Wednesday, September 2, 2015

#RSAC vs. #VMWorld Take 2

I've noticed some more things and realized I called out what I was seeing at VMWorld on the last one without calling out the difference so I'll explain a few things better too.

  1. At InfoSec Cons people want to understand how things work, why they do what they do, what happens if you do something unexpected, etc. At VMWorld no one seems to care, they want to know how to make software work not how they heck the software does what it does. Which is sad, some of this software is freaking amazing but not one talk is about how they do what they do. I keep wondering how to break into it and remotely sniff traffic on virtual switches or grab files from virtual SANs without even touching the guest OS, but I digress. 
  2. Deep Dive talks at security CONs show code typically. At VMWorld Deep Dive talks I would call high level overview and are mostly slides with video recording of someone clicking buttons on a GUI as the speaker talks over it and that is the deep dive demo. Seriously. Almost no one at VMWorld seems to care that isn't really a deep dive, I've meet one person so far who isn't happy about that other than me.
  3. The booth swag is way worse. Most booths don't give anything away it is all a chance to win something, how horrible.
  4. The wifi is just as messed up as a typical security con and I'm seeing people doing evil doing the wifi pineapple thing cloning the main wifi network, you name it. They don't give a secure option either nor do they publish the correct MAC addresses on the APs so you are just screwed and have to turn wifi off. Everyone is complaining about the wifi but they don't seem to get why it is bad and that is isn't safe and that it is slow because it is all being routed through a guys laptop. I find it a bit funny.

Tuesday, September 1, 2015

InfoSec vs. Infrastructure Communities

I've considered myself part of the InfoSec community since going to my first DEF CON 15 years ago. Back then I had already been doing security work for a while but was not aware of the community and really that this could be your 100% focus until going to DEF CON, I was a self taught Infrastructure guy but my eyes were open and I never looked back. Until recently due to the Infra leader leaving my current company and I got asked to take over part of it with security. So I find myself at VMWorld this week. It tuns out VMWorld is Infra's RSA Conference. I mean exactly, same place, same size Expo, the vendors that do both even have their booths in the same spots. I know because I was just at RSA. So I've been noticing some differences in the communities that I found interesting enough to post and see what everyone else thought.

#VMWord vs. #RSAC

  1. People at VMWord overall are older, I know the hoards of kids I'm thinking of at security cons are not as represented at RSAC as other cons like DEF CON, but still. I don't think the kids these days think Infrastructure is cool. In 20 years this may be a problem.
  2. There are way less women at VMWorld than RSAC. Way less. A working at the center asked me why there were no women, he said he worked many of these events and this one had the least amount of women. I asked him if he worked RSA and he said yes, way more at RSA. I agree. I find it interesting there is an outcry about this in InfoSec but not Infra, Infra is far more male dominated from what I can see.
  3. VMWorld didn't get the note on "booth babes" probably due to point #2. It is like going back in time on that front, not all the booths but a lot and a lot really have the appearances of let's say professional dancers and leave it at that. 
  4. The booths are even more vague! Everyone uses the same buzzwords and you can't even tell what the company does without talking to them. I figured out this is because they all appear to do the exact same thing. Which is crazy. It reminds me of the days where every other booth was an IPS vendor, Infra is in that phase right now.
  5. Speaking of everyone doing the same thing, Infra isn't even Infra anymore. Almost all the booths are software or hardware the runs special software on top of it and it is only their software that makes them different than anyone else. Oh and their software does the same thing as everyone else on the same kind of hardware but we are better because, um, ya. Today Infra folks think they are working on a server when they play with software the abstracts the whole hardware layer. When I asked hardware questions no one knows the answers. I find this totally insane and I wonder how many people will be able to make this stuff work in 20 years.
  6. The parties are in the same places but totally different. The music is way quite and no one is even thinking about dancing and people are more into the sliders than the booze. Frankly being older I kind of like these parties better than a crazy Rapid7 party where you can't hear anyone talk. Maybe this is due to point #1.

Anyone I'm starting day two at VMWorld and will see what else I notice. If anyone reading has their own observations or disagrees or whatever leave your comments. Or reply to me on twitter.  

Saturday, April 18, 2015

MS15-034 Ruby Script

I made one and it is here:

When MS15-034 hit earlier this week there was a lot of activity. A few Python scripts came out quickly. Someone used one of those to make a Metasploit module very fast, a bit later a nmap script came out. But other than the Metasploit module no one made a ruby script to check for it. And frankly that bothered me so I made one. Let me explain why it bothered me.

