Monday, February 6, 2017

InfoSec Fundamentals, Spoiler: AV is not dead

I've been thinking about this a lot, and I asked about it and got an answer I didn't expect on twitter, here:
This tweet took me to this article.

So here is a blog post about it.

First, I think a lot of what InfoSec teams do as "fundamentals" takes a lot of time with little value in securing the organization. And this is obvious to many people outside of InfoSec and makes them not believe the threats, which are real and we know it, but still they don't believe them because they see us spin our wheels. Here is an example:


Dear god we spend a lot of time patching and telling people to patch. A lot of it. And lord knows our scanners mark all kinds of stuff as Critical and High. But you know what, most successful attacks don't take advantage of missing patches. Most take advantage of configuration issues (system and application) and human error. There is a very small number of issues that are actively exploited. Ask a pentester. They know them, they will say things like MS08-067 (yes you still find it all the time, often on physical security boxes, I love that), jboss auth bypass, MySQL auth bypass, maybe they will say Heartbleed, maybe a few others. Done. Yet you patch 1000s of things. And spend a ton of time doing it. Then after everything is all patched up an attacker or pentester gets in on a jboss server with no authentication, or finds default creds, or phishes one user and snags your local admin and that hash works EVERYWHERE, or you reuse your domain admin password on IPMI and it was easily crackable, or you have unencrypted and reused passwords in a DB exposed in a nice SQLi attack, etc. But by all means, our scanner said this local priv escalation issue on a server is critical, let's patch it.

Prioritize patching the issues people actually use, focus on configuration and application issues, and be brave enough to re-classify issues even if a scanner said they were critical.

Back to the point:

Anyway, that article did talk about that, which is what I was expecting. Instead it did the AV is dead thing. Which annoys me so I'm writing a blog post.

Here is the deal, AV isn't dead. But many big AV names sell garbage. And InfoSec people don't test it and buy it anyway. InfoSec people don't test most things. I can tell this because I've tested security software that is simply fake, and they are still selling it. Seriously, our industry has serious issues right now and everything any vendor claims needs to be tested in detail. Tons of them simply fake their product. Some big names rely on market share and have been phoning it in for years now. This brings me back to AV.

Yes, bypass techniques work. But they work far better and easier on some AV products than others. Again, ask a pentester. Some AV companies (with really big market shares) make pentesters very happy. Some smaller ones drive them nuts. Other smaller ones are 100% fake, so don't just pick a small one. You have to literally test them, for real. Collect viruses. Learn AV bypassing, use the Veil Framework for one but learn others too, and roll as many evil payloads as you can and bypass your current AV as much as you can in as many different ways as you can. Then test other products. If you do you will quickly come to one or two that kick your ass and you will know the one you are using is garbage (assuming you are using a bad one like most companies are). If you then are brave enough to switch to one your own testing proves is better than what you have, you will start seeing a ton of generic backdoor alerts popping that you never saw before, as the legit AV program is popping targeted phishing emails that made it past everything else. When this starts happening you will wonder why anyone is saying AV is dead and why they aren't testing the crap out of AV vendors and realizing some are far, far better than others at catching real attacks rather than going after signature counts.

Does that make your endpoints hack proof? Hell no. It makes them a lot more secure than they were, for a small amount of money and little effort. You need to do more of course. But all things alone have issues. App whitelisting is great until you get owned by powershell. Frankly, detection has become as important as prevention, if not more so in my opinion. So for all the effort you put into preventing attacks from working, if you aren't putting that much effort into detecting attacks that get through, you are in trouble imho. Centralized logging for example has become as important as AV or app whitelisting. Network Forensics is as important as firewalls. Etc.

  1. Prioritize issues with patches, and just because your scanner said it is critical doesn't mean it is.
  2. Test everything, many products are poor or outright fake.
  3. Detection is as important as prevention.

But that is enough for now, it was just one tweet after all.

