Wednesday, May 23, 2012

Running from your Information Security Program

Running… I hate that shit. I just hate it. It is not because I can’t do it. It is not because I am too fat, or not strong enough or lazy. Mind you, I am no Adonis but I am fit for most of the tasks I must complete. So why do we run? Most of the time, it is so that we can breathe better, become stronger, have more endurance, and lose weight. We also run for an endorphin rush. Running IS pretty cool when I look at it that way. I get all these “health” benefits and get high at the same time. Not a bad way to spend time, but I still hate it. I think that I don’t like running because I have no real reason to do it. I don’t find myself having to get to the grocery store on foot or get to work faster while walking. I have never been in a situation where I had to get away from an attacking human or animal. I have never had to run from cops, parents, authority or anyone/thing else. For the most part, running is only something that I would do if I decided to take it up as a hobby. (Well, this one time I ran for about 10 miles in the middle of Tennessee farm land, but that’s a WHOLE different story.)

Anyway, what’s the point of all this? I have been looking at my job over the last 15 years and all of the talks given, lessons learned, articles written, projects done and days gone by and they all have one thing in common. They are all some type of training. They aren’t sport and they sure as heck aren’t leisure, so being categorized as training seems to fit the bill. With that in mind, I look back at running and think “Oh, running is training…. Isn’t it?” Of course! Everyone who is “training” or “getting in shape” is going running. They relate it directly to how fit you are. If you can run faster and longer, you are commonly seen as “more fit” than someone else. But what does running train you for? Answer: to run. Crazy huh? Does it make you more fit overall…. Sure. If you are a UFC fighter, does it make you a better fighter? Well, there is a way to make the excuse that it does, but only in a specific way. It is a cardio workout that helps you build endurance. That endurance gets translated into improved breathing and the ability to stave off lactic acid buildup as well as a few other things. But does it REALLY get you ready to roll with someone for 5 rounds? HELL NO! It sure helps, but the only thing that gets you ready to roll for 5 rounds… is ROLLING 5 ROUNDS! If you train to roll for 15 rounds, when it comes time to roll 5 you are gonna be the freshest person in the ring. I know all of you running fans are going to make excuses about why the benefits extend, but the fact is, if you are training to fight… and you are running as your main source, all you will be is better at running away than the other person. This applies to other areas of life as well.

Have you ever heard people use the example of being chased by a bear? “If you are being chased by a bear, you don’t have to be faster than the bear, you have to be faster than the person running with you.” Sounds good in theory and gets an acknowledging chuckle out of everyone you say it to, but it’s BULLSHIT. How about this? “If you are running from a bear, you aren’t prepared.” Oh no! What do you say to that, Mr. Clever Adage Person? If I was in a situation where I thought I was going to be chased by bears on a regular basis, I sure as hell wouldn’t go running to get ready for my encounter. The fact is, a bear can outrun all of us. With that in mind, running is totally useless. So what DO you do? Well, I think that if I was in a place that had tons of bears that loved to chase and kill humans I would figure out a plan that WORKED. Did you know that there are people all over the world (the ones I have met are in Russia and some of the wildest cats I have EVER met) that HUNT bears? Not only do they hunt them, they go out into the woods with 1 thing, a big ass knife. Seriously! I met this dude Victor when I was on a Risk Assessment. He was the head of the warehouse. He was fairly normal looking. He was a bigger guy, maybe 6.2ft and 250 or so, but he was not some monster. When I first met him, you could see it in his eyes, he was broken in a very special way. We were talking about some shipping processes in his office when I noticed this string of what looked like saber tooth tiger teeth. I don’t think I looked at him more than 2x for the first 30 min because I was staring at this string. Finally he says “You like my trophy necklace?” So we got on the topic of hunting. Some of the craziest stuff I had ever heard came next. He told me about growing up as a young man and the group of hunters he has gone with for years. There is a specific name for the “sport” but I am on a flight and can’t look it up. Anyway, this group of guys hunts BEARS!
I thought that was pretty hardcore because there are some huge Russian bears, but he went a bit more into detail. He explained the ceremony they went through and how they rolled out into the forest, shirtless with a giant knife (can’t remember the name but it was a specific type) and that was the weapon of choice. They also had another tool. Over the generations of people who hunted this way, they found that the best way to attack the bear was not to surprise them and jump from the trees but to stand directly in front of it. As the bear stands up, they place a long stick with a u shaped end under its muzzle. Once the stick is in place, the bear isn’t able to bring its body down. Not only does the bear have to fight from a position of disadvantage, but its own weight is starting to crush it as well. This brilliant tactic leverages the knowledge of the situation, the landscape of the attack AND the strengths and weaknesses of the attacker. In a position that requires me to attack AND defend on a regular basis there is something that is so elegant in the method’s simplicity. People planning to fight a bear would be likely to have a much more complex plan, but these folks have done it time and time again with a technique that just works. The more and more I imagined the act, the more I was amazed. I can’t even begin to imagine the mental fortitude it must take to grab the knife, shed your clothes and trounce into the forest looking for a bear to kill. I wouldn’t even make it out of the house. But, what is there to be learned by this act of heroic bravery (or insanity)?

Let’s apply this back to security. I feel like we spend a TON of time running as an industry. So many people are operating on the security principle of “We can’t be LAST but we can’t afford to be first” that the industry looks to be slowing down as a whole. Maybe it isn’t slowing down, but it feels like the gap is getting wider. I think this is shown over and over again with the growth of successful attacks/losses we are having year over year. I am not trying to be all doom and gloom, but it’s what I see when I take an honest look at the picture. It is no discredit to the hundreds of thousands of people working hard to fix it, but it is a comment on the overall vision (or lack thereof). If the method of outrunning the companies that were “slower” or “less secure” than us worked, why do so many massive organizations get owned every year? The fact is, there is more than one bear and there are way more than 1 other person running. When I look at it in that context, I have to think of it less like a footrace and more like a gladiator in the coliseum. The bears come from every direction, and it’s every person for themselves. Run or don’t, the bear is coming after you when IT wants to. You have no choice, and running more will only make you weaker. (Makes me think of the sniper joke “Don’t try and run, you will just die tired.”) So why do we continue to half ass the security programs to just be a little better than the next guy? It doesn’t matter. Your ability to defend as well as your competitors is irrelevant (unless your sales team is using it as a brand differentiator, and then you are either pot committed to be a stone cold badass in security *or a liar*). What IS important is knowing how you will react when it happens. Preparation is the key to the game. If you are building the program to BE attacked, you will have some idea what you are in for. If you are building it to pass an audit and thwart the skills of the indigenous compliance auditor, you may want to put your head between your legs and pucker.

In reality, it’s a DR game. You prep with DR by doing testing and learning from where it does not go as planned in the test.... Same goes with security. Except, most of the people out there prep for getting hacked by filling out some silly form or running some scan. /me shakes head. It just doesn't make any sense.
I’ll write more about prep later…. Just wanted to post this up after watching the bear comments and program commentary of @securityninja @marcwickenden @wimremes @daveshackleford on twitter today.

Oh yea.... think this sums it up:


Tuesday, July 19, 2011

British are coming

What is it about attacks that makes us forget the lessons history has taught us? I remember being in middle school/high school and talking about the American Revolution. There was a particular long winded speech in high school that still stands out in my mind today. The gist of it was that the British were the formal military power. They had all the money, training, weapons, technology, and they were THE DOMINANT SUPERPOWER. The worst part about that is that “WE” (America), a band of ragtag farm boys paired up with a few educated HEROES, were being oppressed by the controls of the British. The British were invading our privacy, taking our hard earned money for poor quality goods, and even forcing us into a state of servitude. This went on until every man, woman, and child was profoundly affected by their torment. When that moment came the farmers and heroes united and became one. This newly formed cadre of rebels was blessed as freedom fighters, and fight they did.

We all know the “STORY” that goes along, but the part that really stuck with me was the reasons we WON the fights. It’s fascinating to look at a time in history where a MASSIVE army was trounced over and over again because of technique and not technology. As the British marched in formal lines and fired only when commanded, they strutted in majestic red coats down the road like a true POWER. Every measured action was accounted for. From the battalion leaders to the common soldier, they were stuffed full of battle tactics and plans. Commands ran through their minds like a modern day quarterback and they went into every fight KNOWING they were going to win. With all that practice, all that planning, all the tactics, all the strategy, all the measure and approach, ALL OF THE METRICS VIEWED AND COMPENSATED FOR…. They got mauled. The streets ran red with blood. Outnumbered and fueled with the nervous rage of exercising their “LAST OPTION BEFORE BEING SLAVES,” the newly found group of “AMERICANS” hid in the bushes and waited for the right moment. In battles that were often 2-3 to 1 or more…. This group of poorly trained farmers was tearing through one of the most powerful forces on earth. WHY???? It’s all about technique.

The Americans did not play by “the rules.” They did not just wait in lines and fire at each other. They did not wait for the trumpets to sound or the gallop of their leader “requesting” them to FIRE. They did what animals do when backed into a corner… they fought. There were no rules or style that had to be followed. It was WIN or DIE. Failure was not an option. It was not on the battle plan. They used the element of surprise and guerrilla warfare to totally dominate the better funded, trained, planned, and universally educated opponent.

My question to all this was WHY did the Brits lose? I thought they were trained? I thought they studied war? Didn’t they have war colleges and schools and mock scenarios? Didn’t they practice for YEARS on end on the sea and on land to fight ALL enemies as they pursued global domination? Why didn’t the “standards of war” and formal protection/detection/attack/defense mechanisms work for them?

I actually asked my teacher about this and was EDUCATED on the spot. He looked me straight in the face and said “Remember how we talked about the Fall of Rome?” I nodded as he proceeded: “The GAULS completely abused the Roman army with the same techniques the Americans used in the war. The super power that was England was so focused on the rules they were making and the history they were writing that they forgot about the lessons the past taught them. They began to study ‘new’ ways of war and threw the history books aside. Kinda like some people I know.” I laughed as he made a squeaky voice: “HISTORY IS BOORING!” The class was floored. He stirred the pot even more (ps. he was my favorite teacher I have EVER had in a history class, or just about any class for that matter). He said, “Did you ever think that HISTORY is the only thing that could destroy or save a country as powerful as America… or England… or Rome or the many tribes before???” Just as the class jock chimed in with “No one can ever beat us! We have the most powerful military on the planet,” he responded, “Perfect!!!! Let’s write some musings *what he called our undefined papers, where we had to think on paper about a scenario that has historical relevance* tonight about America and war. Let me give you an example.” And he wrote one of the most profound things I had ever seen in a history class.

America   =   Vietnamese
   vs.            vs.
British   =   America

I don’t know how many of us got it… but those that did were physically different. HOLY $#@%. We fought in conventional war methods just like the British. We were invading someone’s homeland. We got mauled in so many battles we had to come home.


Let’s not forget the Vietnamese. They fought an unconventional war. They attacked from all angles and at any time. They had no rules. They played it to the bone and gave the world’s greatest super power a run for their money.

Sounds a bit like what we are experiencing with the recent attacks, doesn’t it? From the guerrilla warfare tactics of opportunistic attack to the mass difference in force, the attacks of today are nothing more than mirrors of a battle strategy that has worked for thousands of years. The “Surprise” and “Random” nature of these attacks goes a long way in effectiveness. Now, I am not saying they are random choices by the attacker, I think they are highly guided, but they are random in their execution. Take for instance the ability to scan Shodan or Google for a specific vulnerability. You are left with thousands of hosts and one of them may be your target. This is much different than going after a specific IP address or range, for that matter. The attackers are using intelligence to their advantage and they know the rules.

When should you attack a massive army? On Christmas, when they are all partying and have a “night off.”

Where should you attack a network with millions of dollars of defense and monitoring equipment? Wherever the opportunity presents itself.

In the infosec world we tend to put too much weight on our crusted perimeter and have a bit of a challenge when it comes to looking at the bigger picture. Not all of us can relate to war and its intricacies, but we can ALL relate to Offense and Defense in some way. If our environments were all in the shape of a house, we would have a massive and fortified roof. When the rain came, we would feel safe and sound that the roof was protecting us, until the drips began. Even then, we would see them as a “small issue” or something we could just “patch.” The water, on the other hand, would just find another way in. Being a homeowner, I have had this problem more times than I care to remember and it still happens today. Just last week, we had this torrential downpour in Colorado. Wind, rain and hail put my weekend patchwork to the test. As I came home from work that day I ran up to the attic to see if my efforts paid off. “YEAH!!!!” was echoed through the house as I cheerfully wiped the cobwebs off the caulked and patched over leak areas. I win….. right?

Well, I did as far as the roof was concerned…

But, then I was on the way downstairs and walked through my office. My heart sank as I could see the sagging wooden blinds. “Really?!?” Yeah, really. The window was open the entire time of the storm. The carpet was soaked, the windowsill and baseboards were trashed, the blinds were irreparable and, better yet, a TON of computer hardware was sitting in a nice neat container FILLED with water. But the roof was good. Actually, the roof was so good that the rain was pouring right off it into the window.

So, we do the root cause analysis (aka figure out who/what to blame) and see that my wife left the window open. *She claims that I did…. weeks before… but that is another story.* At the end of the day it was user error, or better yet… it wasn’t even error. It was the daily operational tasks of my house. If it is hot, open a window. If that doesn’t work, turn on the AC. If that doesn’t work... call a tech to fix the problems. Amazing how similar that is to the IT world, huh?
The part that gets me is that even if I blame her or me for leaving the window open, the real culprit is the design. Thinking of it that way, I had to go into infosec mode:

If my threat was water, I should have identified what its capabilities are.

Knowing its capabilities, I could try to plan for a defense that matched.

Once implemented, I could test with water, hose, pressure washer, etc…. and replicate the threat in same capability that the threat can naturally execute.

After that, I can identify gaps and remediate or plan accordingly for ones I simply have no control over.

This is the one that allows people to get lazy. Anyone can say, “I’ll leave a hole in the roof because if it damages anything, insurance will pay for it.” But as anyone who has had insurance claims knows….. it won’t REALLY pay for everything, and some things can’t ever be replaced. There are some folks on the other side as well. They respond “Well, I will just waterproof my house.” I can’t say I have ever seen it done successfully, but people sure do try. It is just the nature of houses, they leak. It’s not always the end of the world, but it does happen. It’s part of life and we ALL deal with it.

However, let’s not forget the people who are really “smart.” They smirk and answer the water dilemma with an over the top solution. “We will make everything in our house waterproof! Even if the roof leaks, nothing will ever get damaged.” It sounds great in theory, but after a look into the cost and side effects of its “protection” people tend to shy away from that one. They would rather just tell someone “SHUT THE WINDOW STUPID… IT’S RAINING!!!” than spend $1,000,000 waterproofing the room with the window in it.

This is where I REALLY laugh about our industry…

When we are attacked, we are begged to do MORE of the same thing. Just MORE of it. It’s totally absurd.

The happy powerful British march down the road and are ambushed. They are sacked quickly by the surprise fury of the attack. So, what do they do? Walk the same road with 3x the number of soldiers. Stupid.

We get attacked on our corporate networks because a vulnerability existed in a technology we implemented. So we implement MORE technologies to fix it? Ridiculous.

Yet.. if our house has rain wash in through a window, we have the good sense to close the window, move the items that are underneath it so that they are not damaged again, and we make a policy that says “If it is raining, shut all windows. Also, don’t put things near a window that can get damaged by water or other things outside the window.” What a BRILLIANT concept. Figure out what the issue is and actually try and avoid it.

Attackers are watching you! They know that you are too big or too busy to see them. They know that you, like everyone else, are human and will mess up. They also know that when you do, you will likely give them even more things to attack with your path of resolution.

All they have to do is wait for the right moment to attack.

Ok… enough doom and gloom… what do we do?

This is my favorite part. It is usually the reason that people will write on reviews after a talk “want more info on how to fix or what to do” or “Was entertaining but did not provide answers.” And so on… I love them because it highlights the issue at hand in its most pure form. We want a solution. We want a magic bullet. We want an appliance!!!!

“Here we have the Anti-lulz UTM DLP GRC Pro Advanced Platinum NextGen 3000. The ALUDGPAPNG 3k for short. This device uses the latest deep packet inspection technology combined with an advanced heuristic detection that makes lulz a thing of the past. No longer do you need 40 devices to deal with the issue of hackers making fun of you for poorly securing your network. This device combines the entire OSI into one wirespeed appliance that protects you from every single attack vector INCLUDING THINGS THAT HAVE NOT EVEN BEEN DISCOVERED YET!!!!”

Throw 500k at Gartner to put it in the magic quadrant, and I bet a million of those puppies will magically sell! Better yet, PROVE it works. Show demos of how you can replicate a sqli attack that lulz uses and show it crushing it with ease. Show how it can torch the clientside emails and detect that they have malicious attachments before any mail ever hits a user. Heck, show them some 0-day *maybe a juicy buffer overflow* that gives you GOD access to any device on the interweb, but the ALUDGPAPNG 3k nails it on a signature AND heuristic drop rule. Do all that and EVERYONE will have to get it. If they don’t, they will be treated like a toothless hillbilly and shunned from the RSA cool kid dinners. OOOH even better…. After you do all that, and other people copy its design, and you build a “market” called ALA (Anti-lulz Appliances), get a bunch of lobbyists to stuff it into a Compliance standard.

Awesome huh? Just remember to send me some $$ when you are rich from that one. Because everyone else who has used that method is rolling in cash. Yet NONE of them actually protect us.


Yea, think about it. If I have 1 device with 1 port open, I have a limited number of attacks. If I protect that device with another device that has 1 port open, my number of attacks has at least doubled. Even if it is a firewall or UTM or even the insanely secure ALUDGPAPNG 3k! It is still another vector for attack that was not present before. Just like the AV on your box: it may protect against some viruses, but it opens new holes for your machine to be compromised from. Look at how many boxes have been paved by an AV update, or hacked because of the AV company’s flawed command and control architecture.

If we can’t add more stuff what do we do?

“Complexity reduces security. The more simple the more secure”

This is something that proves true generation after generation. The designs that last, that are the most durable, most secure, and most efficient, are the ones that are the simplest.

Want to defeat an internet attacker? Don’t connect to the internet. Want to be safe from Adobe 0-day? Uninstall all Adobe products/code. The answer is actually quite easy. The hard part is where it impacts us. We can’t all run around and turn off all of our PCs. They make our business run. We can streamline though. We can leverage the ability to work smarter and not harder.

Let’s look at a few of these approaches:

Firewall rules:

We don’t NEED every port open. Pare it down to only what is essential. After that, try to trim it another 20% after you think you are as lean as you can get.

User rights:

No one needs to be an Administrator unless they ARE the administrator. If they need that level of privilege, maybe they should investigate a career in IT Admin? If they HAVE to have it, let em have it in an area where they can’t damage/touch things that are sensitive to the business. Options are awesome, especially when both work in favor of security and increase simplicity.

Overall protection:

We don’t need to protect everything! If the perimeter has holes that you can’t fix, throw some of that tech at it. Inspect it harder than the things you know you can protect against. Instead of blame… try education. When a user leaves a window open, let em know the damage it causes and teach em how to close it. It really isn’t that hard. They are not our biggest problem; they are our biggest asset.


How do you know all that “stuff” you bought is working? TEST IT!!!! You don’t know if it works, or if any of your training/policy work, until you test it?!?

Can we survive an attack:

Hire someone to attack you. No, I am not talking about shopping out a bid for the coolest looking penetration testing deliverable. I am talking about an ATTACK. Figure out who the top 5 adversaries of the business are and how they may attack you. THEN…. Have people attack you that way. Having a pentester attack you the way they know how just doesn’t cut it. With the cut rate budget pentesting shops out there and all the tool usage, those tests are damned near worthless. Do yourself a favor and make goals and tests that replicate a real world attack… and see if your “real world” defenses can handle it. Most environments are built to survive the attack of an auditor/pentester… not of a real attacker. How can you tell? Well, an attacker reads mail spools, harvests accounts, uses valid forms of access, doesn’t remain in interactive shells, and overall has a low to minimal footprint. Auditors have HUGE footprints, leave tools and detectable items running, use commercial or open-source binaries, run scanners, and love interactive shells like mosdef, meterpreter, and core shell.
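The loud-versus-quiet footprint contrast above is the thing worth testing your detection against, so here is an added example (my own illustration, not code from the original post) that runs a small triage pass over constructed log lines: it flags the noisy, auditor-style sources (many ports probed, bursts of failed logins) separately from the quiet pattern the post describes, a valid login for a known account from a source that account has never used. The log format, hosts, accounts and the baseline of "usual sources" are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample log lines (not real data): a port sweep from one source,
# a burst of failed logins from another, a single clean login for a known
# account from a source outside its baseline, and a normal baseline login.
SAMPLE_LOGS = """\
fw src=198.51.100.7 dst=10.0.0.5 dport=21 action=deny
fw src=198.51.100.7 dst=10.0.0.5 dport=22 action=deny
fw src=198.51.100.7 dst=10.0.0.5 dport=23 action=deny
fw src=198.51.100.7 dst=10.0.0.5 dport=25 action=deny
fw src=198.51.100.7 dst=10.0.0.5 dport=80 action=allow
fw src=198.51.100.7 dst=10.0.0.5 dport=443 action=allow
auth user=alice src=198.51.100.22 result=failure
auth user=bob src=198.51.100.22 result=failure
auth user=carol src=198.51.100.22 result=failure
auth user=dave src=198.51.100.22 result=failure
fw src=203.0.113.9 dst=10.0.0.5 dport=443 action=allow
auth user=alice src=203.0.113.9 result=success
fw src=10.0.0.20 dst=10.0.0.5 dport=443 action=allow
auth user=alice src=10.0.0.20 result=success
"""

# Constructed baseline: the sources each account normally authenticates from.
BASELINE = {"alice": {"10.0.0.20"}, "bob": {"10.0.0.21"}}

SCAN_PORTS = 5      # distinct destination ports from one source = scanner-like
SPRAY_FAILURES = 3  # failed logins from one source = spray-like
QUIET_EVENTS = 3    # at most this many events from a source and it is still "quiet"


def parse_line(line):
    """Turn 'kind k=v k=v ...' into a dict with a 'kind' key; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"kind": parts[0]}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        rec[key] = value
    return rec


def triage(log_text, baseline):
    """Return {src: {"footprint": "loud"|"quiet", "reasons": [...]}}.

    "loud" is the auditor/scanner footprint the post describes; "quiet" is a
    low-volume source that used valid credentials from outside the baseline.
    """
    ports = defaultdict(set)           # src -> distinct destination ports
    failures = defaultdict(int)        # src -> failed login count
    events = defaultdict(int)          # src -> total events seen
    new_source_logins = defaultdict(list)  # src -> users logged in from outside baseline

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "src" not in rec:
            continue
        src = rec["src"]
        events[src] += 1
        if rec["kind"] == "fw" and "dport" in rec:
            ports[src].add(rec["dport"])
        elif rec["kind"] == "auth":
            if rec.get("result") == "failure":
                failures[src] += 1
            elif rec.get("result") == "success":
                user = rec.get("user", "")
                if src not in baseline.get(user, set()):
                    new_source_logins[src].append(user)

    findings = {}
    for src in events:
        reasons = []
        if len(ports[src]) >= SCAN_PORTS:
            reasons.append(f"{len(ports[src])} distinct ports probed")
        if failures[src] >= SPRAY_FAILURES:
            reasons.append(f"{failures[src]} failed logins")
        if reasons:
            findings[src] = {"footprint": "loud", "reasons": reasons}
            continue
        # The interesting case: valid access, few events, unfamiliar source.
        if new_source_logins[src] and events[src] <= QUIET_EVENTS:
            users = ", ".join(sorted(set(new_source_logins[src])))
            findings[src] = {
                "footprint": "quiet",
                "reasons": [f"valid login for {users} from a source outside baseline"],
            }
    return findings


if __name__ == "__main__":
    for src, finding in triage(SAMPLE_LOGS, BASELINE).items():
        print(src, finding["footprint"], "; ".join(finding["reasons"]))
```

A test of your monitoring that only ever produces the "loud" bucket is the auditor-shaped test the post warns about; the quiet bucket is what the emulated adversary should be producing.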

Monday, June 27, 2011

Customer Wow Factor = 100, Customer Value Factor = 0

The Netragard guys have an interesting post on their blog. Due to an *extremely* limited scope they ended up creating a USB switchblade/rubber ducky/USB keyboard HID/personnel autopwner. They called it a Hacker Interface Device (HID).

I don’t want the rest of the post to take away from the coolness of them building that, it’s friggin cool, and I want to hook a brother up [1]. But why, of ALL the options that exist to break into a network, were they forced to go that route? Now they mentioned "a rather restricted scope" and go on to say:

"The scope included a single IP address bound to a firewall that offered no services whatsoever. It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas"


"With all of these limitations in place, we were tasked with penetrating into the network from the perspective of a *remote threat*"

They didn’t go into detail on whether the client had a class B of crap and it was just "off limits" or if they really just had 1 IP with no services acting as the company’s NAT'ing gateway. I've been there (I had one client that had their outbound proxy (offering no services) and a static html site and that was it). They also didn't go into detail on why phishing or telephone SE wasn’t allowed or why merely walking into the facility was also not possible/allowed.

Maaaaaaybe both of those options were technically or financially infeasible to the average bad guy ( or maybe just for the *remote threat* they were emulating) and spending a few hours/days building a hardware device to snail mail to users was more “feasible” or maybe the client sat around and tried to figure out the least best way to spend their security budget. I don’t know.

I do know that unless there were some extreme extenuating circumstances, the role of the attacker they were forced (but really more agreed) to play was a flawed role. I think it’s unrealistic to think that someone wanting to get in to a company’s digital infrastructure will spend hours/days making a tool/device, mail it to some users, and wait an undetermined amount of time to plug in and pwn users as a first course of action instead of just phishing someone (need proof? --> RSA, Aurora, Sony). I’ll leave out the GIGANTIC trail leading back to the attacker by snail mailing anything (would you send something that critical without delivery confirmation?) [2]. Again, not to downplay the coolness of the HID, it’s very cool, too bad the client didn’t allow them to spend that time and creativity figuring out multiple plausible attack paths to break into their site vs one really neat but not the path of least resistance (and therefore most probable) attack vector.

Attackers tend to keep as far away from physical items for use in their attack as possible. Attackers use coffee shop or hacked wifi, TOR, and multiple VPNs as a means of providing as little digital forensic evidence as possible, which isn’t hard to do, as law enforcement is still figuring out digital forensics. On the other hand, physical forensics is an ancient art. It’s doubtful the Netragard guys used rubber gloves while creating the device and boxing it. Did they pay cash for the items they made the device out of? Did they have their phones on them if they went to a store to purchase the items? Even if they paid cash, phone records could put them at the location of purchase. Was there any sort of trail that someone with resources could use to trace back to them? These steps weren’t mentioned in the post, and if they were truly trying to help the client with such an attacker (essentially the mindset of a bomb maker) there would be a lot more steps involved, vice ‘look what I can do’.

We need to do our best as security professionals, as people that sell security services and as people who give advice to do away with asinine scope restrictions like the one mentioned above. Scopes like this one provide little value to the client because it isn’t how 99% of the attacks against them will happen. Protecting against an attack that will happen 1% of the time just isn’t cost effective. (Perhaps all the normal paths of entry have been thoroughly tested and mitigated against and the client really needed a creative approach to breaking in, but I doubt it.) If the ease with which companies have been getting owned lately has not clued everyone in to the overall lack of testing and security posture, I'm not sure what will.

However, I don’t think it’s the testers that are lacking, or even a lack of methodology on how to go after clients; that stuff is out there. How "APT", "determined bad guy", "buzzword term" have been breaking into these companies is WELL documented. What testers are lacking is the backbone to stand up and tell the client that testing with that type of scope is highly unrealistic relative to the actual risk and the threat they are facing, and that their money would be better spent doing X, Y or Z instead of some silly unrealistic scenario where the client gets to control the outcome, or one so obscure that it’s going to happen 1% of the time, if ever, and thus is promptly ignored by management.

Nickerson (and others) have said it many times "Attackers don’t have scopes" and as much as possible neither should your testers.

[1] Actually Darren from Hak5 did hook me up with a demo one and it’s awesome:

“The HID attack is a lethal favorite as it exploits the inherent trust between man and machine. Since sharing our proof-of-concept with Irongeek at Shmoocon we have been excited to see a new era of physical attacks evolve. After months of R&D we know everyone will soon share in our excitement as we debut the Hak5 USB Rubber Ducky - the next evolution of the USB Switchblade platform. --Darren Kitchen”

[2] I had a lengthy discussion about whether you’d actually insure/delivery confirmation your payload. The person said no one would do that because it’s “CSI Miami Dumb”, which I agree with, but I can’t imagine that if you were to place your success of breaking into a company on a snail mail/user assist attack you wouldn’t find some way to know if the package even made it to the target or not. Arrived and target didn’t plug the device in is way different than device getting lost in the mail. I’m positive the boss of the guy responsible for the operation would want to know too :-)

Sunday, June 19, 2011

How does your network stand up to a determined attacker?

Attacks on large organizations (RSA[1][2], Google & Others [3], DuPont[4], Lockheed Martin[5]) have given us a glimpse into the underbelly of targeted attacks.

To be clear, every mom and pop shop should not live in fear of a targeted attack/industrial espionage threat, but a lot of companies do face this threat. If you make something that would be cheaper to steal than reverse engineer, or if beating your competitor to market means the difference between a profit this year or not, you’re in the zone for some entity to decide to come after you and take it.

Recently at BlackHat DC and Shmoocon, Sean Coyne and Ryan Kazanciyan from Mandiant gave a great talk titled “The Getaway” [6][7] and it covered some of the methodologies and tools that Mandiant felt were common enough to talk about in public. McAfee also released their “Night Dragon” paper [8] which discusses “APT” style attacks and techniques.

Image (modified) from: McAfee’s Global Energy Cyberattacks: “Night Dragon”

Step 1 varies; typically some sort of client-side attack is involved, but remote and web attacks are definitely a possibility (why waste your client-side 0day when Metasploit will get the job done).

Steps 2-5 are important, as traditional penetration testing rarely delves into enough detail to adequately test detection and response once an attacker gains entry into a network or moves laterally within it. Instead, most companies focus on forcing their consultants into a guided test where they control the outcome via various scope restrictions or "goals" that don't represent things attackers typically go after.

Companies with something to lose need to sit down and ask themselves the hard questions of:

How educated are your users against social engineering and phishing attacks? (Does your program work?)

How far can an attacker go with a user level shell gained via Phishing or SE? (Do the fancy boxes and IDS analysts actually work?)

Do you know what data on your network is most important? (What makes you money?) If yes, can you identify the controls in place to protect it? When did you test those controls in real life and not just on paper?

Is that data properly protected? (Are you doing anything to protect it? Hint: Windows permissions don’t count.) Have you tried various exfiltration methods to see if they work?

When was the last time you allowed someone to try to get it? (Did you throw vulnerability scanner X at it and call it good or do you just laugh and say “yep if they got access we would be f**ked”?)

Thursday, May 26, 2011

A Passion for Protection

I have seen articles that dance around the topics of “ how to hire in security, how to GET hired, who you should hire…picking a good consultant…finding the right tester...etc….” but it all looks the same. Surely, in this day and age we aren’t using the same “solution” we have used FOR EVER in the interview process? You know… The same type of interview that allows us to turn the candidates into numbers, weigh their pros and cons, and decide based on a formula that best suits the needs (pocketbook) of our company at that time. To me, this is a crock of S*it. It demoralizes and devalues the special sauce of every brand on the market. It is the antithesis of what great companies were founded on. You don’t get to be a household name without a passion, a drive, a level of innovation and an insatiable hunger to succeed at all costs. You do not get to be amazing because of the notes you took or the forms you filled out. You do not get to LEAD an industry until you have taken the beatings at the bottom and shown that you have a will to give it all for another shot. When all is said and done, you should be working for a mindset and not a “company”. You should work for a dream that YOU believe in; not because you are brainwashed but because it is YOUR dream and the company is there because there are others that share some of the same dreams. If you don’t…. pack up your bags today. You are not going to be happy. You are in your job (and probably hate it) as a slave to the money. There are other ways to be wealthy and happy, but I’ll get to all of that some other day…

Much of my thinking on this subject has been recently sparked by the last 3 years of business at LARES. What started off as a leap of faith has become a way of life. We have a very unique dream that we pursue. It is not just marketing or some type of slogan; it is the way the business IS. Our dream was to have a security company that connected people. I am not just talking about the type of connection you make when someone signs off on that sales-laden template Statement of Work, I am talking about true connections. We create all of our services and interactions around Connections. Our job is to reinvigorate companies through that connection. We focus on connecting people, feelings, passion, ideals, goals and most of all business “dreams.” This may sound odd due to the corporate mumbo-jumbo we have all heard over the years, but I guess we still look at it with a fresh set of eyes. Almost every business I have ever had the pleasure of working for or even meeting with has had a dream. They call those dreams “mission statements” or some other catchy term that removes the playful aspiration and passion of the people that created the idea. Once those passion-driven aspects are killed off, they lay on the political correctness and a heavy dose of marketing and POOF… the Corporate Mission Statement arrives. At least they are still stating their dreams. They are putting it out there for all to see and hear. “We WILL BE the best….”

Mission Statements are amazing documents that most people don’t give two thoughts about in the security industry, but it is the CORE of the business. It is the single most important asset that company has ever had or will have. It is an all-encompassing look into the soul of the company from where they were to where they will go and their drive to get there. It’s not just some catchy phrase, it is the echoing voice of the passionate few who risked it all to pursue a dream. Even though the company has grown by leaps and bounds, that one statement is a line in the sand. It is a promise, and our job is to help our clients KEEP that promise.

I have had the pleasure of having a business partner (Eric Smith) that was willing to go all in on a dream, and it has been the most rewarding thing I have ever done in my career. Since starting LARES, we have had our hard times, our struggle with a new business, and our successes. We have taken endless lumps and will surely take more because we WANT to learn. Every hard time has come with a new thing to learn and a realization that we haven’t even hit the tip of the iceberg yet.

We are committed to our dream and are unreasonable in its pursuit. We have had some amazing experiences with talented engineers and technical merit that far exceeded our expectations, but the one thing that keeps us who we are IS THAT DREAM. It’s funny to think that all of these years I had it backwards. I was interviewing our teammates, testing their skills, and trying to find someone that would “Fit” the business I was in without ever really thinking about why it didn’t always work. There was always some excuse: “bad time, bad person, bad position, bad fit, not tech enough, not socially skilled enough… and on …and on.” It didn’t dawn on me that I was doing it totally wrong for our business; it was how I was taught. Promote/Hire/Fire the engineers and share your goals/solutions with the customers to find the right fit. Little did I know that all I had to do was turn it around. By having teammates that shared common goals/solutions and levels of comfort… the “dream” was protected. Not only was it protected, it was fully supported, strengthened and totally re-imagined. They weren’t just good practitioners, they were pioneers that were pursuing THEIR dreams. But what about the other side, the customers?

Instead of playing like I knew, I asked our clients. “Why did you choose us? What did you like? What didn’t you like? Why and so much more.” The most common response I heard from them was that our PASSION was obvious. We loved what we do and every time we do it. It was a huge moment for me. It was not our deliverable, or how much we could do better or price or anything else *even though those were mentioned in a few.* The overwhelming majority told me that if it were not for our PASSION it would have never been the same. We also got another comment that threw me for a loop. “You guys are brutally honest, there is no BS, just the reality of what it is.” This one got me worried. Were we too hard on them? Were we not political enough? Did we offend them? What do we need to do to change?

Oddly enough, many of them told us it was a compliment. Sure it hurt a bit to hear from us the way we presented it, but it was also the first time that people WERE honest with them. That just broke my heart. A profession that is about testing people and using the truth as a motivator for growth was plagued with lies, sales tactics, and the sugar coating that even after the 9th hack…. SONY is still OK. These responses and feedback changed our business forever. We didn’t want to play doctor and hand out the pills our patients requested. We wanted them to get EVERYTHING they could from our time together. Whether 10 min or 10 months, we were unrelenting and would ONLY give 120%. If they wanted less… we would realize that it was just not the right fit. It was not the right “connection.” We started to expect our customers to be just as committed as we were to OUR dream and to THEIR business's dream. We made it clear that we were there to help them keep a promise they made to protect the business' dream at all costs. Oh boy was that a rocky ride. Try being on a “sales call” where someone wants to do a multi-week external pentest because they want to know if they can get hacked… and you ask them “have you ever had a virus?” Then when the person on the phone laughs and says “Of course,” politely explain that they have proven they can get hacked quite easily… and ask why they need to spend tens of thousands of dollars to prove what they just told you as a truth.

The sales people come UNGLUED… but hey…. I guess that is why we don’t have any sales team =)

Now in that same scenario you may find out that the whole reason for the test is to show a connection to IMPACT and what COULD happen… or maybe you find out that they really want to create a defensible business posture and don’t know where to get started… or maybe you find out that they just need to check a box because “PCI SAYS SO.” By doing more than taking orders and getting to know their business and goals, you get to understand THEM better and you have a whole new connection. Now the interview has flipped and the asset you are trying to “bring on board” or “see if they are a right fit” is the CUSTOMER! Yep, that’s right…. We started interviewing our customers to see if our passionate approach met up with their needs. If it did, we brought them on to the team and gave it all we had. If not, we parted ways. If they were part of the first group and worked with us to inspire and create… they got promoted. These customers are the cream of the crop and deserve to be treated that way. They forced us to work harder every time and the sweat we broke was attributed to the countless hours they spent on their end. The job did not have to be bigger, or more $$, or anything like that because we got to connect with the results. All of the work put in during our first encounter was reflected back to us and the real connection was proven…. Not just “signed off on.”

Let’s face it, most of us have had a bad date before. We knew it was not going to work out from the moment we started talking yet we forced onward. We purposely continued on and put the other member through as much misery as we “knew” was going to happen to prove ourselves right. How disrespectful. Everyone is different; everyone has different goals and a million ways to go about them. Rarely are any of them wrong… and even if they are… who are we to judge? The truth is, we want customers that feel just as good about us as we feel about them. We want a connection to be made that will let us get past all of the politico and get down to WORK. We never want to waste their valuable time just to try and compete for a job that they or we will go into with serious doubts. We want to work WITH not just FOR each other.

Conventional security sales practices never delivered (why do you think more companies lose more $ and get hacked more EVERY YEAR?), the “Real World” is just a TV show, and planning is guessing. The days of menu-based security services will live long in the eyes of the services giants who have 1000s of mouths (shareholders/engineers/sales and more) to feed and an ever increasing need to grow sales. Their pockets will run flush with the spoils of their marketing campaigns and their emotionless sales team execution. The robots will trudge on to underbid, overpromise, and upsell without a single reference to the fact that “SECURITY” is a feeling. They will respond to your RFP even if they can’t stand you. They will cash the check hastily as they squirm to leave your presence and come back next year for more because they can’t afford NOT to. The more they see you, the more they can hire, expand and do what every business school taught them: “grow the business” *note… not grow YOUR business*

…but that’s not how this work should be done/won?!?!

Precisely! It isn’t. Then again, we don’t work. We do what we do, because if we didn’t get paid for it we would do it anyway. This is something we LOVE. This is not just a job this is a way of life for us. With every experience we share we get a new perspective and experience in return. We make connections between our company and theirs. We build bridges between teams and show them how other bridges can be burned. We trade our experience and passion for the ability to experience and protect their dream. Not for them….with them. With that in mind, we have made a commitment to “never hire again” in the conventional sense of the term.

This week, it is an honor to live up to that commitment and welcome Chris Gates to our team. We have spent YEARS talking about the industry we are in and have always shared similar goals/dreams. We have laughed together at the countless hours spent talking about how to change and never changing. Chris has many tools that he brings to this trade but his biggest asset is his passion. His passion to help customers and peers alike is something that can never be taught or interviewed for. He joins the team not just as a member, but as another passionate professional… willing to risk it all… for a shot at making it better. Eric and I may have been founders for 2 years but Chris’ addition gives us the ability to once again reimagine a dream that 3 of us share instead of 2. Partner, Owner, Engineer, Expert, Sr., Jr., Janitor or whatever title he chooses will be just another name. The real job he has made for himself is the same that many of us were told to pursue when we were little: “To follow a dream.” I am excited to see this new addition to LARES and echo the excitement of our customers in knowing that he will help shape the future of our business. Like watching any talented sparring partner/coach, I am even more excited to see the new heights he will bring our amazing customers to.

Tuesday, April 19, 2011

We are at War (part1)

*So... I am sitting here at Infosec World and listening to the crowds chatter... I am preparing my talk for Thursday and decided this would be a great time to ignore responsibility and puke out what was on my mind... here ya go*

In a time where times are tight, oil/gas is on the $ rise and we are in more wars than we have ever been in at one single point in time... what could we do to help ease our pain? OOOHHH I got it! MORE WAR! Yeah! That's the ticket.

Cyber War? hahah YES. In my use of that term here (which I hate) the war is with ourselves. It is not against the "hackers" or the "Country that is attacking us" or even with the generic bad guy we all have been protecting ourselves against all these years. The war we are in is against logic. It is against reason. It is against the "rules and guidelines and best practices" that we made up. This war has a doctrine called "Compliance" and it is forcing the most impressive civil war that I have ever seen. We spend our time reading the sheets, identifying all of the "stuff" we need to do and buy... then we ready the troops. We sit them on our enterprise front lines and tell them to hold fast because the enemy is on the horizon.

On the other side, armed with a mass of paperwork and generic process, dressed in $300 suits and straight out of college... the enemy amasses. The 2 forces peer down the perimeter and sweat the first shot to be fired.

The Standards committee waves the battle flag stained in corporate checkbook ink and the tears of business owners world wide while the charge ensues. Rocketing down the battlefield with the latest terminology, the Arch Angel of FUD triumphantly echoes behind them. It cries out "We are here to help you! Don't resist. We will keep you safe from the bad guys that are coming! Join us and become part of the standards that will save your business from the fines of your compliance gods!"

The corporate soldiers tremble in fear, knowing that the only option they have left is a life of compliance based indentured servitude or...even worse..... they face an attack... SO GREAT... SO POWERFUL... SO ENCOMPASSING... that it will crush them like an egg shell. The CxOs and managers tone the lines for impact, letting them know that if they "pass" the initial attack.... they won't have to fight for another year. They will reap the spoils and the pride of victory and they will eternally live in the light/favor of the compliance gods. Teeth grit, eyes squinted and fingers ready... they slam together for the first real fight they have ever been in. They revert to survival mode. Lie, cheat, steal, kick, scratch, punch, gouge and even RUN.... they fight to survive. They endure more pain, and more instantaneous financial pain, than they ever have in the history of their company.

Mopping their tears and bandaging their wounds with the pounds of paper delivered in the report, they rejoice. They have survived the battle but the war is far from over. Their reward: a small lull in externally forced work, and being allowed to go back to their day job... working 60 hour days turning the cogs of the infrastructure and protecting the reliability of the company's paychecks.

So, what did they gain from this epic contest? A little stamp to let them know that the attack will occur again. Same time, same place, same channel.

But wait, there's more....

The executives get a special perk. The sales team on the opposing side promised them the spoils and they delivered. They get a report, a shield of honor and security; they become a shining beacon of light in an industry of companies that are non-compliant and getting hacked on a regular basis.

But wait... there's more...

The biggest benefit of all: the safety blanket provided by the reams of paper trucked in at the end of the battle has given the most powerful gift of all time.

They won't go to jail for negligence. The industry won't mock them IF they get hacked... because THEY were compliant... THEY survived the war... THEY WERE PROVEN SECURE by

THAT FIRM -> as they swiftly point out their auditor post-breach.

It's their fault.

Wait... it's not? WELL THEN...

It's "Tim or Sally's fault!" YEAH!!!! Those terrible employees who forgot to install the patch.. or clicked the email that allowed our technology to be leaked all over the planet and invalidate security for millions of users world wide.... BASTARDS.... THEY DID THIS TO US....

*good thing we can fire them to revitalize our stock prices and get back to where we were* Whew.

But what about the real attacker? Lurking in the shadows. A guerrilla warfare expert that does not hold the line of a charge. An adversary that does not announce themselves with a fanfare of clanging calculators and a blinding array of merit badge adorned bright red coats? What about them?

All that compliance, all that strife, all that training we did to get READY for their attack will surely help us... won't it? We did that because they told us the bad guys were coming... that they were attacking businesses all around us... that they were pillaging the weak and laying waste to the "insecure."

What will we do when their evil eye turns to us? Will we be ready? Will we fight with bravery and honor..... or will we perish like so many others have in the past..... or ....have they already won?

We all know or are getting to know how to fight an auditor. Compliance is TRAINING us to fight an auditor. Frankly, we are getting good at it.

We are at war people, and we are paying the very attackers that keep us up all night with worry.. because without that badge they provide.... we don't have any idea what will happen.

So saddle up the troops for the yearly audit and get ready for the lines to crash again, because by god(s) we inflict this pain because WE LOVE YOU. WE CARE...

While the sweat sheds and the tickmark legends are frantically checked... the real threat lies in wait. Reading the reports and laughing... analyzing the compliance regulations like an opposing team would analyze the other team's "defense play book" and waiting for the opportune time to launch an attack. They may be small but the element of intelligent surprise is so powerful it will allow a small group to fight their wealthy adversary and take over a city, a state, a colony, and even the world.

Knowing that, where do we go from here?

Tuesday, April 5, 2011

Why can't I just buy a motorcycle without WORK interfering?

It seems that Information Security is something that is not only my profession but ingrained into every little thing that I do. Not to say that I am conscious of it or even attempt to CLAIM that I am secure, but it pops its ugly head up in the most conspicuous places.

This past Friday (April 1st 2011) I decided that I would go test drive a 2011 Ducati Diavel.

This is the motorcycle I have been looking for. It fits the silly criteria I have put forth to restrict myself from buying such toys. Leave it to Ducati to come out with what I was dreaming of as a hybrid "Cruiser/Sport Bike." Well, they did it and it dragged me straight into the dealership a few days after its release to the public. The bike is a muscle bound sprinter that is dripping with technology. It has a FULL light-sensitive TFT screen, multiple different riding modes (changes the bike's stance, compression, engine tune, shocks, and even shift points), and just about every other gadget you could throw on a stock bike (ABS, traction control, and MORE). This is the Geek Muscle bike of my dreams...and I was in awe.

So, after an extended stare at it I decided to take the bike for a much anticipated test drive. The salesman gladly handed me a few papers to sign and off I went. The bike was AMAZING. Not only does it have enough tech to make an ADD security guy like me completely enamored, but it will quickly bring you back to riding with its 162 horsepower roar. I was in pure motorcycle bliss. Crushing speed-limits in 2nd gear with a smile stamped on my face and 87 degree Denver air whisking by. I was sold. On my way back to the dealership I stopped by one of my good friend's houses to get a second opinion before I put down the deposit. After turning the bike off (via the On/Off electronic button) I went to grab him from the house but he wasn't home. So, I hopped back on the bike and was headed back to the dealership. Except it wasn't that easy.

I got on the bike and hit the start button. The pretty screens fired back up with an electronic buzz and the TFT read "password" and showed 4 spaces. (It was located where the "riding mode" is shown on the pic below.)

"Great...a password...arrgh... just like work" was the first thing that rolled through my head. I call the dealership to see if they can help me out and hand over the password. Just my luck, it was the end of the day and their phones had already rolled over to voice mail. Needless to say, my message was not very pleasant.

So, like any InfoSec type.. I start my assessment. (The work on PTES recently has kept me on the method side of practice.)

#1 Find the key (looked all over... no key... damnit... must be one of those proximity keys... maybe it is under the seat.)

#2 Try and open existing areas that require the key (well, jigglers are not much use on a side-dimpled lock/key... but I felt around a bit to see if there was anything obvious I could spring it with... no dice)

#3 Guess the PW ("Hrm, these aren't security people.. let's try the standards. 0000, 1234, 4321, 1111, 9999.. nope... maybe some that are bike or location specific... 0303, 3030, 0720, 7200, 0666, 6660, 9990, 0999... and so on... trying other Ducati model #'s and things that may represent my location or even the bike *hence 666-Diavel*...) STILL NO LUCK

#4 Bypass (I rooted around the bike for about 20 min trying to see how the ignition worked. Of course... I could trace the mess of wires back to an area that required tools not present at the time... so no luck there)

Stuck and unable to do much more, I called in some backup. My wife was on the way to the dealership and Ryan was on the keys trying to ask the interwebs for the password. There was nothing out there in a quick search that he could find. *Oh yea.... I didn't have my phone with me so I was doing this all through a neighbor's cell*

Finally, after almost 2 hours, the phone rings. It's the dealership. In haste I say "What is the password?" and they walk me through it. The password is 1375... a number that seemed familiar. The bike fires back up and I am back on the road towards the dealer. As I arrive the salesman is standing out front with a long face. He calls out:

Sales Guy (SG): "Man, I am sooooo sorry. I should have told you about that password. One of our techs lost the key so we have had to run it with the password instead of the key."

Great... now I care more about the security of the bike... than the discount I could have negotiated from being a pissed off customer. I respond:

Me: "So, you run this without the key?"

SG: "Yep, if you have the key the password screen just doesn't show up.. but it's an awesome feature if you ever lose a key or something. It is set up that way from the factory."

Me: "Um, yea... or if someone wants to steal your bike and guesses your password"

SG: "I suppose that's true"

Me: *looking over the bike again and seeing why 1375 is familiar* "Huh, the code is the last 4 of the VIN"

SG: "Well, lemme tell ya something *as he shields his mouth like he is telling a secret* ALL OF THESE BIKES USE THE LAST 4 OF THE VIN AS THE PASSWORD. THAT IS HOW THEY COME FROM THE FACTORY"

Just then, you can see my wife's face drop and look at me... as if to say.. " I CAN'T believe that you just told HIM that!!!"

Me: "Can you change the password?"

SG: "We have a call in to them on that, but as of right now there is no option"

Me: "Holy $#it, that is horrible."

I was blown away. Now I sit there with the bike of my dreams and it is tainted with a trivial flaw which could allow for its theft. What to do? Well, sad to say, I walked away. I needed to feel out mitigation options for this fundamental flaw.

Just to be sure, I checked this out with a few other Ducati/security fans. It seems it is true. Ducati in ATL: 1 of 1 bikes started. Ducati Dallas: 2 of 2 started. Ducati London: 1 of 1 started. Boy oh boy, were the salespeople and others surprised to see them fire up.

With the right mindset this could be an AWESOME feature. 2-factor auth to start my BIKE!!!! HELL YES!

In the name of convenience, like most other failed security controls, we are left with a 4-digit password between the criminal and the 162HP prize.