Hack The Planet

Because if you don't, who will?

Monday, August 3, 2015

Off we go to camp!

Another summer is starting to come to a close and that means the largest gathering of hackers on the planet is about to go down. With three conferences all going on this week it won’t matter if you are at BSidesLV, BlackHat or Defcon, you are going to see something cool. With presentations on hacking cars, hacking guns, and hacking anything that isn’t tied down (and some things that are), there is always something new to learn.

My advice for the first timers, enjoy it. Don’t worry about seeing everything because there is just not enough time. Mostly, just have a good time and meet new people.

And remember, Hack the Planet!

posted by holliday at 9:45 pm  

Friday, June 19, 2015

OPM or Other People’s Mess

I have been reading a lot of the posts that have been written about the OPM (Office of Personnel Management) breach and watched the hearing, and I think that we are getting stuck on whichever flavor of security we lean towards. “Well, if they had encryption, this wouldn’t have happened.” “Well, encryption wouldn’t have helped in this case.” “If only they used Linux then they would be fine.” If only X, Y, Z. The issue is that we (I say we, but if there are any non-US citizens reading this, I mean the US) have adversaries that don’t care what security tools we use; they will find a way in. Maybe even through non-technical means, like human agents. Discussing the OPM breach like it was just another company being breached is a mistake. The adversaries they are facing are very smart and very persistent. Now, having said that, there were a bunch of big screw-ups that left them wide open to the breach.

I was reading a post about the OPM hack on Bromium’s site and I found a statement at the end interesting. “If a security vendor tells you that you will be breached, what are they even selling you?” They are trying to sell you awareness that a persistent and aggressive adversary will find a way into your environment, and that you should make it as difficult as possible for them and shorten the time to detection. Telling someone that they will always be protected from a breach as long as they use a specific solution is silly. I do like that the author mentions breaking through the status quo, but I think that is exactly what admitting you have a serious adversary, and that they will likely get past whatever security you put in place, does. Through that awareness you can start focusing on making it more difficult, so that your adversary has to spend more resources to gain entry, and focusing on detection, so that your adversary is in your environment for as little time as possible.

“If you know the enemy and know yourself you need not fear the results of a hundred battles” – Sun Tzu

“Know your enemy!” – Rage Against the Machine

posted by holliday at 4:42 pm  

Monday, August 25, 2014

Does a “Cybersecurity Czar” need to be a coder?

This was the question introduced last week when Michael Daniel, the White House Cybersecurity Czar, made comments that his lack of technical skills was an asset to his job. This, of course, caused a lot of debate about whether Mr. Daniel needed to be a “coder” to be effective at his job.

Here is my take. A CC (Cybersecurity Czar), CISO, CIO, etc., does not have to be a coder or developer to be able to function efficiently in their job. They do, however, have to have an understanding of how the technology that they are managing, purchasing, or building national policy around works. If a CC does not have a proper (read: real world, not read from a book) understanding of how a firewall works, how can we expect them to make good strategic policy around how we should use them? One of the points Caitlin Hayden, National Security Council spokesperson, makes is that from the POTUS on down, they rely on Mr. Daniel’s “expertise”. How can Mr. Daniel have any expertise in a field he doesn’t understand?

If you have not done heart surgery, you can’t claim to be a heart surgeon. The same holds true for technology. If you have not been in a “cyber” role before, how can we believe that you have any understanding of the risks involved in different cyber scenarios? If you are building policy around DDoS attacks and you don’t understand how they work, or what tools you would use to counter them, then what good is your policy?

One of the truly frightening things is any policy that is created that allows for a kinetic response to a cyber attack. Our ability to properly attribute attacks to countries or groups is pretty poor at this point. We can make assumptions but they are just that, assumptions. If Mr. Daniel does not understand how the technology works, we can get policy built that is based on false assumptions that could lead to escalations and violence in the real world.

I, for one, prefer my strategies and policies based on actual expertise, not the assumptions of an amateur.

posted by holliday at 9:34 pm  

Friday, June 20, 2014

The Week in Review 06/20/2014

It is never dull in The Industry. Here are some of the more interesting stories/happenings from this week.

When you are shopping online it is always a good idea to keep your wits about you. If a deal seems too good to be true, it most likely is. Brian Krebs wrote this week about a scheme that sells name-brand products at 30% off, only, they don’t. Sure, they take your credit card information and charge you, but if you receive anything at all, it is a cheap knock-off.

In other news, AT&T has confirmed that they were the victim of malicious insiders during a two-week period in April. AT&T has stated that three employees of one of their service providers were accessing customer information without permission, including Social Security numbers and DOBs. The perpetrators were apparently trying to obtain unlock codes to remove devices from AT&T’s network.

It is interesting how many breaches are coming through vendors/service providers: the Target breach last December, and now AT&T. Enterprises may want to start really vetting who is allowed to connect to their networks, because it is an obvious route for compromise.

Surprising no one in The Industry, an Android phone has been shipped that contains malware by default. The malware, disguised as the Google Play Store, gives the criminals full access to the phone and all of the personal information on it. The malware cannot be removed as it is integrated into the device’s firmware.

Where does the purloined data go you ask? Why, to an anonymous server in China of course. The only surprise in this story is that it took this long to happen and that the devices are still for sale at large online retailers.