Ruby isn't just a good high level language, it is what Metasploit uses. Metasploit is by far the most useful offensive tool in the InfoSec toolbox. And everyone in InfoSec should know how to use it, defensive people simply must understand how attacks work and how attackers think to defend well. If you don't agree or understand why buy me a drink at a con and I'll talk your ear off until you get it or are out of drink money. I'll be at RSA next week. :-) Anyway, Metasploit is a framework and sometimes you need to tweak a module to get it to work against the computer you are attacking. Knowing Ruby allows you to do that. Not being able to do that can mean the difference between getting in or falsely thinking the computer is secure.

Python is good and all but Ruby is a perfectly fine scripting language and your scripts don't have to look like a Metasploit module or part of a large object oriented program.

So my fellow InfoSec folks with various degrees of Ruby skills, keep the dust off them. Check out the script. Make another one that is better with half the lines of code for fun, or not using the gem I used, or whatever. Keep sharp out there, the skills will come in handy and you don't have to learn Python to do this kind of thing if you already know some Ruby.

Tuesday, January 20, 2015

Educating non-InfoSec People

EA was hacked and isn't admitting, in my opinion. Let me explain. EA has an application used to buy games and in game things called Origin. I have an Origin account I almost never use, I used it to buy some single player games in the past. I got a your password was reset email and thought, that isn't good. So I tried and failed to login. I had a new password reset email sent to me and logged on to see many, many game purchase I didn't do, and lucky got me, they had all failed. I tried to turn on a security feature to alert me when the account logged in from another IP but couldn't because the answer to my secret password was changed. So I opened up a ticket. It turns out it was changed to a long string of text and not all english characters, joy. So I'm good now. But keep in mind a few things. One, I'm reasonably sure my home PC is not infected or owned in any way. Two, I use an email address for this I don't use for normal emails and is a domain I own not gmail, etc. Three, the password was strong and not reused other places. Four, to get the answer to the secret question from my PC they would have had to owned my PC since I opened the account back in 2013. All of this points to EA was the leak of my data not me, and they stored all of this in clear text or hashed or encrypted with poor key security but in any way stored it in a way that didn't keep the data private when stollen, clear text is my guess. The person on the phone that helped me was nice and said they are dealing with a lot of these and they are forwarding them all to their fraud department who is trying to figure out what is going on.

So I looked it up and found things like this: So based on my experience and that is lines up with many others it seems to me that: EA was hacked, they store this info in the clear, they don't have the logging capabilities to determine they were hacked for sure but they suspect it, EA leadership has made the stance that without 100% positive confirmation of a breach they will just deal with it and tell people they have found no evidence of a breach. This is where it gets interesting.

I'm a member of a large online gaming community. So I warned them to change their EA Origin password AND their secret question/answer combo. The overwhelming response I got was disbelief a "large company" such as EA would have been hacked without telling everyone about it and that they wouldn't have been properly encrypting this information and instead the people kept trying to tell me how to scan my PC for malware. I finally gave up trying to explain this to them and they get what they get I warned them. But I found it rather shocking that a group of tech savvy but non-InfoSec people put so much faith in companies doing InfoSec correctly. If you are reading this you are probably in InfoSec and are probably saying the same thing I am. Almost no company does this correctly. It is totally believable EA doesn't encrypt this data. It is even more believable than they decide not to report a breach unless they have to and they have a hard time finding evidence of it. These aren't just believable they are likely based on all I've seen over the years. Yet the average person thinks so highly in the tech capabilities of these large companies it comes off as conspiracy theory craziness and you can't even explain it.

This struck me as very bad. If more people knew how poorly their data was secured people would be mad about it and things would change for the better. But I'm not sure what to do about it. I'm interested in what you all think on the topic, if anyone made it this far. How do you convince people how poorly most companies do InfoSec without them dismissing you as crazy?

Monday, January 5, 2015

Told you so...Almost

From my last post you can see I had serious doubts about the FBI claim that North Korea is involved int he Sony hack and I'm deeply concerned that the FBI is being used as a propaganda arm of the Executive branch of government. Here is an update:

Norse Corp took on the investigation and figured it out in more detail and shared their findings with the FBI. The FBI rejected it and still has not shared why they rejected it or what if any evidence they have against North Korea:

The US Govt sanctioned North Korea while admitting no real evidence exists and no one seems to care but NK:

The stalled Cyber Security bill now has support of Republicans in the senate and will likely pass given the NK Sony hack link:

That bill is deeply flawed and shouldn't pass:

As far as I can tell the Sony hack happened, an insider working with some Russians to extort money as far as I can tell. The White House used the FBI to blame NK to get an unpopular cyber security bill passed. When the story lost it's legs over the holidays they sanctioned NK to keep it alive to try to keep momentum on the bill they want. Once the bill passes I bet they drop the NK story and arrest the insider. Time will tell though.