The ‘Compliance Only / CISSP / Minimum Viable Product / HR firewall’ infosec trapezoid of fuck

trapezoid-of-fuck

Yesterday (thurs, 3/24/16) I went on a tirade on twitter, regarding an experience I had in San Francisco during RSA week, while at a vendor party. I’ll let that whole conversation stand on it’s own, it’s over —-> here.

It spurred a TON of questions, comments, and tangential conversations, as well as the typical “I want to get into infosec and I thought the CISSP was the way to do it”.

Well, everything is sort of connected. But let me build some momentum here by starting with a few ‘sayings’ or ‘talking points’:

  • You will never succeed in a system thats DESIGNED to make you fail, in favor of perpetuating itself and the status quo.
  • You will never change a system from the inside, since they’re typically designed to withstand SPECIFICALLY change from the inside. “It worked last year, we’re not changing anything”.
  • If you want to be a hacker, and you have to ask “oh please sir, tell me how to become a hacker”, you’re never going to become a hacker. Hackers TYPICALLY are the people that analyze a thing, find a problem, and then exploit the problem. By asking, you’re demonstrating that you’re unwilling to take the time to look it up for yourself.
  • just_do_it_shia_lebouf.gif.png.webm.xps.ai.fap
  • if you tell me that I have to go get one of these certs to have the ability to complain about them, I will personally send Raymond Reddington and Bryan Mills to your house with a $2500 rimowa suitcase full of torture equipment. You’ll have a bad time.

So this concept is something that is rarely talked about because it is how people who have no clue about security maintain jobs in the security industry, and it is how companies and consulting org stay in business or stay ‘compliant’ while continually getting hacked over and over again, or turning in reports directly out of nessus/qualys with a rebranded PDF and charging $400k for the engagement.

It’s a four part fuckfest, so get your Gahllagher-style trashbag-poncho on, cuz it’s gonna get messy.

CERTIFICATIONS:

The original intention here was to have a way for people to know that someone ‘knows their shit’ without taking the time to interview them, ask them about their experiences, or otherwise interact with them at all, before rubber stamping them into a position of authority. The trouble is that when the certification places realized that this was HUGE MONEY, they tried to find ways to funnel as many people through the process as possible – especially people that are willing to pay 5 grand or so to avoid actually having any relevant experience whatsoever. Pay 5k, get a cert, look like you know shit. Wonderful.

Now, not *ALL*certs fit into this category. Just .. most of them. The CISSP and the CEH are two examples. You could be a plumber with no experience to speak of, but if you can convince 5 people or so to write you letters of recommendation, then bam – you’re in. Now you’re a plumber who’s never touched a firewall, and you’re ready to take your first CISO position.

 

COMPLIANCE ONLY SHOPS:

So compliance came into existence because places were found to be deficient in a lot of ways – like ENRON. Enron is why SOX (sarbanes oxley) exists. Look it up, you’ll see. You’ll make a face, too. There are a TON of compliance mechanisms that are designed to “demonstrate your security program (or business workflow) is up to snuff”.

Read that again. Slowly

TO DEMONSTRATE

THAT YOUR SECURITY PROGRAM

IS UP TO SNUFF

It doesn’t fucking read “do these bare-minimum steps and you wont get hacked”, does it?

Compliance is DESIGNED to be a checklist against an EXISTING SECURITY PROGRAM so that people have an idea of what their respective industry regulators are hoping to see in a company that ‘meets the guidelines’.
This is all very vague – and it’s INTENDED to be. It’s SUPPOSED to be confusing – because it creates jobs. Auditors and box checkers, people at a company to validate compliance etc.

Now I don’t claim to be an expert in any, or even a single one of these compliance mechanisms, but when you read the cliffs-notes of them all they all more or less read the same way and make the same points:

— Have some sort of security in place

— Read your fucking logs

— Have a policy so people know whats okay and what isn’t

— Check your business shit from time to time to make sure it’s solid and doesn’t have logical loopholes or problems

— Audit your security from time to time to get an idea of what your risks are (BUT NOT DEAL WITH THEM! none of these fucking things tell you what to do AFTER you get a pentest. They just want you to get one, and stop)

— then more specific stuff on HIPAA, NERC/CIP, FISMA, FINRA, SOX, PCI/DSS – because a bank doesn’t need to make sure its nuclear scada controllers are on segregated, highly monitored networks, and the hospital doesn’t need to make sure its stock trading platform complies with mandatory cashflow minimums.
At the ROOT, they’re all MOSTLY the same.
The trouble is that once these things got written they got huge and unwieldy, and places groan when they read them – as they should – this is ‘decision by committee’ and thats always an ugly mess. So what do they do? They do just the bare minimums in these regulatory statues to comply with the regulation so that they don’t get sued by the regulatory committees, or fined by the government.

