Archive

Archive for the ‘InfoSec’ Category

A Northern Geek’s trip South West

2019/06/30 Comments off

June has been a busy month, hot on the heels from BSides London (review here), I again found myself on a train BSides-bound, this time heading for Liverpool.

Before getting to the tech, I’ll point out that this was my first time in Liverpool. After a very brief visit I found the city to be beautiful, conference location in the docklands certainly didn’t hurt; and I’ll be intending a return visit to hit the tourist spots as soon as I can manage it.

As I’m currently more response than I was with my London wrap, I’m not currently able to link to the talks’ recordings. But after watching Cooper and team run around diligently manning cameras and audio equipment I’m sure that they’ll be available shortly, and I’ll endeavour to update once they are,

The day got off to a bang courtesy of the welcome address, without repeating verbatim, it was an excellent sermon reading from the (un?)Holy Book of Cyber….

From there, I was fortunate enough to attend the (mostly) excellent talks below.

Key Note – Omri Segev Moyal

Reading Omri‘s talk abstract prior to the event, I was unsure I was going to agree with the premise “Focus on malware, not Infrastructure”. Thankfully it seemed I’d gotten the wrong impression, and instead of focusing on corporate infrastructure (as I’d expected), Omri covered malware analysis without focusing on the infrastructure required to do so.

Any long time reader may be aware that malware analysis was the initial goal that kicked off this humble blog (though I got distracted along the way); and those readers may also tie a link between the drop in post volume and me leaving access to a datacentre. Migrating to alternative models is something I’ve been working on in the background – but oh boy did Omri provide a firehose laden crash course to jumpstart that journey

I’ll not go too deep into technical detail of material covered, largely as I hope to implement some of the ideas in the coming weeks, covering in more detail once I’ve actually gotten my hands dirty myself. I will just say that the demo quickly spinning up a DNS sinkhole without (your own) infrastructure got the creative juices flowing – and was very in keeping with other talks of the day (but I’ll get to that later).

<update> Omri’s presentation deck can now be found here, with some associated code examples on GitHub </update>

Martin King – This is not the career you are looking for

It pains me to say it, as I’m not sure I can trust anyone who doesn’t like cheese; Martin dropped plenty of wisdom and advice for those contemplating a career in infosec, advice that I wish I’d had (and paid attention to) when I was starting out. I’m paraphrasing as my notes from the talk aren’t the best (Martin, please correct any point that’s been misquoted), but Martin’s top 10 tips:

  1. Today, Every company is an IT company.
  2. Never stop learning, and always be eager for more knowledge.
  3. You are the asset, your brain is more important than your muscles ability to mechanically tick boxes without impact.
  4. There’s MANY great free resources available, leaving no excuse for point 2.
  5. Learn to Google, knowing the answer is less important that always being able to find the answer.
  6. Don’t be the stereotypical infosec tech that hates people. People skills are more important that technical skills when it comes to being able to make an impact in an organisation.
  7. “Failure is the best teacher”
  8. Question everything; and automate everything else
  9. There’s as many paths into an infosec career as there are people with infosec careers: Being you is the best option.
  10. The industry is INCREDIBLE. Ask for support and you’ll (likely) get it.

Sean Lord – Deception Technology

With the topic being deception technology I was understandably looking forward to this talk. As Sean stated at the very beginning of the talk “this is not a vendor pitch”…..

Andrew Costis – LOL-Bins

For those unaware, LOL-Bins are nothing to laugh at: Living Of the Land Binaries are those tools that come (mostly) pre-installed on targeted operating systems that a hacker can leverage to achieve their goals without requiring additional software (which may trigger AV alerts).

Andrew did a good job of explaining the core concepts, the LOLBAS Project, Mitre ATT&CK framework, and most importantly; how it can all be brought together to strengthen resilience against intrusions.

Panel – How to submit a CFP

Takeaway from this session was simple, and invoked a certain brand: JUST DO IT!

