Tag Archives: red team

Phishing/Threatening done wrong

It’s been a long time since I posted here since life and work really got in the way (in a very good way!) to publishing here. But I just had to share this as it has some relevance to security…

So, woke up this morning to an email claiming to be from FARC (yes – the Colombian militant underground rebel thingy).
In preparation to our visit to Colombia next week, they welcome us “experts” and expect us to cooperate with them and help them. Something about being passed a note with a phone number when going through immigration, and calling them to coordinate a meeting. Sprinkled with a little threat that if we choose to ignore it, we are considered cooperating and supporting of the government and as such we are a target.

Now, I won’t go through all the mistakes, but seriously?

First – using a stupid “fake mailer” domain to send it (emkei.cz), is just very low.

Second – the attached PDF has no exploits, no trojans, nothing. At least TRY to humor me.

Last – come on, all of the speakers are “foreign”. None of us really speaks/reads spanish that well. Putting a note “Whether you need translation go google” at the top isn’t really showing a lot of investment from your end. The least you could do is get someone who speaks English to help you a bit.

I mean – this is what I do for a living. Next time – ping me before so we can at least get a decent domain, set up a nice mail service on it, get some content on it, generate some plausible background data, something…
Although we won’t have the red-team class next week, I highly suggest whoever tried this to spring up the money and fly to The Hague for the NCSC  Conference in January for our red-team class.
I personally promise free drinks from Chris Nickerson and myself if you can prove that you sent the email. And you know what – the class is on me. Just show up! 🙂
Here’s the PDF if you are so inclined to have a laugh: Invitacion_FARC-EP
Update – December 1st, 2012: The Colombia National Police and Ministry of Defense have issued a letter stating that after investigating the issue, and working with the intelligence group, they have reached the same conclusion – this is NOT a letter that FARC has produced (duh – FARC would have done a much better job!), and is a fake. There is obviously no risk to the recipients of the letter. See you all in Colombia in a couple of days!
Update – December 10th, 2012: Well, we obviously made it back. No one handing any of us a piece of paper at the airport (and I’ve been through two, and trust me I tried ;-)). No one threatening, or suggesting we should work for them (other than a great business dinner we had). Overall, this is the stuff that hoaxes and prejudice are made of. I guess that for laypersons this would be a big deterrent to showing up in a country that had its name smeared as much over a long time. For someone who has already experienced Colombia and knows something about security – not so much.
Just as an anecdote – attaching the letter that the national police has sent the organizers following the threat.
Oh, by the way – no one owned up to sending the letter so far, our invitation is still open for the Red-Team Training in January. You guys really need it, so here’s our community outreach to help out 🙂

Ambulance chasing or DNA research?

I am fortunate enough that some of the new topics that I have discusd lately have generated interest in the community and the industry. As such, there are obviously  voices that do not agree with the approach (I still like to call is SexyDefense, although the more adult part of me agreed to SDES – Strategic Defense Execution Standard).

More pointedly – there is the argument of “what would an offensive player know about defense”, and “defense is hard, we’ve done it [for our customers] forever, and people are fairly happy”. I’d like to tackle these two head on:
Yes, I’m mostly an offensive security person. I cannot deny my passion for Red-Teaming (heck – I’m good at it, and I enjoy it. Deal with it), nor my past research on finding issues with systems and organizations. Nevertheless, as we all know – practicing offensive security is done in order to boost defenses. Its main role is to find flaws in the defensive mechanisms and then amend them. Here comes the tricky part – amending them is also something that I do. I know, a shocker! But fortunately I’ve had a chance to work not only with small businesses, enterprises, and F-100 companies, but also with nation states and multi-national organizations… So yes – I know how hard defense is, and I have also practiced it and can say that I actually enjoyed it – especially since I was able to “sign off” of some great improvements in the defensive posture of such organizations. Last but not least – guess what happens after a Red-Team engagement is over? Right – a long, hard look at the systematic failures and vulnerabilities of the organization. And how to fix them, and how to prepare for another attack such as the one that the res-team simulated. (reality reminder – red-team is essentially adversarial modeling – probably the only true test of how an ACTUAL attack is going to look like on your organization. And guess what? It doesn’t look like a Nessus scan or a Metasploit autopwn…).