THEY DO THE BARE MINIMUM THEN STOP.

this is not why compliance exists.

this is why compliance isn’t security.

 

MINIMUM VIABLE PRODUCT:

If you spend any time in a shop that produces something: software, hardware, a widget, a product – you’ll have probably heard this term. It means “the bare minimum functional shit you need to make this thing go and be sellable in the market”.

This is why there are tens of millions of horribly insecure webcams, firewalls, watches, toilets, and other things connected directly to the internet, and it’s the core of why myself and other security researchers who ‘find random shit online’ have it so easy – because people build a thing, and once that thing is immediately viable as a product, it goes to the market (ever play an EA game? play any of the battlefields? tell me those were ‘legitimately solid’ on day 1. I dare you). Conceptually it’s easy, but it falls inline with the rest of the momentum here – doing the bare minimum and trying to get away with it for the sake of making money. Because making money is the point – not security. Security often “gets in the way” of making money – at least if you ask the sales folk. But I bet diginotar tells a different story.

 

HR FIREWALL:

You’ve probably seen job postings for people that have 10 years of ruby experience, or 10 years of go programming experience. It’s not a secret that job listings which come from an HR department are all sorts of broken and are routinely flying blind and solo through the jungle of bonkers. They ask for a CS degree, a CISSP and 5 years of experience to sit in a SOC an stare at an ELK stack or QRadar and literally press a button or send an email when a light goes red.

The intention here is to weed out shitty candidates. THERE ARE MANY. I’ve interviewed people who claimed they were redhat experts and didn’t know simple yum command lines. I’ve interviewed security people who “read the nmap book a while ago” and couldn’t tell me where to download kali linux. I’ve talked to networking engineers that told me about “UDP SESSIONS”.

The reason HR puts these absurd requirements into job listings is because they think it will cause people who don’t know their shit to avoid the job listing – WELL IT DOES THE FUCKING OPPOSITE – and it makes shit a lot worse for everybody.

Now, we have absurd job listings asking for absurd requirements, and places (like isc2 and the ec-concil) willing to ratify ANYBODY as ‘good enough’ if they pony up the cash.

Now we have HR departments who aren’t technical people, publishing job postings full of terms and acronyms they don’t understand, for hiring managers that very likely also do not understand what they want or even need, to get applicants who see these requirements and find out they can “just buy them” to get the job.

It’s creating hoops to jump through, for the sake of having hoops, in the false belief that jumping through these hoops makes you “better” somehow.
And it creates a market for places to give you “cheat codes” on how to jump through hoops.

And once  you get the job? There isn’t a single fucking hoop. And there’s no jumping. You sit and look at a display, or you curate a 25,000 word deep corporate policy on a confluence page.

And you paid 5k for a bootcamp, went through 7 interviews over 4 days, and moved to another city for it.
good. fucking. job.

 

So put these all together: Certs, the HR firewall, minimum viable product, and compliance-only “security departments”. What do you get?

HR publishes an unrealistic, absurd and laughable job description, designed to weed out bad possible candidates, but does nothing to tell legit one what they *ACTUALLY NEED* in a candidate, which leads to hiring employees that don’t know shit about security, who then work in a security department which does zero ACTUAL security – only preens and grooms the policy in the wiki, until the auditors come around, wherein they rush to get a 3rd party pentest done, then they edit the pentest report so that it matches the policy closely enough to avoid getting sued or fined this year. THEN, they are free to move on to releasing a product that has zero security considerations and was rushed out the door by a pushy sales/marketing department, because the quarterly figures are dipping and if the company stock doesn’t do well enough, the company doesn’t meet it’s figures and the stock drops, and there are bad articles written in the financial times the following week. This can lead to layoffs, or outsourcing of various departments.

 

That sounds MOTHERFUCKING SHITTY, doesn’t it?

Do you want to work in a place like that?

Is that your idea of a good time, or “doing security”?

Will you feel like you’re “making a difference”?

It’s a dog and pony show to make sure the people that have all the money and control don’t lose “unrealized gains” in the end. It’s smoke and mirrors to please auditors.

Non technical staff, making shit up in a policy to appease non technical auditors.

And you’re arguing with me on twitter over the value of the CISSP and the CEH in this scenario.

 

sigh.

 

For those of you who think the above is “utter bullshit”, do not despair. You can literally avoid it all. I’ll show you how!