Peter Blecksley – On the hunt

Yes, that, Peter Blecksley. This was the first talk that I was disappointed wasn’t recorded; but given the content of the session it’s not too surprising. Peter was an EXCELLENT speaker, detailing some of his former life undercover with Scotland Yard, in witness protection as a result, Hunted TV show and, most importantly, the particulars of his current man-hunt for “Britian’s most wanted fugitive” (head here to see if you can help).

Kashish Mittal – One Man Person Army

Kashish discussed his experiences building up several SOC teams, and the tips he’s learnt along the way.

One of the key pointers I took from the talk was the importance making an impact early, and building a reputation for getting results. Starting a new function within an organisation can be daunting, primarily because a complete version of that function has a laundry of capabilities you eventually need to be able to perform, but prioritise your goals and:

Secure > Document > Repeat

Ian Murphy – The logs don’t work

Like Omri’s keynote, I was dubious of Ian’s premise; but I found the talk far less provocative than the abstract suggested, and I found myself agreeing with all (most?) points made. Briefly:

  • Alert fatigue eventually mean even critical alerts end up being ignored. If an alert isn’t actionable, why are you alerting on it?
  • There’s not enough innovation in InfoSec. When Gartner claimed “IDS is Dead”, as an industry we changed the D to a P, and moved the same device in-line.
  • Assume breach; both already and will be in the future
  • Humans are always the weakest link.
  • Unless you’re a LARGE company, attempting to build a dedicated, fully functional SOC is nothing more than “a CISOs ego-trip”. Leverage the skillsets of specialists.

Jamie Hankins – WannaCry

I must start with a confession: Prior to this talk I don’t think I was aware of Jamie, or his proximity to the events of the WannaCry/NHS saga. That was a failing on my part, and one I’ll attempt to redress in the future.

I was also sat in the room early before the session, and was aware Jamie’s immense nervousness prior to his talk, being a first timer; I was genuinely worried that Jamie may truly bottle the session and run.

So, with all that said; what was the outcome when Jamie started? Best. Session. Of. The. Day. Seriously, I’ve no idea why Jamie was nervous, and judging by the rest of the audience shares my opinion.

Unfortunately, the session wasn’t recorded; for reasons that make sense when you consider the current ‘experiences’ of Jamie’s partner in (not) crime after getting some media attention.

Keeping with the above, and honouring the request for no pictures (which was brilliantly ignored by an attendee in the front row, despite the bouncing “no photos” screensaver projected on stage); I’ll refrain from covering most of the talk, but will share a couple of notes covering the wider.

  • NCSC’s CiSP platform and team are amazing – As a user of the platform during the incident in question I must concur. Seeing the industry come together and collaborate during an incident as ALWAYS amazing.
  • Doesn’t matter what is going on, everything gets dropped 12mins before Starbucks closes
  • The effort to prevent damage from Wannacry infections is continuing long after the media circus has subsided.

Beer Farmers

What can you say about a Beer Farmers’ talk? It was entertaining, engaging, and spoke a LOT of truth. But I wonder at the value of such a talk as it’s mostly preaching to the converted; and given the delivery style, I doubt it would be overly well received outside of the echo chamber.

Finux – Machiavelli’s guide to InfoSec!

Arron has come a long way since I was fortunate enough to listen to him speak nearly 10 years ago at an OWASP meet; But one thing that hasn’t changed is Finux’s enthusiasm for telling a story, getting a point across, and making an audience want to listen.

When audience were asked to raise their hands if they’d read Machiavelli’s work, mine remained down. So I was a little surprised to discover how well some of the teachings could be transcribed to the modern world, and InfoSec in particular. Especially as it would give speakers someone to quote other than SunTzu, I wonder if Arron will start a trend after pointing out the options.

Summing Up

Many, many thanks to BSidesLiverpool organisers, crew, goons, speakers and attendees. I wish I could have spent more time with all of you, thoroughly enjoyed the time we did share, and I hope to do it all again soon.


