Tag Archives: hacking

Seeing RED in your future? – Recap from DerbyCon 3.0

Yes, I know, It’s been a while since I updated anything here. Work, life, etc…

yin and yang

So here’s a quick update/recap on some of the latest: SecurityZone 2013 was an excellent experience. Always great to get back to Cali to meet who are now friends rather than just colleagues and conference organizers. I delivered the keynote there, where it was fun getting feedback for stating out-loud some of the things that we all (should) realize, which is our reliance on products is hurting us.

And this week was DerbyCon. Can’t stress enough how much fun it is to run the Red Team Training class with my best friend Chris, and the kind of feedback (and learning) we have a chance to get.

Speaking of DerbyCon – OMG what a conference! It’s just amazing what a small crew of dedicated individuals can come up with in such a short period of time. If you’d ask me for how long this con has been running I’d say at least 8-9 years. And this one was just the third iteration. Everything from the volunteer crew, through the hotel staff (major kudos to the Hyatt for taking DerbyCon on, and “working” with us – going well above just accommodating a conference venue).

My talk at DerbyCon focused on the “receiving end” of a red-team, which articulates what an organization should do in order to thoroughly prepare for such an engagement, and maximize the impact from it and the returns in the form of improving the organizational efficiency and security posture. Had a lot of great feedback on it, and some excellent conversations with people who have been struggling to get to that “buy-in” point in their organizations. Really hoped that I managed to help a bit in figuring out how to more accurately convey the advantages and ROI of such an engagement to the different internal groups.

Following are the video and slides. Have fun!

Do as I say, not as I do. RSA, Bit9, Adobe, and others…

So you thought you had everything nailed down. You might have even gone past the “best practice” (which would have driven you to compliance, and your security to the gutter), and focused on protecting your assets by applying the right controls in a risk-focused way.

You had your processes, technologies, and logs all figured out.

But you still got owned. Want to know why? Because you are still a little naïve.

You put your trust in big name vendors that preached for you to get your stuff together. You listened to them, were convinced by their pitch, and you might have even put their products through rigorous testing to make sure they deliver. But you forgot one thing. Big ticket vendors are no much different from a zealot church.

They will preach, and guide you through to the righteous passage. But when you look behind the curtain, well, you know what I mean…

The latest Bit9 compromise isn’t that surprising. Bit9’s customers are obviously very security aware as they opted to use a whitelisting product to protect their computing assets. As such, these customers are most probably high value targets to adversaries. It also means that with such an awareness to security, these customers probably have more measures and practices to mitigate and protect themselves from attackers. That means, that if I were to scope such a target for an attack, I would have focused on supply chain elements that were weaker than the target itself (much like the way we teach at out Red-Team Testing classes…).

RSA was such a target. Adobe is a similar one. Bit9 just was for some of its customers.

Color me surprised.

And yes – if you are a vendor that gloats over the latest compromise – please don’t. If you haven’t gone through a similar threat model your products are either not good enough (hence your customers aren’t high value targets. How does that make you feel now?), or your own security isn’t up to speed and you haven’t realized you have been breached yet. Now go clean your own mess.

If you are a security consumer (hence – care a bit more for your information than just getting compliant and tabling it), make sure not to make any assumptions about your providers. Especially about your providers. They aren’t the target. You are. As such, they are the vehicle, and they have a more generalized security practice than yours. Account for it in your security strategy, and never fully trust anything outside of your control span. It is your responsibility to hold them to at least their own standard, and demand oversight and proof that they do so.

Phishing/Threatening done wrong

It’s been a long time since I posted here since life and work really got in the way (in a very good way!) to publishing here. But I just had to share this as it has some relevance to security…

So, woke up this morning to an email claiming to be from FARC (yes – the Colombian militant underground rebel thingy).
In preparation to our visit to Colombia next week, they welcome us “experts” and expect us to cooperate with them and help them. Something about being passed a note with a phone number when going through immigration, and calling them to coordinate a meeting. Sprinkled with a little threat that if we choose to ignore it, we are considered cooperating and supporting of the government and as such we are a target.

Now, I won’t go through all the mistakes, but seriously?

First – using a stupid “fake mailer” domain to send it (emkei.cz), is just very low.

Second – the attached PDF has no exploits, no trojans, nothing. At least TRY to humor me.

Last – come on, all of the speakers are “foreign”. None of us really speaks/reads spanish that well. Putting a note “Whether you need translation go google” at the top isn’t really showing a lot of investment from your end. The least you could do is get someone who speaks English to help you a bit.

