Monday, February 22, 2016

RSA Vendor Comps and You

With RSA coming up I've been thinking about this, because it seems many people on both sides of this don't appear to understand the rules. Which is crazy annoying at best; at worst it makes our industry more scummy, if that is possible. I once had a vendor who had comped me tickets to a conference literally forward me the six-month-old email showing it, explaining that I still had to buy things from him, after I told him I had switched vendors months before. I switched for a very good reason and he made a ton of money from the company before the switch, and I told him all about it; it was all on the up and up, but I got this scummy email anyway. I had to reply telling him that wasn't a kickback and no, I don't have to buy anything from him. If the sales guys don't know the difference between a comp and a kickback then we are in trouble. So here goes:

Buyer Rules:

  1. If a vendor offers you RSA tickets (or anything else like dinner or a ballgame, for that matter), they want to spend time with you. If you say yes, you should go; don't say you are going and then no-show or send an employee. If you don't want to go, just say no thank you. If you want to send an employee, tell them and see what they say.
  2. Never lie and say you are interested when you aren't, or that you can buy something when you know you can't. The vendors don't care; just be honest. They will work on the relationship for the long term but hate being lied to.
  3. If a vendor comps you RSA tickets, for example, you owe them some of your time: stop by their booth and talk to whoever they want you to talk to. 30 minutes or less should do it.
  4. You don't have to do a long dinner with them if you don't want to; if they offer, switch it to a meeting, maybe coffee or a beer during happy hour.
  5. Free stuff from booths requires some amount of listening to their pitch, but not a lot, and if they are taking too much of your time say so, and if they won't stop, walk away. You are selling your time and if it isn't worth it, bail.
  6. You don't owe anyone anything other than some of your time. After that it is done, and if they try to guilt you into anything, block them and move on.
  7. You can sign up for as many parties as you want and only show up to some, no worries. You are selling your email and they will spam the hell out of you.

Vendor Rules:

  1. If you pay for someone to go to RSA you are buying some of their time while they are there, nothing more, nothing less.
  2. Gifts at booths are to get people to listen to your pitch and get leads; if they get bored you are taking too long or you are selling something they aren't in the market for. That isn't their fault.
  3. No matter how much you give away to someone, they owe you nothing! None of this is a kickback. If they take your free stuff and buy another product or use another vendor, bringing up that you bought them a nice dinner or paid for their Expo pass is scummy.
  4. If you are lied to, simply note that and remember that about that person; there is nothing else you can do.

Buyer Tips:

  1. Sales folks get crazy desperate on the last day of the Expo, especially in the area around the edges where the small booths are; they get way out into the hall and stop you from moving on. Hit the small booth areas early on and avoid them later.
  2. Stay away from long sales-pitch dinners at RSA; there is more fun to be had and you can get those anytime.

Vendor Tips:

  1. Don't give away Expo tickets if you will have no one there to talk to the person; all you are buying is their time.
  2. Don't try to force them into a long dinner, offer coffee or a quick beer in the afternoon instead.
  3. Drawings suck IMHO.
  4. Small useful items are the best.
  5. You don't have to email us and tell us you have a booth at RSA; we know! Seriously. Email us about talks your people are giving or parties you are putting on. But if the email just says "visit us at booth #123," then stop and don't send it.

Wednesday, September 2, 2015

#RSAC vs. #VMWorld Take 2

I've noticed some more things and realized I called out what I was seeing at VMWorld in the last one without calling out the difference, so I'll explain a few things better too.

