Wednesday, May 13, 2020

InfoSec and Overall Pandemic Observations and Predictions


I’ve been noticing many changes in InfoSec, and just overall. Which has led me to some predictions which I thought would be fun to share and come back later and see how I did.

Your feedback on mine and your own observations and predictions are most welcome.

Note: These are uncertain times (if you couldn’t tell from almost every single TV ad on air right now) so it isn’t a good time to try to predict anything therefore all or most of the predictions may be wrong.

InfoSec Observations
  1. While the InfoSec job market was on fire before this, it does not seem to be immune to the hiring freezes being put into place.
  2. Many company’s leadership don’t see InfoSec as critical for survival and is an area that can be looked at to cut costs when in survival mode.
  3. Many InfoSec people are taking on non-security IT functions and those are given a higher priority than their typical security duties.
  4. Criminals who have always in the past leveraged news cycles and disasters for attacks are going all in on this one. Many are advanced using new WFH procedures, or leadership needing to make some important decisions or announcements as attacks and not referencing COVID-19 directly. Overall phishing attacks seem way up to me, and more advanced.
  5. Vendor cold emails/calls/LinkedIn requests are through the roof! It feels like the week after RSAC every week.
  6. Virtual vendor gatherings aren’t very appealing, especially after several video conferences for work. Even if I really like the person and/or product it is still an optional evening video conference meeting after a day of them.


InfoSec Predictions
  1. Compromises are going to go way up in 2020 up due to InfoSec hire freezes, added IT duties, and layoffs.
  2. The InfoSec job market won’t be as hot at the end of this as it was before it started, but it won’t be bad either. I’m guessing closer in line with IT overall.
  3. There will be a push to ensure InfoSec is seen as more critical and can’t be taken over by non-security related IT duties again. I think moving InfoSec out of IT will become more common, and regulators will start mandating it.
  4. InfoSec software/service spend will go down in 2020 instead up and many companies in that space won’t survive.
  5. The InfoSec software/service companies that will do well are the ones with high value for the price and can be directly tied to headcount reduction.
  6. The InfoSec software/service companies that will do the worst are ones that relied on a sales approach that primarily involved steak dinners and drinks with prospects, and ones that need a team of people at the client to manage their product to get value out of it.

Overall Observations
  1. Working from home has changed for everyone, even people who worked from home often before. Video is more common and frequently expected where before conference calls were the norm.
  2. Disposable gloves are now on par with plastic bags randomly on the ground and in the weeds.
  3. Restaurants are switching over to all one-use items, and stores don’t allow reusable bags, the amount of recycling/garbage from shopping has gone way up.
  4. Kids are fishing again.
  5. Everyone is enjoying movies at home, the content we have access to is amazing and it looks great.
  6. Unsupervised kids/teenagers outside aren’t social distancing, or I’m old, or both.
  7. People in rural communities are going back to normal and see this as an urban issue.


Overall Predictions
  1. Jobs that can be done remote will continue to largely be done remote forever. The WFH genie is out of the bottle. People will pick careers based on being able to work from home and will expect it.
  2. The Internet is officially a critical service. And with the ability to remote learn and work, rural communities can attract more people and increase their property values if they have fast reliable Internet and I think many will work on that.
  3. Biodegradable is going to start taking over from recyclable and reusable. Those gloves on the ground, one use menus, bags, food containers, etc. It is simply going to be too much to recycle or put in the trash, and we aren’t allowed to use reusable items. We are going to need to figure out how to make more things biodegradable.
  4. Fishing is going to enjoy a surge in popularity long term.
  5. Kids who thought TV’s are for old people will start appreciating larger screens at home.
  6. Movie theaters are toast, people are going to expect their content at home streamed to them.
  7. I think we are going to see a spike in cases in rural areas and in kids/teenagers which will impact everyone before this is over and will likely cause schools to not open in the fall.

Tuesday, February 4, 2020

Keep Technology Away from Voting Part 2

More info has come out. The makers of the app are Shadow Inc. https://shadowinc.io.

Linked in shows them as a 2-10 person company:

All 10 people appear to be on LinkedIn:

Notices the titles. No Infrastructure (cloud or otherwise), or security in them. To be fair the CEO, COO, and CTO all appear to have very technical backgrounds and I'm guessing are smart people. In fact I bet they are all smart people. But all three have development/coding backgrounds primarily.

They are hiring, a front-end engineer and a wordpress engineer:
https://shadowinc.io/jobs/?utm_content=111269500&utm_medium=social&utm_source=twitter&hss_channel=tw-1141046691090632704

Cloud infrastructure is still infrastructure, networking is networking, and security for all is still critical and can't be left up to your cloud hosting provider to figure out for you.

So far, just wow. We will see what else we learn, too early to judge yet, but so far it doesn't look good.


