Podcast - Penetration Testing


I was super pleased to be invited back to the Ministry of Testing podcast ‘Super Testing Bros’ with James (@JamesEspie) and Dan (@DanielBarrowNZ).

I’ve been doing some conference talks here in New Zealand and in Australia about removing the common misunderstandings and roadblocks I see defenders and engineering teams have when working with external penetration testers, and about getting these teams working tighter together.

James and Dan asked me if I’d like to have a more general chat about penetration testing with a bit of a QA focus, and I was happy to oblige (Show link).

Generally on the show we cover off:

  • What do you mean by penetration testing? What should it cover?

  • Can I do it myself? What is the advantage of an external pen tester?

  • What should I do to prepare / make the best of a penetration test?

  • What kind of things can I do to support our external security testers? Especially how do we handover the right context?

  • I want to learn more about penetration testing or become a pen tester, where do I turn?

  • How to choose a penetration testing company, should you use the same one every time or rotate?

  • How do you build a productive long-term relationship with your external penetration testers?

I hope you all enjoy the show, that it helps you understand penetration testing, and that it gives you some ideas as to how you can work tighter with penetration testers.

As always you’re welcome to send me an e-mail or chat to me on twitter (@SparkleOps) if you have ideas you’d like to share or feedback.

Security BSides Perth


Super proud to announce I’m heading to Perth later this year to talk at the Security BSides Perth conference about getting closer collaboration between defenders, engineers and external security testers. The talk is entitled “Caring for our pen tester friends”.

Abstract:

Quality assurance teams are becoming more context driven and collaborative. QA Testers are now needed from design through to supporting their applications into production.

Yet we still ask external security testers to test our applications by engaging them at the end, just before we ship to production. Often armed with very little handover we ask them “Did we build it securely?”.

I see a big gap between external security testers and development teams, and it’s making life hard for both. I also see the damage it does to good security testing. It’s time to bring these two teams closer together and start taking better care of our pen tester friends.

This talk covers advice for both engineering teams and their external penetration testers on collaborating more, ensuring the right context is exchanged and the teams work together for better security testing outcomes.

Looking forward to it and all the other talks released so far. It’s going to be an outstanding weekend. The full line-up is posted here.

If you’re coming along do come say hi :)

OzSeCon


If you’re interested in physical security, red teaming, lock picking and being with some friendly and inspiring hackers and infosec people, then OzSecCon is for you. Everything about this conference was well run and I had an immensely enjoyable time. A huge thank you to the conference organizers; I’ll be making the trip every year it’s on <3.

It was mentioned in the opening notes that the OzSecCon conference was pleased to be attracting and including the more "digital" security folks and bringing the red team and physical security worlds together. It got me thinking that, besides the odd talk and a lock pick table at some of the security conferences I have been to, there isn't much bringing these two groups together. Well, mission accomplished! From hanging out at the breaks and after parties it definitely attracted a wide range of people from all professions and interests :)

The conference was run at the Melbourne Polytechnic West Heidelberg campus and gave attendees access to some exceptional spaces, including workshop facilities and tools which would normally be well out of reach for the average hobbyist lock picker, all with the right supervision and people to help you use the facilities safely and learn if you were new.

Conference talks wise, I was super amped to see @HydeNS33k from Walmart keynote and Aura’s Logan Woods and David Tredger talk on red teaming. It’s super valuable for someone on a blue team to hear these war stories and get a better insight into the mindset and tactics employed by a red team during an audit.

Having this perspective helps me think about how I talk to other people when we are doing security awareness messaging / training, being armed with some real world examples of things to be looking for.

@attacus_au gave an excellent talk about facial recognition technology and some of the initiatives people are working on to defeat it. Beyond camouflage (I was happy to hear the Vaporwave aesthetic is great for this) and other techniques, this included a call to action to speak out against using this technology in ways that overreach and hurt our rights to privacy.

I had gone to OzSecCon to get some learns as a 'newbie' lock picker but never once picked up an actual lock. That's because, aside from the talks, I ended up spending a significant amount of my time at the Google tamper evident seal challenge.

I've not done many CTFs like this before and was instantly hooked. There was an exceptional vibe of people working on different ways to beat tamper seals, steal items from mail bags or move seals from one place to another undetected. It was so much fun!

I was pretty happy to have placed 10/70 contestants in the tamper seal CTF, and in awe of some of the people further up the ladder (including a few fellow Kiwis; congrats on 5th @Phage_NZ).

There is a fantastic write-up and walkthrough by conference speakers Mos and Boo you should check out if you were playing too.

A huge thank you to Google and hosts who were on their feet all weekend making this a great competition and event. Kudos goes out to: Ben Low, Grace Nolan, Evengy Shatokhin, Tom Hennen, and David Wearing, you made my conference! 

Well done OzSecCon. It was fun, safe, I learned stacks and had an absolute ball. Also a shout out to the team who put a huge effort into the electronic badge; as an ex-hardware guy I know this was huge ... it’s my first electronic hacker con badge so it’s hanging somewhere special at work. See you next year.

Much love @SparkleOps


Threat modelling - Security Personas


I get real satisfaction out of running threat modelling workshops because after the session I can almost immediately see the results in the changes that get made in design, and in overhearing some of the conversations had around the security controls our applications need to have in place *before* we build them.

I start threat modelling workshops by leading a discussion about what the term vulnerability actually means, stealing the definition from Google:

"The quality or state of being exposed to the possibility of being attacked or harmed".

By that definition vulnerability is being exposed; there is only an unqualified potential of being attacked.

The key point to note to the class is that usually an attacker needs to gain something from attacking you. It might be financial gain, something ideological or just a display of skill and bragging rights. The question is what is their motivation? Why do this?

The exercise of threat modelling will help us learn how we might be vulnerable, but also help us understand the threats in terms of who, for what reasons, and what impact an attacker of their ability could have. We can then start to make well reasoned decisions using our limited resources to best defend our people and systems.

When we come to the who part of our threat model, having a set of 'security personas' to select from helps us in the exercise of thinking about the types of people, their abilities and motivations, and perhaps looking at the likely approach of multiple security personas to the same vulnerability.

When tasked with thinking up some examples the class will often create security personas based on things they've seen or read about security incidents in the media, or even in TV series or movies. This means initially your class might be saying we need to be prepared to defend against highly skilled hackers or governments, so it’s Fsociety or Mossad that are our problem.

This is reasonable, especially for a less technical audience with little to no infosec exposure: while we might be security professionals who live and breathe this sort of mental exercise, it’s likely your class does not.

You need to help people learn about the more realistic threats like insider threats, an integrator getting compromised, or the non-malicious genuine mistakes made by your staff like security misconfigurations or losing a company laptop. Once you help them get into it, the range of threats the team needs to consider during threat modelling is almost always much wider than they'd initially considered.

Unfortunately, in my experience during workshops some members of the class will tag a certain person, team, product or vendor they work with (probably not present) as a security persona, as in their eyes they are to blame for the vulnerabilities they know about and thus are called out as a threat. This is toxic and from the very outset I make it clear it’s unacceptable to do this in the workshop.

So how do I overcome these two problems? Well, you need to give your workshop an engaging set of characters they can kick off great conversations with, build a story around, and then invent a new set of security personas to take forward with them for the rest of the workshop.

For this I’m using sets of images of Funko Pop collectible characters and asking the class questions like “Who is this?”, “What’s their skill set?” and then “What are their potential motivations?” to help them imagine a story and build a security persona.

I’ll give you a few examples and the kind of story we might attribute to a selection of these characters.

Muttley is a high school student. He loves computers, especially other people’s computers. He’s recently got access to some penetration testing tools and is experimenting on public systems using a laptop he fished out of a dumpster. He often scans for unpatched WordPress and Drupal websites and anything on Shodan with default credentials, and then defaces or shuts them down for a laugh.

This is Loki, he’s a security researcher. Loki loves hacking and will try and make some cash from his research any way he can. Sometimes he will go through a legitimate channel to sell his discoveries like Bugcrowd or HackerOne. But no big deal if he can’t get paid by them or the vulnerable company he’s talking to ... there are other places to sell vulnerabilities to.

This is Grumpy bear.

This is anyone who is mad at you or your company. Could be a customer, a vendor, an employee or someone who just doesn't happen to agree with what you do for a living. They might not be a computer expert with offensive capabilities, but that won’t stop them paying your offices a visit.

Not all threats are external or even malicious.

This is Tony, the operations lead at your company. He’s currently busy getting devops sorted in the business (whatever that is) and doing all kinds of neat stuff in AWS while your company moves to the cloud.

Tony has no experience with AWS but is convinced moving all the servers to the cloud is basically like a digital data center migration. How hard could it be?

It’s fun for the class to hear the stories their peers invent for your selection of these characters and what kind of resulting security personas get put forward. If you’re leading the class, be ready to offer some security personas of your own for a few of the characters if things get stale.

Once you’ve done this you can start to think about how these security personas might go about attacking your systems or people.

You can ask questions to spark people’s imagination like “How is Muttley going to be different to Loki at approaching social engineering?” or “What happens when Grumpy bear steals Tony’s laptop?” to encourage your workshop to think through various scenarios and hopefully unearth even more vulnerabilities.

I hope this novel way of building security personas helps you either consider the kind of security personas to include in your threat models, or in teaching others to threat model. It’s important the process is both engaging and done in a safe, positive fashion, and I think this approach really works great.

I am always looking for ways to improve the workshops I run and how to engage and teach people about application security, so I was pretty pleased to get this reply to the tweet stream that spawned the blog post from @ladynerd.


I don't think I have seen any of the Tinker Bell movies. So for homework I guess I’ll be watching them to answer this one and give some consideration to how our own biases could impact the security personas we create.

If you have any tips or comments on how you help people consider the personas in their threat modelling, I’d love to hear from you. Hit me up on twitter @Sparkleops.

Banner art credit Tony Fleecs https://www.tonyfleecs.com/ 💖 

InfosecNZ Slack Community


InfosecNZ is a Slack community for those in New Zealand working in tech or information security to network, learn and share on a wide range of security topics, and do our bit to help grow the security community in New Zealand.

We have over 350 members discussing offensive and defensive topics like: 

  • Developer security
  • Security news
  • Threat hunting and intel sharing, including working with CERTs
  • Incident response
  • Vulnerability management
  • Physical security
  • Penetration testing and red teaming
  • A newbie friendly “Ask anything” support channel

If you would like to join us please head over here and read our community code of conduct and then message me or one of the other admins on twitter. 

Come say hi and introduce yourself! 

2018 Verizon DBIR


Each year Verizon’s security team and BI analysts produce the Data Breach Investigations Report (the DBIR), which this year provides analysis on over 53,000 security incidents and 2,216 confirmed data breaches.

It’s an exceptional breakdown of current and emerging cyber threats, accompanied by an executive summary on how they impact various industries.

The ‘things to think about’ summaries for each industry are a great reminder that while companies are subject to highly sophisticated technical attacks, a significant volume of incidents and breaches occur by attackers exploiting low hanging fruit exposed by misconfiguration of systems, misuse or poor handling of customer data, and failures to apply the security controls and hygiene mandated by relevant compliance frameworks and best practices.

I strongly suggest you have a read and share it with your engineering, ops and executives inside your company or organisation, and encourage discussion on the findings and how they relate to your security roadmap and posture.

You can download the full report here. A huge thank you and well done to the Verizon team and all the contributors; this is a very helpful resource for the security community.

NZ OWASP Day 2018


Hey everyone, wanting to give a bit of signal boost to the OWASP NZ day next week.

OWASP NZ day is a free day of information security talks and workshops with some excellent speakers from all across the New Zealand tech and information security communities. OWASP NZ day is being run on the 5th of February at Auckland University in the Auckland CBD area.

Registrations are now open and you can secure a ticket by heading over to the conference page.

OWASP days are a great chance for people in all roles and levels of experience to learn more about a wide range of topics in information security. OWASP day is not just for devs or security professionals. Project managers, agile coaches, designers, testers and everyone in between can get some value from coming along (and asking questions!).

We have an amazing security and tech community in New Zealand who love their craft and love sharing with and teaching others. With a more diverse range of folks in other non-security roles turning up and asking questions, it helps infosec people think and reflect about how we might better work with and secure the people we work with. It’s win-win.

If you know someone who is shy or unsure if this is for them, encourage them to come! 

You can review the list of speakers here. Hope to see you there!

Infosec reading list 2018


One of my goals for 2018 was to read a wider range of books for my professional development, and I have set myself a target of at least 10 books I'd like to have read before the year is out. Then blog about my learnings from each book here.

Below is my hit list, with a little something about each as to why I picked it.

Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
By Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird

This year I am starting a new role as an Application Security Specialist, where I have been hired to assist development teams in building security into their agile development process. I believe this will give me an excellent foundation to really know I’m working on the right initiatives with our software teams.

I’m working with agile teams to run STRIDE threat modeling sessions with the aim of better understanding the security objectives of their applications and designing out some potential flaws early, rather than having penetration testers find them at the end.

For the first cut of this framework I got a lot of help looking at slides and conference talks from Adam, so this book was a natural choice to get some learnings and greater understanding on the topic.

This was one of a few recommendations I took from the Red team blog - Red teamers bookshelf. I’m hoping this will assist me in running blameless post mortems with teams and in my own reflections throughout the year.

DFIR is a subject I enjoy learning about. In 2017 I spent quite a bit of time reading articles and exploring the fantastic DFIR training site by Brett Shavers, and reading the O'Reilly Defensive Security Handbook. This feels like a great logical next step.

The next few are all around social engineering and the human element of security. Last year I started with Social Engineering - The Art of Human Hacking by Chris Hadnagy. I absolutely loved it and can’t wait to move on to this next book.

One of my mentors suggested that if I’m going to read most of Chris Hadnagy's books I should look to get an alternative perspective, and Kevin Mitnick would be a good way to round out my reading here.

More reading under the social engineering umbrella. Another recommendation from the Red team blog - Red teamers bookshelf.

Another from the Red team blog - Red teamers bookshelf :)

I want to continue learning about and understanding DevOps culture and exploring the avenues for collaboration between security and SRE/ops teams. I know this came recommended from SRE engineers who read it at my last company.

Lastly the Phoenix Project, another book which comes highly recommended from the SRE lead at my previous job. I've decided to re-read this as it’s been a while and I found it gave me immense value the first time through. Again, it’s good to think about how you and your security team relate to and function within the rest of your business.

What’s on your reading list for 2018? As always, keen to continue the conversation on twitter @SparkleOps.

Re:scam


Netsafe New Zealand have built an amazing new chatbot called Re:scam. You can have Re:scam reply to scam and phishing emails on your behalf using a variety of false personas that all create a long and ultimately pointless conversation wasting the attackers time. Watch the launch video below. 

Follow along on twitter at @rescambot

Initially it looks like Re:scam is targeting 419 scammers and not malware spammers or other types of phishing. It will be great to see how this evolves. Well done Netsafe NZ!

Keen to hear your thoughts on this, good idea? Maybe not? Have you used it yet to annoy a prince with some complex money issues? Let me know @SparkleOps.

Getting Phished - Humble pie with a side of ice cream


I have been thinking over the content and structure of the security awareness chats I have with staff, picking out the things that are working well and those areas which need some improvement.  

I’m still working hard on improving the parts where I talk about social engineering, especially phishing. Phishing, it turns out, is a really tricky topic to cover well without it being loaded with fear. We are after all talking about really malicious people preying on our personal weaknesses and vulnerabilities to trick us out of information or infect our computers.

I have in the past made the mistake of focusing too much on conveying the lengths and methods an attacker might go to in order to deceive someone. I think it ended up being counterproductive: it came across as not a risk a user would feel they personally would be subject to.

Nowadays I usually talk about fake DocuSign requests and some examples of PayPal and Apple ID account phishing as more generic attempts, as opposed to targeted phishing. Even the more generic examples are nasty enough and illustrate how, if a person was not on their guard, they might click through and get their computer infected or lose control of an account.

It conveys the threat well enough, so job done? Well, no. At this point I have only explained the potential harm and some of the warning signs.

I’m mindful that after showing some of the better crafted examples you can be fairly certain there is now an even bigger fear brewing in your audience: that they might be the ones that get caught out. They failed to spot the con and clicked that malicious link. What would they do if this happened to them? Panic?

It’s really important to explain everyone is vulnerable one way or another. No one is immune from making an honest mistake while tired or under pressure. How can we assure our staff that everyone, including us security professionals, gets baited every once in a while?

I have decided in my next session I am going to eat some real humble pie and start telling people I work with how I got phished recently. How one late night I ignored some of the signs I teach people to look for that something’s not right, and gave up my e-mail and mobile number to a phishing scam.

It was a Thursday night, I had my feet up on the couch listening to some music and was flicking through Instagram on my phone. I was really tired; it had been a really busy week. I saw a promoted advert for Ben and Jerry’s ice cream, which apparently is opening up stores here in New Zealand.

For a very limited time Ben and Jerry’s were offering a select few people the chance to grab up to 3 free tubs of any flavour of ice cream, provided we shared it somehow on social media. I love ice cream and I sure love twitter, what luck! I’m perfect!

The advert was well designed and the branding looked absolutely like what I had seen in other Ben and Jerry’s stores I had been to in Singapore and the US. Just enter your full name, email and mobile number and we will send the voucher codes out, it said.

There were a few things right away that, if I was paying heed to my own advice, would have had me reconsider engaging with this offer.

1. Instagram are not perfect; like many other social media sites they will take ad revenue from anyone, including people running a phishing scam. Just because it’s on Instagram there is no guarantee this is legitimate.

2. This was a limited time offer, appealing to scarcity and creating a sense of urgency. Get in quick before it’s gone!

3. That’s a lot of personally identifiable information to give away for 3 samples of ice cream.

4. The amount of genuinely free lunches that exist online (none).

5. This popped out of Instagram into a browser, is everything still looking ok?

Now in my defence I was really looking forward to this ice cream. I was going to pick it up and enjoy it with a bit of Netflix on the weekend. This is what I was thinking about when I blasted right past all the warning signals and gave them all the details they needed. 

Moments later I started getting SMS spam, and spam messages started to pile up in my inbox. It very suddenly hit me what I’d gone and done. Free ice cream? Brendan you idiot! I went back to the Instagram post and saw a bunch of other unlucky ice cream fans warning people in the comments that this is a scam and not to engage.

Social engineering is something I love learning about, and I hope to one day participate in a social engineering CTF contest and maybe even some trainings.

While no expert in the subject by any means, I know enough to give other staff their security awareness training in what they should be on the lookout for. The point is, if anyone thinks this interest in the subject gives me some kind of elevated immunity from being conned, I am sorry to admit it turns out offers of free ice cream are enough to do the job on me some days.

I felt pretty stupid. Really stupid. The fact is everyone can be exploited and do silly things under pressure or when they are tired, and there is no real shame in getting baited. This needs to be part of security training on phishing as much as coverage of the motivations and methodologies of the attackers you’re helping your people become aware of.

Understanding it happens to the best of us is important, but it also needs to be backed with an assurance that if it does happen the right support and assistance will be in place, blamelessly, for people who ask for help when it goes wrong.

I filed an abuse report with Instagram and my ISP/telco to get help. They both helped a lot in stopping the spam I’d signed myself up for. Make sure your people know the security team is here to do the same!

It will be interesting to see how sharing this story of mine goes. I’m willing to bet an open admission of my own mistakes and how I was able to recover quickly will help take the heat and fear out of potentially being phished at work. Understanding the threat, knowing what to look for and having actionable steps if things do go wrong is what I think makes for valuable security awareness training.

Do you do security awareness sessions in your company? What works for you and your staff when explaining social engineering topics?

Keen as always to continue the conversation on twitter @SparkleOps.

Intel pushing more AMT firmware updates for CVE-2017-5698


In May this year Intel announced a serious remotely exploitable vulnerability in their Intel Active Management Technology (AMT). AMT is a hardware and firmware technology for remote out-of-band management of computers. Intel’s full summary of the technology and the vulnerability is here.

If the Intel AMT feature was not something in use by your organisation, it was simply best to patch and then disable the feature. There were however in some cases no patches provided by some hardware vendors.

Good news! Intel have updated their advisory to say more firmware updates are available to address the Intel AMT vulnerability; you can read that advisory here.

If you were left with machines in your fleet unpatched because of this, now’s a great time to go back and check for updates.

You can do so for some of the more popular vendors here:

For those interested, one of the better original white papers on the vulnerability, by researchers Embedi, is here, with their proof of concept here.

Docusign breached - Account emails used for phishing attacks


DocuSign have confirmed a breach where, according to their forensics, attackers gained access to one of their systems, enabling them to harvest customers’ email addresses and then use them to launch phishing attacks.

Brian Krebs has done an excellent write-up here.

Regardless of whether you are a DocuSign customer or not, you will want to brief your IT, operations and customer support people to be alert for inbound phishing e-mails to staff, and potentially also be ready to field reports from your customers and any 3rd parties you deal with that may be receiving these malicious e-mails.

Now is also an excellent time to send a security awareness message out to the rest of your business that details some short and concise advice for your users to report anything they get to the right people running incident response.

Wannacry ransomware outbreak - Update


A few updates as things have unfolded further over the weekend. My original post when the Wannacry (aka wcry) ransomware first dropped is here.

First and most importantly, lots of critical infrastructure, hospitals and telcos which have legacy Windows 8 and XP machines are getting emergency support from Microsoft. Bravo Microsoft, this is a great step to help defenders mitigate this threat.

Microsoft have also released this customer guidance.

If you run these systems in production I have the direct links here, thanks to this posting from Threat Post.

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

It seems the best mitigation is patching as soon as practically possible. If offlining or patching a machine is not an option then disabling SMB v1 is the next best thing.

Don’t forget your change control and testing though. Nothing worse than accidentally offlining your business in the name of keeping it safe from potential threats.
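As an added example (not code from the original post or from Microsoft's guidance), here is a PowerShell script for the "disable SMB v1" fallback above: it audits whether the SMBv1 server is on and only disables it when asked, with a dry-run default that fits change control. It assumes an elevated session; the SmbShare cmdlets and the LanmanServer SMB1 registry value are Microsoft's documented mechanisms, while the function names are my own.

```powershell
<#
Added example, not from the original post or from Microsoft's guidance.
Audits whether the SMBv1 server is enabled on this Windows host and, only when
-Disable is passed, turns it off. Audit-only by default so the change can go
through change control first; -WhatIf previews the disable step.
Assumes an elevated PowerShell session.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable
)

# Documented registry location used by Windows for the SMBv1 server switch.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Preferred path: SmbShare module cmdlets (Windows 8 / Server 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [pscustomobject]@{
            Method      = 'SmbServerConfiguration'
            Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
        }
    }
    # Fallback for hosts without those cmdlets (e.g. Windows 7 / Server 2008 R2):
    # the LanmanServer SMB1 DWORD. A missing value means SMBv1 is on (the default).
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return [pscustomobject]@{
        Method      = 'Registry'
        Smb1Enabled = (($null -eq $val) -or ($val -ne 0))
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Method)

    # Honours -WhatIf / -Confirm so the step can be previewed before approval.
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) { return }

    if ($Method -eq 'SmbServerConfiguration') {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
        Write-Warning 'Registry change takes effect after the Server service restarts (reboot).'
    }
}

$state = Get-Smb1State
Write-Output ('{0}: SMBv1 server enabled = {1} (checked via {2})' -f $env:COMPUTERNAME, $state.Smb1Enabled, $state.Method)

if (-not $state.Smb1Enabled) {
    Write-Output 'SMBv1 server already disabled; nothing to do.'
} elseif ($Disable) {
    Disable-Smb1 -Method $state.Method
    Write-Output 'Disable requested. Verify with Get-Smb1State, test file sharing, and record the change.'
} else {
    Write-Output 'Audit only. Re-run with -Disable (add -WhatIf to preview) once the change is approved.'
}
```

Run it without switches across the fleet first to get an inventory of where SMBv1 is still on, then schedule the -Disable runs through your normal change window, as the post advises.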

Don’t expect Wannacry to be a one-off. It’s exploiting a serious Windows vulnerability, and the chatter I see from security researchers I trust suggests it’s trivial to repackage and launch additional waves of attacks. We have already seen a wcry 2.0 version with the kill switch the original iteration had flagged off.

I'm following these sources to help me track this incident and ensure I have the right information in front of me to know our response is solid:

That's all for now. My thoughts are with everyone incident responding to this. It's going to be a very rough week.

Wannacry Ransomware outbreak

I woke up this morning to hear there has been a significant outbreak of ransomware known as Wannacry hitting Windows machines which haven't applied the MS17-010 patch.

I've copied the executive summary from the gist linked below, as it perfectly contains the need-to-knows on this (credit to rain-1, who stood this up).

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. (source: malwarebytes)
  • Infections: NHS (uk), Telefonica (spain), FedEx (us), University of Waterloo (us), Russia interior ministry & Megafon (russia), Сбера bank (russia), Shaheen Airlines (india, claimed on twitter), Train station (germany), Neustadt station (germany)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

I'm following these sources to help me track this incident and ensure I have the right information in front of me to know our response is solid:

So it's time to help your friends and family ensure their older Windows machines are current with their patching, and if you're in tech, read up and share with your IT departments and SRE/ops folks to ensure patching is rolled out across your fleet of Windows machines.

New Zealand's first Security Bsides conference - Wellington 2017

Excellent news! The first Security Bsides conference for New Zealand is being run this year in Wellington. I figured I'd pop up a post giving the basic details.

  1. Wellington Security Bsides is running on the 23rd & 24th of November 2017 @ Shed 6.
  2. The call for papers is now open; why not submit a talk here?
  3. There is a Slack community for this conference where you can join the community and organisers and chat leading up to the event.
  4. You can follow along on twitter or check out https://bsides.nz

I'm very keen to head along and perhaps do a lightning talk this year, provided work and life commitments don't stop me.

It will be a super welcome opportunity for the community to get together, share learnings and catch up.

LastPass exploits and feeling vulnerable

I wanted to talk about the recent LastPass password manager exploits reported by @taviso and the negative perceptions they may create about LastPass as a password manager for its users.

It's likely that people who don't live and breathe the world of software and security see exploit reports like these and, without context, are left feeling their security tools are leaving them vulnerable.

Vulnerability - 'The quality or state of being exposed to the possibility of being attacked or harmed.'

I think it's important to talk to people about security flaws, the responsible disclosure process, and how the efforts put in by researchers like @taviso are of real value in improving security tools like LastPass.

Password managers like LastPass are now absolutely essential for both home and business users. The Data Breach Investigations Report (DBIR) produced by Verizon's enterprise security team each year shows us that one of the leading factors in user accounts being breached is still poor password management and a lack of 2FA.

These breaches were likely not the result of a highly sophisticated technical attack, but of attackers taking advantage of what is essentially low-hanging security fruit. All of which can be mitigated if users are educated on the use of a password manager and 2FA.

But if the password manager they use is being reported as wide open to being exploited and their passwords stolen, of what use is it? Well, that's the issue. The discussion and reporting surrounding these exploits walks right past some very important considerations and context that users need to make a judgement call on how vulnerable they really are.

So how do we address some of the typical concerns and put things into proper context for our people?

We want to start with the possible misconception that having security flaws reported is a huge failing on LastPass's part, and that we should all be switching to another password manager product to continue being safe.

It's important to explain to users that all software has bugs and security faults, and that it's unlikely another company's password manager product is free from similar issues. While companies will conduct their own testing and engage third-party security testers to review their products, things can still get missed.

It follows, then, that we should also aim to spend some time explaining the work security researchers do and what a responsible disclosure process looks like. When issues are disclosed to vendors in this manner, users are not made instantly vulnerable to the exploit; instead the researcher works with the vendor so they have an opportunity to fix the issues and push a fix to users. This is the case with the exploits reported to LastPass: there is nothing malicious going on that places users at risk.

What will help people determine if they are at risk is knowing how we expect vendors to behave during such a disclosure. Vendors who are transparent about confirming the issue and quickly turn around a fix, as LastPass has done, should help users gain confidence in the software product and the security maturity of the vendor.

Vendors who are not communicative, take significantly longer than the grace period to turn around fixes, or respond to a responsible disclosure with threats of legal action are more likely to have a product or service that isn't being well managed by a mature security program, and this is what is more likely to place users and their accounts at risk.

Armed with a bit of education around responsible disclosures and some detail around the response from LastPass I'm confident in telling my users LastPass still provides them the protection they need to be safe at work and at home. 

While the LastPass exploit reports are still fresh and in the news, it's a great time to reach out to your users with a security awareness message on all of the above and provide the context that I feel is often missing when things like this happen.

Additionally, in your messaging explain that if passwords ever are compromised, the second layer of protection they have in 2FA is what mitigates this if something does go terribly wrong. Help them set it up if they don't have it turned on.

Perhaps also consider showing them the haveibeenpwned service run by @troyhunt, so they know that if sites with no 2FA protection are breached they can quickly go and generate a new strong password before someone malicious can compromise their accounts.

Our willingness to provide education and support in making these tools work and putting the risks in the right context and perspective when they arise will really help users feel a lot less exposed and vulnerable. 

Interested to hear your thoughts, hit me up on twitter @SparkleOps .

Getting Slack with security

Been a while since I have posted up. The first 6 months of my new security role have been exciting with lots of learnings to share. 

I thought I'd share the security Slack channels we are using that help us as a team and promote a healthy, engaging security culture.

#Suspicious_Activity

We created this channel as a way for employees to share anything that concerns them with the security team. Using Slack for this over other ways of reporting issues has the added benefit that other employees can see these reports and be alerted too. Often we get multiple confirmations, meaning we have a better list of people to talk to right away.

We can get reports ranging from strange behaviour on users machines, phishing / vishing attacks or issues with physical security. The key here is employees are welcome to report anything, nothing is considered too trivial.

They can be assured that when they post they will get a timely and supportive response back from the security team.

Best of all, #Suspicious_Activity gives us the chance to praise people for reporting issues and handling incidents in accordance with the security awareness training they did with us. We always sign off with 'Security is a team sport, and your reports are helping everyone keep safe'.

Periodically I summarise events reported back to our general channel to provide a security awareness message and a concise reminder of what to do if employees experience the same kind of problems.

We do have other means to report issues (phone, e-mail, a report-an-issue form), but so far this channel has been the most engaging and rewarding for both our users and the security team.

#Vuln-Alarming (Vulnerability alerting)  

I have a vulnerability alerting channel in which we have subscribed to all our cloud tool and vendor security RSS feeds (using /feed).

We have the security team, our SRE team and anyone else who is interested in there to see alerts from vendors and the vulnerability alert updates provided by groups like US-CERT.

Again, multiple eyes on these feeds has been very positive. Typically the security team works with our SRE team using a simple emoji voting system to signal the status of the various updates posted in this channel: 👀 for 'I'm reading this update', ❗️ for 'We have an issue we need to address', and ✅ for 'Patching is done / no issue, all clear'.

If something warrants it we can briefly triage in channel or elect to have a chat / quick meeting. 

We also pipe in alerts from the defnd.io tool we use, made by @safestack. This provides us with vulnerability alerting on a huge range of cloud tools, and on any changes to those cloud tools' terms of service / policies we may want to be aware of. It also scans for domain names similar to those we own, so we can be aware of potential phishing attacks launched from them much sooner.

#Security

We of course have a general security chat channel open to all. Mostly to discuss security news items which employees wish to share and discuss with others. The theme of multiple eyes on and shared learning continues here. 

The very important tip I have to offer here is to watch for articles posted or people giving out poor security advice and practices. I watch this channel closely for this and try, in a non-combative way, to make contributions that put people on the right track.

One such example of this was the discussion around recent vulnerability disclosures in popular password managers and SMS-based 2FA. While granted some of the flaws exposed were quite glaring, the discussion in channel created the impression, especially for some of our less technical users, that password managers and 2FA were broken or not an effective means of protecting their accounts.

We had to reaffirm that while nothing is perfect both password managers and 2FA are absolutely essential and highly effective measures to have in place for the type of threats that face the typical user in our company. 

So moving on to some of the channels we use that are specific to the security team. 

#Security_unplanned (Private Channel)

This is a trick I picked up from our awesome SRE team. We have a private channel where members of the security team can quickly post comments outlining any unplanned work that's come up.

It can be user questions, requests or noting that something has not gone to plan and needed a bit extra work to get done. 

We periodically review the channel history and create a summary of these items. It gives us insight into what opportunities we have to build new run books or wiki articles, add training, or generally automate something that's taking up our time.

Especially if it's something that's a recurring need for our users, we can build something to help the users help themselves.

#Security_alerting

Many of the tools we use can ship logs to a log store like Splunk or Sumo Logic, which we can in turn have a Slack bot alert on for events of interest to us.

It's still something of an experiment right now, but so far it has been a real help to us. We hope to expand on the quality of the alerts by having them include the associated run books or useful links when an alert triggers.
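The log store to Slack alerting described above, including the run book link the post wants attached to each alert, as an added example that is not part of the original post or of any tool it names. Whatever alert action the log store offers (a script or webhook on a saved search) hands the alert to this code, which builds a Block Kit message with the matching run book link and posts it to a Slack incoming webhook. The alert names, run book URLs, webhook URL and the sample alert are constructed placeholders.

```powershell
# Added example, not from the original post: turn one log-store alert into a
# Slack message that carries the matching run book link, then post it to a
# Slack incoming webhook. All names and URLs below are constructed placeholders.

# Alert name -> run book. Anything not listed gets the generic triage page so
# responders always have somewhere to start.
$RunBooks = @{
    'brute-force-login' = 'https://wiki.example.internal/runbooks/brute-force-login'
    'new-admin-account' = 'https://wiki.example.internal/runbooks/new-admin-account'
    'phishing-report'   = 'https://wiki.example.internal/runbooks/phishing-report'
}
$DefaultRunBook = 'https://wiki.example.internal/runbooks/triage-unknown-alert'

function New-SlackAlertPayload {
    # Builds the webhook body (Block Kit) for one alert. Expected keys in $Alert:
    # name, severity, source, summary, hostName, timestamp, searchUrl.
    param(
        [Parameter(Mandatory)][hashtable]$Alert
    )
    $severity = "$($Alert.severity)".ToLower()
    $icon = switch ($severity) {
        'high'   { ':exclamation:' }
        'medium' { ':eyes:' }
        default  { ':information_source:' }
    }
    $runBook  = if ($RunBooks.ContainsKey($Alert.name)) { $RunBooks[$Alert.name] } else { $DefaultRunBook }
    $headline = "$icon *$($Alert.name)* ($severity) from $($Alert.source)"

    @{
        # Plain-text fallback, used for notifications and by clients without Block Kit
        text   = "$headline - $($Alert.summary)"
        blocks = @(
            @{ type = 'section'; text = @{ type = 'mrkdwn'; text = "$headline`n$($Alert.summary)" } },
            @{ type = 'section'; fields = @(
                @{ type = 'mrkdwn'; text = "*Host*`n$($Alert.hostName)" },
                @{ type = 'mrkdwn'; text = "*When (UTC)*`n$($Alert.timestamp)" }
            ) },
            # The run book link is what turns "something fired" into "here is what to do"
            @{ type = 'context'; elements = @(
                @{ type = 'mrkdwn'; text = "<$runBook|Run book>  |  <$($Alert.searchUrl)|Open the search in the log store>" }
            ) }
        )
    }
}

function Send-SlackAlert {
    param(
        [Parameter(Mandatory)][string]$WebhookUrl,
        [Parameter(Mandatory)][hashtable]$Payload
    )
    # Slack expects UTF-8 JSON; -Depth is needed or the nested blocks are flattened to strings.
    $json  = $Payload | ConvertTo-Json -Depth 10
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json; charset=utf-8' -Body $bytes
}

# Constructed sample alert, shaped the way a saved-search alert action might hand it over.
$sampleAlert = @{
    name      = 'brute-force-login'
    severity  = 'High'
    source    = 'Splunk saved search: 50+ failed logons in 5 min'
    summary   = '73 failed logons for 4 accounts from one source address in the last 5 minutes.'
    hostName  = 'vpn-gw-01.example.internal'
    timestamp = '2017-05-15T02:41:00Z'
    searchUrl = 'https://splunk.example.internal/app/search/search?sid=placeholder'
}

# Dry run: print the body that would be posted, without touching Slack.
New-SlackAlertPayload -Alert $sampleAlert | ConvertTo-Json -Depth 10

# Live (placeholder webhook URL):
# Send-SlackAlert -WebhookUrl 'https://hooks.slack.com/services/T000/B000/placeholder' -Payload (New-SlackAlertPayload -Alert $sampleAlert)
```

Keeping the payload builder separate from the HTTP call means the message format can be tested from the dry run before anything is wired to a real webhook, and the run book table gives a natural place to track which alerts still lack a written response procedure, which feeds straight back into the unplanned-work review described earlier.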

#Incident_response (Private)

Each incident response has its own channel with a descriptive title that includes the date in the channel name. 

Besides the obvious communication and transparency advantages for incident responders, we can also use the timeline of the channel to help us construct our blameless post-mortems. Once the incident is resolved we can conduct our initial discussion and talk about our planned mitigations before we publish the post-mortem to the wider business for review and feedback.

It's been very beneficial to retrospectively look at commonalities between incident responses of the same kind, especially for, say, phishing attacks, where we can start to look at who was targeted and how. We can use this information to help refine our security awareness messaging and training for our users. It also gives us ideas on improvements to the run books and incident response plans we maintain to deal with such an incident.

#Security team channel

Lastly, a few things I wanted to share around our security team's channel which I think have been beneficial.

We share our team's mission and goals for the week in channel. This helps keep us focused on the results we want to achieve week to week, but has the added benefit that others can see what we are working on too.

It's great for engineering teams to see the upcoming penetration testing or gain visibility of the security reviews we are conducting.

I have just started, at month's end, to quickly review the work we have completed and post up a summary of the security team's wins.

It's really positive to take a brief moment to celebrate the things we are achieving as a team. Successful incident responses and improvements to training and security awareness communications are the kinds of things we want to call out and be proud of.

Keen to hear some of the things you are all doing with Slack to help your security efforts where you work. Hit me up on twitter and say hi @SparkleOps :)

Back from Kiwicon

Hello everyone,

I've just returned from an amazing week at the last Kiwicon security conference in Wellington, New Zealand. 

In the coming days I'm going to be posting up two different blog posts, one around the training I attended and another for the conference talks and the event itself.

I was most fortunate to attend the 'Security on a shoestring' day of training presented by the CEO of Safestack, Laura Bell (Twitter @Lady_nerd). Laura gave us an excellent day going over the security team basics we need to be thinking about. The training gracefully adjusted to meet the needs of our diverse audience and spoke equally to those in small agile start-ups and some of the bigger enterprises. It was outstanding value and fun.

I'm writing up my takeaways as a new security professional and the fairly extensive to-do list I built while taking notes on the course.

The Kiwicon conference itself has been an integral part of my professional development and has put me in touch with some of the greatest people in our industry. Over the last 10 years I've been to 8 of the 10 in total, and it's always an intense two days of hacking and defending talks from the best in security from New Zealand and abroad.

I'm still distilling all the learnings; I took away an enormous amount from the conference, but the key talks for me (and the main body of my next post) were:

  • Darren Bilby from Google security on failed security initiatives and some of the alternative strategies they have employed to defend effectively.
  • Eleanor Saitta from Etsy security gave a great security culture talk which spoke in detail about the need to understand and be connected with the users you serve, so you can best help them be safe without roadblocking them or making their lives worse by saying no.
  • Finally, the AWS hacking end-to-end talk by Daniel Grzelak, the security intelligence manager at Atlassian. Some of the attacks presented were simple and truly frightening. It's a call to really consider how effectively you are monitoring your AWS environment for changes.

While I do enjoy the technical talks focused on breaking and attacking immensely, my passions in security really are in defending and building a great security team that helps spread a great company security culture. I think that'll be not only the focus of the next two postings but of all postings.

If that sounds like you ... stay tuned! I'll have something up in the coming week. Until then .. were you at the conference? Keen to chat and hear your experiences ... hit me up on twitter at @SparkleOps