  • If you have zero security experience, but are currently a dev, a sysadmin, a netadmin or in another technical role, and are interested in moving into a security role, it’s actually pretty easy. Keep doing what you’re doing, and start going to the community conferences. Not huge ones like comdex/blackhat/rsa, the little ones near you. showmecon, shakacon, shmoocon, toorcon, derbycon, bsides, layerone, hushcon (ask twitter, there are tons of these) – the cons attended by “the doers”. The people that do the things – that make the tools – that present at cons on neat topics. There are very few “doers” in the community – stick close to them and you’ll absorb A TON.
  • Most people in the community are super happy to share – so jump in, make some friends, and ask questions. Don’t ask  “how do I get started”, it’s too broad – pick a specific topic and drill into it. “How do I start reversing malware?” “How do I do a pentest?” “How do I write shellcode?” – start with the ingredients, follow what seems fun/cool, and after you have 2-3 of those you’ll have an idea of what you want to do. Security is pretty broad, and there is more than just ‘redteam and blueteam’ to it. Get you hands dirty.
  • Asking “what certs should I get” tells me “I want to be part of the problem. I like that shitty shit shit scenario you described above, and I want to live that dream!” – to which I say ‘holy shit, you made it this far in this post? you must be SUPER HIGH.’. Certs will definitely get you jobs – but just not interesting ones or ones you want or like. They get you jobs where the business leaders need to be compliant and “have to have at least one CISSP on staff” to meet some bullshit goal – they don’t want you because of you, your personality, your skills, or your experience – they need a person so sit in a chair wearing a hat that says “I HAVE A CISSP” so that they can point at you and say “see? we have a guy who has that”. If thats the job that you WANT, then fine – I can’t help you, but most people that do security LIKE WHAT THEY DO and I literally can’t think of a shitter job to be in than “a guy who has a cert because the business needed a guy who has a cert”.
  • If the job title requires a cert, avoid it. Period. If the company wants a jr pentester, or a soc analyst or an entry level job, you don’t need a cert – no matter what they fucking say. It means THEY DON’T KNOW WHAT THEY WANT OR NEED. If they INSIST THAT YOU DO it means they do not understand the job or what it’s supposed to be, which spells “you’re gonna have a bad time”. If the people hiring you have no fucking idea what it takes to do the job, even at a high level, that’s a massive indicator that the job will be shitty and you will be miserable.
  • If you think you need a cert to get a job, you’re looking at the wrong jobs. Doctors and Lawyers, PHDs, rocket scientists – those people NEED degrees. Science doesn’t change in 3 months. The law doesn’t change overnight because someone found an exploit. What we do as hackers is SUPER FLUID, and we ROUTINELY are the ones that are quoted in college curriculums, the news, blogs, and publications. To be a hacker or work in security you need EXPERIENCE. Anybody that tells you different is either trying to get you into a compliance role, or simply doesn’t have the experience enough themselves to understand.
  • If you think you need to get a cert to make HR happy, you will be miserable if you get the job. Hacker jobs aren’t about obeying company policy and obeying HR. You’re probably in the wrong field. If you want to be a mindless robot that just obeys your boss for a living, I hear OPM and Sony are hiring.
  • if you hack “getting the job” you will be rewarded for it. Hacking the job means getting the job without going through HR. This can be done several ways:
    • Meeting the hiring manager at a con, or anywhere else, and having a conversation outside of work. This basically serves as a casual interview.
    • Being selected for a job based on your hobby, your previous work, your experience, code on github, conference presentation, or social media contributions (legit ones, not just ranting).
    • Being the author of a tool.
    • doing a rad research project.
    • TL;DR – if you do awesome shit, the job will come to you, not the other way around. Do not presume that you have to get a job first to do awesome shit. If you “become interesting”, people/money/influence/etc will come to you.
    • Doing awesome shit, having videos of you presenting at cons, releasing tools and code and all of that stuff is WAY WAY WAY MORE VALUABLE to a legitimate security practice than any cert. You are showing the world what you can do WITH EVIDENCE – not because you paid isc2 or whoever 5 grand to “tell the world you’re legit”.

 

This system dies if you don’t feed it. This is the reason that we hear squealings from the government and large corps about “not enough qualified people”- there are organizations that have successfully ‘done all the things’ with compliance and can do it with their eyes shut – but they still get the fuck hacked out of them on a regular basis – and nobody they interview can do the things they need done to protect the place. Here’s why:

Because HR posts bullshit

Bullshit walks through the door, takes the job

Bullshit copy/pastes a vague, worthless policy from the internet into confluence

Auditors come to audit the bullshit, and its found to be ‘not so stinky’

Bullshit is released into the wild, and gets hacked to fuck.

People see that bullshit got hacked, decide they need an expert, and ask HR to post a job listing.

20 GOTO 10.

Rinse and repeat.

They found that they have a problem, and they UTTERLY REFUSE to solve it. They insist on miring themselves into this cycle because it’s what they know, and they refuse to let outside folks in. The military has shit pay and requires clearance, big business requires ivy league education and degrees or roots in a wealthy family/community, large industry requires certifications that are irrelevant – NONE OF THEM put a person down in front of metasploitable and say ‘get me a shell’. NONE OF THEM put people on front of a cisco switch and say ‘put port 12 on vlan 2, and give vlan 2 an ip of 10.10.10.1’.

