Thursday, February 1, 2018

Cryptocurrency InfoSec Perspective

So I like Reddit. Some folks on Reddit decided to start their own cryptocurrency for fun. I've been meaning to learn how this works for real, not just in theory, in part because I need more details to back up telling people that blockchain can't fix their problems. What I learned so far was shocking as an InfoSec person. I'm still getting started and learning, but I have enough to rant about. This is going to focus on the crazy InfoSec of all of this, not the details, directions, overclocking the GPU, etc. Go somewhere else if you want to learn to mine. Stay here if you want to learn how dangerous all of this is.

TL;DR:

  • Be careful what executable files you download and run; research the coin or software, and if it doesn't look 100% legit, don't do it.
  • Don't blow off AV warnings because others are.
  • Be careful with your private key and know about any software you paste it into; that is all someone needs to empty out your wallet. If you really get into this, look into hardware wallets.
  • Research all software you are thinking about using. Google it with the word scam after the name. Really dig into anything that seems easy and is GUI based; the scammers appear to be targeting people who shy away from using command line tools. If you can't deal with the command line, don't get into mining.

The Story:

The new currency (which is going to the moon) is Garlicoin. https://garlicoin.io/

For starters you need a wallet. To do this I followed what they say here: https://pandawanfr.github.io/GarlicRecipes/wallet-win.html. This involves downloading a zip full of executable files and running many of them. Sketchy, but I've been following this community for a while and I'm sure they are solid people. But people are doing this for 1000's of coins they have no involvement with; that is crazy. But OK, moving on.

I need to get a miner. The official sites point me to this one: https://github.com/tpruvot/ccminer/releases. So yet another random exe from someone I don't know, tpruvot. But he looks like a nice man from France, and googling it looks like tons of people use his software to mine; it is very popular. Technically I can try to look over the code, but it is a lot of code, and forget it, now I'm mining coins. Probably safe, maybe.

So far I've run 3 executable files, but the sources seem pretty trustworthy. Then everyone started to recommend installing a GUI wallet, Garlium, so I did: https://xske.github.io/garlium/. To import the wallet I set up with the command line I have to give it my private key. Now if you don't know, that private key is all you need to steal my hard mined coins. And I need to put it into this software I know nothing about. And by the way, AV pops it when you download it. I'm serious. That seems crazy, but everyone is doing it and I want to be cool. But I did just give an unknown app that AV pops my private key. If this was full of bitcoin I wouldn't have done it. This is getting to be too much.

But now my hash rates aren't as good as everyone else's. Well, they are using this version of ccminer instead: https://github.com/palginpav/ccminer/releases/tag/2.0-bitcore.v3. So I try it and it is far faster, more coins, sweet! But here is the thing. This is a GitHub repo from some Russian I can't find much about, or anyone who knows him. There is no documentation, and I don't know why it is faster or what was changed. Yet I'm running it on the same PC that the wallet is on, which holds the private key to the wallet. This is clearly a bad idea, but no one is thinking twice about it. This is all getting a bit too much, so I start to google around. What I found was shocking.

The whole cryptocurrency mining community seems to be built on people simply running compiled code, either GUI apps or command line exe files, from dubious sources. AV popping them is a common problem which everyone ignores. It is common to put your private key in random software, and I saw many people give advice on their website or in directions saying to save it in a text file on your computer. And people are installing these apps and running these programs from coins they know nothing about, hoping to get in early on the next bitcoin. If anyone ever decided to be evil in rolling out a new coin, they could easily make one designed to empty your wallets of your other coins, or worse. This makes me wonder if hardware wallets are really in wide use, but I don't know. Since so many people seem to keep tons of their coins on websites that get hacked and use online wallets, I kind of doubt it.

Finally, people appear to clearly be making easy-to-use GUI mining tools that are just plain scams. There are tons of scams, of clearly malicious software people are using to mine.

So this is all crazy. Now that I have some coins I get to figure out how horrible the markets are. More to come. :-)

Monday, February 6, 2017

InfoSec Fundamentals, Spoiler: AV is not dead

I've been thinking about this a lot, and I asked about it on twitter and got an answer I didn't expect, here:
This tweet, which took me to this article.

So here is a blog post about it.

First, I think a lot of what InfoSec teams do as "fundamentals" is a lot of time with little value in securing the organization. And this is obvious to many people outside of InfoSec and makes them not believe the threats, which are real and we know it, but still they don't believe them because they see us spin our wheels. Here is an example:

Patching:

Dear god, we spend a lot of time patching and telling people to patch. A lot of it. And lord knows our scanners mark all kinds of stuff as Critical and High. But you know what, most successful attacks don't take advantage of missing patches. Most take advantage of configuration issues (system and application) and human error. There is a very small number of issues that are actively exploited. Ask a pentester. They know them; they will say things like MS08-067 (yes, you still find it all the time, often on physical security boxes, I love that), JBoss auth bypass, MySQL auth bypass, maybe they will say Heartbleed, maybe a few others. Done. Yet you patch 1000's of things. And spend a ton of time doing it. Then after everything is all patched up an attacker or pentester gets in on a JBoss server with no authentication, or finds default creds, or phishes one user and snags your local admin and that hash works EVERYWHERE, or you reused your domain admin password on IPMI and it was easily crackable, or you have unencrypted and reused passwords in a DB exposed in a nice SQLi attack, etc. But by all means, our scanner said this local priv escalation issue on a server is critical, let's patch it.

Prioritize patching the issues people actually use, focus on configuration and application issues, and be brave enough to re-classify issues even if a scanner said they were critical.

Back to the point:

Anyway, that article didn't talk about that, which is what I was expecting it to do. Instead it did the AV is dead thing. Which annoys me, so I'm writing a blog post.

Here is the deal: AV isn't dead. But many big AV names sell garbage. And InfoSec people don't test it and buy it anyway. InfoSec people don't test most things. I can tell this because I've tested security software that simply is fake, and they still are selling it. Seriously, our industry has serious issues right now, and every claim any vendor makes needs to be tested in detail. Tons of them simply fake their product. Some big names rely on market share and have been phoning it in for years now. This brings me back to AV.

Yes, bypass techniques work. But they work far better and easier on some AV products than others. Again, speaking as a pentester: some AV companies (with really big market shares) make pentesters very happy. Some smaller ones drive them nuts. Other smaller ones are 100% fake, so don't just pick a small one. You have to literally test them, for real. Collect viruses. Learn AV bypassing (use the Veil Framework for one, but learn others too), roll as many evil payloads as you can, and bypass your current AV as much as you can in as many different ways as you can. Then test other products. If you do, you will quickly come to one or two that kick your ass, and you will know the one you are using is garbage (assuming you are using a bad one like most companies are). If you then are brave enough to switch to one your own testing proves is better than what you have, you will start seeing a ton of generic backdoor alerts popping that you never saw before, as the legit AV program is popping targeted phishing emails that made it past everything else. When this starts happening you will wonder why anyone is saying AV is dead, and why they aren't testing the crap out of AV vendors and realizing some are far, far better than others at catching real attacks rather than going after signature counts.

Does that make your endpoints hack proof? Hell no. It makes them a lot more secure than they were, for a small amount of money and little effort. You need to do more, of course. But all things alone have issues. App whitelisting is great until you get owned by PowerShell. Frankly, detection has become as important as prevention, if not more so, in my opinion. So for all the effort you put into preventing attacks from working, if you aren't putting that much effort into detecting attacks that get through, you are in trouble, IMHO. Centralized logging, for example, has become as important as AV or app whitelisting. Network forensics is as important as firewalls. Etc.

TL;DR:

  • Prioritize issues with patches; just because your scanner said it is critical doesn't mean it is.
  • Test everything; many products are poor or outright fake.
  • Detection is as important as prevention.

But that is enough for now, it was just one tweet after all.

Monday, February 22, 2016

RSA Vendor Comps and You

With RSA coming up I've been thinking about this, because it seems many people on both sides of this don't appear to understand the rules. Which is crazy annoying at best; at worst it makes our industry more scummy, if that is possible. I once had a vendor who comped me tickets to a conference literally forward me the 6-month-old email showing it, explaining that I still had to buy things from him, after I had told him I switched vendors months before. I switched for a very good reason, and he made a ton of money from the company before the switch, and I told him all about it; it was all on the up and up, but I got this scummy email anyway. I had to reply telling him that wasn't a kickback and no, I don't have to buy anything from him. If the sales guys don't know the difference between a comp and a kickback then we are in trouble. So here goes:

Buyer Rules:

  1. If a vendor offers you RSA tickets (or anything else like dinner or a ballgame, for that matter), they want to spend time with you. You should go if you say yes; don't say you are going and then no-show or send an employee. If you don't want to go, just say no thank you. If you want to send an employee, tell them and see what they say.
  2. Never lie and say you are interested when you aren't, or that you can buy something when you know you can't. The vendors don't care, just be honest; they will work on the relationship for the long term but hate being lied to.
  3. If a vendor comps you RSA tickets, for example, you owe them some of your time: stop by their booth, talk to whoever they want you to talk to. 30 minutes or less should do it.
  4. You don't have to do a long dinner with them if you don't want to; if they offer, switch it to a meeting, maybe coffee or a beer during happy hour.
  5. Free stuff from booths requires some amount of listening to their pitch, but not a lot, and if they are taking too much of your time say so, and if they won't stop, walk away. You are selling your time, and if it isn't worth it, bail.
  6. You don't owe anyone anything other than some of your time. After that it is done, and if they try to guilt you into anything, block them and move on.
  7. You can sign up for as many parties as you want and only show up to some, no worries. You are selling your email and they will spam the hell out of you.

Vendor Rules:

  1. If you pay for someone to go to RSA you are buying some of their time while they are there, nothing more, nothing less.
  2. Gifts at booths are to get people to listen to your pitch and get leads; if they get bored you are taking too long, or you are selling something they aren't in the market for. That isn't their fault.
  3. No matter how much you give away to someone, they owe you nothing! None of this is a kickback. If they take your free stuff and buy another product or use another vendor, bringing up that you bought them a nice dinner or paid for their Expo pass is scummy.
  4. If you are lied to, simply note that and remember it about that person; there is nothing else you can do.

Buyer Tips:
  1. Sales folks get crazy desperate the last day of the Expo, especially in the area around the edges where the small booths are, and they get way out into the hall and stop you from moving on. Hit the small booth areas early on and avoid them later on.
  2. Stay away from long sales pitch dinners at RSA; there is more fun to be had, and you can get those anytime.

Vendor Tips:
  1. Don't give away Expo tickets if you will have no one there to talk to the person; all you are buying is their time.
  2. Don't try to force them into a long dinner; offer coffee or a quick beer in the afternoon instead.
  3. Drawings suck IMHO.
  4. Small useful items are the best.
  5. You don't have to email us and tell us you have a booth at RSA, we know! Seriously. Email us about talks your people are giving or parties you are putting on. But if the email just says visit us at booth #123, then stop and don't send it.

Wednesday, September 2, 2015

#RSAC vs. #VMWorld Take 2

I've noticed some more things, and realized I called out what I was seeing at VMWorld in the last one without calling out the difference, so I'll explain a few things better too.

  1. At InfoSec cons people want to understand how things work, why they do what they do, what happens if you do something unexpected, etc. At VMWorld no one seems to care; they want to know how to make the software work, not how the heck the software does what it does. Which is sad, some of this software is freaking amazing, but not one talk is about how they do what they do. I keep wondering how to break into it and remotely sniff traffic on virtual switches or grab files from virtual SANs without even touching the guest OS, but I digress.
  2. Deep Dive talks at security cons typically show code. At VMWorld, Deep Dive talks are what I would call high level overviews, mostly slides with a video recording of someone clicking buttons on a GUI as the speaker talks over it, and that is the deep dive demo. Seriously. Almost no one at VMWorld seems to care that this isn't really a deep dive; I've met one person so far other than me who isn't happy about that.
  3. The booth swag is way worse. Most booths don't give anything away; it is all a chance to win something, how horrible.
  4. The wifi is just as messed up as at a typical security con, and I'm seeing people doing evil: the wifi pineapple thing, cloning the main wifi network, you name it. They don't give a secure option either, nor do they publish the correct MAC addresses of the APs, so you are just screwed and have to turn wifi off. Everyone is complaining about the wifi, but they don't seem to get why it is bad, that it isn't safe, and that it is slow because it is all being routed through a guy's laptop. I find it a bit funny.

Tuesday, September 1, 2015

InfoSec vs. Infrastructure Communities

Backstory:
I've considered myself part of the InfoSec community since going to my first DEF CON 15 years ago. Back then I had already been doing security work for a while but was not aware of the community, or really that this could be your 100% focus, until going to DEF CON. I was a self-taught Infrastructure guy, but my eyes were opened and I never looked back. Until recently, that is, when the Infra leader left my current company and I got asked to take over part of it along with security. So I find myself at VMWorld this week. It turns out VMWorld is Infra's RSA Conference. I mean exactly: same place, same size Expo, and the vendors that do both even have their booths in the same spots. I know because I was just at RSA. So I've been noticing some differences in the communities that I found interesting enough to post and see what everyone else thought.

#VMWorld vs. #RSAC

  1. People at VMWorld overall are older. I know the hordes of kids I'm thinking of at security cons are not as represented at RSAC as at other cons like DEF CON, but still. I don't think the kids these days think Infrastructure is cool. In 20 years this may be a problem.
  2. There are way fewer women at VMWorld than at RSAC. Way fewer. A worker at the center asked me why there were no women; he said he worked many of these events and this one had the least amount of women. I asked him if he worked RSA and he said yes, way more at RSA. I agree. I find it interesting there is an outcry about this in InfoSec but not Infra; Infra is far more male dominated from what I can see.
  3. VMWorld didn't get the note on "booth babes", probably due to point #2. It is like going back in time on that front: not all the booths, but a lot, and a lot really have the appearance of, let's say, professional dancers, and leave it at that.
  4. The booths are even more vague! Everyone uses the same buzzwords and you can't even tell what the company does without talking to them. I figured out this is because they all appear to do the exact same thing. Which is crazy. It reminds me of the days when every other booth was an IPS vendor; Infra is in that phase right now.
  5. Speaking of everyone doing the same thing, Infra isn't even Infra anymore. Almost all the booths are software, or hardware that runs special software on top of it, and it is only their software that makes them different from anyone else. Oh, and their software does the same thing as everyone else's on the same kind of hardware, but we are better because, um, ya. Today Infra folks think they are working on a server when they play with software that abstracts the whole hardware layer. When I asked hardware questions no one knew the answers. I find this totally insane, and I wonder how many people will be able to make this stuff work in 20 years.
  6. The parties are in the same places but totally different. The music is way quieter, no one is even thinking about dancing, and people are more into the sliders than the booze. Frankly, being older, I kind of like these parties better than a crazy Rapid7 party where you can't hear anyone talk. Maybe this is due to point #1.

Anyway, I'm starting day two at VMWorld and will see what else I notice. If anyone reading has their own observations, or disagrees, or whatever, leave your comments. Or reply to me on twitter.

Saturday, April 18, 2015

MS15-034 Ruby Script

I made one and it is here: https://github.com/secjohn/ms15-034-checker.

When MS15-034 hit earlier this week there was a lot of activity. A few Python scripts came out quickly. Someone used one of those to make a Metasploit module very fast; a bit later an nmap script came out. But other than the Metasploit module, no one made a Ruby script to check for it. And frankly that bothered me, so I made one. Let me explain why it bothered me.

Ruby isn't just a good high level language; it is what Metasploit uses. Metasploit is by far the most useful offensive tool in the InfoSec toolbox. And everyone in InfoSec should know how to use it; defensive people simply must understand how attacks work and how attackers think to defend well. If you don't agree or understand why, buy me a drink at a con and I'll talk your ear off until you get it or are out of drink money. I'll be at RSA next week. :-) Anyway, Metasploit is a framework, and sometimes you need to tweak a module to get it to work against the computer you are attacking. Knowing Ruby allows you to do that. Not being able to do that can mean the difference between getting in or falsely thinking the computer is secure.

Python is good and all, but Ruby is a perfectly fine scripting language, and your scripts don't have to look like a Metasploit module or part of a large object oriented program.

So my fellow InfoSec folks with various degrees of Ruby skills, keep the dust off them. Check out the script. Make another one that is better, with half the lines of code, for fun, or not using the gem I used, or whatever. Keep sharp out there; the skills will come in handy, and you don't have to learn Python to do this kind of thing if you already know some Ruby.
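To show what a plain Ruby checker for this looks like without any Metasploit scaffolding, here is an added example. It is not the script from the repo linked above and not Metasploit's module; it uses only the standard library (net/http) rather than a gem. It relies on the widely published safe check for MS15-034: an HTTP request for a static resource carrying a Range header whose upper bound is 2^64-1. A patched HTTP.sys rejects that header with a 400 whose body says the header name is invalid, while an unpatched one parses it and answers 416; anything else is treated as inconclusive (for example a non-IIS server, or a URL that is not served by HTTP.sys directly). The sample responses below are constructed, not captured from any real host, so the classifier can be exercised offline; the network request only happens when you pass a URL of an IIS server you administer on the command line to confirm the patch is installed.

```ruby
require 'net/http'
require 'uri'

# Constructed sample responses (not captured from a real server) used to
# exercise the classifier offline. Status codes are strings, as Net::HTTP
# returns them.
SAMPLE_RESPONSES = {
  patched:    { code: '400', body: '<h1>Bad Request</h1><p>The request has an invalid header name.</p>' },
  vulnerable: { code: '416', body: 'Requested Range Not Satisfiable' },
  not_iis:    { code: '200', body: 'hello' }
}.freeze

# The non-crashing probe scanners use: upper bound 2^64-1. The lower bound
# of 0 is what keeps this a detection check rather than a crash trigger.
PROBE_RANGE = 'bytes=0-18446744073709551615'.freeze

# Classify a response to the probe. Assumption: the response pattern matches
# what was reported for patched vs. unpatched HTTP.sys in April 2015.
def classify_ms15_034(code, body)
  case
  when code == '416'
    :vulnerable            # HTTP.sys accepted and evaluated the huge range
  when code == '400' && body.to_s.include?('invalid header name')
    :patched               # the patched parser rejects the header outright
  else
    :inconclusive          # not HTTP.sys, a proxy in front, or a dynamic URL
  end
end

# Send the probe to a URL (hypothetical helper; call it with a static file
# on an IIS host you administer, e.g. http://host/iisstart.htm).
def check_host(url)
  uri = URI(url)
  req = Net::HTTP::Get.new(uri)
  req['Range'] = PROBE_RANGE
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  classify_ms15_034(res.code, res.body)
end

if __FILE__ == $0
  if ARGV.empty?
    # Offline mode: run the classifier over the constructed samples.
    SAMPLE_RESPONSES.each do |name, r|
      puts "#{name}: #{classify_ms15_034(r[:code], r[:body])}"
    end
  else
    puts "#{ARGV[0]}: #{check_host(ARGV[0])}"
  end
end
```

Run it with no arguments to see the three sample classifications; run it with a URL to query a server. Keeping the decision in classify_ms15_034 separate from the HTTP call is what makes the script testable without a network, and it is the part you would tweak if a different static resource or a reverse proxy changes the response shape.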

Tuesday, January 20, 2015

Educating non-InfoSec People

EA was hacked and isn't admitting it, in my opinion. Let me explain. EA has an application used to buy games and in-game things called Origin. I have an Origin account I almost never use; I used it to buy some single player games in the past. I got a "your password was reset" email and thought, that isn't good. So I tried and failed to log in. I had a new password reset email sent to me and logged on to see many, many game purchases I didn't make, and lucky for me, they had all failed. I tried to turn on a security feature to alert me when the account logged in from another IP but couldn't, because the answer to my secret question was changed. So I opened up a ticket. It turns out it was changed to a long string of text, and not all English characters, joy. So I'm good now. But keep in mind a few things. One, I'm reasonably sure my home PC is not infected or owned in any way. Two, I use an email address for this I don't use for normal emails, and it is on a domain I own, not gmail, etc. Three, the password was strong and not reused other places. Four, to get the answer to the secret question from my PC they would have had to have owned my PC since I opened the account back in 2013. All of this points to EA being the leak of my data, not me, and they stored all of this in clear text, or hashed or encrypted with poor key security, but in any case stored it in a way that didn't keep the data private when stolen; clear text is my guess. The person on the phone that helped me was nice and said they are dealing with a lot of these and are forwarding them all to their fraud department, who is trying to figure out what is going on.

So I looked it up and found things like this: http://venturebeat.com/2014/12/30/hackers-are-breaking-into-origin-and-making-fraudulent-purchases/ So based on my experience, and that it lines up with many others, it seems to me that: EA was hacked; they store this info in the clear; they don't have the logging capabilities to determine for sure that they were hacked, but they suspect it; and EA leadership has taken the stance that without 100% positive confirmation of a breach they will just deal with it and tell people they have found no evidence of a breach. This is where it gets interesting.

I'm a member of a large online gaming community. So I warned them to change their EA Origin password AND their secret question/answer combo. The overwhelming response I got was disbelief that a "large company" such as EA would have been hacked without telling everyone about it, and that they wouldn't have been properly encrypting this information; instead the people kept trying to tell me how to scan my PC for malware. I finally gave up trying to explain this to them; they get what they get, I warned them. But I found it rather shocking that a group of tech savvy but non-InfoSec people put so much faith in companies doing InfoSec correctly. If you are reading this you are probably in InfoSec and are probably saying the same thing I am. Almost no company does this correctly. It is totally believable that EA doesn't encrypt this data. It is even more believable that they decide not to report a breach unless they have to, and that they have a hard time finding evidence of it. These aren't just believable, they are likely, based on all I've seen over the years. Yet the average person thinks so highly of the tech capabilities of these large companies that it comes off as conspiracy theory craziness and you can't even explain it.

This struck me as very bad. If more people knew how poorly their data was secured, people would be mad about it and things would change for the better. But I'm not sure what to do about it. I'm interested in what you all think on the topic, if anyone made it this far. How do you convince people how poorly most companies do InfoSec without them dismissing you as crazy?