Andrew

Advertisements
Categories: Event, InfoSec

A Northern Geek’s Trip South – 2019 edition

2019/06/28 1 comment

How time flies; and with it, another BSides London is a long distant memory.

My itinerary for the pilgrimage South was familiar, mostly following a well worn pattern

  • InfoSec Europe Tuesday
  • BSides itself Wednesday
  • Thursday? Recovery time in the capital, before heading for the train back to (my) civilised society.

And throughout: a generous smattering of catching up with ex-colleagues as the whole industry descends on the capital. I’ll not embarrass (or incriminate) those by name, but you know who you are, was good to see you all, and must do it all again soon

Tuesday – InfoSec Europe

InfoSec is what it is; was a good excuse to meet contacts at various vendors and partners for the first time, and catching up with some old contacts.

The conference hall felt like it had been hit by austerity; less crowded than previous years, fewer ‘booth babes’ (not a bad thing, maybe vendors are finally getting the message, and vendor swag? still available, but the good stuff seemed to be under the table, given out at discretion rather than just a free-for-all grab as attendees did the rounds.

Wednesday – BSides London

What’s not to like? This year topics were as varied as ever, with all sessions I attended being top-draw. Very briefly:

PowerGrid Insecurities
for reasons that make sense if you were there, this talk wasn’t recorded but WAS very informative. I now know to be more wary of squirrels than terrorists when it comes to outages on the power grid. And I may, unfortunately, now be able to explain the random tape from old-school cassettes I found around the local substation…..
A Safer Way to Pay – Card Payment Infrastructure
Chester provided a great overview of both the current, and future, state of card payment infrastructure. If you’re involved in financial transactions, PCI audits or similar this talk covered some of the background tech and networks involved.
Fixing the Internet’s Auto-Immune Problem – BugBountys and Responsible Disclosure
Debates and topics around disclosure, responsible or otherwise; are always interesting. Chloe’s take on the current legalities, and more importantly what is going to be needed in the future to provide a safe and stable foundation for non-contracted testers definitely did a good job of expressing the views of one side of the debate, and kickstarting some interesting conversations in LobbyCon.
When the Magic wears off – ML
Firstly, an admission: I ended up in this talk by accident after getting my track numbers confused. That said, the talk was interesting; but it confirmed my reasoning for not originally having it on my agenda – I simply didn’t have enough background knowledge in ML to fully understand the content; which was interesting to follow along to, but you’re going to need the analysis for someone in this world to fully explain it to you.
Build to Hack, Hack to Build – Docker (in)security
Docker (and Kubernetes) isn’t something I’ve much real world exposure with (yet: as with everything, it’s on a growing list of side projects I’ve not found time for). Session was a great introduction into the world of container (in)security, and I left with some frameworks and tooling to help bootstrap my future efforts in area – watch this space
They are the Champions – Security Champions
There’s always more security projects, than InfoSec resources in any org; so tips for leveraging the wider business never hurt. Jess always provides a thorough, professional and powerful presentation, but personally I think this was almost to it’s detriment this year, feeling too polished and sales-pitchy for a BSides. Not necessarily a criticism, but I’d prefer a return to singing in Klingon for a memorable talk.
Closed for Business – Taking down Dark Markets
I’ve always found the real-life war-stories of LEA’s taking on various dark marketplaces fascninating, so getting the chance to hear some modern examples in person was definitely high up on my priority list for this year’s sessions. John didn’t disappoint, if you’ve got an hour to kill, be prepared for an interesting journey.
Inside MageCart – Web skimming tactics revealed
This session was one of those talks that manage to bridge the gap between fascinating to me personally, and relevant professionally (helping to convince $employer to fund the trip). Left the talk with a better understanding of the techniques and incidents behind the headlines, as well as some interesting tid-bits around what could be the next evolution of the campaigns. Hopefully enough so to stay one-step ahead of the curve, and avoid being front-page news myself.