Monday, February 22, 2016

RSA Vendor Comps and You

With RSA coming up I've been thinking about this because it seems many people on both sides of this don't appear to understand the rules. Which is crazy annoying at best, at worst it makes our industry more scummy, if that is possible. I had a vendor who comped me tickets to a conference once literally forward me the 6-month-old email about it, explaining that I still had to buy things from him, after I told him I had switched vendors months before. I switched for a very good reason and he made a ton of money from the company before the switch, and I told him all about it, it was all on the up and up, but I got this scummy email anyway. I had to reply telling him that wasn't a kickback and no, I don't have to buy anything from him. If the sales guys don't know the difference between a comp and a kickback then we are in trouble. So here goes:

Buyer Rules:

  1. If a vendor offers you RSA tickets (or anything else like dinner or a ballgame for that matter), they want to spend time with you. You should go if you say yes, don't say you are going and then no-show or send an employee. If you don't want to go just say no thank you. If you want to send an employee tell them and see what they say.
  2. Never lie and say you are interested when you aren't, or that you can buy something when you know you can't. The vendors don't care, just be honest, they will work on the relationship for the long term but hate being lied to.
  3. If a vendor comps you RSA tickets for example, you owe them some of your time, stop by their booth, talk to whoever they want you to talk to. 30 minutes or less should do it.
  4. You don't have to do a long dinner with them if you don't want to, if they offer switch it to a meeting maybe coffee or a beer during happy hour.
  5. Free stuff from booths requires some amount of listening to their pitch but not a lot and if they are taking too much of your time say so and if they won't stop walk away. You are selling your time and if it isn't worth it bail.
  6. You don't owe anyone anything other than some of your time. After that it is done and if they try to guilt you into anything block them and move on.
  7. You can sign up for as many parties as you want and only show up to some, no worries. You are selling your email and they will spam the hell out of you.

Vendor Rules:

  1. If you pay for someone to go to RSA you are buying some of their time while they are there, nothing more, nothing less.
  2. Gifts at booths are to get people to listen to your pitch and get leads, if they get bored you are taking too long or you are selling something they aren't in the market for. That isn't their fault.
  3. No matter how much you give away to someone, they owe you nothing! None of this is a kickback. If they take your free stuff and buy another product or use another vendor, bringing up that you bought them a nice dinner or paid for their Expo pass is scummy.
  4. If you are lied to, simply note that and remember that about that person, there is nothing else you can do.

Buyer Tips:

  1. Sales folks get crazy desperate the last day of the Expo especially the area around the edges where the small booths are and they get way out into the hall and stop you from moving on. Hit the small booth areas early on and avoid them later on.
  2. Stay away from long sales pitch dinners at RSA, there is more fun to be had and you can get those anytime.

Vendor Tips:

  1. Don't give away Expo tickets if you will have no one there to talk to the person, all you are buying is their time.
  2. Don't try to force them into a long dinner, offer coffee or a quick beer in the afternoon instead.
  3. Drawings suck IMHO.
  4. Small useful items are the best.
  5. You don't have to email us and tell us you have a booth at RSA, we know! Seriously. Email us about talks your people are giving or parties you are putting on. But if the email just says visit us at booth #123, then stop and don't send it.

Wednesday, September 2, 2015

#RSAC vs. #VMWorld Take 2

I've noticed some more things and realized I called out what I was seeing at VMWorld on the last one without calling out the difference so I'll explain a few things better too.

  1. At InfoSec Cons people want to understand how things work, why they do what they do, what happens if you do something unexpected, etc. At VMWorld no one seems to care, they want to know how to make software work, not how the heck the software does what it does. Which is sad, some of this software is freaking amazing but not one talk is about how they do what they do. I keep wondering how to break into it and remotely sniff traffic on virtual switches or grab files from virtual SANs without even touching the guest OS, but I digress.
  2. Deep Dive talks at security CONs typically show code. At VMWorld, Deep Dive talks are what I would call high level overviews and are mostly slides with a video recording of someone clicking buttons on a GUI as the speaker talks over it, and that is the deep dive demo. Seriously. Almost no one at VMWorld seems to care that isn't really a deep dive, I've met one person so far other than me who isn't happy about that.
  3. The booth swag is way worse. Most booths don't give anything away, it is all a chance to win something, how horrible.
  4. The wifi is just as messed up as at a typical security con and I'm seeing people doing evil, doing the wifi pineapple thing, cloning the main wifi network, you name it. They don't give a secure option either, nor do they publish the correct MAC addresses of the APs, so you are just screwed and have to turn wifi off. Everyone is complaining about the wifi but they don't seem to get why it is bad, that it isn't safe, and that it is slow because it is all being routed through a guy's laptop. I find it a bit funny.

