Wednesday, January 17, 2018

Hey everybody let's be nation state hackers

Apparently Mitre is cross-referencing attack data, collected on the ATT&CK platform, with open source intel (OSINT) to create playbooks allowing organizations to emulate nation state hackers:
MITRE created Adversary Emulation Plans. These are prototype documents of what can be done with publicly available threat reports and ATT&CK. The purpose of this activity is to allow defenders to more effectively test their networks and defenses by enabling red teams to more actively model adversary behavior, as described by ATT&CK. This is part of a larger process to help more effectively test products and environments, as well as create analytics for ATT&CK behaviors rather than detecting a specific indicator of compromise (IOC) or specific tool.
For some reason, despite their good intentions, this reminds me of CB4, starring Chris Rock:

I mean, I get the need for accurate data and good red-teaming, and good on Mitre for helping make that possible, but I just know at some point someone is going to impersonate a known APT group and all sorts of hilarity will ensue.

(Or maybe I am just being pessimistic, I haven't had coffee yet this morning).

Sunday, January 14, 2018

What the hell people?

How come every computer geek on twitter is cooler than me?

On my profile I am like hey, I like to shoot stuff, read sci-fi, and watch stupid teen comedies and Fast and Furious movies. Normal stuff, right? But then I see other people's profiles and it's like I compose operas while driving Formula One, read data directly from the magnetic fields emanating from the disk, have mastered the esoteric martial arts of the head hunters of Papua New Guinea, Pentester, DFIR expert, Lockpicker, Hostage Negotiator, and Master of Tantric Yoga and the Kama Sutra.

I guess I need to step up my game.

On the other hand I am employed, so there is that.

Monday, January 08, 2018

What I am reading 1/8/2018

NYTimes - Cybersecurity Today Is Treated Like Accounting Before Enron -
The tepid consequences are part of a growing problem. From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures. With the privacy and personal data of hundreds of millions of people at risk, and especially now with the increasing ubiquity of connected devices in our lives, the security of digital assets is too important for that kind of treatment. We need to bolster a culture of responsibility around cybersecurity, combining stronger and more uniform corporate governance with a clearer government commitment to enact better defensive policies.
I have long advocated for this. Cybersecurity won't be taken seriously until companies and CEOs are hit in the pocketbook.

Dark Reading - Vulnerability Management: The Most Important Security Issue the CISO Doesn't Own -
The number of attacks like the recent one against Equifax have risen dramatically in the last few years, resulting in the exposure of hundreds of millions of private records. Almost without exception there has been some fundamental flaw related to configuration or patching of systems. This trend will continue without systems designed to automatically identify, patch, and close vulnerabilities in core IT systems that can reduce the chance of human error. We can accomplish this with automation typically found in large operational cloud deployments and the Constant Delivery (CD)/Constant Integration (CI) principles of DevOps. These principles are already being used to automatically stop active attacks within the information security community and should now extend to IT operations to improve protections and stop the bad guys from getting in at all.
The problem with this approach is it assumes an organization is mature enough to implement DevOps. The major mistake I have seen in vulnerability management programs is a lack of follow-up. Servers are "patched" but the required restart is never executed, so the patch is never really applied. This can be avoided if a second person validates the work.

Cisco - Incident Response: Are you ready? -

Security professionals experience “what if” scenarios every day as well: what if we experience a data breach? If my organization suffers loss from a breach, what happens to the business down the road? Unlike my scenarios, the likelihood of the breach occurring is very high and you may not even know it has happened. According to industry reports, it can take organizations more than 100 days to discover security incidents within their own environments. And due to resource constraints, nearly half of these incidents are never even investigated.
Think about that. Attackers lurking within corporate networks for months at a time. They continue to work smarter and faster, only needing to find one vulnerability to get inside a network. Meanwhile, the exploding number of new technologies, devices, and users on enterprise networks makes it unfeasible to block every attack all the time.
An incident response plan is critical for security.

Sunday, January 07, 2018

It's 11:15 PM on a Sunday so of course the drunks have to be screaming and fighting in the parking lot

I wonder if it will be the SWAT team or just the normal cops this time?

Oh well, while we wait I will post the every-two-weeks-or-so compilation of cybersecurity job numbers based upon certification.

I also have one based on keywords, but I am going to get another set of numbers for comparison before I post that.

Friday, January 05, 2018

More MELTDOWNS - What I am reading 1/5/2018

Forbes - Here Are All The Available Fixes You Need For Those Huge Chip Hacks -- UPDATED -
Vendors are rushing out fixes for the Meltdown and Spectre attacks that were disclosed on Wednesday. The hacks can occur in various ways, but ultimately users should be aware both allow for an attacker to access the entire memory of a vulnerable computer. Smartphones and other devices containing the vulnerable Intel, AMD and ARM chips are open to either both or one of the attacks. Furthermore, Spectre attacks can be exploited over the Web just by visiting a website running the requisite malicious code; Meltdown attacks require the hacker to already have access to the computer.
I'm not sure exactly how the updates are being pushed out. All my systems are on the compatible anti-virus list and I have not received the Microsoft or any of the Google, Firefox, etc. patches.

Gizmodo - Check This List to See If You’re Still Vulnerable to Meltdown and Spectre [Updated] -

Update: I did get the updates from Microsoft; it's KB4056892.

Infosec Institute - An Asset Management Guide for Information Security Professionals -

In the realm of information security and information technology, an asset is anything of value to a business that is related to information services. These can take the form of a device, data or information, or even as people or software systems within the structure of a business. Anything that has value and supports the operation of a business can be considered an asset.
It is therefore very important for an asset classification system to be implemented, monitored and followed closely. This will allow you, as an information security specialist, to take stock of your company’s requirements and create the appropriate strategies needed to maintain all of the information systems required to allow your business to operate efficiently.
Asset management is a huge part of a good security strategy and it is often neglected, but number 1 and number 2 on the CIS Top 20 Critical Security Controls are Hardware Inventory and Software Inventory for a reason.

Network Computing - A Networking To-Do List for 2018 -

SD-WAN, automation, and the cloud are here to stay, so getting up to speed on these trends will pay off for networking pros. Neglecting them may lead to loss of control over the infrastructure.
That may be a little overstated, but still they are areas of growing importance.

Thursday, January 04, 2018

It's MELTingDOWN out there under the SPECTRE of total PC annihilation - What I am reading 1/4/2018

NYTimes - Researchers Discover Two Major Flaws in the World’s Computers -

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.
There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.
The Verge - How to protect your PC against the major ‘Meltdown’ CPU security flaw -
The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information. Researchers are already showing how easy this attack works on Linux machines, but Microsoft says it has “not received any information to indicate that these vulnerabilities have been used to attack customers at this time.”
Windows users can mitigate against Meltdown by:
  • Updating browsers (Firefox and Chrome have released updates)
  • Running Windows Update and making sure KB4056892 is installed
  • Running the detection tool issued by Intel to determine if your hardware is vulnerable
  • If a firmware update is needed, checking for links to support information and running the updates
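As an added example (not from the blog or The Verge), here is a PowerShell check that confirms the Windows Update step above actually landed on a machine: it looks for the KB the blog names, for the antivirus compatibility flag that gated delivery of the January 2018 update, for the kernel-side mitigation being active, and for a pending reboot. It assumes an elevated PowerShell session on Windows 10 (KB4056892 is the Windows 10 1709 cumulative update; other builds used other KB numbers, so the id is a parameter) and Microsoft's SpeculationControl module for the third check.

```powershell
# Added example: verify the Windows-side Meltdown mitigation steps listed above.
# Assumes an elevated session. The QualityCompat key and the SpeculationControl
# module are Microsoft's, from its January 2018 guidance; the default KB id is the
# one the blog names and only applies to Windows 10 1709.
function Test-MeltdownPatchState {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB4056892'
    )

    $result = [ordered]@{}

    # 1. Is the cumulative update that carries the kernel fix installed?
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $result.UpdateInstalled = [bool]$hotfix

    # 2. Windows Update withheld the January 2018 fix unless the antivirus vendor
    #    had set this compatibility flag. A missing key is one reason a machine
    #    on the "compatible anti-virus list" still never receives the patch.
    $compatPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $compat = Get-ItemProperty -Path $compatPath -ErrorAction SilentlyContinue
    $result.AvCompatFlagSet = ($null -ne $compat) -and ($null -ne $compat.$compatValue)

    # 3. Is the kernel mitigation (KVA shadow, Windows' equivalent of Linux KPTI)
    #    actually enabled? Requires Microsoft's SpeculationControl module; when it
    #    is absent the check is reported as unknown rather than silently passing.
    if (Get-Module -ListAvailable -Name SpeculationControl) {
        Import-Module SpeculationControl
        $sc = Get-SpeculationControlSettings
        $result.KvaShadowRequired = $sc.KVAShadowRequired
        $result.KvaShadowEnabled  = $sc.KVAShadowWindowsSupportEnabled
    } else {
        $result.KvaShadowEnabled = 'Unknown (run Install-Module SpeculationControl)'
    }

    # 4. A pending reboot means the files are on disk but the old kernel is still
    #    running: the "patched but never restarted" gap the blog points out.
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $result.RebootPending = Test-Path -Path $rebootKey

    [pscustomobject]$result
}

Test-MeltdownPatchState | Format-List
```

A machine counts as mitigated only when UpdateInstalled and KvaShadowEnabled are both true and RebootPending is false; AvCompatFlagSet explains the case where the update is simply not offered.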

In other words, update and patch. That is number 4 on the CIS Top 20 Critical Security Controls, numbers 2 and 3 in the Australian Security Directorate's Top 4 security controls, and number 9 in the NSA's Information Assurance Directorate's Top 10 Mitigations.

Wired - A Critical Intel Flaw Breaks Basic Security for Most Computers -

VUSEC's Bosman confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution.
Retrieving any data from that privileged peeking isn't simple, since once the processor stops its speculative execution and jumps back to the fork in its instructions, it throws out the results. But before it does, it stores them in its cache, a collection of temporary memory allotted to the processor to give it quick access to recent data. By carefully crafting requests to the processor and seeing how fast it responds, a hacker's code could figure out whether the requested data is in the cache or not. And with a series of speculative execution and cache probes, he or she can start to assemble parts of the computer's high privilege memory, including even sensitive personal information or passwords.
Sophos - F**CKWIT, aka KAISER, aka KPTI – Intel CPU flaw needs low-level OS patches - 

Google’s Project Zero bug hunting team has now published a detailed description of the behind-the-scenes research that’s been going on for the past few months. It’s both technical and jargon-heavy, but the main takeaways are:
  • In theory, various Intel, AMD and ARM processors have features related to speculative execution and caching that can be exploited as described above.
  • AMD chips have so far only been exploited when using Linux with a non-default kernel feature enabled.
  • Intel chips have been exploited so that an unprivileged, logged-in user can read out kernel data slowly but steadily.
  • Intel chips have been exploited so that a root user in a guest virtual machine can read out host kernel data slowly but steadily.
(“Slowly” means that an attacker could suck out on the order of 1000 bytes per second, or approximately 100MBytes per day.)
Even if you assume that an attacker didn’t know where to focus his attempts, but could do no better than to grab live kernel data at random, you can consider this issue to be a bit like Heartbleed, where an attacker would often end up with garbage but might occasionally get lucky and grab hold of secret data such as passwords and private decryption keys.
Unlike Heartbleed, the attacker already needs a footprint on a vulnerable server, for example as a logged-in user with a command shell open, or as the owner of a virtual machine (VM) running on a hosting server. (In both cases the user ought to be constrained entirely to his own account or to his own VM.)
The Register - Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs -

On Tuesday, we warned that a blueprint blunder in Intel's CPUs could allow applications, malware, and JavaScript running in web browsers, to obtain information they should not be allowed to access: the contents of the operating system kernel's private memory areas.
These zones often contain files cached from disk, a view onto the machine's entire physical memory, and other secrets. This should be invisible to normal programs.
Thanks to Intel's cockup – now codenamed Meltdown – that data is potentially accessible, meaning bad websites and malware can attempt to rifle through the computer's memory looking for credentials, RNG seeds, personal information, and more.
Finally, if you are of the opinion that us media types are being hysterical about this design blunder, check this out: CERT recommends throwing away your CPU and buying a non-vulnerable one to truly fix the issue.

This article by The Register is actually the best of the bunch and includes a video demonstration of a Meltdown attack.

SANS has a webcast scheduled to address what Meltdown and Spectre are and how to mitigate them today at 9 am Pacific.

(Sorry it was all Meltdown and Spectre today but you'll live - especially since I have no readers and am only addressing the voices in my head anyway - unless SKYNET seizes this opportunity to rise up and destroy mankind)

Wednesday, January 03, 2018

What I am reading 1/3/2018

Pakistan has been accused of playing a "double game" and harbouring "terrorists" by Nikki Haley, the US ambassador to the UN, as the war of words continues between the two countries over military aid.
Haley's comments come a day after President Donald Trump threatened to cut aid to Pakistan for allegedly lying to the US and offering "little help" in hunting "terrorists" in neighbouring Afghanistan.
Without a doubt the Taliban has been seeking refuge in Pakistan's tribal areas and the ISI has been backstabbing the US for years, but the problem is more systemic. Pakistan's government is a corrupt kleptocracy and even if they weren't fucking around with this they are not deserving of US support.

LA Times - A longtime Republican senator says he'll retire, and the White House nervously eyes his likely successor, Mitt Romney -
Sen. Orrin G. Hatch’s announcement Tuesday that he would retire rather than seek an eighth term representing Utah opened the door to a return to public office by Mitt Romney, the 2012 Republican presidential nominee and a sometimes harsh critic of President Trump.
The contentiousness between the president and Romney has been so acute that Trump had publicly implored Hatch to run again, a barely veiled effort to deny Romney a route to the Senate. But at 83, having spent nearly half his life as a senator, Hatch spurned the president’s request and made good on his long-ago vow to leave office at the conclusion of his current term. He will depart as the longest-serving Republican in the Senate’s history.
This is a tough one for me. I am not a fan of President Trump, but I do agree with some of his policies, whereas I do like Romney personally but disagree with his stances on immigration and a couple other things. It will drive the Trump base batshit if he wins.

NYTimes - China Offers Tax Incentives to Persuade U.S. Companies to Stay -
BEIJING — China said on Thursday that it would temporarily exempt foreign companies from paying tax on their earnings, a bid to keep American businesses from taking their profits out of China following Washington’s overhaul of the United States tax code.
There is, however, a catch: To be eligible, foreign companies must invest those earnings in sectors encouraged by China’s government — including railways, mining, technology and agriculture — according to a statement from the Finance Ministry. The measure is retroactive from Jan. 1 this year, the ministry said.

HMMM, I thought the tax overhaul was going to be ineffective in convincing businesses to repatriate overseas earnings.

Reuters - The Bitcoin Hoax -
...(I)f the issue is more competition, the remedy is to break up the big banks, not to return to a digitized version of 19th century boom and bust credit creation. I may agree with Dimon on Bitcoin – I agreed with Steve Bannon on not going to nuclear war with North Korea – but that doesn’t mean I support either Bannon’s racism or Dimon’s predatory banking.
In sum, we should hardly be surprised that Bitcoin is on a wild speculative ride—that’s the essence of privatized credit creation. And if you think this gambling is zero-sum and victimless, kindly Google these: Panic of 1837, Panic of 1857, Panic of 1873, Panic of 1893, Panic of 1907 and, of course, the Great Depression of 1929-1940 and the Collapse of 2008.
Boing Boing - Cory Doctorow has restarted his podcast -

Some people may be interested so I included it. I, personally, consider him to be the most overrated writer alive and am actually kind of upset that DefCon included him in their DefCon26 reading list. (His story, When Sysadmins Ruled The Earth, kind of says it all. Whatadouche)