CyberRange – OpenSource Offensive Security Lab in AWS
This talk introduced a newly released toolkit for rapidly spinning up, and tearing down, offensive, defensive and vulnerable lab environments in AWS. And who doesn’t like having a packed toolkit of toys to play with, and a safe environment to use them on? – project here
Closing Remarks
This years closing remarks were bitter-sweet: capping off a great and successful day is always good, but came with a new (to me) announcement of a changing of the guard for the team behind BSidesLDN. This inevitable resulted in reminiscing back to events gone by, and as one of the handful at the first BSides London, it is remarkable to see how far the event and community around it has come since the first event in the Skills Exchange.
Thursday – recovery^W PCI Council
I’ve already said my usual itinerary uses Thursday as recovery (I love BSides but it’s one intense day), whilst catching some of the tourist spots on a meander back to KingsX. This year? “your trip to London? You said Thursday was free?” I did…. Off to a half day with the PCI Acquirers group it is.
Will admit I wasn’t looking for to this (the terms PCI, QSAs and auditors trigger my PTSD….), and getting to the (very fancy) venue in jeans, conference tee-shirt and backpacks stuffed for the full weeks trip I was feeling out of place with every other attendee suited and booted. That said, I was pleasantly surprised. All sessions (bar one, will mention no names, but I think the hostess wanted a shepard’s crook to hoist the overrunning speaker of stage) were excellent. So much so, I came back to the office with the suggest that we send colleagues to future events whenever we’re able.
Highlight of the event for me was John Elliot discussing MageCart. As I’d been in a BSides session covering the topic the day before, comparing the perspective of industry with that of those closer to the internals of PCI it self was fascinating. Unfortunately, unlike BSides, the event wasn’t recorded for later consumption; but as luck would have it, John had provided the same talk (in longer form) for a webinar session the week prior, which was recorded – enjoy
Another BSides in the can, until next year
Andrew
Categories: Event, InfoSec

Google Glass: New threat or business as usual?

2014/06/03 Comments off

Woke this morning to find several articles covering the release of a short script designed to locate and ultimately block wearers of Google Glass from accessing a wireless network. This was apparently released in response to someone else’s discomfort from knowing there was a wearer of Google Glass in an audience, mostly due to the recording/stream capabilities.

My immediate thoughts are three-fold:

  1. Like it or not, wearable tech will become more common; control and guide rather than trying to hold back the tide.
  2. Blocking from the wireless won’t, necessarily, stop the recording or streaming. (I’m assuming) a wearer could connect to a 3/4g AP (using a mobile) and stream over a private network.
  3. Why is this news worthy? Shouldn’t all network owners and admins be monitoring and restricting unauthorised/undesired devices from connecting to their network in the first place?

I think we’ll see similar stories in the future as the move to wearable tech becomes more widespread.

–Andrew

Categories: InfoSec

Stupidity, begets stupidity – and no security

2013/12/13 Comments off

I realised whilst at work today that my credit card wasn’t in my wallet, after hoping against hope that it would be in yesterday’s trouser pocket when I got home I had to accept that it was lost. Far from the brightest thing I’ve done today, especially given the time of year. So I did the sensible thing and called the card provider to cancel the card.

The number I called was listed as being for (admittedly amongst other things) reporting lost or stolen cards; first question the automated ask was my card number, which I didn’t have; regardless I quickly got through to a person who (I’ll be fair) handled my problem with speed and minimal fuss.

Whilst finding my account without the card number I was asked to confirm my date of birth; once the correct account was identified I was asked a couple of security questions to confirm I was me; all very normal and acceptable. However the second question asked how old I will be come my next birthday; apart from the fact that this is hardly the most protected of information, had I been a fraudulent caller trying to maliciously access someone else’s account I had already correctly provided D.o.B. not 2 minutes earlier; not exactly difficult to extrapolate one from the other.

To be honest, I didn’t worry too much; some of the other security questions were likely sufficiently detailed to limit the chance of someone else getting past the gatekeepers. But being a sarcastic and (hopefully) helpful sort of bloke I jumped on twitter to suggest that asking a ‘security’ question based off a wildly known and shared piece of unchangeable information probably wasn’t the best of ideas.