Second – yes, defense is hard. And this “newfangled” approach is something that has not only been tested in the real world, but it also makes sense <gasp>. Our old approaches of detection and “prevention”, using the same old tools (spell Anti-Virus, Firewall, Intrusion Detection/Prevention, DLP, and what-not) are not working. Let me say that again:

It’s not working!

Why? Simply – we keep chasing our tails with the same old issues. We are really good at Incident Response (some of us are making a nice chunk of money off it), but we really suck at actually improving the security posture over time. Hence my reference to ambulance chasing (i.e. incident response), vs. DNA research (actually changing the defensive strategy and posture to cut the number of incidents).

Personally – I have enjoyed some really tricky incident response engagements that challenged me and my customers (and sometimes led to the satisfying “gotcha” moment when coordinated with LE). Nevertheless, organizations do not really learn from such incidents. They have a short memory span, and get back to their old “look at the blinky lights on the firewall appliance” approach. However, changing the DNA is something waaay more interesting and rewarding. And that’s what we are trying to do here folks…

So – are you going to stay an ambulance chaser and keep rejecting the idea that your revenue stream may be affected if organizations take defensive security more seriously, or are you going to help the change and actually make an impact?

Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?

It was pretty obvious that after an Information Security persona such as Dave Aitel has posted his “Why you shouldn’t train employees for security awareness” article, there would be a lot of flak from the industry. A lot has been said about training employees to be somewhat more savvy users when dealing with corporate equipment and data (i.e. “stop clicking shit”). And even one of my favorite and outspoken Information Security personal had a great rebuttal on the matter – Krypt3ia’s “Throwing out the baby with the bathwater: Dave Aitel’s approach to INFOSEC“.

While I really appreciate both opinions, and while Dave’s might have been a little self-serving (aren’t all of our statements online?), I find myself in a very “Zen” place – saying, yes – you are both right, and wrong at the same time.

Krypt3ia points out that dismissing the human factor is going to lead to failures beyond what we can imagine as an industry. The reason here lies back in the fact that when we approach “Information Security” we focus too much on the “Information” part, and less on the more holistic meaning of the “Security” part. Trying to solve infosec issues through technological means is a guaranteed recipe for failure. No one, no technology, or software can account for every threat scenario possible, and this is exactly why we layer our defenses. And layering shouldn’t just be done from a network or software perspective – security layers also include access control, monitoring, tracking, analysis, and yes – human awareness. Without the human factor you are doomed. And that’s a personal promise from someone who’s been abusing the lack of layering and dismissal of such human factor for quite some time now running red-team engagements with high-profile, high-security clients (see – I can be self-serving too!).

On the other hand, Dave is also right – you can’t just throw everything on the employee and expect them to magically turn into “APT detectors” just because they clicked through some CBT program for a few minutes (or hours for that matter). You have to get the basics first, and Dave’s list is just as good as anyone else’s:

  • Audit periphery
  • Perimeter defense and monitoring
  • Isolate & protect critical data
  • Network segmentation
  • Access creep
  • Incident response
  • Strong security leadership

In no particular order, one should establish a consistent and solid implementation of all of these aspects for their organization.

Having said that, saying that employee awareness should be out of this list is where Dave went a little too far. Strong security leadership, access creep, and data protection are not technical feats by themselves. These are exactly the areas where employee awareness turns what could be useless (but very expensive) pieces of software or appliances to something that would actually work under an attack on your information assets. The point is not to _divert_ the spending on awareness, but to _combine_ them into your security strategy.

Which brings me back to my first (and only) point – stop thinking of information security as an industry of blinkenlights and snazzy software solutions. It’s about hacking, and hacking as we all know never stops at gadgets and code. Think of information security like an ATTACKER. Think about _their_ scope, and realize how your organization looks from that perspective. Now, take your budget and spend it on the areas where attackers could have compromised your informational integrity (HEY! Don’t touch that Nessus scan result! I told you to THINK goddamnit!).

And with that, I’ll leave you to your wonderful weekend before Vegas (one last self-serving statement – go check out “Sexy Defense” if you are really interested in an effective defensive strategy that goes beyond blogging and writing articles 🙂 ).

Happy hacking!

 

March – April Events

After a quiet start for the year (and keeping up with my promise to try and cut down on travel) we are fast approaching exciting times. March will have a couple of great events I’m really looking forward to, and April packs a really great conference and training. So, without further adue:

DC9723 kicking off 2012 – March 13th

We’ve been having some issues in the local DCG with a venue, and after 3 months of delayed meetups we have finally settled into what looks like a fantastic venue. It’s called “The Library”, and true to its name it is one of the public libraries in Tel-Aviv. Renovated, and retrofitted to accommodate a shared workspace for entrepreneurs and small startups, it overlooks one of the more beautiful views of the Tel-Aviv coastline, and is located at the heart of the city – right next to tons of bars and hangouts.