Keep Technology Away from Voting

I'm posting this in middle of the "total meltdown" of reporting of the Iowa caucus 2020 (https://www.politico.com/news/2020/02/03/iowa-caucus-2020-election-110600). Still a lot is left to be seen and learned about this issue. But as both a security and technology professional for roughly 25 years I want so say this:

Stop trying to use technology for voting!

Security:
No credible cyber-security expert who doesn't have a conflict of interest thinks putting any parts of how we vote or record votes online is a good idea. Any part of our voting system that is connected to the Internet will be attacked by state actors. Protecting against state actors is really hard. The most common successful approach to defending systems against state actors when you know they will be attacked is to not connect them to the Internet! Trying to protect them while leaving them connected is likely not possible, but also adds huge complexity which brings us to the next topic.

Technology:
Technology is hard. All experienced Infrastructure and AppDev people know this. There are more things that can go wrong than you can imagine, and they all do eventually. And if Microsoft can have a major outage because of a certificate expiring (https://www.cnet.com/news/microsoft-teams-outage-due-to-expired-certificate-company-says/) what do you think the odds are the small companies working on systems for voting can do everything perfectly? The more complex a system is, the harder it is to get it right and keep it from having outages or problems. The more security you try to add to something, the more complex you make it. It is too early to tell with this issue, but I wouldn't be surprised if we eventually find out their attempt to keep this system secured helped cause the outage or problems they ran into last night in Iowa. For example, ensuring systems aren't shared in the cloud might have prevented them from being able to quickly scale out when they ran out of resources.

Summary/TL;DR:

  • Anything attached to the Internet that has anything to do with US voting will be attacked by state actors
  • Protecting from this threat is somewhere between hard and impossible, and trying will add complexity to the system
  • Complexity is the bane of all technology and makes outages and issues more likely
  • Therefore even if not successfully attacked, outages and issues should be expected due to this complexity
  • Which means we really should keep voting and vote recording systems offline, and use the least amount of technology as possible for the time being

Thursday, February 1, 2018

Cryptocurrency InfoSec Perspective

So I like Reddit. Some folks on Reddit decided to start their own Cyptocurrency for fun. I've been meaning to learn about how this works for real not just theory in part because I need to have more details to back up telling people blockchain can't fix their problems. What I learned so far was shocking as an InfoSec person. I'm still getting started and learning but I have enough to rant about. This is going to focus on the crazy InfoSec of all of this. Not the details, directions, overclocking the GPU, etc, etc. Go somewhere else if you want to learn to mine. Stay here if you want to learn how dangerous all of this is.

TL;DR:

  • Be careful what executable files you download and run, research the coin or software and if it doesn't look 100% legit don't do it.
  • Don't blow off AV warnings because other are
  • Be careful if your private key and know about any software you paste it into, that is all someone needs to empty out your wallet, if you really get into this look into hardware wallets
  • Research all software you are thinking about using. Google it with the word scam after the name. Really dig into anything that seems easy and is GUI based, the scammers appear to be targeting people who shy away from using command line tools. If you can't deal with command line, don't get into mining.

The Story:

The new currency (which is going to the moon) is Garlicoin. https://garlicoin.io/

For starters you need a wallet. Doing this what they say here https://pandawanfr.github.io/GarlicRecipes/wallet-win.html. This involves downloading a zip full of executable files and running many of them.  Sketchy, but I've been following this community for a while and I'm sure they are solid people. But people are doing this for 1000's of coins they have no involvement with, that is crazy. But OK moving on.

I need to get a miner. The official sites point me to this one. https://github.com/tpruvot/ccminer/releases. So yet another random exe from someone I don't know. Tpruvot. But he looks like a nice man from France and googling it looks like tons of people use his software to mine, it is very popular. Technically I can try to look over the code but it is a lot of code and forget it, now I'm mining coins. Probably safe, maybe.

So far I've run 3 executable files but the sources seems pretty trustworthy. Then everyone started to recommend installing a GUI wallet Garlium. So I did. https://xske.github.io/garlium/ To import the wallet I setup with the command line I have to give it my private key. Now if you don't know, that private key is all you need to steal my hard mined coins. And I need to put it into this software I know nothing about. And btw, AV pops it when you download it. I'm serious. That seems crazy but everyone is doing it and I want to be cool. But I did just give an unknown app that AV pops my private key. If this was full of bitcoin I wouldn't have done it. This is getting to be too much.

But now my hash rates aren't as good as everyone else. Well they are using this version of ccminer instead https://github.com/palginpav/ccminer/releases/tag/2.0-bitcore.v3 so I try it and it is far faster, more coins, sweet! But here is the thing. This is a github repo from some Russian I can't find much about or anyone who knows. There is no documentation and I don't know why it is faster or what was changed. Yet I'm running in on the same PC that the wallet is on and has the private key to the wallet. This is clearly a bad idea but no one is thinking twice about it. This is all getting a bit too much so I start to google around. What I found was shocking.

