My purplecon talk released

Just a quick post to let you all know the video is up from my talk ‘Caring for our pen tester friends’, which I gave at purplecon in 2018.

The supporting material I wrote for their great archive is also on my blog here

Hope you enjoy it, and as usual if you want to talk about the content with me you can shoot me an e-mail from the contact page or hit me up on twitter @SparkleOps.

InfosecNZ Slack Community

InfosecNZ is a Slack community for those in New Zealand working in tech or information security to network, learn and share on a wide range of security topics, and to do our bit to help grow the security community in New Zealand.

We have over 350 members discussing offensive and defensive topics like:

  • Developer security
  • Security news
  • Threat hunting and intel sharing, including working with CERTs
  • Incident response
  • Vulnerability management
  • Physical security
  • Penetration testing and red teaming
  • A newbie friendly “Ask anything” support channel

If you would like to join us, please head over here, read our community code of conduct and then message me or one of the other admins on twitter.

Come say hi and introduce yourself! 

2018 Verizon DBIR

Each year Verizon’s security team and BI analysts produce the Data Breach Investigations Report (the DBIR), which provides analysis of over 53,000 security incidents and 2,216 confirmed data breaches.

It’s an exceptional breakdown of current and emerging cyber threats, accompanied by an executive summary on how they impact various industries.

The ‘things to think about’ summaries for each industry are a great reminder that, while companies are subject to highly sophisticated technical attacks, a significant volume of incidents and breaches occur through attackers exploiting low hanging fruit: misconfiguration of systems, misuse or poor handling of customer data, and failures to apply the security controls and hygiene mandated by relevant compliance frameworks and best practices.

I strongly suggest you have a read, share it with the engineering, ops and executive people inside your company or organisation, and encourage discussion on the findings and how they relate to your security roadmap and posture.

You can download the full report here. A huge thank you and well done to the Verizon team and all the contributors; this is a very helpful resource for the security community.


Infosec reading list 2018

One of my goals for 2018 was to read a wider range of books for my professional development, and I have set myself a target of at least 10 books I'd like to have read before the year is out, and then to blog about my learnings from each book here.

Below is my hit list, with a little something about each as to why I picked it.

Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
By Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird

This year I am starting a new role as an Application Security Specialist, where I have been hired to assist development teams in building security into their agile development process. I believe this will give me an excellent foundation to really know I'm working on the right initiatives with our software teams.

I'm working with agile teams to run STRIDE threat modeling sessions, with the aim of better understanding the security objectives of their applications and designing out some potential flaws early rather than having penetration testers find them at the end.

For the first cut of this framework I got a lot of help from looking at slides and conference talks from Adam, so this book was a natural choice to get some learnings and a greater understanding of the topic.

This was one of a few recommendations I took from the Red team blog - Red teamers bookshelf. I'm hoping this will assist me in running blameless post mortems with teams and in my own reflections throughout the year.

DFIR is a subject I enjoy learning about. In 2017 I spent quite a bit of time reading articles, exploring Brett Shavers' fantastic DFIR training site and reading the O'Reilly Defensive Security Handbook. This feels like a great logical next step.

The next few are all around social engineering and the human element of security. Last year I started with Social Engineering - The Art of Human Hacking by Chris Hadnagy. I absolutely loved it and can't wait to move on to this next book.

One of my mentors suggested that if I'm going to read most of Chris Hadnagy's books I should look to get an alternative perspective, and Kevin Mitnick would be a good way to round out my reading here.

More reading under the social engineering umbrella. Another recommendation from the Red team blog - Red teamers bookshelf.

Another from the Red team blog - Red teamers bookshelf :)

I want to continue learning about and understanding DevOps culture and exploring the avenues for collaboration between security and SRE/ops teams. I know this came recommended from SRE engineers who read it at my last company.

Lastly The Phoenix Project, another book which comes highly recommended from the SRE lead at my previous job. I've decided to re-read this as it has been a while, and I found it gave me immense value the first time through. Again, it’s good to think about how you and your security team relate to and function within the rest of your business.

What's on your reading list for 2018? As always, keen to continue the conversation on twitter @SparkleOps.



Netsafe New Zealand have built an amazing new chatbot called Re:scam. You can have Re:scam reply to scam and phishing emails on your behalf using a variety of false personas, each of which creates a long and ultimately pointless conversation that wastes the attacker's time. Watch the launch video below.

Follow along on twitter at @rescambot

Initially it looks like Re:scam is targeting 419 scammers and not malware spammers or other types of phishing. It will be great to see how this evolves. Well done Netsafe NZ!

Keen to hear your thoughts on this, good idea? Maybe not? Have you used it yet to annoy a prince with some complex money issues? Let me know @SparkleOps.

Docusign breached - Account emails used for phishing attacks

DocuSign have confirmed a breach where, according to their forensics, attackers gained access to one of their systems, enabling them to harvest customers' email addresses and then use them to launch phishing attacks.

Brian Krebs has done an excellent write up here

Regardless of whether you are a DocuSign customer or not, you will want to brief your IT, operations and customer support people to be alert for inbound phishing e-mails to staff, and potentially also be ready to field reports from your customers and any 3rd parties you deal with that may be receiving these malicious e-mails.

Now is also an excellent time to send a security awareness message out to the rest of your business with some short and concise advice for your users on reporting anything they receive to the right people running incident response.

Wannacry ransomware outbreak - Update

A few updates as things have unfolded further over the weekend. My original post from when Wannacry, aka wcry, ransomware first dropped is here.

Firstly and most importantly, lots of critical infrastructure, hospitals and telcos which have legacy Windows 8 and XP machines are getting emergency support from Microsoft. Bravo Microsoft, this is a great step to help defenders mitigate this threat.

Microsoft have also released this customer guidance.

If you run these systems in production, I have the direct links here thanks to this posting from Threat Post:

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

It seems the best mitigation is patching as soon as practically possible. If offlining or patching a machine is not an option then disabling SMB v1 is the next best thing.

Don't forget your change control and testing though. Nothing is worse than accidentally offlining your business in the name of keeping it safe from potential threats.
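An added example of putting that fallback mitigation into practice, not from the original post or from Microsoft: a PowerShell script that reports a host's SMBv1 state and only disables it when explicitly asked, so it can be previewed with -WhatIf before a change window. It assumes an elevated session on Windows 8 / Server 2012 or later with the SmbShare and DISM modules available; XP and Server 2003 lack these cmdlets and need the patches linked above instead.

```powershell
# Added example (not from the original post). Report-only by default so it
# fits a change-control process; -Disable actually turns SMBv1 off and
# honours -WhatIf / -Confirm via ShouldProcess. Run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable
)

function Get-Smb1Status {
    $result = [ordered]@{}
    # Server-side protocol switch that SMBv1 clients would negotiate against.
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($srv) { $result['ServerSMB1Enabled'] = $srv.EnableSMB1Protocol }
    # Optional feature state (Windows 8.1 / Server 2012 R2 and later;
    # absent on older builds, which is why the registry value is also checked).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result['SMB1FeatureState'] = $feat.State }
    # Registry override documented by Microsoft: SMB1 = 0 disables the server.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $result['RegistrySMB1Value'] = if ($reg) { $reg.SMB1 } else { 'not set (enabled by default)' }
    [pscustomobject]$result
}

Write-Host "SMBv1 state before:"
Get-Smb1Status | Format-List

if ($Disable -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
    # -Force suppresses the confirmation prompt; -NoRestart leaves the reboot
    # to your change window (the feature removal only completes after one).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMBv1 state after:"
    Get-Smb1Status | Format-List
}
```

Run it once with no switches to audit a host, then `.\Disable-Smb1.ps1 -Disable -WhatIf` to see what would change before applying it for real.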

Don't expect Wannacry to be a one off. It's exploiting a serious Windows vulnerability, and the chatter I see from security researchers I trust suggests it's trivial to repackage and launch additional waves of attacks. We have already seen a wcry 2.0 version with the kill switch the original iteration had flagged off.

I'm following these sources to help me track this incident and ensure I have the right information in front of me to know our response is solid:

That's all for now. My thoughts are with everyone incident responding to this. It's going to be a very rough week.