They all rely on certs to tell them who can do shit and who can’t because, and I shit you not: THEY SIMPLY CANT BE TROUBLED TO DO IT THEMSELVES.

People have heard me say in the past “If you don’t give a fuck about your own security, then nobody will give a fuck for you”. This is the embodiment of that sentiment. These are people who do not give a fuck about security, trying to hire people to give a fuck FOR THEM, hiring the wrong people which perpetuates the problem.

OR, they hire the RIGHT people, but because the system is designed to perpetuate itself and not actually solve any problems, the right people cannot get a foothold into a budget, they cannot hire talented subordinates, they cannot institute change in policy, and therefore they cannot effect any change whatsoever – so they quit. The cycle repeats yet again. It’s like the election cycle for senators, congress people, and the president. They spend the ENTIRETY of their first term doing NOTHING but trying to get re-elected. It’s exactly the same routine. They spend all their time trying to get the same budget, avoid fines, and stave off auditors and NOTHING ELSE.

It’s like that fucking plant from little shop of horrors, Audrey II. Every time a new person gets a CISSP, or a CEH – every time an ex pentester takes a job doing compliance – all I hear in my head is FEED ME SEYMOUR!

The way to fix this is ugly, but it’s the only way I have been able to come up with: Let them fend for themselves.

It sounds shitty, but it’s the truth. If these people refuse to acknowledge that their own refusal to ‘do something different to fix the problem’ is what’s CAUSING the problem and there’s nothing we can do to change their minds – even watch them be publicly burned at the stake like sony or ashley madison. Let them get hacked, let companies implode, let them wither on the vine. It’ll serve as a warning to others of “what happens if you willfully ignore security in favor of compliance”.

Focus your energy on people and companies that DO CARE and you’ll have a truly welcoming experience and grow as a person and in your career. Take the time to find out WHO IT IS YOU’RE WORKING FOR before taking the job. Don’t take the job just for the money (that makes you part of the problem). Research the place you want to go work, they’ll respect you for it, and you’ll have a much MUCH better time for it, while avoiding the shitshow shops I described earlier.

Otherwise you’ll end up just another CISSP/CEH, part of the problem, perpetuating the trapezoid of fuck.

 

BlackHat – a movie review

I’d mentioned on the twitters a while ago that I got asked to do a review for the movie  “BlackHat”. I turned it in and it went into editing, but it came out only having something like a quarter of what I wrote still left in – and since I promised the twitters that they’d get to see me go all George Carlin style, I’m posting the original version of my writeup, before changes were made. I’ll link the edited one if it sees the light of day here as well.


So the reviews are in. Opening day weekend at the box office Blackhat
opened up earning 23 times less in the box office than American Sniper.
I think the movie was a thought experiment. A 70 million dollar one, at
that, but the tl;dr here is that I think they missed the forest for the
trees. The movie felt like a series of social-justice-warrior-esque ‘hat
tips’ and ‘m’ladys’ strung together by a tattered paper towel’s worth of
“movie”. They tried so hard to hat tip and compliment the ‘hackers’ they
forgot they were making a movie that was supposed to have characters, a
plot arc, and any sense of continuity or immersion.

Last week in San Francisco a movie theater was bought out and security
experts from a variety of big-name companies were invited for a sneak
preview. The reviews came in as thought the movie was a smashing success
– though I suspect that would be the case when they were asked while
stood right next to Chris Hemsworth and Miachael Mann who were there for
a meet and greet during the sneak preview.

Let me get right into the meat of things – the stuff the movie got
right. There were something like half a dozen scenes that made me point
at the screen and go “HAH!” in a good way – one of which was literally
EXACTLY the same as one I performed while on a redteam assessment in
2010 for a finance company.

Doing a WHOIS on an IP: Admittedly, a real whois query will give you
something like 3 pages of output, in the movie it gave only the
administrative contact info. Okay – I can see that for the sake of
clarity and making sure the non technical folks in the crowd get it.
Having 3 pages scroll by would be silly. But good on them for actually
using a legitimate tool in a real way.

Looking at a hex dump of a file: Again, legit, except when the camera
zoomed in more the actual dump looked something like this:

;lkjasd;fkljas;dklfj;alsdjf;lkasjdf;kljasd;fkljasdf A sentence in plain
clear english laksd’fka’sdlfjk’asdklf;lkajsdklf;jas;dlfj

Another dump screenshot:

<a bunch of nonprintable chars and little blocks>[ GPG ENCRYPTED MESSAGE ]<more nonprintables, and what the hex dump SHOULD have looked like>

It’s like they used the first hex dump and then thought ‘no that doesn’t
look right’ so they tried it again.

Almost, guys. Almost. Good try though. Sigh.