  1. At InfoSec cons people want to understand how things work, why they do what they do, what happens if you do something unexpected, etc. At VMWorld no one seems to care; they want to know how to make the software work, not how the heck the software does what it does. Which is sad; some of this software is freaking amazing, but not one talk is about how they do what they do. I keep wondering how to break into it and remotely sniff traffic on virtual switches or grab files from virtual SANs without even touching the guest OS, but I digress.
  2. Deep Dive talks at security cons typically show code. What VMWorld calls Deep Dive talks I would call high-level overviews; they are mostly slides with a video recording of someone clicking buttons in a GUI while the speaker talks over it, and that is the deep dive demo. Seriously. Almost no one at VMWorld seems to care that that isn't really a deep dive; I've met one person so far other than me who isn't happy about it.
  3. The booth swag is way worse. Most booths don't give anything away; it is all a chance to win something. How horrible.
  4. The wifi is just as messed up as at a typical security con, and I'm seeing people doing evil: doing the wifi pineapple thing, cloning the main wifi network, you name it. They don't give a secure option either, nor do they publish the correct MAC addresses of the APs, so you are just screwed and have to turn wifi off. Everyone is complaining about the wifi, but they don't seem to get why it is bad, that it isn't safe, and that it is slow because it is all being routed through a guy's laptop. I find it a bit funny.

Tuesday, September 1, 2015

InfoSec vs. Infrastructure Communities

Backstory:
I've considered myself part of the InfoSec community since going to my first DEF CON 15 years ago. Back then I had already been doing security work for a while but was not aware of the community, or really that this could be your 100% focus, until going to DEF CON. I was a self-taught Infrastructure guy, but my eyes were opened and I never looked back. Until recently, that is: the Infra leader left my current company and I got asked to take over part of it along with security. So I find myself at VMWorld this week. It turns out VMWorld is Infra's RSA Conference. I mean exactly: same place, same size Expo, and the vendors that do both even have their booths in the same spots. I know because I was just at RSA. So I've been noticing some differences in the communities that I found interesting enough to post and see what everyone else thought.

#VMWorld vs. #RSAC

  1. People at VMWorld are overall older. I know the hordes of kids I'm thinking of at security cons are not as represented at RSAC as at other cons like DEF CON, but still. I don't think the kids these days think Infrastructure is cool. In 20 years this may be a problem.
  2. There are far fewer women at VMWorld than at RSAC. Far fewer. A worker at the center asked me why there were no women; he said he had worked many of these events and this one had the fewest women. I asked him if he worked RSA and he said yes, way more at RSA. I agree. I find it interesting there is an outcry about this in InfoSec but not Infra; Infra is far more male dominated from what I can see.
  3. VMWorld didn't get the note on "booth babes," probably due to point #2. It is like going back in time on that front; not all the booths, but a lot, and a lot really have the appearance of, let's say, professional dancers, and leave it at that.
  4. The booths are even more vague! Everyone uses the same buzzwords and you can't even tell what a company does without talking to them. I figured out this is because they all appear to do the exact same thing. Which is crazy. It reminds me of the days when every other booth was an IPS vendor; Infra is in that phase right now.
  5. Speaking of everyone doing the same thing, Infra isn't even Infra anymore. Almost all the booths are software, or hardware that runs special software on top of it, and it is only their software that makes them different from anyone else. Oh, and their software does the same thing as everyone else's on the same kind of hardware, but we are better because, um, ya. Today Infra folks think they are working on a server when they play with software that abstracts the whole hardware layer. When I asked hardware questions no one knew the answers. I find this totally insane and I wonder how many people will be able to make this stuff work in 20 years.
  6. The parties are in the same places but totally different. The music is way quieter, no one is even thinking about dancing, and people are more into the sliders than the booze. Frankly, being older, I kind of like these parties better than a crazy Rapid7 party where you can't hear anyone talk. Maybe this is due to point #1.

Anyway, I'm starting day two at VMWorld and will see what else I notice. If anyone reading has their own observations or disagrees or whatever, leave your comments. Or reply to me on twitter.

Saturday, April 18, 2015

MS15-034 Ruby Script

I made one and it is here: https://github.com/secjohn/ms15-034-checker.

When MS15-034 hit earlier this week there was a lot of activity. A few Python scripts came out quickly. Someone used one of those to make a Metasploit module very fast, and a bit later an nmap script came out. But other than the Metasploit module no one made a Ruby script to check for it. And frankly that bothered me, so I made one. Let me explain why it bothered me.

