Hack The Planet

Because if you don't, who will?

Sunday, February 17, 2019

Everyone else knows more…

I have a theory. I believe it is shared by many others, and I have probably written on it before, but just in case, here it is. The more someone says they know, the less they do, and the opposite. This is my Imposter Syndrome thesis. There are many blogs on this phenomenon, and we discuss it regularly as a community. That is not what this post is about though.

There are also many people trying to help new people get into the information security industry despite this feeling. While we work to recruit more people, one of the things I try to make sure they understand is that this is not a static field. You cannot learn something once and feel confident that it will not change as soon as tomorrow.

So how do you keep up with all of the changes and advances in Information Security and our adversaries' tactics and techniques? There are many approaches to this, but here is mine.

I find that I have to use multiple technologies and communities to keep myself abreast of what is going on, and where I need to spend more time and focus. I use RSS, Twitter, online groups and in-person meetups, with each providing different things to my overall understanding of what is going on.

For those unfamiliar with RSS, it is basically a way to compile updates from websites you are interested in. There are different RSS readers or applications you can use to bring your feeds together, and after the death of Google Reader I don’t know that any one is better than another. I have everything from corporate sites/blogs, personal InfoSec blogs, to news sites, so I don’t have to go to each one to see if there is anything new for me to see. There are a ton of sites out there, so having one dashboard to view them all in saves me a lot of time.

I also use Twitter pretty heavily to find updates that aren’t on my RSS, and also for things that are more current. It is kind of like email (RSS) versus text message (Twitter). Find people that are part of the community and start following. You will find more and more people and companies to follow that can help you keep up with the latest in vulnerabilities, data breaches and adversary techniques.

I am also a big believer in IRL (In Real Life) meetups and community sharing. As you build up your relationships and friendships you may find that you join Slack or Keybase groups that share your interests. These can be incredibly helpful for learning and staying current in Information Security, or whatever field you are interested in.

If you have a Defcon group, or other InfoSec group near you, attend the meetups. I have not yet been to an InfoSec meetup that wasn't full of great people who were willing to help out people they had just met. Attending conferences helps with this as well. The BSides conferences are run across the planet and we are at a point where it is harder to find conferences not to go to, because there are so many available.

To wrap this up, there are so many ways to keep yourself up to date and learning every day that you don’t have to pick just one. Find what works for you and don’t forget to engage with the community. There is no shortage of people willing to mentor and help others grow and learn.

posted by holliday at 7:25 pm  

Monday, February 4, 2019

Where have all the good guys gone…

It wasn’t very long ago that I was reading a report from Cylance researchers that there was a new nation-state APT group that they had dubbed White Company. The researchers commented on how the group was located in the Middle East, but had tendencies, or tactics, that led the researchers to believe they were ex-US Intel. It is concerning to think that the Tactics, Techniques and Procedures (TTPs) that have been created inside the US Intel community were being used by a foreign power.

The White Company was caught using an unwitting Belgian locksmith's website (and I am assuming other sites) to go after the Pakistani Air Force. Some of the TTPs the group uses are adding anti-debugging code to their shellcode, using publicly available malware, and preprogrammed dates for discovery by antivirus software to distract analysts. All of these together show a level of sophistication not common outside of specific nation-state actors.

It was a few weeks later that Reuters published reports on Project Raven, a group of ex-US Intel operatives that worked with the UAE to engage in surveillance of militants, human rights activists, and other governments. This revelation should have been more shocking, but with the previous report from Cylance it just solidified the evidence that ex-US cyber warriors were going to work for the highest bidders. This is very sad news as Bob Anderson, exec assistant director of the FBI, is quoted in the Reuters report as saying, “There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government.”

One of the tools that Project Raven used was detailed in another Reuters investigation: named Karma, it helped the operatives hack into iPhones of diplomats and foreign leaders for the benefit of the UAE. This tool is special in that it did not require the targets to click on phishing links to gain access.

With the knowledge that US Intel operatives and analysts have it is no wonder that those outside the US would target them for recruitment. What is surprising is how many allow themselves to be recruited. As Tawakkol Karman said in the report, these people should “not be a tool in the hands of tyrannies to spy on activists and to enable them to oppress their peoples.”

We all need to take a look at ourselves and ask if the work we are doing is helping others, and at the very least not hurting them.

posted by holliday at 11:16 am  

Thursday, January 24, 2019

Curiosity…

As I was interviewing a candidate for an Information Security job, and helping a friend prepare for an interview at another company, I kept thinking of what attributes make the best, and worst, security professionals. There are probably a lot of studies out there with different statistics to prove one key attribute over another, but I am just writing from my gut.

When I interview folks, I am usually looking for intangibles over current skillset. I caveat that with the fact that I am normally interviewing people for more senior positions, so they have a background in Information Security or a related field. The intangibles I usually probe for are teamwork, a growth mindset and curiosity.

I think of curiosity as the desire to learn, an inquisitive mind, and a joy for discovery. Individuals who think they know everything, don’t want to learn and aren’t passionate are not going to last long in this ever changing field. I know that the best folks I have ever worked with had a natural curiosity around technology, and knowledge in general, and will go down the rabbit hole to find answers.

So, if you ask me what it takes to be successful in Information Security I may answer, “Are you curious enough to be a hacker?”

posted by holliday at 3:50 pm  

Thursday, November 22, 2018

Being Thankful

With all of the madness going on in the world, it is nice to have a day to sit back and practice gratitude for all of the good (and bad) things in my life. We often think of only being grateful for the good, but usually the bad is what really shapes us. Here are a few things I am thankful for today.

Being laid off twice in one year during the internet bubble burst of 2001 helped my career more than I could have known at the time. In 2000 I was sure I was going to be at a startup that was going to make me “rich”. I had shares, every company that went public went big, or at least seemed that way to me, so I was set. Then the bubble burst and reality set in. I was handed a severance package and was on my way to another startup.

With all of 14 of us in the entire company, and the economy still reeling, it wasn’t a surprise when I was let go again, and then later the company folded. This could have really driven the nail into my IT career. There I was, straight off of being let go for a second time, living on a friend's couch because I had burned through my severance and not knowing if things would turn around.

I was lucky to get another opportunity, through a friend and mentor from a previous company, at a larger company that had more stability and an incredibly gifted team. The skills I learned at this new company, and the people I worked with, helped propel my career forward in ways I couldn’t imagine at the time. If I had not been let go, I would not have been open to working for a larger organization, I would not have met some of my closest friends, and I would probably not be working in the career field I am. Sometimes a little hardship opens the door to much greater rewards.

Struggle also helps reset what you are willing to do and can be a great ego check. After being let go I was willing to do whatever job was required. Overnights? Check. Overtime? Please, Sir, can I have some more? Everything and anything I could do, I would do. If I hadn’t gone through the hard times, I would have missed out on a lot.

I am also grateful for the good times. Working for and with great people throughout my career makes me feel very lucky. Many of my best friends are people who started as coworkers, and some of those coworkers started off as High School classmates, which makes me even more thankful to have had wonderful people around me throughout my life.

As you move through your career, be it Information Security or something else, surround yourself with good people and you will always be able to work through any hardship or struggle.

I hope everyone has had a Happy Thanksgiving, and a safe holiday season.

posted by holliday at 9:27 pm  

Wednesday, June 27, 2018

What is in a name?

An ongoing conversation in the Information Security community, or hacker community, or Cyber Security community, is all about what we should call things, people, etc. You can see this in the first sentence. I have written about this before I am sure, but over the last few weeks I have seen an uptick in what this or that word means and what words we should use instead. As an example we have recent LinkedIn conversations about the use of the word “hacker”.

The word “hacker” is constantly being debated, as well as if they wear black hoodies (hint: just like everyone else, some do, some don’t). I am going to try, as many others have before me, to add some context to the ongoing discussion.

An early reference to the word “hacker” comes from gnu.org, and says that a hacker is someone that enjoys playful cleverness. It doesn’t call out computers, networks or any technology. You can be a food hacker, or a film hacker, or anything else. I think this use of the word was behind the movie Hackers from 1995. The characters were playful, creative, and just wanted to have fun.

Another reference to hackers comes from “The Conscience of a Hacker”, or as it is commonly known, “The Hacker Manifesto”. In it, Loyd Blankenship, aka The Mentor, explains what it means to him to be a hacker. He describes the freedom, curiosity, connections and unity of being a hacker, “after all, we’re all alike.” I find it still relevant today.

Bugcrowd put out a blog this week in which they try to define the word hacker. I think they do a good job of summing up a lot of the issues, and I appreciate their Burglar/Locksmith == Cybercriminal/Hacker analogy. We as an industry and community have tried to find alternatives to the word “hacker” for the media and others to use when describing cybercriminals. Sadly, hacker is sexier than cracker and will always get more clicks.

To add more to our naming crisis, we run into hurdles describing what we do as hackers. In a recent Paul’s Security Weekly there was a discussion about pentesting, red teaming and others, and what they all actually mean. When engaging with customers I also find that not all of them understand the differences between penetration testing and red teaming. Because the industry is always evolving, we see new companies coming out claiming to do one thing when really it is something else, and because they can sell off of the misunderstanding, they do.

We see the same confusion over EDR, Threat Intelligence, Machine Learning and Artificial Intelligence. It is no wonder that people outside our industry have no idea what we do, when those of us inside it can’t agree on what to call our solutions or even ourselves. I am not even going to get into the issue with our job titles, because the “Am I an Engineer? Am I an Architect? Senior? Principal? Staff?” debate, which leaves our customers and peers with no idea of what we do, drives me crazy.

In the end, what is in a name? A lot! Use your words carefully, because they can mean many different things to many different people.

Updated: Motherboard has also commented on the word “hacker” and wants to change the definition of it. From their glossary:

“Hackers can now be used to refer to both the good guys, also known as white hat hackers, who play and tinker with systems with no malicious intent (and actually often with the intent of finding flaws so they can be fixed), and cybercriminals, or “black hat” hackers, or “crackers.””

I have a feeling this won’t be the last article we read about the definition of hacker.

posted by holliday at 4:00 pm  

Sunday, June 3, 2018

A few thoughts on hacker culture (or cultures)

Over the last few weeks I have read a few different threads on hacker culture. As I was reading them a lot of things crossed my mind, and it made me think about what someone who was just starting their career or hobby in Information Security, Cyber Security, or hacking for fun and profit, would think about the world they were entering. Here are a few of the discussions and my thoughts and feelings on them.

What is appropriate to wear to a conference?

This is a good example of multiple competing cultures within the hacker community. Some folks in the community want to try to shock people with what they wear, or how their hair is cut. Others in the community are more on the business side of things and expect a certain level of professionalism. Which side of the fence you sit on, I would guess but have no metrics to prove it, comes down to how you came into the community, or your lifestyle outside of it.

It also reflects a feeling I have seen in the community over who is actually part of the community and who isn’t. There is an incredible amount of “Imposter Syndrome” in hacker land, and it is only exacerbated by the divisiveness between groups/cultures. If you don’t have a mohawk, you aren’t really a hacker. If you don’t drink, you aren’t real. If you wear a shirt with buttons, then you aren’t “1337”. In the end, the only thing that should matter is whether you want to be part of the dysfunctional family that is our community or not. How you look, talk, drink or act doesn’t determine it. Sadly, we don’t all agree on that.

One thread I have enjoyed is what the DEFCON conference means to you.

I have been attending Defcon for over a decade, which funny enough still makes me a bit of a n00b. Saying that, I have always loved attending and find new people to hang out with and learn from every year. A large part of our community, I would even say the vast majority, are very welcoming of everyone. The ability to learn many different skills, from lock picking to car hacking, in one location is incredible. Defcon to me is like Summer Camp. A place to reconnect with friends and learn some new skills.

One of the biggest differences I have seen among the different cultures in the hacker family tree is the word “cyber”. Some people love it, some people hate it, and it seems that most people like to argue about it. There was a recent post by Lenny Zeltser on this, and I appreciated the explanation from Jessica Barker:

“The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than ‘information’ or ‘data’. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using ‘cyber’ will help us do that. A bridge has been built, and I suggest we use it.”

While I may be partial because I use the word “cyber”, I also agree with this thinking. When I tell someone what I do, or want them to know I am an expert and am there to help, I have to use language they will understand. If I start using jargon they are not familiar or comfortable with, then their understanding is limited and I won’t be as effective. If we are not confident enough in ourselves, and want to be cool and not use words we feel are just marketing buzzwords, then we are not helping our customers, our fellow citizens or ourselves.

In the end, being part of this community, or extended nerd family, means dealing with many different, often competing, cultures and being able to figure out where (or if) you want to fit in.

posted by holliday at 9:40 pm  

Monday, May 14, 2018

Why find the Unknown Unknowns…

Humans like to solve problems that are readily known or are easy, and ignore ones that take some digging or are difficult. We are lazy animals, but that is a good thing. System Administrators create scripts to eliminate repetitive tasks. This is good. We should work smarter not harder. The issue is when we disregard tasks, or threats because they take time and research. We in Information Security often fix the “known knowns” and hope that we aren’t impacted by the “unknown unknowns (UUs)”. We need to start bringing our unknown threats into the light of day, or a nice dashboard, so that we can act on them and protect our environments from them.

When we think of securing our information and our networks, we often start with our knowns. We know we need to defend our digital borders so we install firewalls. We know we need to protect our endpoints so we install anti-malware software. We may even know that we need to protect our data and we deploy a Data Loss Prevention solution, but I rarely see folks do this intentionally, and if they even have a solution it isn’t tuned and is a check box on some compliance form more than anything else. Admittedly that last one kills me because there are a number of solutions you can get that would have stopped any number of the breaches we have read about, and some we haven’t even heard about yet, but we don’t put the energy or budget into solving this one.

As we move to more mature security environments you will find vulnerability scanning, looking for those known vulnerabilities, though an incredible 26% of companies said they didn’t have time to patch. Then you may introduce a Network Access Control solution, possibly from your network equipment vendor or one of the few remaining stand-alone solutions, but again, I don’t see organizations actually utilizing the investments they have made in NAC. The list of solutions keeps growing as your organization matures, but oftentimes the investment in tools does not mean that they are being deployed or tuned, or that your staff is being trained on them.

With more tools come more alerts, and with more alerts comes alert fatigue. I have walked into many a SOC (Security Operations Center) and found alerts all over the screens and analysts just sitting at their desks ignoring them. Like the boy who cried wolf, the alerts had trained the analysts to ignore them. The scary thing is any of those alerts could have been critical and truly important, but because of all the noise it would have been ignored with all of the others.

This is where having a good solution to monitor all of your tools, endpoints, logs and network data is necessary. If done right it will lower your alerts, so that your analysts can spend time on the most critical events, and it will also give you visibility into your environment so you can find those UUs. I have mentioned the NCTOC Top 5 SOC Principles before, and want to point out that number 2 on that list is visibility. We must build visibility into our environments, not just for the UUs, but to alleviate alert fatigue and give your team their best chance at stopping a breach or other organization-impacting event.
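One concrete way to turn a noisy multi-tool feed into a short queue, as an added example that is not part of the original post: collapse repeats of the same alert into one case with a count, then rank cases so that severity dominates, repetition adds a little, and a host that trips several different tools' rules is escalated. The alert feed, tool names, hosts, rules and scoring weights below are all constructed for illustration; a real SOC would tune the window and weights to its own environment.

```python
"""Alert aggregation and triage over a constructed feed (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Numeric rank per severity label (assumed scale, not from the post).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Alert:
    ts: int          # epoch seconds (constructed)
    tool: str        # product that raised it: av, ids, nac, dlp ...
    host: str
    rule: str
    severity: str


# Constructed sample feed: nine raw alerts from four tools over about five minutes.
RAW_ALERTS = [
    Alert(1000, "av", "ws-12", "PUA detected", "low"),
    Alert(1005, "av", "ws-12", "PUA detected", "low"),
    Alert(1010, "av", "ws-12", "PUA detected", "low"),
    Alert(1020, "ids", "ws-12", "outbound C2 beacon", "high"),
    Alert(1050, "ids", "ws-12", "outbound C2 beacon", "high"),
    Alert(1100, "nac", "printer-3", "unknown MAC", "info"),
    Alert(1105, "nac", "printer-3", "unknown MAC", "info"),
    Alert(1200, "dlp", "fs-1", "bulk PII egress", "critical"),
    Alert(1300, "av", "ws-44", "PUA detected", "low"),
]


def build_cases(alerts, window=300):
    """Collapse repeats of the same (tool, host, rule) that arrive within
    `window` seconds of the previous one into a single case with a count."""
    cases, open_case = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.tool, a.host, a.rule)
        case = open_case.get(key)
        if case is not None and a.ts - case["last"] <= window:
            case["count"] += 1
            case["last"] = a.ts
            continue
        case = {"tool": a.tool, "host": a.host, "rule": a.rule,
                "severity": a.severity, "first": a.ts, "last": a.ts, "count": 1}
        cases.append(case)
        open_case[key] = case
    return cases


def score_cases(cases):
    """Rank cases: severity * 10, plus repetition capped at 5, plus 5 for every
    additional distinct rule firing on the same host. Independent tools
    agreeing about one host is a stronger signal than one rule firing often."""
    rules_on_host = defaultdict(set)
    for c in cases:
        rules_on_host[c["host"]].add(c["rule"])
    scored = []
    for c in cases:
        score = (SEVERITY_RANK[c["severity"]] * 10
                 + min(c["count"], 5)
                 + 5 * (len(rules_on_host[c["host"]]) - 1))
        scored.append((score, c))
    scored.sort(key=lambda t: (-t[0], t[1]["first"]))  # highest score, then oldest
    return scored


def triage(alerts, window=300):
    """Return raw count, case count and the ranked queue for an alert list."""
    cases = build_cases(alerts, window)
    return {"raw": len(alerts), "cases": len(cases), "queue": score_cases(cases)}


if __name__ == "__main__":
    result = triage(RAW_ALERTS)
    print(f"{result['raw']} raw alerts -> {result['cases']} cases")
    for score, c in result["queue"]:
        print(f"{score:3d}  {c['severity']:8s} {c['host']:10s} {c['rule']} x{c['count']}")
```

On the constructed feed, nine alerts become five cases, the single DLP critical lands on top, and the C2 beacon on ws-12 is ranked above the three PUA hits on the same host even though it fired fewer times; the NAC noise from the printer ends up last, which is where an analyst should see it.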

posted by holliday at 12:36 pm  

Saturday, May 5, 2018

The Art of Best Practices…

In Information Security “Best Practices” are commonly referred to, but rarely practiced. This is the cause of most of the breaches and hacks that plague us today.

One best practice that isn’t sexy, but is incredibly necessary is updating. This is often a battle with different business units, which means a breach is inevitable. Possibly the hardest part about being an information security professional is convincing the business to do what is best for it. This is where understanding the business, and being able to speak the same language as the executives is key. It also helps if you have the data to back you up, but that is another topic.

At RSA 2018, Dave Hogue, Technical Director for the NSA, discussed how they secure themselves from 0-days using their own principles, including hardening to best practices. We live in a world where our adversaries are able to engineer attacks for disclosed vulnerabilities faster than most organizations are able, or willing, to patch. If you would like to keep your organization secure, you will need to find a way to convince it to keep up with patches and follow as many other best practices as possible.
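Having "the data to back you up" on patching usually means a patch-lag report: for every unpatched disclosed vulnerability on every asset, how many days it has been exposed and whether it has blown the policy SLA, rolled up per business unit so the conversation with each unit is about their numbers. The following is an added example, not from the post or any vendor; the SLA values, the VULN-* identifiers (placeholders, not real CVE numbers), hosts and business units are all constructed.

```python
"""Patch-lag / SLA-breach report over a constructed inventory (added example)."""
from datetime import date

# Assumed policy: days allowed between disclosure and patch, by severity.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed disclosed vulnerabilities (placeholder ids, not real CVEs).
DISCLOSED = {
    "VULN-A": {"severity": "critical", "disclosed": "2018-04-01"},
    "VULN-B": {"severity": "high", "disclosed": "2018-04-10"},
    "VULN-C": {"severity": "low", "disclosed": "2018-03-01"},
}

# Constructed asset inventory: which disclosed vulns are still open on each host.
ASSETS = [
    {"host": "web-1", "unit": "ecommerce", "unpatched": ["VULN-A"]},
    {"host": "web-2", "unit": "ecommerce", "unpatched": []},
    {"host": "db-1", "unit": "finance", "unpatched": ["VULN-A", "VULN-B"]},
    {"host": "kiosk-7", "unit": "retail", "unpatched": ["VULN-C"]},
]


def exposure_report(assets, disclosed, today_iso, sla=PATCH_SLA_DAYS):
    """Compute days exposed and SLA status for each open vulnerability on
    each asset, then roll up open/breached counts per business unit."""
    today = date.fromisoformat(today_iso)
    findings = []
    for a in assets:
        for vid in a["unpatched"]:
            v = disclosed[vid]
            days = (today - date.fromisoformat(v["disclosed"])).days
            limit = sla[v["severity"]]
            findings.append({
                "host": a["host"], "unit": a["unit"], "vuln": vid,
                "severity": v["severity"], "days_exposed": days,
                "sla_days": limit, "breached": days > limit,
            })
    per_unit = {}
    for f in findings:
        u = per_unit.setdefault(f["unit"], {"open": 0, "breached": 0, "worst_overdue": 0})
        u["open"] += 1
        if f["breached"]:
            u["breached"] += 1
            # how many days past the SLA the worst finding in this unit is
            u["worst_overdue"] = max(u["worst_overdue"], f["days_exposed"] - f["sla_days"])
    return {"findings": findings, "per_unit": per_unit}


if __name__ == "__main__":
    rep = exposure_report(ASSETS, DISCLOSED, "2018-04-20")
    for unit, stats in sorted(rep["per_unit"].items()):
        print(f"{unit:10s} open={stats['open']} breached={stats['breached']} "
              f"worst_overdue={stats['worst_overdue']}d")
```

The per-unit rollup is what goes on the slide; the per-finding list is what goes to the admins. Feeding it from a vulnerability scanner export instead of the inline list only changes the loader, not the report.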

And if you need a list of best practices, there are plenty out there to choose from.

posted by holliday at 4:27 pm  

Thursday, April 26, 2018

When your adversary makes a mistake…

There is a perception that cyber criminals and nation state hackers are untouchable, and that hacking or cybercrime is low risk to the attacker. While this may be true in some cases, we have seen more and more hackers caught and sentenced for their digital crimes. It has become very apparent that if you commit a digital crime, you have a pretty good chance of ending up in a physical prison cell.

How do we capture these criminals? Just like in real life, we look for their mistakes. Whether it is sharing pictures on Facebook, or forgetting to log in to an anonymizing service, these digital desperados are just people, and eventually everyone will have a slip up.

Napoleon said it well, “Never interrupt an enemy making a mistake.” We need to be patient and vigilant, because eventually our adversaries will make a mistake and we need to be ready for it.

That is all for now. Happy hacking!

posted by holliday at 8:57 pm  

Thursday, April 19, 2018

When the lights go out…

For years, information security researchers have warned about attacks on ICS (Industrial Control System) infrastructure at power and water facilities but this year we may finally start seeing some executives taking it seriously…or are they?

In 2010, the world became aware of Stuxnet, an elegantly designed piece of malware targeted at SCADA (Supervisory Control and Data Acquisition) systems at Iran’s Natanz nuclear facilities. The goal of the malware was to cause the centrifuges at the facility to fail, and by all accounts it was very successful. Stuxnet woke up the information security world to the risk of what malware targeted against ICS/SCADA systems could do, and the risks we all faced. Sadly, many people in the C-Suite believed, as many people do, that attacks only happen to other people.

In 2017, the Triton/Trisis malware was discovered to be targeting a vulnerability in Schneider Electric’s Triconex firmware. One victim was reportedly in the Middle East, but how many organizations have been truly impacted is unknown. This RAT (Remote Access Trojan) triggered an emergency systems shutdown before it could deploy its payload, or we may never have discovered it.

One of the interesting functions in both of these different malware samples is their ability to collect information from the systems they have infected. Stuxnet used this capability to replay information to the monitoring systems to show that everything was okay, while in reality the centrifuges were failing. Advanced and motivated adversaries build these carefully crafted attacks not only to cause destruction, but to hide themselves and what is truly going on in the environment to extend their ability to cause damage. It is both impressive, and terrifying.
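Two defensive checks that a monitoring side can run against the replay trick described above, as an added example that is not from the post or from any ICS vendor: first, real process noise essentially never repeats bit-for-bit, so a multi-sample window of telemetry that exactly matches an earlier window is a strong replay indicator; second, an independent sensor on a separate path (a second speed or vibration pickup the compromised controller does not mediate) should keep tracking the real process, so the reported and independent streams diverging is a signal even when the replay is not an exact copy. All telemetry below is constructed with a seeded generator: 60 honest samples, then a 30-sample replay of samples 10 through 39 while the real process ramps away from its setpoint.

```python
"""Replay detection for sensor telemetry (added example, constructed data)."""
import random

WINDOW = 5  # samples that must repeat exactly to count as a replay


def make_stream(n, base=1000.0, noise=2.0, seed=7):
    """Constructed honest sensor readings: a setpoint plus process noise."""
    rng = random.Random(seed)
    return [round(base + rng.gauss(0, noise), 2) for _ in range(n)]


HONEST = make_stream(60)
# What the operator screen is shown: 60 honest samples, then samples 10..39 replayed.
REPORTED = HONEST + HONEST[10:40]
# What the process actually does during the replay: speed ramps 3 units per sample.
TRUE_PROCESS = HONEST + [HONEST[59] + 3.0 * k for k in range(1, 31)]
# Independent sensor on a separate path still tracks the real process (own noise).
_rng2 = random.Random(11)
INDEPENDENT = [round(v + _rng2.gauss(0, 1.0), 2) for v in TRUE_PROCESS]


def find_replays(readings, window=WINDOW):
    """Return merged segments where a window of readings is identical to an
    earlier window: dicts with start (index of the copy), source (index of the
    original) and length in samples. Honest noise does not repeat exactly."""
    first_seen = {}
    segments = []
    for i in range(len(readings) - window + 1):
        w = tuple(readings[i:i + window])
        src = first_seen.setdefault(w, i)
        if src == i:
            continue  # first occurrence of this window, nothing to flag
        last = segments[-1] if segments else None
        if last and i == last["_end"] + 1 and src == last["_src_end"] + 1:
            last["_end"], last["_src_end"] = i, src  # extend the current run
        else:
            segments.append({"start": i, "source": src, "_end": i, "_src_end": src})
    for s in segments:
        s["length"] = s.pop("_end") - s["start"] + window
        s.pop("_src_end")
    return segments


def diverging_samples(reported, independent, tolerance=10.0):
    """Indices where the reported value disagrees with the independent sensor
    by more than `tolerance`. Catches a hidden runaway even if the attacker
    avoided exact repetition (for example by adding jitter to the replay)."""
    return [i for i, (r, t) in enumerate(zip(reported, independent))
            if abs(r - t) > tolerance]


if __name__ == "__main__":
    print("replay segments:", find_replays(REPORTED))
    div = diverging_samples(REPORTED, INDEPENDENT)
    print(f"{len(div)} samples diverge from the independent sensor, first at {div[0]}")
```

The exact-window check is cheap and has essentially no false positives on real noisy signals, but it is only as good as the attacker's laziness; the cross-sensor check is the one that depends on architecture, because it needs a measurement path the compromised controller cannot rewrite.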

In a recent survey by Tripwire, people from the energy sector were asked about their concerns, the classic “What keeps you up at night?”. The answers were interesting if not expected.

91% responded that they were worried about cyber attacks against their ICS systems. It makes sense that they would be concerned, but I wonder if the other 9% didn’t understand the question. If you are in the energy sector and are not worried about this, then you should be replaced because you don’t understand your threat model and what you are up against.

70% responded that they were concerned that an attack would result in a catastrophic event. With the capabilities that Stuxnet, Industroyer, and Triton have at their disposal, the likelihood of an incident that causes massive loss of life is growing.

The one statistic that I really want to share, is that 56% of respondents stated that they will only see more security investment “Once there is a significant attack” against them. This is incredibly telling. This comes from the idea that it is cheaper to fail or be breached, than to properly secure your environment. Sadly this has proved out to some degree, and even more sadly shareholders are valued over lives.

I am sure we will see even more attacks moving forward, and I can only hope that we learn how to properly invest, and protect our energy and water facilities before it’s too late.

posted by holliday at 1:08 pm  