They mention an “onion router”, I chuckled. That was the only mention of
tor at all, and its surprising they didn’t say “tor”. Only security
experts know what an ‘onion router’ is, but EVERYONE knows tor –
especially because of the news. Kind of bizzare there.

The scene where the pretty asian actress walks into a bank dressed
sharply and says “hey, I spilled coffee on my presentation document, can
you print me out another one?” – I’ve done EXACTLY THAT during a red
team assessment, except it was a resume, not a preso. And she looks way
better in a pencil dress than I do.

Lastly the male cop who was firing a single stack .45 m1911 clone with
godlike accuracy. This and the last one were probably the two most
‘accurate’ scenes in the movie which pertain to hacking. The rest felt
sort of forced, as though you sat the marketing intern down for a
weekend, tried to fill his brain with “hacker stuff”, and then asked him
about it the following Monday and graded his responses. He’d get it
“mostly right” – not enough to be actionable in a security role – not at
ALL – but enough to make the hackers in the room feel like he gave it a
good strong shot, and their efforts in training the guy were worth it.
If he did it 2-3 more times he’d be pretty solid to at least talk like
he had a clue. The rest felt as though the movie was a waiter who had
spilled coffee in my lap, and was so distraught over it that he went
across the parking lot to TJ Maxx, bought $1000 of random clothing, then
came back into the place and while sobbing profusely and apologizing,
crumpled up the clothing and threw it at me from several feet away in an
effort to “fix it”. It was just awkward, and I couldn’t tell if I was
being trolled or not.

And now for the dumb. I hope you’ve got a helmet.

Speaking as a security researcher that has worked for a bit in the field
of ICS and SCADA equipment, I can say flat out that – yes – using
malware (or literally just a straight up python script you can do some
SERIOUS damage to industrial control equipment. Look into pymodbus. It’s
super easy) you can tell the control center one thing and the scada gear
another. It’s not really surprising at all – modbus is a really old,
really simple protocol. Think of it kind of like ARP – you can just spam
whatever to the network and computers just ‘obey’. It’s certainly not
rocket science. All the super technical looking graphics of electricity
flying around and whatever – I have no idea why they bothered keeping
that in. They could have used that time more wisely (I’ll get to that
later). The control displays wouldn’t ‘twitch’ or make noise like they
did in the movie, there would be no clues. For as hard as they tried,
there were still those typical hollywood “bleepy bloopy computer noises”
for every scene.

The idea that a badguy hacker would abuse both the stock market and
industrial control equipment for the sake of stock gains is not a new
idea at all, though it really is giving them quite a lot of credit. The
dependency here is that doing it all from Jakarta would imply that there
is enough stable internet connectivity between all the moving parts to
establish even the loosest plotline involving conducting hackery over
the internet. A reactor in China connected to the internet? Not overtly
surprising. A series of dams in Jakarta, out in the middle of nowhere?
Highly unlikely. I spent a couple years researching ‘random things on
the internet’, and I found thousands of ICS and SCADA devices. The vast
majority of them were things like electrical and air conditioning
controls for office buildings and apartments, as well as many consumer
grade and low enterprise grade solar power collectors. I found four
hydroelectric plants, but they were all in France (bizzare. All in
France. No clue on that.), and literally nothing in Jakarta. It’s
plausable from a hardware standpoint but again it seems like they tried
so hard to be clever it broke the actual movie.

There’s a scene where Hemsworth walks into the destroyed powerplant and
is told the temperature has “gone down to 130” or so and it’s safe
enough to go inside. The scene depicts a server rack that’s been sprayed
with some kind of thick white residue which has dried and begun to
flake. The room is a complete wreck, but somehow the servers are okay?
There are no labels of any kind, and Hemsworth simply picks what appears
to be a random hard drive and removes it for recovery. I’m reminded of
when the datacenter at 1Wilshire in Los Angeles had a power failure
something like ten years ago – it was where Myspace was housing their
equipment. The facility had forgotten to put the A/C on the backup
power, so when the power failed the datacenter literally cooked itself
and parts of the server chassis melted. Millions of dollars worth of
servers were physically destroyed – from their own heat! We’re supposed
to believe that a nuclear power plant produces less heat than the
servers themselves would with no A/C? Insert your finest condescending
wonka jpeg here.

As far as the characters go, they all have the depth of a spoon. I’m
reminded of the Red Letter Media review of the Star Wars movies where
the narrator asks several people to describe characters from the
original Star Wars and the new Star Wars movies, and the volunteers are
unable to describe characters like Quai Gon Gin or Annakin other than
their simple physical appearances – they struggle to produce adjectives
to describe the characters, because they are empty or hollow. This is
what I was talking about in regards to ‘using time wisely’. They did
ZERO character development. There was zero plot development. The only
reason “the sister” is in the movie at all is so that Hemsworth could
have a romantic interest, and so that violence later in the movie could
add some artificial tension. Easy bake plot devices. Safe for ages 3 and up.

