our visit to Colombia next week, they welcome us “experts” and expect us to cooperate with them and help them. Something about being passed a note with a phone number when going through immigration, and calling them to coordinate a meeting. Sprinkled with a little threat that if we choose to ignore it, we are considered to be cooperating with and supporting the government, and as such we are a target.

Now, I won’t go through all the mistakes, but seriously?

First – using a stupid “fake mailer” domain to send it (emkei.cz), is just very low.

Second – the attached PDF has no exploits, no trojans, nothing. At least TRY to humor me.

Last – come on, all of the speakers are “foreign”. None of us really speaks/reads Spanish that well. Putting a note “Whether you need translation go google” at the top isn’t really showing a lot of investment from your end. The least you could do is get someone who speaks English to help you a bit.

I mean – this is what I do for a living. Next time – ping me before so we can at least get a decent domain, set up a nice mail service on it, get some content on it, generate some plausible background data, something…
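The first mistake above (a web “fake mailer” sending as someone else) is the easiest one for the recipient side to catch mechanically. Here is an added example, not from the original post, of the triage a mail gateway or analyst can run: compare the displayed From: domain with the envelope sender and the first relay in the Received: chain. The message headers, the sender address and the host names other than emkei.cz are constructed for illustration.

```python
"""Header-consistency triage for a suspected spoofed e-mail.

Flags a message whose displayed From: domain does not match either the
envelope sender (Return-Path) or the first relay host in the Received chain,
which is exactly the footprint a web fake-mailer leaves behind.
"""
import email
import re

# Constructed sample: the From: claims an invented domain, while the envelope
# sender and the first relay both point at the fake-mailer host named in the post.
SAMPLE_RAW = """\
Return-Path: <apache@emkei.cz>
Received: from emkei.cz (emkei.cz [192.0.2.10])
    by mx.example.org with ESMTP id abc123; Sat, 24 Nov 2012 09:12:00 +0000
From: "FARC-EP" <comunicaciones@invented-sender.example>
To: speakers@example.org
Subject: Invitacion
Content-Type: text/plain

Whether you need translation go google
"""

# Constructed consistent message (sender domain and relay agree) for comparison.
CLEAN_RAW = """\
Return-Path: <organizers@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.20])
    by mx.example.net with ESMTP id def456; Sat, 24 Nov 2012 10:00:00 +0000
From: "Organizers" <organizers@example.org>
To: speakers@example.net
Subject: Travel details

See you next week.
"""

def domain_of(addr):
    """Return the lowercase domain part of an address header, or None."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else None

def received_hosts(msg):
    """Hostnames in 'from <host>' position of each Received: header, top-down."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def triage(raw):
    """Return a list of human-readable findings; empty list means headers agree."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    hosts = received_hosts(msg)
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} != From domain {from_dom}")
    # The last-hop relay is the one our own MX recorded first (top of the header list).
    if hosts and from_dom and not hosts[0].endswith(from_dom):
        findings.append(f"first relay {hosts[0]} is not under From domain {from_dom}")
    return findings
```

The relay check only trusts the Received: line your own MX wrote (the first one), since any earlier ones could have been forged by the sender.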
Although we won’t have the red-team class next week, I highly suggest whoever tried this to spring up the money and fly to The Hague for the NCSC Conference in January for our red-team class.
I personally promise free drinks from Chris Nickerson and myself if you can prove that you sent the email. And you know what – the class is on me. Just show up! :-)
Here’s the PDF if you are so inclined to have a laugh: Invitacion_FARC-EP
Update – December 1st, 2012: The Colombia National Police and Ministry of Defense have issued a letter stating that after investigating the issue, and working with the intelligence group, they have reached the same conclusion – this is NOT a letter that FARC has produced (duh – FARC would have done a much better job!), and is a fake. There is obviously no risk to the recipients of the letter. See you all in Colombia in a couple of days!
Update – December 10th, 2012: Well, we obviously made it back. No one handing any of us a piece of paper at the airport (and I’ve been through two, and trust me I tried ;-)). No one threatening, or suggesting we should work for them (other than a great business dinner we had). Overall, this is the stuff that hoaxes and prejudice are made of. I guess that for laypersons this would be a big deterrent to showing up in a country that had its name smeared as much over a long time. For someone who has already experienced Colombia and knows something about security – not so much.
Just as an anecdote – attaching the letter that the national police has sent the organizers following the threat.
Oh, by the way – no one owned up to sending the letter so far, our invitation is still open for the Red-Team Training in January. You guys really need it, so here’s our community outreach to help out :-)

Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?

It was pretty obvious that after an Information Security persona such as Dave Aitel posted his “Why you shouldn’t train employees for security awareness” article, there would be a lot of flak from the industry. A lot has been said about training employees to be somewhat more savvy users when dealing with corporate equipment and data (i.e. “stop clicking shit”). And even one of my favorite and most outspoken Information Security personas had a great rebuttal on the matter – Krypt3ia’s “Throwing out the baby with the bathwater: Dave Aitel’s approach to INFOSEC”.

While I really appreciate both opinions, and while Dave’s might have been a little self-serving (aren’t all of our statements online?), I find myself in a very “Zen” place – saying, yes – you are both right, and wrong at the same time.

Krypt3ia points out that dismissing the human factor is going to lead to failures beyond what we can imagine as an industry. The reason here lies back in the fact that when we approach “Information Security” we focus too much on the “Information” part, and less on the more holistic meaning of the “Security” part. Trying to solve infosec issues through technological means is a guaranteed recipe for failure. No one, no technology, or software can account for every threat scenario possible, and this is exactly why we layer our defenses. And layering shouldn’t just be done from a network or software perspective – security layers also include access control, monitoring, tracking, analysis, and yes – human awareness. Without the human factor you are doomed. And that’s a personal promise from someone who’s been abusing the lack of layering and dismissal of such human factor for quite some time now running red-team engagements with high-profile, high-security clients (see – I can be self-serving too!).

On the other hand, Dave is also right – you can’t just throw everything on the employee and expect them to magically turn into “APT detectors” just because they clicked through some CBT program for a few minutes (or hours for that matter). You have to get the basics first, and Dave’s list is just as good as anyone else’s:

  • Audit periphery
  • Perimeter defense and monitoring
  • Isolate & protect critical data
  • Network segmentation
  • Access creep
  • Incident response
  • Strong security leadership

In no particular order, one should establish a consistent and solid implementation of all of these aspects for their organization.

Having said that, saying that employee awareness should be out of this list is where Dave went a little too far. Strong security leadership, access creep, and data protection are not technical feats by themselves. These are exactly the areas where employee awareness turns what could be useless (but very expensive) pieces of software or appliances to something that would actually work under an attack on your information assets. The point is not to _divert_ the spending on awareness, but to _combine_ them into your security strategy.

Which brings me back to my first (and only) point – stop thinking of information security as an industry of blinkenlights and snazzy software solutions. It’s about hacking, and hacking as we all know never stops at gadgets and code. Think of information security like an ATTACKER. Think about _their_ scope, and realize how your organization looks from that perspective. Now, take your budget and spend it on the areas where attackers could have compromised your informational integrity (HEY! Don’t touch that Nessus scan result! I told you to THINK goddamnit!).

And with that, I’ll leave you to your wonderful weekend before Vegas (one last self-serving statement – go check out “Sexy Defense” if you are really interested in an effective defensive strategy that goes beyond blogging and writing articles :-) ).

Happy hacking!