Tuesday, September 1, 2015

InfoSec vs. Infrastructure Communities

I've considered myself part of the InfoSec community since going to my first DEF CON 15 years ago. Back then I had already been doing security work for a while but was not aware of the community, or really that this could be your 100% focus, until going to DEF CON. I was a self-taught Infrastructure guy, but my eyes were opened and I never looked back. Until recently, when the Infra leader left my current company and I got asked to take over part of it along with security. So I find myself at VMWorld this week. It turns out VMWorld is Infra's RSA Conference. I mean exactly: same place, same size Expo, the vendors that do both even have their booths in the same spots. I know because I was just at RSA. So I've been noticing some differences in the communities that I found interesting enough to post and see what everyone else thought.

#VMWorld vs. #RSAC

  1. People at VMWorld overall are older. I know the hordes of kids I'm thinking of at security cons are not as represented at RSAC as at other cons like DEF CON, but still. I don't think the kids these days think Infrastructure is cool. In 20 years this may be a problem.
  2. There are far fewer women at VMWorld than at RSAC. Far fewer. A worker at the center asked me why there were no women, he said he had worked many of these events and this one had the least women. I asked him if he worked RSA and he said yes, way more at RSA. I agree. I find it interesting there is an outcry about this in InfoSec but not Infra, Infra is far more male dominated from what I can see.
  3. VMWorld didn't get the note on "booth babes", probably due to point #2. It is like going back in time on that front, not all the booths but a lot, and a lot really have the appearance of, let's say, professional dancers and leave it at that.
  4. The booths are even more vague! Everyone uses the same buzzwords and you can't even tell what the company does without talking to them. I figured out this is because they all appear to do the exact same thing. Which is crazy. It reminds me of the days when every other booth was an IPS vendor, Infra is in that phase right now.
  5. Speaking of everyone doing the same thing, Infra isn't even Infra anymore. Almost all the booths are software, or hardware that runs special software on top of it, and it is only their software that makes them different from anyone else. Oh, and their software does the same thing as everyone else's on the same kind of hardware, but we are better because, um, ya. Today Infra folks think they are working on a server when they play with software that abstracts the whole hardware layer. When I asked hardware questions no one knew the answers. I find this totally insane and I wonder how many people will be able to make this stuff work in 20 years.
  6. The parties are in the same places but totally different. The music is way quieter and no one is even thinking about dancing, and people are more into the sliders than the booze. Frankly, being older, I kind of like these parties better than a crazy Rapid7 party where you can't hear anyone talk. Maybe this is due to point #1.

Anyway, I'm starting day two at VMWorld and will see what else I notice. If anyone reading has their own observations or disagrees or whatever, leave your comments. Or reply to me on twitter.

Saturday, April 18, 2015

MS15-034 Ruby Script

I made one and it is here:

When MS15-034 hit earlier this week there was a lot of activity. A few Python scripts came out quickly. Someone used one of those to make a Metasploit module very fast, and a bit later an nmap script came out. But other than the Metasploit module no one made a Ruby script to check for it. And frankly that bothered me so I made one. Let me explain why it bothered me.

Ruby isn't just a good high level language, it is what Metasploit uses. Metasploit is by far the most useful offensive tool in the InfoSec toolbox. And everyone in InfoSec should know how to use it; defensive people simply must understand how attacks work and how attackers think to defend well. If you don't agree or understand why, buy me a drink at a con and I'll talk your ear off until you get it or are out of drink money. I'll be at RSA next week. :-) Anyway, Metasploit is a framework and sometimes you need to tweak a module to get it to work against the computer you are attacking. Knowing Ruby allows you to do that. Not being able to do that can mean the difference between getting in and falsely thinking the computer is secure.

Python is good and all, but Ruby is a perfectly fine scripting language and your scripts don't have to look like a Metasploit module or part of a large object-oriented program.