And when did Hemsworths character suddenly learn advanced hand to hand
combat? Was it while he was in prison? Was it while he was carding? I
guess I missed the part where the movie turned into a Jason Bourne
spinoff. I know a few hackers that have a few of these kinds of skills,
but it’s because they specifically went to get training for them, or
they had some lengthy military experience and actually saw combat. I
took 18 months of Systema training (it’s what they teach the Spetznaz)
for fun instead of signing up for a gym, and what I saw in the movie was
just as advanced, if not more.

Lastly, the foley. Foley is all the sound post processing work that’s
done on a movie. In many cases the actors have to re-voice themselves in
a studio after shooting so that the audio guys have more to work with.
In this case, it seems like the foley guy gave an ipad to his infant son
and the kid did all the foley for the movie. It was ATROCIOUS. Lips
moving not matching the words being spoken happened at least ten times.
It destroyed the immersion every time. Hemsworth walks into a datacenter
that he’s just crashed a truck into as a diversion, it’s dead quiet, you
can hear the clack clack of the plastic hard drive enclosure he puts it
down on the crash cart, and you can hear his keystrokes. I’m sorry but
NO. Anyone that’s ever walked into a datacenter will easily be able to
call BS on that. Other bits where there’s a lot of shakeycam action
going on and you can hear the audio quality click back and forth from
“the camera for the shot” and “the foley guys studio”, the background
noise randomly comes and goes – it literally broke the movie. You’d be
better off watching the whole thing on mute.

So in closing, Blackhat felt like an awkward, forced, identity crisis of
a movie. If the foley guys weren’t drunk I would have said ‘it’s
amusing, go see it – but not for the plot’. The real linux terminals and
real ssh prompts and mount commands were appreciated, but it felt like
the rest of the movie suffered greatly because of it. I wouldn’t say
it’s so bad you’d want to saw off your own head, but it’s definitely a
forgettable movie that will disappear once all the press it’s been
getting dies down.

An open letter to celebrities

I think the odds of any of the recently compromised celebs actually reading this are practically a billion to one. I’m going to go over things anyway:

 

  • First and foremost – lift a finger to help yourselves. Seriously. If you don’t take your own security seriously, nobody else will. If your password is in lists that already exist (rockyou, etc), you’re gonna have a bad time. Spend 5 minutes to check. Don’t know how? ASK SOMEONE – there are a bajillion people that would stab each other at the opportunity to help
  • Second – Do not presume that corporate entities have your best interests in mind. They do not. They exist to placate shareholders and to “make money”. Apple is a great example. While there are many people who work for apple that strive to better their security posture, at the end of the day apple is a publicly held company and is at the mercy of their shareholders – so if the board of directors says ‘fuck security’, then you’re kind of on your own there. Do not let your fate depend on someone else. Protect yourself from people and companies that “give no fucks” and introduce risks to your personal brand and your reputation. Understand that “shit gets hacked sometimes” and factor that into your decision making process. Ask yourself “what would happen if <this service under scrutiny> got popped? What would happen to me?”
  • Third – If you take naked pictures of yourself, again, lift a finger to help yourself and do not store them in places that other people can get to them. I know that the point here is that they’re being sent to boyfriend/girlfriend/husband/pet groomers/whoever, but if the intention is that “only that person should see it”, then seriously take 5 minutes to give the operational security of that photo some thought. “what would happen if the service I’m using to transmit this photo got popped? could the paparazzi get to it?” etc.

 

This is not rocket science, people – and security professionals say EXACTLY THE SAME THINGS every time there’s some huge hack or leak like this.

The problem is that nobody listens. So if there’s someone out there that knows a better way, I’m all ears.

For now, I’ll start with putting together a talk for the next TedX San Diego – we’ll see if I can even make the roster. Security people complaining to other security people is getting us nowhere.

 

Scanning the whole internet

During DefCon 22, myself @paulm and @erratarob were on a panel where we scanned the internet, live, on stage. This is not the first time we’ve done this together – we did the same thing at Shmoocon 2014 as well.

Previously, @paulm did a ‘internet-wide vnc scan’ at Toorcon in October 2013, and before that I presented at HITB, LayerOne, the previous ToorCon, Defcon 20, and a bunch of other conferences about my findings on shodan. (search youtube for my name, you’ll see)

Between the three of us, we’ve been at this for something like 3 years.

Yesterday (Wednesday, Aug 13th) I did something a little differently. Instead of keeping the results of the scan completely private and only displaying them during a conference talk, I stepped through them all (something on the order of 30,000 images) by hand. It took basically two days. I posted some of the results that I found which made a series of amusing talking points. A wide range of devices were discovered, from a caviar plant, to japanese, italian, latvian and ukranian power stations, to a donut manufacturing plant, to curtains (yes, curtains. you can control curtains over the internet). On the second day (Today, Thursday the 14th) while posting more findings I was confronted by several people on twitter who started deliberately asking pointed questions about the legality of what we were doing. That caused a cascade effect where several other people began asking the same questions over and over again. I found myself in a loop.