Ruby isn't just a good high-level language; it is what Metasploit uses. Metasploit is by far the most useful offensive tool in the InfoSec toolbox, and everyone in InfoSec should know how to use it: defensive people simply must understand how attacks work and how attackers think to defend well. If you don't agree or understand why, buy me a drink at a con and I'll talk your ear off until you get it or are out of drink money. I'll be at RSA next week. :-) Anyway, Metasploit is a framework and sometimes you need to tweak a module to get it to work against the computer you are attacking. Knowing Ruby allows you to do that. Not being able to do that can mean the difference between getting in and falsely thinking the computer is secure.

Python is good and all, but Ruby is a perfectly fine scripting language, and your scripts don't have to look like a Metasploit module or part of a large object-oriented program.

So, my fellow InfoSec folks with various degrees of Ruby skills, keep the dust off them. Check out the script. Make another one that is better with half the lines of code for fun, or one not using the gem I used, or whatever. Keep sharp out there; the skills will come in handy and you don't have to learn Python to do this kind of thing if you already know some Ruby.

Tuesday, January 20, 2015

Educating non-InfoSec People

EA was hacked and isn't admitting it, in my opinion. Let me explain. EA has an application used to buy games and in-game items called Origin. I have an Origin account I almost never use; I used it to buy some single-player games in the past. I got a "your password was reset" email and thought, that isn't good. So I tried and failed to log in. I had a new password reset email sent to me and logged on to see many, many game purchases I didn't make, and lucky for me, they had all failed. I tried to turn on a security feature to alert me when the account logged in from another IP, but couldn't because the answer to my secret question had been changed. So I opened up a ticket. It turns out it had been changed to a long string of text, and not all English characters. Joy. So I'm good now. But keep in mind a few things. One, I'm reasonably sure my home PC is not infected or owned in any way. Two, I use an email address for this that I don't use for normal email, on a domain I own, not gmail, etc. Three, the password was strong and not reused other places. Four, to get the answer to the secret question from my PC they would have had to have owned my PC since I opened the account back in 2013. All of this points to EA, not me, being the leak of my data, and to them having stored all of this in clear text, or hashed or encrypted with poor key security, but in any case stored in a way that didn't keep the data private when stolen; clear text is my guess. The person on the phone who helped me was nice and said they are dealing with a lot of these and forwarding them all to their fraud department, who is trying to figure out what is going on.

So I looked it up and found things like this: http://venturebeat.com/2014/12/30/hackers-are-breaking-into-origin-and-making-fraudulent-purchases/ So, based on my experience, and that it lines up with many others, it seems to me that: EA was hacked; they store this info in the clear; they don't have the logging capabilities to determine for sure that they were hacked, but they suspect it; and EA leadership has taken the stance that without 100% positive confirmation of a breach they will just deal with it and tell people they have found no evidence of a breach. This is where it gets interesting.

I'm a member of a large online gaming community. So I warned them to change their EA Origin password AND their secret question/answer combo. The overwhelming response I got was disbelief that a "large company" such as EA would have been hacked without telling everyone about it, and that they wouldn't have been properly encrypting this information; instead people kept trying to tell me how to scan my PC for malware. I finally gave up trying to explain this to them; they get what they get, I warned them. But I found it rather shocking that a group of tech-savvy but non-InfoSec people put so much faith in companies doing InfoSec correctly. If you are reading this you are probably in InfoSec and are probably saying the same thing I am. Almost no company does this correctly. It is totally believable that EA doesn't encrypt this data. It is even more believable that they decided not to report a breach unless they have to, and that they have a hard time finding evidence of it. These aren't just believable, they are likely, based on all I've seen over the years. Yet the average person thinks so highly of the tech capabilities of these large companies that it comes off as conspiracy theory craziness and you can't even explain it.