So my fellow InfoSec folks with various degrees of Ruby skills, keep the dust off them. Check out the script. Make another one that is better with half the lines of code for fun, or one not using the gem I used, or whatever. Keep sharp out there, the skills will come in handy and you don't have to learn Python to do this kind of thing if you already know some Ruby.

Tuesday, January 20, 2015

Educating non-InfoSec People

EA was hacked and isn't admitting it, in my opinion. Let me explain. EA has an application used to buy games and in-game things called Origin. I have an Origin account I almost never use, I used it to buy some single player games in the past. I got a "your password was reset" email and thought, that isn't good. So I tried and failed to log in. I had a new password reset email sent to me and logged on to see many, many game purchases I didn't make, and lucky for me, they had all failed. I tried to turn on a security feature to alert me when the account logged in from another IP but couldn't, because the answer to my secret question had been changed. So I opened up a ticket. It turns out it was changed to a long string of text and not all English characters, joy. So I'm good now. But keep in mind a few things. One, I'm reasonably sure my home PC is not infected or owned in any way. Two, I use an email address for this I don't use for normal emails, on a domain I own, not gmail, etc. Three, the password was strong and not reused other places. Four, to get the answer to the secret question from my PC they would have had to have owned my PC since I opened the account back in 2013. All of this points to EA being the leak of my data, not me, and they stored all of this in clear text, or hashed or encrypted with poor key security, but in any case stored it in a way that didn't keep the data private when stolen, clear text is my guess. The person on the phone that helped me was nice and said they are dealing with a lot of these and they are forwarding them all to their fraud department, who is trying to figure out what is going on.

So I looked it up and found things like this: So based on my experience, and that it lines up with many others, it seems to me that: EA was hacked, they store this info in the clear, they don't have the logging capabilities to determine for sure that they were hacked but they suspect it, and EA leadership has taken the stance that without 100% positive confirmation of a breach they will just deal with it and tell people they have found no evidence of a breach. This is where it gets interesting.

I'm a member of a large online gaming community. So I warned them to change their EA Origin password AND their secret question/answer combo. The overwhelming response I got was disbelief that a "large company" such as EA would have been hacked without telling everyone about it, and that they wouldn't have been properly encrypting this information; instead people kept trying to tell me how to scan my PC for malware. I finally gave up trying to explain this to them, they get what they get, I warned them. But I found it rather shocking that a group of tech savvy but non-InfoSec people put so much faith in companies doing InfoSec correctly. If you are reading this you are probably in InfoSec and are probably saying the same thing I am. Almost no company does this correctly. It is totally believable EA doesn't encrypt this data. It is even more believable that they decide not to report a breach unless they have to, and that they have a hard time finding evidence of it. These aren't just believable, they are likely based on all I've seen over the years. Yet the average person thinks so highly of the tech capabilities of these large companies that it comes off as conspiracy theory craziness and you can't even explain it.

This struck me as very bad. If more people knew how poorly their data was secured, people would be mad about it and things would change for the better. But I'm not sure what to do about it. I'm interested in what you all think on the topic, if anyone made it this far. How do you convince people how poorly most companies do InfoSec without them dismissing you as crazy?

Monday, January 5, 2015

Told you so...Almost

From my last post you can see I had serious doubts about the FBI claim that North Korea is involved in the Sony hack, and I'm deeply concerned that the FBI is being used as a propaganda arm of the Executive branch of government. Here is an update:

Norse Corp took on the investigation and figured it out in more detail and shared their findings with the FBI. The FBI rejected it and still has not shared why they rejected it or what if any evidence they have against North Korea:

The US Govt sanctioned North Korea while admitting no real evidence exists and no one seems to care but NK:

The stalled Cyber Security bill now has support of Republicans in the senate and will likely pass given the NK Sony hack link:

That bill is deeply flawed and shouldn't pass:

As far as I can tell the Sony hack happened as an insider working with some Russians to extort money. The White House used the FBI to blame NK to get an unpopular cyber security bill passed. When the story lost its legs over the holidays they sanctioned NK to keep it alive, to try to keep momentum on the bill they want. Once the bill passes I bet they drop the NK story and arrest the insider. Time will tell though.