THIS is where I really started getting concerned, the whole conversation can be read here (Barclays twitter people, I have screengrabs for prosperity if you feel like deleting any of the responses…..).

Some of my favourites:

Unfortunately, we’re unable to confirm what security questions will be asked when you call one of our teams

I wasn’t asking what questions I would need the answers to, but pointing out the questions I was asked weren’t exactly the most robust. Either way, security via obscurity isn’t security, and if knowing the types of questions to be asked really does make accounts vulnerable and I was a fraudster; I’d simply have a number of like minded miscreants call up several times until the pool of potential questions was exhausted….

We only ask questions in which the genuine account holder should know the answer to.

This is the point that tipped me over the edge, if I need to explain to anyone why believing only the genuine account holder knows their date of birth, I’ve got a bridge I want to sell you. (hint if needed: Do you get cards/presents from those that know you the same time every year?).

Admittedly, at this point I got a bit ‘unprofessional’ and suggested I was either being fobbed off, or Barclays (twitter handler)’ security knowledge is inept, I’m assuming this ‘abuse’ may be the reason I’ve had no further response.

I really hope that this incident is the result of the individual handling the conversation being out of their depth and having an inadequate script to follow. If not, and this is indicative of Barclays security provisions (and someone, somewhere had to OK the question being used in the first place) I need to reconsider where I bank….

–Andrew Waite

P.S. I have no evidence, but I’m getting a creeping felling of deja vu that I’ve had a similar telephone authentication process, and a similar discussion on twitter as to whether this is a good idea

Categories: InfoSec, Privacy

Online Bank Cards

The reaction most people have when you point out people are naive enough to post pictures of credit and debit cards online is to laugh, surely no one could be that unaware of the risks. But the fact is that the situation has become that common place that a number of Twitter accounts have been set-up to automatically identify and repost the images.

Some, like @CancelThatCard/http://cancelthat.cc/ attempt to show the posters the error of their ways, while others merely highlight the posts and request that people “Please quit posting pictures of your debit cards”.

As an example (and as proof for those that don’t believe me), the latest image in the @needadebitcard feed at time of writing:

https://twitter.com/Nestorghh/status/331793025019813888/photo/1

Yes, people do post their cards online…..

As a side note, it looks like Twitter is stamping down on the practice of highlighting these posts, the last message posted by @cancel thatcard on April 14th indicate that the service has essentially been censored. I hope Twitter reverse this, providing security information to end-users is not something that should be prevented.

I’ve been following both accounts for sometime; at first my reaction to that I’ve discussed above, having a laugh at the expense of those who don’t recognise the security implications of their actions. As time went by I started messaging the accounts posting their cards to further highlight the error; this didn’t have the impact I was expecting, instead of thanks for providing free advice it more regularly resulted in insults, abuse and full denial that there was any risk imposed.

Recently I came across an image of a card where the owner had attempted to obscure part of the card number and name; smart. Not so smart was that it was the first 5 digits of the 16 digit card number that was obscured. It’s little known, and wasn’t to me until I started following these cards in more depth, is that the first 6 digits don’t identify the account or card holder, but the bank that issued the card. In this case the poster was so helpful to identify the card as a personalised BarclayCard. A quick Google search lead to this page, which knowing the 6th digit of the card lead to the fact that the missing digits could only be one of two possibilities, reducing the potential entropy gained from obscuring part of the card from ~10k possible numbers to two possible card numbers, effectively posting the entire 16 digits online.

In the above example, which is far from uncommon, when suggesting the owner may want to remove the image and cancel the card the response was one of confusion, with no understanding of the risk. Despite further information and links, the image is still online (I have no way of knowing if the card has been cancelled).

To end I’ll echo the plea from @needadebit card: Please quit posting pictures of your cards people.