The whole cryptocurrency mining community seems to be built on people simply running compiled code, either GUI apps or command line exe files, from dubious sources. AV popping them is a common problem which everyone ignores. It is common to put your private key in random software, and I saw many people give advice on their website or in directions saying to save it in a text file on your computer. And people are installing these apps and running these programs from coins they know nothing about hoping to get in early in the next bitcoin. If anyone ever decided to be evil in rolling out a new coin they could easily make one decided to empty your wallets of your other coins, or worse. This makes me wonder if hardware wallets are really in wide use, but I don't know. So many people seems to keep tons of their coins on websites that get hacked and use online wallets, I kind of doubt it.

Finally people appear to clearly be making easy to use GUI mining tools for people that are just plan out scams. There are tons of scams, of clearly malicious software people are using to mine.

So this is all crazy. Now that I have some coins I get to figure out how horrible the markets are. More to come. :-)

Monday, February 6, 2017

InfoSec Fundamentals, Spoiler: AV is not dead

I've been thinking about this a lot, and I asked about it and got an answer I didn't expect on twitter, here:
This tweet which took mere to this article.

So here is a blog post about it.

First, I think a lot of what InfoSec teams do as "fundamentals" is a lot of time with little value in security the organization. And this is obvious to many people outside of InfoSec and make them not believe the threats, which are real and we know it, but still they don't believe them because they see us spin our wheels. Here is an example:

Patching:

Dear god we spend a lot of time patching and telling people to patch. A lot of it. And lord knows our scanners mark all kinds of stuff as Critical and High. But you know what, most successful attacks don't take advantage of missing patches. Most take advantage of configuration issues (system and application) and human error. There is a very small number of issues that are actively exploited. Ask a pentester. They know them, they will say things like MS08-067 (yes you still find it all the time, often on physical security boxes, I love that), jboss auth bypass, MySQL auth bypass, maybe they will say Heart Bleed, maybe a few others. Done. Yet you patch 1000's of things. And spend a ton of time doing it. Then after everything is all patched up an attacker or pentester gets in on a jboss server with no authentication, or finds default creds, or phishes one user and snags your local admin and that hash works EVERYWHERE, or you reuse your domain admin password on IPMI and it was easily crackable, or you have unencrypted and reused passwords in a DB exposed in a nice SQLi attack, etc. But by all means, our scanner said this local priv escalation issue on a server is critical, lets patch it.

Prioritize patching issues people can use, and focus on configuration and application issues and be brave enough to re-classify issues even if a scanner said it was critical.

Back to the point:

Anyway, that article did talk about that, which is what I was expecting. Instead it did the AV is dead thing. Which annoys me so I'm writing a blog post.

Here is the deal, AV isn't dead. But many big AV names sell garbage. And InfoSec people don't test it and buy it anyway. InfoSec people don't test most thing. I can tell this because I've testing security software that simply is fake, and they still are selling it. Seriously, our industry has serious issues right now and all things any vendor claims needs to be tested in detail. Tons of them simply fake their product. Some big names rely on market share and have been phoning it in for years now. This brings me back to AV.

Yes, bypass techniques work. But they work far better and easier on some AV products than others. Again as a pentester. Some AV companies (with really big market shares) make pentesters very happy. Some smaller ones drive them nuts. Other smaller ones are 100% fake, so don't just pick a small one. You have to literally test them, for real. Collect viruses. Learn AV bypassing, use the Veil Framework for one but learn others too and role as many evil payloads as you can and bypass your current AV as much as you can in as many different ways as you can. Then test other products. If you do you will quickly come to one or two that kicks your ass and you will know the one you are using is garbage (assuming you are using a bad one like most companies are). If you then are brave enough to switch to one your own testing proves is better than what you have, you will start seeing a ton of generic backdoor alerts popping that you never saw before, as the legit AV program is popping targeted phishing emails that made it past everything else. When this starts happening you will wonder why anyone is saying AV is dead and wondering why they aren't testing the crap out of AV vendors and realizing some are far, far better than others catching real attacks and not going after signature counts.

Does that make your endpoints hack proof? Hell no. It makes them a lot more secure than they were, for a small amount of money and little effort. You need to do more of course. But all things alone have issues. App white listing is great until you get owned by powershell. Frankly, detection has become as important as prevention if not more so in my opinion. So all the effort you put in preventing attacks from working, if you aren't putting that much effort in detecting attacks that get through, you are in trouble imho. Centralized logging for example has become as important as AV or app whitelisting. Network Forensics is as important as firewalls. Etc.