I thought it prudent at this point to put it all down in one post, along with all the history, previous videos, and research material in an attempt to make a ‘one stop shop’ answer post for anybody that may have.

  • What you’re doing is illegal

No, actually it isn’t. Yahoo, Google, Microsoft, Websense, EVERY A/V VENDOR IN THE WORLD, and Shodan – they all do similar scans. Some keep those results secret, some sell them, some make them public. Just because we’re not a giant corporate monolith doesn’t change the law. The only actual difference is that they have fleets of corporate lawyers to defend their positions – we’re just three security researchers trying to make a difference. The important part is that we KEEP ACTIVE BLOCK LISTS and we happily add people to the blocklist who do not want to be scanned again. This is part of being a responsible internet neighbor. If someone wants to be left of the list, give me ips/networks to add to the blocklist. It’s as simple as that.

  • Are you logging in to every instance of VNC that you find?

Using that language “logging in” implies that the service actually asks for a login. This couldn’t be further from the truth. Nobody “logged in” anywhere – please be aware that the words you elect to use to describe this kind of research actually matter. These were unpassworded instances of VNC – meaning they never asked for any login whatsoever. You point a VNC client at the IP and bam – you’re looking at some gui. Every instance that asked for a password was dropped – we didn’t try to authenticate ever. That would actually be breaking the law. There were no hacks, no bypasses, no sneaky bullshit – we were completely above board. If it asked for a password we left it alone and moved on.

  • But like, what if you pressed a button?

No human hands ever touched these systems. The scan was completely automated and had no mouse/keyboard input of any kind. The secondary scanner was written in python and is opensourced HERE on github – all it did was grab a screenshot of the vnc instance if it was permitted to connect without a password. Feel free to have a look at the code for yourself – Paul has some other code up that would be useful to look at as well, so please feel free to go up a directory and look at his other repos.

  • Are you notifying people of things you find?

Yes – but the vast majority of the things that we were reporting on were not published to twitter. The REALLY sensitive things that were withheld I couldn’t in good conscience publish to twitter because invariably SOMEONE would fuck with them and then I’d have to answer for publishing it. Also, it’s pretty irresponsible to leak that kind of stuff. I tried to only publish stuff that was amusing and nobody could “easily screw with”, without a bunch of prior knowledge or similar research. Here are some of the things we found, but didn’t post on twitter – this is also the current working list we’re using to notify people:

– A person who works at IBM writing an email

– MANY instances of desktops in a variety of languages working on documents: universities, banks, pharmacies, visible copies of signed checks, tons of PII data. Not for public consumption.

– Control equipment with its public host/ip exposed: you name it. water, power, agricultural, lab equipment.. nothing went on twitter if someone could just immediately hit it.

– and the list goes on – use your imagination. I found curtains for fucks sake, so think good and hard.

 

Additionally, one of the people we’ve been working with is Kashmir Hill, a journalist working at Forbes who focuses on privacy and security – she volunteered to do some of the notifications because “being contacted by a forbes journalist” is probably less jarring than being contacted by “three random hacker assholes who scanned the internet”. We met in person during Defcon over the weekend and had several hours to shoot the breeze and talk about a pretty wide array of topics. We let her view the results herself so she could get a good idea of “the state of security”. I’m fairly certain she’s now got a pretty good idea, from ‘the attackers perspective’, how easy it is to get into stuff. You just have to be willing to scan the entire internet to find all the super low hanging fruit.

I hope this writeup has been informative. If you have any questions, please feel free to comment, and if appropriate or applicable, I will amend the post to include the new info.

 

Intelligence Sport

Recently the Layer One security conference had its annual gathering in Monrovia, California. This year though, I did something different for the con – I elected to not speak, but to participate in contests – I know many very talented folks who go to conferences and essentially avoid the talks to spend time with people they only get to see a couple times a year, and to play in contests designed for this very particular, very clever demographic.

Several years ago, Dark Tangent invented a contest at Defcon called ‘tamper evident’. The intention was to train hackers on how to defeat security seals of various types ranging from stickers, to clasps, to ziptie-like things and all sorts of bizarre stuff in between. The contest essentially was a box that that teams were given, and the box was sealed with anti-tamper tape or stickers, and inside the box there were more envelopes and seals that the team had to ‘undo and redo’ without any evidence of shenanigans (http://s3.roosterteeth.com/images/Cless4354447044055.jpg). This particular form of contest never really got me excited – because – well … it’s a box. And you had to come up with like, a $5000 chemistry set to tote with you, and the teams got so enamored with it that they’d rent ANOTHER ROOM and set that second room up as a fucking lab to do the contest. Well more power to those guys, but that sort of investment to defeat a bunch of stickers was silly to me.