— Andrew Waite

P.S. I’ve not identified any of the examples directly in this post, but I’ve also not cleared any of the conversations from my Twitter time-line if anyone is interested enough to search. If people post pictures of their account details online, and then don’t remove the same information once several people highlight the stupidity then, well, me deleting a couple of Twitter posts aren’t going to improve their security.

Categories: InfoSec, Privacy, Uncategorized

ms12-020 mitigations

2012/03/16 Comments off

This week has been an interesting one for followers of the info-sec arena. On Tuesday Microsoft released a patch and security bulletin for MS12-020 for a critical flaw in remote desktop protocol, allowing for remote code execution without the need to authenticate to the target system first. Since the patch was released the good, the bad and the ugly of infosec have been attempting to reverse engineer the patch to develop a functional exploit; and over the last 24hrs PoC code has started to become publicly available.

As a result, the SANS Internet Storm Centre has raised their InfoCon threat level to Yellow. This is because weaponised versions of functional exploit code are expected over the coming days and weeks, with past experience making it likely that the exploit will be linked to worm capabilities for automated propagation.

So, the sky is falling right? Not as much as the furore would have you believe. Despite this does have the potential to become a well known, well exploited and long running bug; it is defensible with solid practices in play.

  1. Turn it off: If you don’t need RDP (or any port/service for that matter), turn it off. Reduces the attack vector against known or unknown weaknesses in the service
  2. Patch it: Microsoft released a patch of the weakness on Tuesday BEFORE exploit code was widely publicly available. You should be patching systems as standard operations; if you’re not, no would be a good time to catch up and remove the oversight.
  3. Limit access: If you can’t turn the service off because you need it, does it need to be available to world? If not restrict access to trusted source locations only via either perimeter or host based firewalling (or both). It doesn’t remove the threat completely, but it should severely reduce the risk if you’re not accepting connections from any machine on the internet. Only allowing access to the port via a VPN connection would also reduce the ability of a malicious source to connect to the service.
  4. (Bonus Point) Logging: Make sure you keep a close eye on your system logs; if you do get compromised, the damage could be limited if you can identify and respond to the breach promptly.

I’ve enjoyed watching the action this week, and the potential fallout has the potential to be more interesting still; but you should be able to prevent your systems from become part of a large statistic of low-hanging fruit with a few easy or common steps to securing your environment against the threat.

–Andrew Waite

Categories: Exploit, InfoSec, MS Windows

HoneyD network architecture

I was recently asked about the network configuration I use for my honeyd sensor. I had thought I’d already written about this so initially went to find the article on honeyd configuration; but my memory was wrong and the original post only covered configuring the guest systems, not the honeyd host itself. So, as I now have a pretty(ish) network diagram showing my setup I may as well correct the earlier omission.

<DISCLAIMER: This may not be the best network design for running honeyd, this is merely how my environment is configured and it works for me as a research platform. As usual, your mileage may vary, especially if your use-case differs from my own>

As can be seen, the design has three distinct network segments:

  • Publicly route-able IPs
  • Internal network for honeypot hosts
  • Virtual network for honeyd guest systems. These IP addresses sit on loopback interface on the host, with a static route on the firewall to pass all virtual traffic to the honeyd host.

Using a perimeter firewall with NAT/PAT capabilities allows easy switching between emulated systems and services if your public IP resources are limited; a large network of guests can be configured in advance and left static, then a quick firewall change is all that is required to expose different systems to the world.

Additionally, as much as honeypot systems are designed to be compromised and collect information of malicious attacks (or perhaps more correctly, because of this) , low-interaction systems like honeyd is designed to avoid full compromise. If something goes wrong and the host system gets fully compromised, a (sufficiently configured) perimeter firewall provides some control of outgoing traffic, limiting the attackers options for using the honeypot sensor to attack other systems.

Not much to it really; if you use an different setup and/or can suggest ways to improve the setup let me know, always looking to improve my systems where possible.

— Andrew Waite

Categories: honeyd, Honeypot, InfoSec, Lab