All of you World Cup fans need to make sure you are being very careful, whether you are there in person or you are trying to stream the games. From fake Wi-Fi hotspots and malicious downloads to compromised ATMs, criminals are as excited for the games as you are.

For those in Brazil, there are protests going on throughout the country in both the physical and digital world. Keep your wits about you and stay safe.

The FBI has arrested a 20-year-old man, Timothy Justin French, also known as Orbit or crisis, for his alleged hacking attacks as part of the NullCrew team. Timothy was tracked down using the same technique the FBI has used to capture other hackers: a snitch. If we have learned anything from the case, it is that snitches don’t get stitches. They get time served.

Some of the other members of the NullCrew team are not sympathetic to Timothy’s arrest, calling out his poor opsec and inability to shed old identities. The saying goes that there is no honor among thieves, and apparently that is true for hackers as well.

Illegal Bitcoin mining is becoming more profitable. One enterprising hacker has earned a cool $620,000 by compromising Synology machines. This is not the first time a non-standard system has been used to mine digital currency, and it won’t be the last. Remember to look for updates for your systems, even the ones that “just sit there”.

Code Spaces was forced to close their doors after a hacker gained access to their Amazon EC2 control panel. The hacker, in a growing trend of extortion, left Code Spaces a message asking for a large sum of money to fix the issue. When Code Spaces tried to regain access, the hacker started deleting data, backups and offsite backups. The cost, both financial and to reputation, was more than Code Spaces could recover from, making them another small business taken out by hackers.

These are just a few of the hacks, breaches and attacks that caught my eye this week.

posted by holliday at 9:30 am  

Tuesday, March 25, 2014

An aging Internet…

In an interesting post from Ars, we read about the dangers of an aging Internet. With over 640,000,000 websites on the Internet, it is not a great leap to think that many of these sites are running on older, vulnerable software with little chance of being upgraded. I would even guess that many of these sites aren’t even managed anymore, so that if they were compromised there would be no one to notice the intrusion. It’s a good thing our ATMs aren’t running old software or operating systems that can be easily compromised. Then we might really be in trouble.

posted by holliday at 9:41 pm  

Tuesday, June 11, 2013

You are being watched…

Those words are from a “fictional” television show (Person of Interest), but they are so accurate. We are being watched. If we aren’t careful, we will fall even closer to the dystopian future Orwell wrote about… or are we already there…

“There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to.”

George Orwell in “1984”

posted by holliday at 10:59 pm  

Tuesday, January 24, 2012

Sykipot trojan steals US Military ID card data

A bit of old news: the Sykipot trojan has been modified by Chinese hackers to steal sensitive information from DoD networks by capturing the authentication data of DoD smart cards. The cards are commonly used to allow access to DoD networks using certificates and PINs for more secure authentication. This Sykipot variant has been upgraded with a keylogger to steal the PINs, then uses the certificate associated with the card to access protected networks. The hackers used a spearphishing campaign to deliver the trojan.

posted by holliday at 5:40 pm  

Monday, January 23, 2012

Full disk encryption may not save you from the law

A Colorado woman has been ordered by a judge to decrypt her laptop so that prosecutors can use the files on it against her. Judge Robert Blackburn said “I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer.”

Apparently the fact that there was a jailhouse recording of the defendant, Ramona Fricosu, led the judge to believe there was evidence that the information the prosecution was looking for was on the laptop. I understand that Assistant U.S. Attorney Patricia Davies says that if the judge did not force her to give up her password, the terrorists would win. She didn’t actually say that. She said, “a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.”

I just think that it is a leap to say that if the judge does not require Fricosu to give up her password, all of the bad people would immediately encrypt all of their information and that it would thwart our ability to prosecute them. Would it make it more difficult in some cases? Sure. But that is why it is the prosecution’s job to have enough evidence to convict and not the defendant’s job to hand over any proof of wrongdoing.

This is what the 5th Amendment was geared for, and the judge is making a huge mistake. A mistake that favors the prosecution and the government. How strange.

I would still encrypt your drives. Most OS’s now make it easy and if you don’t want to use the built-in tools you can always use TrueCrypt.

posted by holliday at 11:34 pm  

Tuesday, January 17, 2012

Cyberwar in the Middle East or Cyberslap-fight?

Hackers who claim to be from Israel and Saudi Arabia have been taking swings at the stock exchanges and financial hubs of each other’s countries. In the most recent hack, pro-Israel hackers took the stock exchanges of Saudi Arabia and the UAE offline for hours. The cyberattacks continue to escalate and it will be interesting to see where this ends, whether in more severe hacks or more tit for tat.

posted by holliday at 2:06 pm  

Tuesday, August 23, 2011

McAfee reacts to industry questioning

Well, it was only a matter of time, but after members of the security community questioned McAfee’s reaction to Operation Shady RAT (what marketing person came up with that?), McAfee has responded.

I find it interesting that after sitting on the information until the Black Hat USA conference to get as much marketing splash as possible, they were shocked when the industry didn’t find the attack that surprising or new. It was a persistent attack by an organized group, possibly a nation-state, that utilized a botnet (yes, McAfee, Kaminsky was right in calling it a botnet).

There was nothing new in the report, and that is why the industry responded the way it did. Calling everything an APT may make national news, but it doesn’t make the attack new or different. If you want industry collaboration, then don’t make it all about the marketing; make it about the information.

posted by holliday at 7:15 am  