<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5124364383139248505</id><updated>2011-11-23T17:31:36.952-07:00</updated><category term='insecurity'/><category term='browser exploit'/><category term='education'/><category term='security testing'/><category term='breach'/><category term='social engineering'/><category term='protect'/><category term='client side'/><category term='security'/><category term='assess'/><category term='War'/><category term='brittish'/><category term='hacking'/><category term='eartland'/><category term='audit'/><category term='life'/><category term='phishing'/><category term='data loss'/><category term='first post'/><category term='pentesting'/><category term='security industry'/><category term='infosec'/><category term='tactics'/><category term='credit card'/><category term='anon'/><category term='lulz'/><category term='training'/><title type='text'>LARES BLOG</title><subtitle type='html'>The world of security changes at a rapid pace and so does the community within it. Some are inspired by new techniques, new technologies and new toys; We are inspired by just about everything we encounter. 
Whether it's a new job or technique or just a thought on vacation, this is a spot for us to let it rip.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.laresblog.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>11</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-5224063816253741771</id><published>2011-07-19T05:41:00.004-06:00</published><updated>2011-07-19T15:42:42.471-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tactics'/><category scheme='http://www.blogger.com/atom/ns#' term='brittish'/><category scheme='http://www.blogger.com/atom/ns#' term='lulz'/><category scheme='http://www.blogger.com/atom/ns#' term='War'/><category scheme='http://www.blogger.com/atom/ns#' term='anon'/><category scheme='http://www.blogger.com/atom/ns#' term='assess'/><category scheme='http://www.blogger.com/atom/ns#' term='protect'/><title type='text'>British are coming</title><content type='html'>What is it about attacks that makes us forget the lessons history has taught us? I remember being in middle school/high school and talking about the American Revolution. 
There was a particular long-winded speech in high school that still stands out in my mind today. The gist of it was that the British were the formal military power. They had all the money, training, weapons, technology, and they were THE DOMINANT SUPERPOWER. The worst part about that is that “WE” (America), a band of ragtag farm boys paired up with a few educated HEROES, were being oppressed by the controls of the British. The British were invading our privacy, taking our hard-earned money for poor-quality goods, and even forcing us into a state of servitude. This went on until every man, woman, and child was profoundly affected by their torment. When that moment came the farmers and heroes united and became one. This newly formed cadre of rebels was blessed as freedom fighters and fight they did. &lt;br /&gt;&lt;br /&gt;We all know the “STORY” that goes along with it, but the part that really stuck with me was the reason we WON the fights. It’s fascinating to look at a time in history where a MASSIVE army was trounced over and over again because of technique and not technology. As the British marched in formal lines and fired only when commanded, they strutted in majestic red coats down the road like a true POWER. Every measured action was accounted for. From the battalion leaders to the common soldier, they were stuffed full of battle tactics and plans. Commands ran through their minds like a modern-day quarterback’s and they went into every fight KNOWING they were going to win. With all that practice, all that planning, all the tactics, all the strategy, all the measure and approach, ALL OF THE METRICS VIEWED AND COMPENSATED FOR…. They got mauled. The streets ran red with blood. Outnumbered and fueled with the nervous rage of exercising their “LAST OPTION BEFORE BEING SLAVES,” the newly found group of “AMERICANS” hid in the bushes and waited for the right moment. In battles that were often 2-3 to 1 or more…. 
This group of poorly trained farmers was tearing through one of the most powerful forces on earth. WHY???? It’s all about technique.&lt;br /&gt;&lt;br /&gt;The Americans did not play by “the rules.” They did not just wait in lines and fire at each other. They did not wait for the trumpets to sound or the gallop of their leader “requesting” them to FIRE. They did what animals do when backed into a corner… they fought. There were no rules or style that had to be followed. It was WIN or DIE. Failure was not an option. It was not on the battle plan. They used the element of surprise and guerrilla warfare to totally dominate the better funded, trained, planned, and universally educated opponent. &lt;br /&gt;&lt;br /&gt;My question to all this was WHY did the Brits lose? I thought they were trained? I thought they studied war? Didn’t they have war colleges and schools and mock scenarios? Didn’t they practice for YEARS on end at sea and on land to fight ALL enemies as they pursued global domination? Why didn’t the “standards of war” and formal protection/detection/attack/defense mechanisms work for them? &lt;br /&gt;&lt;br /&gt;I actually asked my teacher about this and was EDUCATED on the spot. He looked me straight in the face and said, “Remember how we talked about the Fall of Rome?” I nodded as he proceeded: “The GAULS completely abused the Roman army with the same techniques the Americans used in the war. The superpower that was England was so focused on the rules they were making and the history they were writing that they forgot about the lessons the past taught them. They began to study ‘new’ ways of war and threw the history books aside. Kinda like some people I know.” I laughed as he made a squeaky voice: “HISTORY IS BOORING!” The class was floored. He stirred the pot even more (P.S. he was my favorite teacher I have EVER had in a history class, or just about any class for that matter). 
He said, “Did you ever think that HISTORY is the only thing that could destroy or save a country as powerful as America… or England… or Rome or the many tribes before???” Just as the class jock chimed in with “No one can ever beat us! We have the most powerful military on the planet,” he responded, “Perfect!!!! Let’s write some musings *what he called our undefined papers, where we had to think on paper about a scenario that has historical relevance* tonight about America and war. Let me give you an example.” And he wrote one of the most profound things I had ever seen in a history class.&lt;br /&gt;&lt;br /&gt;America vs. British  =  Vietnamese vs. America&lt;br /&gt;&lt;br /&gt;I don’t know how many of us got it… but those that did were physically different. HOLY $#@%. We fought with conventional war methods just like the British. We were invading someone’s homeland. We got mauled in so many battles we had to come home. &lt;br /&gt;&lt;br /&gt;AND&lt;br /&gt;&lt;br /&gt;Let’s not forget the Vietnamese. They fought an unconventional war. They attacked from all angles and at any time. They had no rules. They played it to the bone and gave the world’s greatest superpower a run for its money.&lt;br /&gt;&lt;br /&gt;Sounds a bit like what we are experiencing with the recent attacks, doesn’t it? From the guerrilla warfare tactics of opportunistic attack to the massive difference in force, the attacks of today are nothing more than mirrors of a battle strategy that has worked for thousands of years. The “surprise” and “random” nature of these attacks goes a long way toward their effectiveness. Now, I am not saying they are random choices by the attacker; I think they are highly guided, but they are random in their execution. Take for instance the ability to search Shodan or Google for a specific vulnerability. You are left with thousands of hosts, and one of them may be your target. 
This is much different from going after a specific IP address, or range for that matter. The attackers are using intelligence to their advantage and they know the rules.&lt;br /&gt;&lt;br /&gt;When should you attack a massive army? On Christmas, when they are all partying and have a “night off.” &lt;br /&gt;&lt;br /&gt;Where should you attack a network with millions of dollars of defense and monitoring equipment? Wherever the opportunity presents itself.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In the infosec world we tend to put too much weight on our crusty perimeter and have a bit of a challenge when it comes to looking at the bigger picture. Not all of us can relate to war and its intricacies, but we can ALL relate to offense and defense in some way. If our environments were all in the shape of a house, we would have a massive and fortified roof. When the rain came, we would feel safe and sound that the roof was protecting us, until the drips began. Even then, we would see them as a “small issue” or something we could just “patch.” The water, on the other hand, would just find another way in. Being a homeowner, I have had this problem more times than I care to remember and it still happens today. Just last week, we had this torrential downpour in Colorado. Wind, rain and hail put my weekend patchwork to the test. As I came home from work that day I ran up to the attic to see if my efforts had paid off. “YEAH!!!!” echoed through the house as I cheerfully wiped the cobwebs off the caulked and patched-over leak areas. I win….. right?&lt;br /&gt;&lt;br /&gt;Well, I did as far as the roof was concerned…&lt;br /&gt;&lt;br /&gt;But then I was on the way downstairs and walked through my office. My heart sank as I saw the sagging wooden blinds. “Really?!?” Yeah, really. The window was open the entire time of the storm. 
The carpet was soaked, the windowsill and baseboards were trashed, the blinds were irreparable and, better yet, a TON of computer hardware was sitting in a nice neat container FILLED with water. But the roof was good. Actually, the roof was so good that the rain was pouring right off it into the window.&lt;br /&gt;&lt;br /&gt;So, we do the root cause analysis (aka figure out who/what to blame) and see that my wife left the window open. *She claims that I did…. weeks before… but that is another story.* At the end of the day it was user error, or better yet… it wasn’t even an error. It was the daily operational tasks of my house. If it is hot, open a window. If that doesn’t work, turn on the AC. If that doesn’t work... call a tech to fix the problems. Amazing how similar that is to the IT world, huh? &lt;br /&gt;The part that gets me is that even if I blame her or me for leaving the window open, the real culprit is the design. Thinking of it that way, I had to go into infosec mode:&lt;br /&gt;&lt;br /&gt;If my threat was water, I should have identified what its capabilities are. &lt;br /&gt;&lt;br /&gt;Knowing its capabilities, I could try to plan for a defense that matched. &lt;br /&gt;&lt;br /&gt;Once implemented, I could test with water, hose, pressure washer, etc…. and replicate the threat at the same capability the threat can naturally execute.&lt;br /&gt;&lt;br /&gt;After that, I can identify gaps and remediate, or plan accordingly for ones I simply have no control over.&lt;br /&gt;&lt;br /&gt;This is the one that allows people to get lazy. Anyone can say, “I’ll leave a hole in the roof because if it damages anything, insurance will pay for it.” But as anyone who has had insurance claims knows….. it won’t REALLY pay for everything, and some things can’t ever be replaced. There are some folks on the other side as well. They respond, “Well, I will just waterproof my house.” I can’t say I have ever seen it done successfully, but people sure do try. 
It is just the nature of houses: they leak. It’s not always the end of the world but it does happen. It’s part of life and we ALL deal with it.&lt;br /&gt;&lt;br /&gt;However, let’s not forget the people who are really “smart.” They smirk and answer the water dilemma with an over-the-top solution. “We will make everything in our house waterproof! Even if the roof leaks, nothing will ever get damaged.” It sounds great in theory, but after a look into the cost and side effects of its “protection” people tend to shy away from that one. They would rather just tell someone “SHUT THE WINDOW STUPID…IT’S RAINING!!!” than spend $1,000,000 waterproofing the room with the window in it. &lt;br /&gt;&lt;br /&gt;This is where I REALLY laugh about our industry…&lt;br /&gt;&lt;br /&gt;When we are attacked, we are begged to do MORE of the same thing. Just MORE of it. It’s totally absurd.&lt;br /&gt;&lt;br /&gt;The happy, powerful British march down the road and are ambushed. They are sacked quickly by the surprise fury of the attack. So, what do they do? Walk the same road with 3x the number of soldiers. Stupid.&lt;br /&gt;&lt;br /&gt;We get attacked on our corporate networks because a vulnerability existed in a technology we implemented. So we implement MORE technologies to fix it? Ridiculous.&lt;br /&gt;&lt;br /&gt;Yet.. if our house has rain wash in through a window we have the good sense to close the window, move the items that are underneath it so that they are not damaged again, and make a policy that says “If it is raining, shut all windows. Also, don’t put things near a window that can get damaged by water or other things outside the window.” What a BRILLIANT concept. Figure out what the issue is and actually try to avoid it. &lt;br /&gt;&lt;br /&gt;Attackers are watching you! They know that you are too big or too busy to see them. They know that you, like everyone else, are human and will mess up. 
They also know that when you do, you will likely give them even more things to attack with your path of resolution.&lt;br /&gt;&lt;br /&gt;All they have to do is wait for the right moment to attack.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Ok… enough doom and gloom… what do we do?&lt;br /&gt;&lt;br /&gt;This is my favorite part. It is usually the reason that people will write in reviews after a talk “want more info on how to fix or what to do” or “Was entertaining but did not provide answers.” And so on… I love them because they highlight the issue at hand in its purest form. We want a solution. We want a magic bullet. We want an appliance!!!!&lt;br /&gt;&lt;br /&gt;“Here we have the Anti-lulz UTM DLP GRC Pro Advanced Platinum NextGen 3000. The ALUDGPAPNG 3k for short. This device uses the latest deep packet inspection technology combined with advanced heuristic detection that makes lulz a thing of the past. No longer do you need 40 devices to deal with the issue of hackers making fun of you for poorly securing your network. This device combines the entire OSI stack into one wirespeed appliance that protects you from every single attack vector INCLUDING THINGS THAT HAVE NOT EVEN BEEN DISCOVERED YET!!!!”&lt;br /&gt;&lt;br /&gt;Throw 500k at Gartner to put it in the magic quadrant, and I bet a million of those puppies will magically sell! Better yet, PROVE it works. Show demos of how you can replicate a SQLi attack that lulz uses and show it crushing it with ease. Show how it can torch the client-side emails and detect that they have malicious attachments before any mail ever hits a user. Heck, show them some 0-day *maybe a juicy buffer overflow* that gives you GOD access to any device on the interweb, but the ALUDGPAPNG 3k nails it on a signature AND heuristic drop rule. Do all that and EVERYONE will have to get it. If they don’t, they will be treated like a toothless hillbilly and shunned from the RSA cool kid dinners. OOOH even better…. 
After you do all that, and other people copy its design, and you build a “market” called ALA (Anti-lulz Appliances), get a bunch of lobbyists to stuff it into a compliance standard.&lt;br /&gt;&lt;br /&gt;Awesome, huh? Just remember to send me some $$ when you are rich from that one. Because everyone else who has used that method is rolling in cash. Yet NONE of them actually protect us.&lt;br /&gt;&lt;br /&gt;OMFG WHAT?!?!?&lt;br /&gt;&lt;br /&gt;Yea, think about it. If I have 1 device with 1 port open I have a limited number of attacks. If I protect that device with another device that has 1 port open, my number of attacks has at least doubled. Even if it is a firewall or UTM or even the insanely secure ALUDGPAPNG 3k! It is still another vector for attack that was not present before. Just like the AV on your box: it may protect against some viruses but it opens new holes for your machine to be compromised through. Look at how many boxes have been paved by an AV update, or hacked because of the AV company’s flawed command and control architecture.&lt;br /&gt;&lt;br /&gt;If we can’t add more stuff, what do we do?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;“Complexity reduces security. The more simple, the more secure.”&lt;br /&gt;&lt;br /&gt;This is something that proves true generation after generation. The designs that last, that are the most durable, most secure, and most efficient, are the ones that are the simplest. &lt;br /&gt;&lt;br /&gt;Want to defeat an internet attacker? Don’t connect to the internet. Want to be safe from an Adobe 0-day? Uninstall all Adobe products/code. The answer is actually quite easy. The hard part is where it impacts us. We can’t all run around and turn off all of our PCs. They make our business run. We can streamline, though. We can leverage the ability to work smarter and not harder.&lt;br /&gt;&lt;br /&gt;Let’s look at a few of these approaches:&lt;br /&gt;&lt;br /&gt;Firewall rules:&lt;br /&gt;&lt;br /&gt;We don’t NEED every port open. 
Pare it down to only what is essential. After that, try to trim it another 20% after you think you are as lean as you can get.&lt;br /&gt;&lt;br /&gt;User rights:&lt;br /&gt;&lt;br /&gt;No one needs to be an Administrator unless they ARE the administrator. If they need that level of privilege, maybe they should investigate a career in IT admin? If they HAVE to have it, let ’em have it in an area where they can’t damage/touch things that are sensitive to the business. Options are awesome, especially when both work in favor of security and increase simplicity.&lt;br /&gt;&lt;br /&gt;Overall protection:&lt;br /&gt;&lt;br /&gt;We don’t need to protect everything! If the perimeter has holes that you can’t fix, throw some of that tech at them. Inspect them harder than the things you know you can protect against. Instead of blame… try education. When a user leaves a window open, let ’em know the damage it causes and teach ’em how to close it. It really isn’t that hard. They are not our biggest problem; they are our biggest asset.&lt;br /&gt;&lt;br /&gt;Effectiveness:&lt;br /&gt;&lt;br /&gt;How do you know all that “stuff” you bought is working? TEST IT!!!! You don’t know if it works, or if any of your training/policy works, until you test it?!?&lt;br /&gt;&lt;br /&gt;Can we survive an attack:&lt;br /&gt;&lt;br /&gt;Hire someone to attack you. No, I am not talking about shopping out a bid for the coolest-looking penetration testing deliverable. I am talking about an ATTACK. Figure out who the top 5 adversaries of the business are and how they may attack you. THEN…. Have people attack you that way. Having a pentester attack you the way they know how just doesn’t cut it. With the cut-rate budget pentesting shops out there and all the tool usage, those tests are damned near worthless. Do yourself a favor and make goals and tests that replicate a real world attack… and see if your “real world” defenses can handle it. &lt;br /&gt;&lt;br /&gt;
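&lt;br /&gt;&lt;br /&gt;Paring firewall rules down is a lot easier when you can show which ones are dead weight. The script below is an added example, not code from the original post. It reads the per-rule counters that iptables keeps (the text printed by iptables -L INPUT -v -n -x --line-numbers, captured after the counters have been accumulating for a representative period) and reports two lists: ACCEPT rules that have never matched a packet, which can be removed without changing anything for current traffic, and ACCEPT rules reachable from 0.0.0.0/0 on a port that is not on the documented allow-list, which is the first place to look for that extra 20%. The chain listing is constructed for the example, and the allow-list of ports 22 and 443 is an assumption.

```python
"""Audit an iptables INPUT chain for ACCEPT rules that can be trimmed.

Added example, not code from the original post. Input is the text printed by
`iptables -L INPUT -v -n -x --line-numbers`; the listing below is constructed
for the example and the allow-list of ports 22 and 443 is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    num: int        # rule position in the chain
    pkts: int       # packets matched since the counters were last zeroed
    target: str     # ACCEPT, DROP, REJECT, ...
    proto: str      # tcp, udp, all
    source: str     # source match; 0.0.0.0/0 means anywhere
    dport: str      # destination port from "dpt:NN", or "any" if none given


CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_iptables(listing):
    """Return (default_policy, [Rule, ...]) for a single chain listing."""
    policy = None
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            policy = m.group(2)
            continue
        if not line[0].isdigit():
            continue  # column header line ("num pkts bytes target ...")
        cols = line.split()
        # num pkts bytes target prot opt in out source destination [extras...]
        if len(cols) in range(10):
            continue  # fewer than ten columns: not a rule row we understand
        dport = "any"
        for extra in cols[10:]:
            if extra.startswith("dpt:"):
                dport = extra[4:]
        rules.append(Rule(int(cols[0]), int(cols[1]), cols[3], cols[4], cols[8], dport))
    return policy, rules


def unused_accepts(rules):
    """ACCEPT rules whose packet counter is still zero: nothing on the wire
    uses them today, so they are the first ports to shut."""
    return [r for r in rules if r.target == "ACCEPT" and r.pkts == 0]


def exposed_accepts(rules, allowed_ports):
    """ACCEPT rules open to the whole internet on a port not on the allow-list.
    A rule with dport "any" is reported too, since it opens every port."""
    return [r for r in rules
            if r.target == "ACCEPT" and r.source == "0.0.0.0/0"
            and r.dport not in allowed_ports]


def report(listing, allowed_ports):
    """Summarise what can be trimmed and what is exposed, by rule number."""
    policy, rules = parse_iptables(listing)
    return {
        "default_deny": policy == "DROP",
        "unused": [r.num for r in unused_accepts(rules)],
        "exposed": [r.num for r in exposed_accepts(rules, allowed_ports)],
    }


# Constructed listing for the example; a real one comes from iptables itself.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1      188214   24811332 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
2        9127     612118 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
3           0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
4           0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
5         412      31054 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
6          17       1022 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
"""

ALLOWED_PORTS = {"22", "443"}  # assumption: the documented services for this host

if __name__ == "__main__":
    print(report(SAMPLE_LISTING, ALLOWED_PORTS))
```

Run it as-is and it prints the report for the constructed listing; feed it the real chain output and an up-to-date allow-list instead. A zero counter only means the rule has not matched since the counters were last reset, so check how long they have been running before trusting the "unused" list, and treat the "exposed" list as the set of rules that need a source restriction or a justification on file.&lt;br /&gt;&lt;br /&gt;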
Most environments are built to survive the attack of an auditor/pentester… not of a real attacker. How can you tell? Well, an attacker reads mail spools, harvests accounts, uses valid forms of access, doesn’t remain in interactive shells, and overall has a low to minimal footprint. Auditors have HUGE footprints, leave tools and detectable items running, use commercial or open-source binaries, run scanners, and love interactive shells like MOSDEF, Meterpreter, and Core shell.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-5224063816253741771?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/5224063816253741771/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2011/07/brittish-are-comming.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/5224063816253741771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/5224063816253741771'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2011/07/brittish-are-comming.html' title='British are coming'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-5302647825781445696</id><published>2011-06-27T19:15:00.010-06:00</published><updated>2011-06-28T12:13:01.398-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security industry'/><title 
type='text'>Customer Wow Factor = 100, Customer Value Factor = 0</title><content type='html'>&lt;span style="font-family:arial;"&gt;The Netragard guys have an interesting &lt;/span&gt;&lt;a style="font-family: arial;" href="http://snosoft.blogspot.com/2011/06/netragard-hacker-interface-device-hid.html"&gt;post&lt;/a&gt;&lt;span style="font-family:arial;"&gt; on their blog. Due to an *extremely* limited scope they ended up creating a USB switchblade/&lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.hak5.org/projects/doku.php?id=usb_rubber_ducky"&gt;rubber ducky&lt;/a&gt;&lt;span style="font-family:arial;"&gt;/&lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle"&gt;USB keyboard HID&lt;/a&gt;&lt;span style="font-family:arial;"&gt;/personnel autopwner. They called it a Hacker Interface Device (HID).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;I don’t want the rest of the post to take away from the coolness of them building that; it’s friggin’ cool, and I want one... so hook a brother up [1]. But why, of ALL the options that exist to break into a network, were they &lt;/span&gt;&lt;span style="font-weight: bold; font-family:arial;" &gt;forced&lt;/span&gt;&lt;span style="font-family:arial;"&gt; to go that route? Now, they mentioned "a rather restricted scope" and go on to say:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-family:arial;" &gt;"The scope included a single IP address bound to a firewall that offered no services whatsoever. 
It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;and:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-family:arial;" &gt;"With all of these limitations in place, we were tasked with penetrating into the network from the perspective of a &lt;span style="font-weight: bold;"&gt;*remote threat*&lt;/span&gt;"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;They didn’t go into detail on if the client had a class B of crap and it was just "off limits" or if they really just had 1 IP with no services acting as the company’s NAT'ing gateway. I've been there (I had one client that had their outbound proxy (offering no services) and a static html site and that was it). They also didn't go into detail on why phishing or telephone SE wasn’t allowed or why merely walking into the facility was also not possible/allowed.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Maaaaaaybe both of those options were technically or financially infeasible to the average bad guy ( or maybe just for the *&lt;/span&gt;&lt;span style="font-weight: bold; font-family:arial;" &gt;remote threat&lt;/span&gt;&lt;span style="font-family:arial;"&gt;* they were emulating) and spending a few hours/days building a hardware device to snail mail to users was more “feasible” or maybe the client sat around and tried to figure out the least best way to spend their security budget.  I don’t know.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;I do know that unless there were some extreme extenuating circumstances the role of the attacker they were forced ( but really more agreed ) to play was a flawed role.  
I think it’s unrealistic to think that someone wanting to get into a company’s digital infrastructure will spend hours/days making a tool/device, mail it to some users, and wait an undetermined amount of time for someone to plug it in and pwn users as a first course of action instead of just phishing someone (need proof?--&amp;gt; RSA, Aurora, Sony). I’ll leave out the GIGANTIC trail leading back to the attacker by snail mailing anything (would you send something that critical without delivery confirmation?)[2]. Again, not to downplay the coolness of the HID, it’s very cool; too bad the client didn’t allow them to spend that time and creativity figuring out multiple plausible attack paths to break into their site vs. one really neat, but not the path of least resistance (and therefore most probable), attack vector.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Attackers tend to keep as far away from physical items for use in their attack as possible. Attackers use coffee shop or hacked wifi, TOR, and multiple VPNs as a means of providing as little digital forensic evidence as possible, which isn’t hard to do, as law enforcement is still figuring out digital forensics. On the other hand, physical forensics is an ancient art. It’s doubtful the Netragard guys used rubber gloves while creating the device and boxing it. Did they pay cash for the items they made the device out of? Did they have their phones on them if they went to a store to purchase the items? Even if they paid cash, phone records could put them at the location of purchase. Was there any sort of trail that someone with resources could use to trace back to them? 
These steps weren’t mentioned in the post, and if they were truly trying to help the client with such an attacker (essentially the mindset of a bomb maker) there would be a lot more steps involved, vice ‘look what I can do’.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;We need to do our best as security professionals, as people that sell security services and as people who give advice to do away with asinine scope restrictions like the one mentioned above. Scopes like this one provide little value to the client because it isn’t how 99% of the attacks against them will happen. Protecting against an attack that will happen 1% of the time just isn’t cost effective. (Perhaps all the normal paths of entry have been thoroughly tested and mitigated against and the client really needed a creative approach to breaking in, but I doubt it.) If the ease with which companies have been getting owned lately has not clued everyone in to the overall lack of testing and security posture, I'm not sure what will.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;However, I don’t think it’s the testers that are lacking, or even a lack of methodology on how to go after clients; that stuff is out there. How "APT", "determined bad guy", "buzzword term" have been breaking into these companies is WELL documented. 
What testers are lacking is the &lt;strike&gt;ability&lt;/strike&gt; backbone to stand up and tell the client that testing with that type of scope is highly unrealistic relative to the actual risk and the threat they are facing, and that their money would be better spent doing X, Y or Z instead of some silly unrealistic scenario where the client gets to control the outcome, or one so obscure that it’s going to happen 1% of the time, if ever, and is thus promptly ignored by management.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Nickerson (and others) have said it many times: "Attackers don’t have scopes," and as much as possible neither should your testers.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;[1] Actually Darren from Hak5 did hook me up with a demo one and it’s awesome:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;“The HID attack is a lethal favorite as it exploits the inherent trust between man and machine. Since sharing our proof-of-concept with Irongeek at Shmoocon we have been excited to see a new era of physical attacks evolve. After months of R&amp;amp;D we know everyone will soon share in our excitement as we debut the Hak5 USB Rubber Ducky - the next evolution of the USB Switchblade platform. 
--Darren Kitchen”&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" style="font-family: arial;" href="http://2.bp.blogspot.com/-pH8BEGPTKXM/TgksNKaGvNI/AAAAAAAAAGw/itgA5XC7eGg/s1600/2011-06-26%2B18.39.42.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 192px;" src="http://2.bp.blogspot.com/-pH8BEGPTKXM/TgksNKaGvNI/AAAAAAAAAGw/itgA5XC7eGg/s320/2011-06-26%2B18.39.42.jpg" alt="" id="BLOGGER_PHOTO_ID_5623074214392544466" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;[2] I had a lengthy discussion about whether you’d actually insure/delivery-confirm your payload. The person said no one would do that because it’s “CSI Miami Dumb”, which I agree with, but I can’t imagine that if you were to stake your success at breaking into a company on a snail mail/user-assisted attack you wouldn’t find some way to know whether the package even made it to the target or not. Arrived and target didn’t plug the device in is way different from device getting lost in the mail. 
I’m positive the boss of the guy responsible for the operation would want to know too :-)&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-5302647825781445696?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/5302647825781445696/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2011/06/customer-wow-factor-100-customer-value.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/5302647825781445696'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/5302647825781445696'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2011/06/customer-wow-factor-100-customer-value.html' title='Customer Wow Factor = 100, Customer Value Factor = 0'/><author><name>CG</name><uri>http://www.blogger.com/profile/08725211059186839473</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-pH8BEGPTKXM/TgksNKaGvNI/AAAAAAAAAGw/itgA5XC7eGg/s72-c/2011-06-26%2B18.39.42.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-148881381095033857</id><published>2011-06-19T15:17:00.008-06:00</published><updated>2011-06-20T08:34:56.295-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='insecurity'/><category scheme='http://www.blogger.com/atom/ns#' term='pentesting'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>How does your network 
stand up to a determined attacker?</title><content type='html'>Attacks on large organizations (RSA[1][2], Google &amp;amp; Others [3], DuPont[4], Lockheed Martin[5]) have given us a glimpse into the underbelly of targeted attacks.&lt;br /&gt;&lt;br /&gt;To be clear, not every mom and pop shop should live in fear of a targeted attack or industrial espionage, but a lot of companies do face this threat. If you make something that would be cheaper to steal than to reverse engineer, or if beating your competitor to market decides whether you turn a profit this year, you’re in the zone for some entity to decide to come after you and take it.&lt;br /&gt;&lt;br /&gt;Recently at BlackHat DC and Shmoocon, Sean Coyne and Ryan Kazanciyan from Mandiant gave a great talk titled “The Getaway” [6][7] that covered some of the methodologies and tools Mandiant felt were &lt;strong&gt;common enough to talk about in public&lt;/strong&gt;. McAfee also released their “Night Dragon” paper [8], which discusses “APT” style attacks and techniques.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://4.bp.blogspot.com/-FuqL3VT60Y8/Tf9YvAlWtFI/AAAAAAAAAGg/FzYskeJ4VwM/s1600/anatomy-of-hack-nightdragon.PNG"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 226px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5620308424615441490" border="0" alt="" src="http://4.bp.blogspot.com/-FuqL3VT60Y8/Tf9YvAlWtFI/AAAAAAAAAGg/FzYskeJ4VwM/s320/anatomy-of-hack-nightdragon.PNG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Image (modified) from: McAfee’s Global Energy Cyberattacks: “Night Dragon”&lt;br /&gt;&lt;br /&gt;Step 1 varies: typically some sort of client-side attack is involved, but remote and web attacks are definitely a possibility (why waste your client-side 0day when Metasploit will get the job done?).&lt;br /&gt;&lt;br /&gt;Steps 2-5 are important because traditional penetration testing rarely delves into enough detail to adequately test detection and response once an attacker gains entry into a network or moves laterally within it. Instead, most companies focus on forcing their consultants into a guided test where they control the outcome via various scope restrictions or "goals" that don't represent the things attackers typically go after.&lt;br /&gt;&lt;br /&gt;Companies with something to lose need to sit down and ask themselves the hard questions:&lt;br /&gt;&lt;br /&gt;How educated are your users against social engineering and phishing attacks? (Does your program work?)&lt;br /&gt;&lt;br /&gt;How far can an attacker go with a user-level shell gained via phishing or SE? (Do the fancy boxes and IDS analysts actually work?)&lt;br /&gt;&lt;br /&gt;Do you know what data on your network is most important? (What makes you money?) If yes, can you identify the controls in place to protect it? When did you test those controls in real life and not just on paper?&lt;br /&gt;&lt;br /&gt;Is that data properly protected? (Are you doing anything to protect it? Hint: Windows permissions don’t count.) Have you tried various exfiltration methods to see if they work?&lt;br /&gt;&lt;br /&gt;When was the last time you allowed someone to try to get it? (Did you throw vulnerability scanner X at it and call it good, or do you just laugh and say “yep, if they got access we would be f**ked”?)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1.&lt;a href="http://www.pcworld.com/businesscenter/article/222555/rsa_securid_hack_shows_danger_of_apts.html"&gt;http://www.pcworld.com/businesscenter/article/222555/rsa_securid_hack_shows_danger_of_apts.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2.&lt;a href="http://blogs.rsa.com/rivner/anatomy-of-an-attack/"&gt;http://blogs.rsa.com/rivner/anatomy-of-an-attack/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3.&lt;a href="http://en.wikipedia.org/wiki/Operation_Aurora"&gt;http://en.wikipedia.org/wiki/Operation_Aurora&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4. 
&lt;a href="http://www.bloomberg.com/news/2011-03-08/hacking-of-dupont-j-j-ge-were-google-type-attacks-that-weren-t-disclosed.html"&gt;http://www.bloomberg.com/news/2011-03-08/hacking-of-dupont-j-j-ge-were-google-type-attacks-that-weren-t-disclosed.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;5.&lt;a href="http://www.informationweek.com/news/government/security/229700151"&gt;http://www.informationweek.com/news/government/security/229700151&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;6.&lt;a href="https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf"&gt;https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;7.&lt;a href="https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf"&gt;https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf&lt;br /&gt;&lt;br /&gt;&lt;/a&gt;8.&lt;a href="http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"&gt;http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf&lt;/a&gt; &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-148881381095033857?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/148881381095033857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2011/06/how-does-your-network-stand-up-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/148881381095033857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/148881381095033857'/><link rel='alternate' type='text/html' 
href='http://www.laresblog.com/2011/06/how-does-your-network-stand-up-to.html' title='How does your network stand up to a determined attacker?'/><author><name>CG</name><uri>http://www.blogger.com/profile/08725211059186839473</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-FuqL3VT60Y8/Tf9YvAlWtFI/AAAAAAAAAGg/FzYskeJ4VwM/s72-c/anatomy-of-hack-nightdragon.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-2099776458384230919</id><published>2011-05-26T04:05:00.004-06:00</published><updated>2011-05-26T04:45:17.753-06:00</updated><title type='text'>A Passion for Protection</title><content type='html'>I have seen articles that dance around the topics of “ how to hire in security, how to GET hired, who you should hire…picking a good consultant…finding the right tester...etc….” but it all looks the same. Surely, in this day and age we aren’t using the same “solution” we have used FOR EVER in the interview process? You know… The same type of interview that allows us to turn the candidates into numbers, weigh their pros and cons, and decide based on a formula that best suits the needs (pocketbook) of our company at that time. To me, this is a crock of S*it. It demoralizes and devalues the special sauce of every brand on the market. It is the antithesis of what great companies were founded on. You don’t get to be a household name without a passion, a drive, a level of innovation and an insatiable hunger to succeed at all costs. You do not get to be amazing because of the notes you took or the forms you filled out. You do not get to LEAD an industry until you have taken the beatings at the bottom and shown that you have a will to give it all for another shot. 
When all is said and done, you should be working for a mindset and not a “company”. You should work for a dream that YOU believe in; not because you are brainwashed but because it is YOUR dream and the company is there because there are others that share some of the same dreams. If you don’t…. pack up your bags today. You are not going to be happy. You are in your job (and probably hate it) as a slave to the money. There are other ways to be wealthy and happy, but I’ll get to all of that some other day…  &lt;br /&gt;&lt;br /&gt;Much of my thinking on this subject has been recently sparked by the last 3 years of business at LARES. What started off as a leap of faith has become a way of life. We have a unique dream that we pursue. It is not just marketing or some type of slogan; it is the way the business IS. Our dream was to have a security company that connected people. I am not just talking about the type of connection you make when someone signs off on that sales-laden template Statement of Work, I am talking about true connections. We create all of our services and interactions around Connections. Our job is to reinvigorate companies through that connection. We focus on connecting people, feeling, passion, ideals, goals and most of all business “dreams.” This may sound odd due to the corporate mumbo-jumbo we have all heard over the years but I guess we still look at it with a fresh set of eyes. Almost every business I have ever had the pleasure of working for or even meeting with has had a dream. They call those dreams “mission statements” or some other catchy term that removes the playful aspiration and passion of the people that created the idea. Once those passion-driven aspects are killed off, they lay on the political correctness and a heavy dose of marketing and POOF… the Corporate Mission Statement arrives. At least they are still stating their dreams. They are putting it out there for all to see and hear. 
“We WILL BE the best….”&lt;br /&gt;&lt;br /&gt;Mission Statements are amazing documents that most people don’t give two thoughts about in the security industry but it is the CORE of the business. It is the single most important asset that company has ever had or will have. It is an all-encompassing look into the soul of the company from where they were to where they will go and their drive to get there. It’s not  just some catchy phrase, it is the echoing voice of the passionate few who risked it all to pursue a dream.  Even though the company has grown leaps and bounds, that one statement is a line in the sand. It is a promise, and our job is to help our clients KEEP that promise.&lt;br /&gt; &lt;br /&gt;I have had the pleasure of having a business partner  (Eric Smith) that was willing to go all in on a dream, and it has been the most rewarding thing I have ever done in my career. Since starting LARES, we have had our hard times, our struggle with a new business, and our successes. We have taken endless lumps and will surely take more because we WANT to learn. Every hard time has come with a new thing to learn and a realization that we haven’t even hit the tip of the iceberg yet. &lt;br /&gt;&lt;br /&gt;But…&lt;br /&gt;&lt;br /&gt;We are committed to our dream and are unreasonable in its pursuit. We have had some amazing experiences with talented engineers and technical merit that far exceeded our expectations, but the one thing that keeps us who we are IS THAT DREAM. It’s funny to think that all of these years I had it backwards. I was interviewing our teammates, testing their skills, and trying to find someone that would “Fit” the business I was in without ever really thinking about why it didn’t always work. There was always some excuse, “bad time, bad person, bad position, bad fit, not tech enough, not socially skilled enough… and on …and on” It didn’t dawn on me that I was doing it totally wrong for our business, it was how I was taught. 
Promote/Hire/Fire the engineers and Share your goals/solutions with the customers to find the right fit. Little did I know that all I had to do was turn it around. By having teammates that shared common goals/solutions and levels of comfort …the “dream” was protected. Not only was it protected, it was fully supported, strengthened and totally re-imagined. They weren’t just good practitioners, they were pioneers that were pursuing THEIR dreams. But what about the other side, the customers?&lt;br /&gt; &lt;br /&gt;Instead of playing like I knew, I asked our clients. “Why did you choose us? What did you like? What didn’t you like? Why and so much more.” The most common response I heard from them was that our PASSION was obvious. We loved what we do and every time we do it. It was a huge moment for me. It was not our deliverable, or how much we could do better or price or anything else *even though those were mentioned in a few.* The overwhelming majority told me that if it were not for our PASSION it would have never been the same. We also got another comment that threw me for a loop. “You guys are brutally honest, there is no BS, just the reality of what it is.” This one got me worried. Were we too hard on them? Were we not political enough? Did we offend them? What do we need to do to change?&lt;br /&gt;&lt;br /&gt;Oddly enough, many of them told us it was a compliment. Sure it hurt a bit to hear from us the way we presented it, but it was also the first time that people WERE honest with them. That just broke my heart. A profession that is about testing people and using the truth as a motivator for growth was plagued with lies, sales tactics, and the sugar-coating that even after the 9th hack…. SONY is still OK. These responses and feedback changed our business forever. We didn’t want to play doctor and hand out the pills our patients requested. We wanted them to get EVERYTHING they could from our time together. 
Whether 10 min or 10 months, we were unrelenting and would ONLY give 120%. If they wanted less… we would realize that it was just not the right fit. It was not the right “connection.” We started to expect our customers to be just as committed as we were to OUR dream and to THEIR business’s dream. We made it clear that we were there to help them keep a promise they made to protect the business' dream at all costs. Oh boy was that a rocky ride. Try being on a “sales call” where someone wants to do a multi-week external pentest because they want to know if they can get hacked…and you ask them “have you ever had a virus?” Then when the person on the phone laughs and says “Of course”, politely explain that they have proven they can get hacked quite easily… and ask why they need to spend tens of thousands of dollars to prove what they just told you as a truth.&lt;br /&gt;&lt;br /&gt;The sales people come UNGLUED… but hey…. I guess that is why we don’t have any sales team =)&lt;br /&gt;&lt;br /&gt;Now in that same scenario you may find out that the whole reason for the test is to show a connection to IMPACT and what COULD happen… or maybe you find out that they really want to create a defensible business posture and don’t know where to get started… or maybe you find out that they just need to check a box because “PCI SAYS SO.” By doing more than taking orders and getting to know their business and goals, you get to understand THEM better and you have a whole new connection. Now the interview has flipped and the asset you are trying to “bring on board” or “see if they are a right fit” is the CUSTOMER! Yep, that’s right…. We started interviewing our customers to see if our passionate approach met up with their needs. If they did, we brought them on to the team and gave it all we had. If not, we parted ways. If they were part of the first group and worked with us to inspire and create…they got promoted. 
These customers are the cream of the crop and deserve to be treated that way. They forced us to work harder every time and the sweat we broke was attributed to the countless hours they spent on their end. The job did not have to be bigger, or more $$, or anything like that because we got to connect with the results. All of the work put in during our first encounter was reflected back to us and the real connection was proven…. Not just “signed off on.”&lt;br /&gt;&lt;br /&gt;Let’s face it, most of us have had a bad date before. We knew it was not going to work out from the moment we started talking yet we forced onward. We purposely continued on and put the other member through as much misery as we “knew” was going to happen to prove ourselves right. How disrespectful. Everyone is different; everyone has different goals and a million ways to go about them. Rarely are any of them wrong… and even if they are… who are we to judge? The truth is, we want customers that feel just as good about us as we feel about them. We want a connection to be made that will let us get past all of the politico and get down to WORK. We never want to waste their valuable time, just to try and compete for a job that they or we will go into with serious doubts. We want to work WITH not just FOR each other.&lt;br /&gt;&lt;br /&gt;Conventional security sales practices never delivered (why do you think more companies lose more $ and get hacked more EVERY YEAR?), the “Real World” is just a TV show, and planning is guessing. The days of menu-based security services will live long in the eyes of the services giants who have thousands of mouths (shareholders/engineers/sales and more) to feed and an ever-increasing need to grow sales. Their pockets will run flush with the spoils of their marketing campaigns and their emotionless sales team execution. The robots will trudge on to underbid, overpromise, and upsell without a single reference to the fact that “SECURITY” is a feeling.  
They will respond to your RFP even if they can’t stand you. They will cash the check hastily as they squirm to leave your presence and come back next year for more because they can’t afford NOT to. The more they see you, the more they can hire, expand and do what every business school taught them: “grow the business” *note… not grow YOUR business*&lt;br /&gt;&lt;br /&gt;…but that’s not how this work should be done/won?!?!&lt;br /&gt; &lt;br /&gt;Precisely! It isn’t. Then again, we don’t work. We do what we do, because if we didn’t get paid for it we would do it anyway. This is something we LOVE. This is not just a job, this is a way of life for us. With every experience we share we get a new perspective and experience in return. We make connections between our company and theirs. We build bridges between teams and show them how other bridges can be burned. We trade our experience and passion for the ability to experience and protect their dream. Not for them….with them. With that in mind, we have made a commitment to “never hire again” in the conventional sense of the term.&lt;br /&gt;  &lt;br /&gt;This week, it is an honor to live up to that commitment and welcome Chris Gates to our team. We have spent YEARS talking about the industry we are in and have always shared similar goals/dreams. We have laughed together at the countless hours spent talking about how to change and never changing. Chris has many tools that he brings to this trade but his biggest asset is his passion. His passion to help customers and peers alike is something that can never be taught or interviewed for. He joins the team not just as a member, but as another passionate professional… willing to risk it all… for a shot at making it better. Eric and I may have been founders for 2 years but Chris’ addition gives us the ability to once again reimagine a dream that 3 of us share instead of 2. Partner, Owner, Engineer, Expert, Sr., Jr., Janitor or whatever title he chooses will be just another name. 
The real job he has made for himself is the same that many of us were told to pursue when we were little: “To follow a dream.” I am excited to see this new addition to LARES and echo the excitement of our customers in knowing that he will help shape the future of our business. Like watching any talented sparring partner/coach, I am even more excited to see the new heights he will bring our amazing customers to.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-2099776458384230919?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/2099776458384230919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2011/05/passion-for-protection.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/2099776458384230919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/2099776458384230919'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2011/05/passion-for-protection.html' title='A Passion for Protection'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-2834943899343244584</id><published>2011-04-19T12:33:00.003-06:00</published><updated>2011-04-19T13:40:17.803-06:00</updated><title type='text'>We are at War (part1)</title><content type='html'>**So... 
I am sitting here at Infosec World and listening to the crowd's chatter... I am preparing my talk for Thursday and decided this would be a great time to ignore responsibility and puke out what was on my mind... here ya go*&lt;br /&gt;&lt;br /&gt;In a time where times are tight, oil/gas is on the $ rise and we are in more wars than we have ever been in at one single point in time... what could we do to help ease our pain? OOOHHH I got it! MORE WAR! Yeah! That's the ticket.&lt;br /&gt;&lt;br /&gt;Cyber War? hahah YES. In my use of that term here (which I hate) the war is with ourselves. It is not against the "hackers" or the "Country that is attacking us" or even with the generic bad guy we all have been protecting ourselves against all these years. The war we are in is against logic. It is against reason. It is against the "rules and guidelines and best practices" that we made up. This war has a doctrine called "Compliance" and it is forcing the most impressive civil war that I have ever seen. We spend our time reading the sheets, identifying all of the "stuff" we need to do and buy... then we ready the troops. We sit them on our enterprise front lines and tell them to hold fast because the enemy is on the horizon. &lt;br /&gt;&lt;br /&gt;On the other side, armed with a mass of paperwork and generic process, dressed in $300 suits and straight out of college... the enemy amasses. The 2 forces peer down the perimeter and sweat the first shot to be fired.&lt;br /&gt;&lt;br /&gt;BANG!!!!&lt;br /&gt;&lt;br /&gt;The Standards committee waves the battle flag stained in corporate checkbook ink and the tears of business owners worldwide while the charge ensues. Rocketing down the battlefield with the latest terminology, the Archangel of FUD triumphantly echoes behind them. It cries out "We are here to help you! Don't resist. We will keep you safe from the bad guys that are coming! 
Join us and become part of the standards that will save your business from the fines of your compliance gods!"&lt;br /&gt;&lt;br /&gt;The corporate soldiers tremble in fear, knowing that the only option they have left is a life of compliance-based indentured servitude or...even worse..... they face an attack... SO GREAT... SO POWERFUL... SO ENCOMPASSING... that it will crush them like an eggshell. The CxOs and managers tone the lines for impact, letting them know that if they "pass" the initial attack.... they won't have to fight for another year. They will reap the spoils and the pride of victory and they will eternally live in the light/favor of the compliance gods. Teeth grit, eyes squinted and fingers ready... they slam together for the first real fight they have ever been in. They revert to survival mode. Lie, cheat, steal, kick, scratch, punch, gouge and even RUN.... they fight to survive. They endure more pain and instantaneous financial loss than they ever have in the history of their company. &lt;br /&gt;&lt;br /&gt;Mopping their tears and bandaging their wounds with the pounds of paper delivered in the report, they rejoice. They have survived the battle but the war was far from over. Their reward: a small lull in externally forced work and permission to go back to their day job... working 60-hour days turning the cogs of the infrastructure and protecting the reliability of the company's paychecks. &lt;br /&gt;&lt;br /&gt;So, what did they gain from this epic contest? A little stamp to let them know that the attack will occur again. Same time, same place, same channel.&lt;br /&gt;&lt;br /&gt;But wait, there's more....&lt;br /&gt;&lt;br /&gt;The executives get a special perk. The sales team on the opposing side promised them the spoils and they delivered. They get a report, a shield of honor and security, they become a shining beacon of light in an industry of companies that are non-compliant and getting hacked on a regular basis. 
&lt;br /&gt;&lt;br /&gt;But wait... there's more... &lt;br /&gt;&lt;br /&gt;The biggest benefit of all: the safety blanket provided by the reams of paper trucked in at the end of the battle has given them the most powerful gift of all time.&lt;br /&gt;&lt;br /&gt;"THE ABILITY TO NO LONGER OWN SECURITY AND SHUN THEIR RESPONSIBILITY FOR THE BUSINESS"&lt;br /&gt;&lt;br /&gt;They won't go to jail for negligence. The industry won't mock them IF they get hacked... because THEY were compliant... THEY survived the war... THEY WERE PROVEN SECURE by&lt;br /&gt;&lt;br /&gt;THAT FIRM -&gt; as they swiftly point at their auditor post-breach. &lt;br /&gt;&lt;br /&gt;It's their fault. &lt;br /&gt;&lt;br /&gt;Wait... it's not? WELL THEN...&lt;br /&gt;&lt;br /&gt;IT'S COMPLIANCE's fault!?&lt;br /&gt;&lt;br /&gt;Wait... it's not? WELL THEN...&lt;br /&gt;&lt;br /&gt;It's "Tim or Sally's fault!" YEAH!!!! Those terrible employees who forgot to install the patch.. or clicked the email that allowed our technology to be leaked all over the planet and invalidated security for millions of users worldwide.... BASTARDS.... THEY DID THIS TO US.... &lt;br /&gt;&lt;br /&gt;*good thing we can fire them to revitalize our stock prices and get back to where we were* Whew.&lt;br /&gt;&lt;br /&gt;But what about the real attacker? Lurking in the shadows. A guerrilla warfare expert that does not hold the line of a charge. An adversary that does not announce themselves with a fanfare of clanging calculators and a blinding array of merit-badge-adorned bright red coats? What about them?&lt;br /&gt;&lt;br /&gt;All that compliance, all that strife, all that training we did to get READY for their attack will surely help us... won't it? We did that because they told us the bad guys were coming... that they were attacking businesses all around us... that they were pillaging the weak and laying waste to the "insecure." &lt;br /&gt;&lt;br /&gt;What will we do when their evil eye turns to us? Will we be ready? 
Will we fight with bravery and honor..... or will we perish like so many others have in the past..... or ....have they already won?&lt;br /&gt;&lt;br /&gt;We all know or are getting to know how to fight an auditor. Compliance is TRAINING us to fight an auditor. Frankly, we are getting good at it.&lt;br /&gt;&lt;br /&gt;We are at war, people, and we are paying the very attackers that keep us up all night with worry.. because without that badge they provide.... we don't have any idea what will happen.&lt;br /&gt;&lt;br /&gt;So saddle up the troops for the yearly audit and get ready for the lines to crash again, because by god(s) we inflict this pain because WE LOVE YOU. WE CARE... &lt;br /&gt;&lt;br /&gt;While the sweat sheds and the tickmark legends are frantically checked... the real threat lies in wait. Reading the reports and laughing... analyzing the compliance regulations like an opposing team would analyze the other team's "defense playbook" and waiting for the opportune time to launch an attack.  
They may be small but the element of intelligent surprise is so powerful it will allow a small group to fight their wealthy adversary and take over a city, a state, a colony, and even the world.&lt;br /&gt;&lt;br /&gt;Knowing that, where do we go from here?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-2834943899343244584?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/2834943899343244584/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2011/04/we-are-at-war-part1.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/2834943899343244584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/2834943899343244584'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2011/04/we-are-at-war-part1.html' title='We are at War (part1)'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-8502835810099190900</id><published>2011-04-05T09:13:00.003-06:00</published><updated>2011-04-05T10:45:13.463-06:00</updated><title type='text'>Why can't I just buy a motorcycle without WORK interfering?</title><content type='html'>It seems that Information Security is something that is not only my profession but ingrained into every little thing that I do. 
Not to say that I am conscious of it or even attempt to CLAIM that I am secure, but it pops its ugly head up in the most conspicuous places.&lt;br /&gt;&lt;br /&gt;This past Friday (April 1st, 2011) I decided that I would go test drive a 2011 Ducati Diavel. &lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://dalefranks.com/cycles/wp-content/uploads/2010/12/2011-Ducati-Diavel-Diamond-Black.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 1024px; height: 707px;" src="http://dalefranks.com/cycles/wp-content/uploads/2010/12/2011-Ducati-Diavel-Diamond-Black.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is the motorcycle I have been looking for. It fits the silly criteria I have put forth to restrict myself from buying such toys. Leave it to Ducati to come out with what I was dreaming of as a hybrid "Cruiser/Sport Bike." Well, they did it and it dragged me straight into the dealership a few days after its release to the public. The bike is a muscle-bound sprinter that is dripping with technology. It has a FULL light-sensitive TFT screen, multiple different riding modes (changes the bike's stance, compression, engine tune, shocks, and even shift points), and just about every other gadget you could throw on a stock bike (ABS, Trac Control, and MORE). This is the Geek Muscle bike of my dreams...and I was in awe. &lt;br /&gt;&lt;br /&gt;So, after an extended stare at it I decided to take the bike for a much-anticipated test drive. The salesman gladly handed me a few papers to sign and off I went. The bike was AMAZING. Not only does it have enough tech to make an ADD security guy like me completely enamored, but it will quickly bring you back to riding with its 162 horsepower roar. I was in pure motorcycle bliss. Crushing speed limits in 2nd gear with a smile stamped on my face and 87-degree Denver air wisping by. I was sold. 
On my way back to the dealership I stopped by one of my good friends house to get a second opinion before I put down the deposit. After turning the bike off (via the On/Off electronic button)I went to grab him from the house but he wasn't home. So, I hopped back on the bike and was headed back to the dealership. Except it wasn't that easy. &lt;br /&gt;&lt;br /&gt;I got on the bike and hit the start button. The pretty screens fired back up with an electronic buzz and the TFT read "password" and showed 4 spaces. (was located where teh  "riding mode" is on the pic below:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.cyclenews.com/files/news_articles/industry/1110/30_Diavel_Carbon.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 374px;" src="http://www.cyclenews.com/files/news_articles/industry/1110/30_Diavel_Carbon.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Great...a password...arrgh... just like work" was the first thing that rolled through my head. I call the dealership to see if they can help me out and hand over the password. Just my luck, it was the end of the day and their phones had already rolled over to voice mail. Needless to say, my message was not very pleasant.&lt;br /&gt;&lt;br /&gt;So, like any InfoSec type.. I start my assessment. ( the work in PTES recently has kept me on the method side of practice)&lt;br /&gt;&lt;br /&gt;#1 Find the key (looked all over... no key... damnit... must be one of those proximity keys... maybe it is under the seat.)&lt;br /&gt;&lt;br /&gt;#2 try and open existing areas that require key ( well, jiggleers are not much use on side dimpled lock/key... but i felt around a bit to see if there was anything obvious I could spring it with... no dice)&lt;br /&gt;&lt;br /&gt;#3 Guess the PW " Hrm, these arent security people.. lets try the standards. 
0000,1234,4321,1111,9999.. nope... maybe some that are bike  or location specific... 0303,3030,0720,7200, 0666,6660,9990,0999... and so on... trying other ducati model #'s and things that may represent my location or even the bike *hence 666-Diavel..) STILL NO LUCK&lt;br /&gt;&lt;br /&gt;#4 Bypass (I rooted around the bike for about 20 min trying to see how the ignition worked. Of course... I could trace the mess of wires back to an area that required tools not present at the time... so no luck there&lt;br /&gt;&lt;br /&gt;Stuck and unable to do much more, I called in some backup. My wife was on the way to the dealership and Ryan was on the keys trying to ask the interwebs for the password. There was nothing out there in a quick search that he could find. *Oh yea.... I didn't have my phone with me so I was doing this all through a neighbors cell*&lt;br /&gt;&lt;br /&gt;Finally after almost 2 hours, the phone rings. It's the dealership. In haste I say " what is the password" and they walk me through it. the password is 1375... a number that seemed familiar. The bike fires back up and I am back on the road towards the dealer. As I arrive the salesman is standing out front with a long face. He calls out &lt;br /&gt;&lt;br /&gt;Sales Guy(SG):" Man, I am sooooo sorry. I should have told you about that password. One of our tech's lost the key so we have had to run it with the password instead of the key." &lt;br /&gt;&lt;br /&gt;Great... now I care more about the security of the bike...than the discount I could have negotiated from being a pissed off customer. I respond &lt;br /&gt;&lt;br /&gt;Me:"So, you run this without the key?" &lt;br /&gt;&lt;br /&gt;SG:"Yep, if you have the key the password screen just doesn't show up.. but its an awesome feature if you ever lose a key or something. It is set up that way from the factory."&lt;br /&gt;&lt;br /&gt;Me: "Um, yea... 
or if someone wants to steal your bike and guesses your password"&lt;br /&gt;&lt;br /&gt;SG: "I supposed thats true"&lt;br /&gt;&lt;br /&gt;Me: *relooking over the bike and seeing why 1375 is familiar* "Huh, the code is the last 4 of the VIN"&lt;br /&gt;&lt;br /&gt;SG: "Well, lemme tell ya something *as he shields his mouth like he is telling a secret* ALL OF THESE BIKES USE THE LAST 4 OF THE VIN AS THE PASSWORD. THAT IS HOW THEY COME FROM THE FACTORY"&lt;br /&gt;&lt;br /&gt;Just then, you can see my wife's face drop and look at me... as if to say.. " I CAN'T believe that you just told HIM that!!!"&lt;br /&gt;&lt;br /&gt;ME: " Can you change the password"&lt;br /&gt;&lt;br /&gt;SG: "We have a call in to them on that, but as of right now there is no option"&lt;br /&gt;&lt;br /&gt;Me: " Holy $#it, that is horrible."&lt;br /&gt;&lt;br /&gt;I was blown away. Now I sit there with the bike of my dreams and it is tainted with a trivial flaw which could allow for its theft. What to do? Well, sad to say, I walked away. I needed to feel out mitigation options for this fundamental flaw.&lt;br /&gt;&lt;br /&gt;Just to be sure, I checked this out with a few other ducati/security fans. It seems it is true. Ducati in ATL 1 of 1 bikes started. Ducati Dallas 2 of 2 started. Ducati London 1 of 1 started. Boy oh boy, were the salespeople and others surprised to see them fire up.&lt;br /&gt;&lt;br /&gt;With the righ mindset this could be an AWESOME feature. 2Factor auth to start my BIKE!!!! HELL YES! 
&lt;br /&gt;&lt;br /&gt;BUT...&lt;br /&gt;&lt;br /&gt;In the name of convenience, like most other failed security controls, we are left with a 4 digit password between the criminal and the 162HP prize.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-8502835810099190900?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/8502835810099190900/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2011/04/why-cant-i-just-buy-motorcycle-without.html#comment-form' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/8502835810099190900'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/8502835810099190900'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2011/04/why-cant-i-just-buy-motorcycle-without.html' title='Why can&apos;t I just buy a motorcycle without WORK interfering?'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-6083618435467493727</id><published>2010-04-05T10:56:00.002-06:00</published><updated>2010-04-05T11:02:02.951-06:00</updated><title type='text'>Confessions of a SecAddict</title><content type='html'>&lt;meta equiv="Content-Type" content="text/html; charset=utf-8"&gt;&lt;meta name="ProgId" content="Word.Document"&gt;&lt;meta name="Generator" content="Microsoft Word 12"&gt;&lt;meta name="Originator" 
content="Microsoft Word 12"&gt;&lt;p class="MsoNormal" style="text-align: center;"&gt;“GOD, grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom to go out drinkin’ afterwards!”&lt;br /&gt;-A.P.Delchi&lt;/p&gt;
anchorx="margin" anchory="margin"&gt; &lt;/v:shape&gt;&lt;![endif]--&gt;&lt;!--[if !vml]--&gt;&lt;meta equiv="Content-Type" content="text/html; charset=utf-8"&gt;&lt;meta name="ProgId" content="Word.Document"&gt;&lt;meta name="Generator" content="Microsoft Word 12"&gt;&lt;meta name="Originator" content="Microsoft Word 12"&gt;&lt;link rel="File-List" href="file:///C:%5CUsers%5CCNICKE%7E1%5CAppData%5CLocal%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_filelist.xml"&gt;&lt;link rel="Preview" href="file:///C:%5CUsers%5CCNICKE%7E1%5CAppData%5CLocal%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_preview.wmf"&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;o:documentproperties&gt;   &lt;o:version&gt;12.00&lt;/o:Version&gt;  &lt;/o:DocumentProperties&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;link rel="themeData" href="file:///C:%5CUsers%5CCNICKE%7E1%5CAppData%5CLocal%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_themedata.thmx"&gt;&lt;link rel="colorSchemeMapping" href="file:///C:%5CUsers%5CCNICKE%7E1%5CAppData%5CLocal%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_colorschememapping.xml"&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:worddocument&gt;   &lt;w:view&gt;Normal&lt;/w:View&gt;   &lt;w:zoom&gt;0&lt;/w:Zoom&gt;   &lt;w:trackmoves/&gt;   &lt;w:trackformatting/&gt;   &lt;w:punctuationkerning/&gt;   &lt;w:validateagainstschemas/&gt;   &lt;w:saveifxmlinvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;   &lt;w:ignoremixedcontent&gt;false&lt;/w:IgnoreMixedContent&gt;   &lt;w:alwaysshowplaceholdertext&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;   &lt;w:donotpromoteqf/&gt;   &lt;w:lidthemeother&gt;EN-US&lt;/w:LidThemeOther&gt;   &lt;w:lidthemeasian&gt;X-NONE&lt;/w:LidThemeAsian&gt;   &lt;w:lidthemecomplexscript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;   &lt;w:compatibility&gt;    &lt;w:breakwrappedtables/&gt;    &lt;w:snaptogridincell/&gt;    &lt;w:wraptextwithpunct/&gt;    &lt;w:useasianbreakrules/&gt;    &lt;w:dontgrowautofit/&gt;    &lt;w:splitpgbreakandparamark/&gt;    &lt;w:dontvertaligncellwithsp/&gt;    
&lt;w:dontbreakconstrainedforcedtables/&gt;    &lt;w:dontvertalignintxbx/&gt;    &lt;w:word11kerningpairs/&gt;    &lt;w:cachedcolbalance/&gt;   &lt;/w:Compatibility&gt;   &lt;m:mathpr&gt;    &lt;m:mathfont val="Cambria Math"&gt;    &lt;m:brkbin val="before"&gt;    &lt;m:brkbinsub val="&amp;#45;-"&gt;    &lt;m:smallfrac val="off"&gt;    &lt;m:dispdef/&gt;    &lt;m:lmargin val="0"&gt;    &lt;m:rmargin val="0"&gt;    &lt;m:defjc val="centerGroup"&gt;    &lt;m:wrapindent val="1440"&gt;    &lt;m:intlim val="subSup"&gt;    &lt;m:narylim val="undOvr"&gt;   &lt;/m:mathPr&gt;&lt;/w:WordDocument&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="0" semihidden="false" unhidewhenused="false" qformat="true" name="Normal"&gt;   &lt;w:lsdexception locked="false" priority="9" semihidden="false" unhidewhenused="false" qformat="true" name="heading 1"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 2"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 3"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 4"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 5"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 6"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 7"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 8"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 9"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 1"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 2"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 3"&gt;   &lt;w:lsdexception locked="false" priority="39" 
name="toc 4"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 5"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 6"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 7"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 8"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 9"&gt;   &lt;w:lsdexception locked="false" priority="35" qformat="true" name="caption"&gt;   &lt;w:lsdexception locked="false" priority="10" semihidden="false" unhidewhenused="false" qformat="true" name="Title"&gt;   &lt;w:lsdexception locked="false" priority="1" name="Default Paragraph Font"&gt;   &lt;w:lsdexception locked="false" priority="11" semihidden="false" unhidewhenused="false" qformat="true" name="Subtitle"&gt;   &lt;w:lsdexception locked="false" priority="22" semihidden="false" unhidewhenused="false" qformat="true" name="Strong"&gt;   &lt;w:lsdexception locked="false" priority="20" semihidden="false" unhidewhenused="false" qformat="true" name="Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="59" semihidden="false" unhidewhenused="false" name="Table Grid"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Placeholder Text"&gt;   &lt;w:lsdexception locked="false" priority="1" semihidden="false" unhidewhenused="false" qformat="true" name="No Spacing"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2"&gt;   &lt;w:lsdexception locked="false" priority="65" 
semihidden="false" unhidewhenused="false" name="Medium List 1"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Revision"&gt;   &lt;w:lsdexception locked="false" priority="34" semihidden="false" unhidewhenused="false" qformat="true" name="List Paragraph"&gt;   &lt;w:lsdexception 
locked="false" priority="29" semihidden="false" unhidewhenused="false" qformat="true" name="Quote"&gt;   &lt;w:lsdexception locked="false" priority="30" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Quote"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 2"&gt;   
&lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 
Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" 
name="Medium Grid 3 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" 
unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" 
semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;style&gt; &lt;!--  /* Font Definitions */  @font-face 	{font-family:"Cambria Math"; 	panose-1:2 4 5 3 5 4 6 3 2 4; 	mso-font-charset:0; 	mso-generic-font-family:roman; 	mso-font-pitch:variable; 	mso-font-signature:-1610611985 1107304683 0 0 415 0;} @font-face 	{font-family:Calibri; 	panose-1:2 15 5 2 2 2 4 3 2 4; 	mso-font-charset:0; 	mso-generic-font-family:swiss; 	mso-font-pitch:variable; 	mso-font-signature:-520092929 1073786111 9 0 415 0;} @font-face 	{font-family:"Engravers MT"; 	panose-1:2 9 7 7 8 5 5 2 3 4; 	mso-font-charset:0; 	mso-generic-font-family:roman; 	mso-font-pitch:variable; 	mso-font-signature:3 0 0 0 1 0;}  /* Style Definitions */  p.MsoNormal, li.MsoNormal, div.MsoNormal 	{mso-style-unhide:no; 	mso-style-qformat:yes; 	mso-style-parent:""; 	margin-top:0in; 	margin-right:0in; 	margin-bottom:10.0pt; 	margin-left:0in; 	line-height:115%; 	mso-pagination:widow-orphan; 	font-size:11.0pt; 	font-family:"Calibri","sans-serif"; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	
mso-fareast-font-family:Calibri; 	mso-fareast-theme-font:minor-latin; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin; 	mso-bidi-font-family:"Times New Roman"; 	mso-bidi-theme-font:minor-bidi;} .MsoChpDefault 	{mso-style-type:export-only; 	mso-default-props:yes; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-fareast-font-family:Calibri; 	mso-fareast-theme-font:minor-latin; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin; 	mso-bidi-font-family:"Times New Roman"; 	mso-bidi-theme-font:minor-bidi;} .MsoPapDefault 	{mso-style-type:export-only; 	margin-bottom:10.0pt; 	line-height:115%;} @page Section1 	{size:8.5in 11.0in; 	margin:1.0in 1.0in 1.0in 1.0in; 	mso-header-margin:.5in; 	mso-footer-margin:.5in; 	mso-paper-source:0;} div.Section1 	{page:Section1;} --&gt; &lt;/style&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable 	{mso-style-name:"Table Normal"; 	mso-tstyle-rowband-size:0; 	mso-tstyle-colband-size:0; 	mso-style-noshow:yes; 	mso-style-priority:99; 	mso-style-qformat:yes; 	mso-style-parent:""; 	mso-padding-alt:0in 5.4pt 0in 5.4pt; 	mso-para-margin-top:0in; 	mso-para-margin-right:0in; 	mso-para-margin-bottom:10.0pt; 	mso-para-margin-left:0in; 	line-height:115%; 	mso-pagination:widow-orphan; 	font-size:11.0pt; 	font-family:"Calibri","sans-serif"; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin; 	mso-bidi-font-family:"Times New Roman"; 	mso-bidi-theme-font:minor-bidi;} &lt;/style&gt; &lt;![endif]--&gt;  &lt;/p&gt;&lt;div style="border-width: 1pt medium; border-style: solid none; border-color: white -moz-use-text-color; padding: 10pt 0in; font-weight: bold; color: rgb(204, 0, 0);"&gt;  &lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center; border: medium none; padding: 0in;" align="center"&gt;&lt;span style="font-size: 16pt; line-height: 115%; font-family: 
&amp;quot;Engravers MT&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;“&lt;/span&gt;&lt;span style="font-size: 20pt; line-height: 115%; font-family: &amp;quot;Engravers MT&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;GOD,&lt;/span&gt;&lt;span style="font-size: 16pt; line-height: 115%; font-family: &amp;quot;Engravers MT&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center; border: medium none; padding: 0in;" align="center"&gt;&lt;span style="font-family: &amp;quot;Engravers MT&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;&lt;span style=""&gt; &lt;/span&gt;grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom go out drinkin’ afterwards!”&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center; border: medium none; padding: 0in;" align="center"&gt;&lt;span style="font-size: 8pt; line-height: 115%;"&gt;-A.P.Delchi&lt;/span&gt;&lt;i&gt;&lt;span style="font-size: 8pt; line-height: 115%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;/div&gt;  &lt;br /&gt;&lt;!--[endif]--&gt;&lt;b style="font-weight: bold; color: rgb(204, 0, 0);"&gt;&lt;span style="line-height: 115%;font-size:22pt;" &gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; 
&lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style="font-weight: bold; color: rgb(204, 0, 0);" class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I am over it! I am over all of the BS. I am over all of the compliance posturing. I am over all of the “NEW AGE” High tech hipster ways to get a hold on a problem that is created&lt;span style=""&gt;  &lt;/span&gt;“FOR THE PEOPLE BY THE PEOPLE.” I am over “We can’t.” I am over the cutting of the security budget to the bone. I am over having to use FUD to get attention. (Which is nothing more than promoting the stereotype of security professionals being cry baby premadonna’s.) I am over having to try and use corporate politics, back handed practice and overall impossible tactics just to create “something to REACT to.” I am just plain sick and tired of the loss of money, the incessant security breach headlines, the constant increase of security theater, and the train wreck life of a typical &lt;span style=""&gt; &lt;/span&gt;security posture.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Have you ever felt this way? Do you feel this way now? Are you “too tired” or “powerless” with regards to the security battle? Do you feel&lt;span style=""&gt;  &lt;/span&gt;“under control, hands tied, and have an overall lack of drive.” Do you see a pattern?&lt;/p&gt;  &lt;p class="MsoNormal"&gt;./Big_Giant_Breath&lt;/p&gt;  &lt;p class="MsoNormal"&gt;These are the signs you would see in a person with an extreme addiction. Yep! 
Change the words and context around just a little bit and you have a classic addict. Its hard to choke down. I get it. It’s not conventional… I know. But, it’s real. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;As with the history of alcohol and drug abuse, there have been decades of quick fixes. There has been millions of “get fixed quick” type programs. There have been high tech treatments and “silver bullet” pills that cure this horrible disease but none of them was/is a real solution. The reason for this is that fighting an addiction takes a lifetime of practice and will only end when you die. Until then, you will have to take it one day at a time and step by step. Around every corner will be a reason to slip back into your “old ways.” Sound familiar yet?&lt;/p&gt;  &lt;p class="MsoNormal"&gt;With all of these factors above sharing a frightening parallel and a quite common theme I think there is something to learn. I started thinking about this quite a long time ago when I was first exposed to the 12 step program. I was studying conjoint family therapy with the hopes that it would seriously up my Social Engineering game. I was taking the cross training approach to my career. I wanted to get into all of the classes, books, seminars and groups that were focused on “fixing” the bad behaviors of humans. I figured that by learning the fix I would better learn how to break them. Holy $h1T was I surprised.&lt;span style=""&gt;  &lt;/span&gt;Here I am, sitting in the room, playing my role and absorbing as much as I could when it hit me. I am really screwed up. ( I know, shocking.. haha) Seriously though… I was able to identify things in my life what were superpower road blocks. Things that were so serious that I was sitting in the room, on the verge of tears and feeling completely helpless. A man named Stephen Young, who was teaching this class, came over to me and knew I was in a bad way. He knew this because under my supercool H4x0r exterior I was falling apart. 
He read my psychosomatic posture, he analyzed my every move and breath, he even was taking my pulse and temperature. This extraordinary man came up to me and put me on the spot. With his relentless pursuit of the truth and his unreasonable stance for my resolve he broke me in half. He exposed me.&lt;span style=""&gt;  &lt;/span&gt;It took a long time. To me it felt like an eternity but in the end I opened up like a box that didn’t install the patch for MS08-067. From my session in this class I learned about something very important in my life. I learned the difference between being HELPLESS and being POWERLESS. On the surface this may be a no brainer or it may look like the 2 words can be interchanged. Underneath the hood of the human experience, this is one of the tipping points of eternal happiness. I won’t go into detail on the many facets of how humans treat themselves based on their perception of the situation or the vast and complex punishments we invoke on ourselves. You are a human, you have done it…. Like it or not… we all do. It is a common thread in our psychological makeup.&lt;span style=""&gt;  &lt;/span&gt;Due to that fact, we all have a struggle with these powerless and helpless concepts. To set the record straight in the most raw definition of the words:&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Powerless: Without POWER&lt;/p&gt;  &lt;p class="MsoNormal"&gt;This feeling comes with an overwhelming feeling of being weak. When we are powerless we do not have control. We are not the driver and we have no way to decide whether the car is going to crash into the wall or not. The brakes are out, the steering wheel is broken, and all the doors are locking you in. You are not without help or a solution, but you just have no real choice on what comes next&lt;span style=""&gt;  &lt;/span&gt;(this concept took about 3 years for me to really get, so if it is confusing in this short burst… you are not alone!) 
When the car hits the wall… there is no reason to be mad… it was out of your control. What freedom. No reason to beat yourself up…. It was simply out of your hands at that very moment.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;u&gt;Helpless:&lt;/u&gt; Without HELP&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Now, we really gotta dig in to where that puts us mentally. When you do not have power, you feel weak. You feel like you can not take on something alone. You feel abandoned and in a state where all is lost. The confusion here commonly comes from the target of your abandoned feeling. In you mind it means that you are alone and not equipped to handle the job. You don’t have the manpower to overcome the odds at hand. In reality you are abandoned. Not by other people. You abandon yourself. You punish yourself by making all these crazy meanings that you extrapolate from mounds of “evidence” to support your claim. You are not without friends. You are not without HELP. You are not alone at all. Your perception is your jail and its security controls are unable to be compromised (after all… you built em ;).&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I know, I know &lt;span style=""&gt; &lt;/span&gt;you are saying..“ Geez hippie… hug a tree or something….” But this is an important thing to understand with relevance to InfoSec. Take those definitions above and apply them to your daily life. Apply them to your job. Apply them to all of the frustration that you had agreed with in the beginning of this post. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;What did you find?&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Well, because we are all humans, and because we all have a TON in common. We are all likely to experience the same feelings at some point or another.&lt;span style=""&gt;  &lt;/span&gt;Maybe for you this is not the time.. Maybe this is the one… Regardless, it is a part of life. We have all been happy or sad, or indifferent. 
For this simple trend, we all have had common issues.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;This brings us back to our fuzzy little InfoSec lives. The revolving world of compliance drives companies to scope and de-scope assets like fashion trends. They inspire a momentary response which is more motivated by negative incentive than anything else. Now, I am not saying compliance is bad or useless or whatever you make it. I am saying that the feeling that causes action still leaves you in that helpless state. It never addresses the human-anchored problem that we all face. It never addresses the helpless feeling which overwhelms so much of the industry. Compliance has created amazing action and movement in InfoSec but it usually doesn’t provide a holistic and cultural human change. It is kind of like taking an alcoholic and saying “Well, we will consider you recovered if you don’t drink Vodka any more. All of the other alcohol isn’t IN SCOPE.” This is just an insane statement but it is how I see many compliance programs dealt with. For this reason I started thinking about how addicts are treated. Sure, there are pills, programs, and fixes all over. There are Detox centers that claim to “Get you clean,” but all the successful ones have a common thread. They have a common goal and a common roadmap to get there.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;This roadmap is called the “12 Step” program. It has stood the test of time as a repeatable and trendable mechanism for recovery. As I looked at the steps in depth from many perspectives I realized that this may be a good place for us to start our own recovery. We have a million ways to lock down an organization. We have more to implement and even more technologies to support it. What we don’t have is a real way to get started. We don’t own our own recovery; we usually act like it is forced upon us. Because of the lack of ownership, it allows us to “cheat” in our own program. 
It allows us to blame a scapegoat (whether that’s compliance or an infosec savvy employee). There is always someone else to blame and at the root of it, it is the reason we have rarely succeeded with our insecurity “recovery.” &lt;/p&gt;  &lt;p class="MsoNormal"&gt;Taking all of that into account, I decided to modify the steps just slightly to see if they would work to aid in our business recovery efforts. After a long hard look (and a few flights) I wanted to present this back out to the community to see what we could do with it. &lt;/p&gt;  &lt;p class="MsoNormal" style="text-align: center;" align="center"&gt;&lt;span style="line-height: 115%;font-size:36pt;" &gt;12 Steps &lt;/span&gt;&lt;span style="line-height: 115%;font-size:18pt;" &gt;(of insecurity recovery)&lt;/span&gt;&lt;span style="line-height: 115%;font-size:36pt;" &gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpFirst" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;1.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;We admitted we were powerless over security – that our environments had become unmanageable.&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;2.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Came to believe that a power greater than ourselves could restore us to being secure&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;3.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Made a decision to turn our will and our lives over to the care 
of best practice as we understand them.&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;4.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Made a searching and fearless inventory of our environments and its assets, both information and physical.&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;5.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Admitted to ourselves and those assisting us in our recovery the exact natures of our wrongs&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;6.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Were entirely ready to have an independent assessment of our environment and accept the recommendations suggested to remove the flaws identified.&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;7.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Humbly ask for help remediating our flaws.&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;8.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Made a list of all the persons we ignored and became willing to make amends to them all&lt;/p&gt;  &lt;p 
class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;9.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Made direct amends to such people wherever possible, except when to do so would injure the brand or the company.&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;10.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;   &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Continued to take corporate inventory and when we found flaws promptly admitted it&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;11.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;   &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Sought through policy, process and procedure to improve our conscious understanding of best practices as we understand them and only for knowledge of his will for us and the power to carry that out&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpLast" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style=""&gt;&lt;span style=""&gt;12.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;   &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;Having had a corporate awakening as the result of these steps, we tried to carry this message to other organizations and to practice these principles in all our affairs&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I know that there is no silver bullet. There is no magic diet pill that will make me thin, healthy, and perfect. 
There are some things we can do about it. There are things we can accept in life and leverage the experience to live a life that is extraordinary.&lt;span style=""&gt;  &lt;/span&gt;The quick fixes are rarely responsible for major breakthroughs. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;The tech won’t save us. The regulations will never be good enough. The cloud won’t be the silver lining.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Sorry to say it, but security is hard work. It takes blood, sweat, tears and good ole fashion work to make headway. We can use the fads and toss around millions of dollars on a quick fix, or we can just get to work. Do you want to put in the work to admit you have a problem or do you want to continue blaming someone else for the problems?&lt;span style=""&gt;  &lt;/span&gt;There is a way out. You have help. All you have to do, is take&lt;span style=""&gt;  &lt;/span&gt;“The first step.”&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-6083618435467493727?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/6083618435467493727/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2010/04/confessions-of-secaddict.html#comment-form' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/6083618435467493727'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/6083618435467493727'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2010/04/confessions-of-secaddict.html' title='Confessions of a 
SecAddict'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-8926839985033611962</id><published>2009-04-06T00:52:00.002-06:00</published><updated>2009-04-06T01:05:23.816-06:00</updated><title type='text'>Why NOT to pick padlocks on a Flight</title><content type='html'>This is an OOLD post but due to some stories told this weekend I thought I would put it back out there for the public to see once again.&lt;br /&gt;&lt;br /&gt;enjoy&lt;br /&gt;&lt;br /&gt;&lt;div class="blogTimeStamp"&gt;                         Monday, April 30, 2007       &lt;/div&gt;                     &lt;table class="blog" border="0" cellpadding="0" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td width="30"&gt;&lt;img alt="" src="http://x.myspace.com/images/spacer.gif" border="0" width="30" height="1" /&gt;&lt;/td&gt;        &lt;td&gt;         &lt;!--- blog subject ---&gt;         &lt;div class="blogSubject"&gt;           &lt;label id="pBlogSubject_259468854"&gt;I was "A Terrorist" on United Flight 5829 last weekend&lt;/label&gt;&lt;label id="translatedBlogSubject_259468854" style="display: none;"&gt;&lt;/label&gt;                                           &lt;br /&gt;Current mood: &lt;img src="http://x.myspacecdn.com/images/blog/moods/iBrads/angry.gif" /&gt; cynical                                    &lt;br /&gt;&lt;b&gt;Category:&lt;/b&gt; Life                                 &lt;/div&gt;                                 &lt;!--- blog body ---&gt;                     &lt;div id="pBlogBody_259468854" class="blogContent"&gt;&lt;p class="MsoNormal"&gt;Wow... 
Where to start..&lt;br /&gt;&lt;br /&gt;For those of you who don't know me as well...  I must first set the stage. What I do for a living:  For the last 10+ years I have been working for Organizations like Navy Intelligence, Sprint, KPMG, and hundreds of other Fortune 500 companies to help grow how secure they are. I conduct risk assessments, Compliance Assessments, Ethical Hacking, Vulnerability Assessment, and Physical security assessment as well as Physical Security Penetration testing.&lt;br /&gt;&lt;br /&gt;That being said... here we go.&lt;br /&gt;&lt;br /&gt;Last weekend ( on Thursday ) I started the most intense flight to another city that I have ever had.&lt;br /&gt;&lt;br /&gt;I decided to go to Pittsburgh with my girlfriend to attend her Grandfather's 80th birthday. A relatively normal task. Fly from Colorado, quick stop over in O'Hell airport in Chicago ** I hate that place..  no way to EVER be on time if you go through there *.... and then bam...   Chi-Pittsburgh.&lt;br /&gt;&lt;br /&gt;Thursday AM, I wake up promptly at 4:00 am for my 6am departure. Lucky me, I got a whole hour of sleep. After a quick cold water shower and shaking off the drinks from the night before I throw on some jeans and toss on this &lt;a href="http://www.lockpicking101.com/supporter.php" target="_self"&gt;t-shirt&lt;/a&gt;, then throw my crap into the Audi and buzz off to the airport. Nice drive at 4am. Not a soul on the road and took about 20 min to get to the Pikes Peak parking area. I bet I waited 35 min on that bus....  freezing my ass off...  just so that some low rent bus driver could fill EVERY seat on the bus. 4 other shuttles went by... but this committed lil worker bee stayed fast.. Till the bitter end.&lt;br /&gt;&lt;br /&gt;Great Success!! He fills the bus by about 4:55.  We slowly troll up to the United Airlines stop and I get off the bus. Lucky for me, I had my entire ticket schedule and ticket book pre-printed. 
I scooted around the line (due to my Exec Premier Status) and went through the Airport Security Checkpoint. As always.. I unpack my Boblbee Backpack, take off my shoes, strip my belt and all other possible metal. I look like a Sherpa when I travel, because god knows United couldn't keep track of ANY of the bags I have EVER flown with. Nonetheless, I also took out my SouthOrd lock pick roll and handed it over to TSA. ( I do this every flight ahead of time, instead of them stopping me to inspect my bag) "All good! Nice to see you again Mr. Nickerson" they exclaim.  Hooray! I am through and ready to begin my much needed vacation.  I finally stroll up to the gate, just as last call is being made to get on the flight to O'Hare (or O'Hell, as so many of my coworkers affectionately refer to it). I settle in to seat 9b on flight United 360 from DEN-&gt;ORD @ 6:35. I crack open some light reading: Hacking Exposed VOIP by our friend Dave Endler. Great read btw... It was an easy flight, as always. (I take this route at least 2-4x a month). I had a quick layover and was off to Pittsburgh.&lt;br /&gt;&lt;br /&gt;We board the plane and I promptly get into my seat 3a on flight 5829 from ORD-&gt;PIT @ 11:53am on April 26, 2007. This flight will go down as my Magnum opus. I have Premier Status (50k miles per year) on 3 airlines...and this.. my friends...was the strangest flight I have EVER taken.&lt;br /&gt;&lt;br /&gt;As I was sitting in my seat I made a single serving friend with my seat mate. A guy in his late 20's early 30's that was in the Military. He was just on his way back from Afghanistan. We waxed lowbrow about jobs and military life and how the secrecy is an interesting and well needed thing. We got into a small conversation about what I do and the book I was reading. Shortly after, we prepare for takeoff. I set down my book and other flight toys (pad locks, pick set, iPod, headphones, and pc) to prepare for liftoff. Shortly after a Flight attendant stops by. 
Linda, I think was her name...   it was hard to tell over all the shouting. "WHAT ARE YOU DOING,, WHY DO YOU HAVE THOSE? WHAT IS THAT???" she blasts into my seat. I was sitting quietly at my seat practicing picking open 3 different locks. I like to do this on flights to stay relaxed and meditate. It also keeps *the feel* in my fingers so that I can stay sharp.&lt;br /&gt;&lt;br /&gt;In a total panic I drop the picks and lock and yelp. She scared the living daylights out of me! " I am picking open these padlocks that I brought to practice. I am a security professional and one of the facets of our job is Physical security. Lock picking is an art... you have to practice it to feel it. This is something that we have to do much more than the reading for risk assessment or hacking a vulnerability we have exploited 10000 times." She was perplexed. She runs to the front of the plane. After a few frantic and muffled phone calls she comes back for round 2.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;Attendant:&lt;/u&gt;&lt;/b&gt; Why DO YOU HAVE THOSE?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;Me: &lt;/u&gt;&lt;/b&gt;Um... I told you... I am in security. I use them as tools for work.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;Attendant:&lt;/u&gt;&lt;/b&gt; YOU CAN'T HAVE THOSE, THAT's ILLEGAL&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;Me: &lt;/u&gt;&lt;/b&gt;Ma'am, they are not illegal, I fly with them all the time. You are more than welcome to hold on to them for the remainder of the flight if that will make you feel more comfortable.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;Attendant:&lt;/u&gt;&lt;/b&gt; I DONT UNDERSTAND! YOU CAN'T DO THAT. WHO DO YOU WORK FOR.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;Me&lt;/u&gt;&lt;/b&gt;: Ma'am, I am a consultant. 
I do work for large businesses, prominent security firms and other government organizations such as the FBI, NSA, and Various Department Agencies.&lt;br /&gt;&lt;br /&gt;She snatches the pick roll from my hands and runs to the front of the plane.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;u&gt;Attendant:&lt;/u&gt;&lt;/b&gt;We have to land. There is a major security issue. There is a passenger with little knives and these steel things. (As said to the captain so EVERYONE ON THE FLIGHT COULD HEAR)&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Great!!  Now the whole plane starts freaking out. People are clamoring about guns, knives, bombs, and the best…..  How I am some sort of terrorist. Yep, ME…   working all my life to secure this country and the businesses within it…. A TERRORIST! The next was my favorite.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Attendant: &lt;/u&gt;&lt;/b&gt;&lt;u&gt;(to the other attendant as well as the pilot… but loud enough for the first 10 rows to hear)&lt;b&gt; :&lt;/b&gt;&lt;/u&gt;&lt;i&gt; I think he may be some sort of terrorist. He says he works for the government, but I just don't know. I don't believe him.&lt;o:p&gt;&lt;/o:p&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Fantastic. I am going out of my way to go to Pittsburgh to see my girlfriend and attend her Grand Fathers 80&lt;sup&gt;th&lt;/sup&gt; Birthday, meeting the ENTIRE family and ALL of her old friends from growing up there. I thought that was stressful..  HAHA..  Now I have to worry about the passengers, crew, and whatever is waiting back at the gate. 
Maybe I will be meeting Grandpa from a pretty urn or conference call from the hospital.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Finally the pilot chimes in&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Pilot:&lt;/u&gt;&lt;/b&gt; One of our attendants has identified a major security risk on the flight and we will be going back to the  O'hare gate to further investigate.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Whew…. Least we aren't gonna fly around so one of these 9/11 scared maniac sheep of American society, back in the bowels of the plane can try and be a hero and toss me out. I may have a shot at living through the ignorance of this stress addled icon of customer service flight attendant. We arrive to the gate… flashing lights all over…and I stand up to get my cell phone. Fortunately I know a lot of government and TSA contacts that I have done work for. I spam every person I know that can vouch for who I am and what I can do. 
I am met mid ascent to the overhead baggage by our first hero in the back&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Hero: &lt;/u&gt;&lt;/b&gt;SIT DOWN!!!!&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;ME:&lt;/u&gt;&lt;/b&gt;  (&lt;i&gt;obviously this guy is gonna save this freshly docked plane from the bad terrorist before the cops do… his one big shot at TV glory, oh man… what now?&lt;/i&gt;) Hey man, I am just getting my phone… there is a huge misunderstanding… It's all ok.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Hero: &lt;/u&gt; &lt;/b&gt;SIT THE F*%&amp;amp; DOWN BEFORE I COME UP THERE AND MAKE YOU SIT &lt;i&gt;(**Cheered on by a few other passengers chorusing in**&lt;/i&gt;)&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I sit down and disengage... right as the plane stops and attaches to the catwalk. As soon as the door of the jet flings open, the crew quickly scoots outside. No announcement to the passengers… nothing… Gotta love that?!? I would have been terrified if I was in the back of that flight. They are off the plane for almost 20 min when an agent from TSA sticks his badge laden hat through the door. I nod and walk out. I am met by Chicago Police officials, the TSA Chief, the TSA Lieutenant, and the Captain/Co-Captain of the flight. The first thing I am met with is the Captain of the flight with his hand extended. Naturally I bounce out of the plane and say " Hey guys, what's up?" I was as American as baseball and apple pie.  I walk up to the captain and shake his hand &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Captain:&lt;/u&gt;&lt;/b&gt; " Mr. Nickerson….  We are REALLY sorry about this mess. Our flight attendant did not know that you are allowed to have these and she really handled the situation inappropriately! 
We are so sorry!"&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Me:&lt;/u&gt;&lt;/b&gt; " Right on…   I understand, but that was really crazy. I tried to give them to her and explain, but she wouldn't stop yelling at me."&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt; &lt;u&gt;Chicago Police:&lt;/u&gt;&lt;/b&gt; " We are sorry Chris….   We understand that these are tools of your trade and appreciate what you guys do.  This is not something we have ever run into before here."&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;TSA:&lt;/u&gt;&lt;/b&gt; "We apologize for the situation; did you bring those through our checkpoints?"&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Me:&lt;/u&gt;&lt;/b&gt; "NO, but I have many times. Every time I fly I hand them to TSA before screening my bags. This way they can approve and check them out."&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;TSA:&lt;/u&gt;&lt;/b&gt; "Oh, well you shouldn't have those but we…"&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Chicago Police&lt;/u&gt;&lt;/b&gt; "Give Him Back his TOOLS!!" As they snatch it from his hands and toss at me&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I tell the clan thanks…etc… and start making my way back on the jet. The captain calls out&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Captain:&lt;/u&gt;&lt;/b&gt; "So.. I have to ask… how long would it take to get through the lock on that door?"&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Me:&lt;/u&gt;&lt;/b&gt; "What????  Um….   * Blown away by the question, I walk on the plane… look at the lock n come back** Prolly 30+ min  if ever… it's a Medco…   those kick ass"&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Captain: &lt;/u&gt;&lt;/b&gt;"Great, I never knew.." 
** as he puts a hand on my back like I was his frat buddy and marches up the catwalk with me&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;He proceeds to make an announcement to the passengers about how I was a security professional and WAS supposed to have what I did and that they were totally safe and not to worry.&lt;/p&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;Had to write this, because I was sick of telling the story... and also to let people know to be careful of those flight attendants still living in the paranoia of 9/11. Oftentimes fear outweighs common sense.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Beware.... Please....&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-8926839985033611962?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/8926839985033611962/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2009/04/why-not-to-pick-padlocks-on-flight.html#comment-form' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/8926839985033611962'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/8926839985033611962'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2009/04/why-not-to-pick-padlocks-on-flight.html' title='Why NOT to pick padlocks on a Flight'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-9142817922012268949</id><published>2009-03-11T17:08:00.002-06:00</published><updated>2009-03-11T18:02:37.143-06:00</updated><title type='text'>SE Webcast</title><content type='html'>&lt;p&gt;This was a really fun webcast I had the pleasure of doing with Mike Murry and Don from EH.NET.  I am pumped about working on the SE Masterclass with Mike. He is a huge resource in the SE community and we are setting the bar impossibly high for this class.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The info:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;In this 1-hour webcast, you'll be taken on a whirlwind adventure back to the days of the first charlatan, forward to the dawn of the Internet and smack dab into the present where these two topics are merging to form the most effective attacks to date.  &lt;/p&gt; &lt;p&gt; Topics include:  &lt;/p&gt; &lt;ul&gt;&lt;li&gt;Brief history&lt;/li&gt;&lt;li&gt;How do I utilize recon data in a SE attack&lt;/li&gt;&lt;li&gt;Highly effective client-side attacks combining SE with exploit frameworks like Core IMPACT &amp;amp; Metasploit&lt;/li&gt;&lt;li&gt;Business value in adding SE to your pen testing efforts&lt;/li&gt;&lt;li&gt;How to learn what they know&lt;/li&gt;&lt;/ul&gt; &lt;p&gt; It has become imperative to assemble a world-class team of experts to train professionals on the technologies and methods of the most dangerous and costly attackers, social engineers. ChicagoCon has responded with the first ever offering of the Social Engineering Master Class, developed and taught by Mike and Chris from May 4 - 8, 2009. For more information, please visit &lt;a href="http://www.chicagocon.com/2009s/semasterclass.html"&gt;www.chicagocon.com/2009s/semasterclass.html&lt;/a&gt;.  
&lt;/p&gt; &lt;p&gt; If you are looking for a class to show you a new way to ask for a password or silly parlor tricks to mess with someone's head, then this course is not for you! If, however, you desire to uncover advanced level material of both a technical and psychological manner, and learn the repeatable methods to gather intelligence, execute attacks, manipulate situations, and formally track a company's susceptibility to social engineering... and be able to mess with someone's head, then there simply is no other course like this in the world. &lt;/p&gt; &lt;p&gt; &lt;span style="font-size: 14pt;"&gt;Two additional announcements:&lt;/span&gt;  &lt;/p&gt; &lt;p&gt; &lt;span style="font-size: 10pt;"&gt;- After the live event, come right back to &lt;a target="_self" href="http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3616.msg16827/topicseen,1/"&gt;this thread&lt;/a&gt; to talk to Chris and Mike.&lt;br /&gt;- A coupon code for a huge discount to the &lt;strong&gt;&lt;em&gt;&lt;a target="_blank" href="http://www.chicagocon.com/2009s/semasterclass.html"&gt;Social Engineering Master Class at ChicagoCon 2009s&lt;/a&gt;&lt;/em&gt;&lt;/strong&gt; will be shown during the webcast. 
Don't miss it!!&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;span style="font-size: 10pt;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;span style="font-size: 10pt;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size: 10pt;"&gt;HERE IT IS!&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size: 10pt;"&gt;http://www.ethicalhacker.net/content/view/242/2/&lt;span style="text-decoration: underline;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;span style="font-size: 10pt;"&gt;&lt;span style="text-decoration: underline;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size: 10pt;"&gt;If you want to ask questions or make comments about the class, we have opened up a thread on EH net to keep the interaction going.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3616.0/&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;span style="font-size: 10pt;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5124364383139248505-9142817922012268949?l=www.laresblog.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/9142817922012268949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2009/03/se-webcast.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/9142817922012268949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/9142817922012268949'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2009/03/se-webcast.html' title='SE Webcast'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-6568590678079210226</id><published>2009-03-09T20:33:00.002-06:00</published><updated>2009-03-09T20:37:35.881-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='browser exploit'/><category scheme='http://www.blogger.com/atom/ns#' term='social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='client side'/><category scheme='http://www.blogger.com/atom/ns#' term='education'/><category scheme='http://www.blogger.com/atom/ns#' term='training'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Webcast: Modern Social Engineering - A Vital Component of Pen Testing</title><content type='html'>I was torn away from teh blog just as soon as I started it. In turn, I have decided to schedule a post every weds to keep some of my rants on track.&lt;br /&gt;&lt;br /&gt;I though I would post this one a bit off to let you know about a webcast I am hosting on Social Engineering.&lt;br /&gt;&lt;br /&gt; Info Below.  PS!! the REAL reason to go  ** there is a $1000 coupon to our SE Master Class during ChicagoCON!&lt;br /&gt;&lt;br /&gt;The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. 
So what is the next step in the never-ending escalation of this cyber war?&lt;p&gt;To find out, we must do as Sun Tzu taught: "Think like our enemy!" That is, after all, the primary tenet of penetration testing, AKA ethical hacking, isn't it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. &lt;strong&gt;&lt;em&gt;People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads... literally.&lt;/em&gt;&lt;/strong&gt; It is only a matter of time before corporations feel the pain of wetware hacking, requiring a new approach to testing and defense.&lt;/p&gt;&lt;p&gt;Join world-renowned social engineers &lt;strong&gt;Chris Nickerson&lt;/strong&gt; of TruTV's Tiger Team and noted expert and international speaker &lt;strong&gt;Mike Murray&lt;/strong&gt; as they prepare you for the future of pen testing. This webcast on &lt;strong&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Tuesday March 10, 2009 at 11:00 CST&lt;/span&gt;&lt;/strong&gt; is your primer to the world of "Modern Social Engineering."&lt;/p&gt;&lt;p&gt;Register:&lt;/p&gt;&lt;p&gt;https://www2.gotomeeting.com/register/627910728&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/6568590678079210226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2009/03/webcast-modern-social-engineering-vital.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml'
href='http://www.blogger.com/feeds/5124364383139248505/posts/default/6568590678079210226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/6568590678079210226'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2009/03/webcast-modern-social-engineering-vital.html' title='Webcast: Modern Social Engineering - A Vital Component of Pen Testing'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5124364383139248505.post-6073351903364638438</id><published>2009-02-23T16:58:00.006-07:00</published><updated>2009-02-23T20:06:33.653-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='eartland'/><category scheme='http://www.blogger.com/atom/ns#' term='social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='first post'/><category scheme='http://www.blogger.com/atom/ns#' term='infosec'/><category scheme='http://www.blogger.com/atom/ns#' term='security testing'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss'/><category scheme='http://www.blogger.com/atom/ns#' term='life'/><category scheme='http://www.blogger.com/atom/ns#' term='breach'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='credit card'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='audit'/><title type='text'>What's to come?!</title><content type='html'>Well, as a first post to this blog, I will likely look back on today and ask "Why did I get into this?"
In order to quell that thought and give you a taste of what's going on in my head, I'd like to give you all some of the essays and articles that are floating around on my HDDs.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;GENERAL TOPICS&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;ul&gt;&lt;li&gt;What the hell is going on this year? There are attacks getting posted every day and no one cares? No news? No action? *I plan on taking on this issue and talking about the modern spin doctors of security and the ways to start firing up community and business alike to stop the bleeding sieve.&lt;/li&gt;&lt;li&gt;Security testing/services companies. Are there any good shops out there? How can you tell, what questions should you ask of them, and what is the difference between security value and slick marketing? I'm gonna rant for a while here because this one drives me crazy.&lt;/li&gt;&lt;li&gt;PAPER TIGERS and the fall of consulting. I want to explore the new era of security engineers. I think that the testing/services shops are just as much to blame, OR EVEN MORE to blame, than the companies getting hacked. Come on, let's hire a $50/hr fighter who's never been in the ring to train us for our PayPerView main event.&lt;/li&gt;&lt;li&gt;Training security engineers. Too much tech and not enough business makes Mr. Engineer a worthless commodity.&lt;/li&gt;&lt;li&gt;How to spend your security dollar and get free testing towards your compliance initiatives. This will detail the use of techniques to review the business objectives, long/short term security strategy, and the pertinent risk to how they interact. There is a way to spend FAR less and gain exponentially more protection. * I'll do this one sooner rather than later, as everyone is sweating the budget crunch.&lt;/li&gt;&lt;li&gt;Where to get started.
How to drink the ocean of security and protection strategies one sip at a time. This will come from the perspective of the many engagements we have done as VIRTUAL CSOs for large and small organizations. The meat of this will be how to stay calm under fire and create a reasonable, goal-oriented security program founded on ROI, not just fear. ** After all.. I don't see a lot of people scared right now after 2 major processors got hit?!?&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Social Engineering&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The modern social engineer and the talents needed to ACTUALLY provide value. This will go over the skills needed in the SE space to truly provide value from a service provider perspective: how to integrate into testing methodologies and find results that clients can take action on.&lt;/li&gt;&lt;li&gt;THE METHOD: SE in 5 distinct phases (Intelligence Collection, Vulnerability Analysis, Planning, Exploitation, and Digging for the Gold). If I hear one more person rant to me about how SE is not repeatable and is a service that relies only on the skill of the engineer, I am going to lose it. SE is a method. It has distinct steps: intel, vulns, exploits and *shells*. I will start to outline what those are and how to make SE something that can be tracked and trended EVERY time.&lt;/li&gt;&lt;li&gt;Information gathering. The most important skill.
If you didn't get in... it's probably because of poor intel work. Let's take another look at how and what we need to collect in intel and recon.&lt;/li&gt;&lt;li&gt;Exploitation tech: the real technology in SE. This one will probably be a few posts.&lt;/li&gt;&lt;li&gt;Client-side attacking in SE projects and how/why you MUST be doing it.&lt;/li&gt;&lt;li&gt;Phishing in pen-tests and how/why you MUST be doing it.&lt;/li&gt;&lt;li&gt;Revisiting Google for SE. The tips and tricks for getting the information you need in a Red Team/SE event are very different from the Google dorking you are used to.&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Random others:&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;War stories: entertaining tales from the front line of Red Team/SE and other risk assessments.&lt;/li&gt;&lt;li&gt;The security sales game.&lt;/li&gt;&lt;li&gt;Behind the scenes. The really fun stuff that happened during Tiger Team (not safe for TV).&lt;/li&gt;&lt;li&gt;and more..&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;I hope to provide an outlet to vent research, sleepless nights, 10-hour introspective flights, experiences, and what I have learned about security thus far. I also make this disclaimer...
I'm not an expert... I just play one on TV =o)&lt;br /&gt;&lt;br /&gt;On we go.&lt;/blockquote&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.laresblog.com/feeds/6073351903364638438/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.laresblog.com/2009/02/whats-to-come.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/6073351903364638438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5124364383139248505/posts/default/6073351903364638438'/><link rel='alternate' type='text/html' href='http://www.laresblog.com/2009/02/whats-to-come.html' title='What&apos;s to come?!'/><author><name>Nickerson</name><uri>http://www.blogger.com/profile/05101697766242051577</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://4.bp.blogspot.com/_RrfMe_nc1PI/SaNMhzvTN0I/AAAAAAAAAAY/SsRqgVwWEz0/S220/12943_009.jpg'/></author><thr:total>4</thr:total></entry></feed>