TL;DR:
Priorities issues with patches and just because your scanner said it is critical doesn't mean it is
Test everything, many products are poor or ourright fake
Detection is as important as prevention

But that is enough for now, it was just one tweet after all.








Monday, February 22, 2016

RSA Vendor Comps and You

With RSA coming up I've been thinking about this because it seems many people on both sides of this don't appear to understand the rules. Which is crazy annoying at best, at worst it makes our industry more scummy if that is possible. I had a vendor who comped me tickets to a conference once literally forward the 6 month old email to me showing it explaining that I had to buy things from him still, after I told him I switched vendors months before. I switched for a very good reason and he made a ton of money from the company before the switch, and I told him all about it, it was all on the up and up but I got this scummy email anyway. I had to reply telling him that wasn't a kickback and no, I don't have to buy anything from him. If the sales guys don't know the difference between a comp and a kickback then we are in trouble. So here goes:

Buyer Rules:

  1. If a vendor offers you RSA tickets (or anything else like dinner or a ballgame for that matter), they want to spend time with you. You should go if you say yes, don't say you are going and no show or send an employee. If you don't want to go just say no thank you. If you want to send an employee tell them and see what they say.
  2. Never lie and say you are interested when you aren't or you can buy something when you know you can't. The vendors don't care just be honest, they will work on the relationship for the long term but hate being lied to.
  3. If a vendor comps you RSA tickets for example, you owe them some of your time, stop by their booth, talk to whoever they want you to talk to. 30 minutes or less should do it.
  4. You don't have to do a long dinner with them if you don't want to, if they offer switch it to a meeting maybe coffee or a beer during happy hour.
  5. Free stuff from booths requires some amount of listening to their pitch but not a lot and if they are taking too much of your time say so and if they won't stop walk away. You are selling your time and if it isn't worth it bail.
  6. You don't owe anyone anything other than some of your time. After that it is done and if they try to guilt you into anything block them and move on.
  7. You can sign up for as many parties as you want and only show up to some, no worries. You are selling your email and they will spam the hell out of you.

Vendor Rules:

  1. If you pay for someone to go to RSA you are buying some of their time while they are there, nothing more, nothing less.
  2. Gifts at booths is to get people to listen to your pitch and get leads, if they get bored you are taking too long or you are selling something they aren't in the market for. That isn't their fault.
  3. No matter how much you give away to someone, they owe you nothing! None of this is a kickback. If they take your free stuff and buy another product or use another vendor, bringing up you bought them a nice dinner or paid for their Expo pass is scummy. 
  4. If you are lied too, simply note that and remember that about that person, there is nothing else you can do.
Buyer Tips:
  1. Sales folks get crazy desperate the last day of the Expo especially the area around the edges where the small booths are and they get way out into the hall and stop you from moving on. Hit the small booth areas early on and avoid them later on.
  2. Stay away from long sales pitch dinners at RSA, there is more fun to be had and you can get those anytime.

Vendor Tips:
  1. Don't give away Expo tickets if you will have no one to talk to the person there, all you are buying is their time.
  2. Don't try to force them into a long dinner, offer coffee or a quick beer in the afternoon instead.
  3. Drawings suck IMHO.
  4. Small useful items are the best.
  5. You don't have to email us and tell us you have a booth at RSA, we know! Seriously. Email us about talks your people are giving or parties you are putting on. But if the email just says visit us at booth #123, then stop and don't send it.

Wednesday, September 2, 2015

#RSAC vs. #VMWorld Take 2

I've noticed some more things and realized I called out what I was seeing at VMWorld on the last one without calling out the difference so I'll explain a few things better too.


  1. At InfoSec Cons people want to understand how things work, why they do what they do, what happens if you do something unexpected, etc. At VMWorld no one seems to care, they want to know how to make software work not how they heck the software does what it does. Which is sad, some of this software is freaking amazing but not one talk is about how they do what they do. I keep wondering how to break into it and remotely sniff traffic on virtual switches or grab files from virtual SANs without even touching the guest OS, but I digress. 
  2. Deep Dive talks at security CONs show code typically. At VMWorld Deep Dive talks I would call high level overview and are mostly slides with video recording of someone clicking buttons on a GUI as the speaker talks over it and that is the deep dive demo. Seriously. Almost no one at VMWorld seems to care that isn't really a deep dive, I've meet one person so far who isn't happy about that other than me.
  3. The booth swag is way worse. Most booths don't give anything away it is all a chance to win something, how horrible.
  4. The wifi is just as messed up as a typical security con and I'm seeing people doing evil doing the wifi pineapple thing cloning the main wifi network, you name it. They don't give a secure option either nor do they publish the correct MAC addresses on the APs so you are just screwed and have to turn wifi off. Everyone is complaining about the wifi but they don't seem to get why it is bad and that is isn't safe and that it is slow because it is all being routed through a guys laptop. I find it a bit funny.