Furthermore, for this inauguration meetup for 2012, we are proud to host Brad Templeton of Singularity University. I’m guessing it’s mostly kismet/karma that brought us together, but it couldn’t have been a more fitting match for this meetup. To complement Brad’s talk and discussion, we’ll have a great friend of mine – Keren Elazari who will discuss the past, present and future of the CyberPunk culture. Really can’t wait for this one to happen.

Link to The Library’s meetup for registration and more information.

Hackcon – March 26th-29th

One of the cons that were on my “hit-list” for a while. Having being recommended by close friends who already spoke there, I will be heading to lovely Oslo for the aptly named HackCon (yeah, I know… Oslo in March may not be _that_ lovely, but…).

With a great speaker lineup, and a website that absolutely refuses to be in English (google translate mandatory as my Norwegian is a bit rusty), this one is shaping up to be an experience!

Link to the program (which fortunately is mostly in English 🙂 )

Source Boston (Training + Conference) April 16th-19th

What can I say about Source? One of my personal favorites, with a personal “track record” of a couple of Barcelonas and soon to be a couple of Bostons. Fantastic attendance and audience, great speaker lineup, content that mixes business and technology like a fine cocktail. And this year is even more special, as I am fortunate enough to be able to bring our Red Team Training to Boston. Chris Nickerson and myself have ran this already once in Colombia last year, and the results are still resonating through Cali :-). We got some great feedback from both business as well as technical people who attended the one-day workshop in Cali, and will be bringing an even bigger, even better 2-day training session to Boston.

Expect a hands-on, no-bullshit couple of days. Expect to be able to pick locks (EVERYONE who is in our class will end up picking at least a 4-pin lock), gather intelligence, social engineer, build threat models, understand surveillance and counter-surveillance, and much more. Expect this not to be just a dull “click-click-click” classroom session. Do not expect us to be gentle on you – the people who attack your company won’t be either. Ready to take the plunge and move up from pentesting to the real-thing? Go register: http://www.sourceconference.com/boston/training.asp

And after having “fun” with friends (don’t ask what happens when I get to spend more than 10 mintes with Nickerson…), it will be off to the conference itself. Another rock-star lineup, from Dan Geer to Michelle Klinger, from Ally Miller to Chris Gates and Zack Lanier, and many more that I apologize in advance for missing here. This is the ultimate AppSec-Tech-Business throw-down in the east coast.

Full schedule is here.

SecurityZone – to finish this year with a bang!

So, some of you have heard of SecurityZone, some are skeptical and some just jealous. Here’s the gist of it from my view:

Professional:

  • Awesome lineup. We managed (and I allow myself to say we as I might have had some help with getting some of the speakers) to get some of the coolest names in the industry with cutting edge security content. To think that this is a first time conference, I would have cut off a kidney to get a lineup like that. Yet it’s on!
  • Workshops – I’m super excited to be part of the workshops. For some reason (don’t ask me how) the notorious Chris Nickerson and yours truly will have a chance to basically go all-out on a red-team testing workshop. I cannot guarantee the sanity of participants at the end of the day, but I’ll be damned if they won’t at least enjoy it. Subtle hint – buy us drinks and more fun is guaranteed ;-). Now take a look at the other workshops. I know… tough choice!

Venue:

  • Come on, it’s Cali, Colombia! What can go wrong in a city that calls itself the capital of Salsa. That sits in one of the more beautiful places in northern south America, and that brings the warmth and hospitality of the locals to tourism. Haven’t been there yet, and I’m already sold – just based on reading some online, working with the relentless SecurityZone organizers (huge shout-outs!), and talking to people who already visited the place.

Personal:

  • My roots actually go back to south america. My dad managed to visit Argentine just this year for the first time since he was a kid, and for me an opportunity to get a little closer to the culture was something I just couldn’t pass on…
So, bottom line – this looks like just the perfect grand finale to an awesome year of the Dirty Security World Tour 2011. Very excited to meet everyone from the crew, and especially to meet new people – locals and whoever makes the smart choice and picks this as an international security conference to attend.
Ciao!