I mean – this is what I do for a living. Next time – ping me before so we can at least get a decent domain, set up a nice mail service on it, get some content on it, generate some plausible background data, something…
Although we won’t have the red-team class next week, I highly suggest whoever tried this to spring up the money and fly to The Hague for the NCSC  Conference in January for our red-team class.
I personally promise free drinks from Chris Nickerson and myself if you can prove that you sent the email. And you know what – the class is on me. Just show up! 🙂
Here’s the PDF if you are so inclined to have a laugh: Invitacion_FARC-EP
Update – December 1st, 2012: The Colombia National Police and Ministry of Defense have issued a letter stating that after investigating the issue, and working with the intelligence group, they have reached the same conclusion – this is NOT a letter that FARC has produced (duh – FARC would have done a much better job!), and is a fake. There is obviously no risk to the recipients of the letter. See you all in Colombia in a couple of days!
Update – December 10th, 2012: Well, we obviously made it back. No one handing any of us a piece of paper at the airport (and I’ve been through two, and trust me I tried ;-)). No one threatening, or suggesting we should work for them (other than a great business dinner we had). Overall, this is the stuff that hoaxes and prejudice are made of. I guess that for laypersons this would be a big deterrent to showing up in a country that had its name smeared as much over a long time. For someone who has already experienced Colombia and knows something about security – not so much.
Just as an anecdote – attaching the letter that the national police has sent the organizers following the threat.
Oh, by the way – no one owned up to sending the letter so far, our invitation is still open for the Red-Team Training in January. You guys really need it, so here’s our community outreach to help out 🙂

Vegas 2012 by the Numbers

So, I’m finally back from a very long week in Vegas. How long you ask? well, here are some numbers that start to reflect how it felt:

  • Number of days in Vegas: 6+1 (un-planned extra day due to a missed flight)
  • Number of conferences attended: 3.5 (BlackHat, BSidesLV, Defcon, and IOAsis counts as a 1/2 con…)
  • Number of talks given: 2 (in the same day… BlackHat + BSidesLV)
  • Number of shipments to my room at Caesars: 3 (shirts, phone, and locks which ended up unused due to my failure to run the lockpick sessions at IOAsis 🙁 )
  • Volunteer gigs: 2 (BSidesLV and Skytalks)
  • Average hours of sleep per night: 3 (and that’s really stretching it)
  • Number of nights I went to sleep after sunrise: 2
  • Average number of parties visited per night: 3 (Freakshow skewed the numbers as there was NO reason to leave that place…)
  • No. of phones I came in with: 1
  • No. of phones I left with: 3 (Thank you NinjaTel!)
  • Average no. of meals per day: 1 (I know… but Alcohol does not count as food unfortunately)
  • Gallons of booze consumed: probably illegal in some states.
  • No of friends I caught up with: not enough. And the ones I did manage to catch up with needed much more time 🙁
  • Hangovers: 0 (keep drinking -> no hangover to deal with…)
  • Workouts: 2
  • Miles walked: waaaaay too many
  • Weight lost/gain: 3.5lbs lost. Guess that’s the result of adrenaline rushes, parties, Infected Mushroom, long walks in the hallways, not much food, and lots of alcohol.

Overall this was personally the best Vegas trip I’ve had. I did take up a little too much on myself that I should have (as a couple fo friends duly noted, and excused me for some fuckups due to that), and I wanted to meet so many more people that I managed to somehow miss this year.

Nevertheless, some of the experiences were priceless – like having a chat with Infected Mushroom and finding out that Erez used to run a BBS back in the days, and that (although I don’t like to mention my darker days of hacking) we “knew” the same scenes. Having the opportunity to help out with BSidesLV and being amazed again by our community and what it can achieve. Being inspired by so many people, and learning constantly. These are the things that really make up the week of BlackHat/BSides/Defcon for me. It’s not necessarily the talks, but the socializing and the opportunity to pick people’s brains on a personal basis which makes it worthwhile to get to the levels of exhaustion that this week takes you to.

Guess it’s time to wrap up and figure out what timezone my body is on…

This one time, at Defcon… (a blast from the past)

Wow, there’s a blog here…

Lucky for me there are other people who write new content that somehow relates to this blog so I have a chance to point to them and say “cool stuff, look there!”.

My good friend Itzik Kotler has just written a blog post about bypassing DLP systems using some of our elements from last year’s DefCon talk (and BSides, and Hashdays, and Brucon, you get the idea…). It features some awkwardly written code (yours truly) and some wickedly useful evasion techniques (still mostly unhandled :-)).

The post is right here: http://blog.ikotler.org/2012/07/modulation-and-data-loss-prevention-dlp.html so go check out Itzik’s blog, and feel free to fork off the code and improve (fix?) it.

See you all in a couple of weeks in Vegas! (at the SexyDefense session…)