This struck me as very bad. If more people knew how poorly their data was secured, people would be mad about it and things would change for the better. But I'm not sure what to do about it. I'm interested in what you all think on the topic, if anyone made it this far. How do you convince people how poorly most companies do InfoSec without them dismissing you as crazy?

Monday, January 5, 2015

Told you so...Almost

From my last post you can see I had serious doubts about the FBI claim that North Korea is involved in the Sony hack, and I'm deeply concerned that the FBI is being used as a propaganda arm of the Executive branch of government. Here is an update:

Norse Corp took on the investigation, figured it out in more detail and shared their findings with the FBI. The FBI rejected it and still has not shared why they rejected it or what evidence, if any, they have against North Korea:
http://nypost.com/2014/12/30/new-evidence-sony-hack-was-inside-job-cyber-experts/

The US Govt sanctioned North Korea while admitting no real evidence exists, and no one seems to care but NK:
http://boingboing.net/2015/01/02/obama-administration-north-ko.html

The stalled Cyber Security bill now has the support of Republicans in the Senate and will likely pass given the NK Sony hack link:
http://www.washingtonpost.com/blogs/post-politics/wp/2014/12/18/eyes-turn-to-the-next-congress-as-sony-hack-exposes-cybersecurity-flaws/

That bill is deeply flawed and shouldn't pass:
https://www.eff.org/issues/cyber-security-legislation

As far as I can tell the Sony hack happened, an insider working with some Russians to extort money. The White House used the FBI to blame NK to get an unpopular cyber security bill passed. When the story lost its legs over the holidays they sanctioned NK to keep it alive and try to keep momentum on the bill they want. Once the bill passes I bet they drop the NK story and arrest the insider. Time will tell though.

Friday, December 19, 2014

Sony, the FBI, and NK

The FBI came out saying they thought North Korea hacked Sony: http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.

The main points are: malware code looked reused from previous code attributed to North Korea, the malware uses NK IP addresses, and the "tools" used were similar to those in a South Korea bank attack believed to be from NK, whatever that means. Here is the problem, from the U.S. intelligence department's mouth:
Another indicator pointing to U.S. intelligence is the familiarity with Sony’s computer network. “It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords,” Rogers notes. “While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider.”

That is still all true, which makes the FBI release read like nonsense to me. Consider the possibility of a pure North Korea attack with no insider. That would mean the attacker would need to gain access to Sony's network, likely with an email phishing attack or maybe an undetected web attack, gain access to many files, find passwords in password files and system documentation and diagrams, and piece together the information needed to make this malware. And while possible, that makes no sense at all to me. Once you have that level of access and understanding, making malware is the last thing you would do. At that point you simply use normal system tools to extract all the data you want without being detected or leaving malware behind. Anyone knowledgeable enough to create this malware would know better than to use malware if they already had all the access they needed without it. This scenario makes no sense to me and, as the quote above states, doesn't pass the Occam's razor test. Let's assume they had access but couldn't use the tools they needed to get the data and needed to write their own code and... It just doesn't pass the test, unless they know something they aren't telling us, which is possible, but that is still more assumptions and therefore still doesn't pass the test.

What does pass the test is an insider with this knowledge who either is behind the attack, or willfully gave up this information to an attacker and is part of the attack. The attacker could still be North Korea, but only with an insider's help. But more likely than that, an insider is working with another outside group that has the skills needed and is intent on financial gain from extorting money from Sony, and had the idea of trying to blame North Korea, or just Korea in general, for the attack to cover their tracks. If they knew how the company and media and governments would jump on it for their own self-interests, they are brilliant. But I'm guessing they didn't know it would work out so well, but rolled with it when the NK part of the story took on a life of its own. And why not? Now that the FBI has said what they said, for whatever reason, it is hard for me to picture them finding and bringing to justice the criminals involved if it turns out NK wasn't behind it. And that is the dangerous part of this game, which I predict will be played out again and again. How easy is it to get away with a crime like this and blame a nation state if we are so willing to let the nation state be blamed?