Hack The Planet

Because if you don't, who will?

Monday, August 2, 2021

Another year, not like any other Defcon

As I prepare for another year of BlackHat and Defcon, this being the 15th year or so that I have attended, it has a completely different feeling than previous years. Last year, when the COVID pandemic was still in full swing, the conferences went virtual and I was relieved that both conferences were taking it seriously. I wanted to be onsite with my friends and hacker family, but it was the right thing to do to remain virtual and wait for the next year when we could be together.

Now we are in another upswing of the COVID pandemic, after it had started to tail off, and both conferences are in a hybrid mode. I scheduled myself to be onsite, after being vaccinated and taking extreme precautions for the last 18 months. I keep telling myself that I am taking the precautions necessary to attend and be safe. I am vaccinated, wear a mask, and have plenty of hand sanitizer. I still have concerns, but my desire to see my hacker family is overriding my fear.

With the time I have had to prepare, I think that I will be safe, but understand the number of folks that are cancelling their trips. Everyone needs to do what they feel is right, and with the COVID numbers spiking around the country, it is hard to feel safe anywhere.

So this year at Defcon will be like no other year, and hopefully like no future year. I will be in person, meeting up with the folks that are still going to be in person, giving elbow bumps when appropriate, and missing the folks that aren’t there with us in person, though I know they are there in spirit.

Hopefully next year we will be through the spikes of this pandemic and can all be together in person. Until then, Hack the Planet!

posted by holliday at 4:34 pm  

Monday, January 11, 2021

A new year, but what has changed…

As the clock struck 00:00 on January 1st, 2021, I felt a sense of hope. The year 2020 will be in our history books as one that tested the human spirit, and saw the best and worst of mankind. From a global pandemic, to some of the largest and most high profile hacks, how could 2021 not be better? Well, I guess this is where the “hold my beer” meme should go.

Within a week we are not just talking about hacks, or politics, but full blown insurrection in the USA. When the armed mob of right wing domestic terrorists stormed the Capitol, it put an end to the idea that 2021 would be a gentler year than the previous one. There continues to be more and more information released on this attack on democracy, so we will see what these next few weeks bring.

One of the threads on this attack that has received attention on the InfoSec Twittersphere is that there were many unlocked workstations in pictures taken by the insurrectionists, and a laptop was stolen that may have included sensitive information. While there were a lot of takes on this, Jack Daniel made the most important one, pointing out that the safety of the people was the priority. We can sit back behind our keyboards thinking, “If an angry mob was storming my building I would definitely lock my workstation”, but let’s not kid ourselves, we would be fleeing.

There are measures that can be taken to get the human out of the loop, and with our threat model severely modified after the Capitol attack, here are a few to think about. Faster inactivity locks, so that if you aren’t actively working on the computer it will lock itself in a shorter time frame. This isn’t perfect, but it is easy and low impact. There are also proximity devices that automatically lock a computer once the device is out of range. There are other options as well, and I am sure we are going to see them becoming more normal after Jan 6th.
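As an added example (not from the original post), here is a PowerShell script that audits, and with -Apply enforces, the two Windows controls described above on a single workstation: the machine inactivity limit (the “Interactive logon: Machine inactivity limit” security option, stored as InactivityTimeoutSecs) and Dynamic Lock, which locks the session when a paired Bluetooth phone goes out of range (stored as EnableGoodbye). The 300-second threshold is an assumption for illustration; pick whatever your environment will tolerate, and push it through GPO or MDM rather than one-off scripts if you have more than a handful of machines.

```powershell
# Added example: audit (and optionally enforce) workstation auto-lock controls on Windows 10/11.
# Run from an elevated PowerShell prompt. The registry values below are the ones the Local
# Security Policy / Group Policy editors write; the 300 s default is an assumed target.
[CmdletBinding()]
param(
    [int]$MaxIdleSeconds = 300,   # assumed target: lock after 5 minutes without input
    [switch]$Apply                # without -Apply the script only reports
)

$InactivityKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$InactivityName = 'InactivityTimeoutSecs'   # "Interactive logon: Machine inactivity limit"
$DynamicLockKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DynamicLockName = 'EnableGoodbye'          # Settings > Accounts > Sign-in options > Dynamic lock

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# --- Inactivity limit: 0 or missing means the machine never locks on its own ---------------
$current = Get-RegValue -Path $InactivityKey -Name $InactivityName
if ($null -eq $current -or $current -eq 0) {
    Write-Warning "No machine inactivity limit is set (0 or absent = never lock)."
    $needsFix = $true
} elseif ($current -gt $MaxIdleSeconds) {
    Write-Warning "Inactivity limit is $current s, above the $MaxIdleSeconds s target."
    $needsFix = $true
} else {
    Write-Host "Inactivity limit OK: $current s"
    $needsFix = $false
}
if ($needsFix -and $Apply) {
    if (-not (Test-Path $InactivityKey)) { New-Item -Path $InactivityKey -Force | Out-Null }
    Set-ItemProperty -Path $InactivityKey -Name $InactivityName -Value $MaxIdleSeconds -Type DWord
    Write-Host "Set $InactivityName to $MaxIdleSeconds s (effective after a policy refresh or sign-in)."
}

# --- Dynamic Lock (Bluetooth proximity) -------------------------------------------------
# Dynamic Lock only does anything once a phone is paired; this checks the switch, not the pairing.
$dl = Get-RegValue -Path $DynamicLockKey -Name $DynamicLockName
if ($dl -eq 1) {
    Write-Host "Dynamic Lock is enabled for the current user."
} else {
    Write-Warning "Dynamic Lock is not enabled for the current user."
    if ($Apply) {
        Set-ItemProperty -Path $DynamicLockKey -Name $DynamicLockName -Value 1 -Type DWord
        Write-Host "Enabled Dynamic Lock; pair a phone under Settings > Accounts > Sign-in options."
    }
}
```

Run it once without -Apply to see where a machine stands, then with -Apply to fix it. Neither control replaces locking the screen when you walk away; Dynamic Lock in particular waits roughly half a minute after the phone drops out of range before it locks, so treat these as a backstop for the moment when nobody has time to press Win+L.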

When we look forward to the rest of the year, I think it is important to make sure we are trying to find ways to make security easier, to make it a default state.

Stay safe out there.

posted by holliday at 12:41 pm  

Thursday, May 14, 2020

A Brave, New World…

I have not kept up with my writing as much as I would have liked, and I thought maybe with a world changing pandemic I would finally find the time. Well a few months into social distancing and I am just now sitting down to write. #covidlife

It seems like a long time ago, but it was just March when I had my wings clipped and was no longer traveling. At the time, admittedly, I didn’t think it would be too long until I was back in the air and business as usual. Now I see that we won’t be going back to “usual”. It is good though, because we can find a better way to move forward and not rely on doing things a certain way “because that is how it has always been done.”

There have been many blogs and write-ups on how to work in our new, fully remote environments. We weren’t great at defending our networks when they were within our walls. Just looking at all of the breaches we’ve suffered tells us that much. How were we going to handle going remote?

Well, luckily George at Splunk put together a nice list of things we can do today to help protect our workers and our organizations while we adjust to this brave, new world of work. From monitoring our endpoints, to monitoring who is moving data they shouldn’t, it is a good guide for those that are looking for something that they can start doing today.

Dark Reading also put out an article on patching in a pandemic. Many of the ideas, like making sure you have a solid asset inventory and patch prioritization, are things that I think we should have been doing before we were thrust into this remote world. Sadly, I think this has shown many that the IT Emperor had no clothes, and we are being forced to change our behavior and really start protecting our orgs because the light has been shined on us.

As we all work together on this journey, let’s remember that this is a trying time for everyone. So be kind, be safe, and Hack the Planet!

posted by holliday at 4:23 pm  

Friday, May 3, 2019

Lowest Cost, Technically Unacceptable

I have helped with many sales opportunities where there are Requests For Proposals (RFPs), or other types of questionnaires, that are supposedly written to let the purchaser find out which products can meet the project’s or program’s requirements. If you have been through this yourself, you know these are rarely written by the people that will actually be operating the tools. It is a very similar experience to reading job requirements written by an HR team that doesn’t know what they are really hiring for, but they have a template and a passion for filling it out.

“Wanted, a Junior Software Developer. Must have a Master’s Degree in Computer Science, 10 years experience in the newest technologies, and be a champion Samba dancer.”

When you read a lot of these you start to recognize what is really being asked for, or at least which direction you need to go. At this point you buckle down, answer the questions to pass the first set of eyes that is only looking for any “no” responses, but you also add clarifying terms to make sure the folks that originally requested the information or proposal get the depth they need to make a decision.

At this point you may be thinking, that’s great. You answered their questions. But hold on. It isn’t about being able to actually do the thing that was originally requested. It is about being able to almost do it, and also be cheaper than any other solution out there, even solutions that don’t actually meet the requirements but that made it through the first set of eyes, so it must work because they said yes to everything. As in, “Yes, we would like to be able to solve this problem someday.”

The saying, “Lowest Cost, Technically Acceptable” (LC;TA) may be the cause of more failures and breaches than any other accepted practice in Information Security. This lines up with compliance being the bar to hit, and not the bare minimum. When you build out an environment to check a box, but not to perform the actual task required, you will inevitably fail. If you build a fighter jet with the LC;TA mentality, you will have them falling out of the sky, unable to complete their mission. The same holds true for Information Security.

Let’s stop building things to fail by default. Let’s stop accepting that “Technically Acceptable” is…well, acceptable. Let’s push back on the powers that be, and let them know if they want to truly secure their environments against adversaries that are motivated, highly skilled and have time on their side, we need the right tools, the right people and freedom to build them. If they don’t, we may need to start walking away from the keyboard and find organizations that will.

/rant

posted by holliday at 7:39 am  

Sunday, February 17, 2019

Everyone else knows more…

I have a theory. I believe it is shared by many others, and I have probably written on it before, but just in case, here it is. The more someone says they know, the less they do, and vice versa. This is my Imposter Syndrome thesis. There are many blogs on this phenomenon, and we discuss it regularly as a community. That is not what this post is about though.

There are also many people trying to help new people get into the information security industry despite this feeling. While we work to recruit more people, one of the things I try to make sure they understand is that this is not a static field. You cannot learn something once and feel confident that it will not change as soon as tomorrow.

So how do you keep up with all of the changes and advances in Information Security and our adversaries’ tactics and techniques? There are many approaches to this, but here is mine.

I find that I have to use multiple technologies and communities to keep myself abreast of what is going on, and where I need to spend more time and focus. I use RSS, Twitter, online groups and in-person meetups, with each providing different things to my overall understanding of what is going on.

For those unfamiliar with RSS, it is basically a way to compile updates from websites you are interested in. There are different RSS readers or applications you can use to bring your feeds together, and after the death of Google Reader I don’t know that any one is better than another. I have everything from corporate sites/blogs, personal InfoSec blogs, to news sites, so I don’t have to go to each one to see if there is anything new for me to see. There are a ton of sites out there, so having one dashboard to view them all in saves me a lot of time.

I also use Twitter pretty heavily to find updates that aren’t on my RSS, and also for things that are more current. It is kind of like email (RSS) versus text message (Twitter). Find people that are part of the community and start following. You will find more and more people and companies to follow that can help you keep up with the latest in vulnerabilities, data breaches and adversary techniques.

I am also a big believer in IRL (In Real Life) meetups and community sharing. As you build up your relationships and friendships you may find that you join Slack or Keybase groups that share your interests. These can be incredibly helpful in helping you learn and stay current in Information Security, or whatever field you are interested in.

If you have a Defcon group, or other InfoSec group near you, attend the meetups. I have not yet been to an InfoSec meetup that wasn’t full of great people who were willing to help out people they had just met. Attending conferences helps with this as well. The BSides conferences are run across the planet, and we are at a point where it is harder to find conferences not to go to, because there are so many available.

To wrap this up, there are so many ways to keep yourself up to date and learning everyday that you don’t have to pick just one. Find what works for you and don’t forget to engage with the community. There is no shortage of people willing to mentor and help others grow and learn.

posted by holliday at 7:25 pm  

Monday, February 4, 2019

Where have all the good guys gone…

It wasn’t very long ago that I was reading a report from Cylance researchers that there was a new nation-state APT group that they had dubbed, White Company. The researchers commented on how the group was located in the Middle East, but had tendencies, or tactics, that led the researchers to believe they were ex-US Intel. It is concerning to think that the Tactics, Techniques and Procedures (TTPs) that have been created inside the US Intel community were being used for a foreign power.

The White Company was caught using an unwitting Belgian locksmith’s website (and I am assuming other sites) to go after the Pakistani Air Force. Some of the TTPs the group uses are adding anti-debugging code to their shellcode, using publicly available malware, and preprogrammed dates for discovery by antivirus software to distract analysts. All of these together show a level of sophistication not common outside of specific nation-state actors.

It was a few weeks later that Reuters published reports on Project Raven, a group of ex-US Intel operatives that worked with the UAE to engage in surveillance of militants, human rights activists, and other governments. This revelation should have been more shocking, but with the previous report from Cylance it just solidified the evidence that ex-US cyber warriors were going to work for the highest bidders. This is very sad news as Bob Anderson, exec assistant director of the FBI, is quoted in the Reuters report as saying, “There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government.”

One of the tools that Project Raven used, named Karma, was detailed in another Reuters investigation. It helped the operatives hack into iPhones of diplomats and foreign leaders for the benefit of the UAE. This tool is special in that it did not require the targets to click on phishing links to gain access.

With the knowledge that US Intel operatives and analysts have it is no wonder that those outside the US would target them for recruitment. What is surprising is how many allow themselves to be recruited. As Tawakkol Karman said in the report, these people should “not be a tool in the hands of tyrannies to spy on activists and to enable them to oppress their peoples.”

We all need to take a look at ourselves and ask if the work we are doing is helping others, and at the very least not hurting them.

posted by holliday at 11:16 am  

Thursday, January 24, 2019

Curiosity…

As I was interviewing a candidate for an Information Security job, and helping a friend prepare for an interview at another company, I kept thinking about what attributes make the best, and worst, security professionals. There are probably a lot of studies out there with different statistics to prove one key attribute over another, but I am just writing from my gut.

When I interview folks, I am usually looking for intangibles over current skillset. I caveat that with the fact that I am normally interviewing people for more senior positions, so they have a background in Information Security or a related field. The intangibles I usually probe for are teamwork, a growth mindset and curiosity.

I think of curiosity as the desire to learn, an inquisitive mind, and a joy for discovery. Individuals who think they know everything, don’t want to learn and who aren’t passionate, are not going to last long in this ever changing field. I know that the best folks I have ever worked with had a natural curiosity around technology, and knowledge in general, and will go down the rabbit hole to find answers.

So, if you ask me what it takes to be successful in Information Security I may answer, “Are you curious enough to be a hacker?”

posted by holliday at 3:50 pm  

Thursday, November 22, 2018

Being Thankful

With all of the madness going on in the world, it is nice to have a day to sit back and practice gratitude for all of the good (and bad) things in my life. We often think of only being grateful for the good, but usually the bad is what really shapes us. Here are a few things I am thankful for today.

Being laid off twice in one year during the internet bubble burst of 2001 helped my career more than I could have known at the time. In 2000 I was sure I was going to be at a startup that was going to make me “rich”. I had shares, every company that went public went big, or at least seemed that way to me, so I was set. Then the bubble burst and reality set in. I was handed a severance package and was on my way to another startup.

With all of 14 of us in the entire company, and the economy still reeling, it wasn’t a surprise when I was let go again, and then later the company folded. This could have really driven the nail into my IT career. There I was, straight off of being let go for a second time, living on a friend’s couch because I had burned through my severance and not knowing if things would turn around.

Through a friend and mentor from a previous company, I was lucky to get another opportunity at a larger company that had more stability and an incredibly gifted team. The skills I learned at this new company, and the people I worked with, helped propel my career forward in ways I couldn’t imagine at the time. If I had not been let go, I would not have been open to working for a larger organization, I would not have met some of my closest friends, and I would probably not be working in the career field I am. Sometimes a little hardship opens the door to much greater rewards.

Struggle also helps reset what you are willing to do and can be a great ego check. After being let go I was willing to do whatever job was required. Overnights? Check. Overtime? Please, Sir, can I have some more? Everything and anything I could do, I would do. If I hadn’t gone through the hard times, I would have missed out on a lot.

I am also grateful for the good times. Working for and with great people throughout my career makes me feel very lucky. Many of my best friends are people who started as coworkers, and some of those coworkers started off as High School classmates, which makes me even more thankful to have had wonderful people around me throughout my life.

As you move through your career, be it Information Security or something else, surround yourself with good people and you will always be able to work through any hardship or struggle.

I hope everyone has had a Happy Thanksgiving, and a safe holiday season.

posted by holliday at 9:27 pm  

Wednesday, June 27, 2018

What is in a name?

An ongoing conversation in the Information Security community, or hacker community, or Cyber Security community, is all about what we should call things, people, etc. You can see this in the first sentence. I have written about this before I am sure, but over the last few weeks I have seen an uptick in what this or that word means and what words we should use instead. As an example we have recent LinkedIn conversations about the use of the word “hacker”.

The word “hacker” is constantly being debated, as well as if they wear black hoodies (hint: just like everyone else, some do, some don’t). I am going to try, as many others have before me, to add some context to the ongoing discussion.

An early reference to the word “hacker” comes from gnu.org, and says that a hacker is someone that enjoys playful cleverness. It doesn’t call out computers, networks or any technology. You can be a food hacker, or a film hacker, or anything else. I think this use of the word was behind the movie Hackers from 1995. The characters were playful, creative, and just wanted to have fun.

Another reference to hackers comes from the “The Conscience of a Hacker”, or as it is commonly known “The Hacker Manifesto”. In it, Loyd Blankenship, aka The Mentor, explains what it means to him to be a hacker. He describes the freedom, curiosity, connections and unity of being a hacker, “after all, we’re all alike.” I find it still relevant today.

Bugcrowd put out a blog this week in which they try to define the word hacker. I think they do a good job of summing up a lot of the issues, and I appreciate their Burglar/Locksmith == Cybercriminal/Hacker analogy. We as an industry and community have tried to find alternatives to the word “hacker” for the media and others to use when describing cybercriminals. Sadly, hacker is sexier than cracker and will always get more clicks.

To add more to our naming crisis, we run into hurdles describing what we do as hackers. In a recent Paul’s Security Weekly there was a discussion about pentesting, red teaming and others, and what they all actually mean. When engaging with customers I also find that not all of them understand the differences between penetration testing and red teaming. Because the industry is always evolving, we see new companies coming out claiming to do one thing when really it is something else, and because they can sell off of the misunderstanding, they do.

We see the same confusion over EDR, Threat Intelligence, Machine Learning and Artificial Intelligence. It is no wonder that people outside our industry have no idea what we do, when those of us inside it can’t agree on what to call our solutions or even ourselves. I am not even going to get into the issue with our job titles, because the “Am I an Engineer? Am I an Architect? Senior? Principal? Staff?” debate, which leaves our customers and peers with no idea of what we do, drives me crazy.

In the end, what is in a name? A lot! Use your words carefully, because they can mean many different things to many different people.

Updated: Motherboard has also commented on the word “hacker” and wants to change the definition of it. From their glossary:

“Hackers can now be used to refer to both the good guys, also known as white hat hackers, who play and tinker with systems with no malicious intent (and actually often with the intent of finding flaws so they can be fixed), and cybercriminals, or “black hat” hackers, or “crackers.””

I have a feeling this won’t be the last article we read about the definition of hacker.

posted by holliday at 4:00 pm  

Sunday, June 3, 2018

A few thoughts on hacker culture (or cultures)

Over the last few weeks I have read a few different threads on hacker culture. As I was reading them a lot of things crossed my mind, and it made me think about what someone who was just starting their career or hobby in Information Security, Cyber Security, or hacking for fun and profit, would think about the world they were entering. Here are a few of the discussions and my thoughts and feelings on them.

What is appropriate to wear to a conference?

This is a good example of multiple competing cultures within the hacker community. Some folks in the community want to try to shock people with what they wear, or how their hair is cut. Others in the community are more on the business side of things and expect a certain level of professionalism. Which side of the fence you sit on, I would guess but have no metrics to prove it, comes down to how you came into the community, or your lifestyle outside of it.

It also reflects a feeling I have seen in the community over who is actually part of the community and who isn’t. There is an incredible amount of “Imposter Syndrome” in hacker land, and it is only exacerbated by the divisiveness between groups/cultures. If you don’t have a mohawk, you aren’t really a hacker. If you don’t drink, you aren’t real. If you wear a shirt with buttons, then you aren’t “1337”. In the end, the only thing that should matter is whether you want to be part of the dysfunctional family that is our community or not. How you look, talk, drink or act doesn’t determine it. Sadly, we don’t all agree on that.

One thread I have enjoyed is on what the DEFCON conference means to you.

I have been attending Defcon for over a decade, which funny enough still makes me a bit of a n00b. Saying that, I have always loved attending and find new people to hang out with and learn from every year. A large part of our community, I would even say the vast majority, are very welcoming of everyone. The ability to learn many different skills, from lock picking to car hacking, in one location is incredible. Defcon to me is like Summer Camp. A place to reconnect with friends and learn some new skills.

One of the biggest differences I have seen among the different cultures in the hacker family tree is the word “cyber”. Some people love it, some people hate it, and it seems that most people like to argue about it. There was a recent post by Lenny Zeltser on this, and I appreciated the explanation from Jessica Barker:

“The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than ‘information’ or ‘data’. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using ‘cyber’ will help us do that. A bridge has been built, and I suggest we use it.”

While I may be partial because I use the word “cyber”, I also agree with this thinking. When I tell someone what I do, or want them to know I am an expert and am there to help, I have to use language they will understand. If I start using jargon they are not familiar or comfortable with, then their understanding is limited and I won’t be as effective. If we are not confident enough in ourselves, and want to be cool by not using words we feel are just marketing buzzwords, then we are not helping our customers, our fellow citizens or ourselves.

In the end, being part of this community, or extended nerd family, means dealing with many different, often competing, cultures and being able to figure out where (or if) you want to fit in.

posted by holliday at 9:40 pm  
