UMAD?

As part of my role at AlienVault I get to speak to journalists. A friend recently asked me how it was to respond to journalist queries.

In many ways it’s similar to communicating with C-level executives. For this, I try to follow the acronym of UMAD.

Usable: Is the information you provide usable by the party?

Memorable: Have you simply dumped knowledge, or made it a memorable piece of information? Sometimes, particularly for internal communications, it can be replaced by ‘measurable’, as metrics are what some organisations remember the most.

Actionable: Is there any action that can be taken based on the information you’ve provided that otherwise would not have been taken?

Defensible: We don’t always get it right. But have you provided information that is at least defensible in terms of how you arrived at that conclusion?

Things I hearted last week

For the week ending 21st August 2016

The “Have I been pwned” API, rate limiting and commercial use

Cyber cold war?

Scammer gets scammed. Interesting story, but worth remembering hacking back is considered illegal in many jurisdictions.

U.S. to share supply chain threat intel with industry. Better threat intelligence sharing can definitely benefit companies, if they have the capabilities to consume and put it to use. Otherwise, it’ll be another case of “thanks for the 10,000 lines in this CSV”.

Interesting research into multiple vulnerabilities in BHU WiFi uRouter.

Nice, fun video by David Spark asking attendees at BSidesLV how to hire 1M Infosec pros when none are available.

The Grugq provides analysis on Shadow Broker in his inimitable no-holds-barred style.

Insider threats and the impact on company shares following a breach.

Intelligent cyber defense using threat analysis

And finally, a bit of self-promotion. Can you explain encryption to me?

BSides Manchester 2016 roundup

BSides Manchester is in its third year and they very kindly invited me back to be the MC for track 1.

I drove up to Manchester the night before. It was an uneventful trip, barring the usual average speed cameras on the M1 and the roadworks on the M6.

I’ve clocked up a fair amount of motorway miles these last couple of weeks, having been in the Scottish Highlands a week ago. During this time, I’ve discovered one of life’s biggest annoyances. Truck drivers who decide to overtake another truck when they are only going 2mph faster than the truck they are deciding to pass. This clogs up two lanes of the motorway for at least 5 miles as one truck slowly inches its way ahead of another.

Truck drivers aside, BsidesMCR is unique in being the only Bsides I attend that doesn’t coincide with another conference. This means there’s no running between venues and no looking for people at the wrong event.

Track 1 was my home for the day and I settled in by honouring the BsidesMCR tradition of taking a selfie. Unfortunately, most attendees were in track 2 so it was a largely empty room. But still, traditions are traditions and must be upheld.

But it wasn’t all about selfies, I got to meet many excellent friends and peers. I won’t even try to name everyone, but it was a pleasure to meet everyone there.

And now onto the talks – given that I was in track 1 all day, it only makes sense that I summarise them all. Which reminds me – a great chap named Cooper drove all the way from Holland / Belgium? (Somewhere in Europe) with all his recording equipment to film all the talks. At the conclusion of Bsides, he was set to drive back home, only to get packed to fly off to another conference! Sounds crazy – but totally appreciated. Look out for the talks being made available at some time in the near future on the BsidesMCR website.

Talk 1: Gavin Millard

Breaking out of the echo chamber

Gavin gave a talk on how to communicate outside of security circles, illustrating how infosec coverage is common in the media and how vulnerabilities like Heartbleed get their own logo.

Metrics were touted as the universal language that the business speaks, which, in Gavin’s experience, was something infosec was terrible at. To illustrate the point, if a marketing manager were asked how many leads they could generate with $1m, a detailed, metric-based answer would likely be provided. But if a security executive were asked the same question, the answer would be unlikely to be equally articulate.

The NIST Cyber Security Framework, SANS top 20 critical controls and other standards were quoted as having good metrics that security teams could use.

“Thanks for the 300 page security report”, Nobody, Ever.

Dashboards were another area Gavin said is often weak. Sharing a mock-up of a good dashboard, Gavin suggested infographic tools or similar could be used to spruce up dull and difficult-to-read PowerPoint presentations.

To conclude, Gavin stated that security professionals should learn to ‘communicate like a suit’.

Talk 2: Ben Turner

21st Century War Stories

Ben is a red teamer, a charismatic speaker, and a likeable guy. His talk set up the importance of red-teaming as opposed to simple vulnerability scanning, assurance reviews, or limited-scope penetration tests.

His talk was filled with some great real-life examples, which included getting into the core banking system of a bank via an ATM in a mall in the Middle East.

Ben spent some time talking through his tools of choice, why reconnaissance up front is perhaps the most important step, and why it’s important to know what the objective is. He stated that popping a shell isn’t the objective; that’s the starting point, and the real objective begins after that.

In closing Ben shared a red-team testing tool that he wrote with his colleague Dave Hardy called PoshC2. It’s maintained, free and open source, and I’ll try to carve out some time in the coming weeks to take a closer look at it.

Talk 3: Jerome Smith

From CSV to CMD to qwerty

Jerome was enlisted to do a pen test in a locked-down environment. It was so tough that he wasn’t even allowed to take in his own testing laptop. So he had to MacGyver his way into creating malicious CSV files. But Excel generates lots of notifications whenever there is embedded content within a file.

The talk chronicled his journey to crafting better payloads that will run in Excel while generating little or no warnings.

A very well-presented and engaging talk.
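The defender’s side of the CSV-to-Excel path Jerome described, as an added example rather than anything from the talk: a small Python export routine that neutralises any cell a spreadsheet would otherwise evaluate as a formula. The trigger characters follow the widely published guidance for CSV injection; the sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel (and LibreOffice) evaluate a cell as a
# formula instead of text; this is the foothold the "CSV to CMD" path relies on.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a string cell would be parsed as a formula on import."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value):
    """Prefix formula-like text with a single quote so the spreadsheet stores it
    as a literal string. Real numbers (int/float) pass through unchanged, so a
    negative figure like -5 keeps working while the text "-5" is defused."""
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def write_safe_csv(rows):
    """Serialise rows to CSV text with every cell neutralised and quoted.
    QUOTE_ALL also stops an embedded comma or newline from splitting a cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: an export where the "name" column is user-controlled.
SAMPLE_ROWS = [
    ["id", "name", "balance"],
    [1, "Alice", 120],
    [2, "=SUM(A1:A2)", -5],        # would evaluate as a formula if left as-is
    [3, "+44 7700 900123", 0],     # looks harmless, but '+' is a trigger too
    [4, "@handle", 3.5],
]

if __name__ == "__main__":
    print(write_safe_csv(SAMPLE_ROWS))
```

The quote prefix only helps if the consumer keeps it; a downstream step that strips leading quotes reintroduces the problem, so the safest place for this is the last export boundary before the file reaches a spreadsheet.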

Talk 4: James Kettle

Hunting Asynchronous Vulnerabilities

James is perhaps the only speaker that has presented at BsidesMCR all three years, so he must know his stuff.

It was a very informative talk in which James discussed the invisible attack surface which forms the asynchronous vulnerability world. Asynchronous vulnerabilities are a bit like blind second order injection attacks, in which you get no immediate feedback. That means no error messages, no detectable time delays, and no differences in application output.

All of this makes them very difficult to discover – which, I guess is part of the fun.

The solution to this was to issue a payload that triggers a callback out-of-band from the vulnerable application to an attacker-controlled listener. It does rely on perfectly crafting an exploit.

James also touched upon how Burp Suite has a lot of functionality built in to assist with hunting asynchronous vulnerabilities.

Mind-meltingly good stuff.

Talk 5: Andy Davis & David Clare

Vehicle cyber security & innovation

You didn’t need to be into vehicle security to appreciate this talk by Andy and David. Some proper worrying stuff divulged. Simply looking at the massive attack surface connected road vehicles have is enough to give someone a big case of “nope” and moonwalk right out of there.

The pair talked through their assessment methodology including vmap, which is kind of like nmap, but for vehicles. They showed some videos during their presentation of exploits in action, such as killing the ignition or locking up the steering wheel of a moving car.

Other attack avenues that the duo explored were related to the ECU, USB, video protocols, media protocols, MiFi, rear seat entertainment, the tyre pressure monitoring system, remote keyless entry, DAB, and GPS.

The talk concluded with some tips as to what needs to be done. These were:

  1. Greater awareness for manufacturers and developers
  2. Embedding of cyber security standards into vehicle manufacturing
  3. SDLC
  4. Independent security assessment

Talk 6: Ken Munro & Dave Lodge

Hacking a Mitsubishi Outlander. A lesson in automotive IoT Security

In the second of two vehicle-related talks, Ken and Dave gave two talks for the price of one.

Part one focussed on the Mitsubishi Outlander, the security risks they found, and how they found them.

The pair shared how when they first approached Mitsubishi with their findings, they were dismissed as being of no consequence. However, when the media picked up the story, Mitsubishi quickly reversed their stance and deemed it a serious issue they would fix immediately.

The second part of the talk was around hacking IoT devices. They stated that hacking most IoT devices is like hacking a Linux box that hasn’t been updated since the mid 90s with the tools and knowledge of 2016.

They even demonstrated (almost) how they were able to install ransomware on an IoT thermostat.

Talk 7: Richard Crowther

Designing systems to be hard to attack

After a day of mostly breaking talks, the final talk of the day was far more up my street in terms of examining how to design secure systems.

Richard works at the newly-formed National Cyber Security Centre and shared some great insights into how CESG and the Government look to design and architect systems that are more secure.

Ultimately, a lot of the older security principles still apply equally well today as when they were originally published.

Richard spoke about the things that need to be in place first, followed by security architecture design goals such as designing services for easy maintenance without large windows of time where patches can’t be applied, and how to reduce the impact of a compromise by segmenting a service, anonymising data, and regularly rebuilding core components.

He went on to discuss malware mitigation techniques and secure design principles. Overall a very intellectual talk to end the day on.

Be in a Vegas music video

Apologies if you found the title of this post to be a bit click-baity. But bear with me, I’m pretty excited about this.

Next week is hacker summer camp aka Blackhat, Defcon, and BsidesLV in sunny Las Vegas.

I asked myself, other than the talks, the networking, and the things we won’t talk about – what else can one do with so many people in one place?

The answer is simple, we all get together and film a music video.

Knowing that almost everyone is a huge Nickelback fan, you’re almost guaranteed to be familiar with the song and music video for “Rockstar”, where each line, or couple of lines, is lip-synced by different people.

And that’s pretty much the idea for this video. I’ll come along with my camera and lyrics and will be seeking willing volunteers to lip sync along to a couple of lines.

It’s intended to be a bit of fun – you don’t need to wear any face-paint or fancy outfits – just be prepared to mime along to the sounds of “infosec rockstar”.

Sample lyrics from the first couple of verses to give you a taste of what’s in store:

I’m through with standin’ in lines to talks I’ll never get in

Keep entering CTF’s but I’m never gonna win

This cyber hasn’t turned out

Quite the way I want it to be

(Tell me what you want)

I want a brand new SIEM correlating events

Forensic capture of all the packets

And threat intelligence

That’s useful to my boss and me

(Yeah, so what you need?)

I need shodan license that’s got no limit

And a virtual machine with a kali on it

Make plane fly sideways

At thirty-seven thousand feet

(Been there, done that)

If you’re interested in participating – you can find me at BSidesLV on Tuesday. You can also pop along and see my talk at 17:30 in the Hire Ground track.

Wednesday and Thursday I’ll be at Blackhat and will mainly be at the AlienVault booth. Unfortunately, I won’t be sticking around for Defcon this year though.

Hope to catch up with many of you fine folk in the mild warmth of Las Vegas!

Things I hearted last week

For the week ending 24th July 2016

Lessons learnt from trying to negotiate with five different ransomware gangs. If you’re willing to haggle, you can get a discount.

This isn’t a new talk by Jim Manico, but it’s the first time I saw it, and it serves as a great lesson on TLS/SSL and how HTTPS should be implemented. (43 min video)

Brian Krebs at it again, Carbanak gang tied to Russian security firm.

China bans testing of self-driving cars on public highways pending regulation.

Raytheon shared a post discussing Pokemon Go and how augmented reality plays a role in the military.

What does a hacker look like? A style guide from TV & movies.

Skype finalizes its move to the cloud, ignores the elephant in the room. Spoiler alert: things like security, privacy, eavesdropping, protocols etc.

Everything you need to know about web shells.

Troy Hunt on why HTTPS has a speed advantage over HTTP.

An iPhone case that detects snooping.

How we broke PHP, hacked Pornhub and earned $20,000. These types of writeups are the reason I’m such a fan of bug bounties.

A nice writeup on The Long-Term Effects of Tracking Employee Behavior. Lots of takeaways from a security perspective, both in terms of tracking and in understanding what you’re measuring.

Finally, not so much security, but relevant to business models. A fantastic analysis of the Unilever buyout of Dollar Shave Club.