Front row perspective from Brian Krebs’ 2017 Keynote!

I had the amazing honor of getting a front-row seat for Brian Krebs’ keynote speech at the SailPoint Navigate Conference last week in Austin, TX! Brian is an exceptional public speaker, just as he is an exceptional writer. Krebs has been my teacher for a few years now (extensive reading and studying of his blog: https://krebsonsecurity.com ). During the keynote, he captivated the audience by highlighting what he has learned from his experiences. I wrote by hand as fast as I could in my notebook, trying to capture as much of it as I could, and put it all together here:

Opening thoughts: 

  • Authentication and identity compromises are why there are so many security breaches; the attacker essentially becomes the user with stolen, compromised credentials.
  • The weakest part of the organization is the farthest point out: the users.
  • “Everyone gets pen-tested whether or not they pay for it” < that is so true!
  • In most breaches in the last decade, the org has had no clue the attacker was on their network.
  • Security awareness training is still an effective method to help mitigate breaches.
  • We have no business using “static identifiers” in 2017! How do we get better?
  • Two-factor can blunt many attacks! Industry relies on tools too much; we need to rely more on humans to interpret the tools. Target had tools, but people could not make sense of what they were getting.
  • Trained SecOps staff doing basic ‘block and tackle’ and curious human beings looking at tool output are needed to find the bad guys.
  • Build a solid SecOps team (if orgs cut back on security people, their visibility decreases).
  • Mitigate account take-over [e.g., using your same creds across multiple web services]; credential replay can be done by bots at a slow rate to avoid SecTool detection; you need a human eye on the screen.
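
To make that last bullet concrete, here is an added Python example of mine (not from the keynote or the original post): a per-minute failure threshold, the kind of rule most tools ship with, next to a six-hour window that counts distinct accounts tried per source. It runs over a constructed auth log in an assumed format; the low-and-slow bot never trips the rate rule, and the flag it does raise still needs a human to decide what to do with it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed, not any product's): timestamp, source IP, account tried, outcome.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "result": m["result"]}


def make_sample_log():
    """Constructed auth log, not real traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges."""
    t0 = datetime(2017, 10, 12, 1, 0, 0)
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} src={} user={} result={}"
    lines = []
    # low-and-slow replay: one failure every 9 minutes, each against a different account
    lines += [fmt.format(t0 + timedelta(minutes=9 * i), "203.0.113.7", f"user{i:03d}", "FAIL")
              for i in range(40)]
    # classic burst: 15 failures against one account inside a minute
    lines += [fmt.format(t0 + timedelta(seconds=3 * i), "203.0.113.9", "bob", "FAIL") for i in range(15)]
    # a person mistyping their password twice, then logging in
    lines += [fmt.format(t0 + timedelta(minutes=20 * i), "198.51.100.5", "alice", r)
              for i, r in enumerate(("FAIL", "FAIL", "OK"))]
    return lines


def _failures_by_source(events):
    """Group failed logins by source IP as time-sorted (timestamp, account) pairs."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append((e["ts"], e["user"]))
    return {src: sorted(fails) for src, fails in by_src.items()}


def _windows(fails, window):
    """Yield, for each failure, the failures no older than `window` before it (sliding window)."""
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        yield fails[start:end + 1]


def burst_sources(events, threshold=10, window=timedelta(minutes=1)):
    """The rate rule most tools ship with: >= threshold failures from one source inside `window`."""
    return {src for src, fails in _failures_by_source(events).items()
            if any(len(w) >= threshold for w in _windows(fails, window))}


def low_and_slow_sources(events, min_accounts=20, window=timedelta(hours=6)):
    """Long-window rule: one source failing against many distinct accounts, however slowly."""
    return {src for src, fails in _failures_by_source(events).items()
            if any(len({u for _, u in w}) >= min_accounts for w in _windows(fails, window))}


if __name__ == "__main__":
    events = [e for e in map(parse_line, make_sample_log()) if e]
    print("burst rule flags:       ", sorted(burst_sources(events)))  # only 203.0.113.9
    print("low-and-slow rule flags:", sorted(low_and_slow_sources(events)))  # only 203.0.113.7
```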

Krebs then changed up topics to predictions:

  • Ransomware attacks may become more targeted, and attackers will better understand the data (and the value of that data) which they encrypt, so they can ask a proper ransom for it.
  • IoT will be a major challenge. Shodan lists all kinds of targets. Krebs’ site was DDoS’d [620 Gbps] by a massive botnet consisting of IoT devices; expect this trend to continue.
  • Potentially more disruptive attacks [WannaCry].

More Solutions outlined:

  • Get beyond Compliance; don’t just meet the audit; go further
  • Invest in 2FA everywhere!
  • Do your back-ups correctly, don’t leave them open, or exposed!
  • Drill exercises: red team vs. blue team, so your team will be ready and can run the playbook!
  • Secure what you have
  • Watch out for vendor ‘kool-aid’ that their tools can replace people, simply not true!
  • Strengthen and invest in current employees
  • Assume you are compromised
  • Watch out for your business partners

After the speech was over, he wanted to stay up and answer questions from the audience; unfortunately, the vendor rushed him off stage so some C-level person could speak (but not before I got to shake his hand and thank him for all his work and how much he has helped me professionally)! Thank you, Brian! It was great to finally meet you!

Social Security Card was never meant to be used as an ID card.

This is a solid 7-minute video explaining the inception and original INTENDED use of the United States Social Security card, and how it was NEVER originally intended to be used as an identification card. What?? REALLY???

The other “shocker” is that there is no security built into the card regarding the number schema – pretty amazing [SAD] when you think about how much this number is used for major financial transactions (outside of Social Security itself). Yes, the number is fairly guessable if you know the state of birth and year of birth. Because of this, and the plethora of security breaches that have taken place over the years, I assume compromise when it comes to my own number (e.g., the bad guys have it somewhere, waiting to be used, along with millions of others’ SS numbers).

So then, the BEST thing you and I can do is use some kind of credit monitoring service, or continuously keep your credit report in FRAUD alert mode, making it hard for other people to open accounts in your name. FRAUD alerts must be set every 90 days, or if you are active military, every year. FRAUD alerts fall under the “I don’t have to outrun the bear, I just need to outrun you” principle: fraud alerts don’t guarantee your identity can’t be stolen, they just make it harder to steal yours than the next guy’s 🙂

If you set an alert with one of the bureaus, they notify the other ones. Here is the Equifax link to set an initial 90-day alert.

On credit monitoring: I have sort of a love-hate relationship with credit monitoring services, because I believe credit monitoring is something that the three (four) major credit bureaus should BE DOING ANYWAY, as it clearly falls under their due diligence as record keepers of such critical information. BUT they don’t . . . and we must pay for the credit monitoring service from one of the major bureaus or a third party. That’s kind of wrong, but necessary in my eyes.

Stay safe!

Hackers driving tractors? Tractor bots? Maybe.

SecurityLedger.com published an article about farmers using jailbroken diagnostic software for their tractors. Apparently, some farmers are frustrated at the high cost associated with a house call from certified John Deere technicians to diagnose problems with tractors; so much so that these farmers are frequenting websites to obtain jailbroken John Deere software (from an Eastern European source) that allows them to interface with the tractor and diagnose the problem themselves.

This is bad. Jailbroken software has a high risk of compromise because the user cannot verify its integrity. The same entity who jailbroke the connector/software could have tampered with it to add some extra “features”, or a third party could download the jailbroken software, modify it and re-upload it with a rootkit pre-installed for anytime access.

This article from Wired mentions a “tractor hack” done by obtaining a laptop from a friend of a friend with the vendor connectors and jailbroken software pre-installed. Hmmm. I wonder where that came from? Yeah, so if I wanted to have a tractor-bot that I could control, I might write some software and release it into the wild. So, point being, that laptop itself could be the backdoor to all kinds of badness and infect every piece of equipment to which it connects.

You get it. Installing or using jailbroken software to interface with a tractor or combine is introducing BIG RISK into a BIG MACHINE. What kind of risk are we really talking about? What does combine software even do?

Looking in the cab, there are on-dash displays of tillage and speed maps, field boundaries and freeform zones, so an attacker could “re-draw” the field to encompass any area he/she wished, or remove physical boundaries. CROP CIRCLES! Looking at the rest of the tractor, at a minimum the software would control a vast array of sensors which relay data about the various moving parts (tiller speed, motor RPMs, heat, oil pressure, etc.), some of which are visible from the cab, while other readouts only the vendor can read.

Newer farming machinery would most likely employ more software-controlled actuators. Actuators control the independent physical mechanisms (on/off/variable speed) of a machine with a control signal. It is not too far a leap, then, if you think about the architecture behind the components of Stuxnet that were designed to spin centrifuges faster and then replay bogus sensor readouts to the operators that read ‘all systems normal’; that same methodology could be used to control the software-driven actuators of farming machinery and injure human beings.

I’ll admit it’s a stretch, but it’s possible. Jailbroken software is sketchy, people, and when you are dealing with a 30,000-pound combine, you just don’t install software that has not been verified through the vendor. I understand the John Deere service call is expensive. The potential alternative is way more expensive.

Stay Safe and Farm on!

LucasFilm inadvertently gives away details about its Network Infrastructure

Like any Star Wars fan, I was happy to see the release of the official movie title this week. Gizmodo shared an official photo from Rian Johnson’s office which is, I believe, an official LucasFilm-sanctioned photo.

[image: sw_image]

If you look next to R2-D2’s right leg, there appears to be a Cisco phone. What is the big deal? Well, that little tip of the hand reveals a lot.

Further investigation shows that it appears to be a Cisco CP-7965. I determined the model number from the fact that it appears to have a color screen, six buttons on the right and four buttons under the screen. This phone is part of a series of Cisco VoIP phones that run on an IP network.

It can be easily determined that if LucasFilm has Cisco phones, the upstream network switches that provide them with connectivity and power, are yes, you guessed it – Cisco switches.

For now, the phone is more interesting to me, though, because if I know the model number, I can then search for registered vulnerabilities against that model.

These are older, but still a possibility:

http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110601-phone.html

Now, there is no way to tell what code they are running on that phone, but it gives the bad guys a place to start. Again, this is a case of a photo that is meant to show one thing, but too much is revealed.

Let’s circle back around to how that phone gets its power and data. These phones are supplied power by Power over Ethernet (PoE), and since this is in the office of an end user, it is probably a Cisco access-layer switch, of which there are only a few models, each one running code of some kind. The same methodology applies, except now there is a little more guesswork, because we don’t know the exact model of switch, just a list of potentials, so the list of exploits to try is larger.

The lesson here is clear. Don’t take pictures of offices that house potentially sensitive data. In this case, it was the phone; no one would think a phone could reveal so much about an internal network, but it does.

There are some other elements in the photo that tell us more: someone could guess the smart TV type and model, the table type and model, and the software running on the screen.

Be safe! Look at the pics you put on the internet!

Highly Vulnerable Income Tax Booth at local big box store

When I am out and about, I am always looking at the setups at the places I visit. On the way out of my local big box store, this tax preparation booth caught my eye big time. It was New Year’s Eve when I saw this, so apparently the employee thought it would be best to post a big white note on the chair letting the world know there was not going to be anyone in this tax booth for three days.

On the floor, to the right of the note and chair, is . . . (you guessed it) the completely exposed backside of the computer on which YOUR taxes will be done. You might ask: well, what can someone really do? Or how do you hack that quickly enough that an employee would not notice?

[image: kiosk]

It would take less than 5 seconds to install a hardware USB keylogger between the keyboard’s USB plug and the port. Leave the tiny keylogger there unnoticed for tax season, and then come back and gather your plunder! (5 secs to remove it.)

Say you don’t want to come back. The USB Rubber Ducky can grab Windows creds directly from memory and copy them into a text file in moments, or perform whatever custom scripting you want on the target (download a payload, etc., etc.).

The other sad, sad thing about this booth is the third red circle in the upper left, the exposed consumer router. Another way in to do pretty much whatever you want. You could put a Raspberry Pi on there with dual-homed network interfaces (Ethernet to the tax router, DHCP) and a hidden Wi-Fi to connect to it whenever you are in range, and hop right onto that network any ol’ time you want.

I would think a tax booth would have the most value to bad guys due to the detailed amount of PII (Personally Identifiable Information) you could get on so many of the clients, and all other tax booths to which it connects. Think about it. The bad guys having the same tax info you give to a company to do your taxes. The bad guys can then become you. If you do use a strip-mall or booth-type tax service, do your best to watch for this stuff. As mentioned in the previous post, keep a fraud alert on your credit report. Watch your accounts closely. Question even the smallest charges for unknown things. Be aware!

Stay safe! Stay Secure!

Thoughts on Cricket Liu’s DDoS Webcast

I’m always excited when I get to hear Cricket speak about DNS. Why? Because the man knows his stuff. Cricket Liu literally wrote the book on DNS, and I first got to meet him back in 2007 when I worked for Corporate Express. He is one of the few hyper-smart people who also possess solid public-speaking chops and the ability to story-tell.

Today’s webcast was sponsored by Infoblox and was titled ‘Lessons from the Latest DDoS attack’, referring to the Oct 21st attack that took out Dyn (a DNS provider) for several hours. Companies who host their DNS through Dyn were affected and not available.

The take-away I got from listening to Cricket today was: Redundancy! Specifically, Cricket highlighted adding redundant authoritative name servers across different providers to a company’s architecture as a way to ensure availability when a single DNS provider is going through a 3.2 Gbps DDoS or other outage (e.g., deploy your redundant authoritative name servers in BOTH Dyn and Rackspace).

Cricket also talked briefly about Response Policy Zones as a DDoS defense, likening them to fancy customizable blacklists with the added kick of being able to redirect that traffic elsewhere. Response Policy Zones are a deep-dive topic I will tackle in a future blog.

He talked about the IoT devices that made up the attack, and how they were conscripted by the Mirai code to become slave bots due to poor password design / users not changing defaults. Brian Krebs has the best write-up on this. Cricket also mentioned something I had not heard anywhere else: that many of the IoT devices are connected to high-bandwidth links, each saturated with junk traffic.

Listening to someone, really listening, can tell you a lot about how they think. His simple yet powerful advice on DNS provider redundancy is solid. I’m a believer. Redundancy is a topic we’ve covered here before when talking about cloud providers. I understand that it is a cost decision not to implement layers of redundant architecture; yet at some point, when weighing the risks and the likelihood of that risk manifesting [DDoS], it becomes more expensive not to implement redundant architectures.

This gets more interesting: DDoS attacks are growing – take a look! I think we will see more DDoS defense tools, talks and news in the very near future.

Stay Protected!

In the wild: Electric Car-Charging Station reveals Software Version, Firmware Version and Asset ID !

While hitting the local Walgreens for a late afternoon caffeine fix, I was intrigued by the new charging station they recently installed. I am all for clean energy; I am a fan of Tesla and the development of electric cars, so it was pretty great to see this charging station in my neighborhood.

Upon closer inspection, I noticed some things and I snapped a pic:

[image: 3_pump]

There is no reason (other than to help a hacker who wants to compromise this device) to show the software version, firmware version and asset ID on the public-facing screen.

This info tells the bad guys whether or not their crafted malware will work on this station; it tells them what feature sets are on; and if they’ve done their homework, what bugs are present in these versions. To me, it is just plain unacceptable to have this level of unnecessary technical data out there in plain sight for all to behold.

This charging station is another IoT device out there for the taking. If you want to go deeper, [insert Leo DiCaprio squinting his eyes jpeg], the industry white-hat expert on electric car-charging station hacking, Ofer Shezaf, explains the dangers of vulnerable charging stations in his detailed .pdf.

Stay Safe!

Let’s Encrypt a USB stick with LUKS!

Encryption is often perceived as being much harder to implement than it is. Here is a quick example to prove my point, with a USB stick in a Linux box.

I insert my USB stick and look at the output of mount -l, or cat the /etc/mtab file, and we see that it is /dev/sda (for this example).

# create a LUKS-formatted volume on the USB stick (double-check the device name first: sda is often the internal disk)

[you@yourlinuxbox ~]# umount /dev/sda

[you@yourlinuxbox ~]# cryptsetup --verbose --verify-passphrase luksFormat /dev/sda

# answer the passphrase questions (luksFormat also asks you to confirm, in capitals, that the device will be wiped)

[you@yourlinuxbox ~]# cryptsetup luksOpen /dev/sda usb # create a new crypt device file, /dev/mapper/usb

[you@yourlinuxbox ~]# mkfs -t ext4 /dev/mapper/usb # create the file system (notice mapper)

[you@yourlinuxbox ~]# cryptsetup luksClose usb # close the mapping before pulling the stick

That’s it! When you put the USB stick in, it will prompt for the passphrase!
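
The commands above write a LUKS header to the front of the stick. As an added example (mine, not from the original post), this Python reads that header back the way cryptsetup luksDump reports it, so you can confirm the cipher, hash and how many passphrase slots are in use before trusting a stick. It assumes the LUKS1 binary layout and parses a constructed header; recent cryptsetup (2.1 and later) formats LUKS2 by default unless you pass --type luks1, and that JSON-based header is rejected rather than parsed.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 phdr (big-endian): magic, version, cipher name, cipher mode, hash spec,
# payload offset (sectors), master key bytes, MK digest, MK salt, MK iterations, UUID
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
# one key slot: state, PBKDF2 iterations, salt, key-material offset (sectors), AF stripes
SLOT_FMT = ">II32sII"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
PHDR_SIZE = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592 bytes


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Decode the first 592 bytes of a device: the fields 'cryptsetup luksDump' reports."""
    if len(buf) < PHDR_SIZE:
        raise ValueError("buffer too short for a LUKS header")
    if buf[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS device: magic bytes missing")
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, digest_iter, uuid) = struct.unpack_from(PHDR_FMT, buf)
    if version != 1:
        raise ValueError(f"LUKS version {version}: its header is JSON, not the binary layout parsed here")
    slots, base = [], struct.calcsize(PHDR_FMT)
    for i in range(8):
        state, iters, _s, _off, stripes = struct.unpack_from(SLOT_FMT, buf, base + i * 48)
        if state == SLOT_ENABLED:
            slots.append({"slot": i, "iterations": iters, "stripes": stripes})
        elif state != SLOT_DISABLED:
            raise ValueError(f"key slot {i} has an unknown state 0x{state:08x}")
    return {"cipher": f"{_cstr(cipher)}-{_cstr(mode)}", "hash": _cstr(hashspec),
            "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
            "mk_digest_iterations": digest_iter, "uuid": _cstr(uuid), "enabled_slots": slots}


def build_sample_header():
    """Constructed header (not read from a real stick): aes-xts-plain64, sha256, one passphrase slot."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, b"\x11" * 20, b"\x22" * 32, 100000,
                       b"0f7d3a2e-1234-4abc-8def-000000000000")
    slot0 = struct.pack(SLOT_FMT, SLOT_ENABLED, 250000, b"\x33" * 32, 8, 4000)
    empty = struct.pack(SLOT_FMT, SLOT_DISABLED, 0, b"\0" * 32, 0, 0)
    return phdr + slot0 + empty * 7


if __name__ == "__main__":
    # Pass a block device (as root) to inspect a real stick; otherwise the constructed sample is parsed.
    data = open(sys.argv[1], "rb").read(PHDR_SIZE) if len(sys.argv) > 1 else build_sample_header()
    for key, value in parse_luks1_header(data).items():
        print(f"{key}: {value}")
```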

Let’s talk about Cisco bugs, outsourcing of critical resources and Disaster Recovery

I am commenting on “Cisco’s Network Bugs Are Front and Center in Bankruptcy Fight”

http://www.bloomberg.com/news/articles/2016-09-08/cisco-s-network-bugs-are-front-and-center-in-bankruptcy-fight

The short version is this: PeakWeb, a Platform-as-a-Service (PaaS) provider, had a catastrophic outage they blamed on a Cisco bug. PeakWeb’s customer, MachineZone, felt the brunt of this, as none of MachineZone’s customers were able to access their gaming platform; so much so that MachineWeb is filing for bankruptcy.

This article fascinated the network engineer in me, as I have dealt with so many bugs bringing down network systems. In this case, the end customer felt the edge of the sword, resulting in bankruptcy. The article references the Cisco Nexus 3000. Cisco Nexus switches have had their fair share of bugs since coming onto the market in 2008; I, and many of my peers, have experienced many of them first hand. Although some of the bugs are catastrophic, yes, this is not a Brad Reese article to bash on Cisco.

I think the weak link here was not the bug, but the relationship/contract Machine Zone had with Peak Web, as well as Peak Web’s own lack of any apparent Disaster Recovery Plan. Outsourcing to the cloud is almost a no-brainer these days with all of the low-cost horsepower that is out there. Although that is true, the info security engineer in me has been skeptical of “the Cloud”, really going back to when I began watching companies turn over their critical systems and applications and put them in computers they don’t own, run by people they did not hire. Don’t get me wrong, the cloud has its place for some things, but in most cases, just not the entirety of your critical infrastructure. The case referenced here supports my argument. Even from an InfoSec standpoint, PeakWeb’s outage compromised the Availability leg of Machine Zone’s Confidentiality/Integrity/Availability triad.

An alternative for Machine Zone, if they were so determined to use the cloud: they could have leveraged another redundant PaaS provider as a ‘warm standby’ and had their application ‘Game Stack’ / container / Docker image ready to go in a 2-to-4 hour, or even 8 hour, period. Fire up the back-up ‘Game Stack’ / container / Docker image, make some public DNS changes, and voilà, ready to go. Even if their hypothetical back-up could have handled only 70% of the normal traffic load, that’s still 70% of customers they are serving. Having a “warm site” would have killed two birds with one stone. First, all of their eggs are not in one basket (no matter how much the cloud provider preaches their own redundancy); second, they now have a Disaster Recovery Plan. I understand that these alternative solutions are expensive, especially for a smaller org, but what is the cost of not having DR? Bankruptcy.

Another what-if scenario: what if Machine Zone had their network / app platform in-sourced in their own data center that they owned and controlled, with their own talent to manage it? I can’t promise they would not have had a 10-hour outage, but my opinion as a seasoned network engineer is that the likelihood is their network would not have been down that long, even with a bug like that, assuming they followed standard redundant architecture in building their infrastructure. (Again, I know this is expensive.) Also, they would have owned the relationship with Cisco and leveraged Cisco TAC (probably one of the best technical support organizations on the planet) to help them resolve it, rather than having a middle man and a contract that tied their hands from doing anything to improve their situation.

My heart goes out to MachineWeb. I don’t mean to be an “armchair critic” and point out what they did wrong, but it makes for an interesting lesson learned and personal take-away, especially true in an era where most businesses don’t think twice about the implications of moving critical infrastructure to “the Cloud”. We just see the cheap price and we hear about all their redundant data centers, so we buy in. So I am not bashing anyone, just challenging you to think about all the implications of cloud-sourcing your infrastructure and/or applications to another organization whose policies you do not control.

Fun Fact: The term ‘Cloud’ is derived from old telco schematics where a ‘cloud’ logo was used to represent the ambiguity of the entire carrier network in an otherwise detailed depiction of the connectivity of your own network layout. To me, “the Cloud” is just another word for ‘Other People’s Computers’ that I don’t own or manage.

Stay safe! Stay Secure! Chris out.