… Until this year. This year the logic to the contest was applied practically (or as I said it at con, this is “the practical application of tamper”). The organizers of the contest rented a room at the hotel, and renamed the contest to ‘The Room’. In the room they had placed a few items with tamper-evident seals, as well as meticulously positioned things within the room to leak if they had been touched or altered in any way. Things like positioning coat hangers a certain way, moving books around, or cutting sections out of book pages to leave items inside. False light bulbs, coins hidden in various places, rugs and towels carefully arranged.. They really took the time to turn what used to be ‘a contest about a box’ into a full blown spy game.

The thing that made this contest DISTINCTLY different were the theatrics. The point of The Room wasn’t just to ‘get in and defeat seals’ (we were worried that once we got in the room it would just be a box on a table and a stopwatch and they’d say ‘GO!’), it was the concept of tamper in practice – this was a room that someone was staying in, and our mission was to ‘find out as much as we possibly could about them’. Clues, props, receipts, the position of things, hidden documents – it was straight up out of a bond/bourne movie. We were graded not only on the physical tamper items, but we were graded on how well we understood the plot/narrative. Since this was a mock ‘intelligence operation’, the objective was more than just ‘defeating stuff’ – and that made it SUPER SUPER interesting.

We arrived to the con a day early knowing that we would need some time for prep – and we ended up hitting home depot, REI and another store to buy a bunch of kit. Hilariously, the only kit I personally used was my flashlight (a headlamp would have been better), and my camera. My teammate and I brought full kits with us and used practically nothing. He used a heat gun and a bit of acetone and tweezers for a couple tamper seals, but overall the “actual tamper” part was only a small component of the other physical stuff in the room.

The theatrics really were top notch. At the start of the contest we were given envelopes. They instructed us to find a man with a suitcase handcuffed to him, and to ask him about ‘the cobbler’. Once we did that, he asked us who we were looking for, and we gave the name that was on our envelope. At that point we were handed a burner phone and told to expect a call. The call came in and instructed us to go to a certain floor to meet someone – and when we did we were given a room key and told “You have 30 minutes, tell me everything you can about the person staying in the room”.

At the end of the day, after all of the teams had made their runs, we were gathered up to do a walkthrough of the room so the organizers could show us all the things they did, and where they were hidden. At the end of the walkthrough, Schuyler says ‘And props to whoever planted the buttplug, that was hilarious and amazing’. The room went dead silent and everyone looked around at eachother. One team spoke up saying ‘we found the thing – we thought it was part of the contest. It wasn’t part of the contest?’. Schuylers eyes get the size of dinner plates ‘Wait.. so NOBODY HERE planted the buttplug in the room?’ – a volley of head-shaking and looking around at everyone else in the room followed.  .. then roaring laughter.

“Do you mean to tell us that out of EVERY POSSIBLE ROOM that the contest could have happened in, we HAPPENED to find the one where some previous guest had left a buttplug hidden behind a drawer, then forgot it when they left?”

This contest is bound by the rules of reality – in that without great involvement, “every aspect” of the environment simply cannot be controlled – we were at the mercy of the hotel for the room, and we were randomly issued one with a secret buttplug.

“Fate, it seems, it not without it’s sense of irony” –Morpheus

I spent the rest of the weekend laughing and shouting ‘what are the odds?!’.

Everyone who played thoroughly enjoyed themselves, and supported the idea of doing it again. Hilariously now the “buttplug incident” has set a precedent to stash sex toys after your room-toss for the next team to find.

Overall the contest was wonderful, completely immersive and a great time. If you dig on spy movies and ever had the inclination to play in that world for a little bit, this contest is your chance. I really hope to either see it at other cons, or again at Layer One next year.

On connecting stuff to the internets..

So  my last blogpost was nearly a year ago.

That’s … kinda bad. I should probably post more often.
Originally I had thought that posting ranty, angry posts was bad form and that instead of just yelling and flinging my arms about on a blog, I should find other ways of getting messages across.

Boy was I wrong 😀

Since my last post, I’ve been interviewed by the BBC, the ABC, CNN Money, F5’s DevCentral, asked to write articles for several small publications, and asked to speak at half a dozen conferences because of my findings on shodan. Seriously – after giving essentially the same talk something like 3 times (but adding more meat every time) I had figured that people would get bored of me and shodan. Oops. I was wrong there too. Also, I keep finding shit. Last bit of laugh-then-cry hilarity was finding a pack of GE_CENTRICITY hits. It was an eyebrow raiser for me too.

What’s GE Centricity? its THIS, found like THIS (also, I think this tarnishes the character of agent smith – he was a pretty epic bad guy, and now he’s doing “commercials for good”? Sad.)

I don’t mention this because I think it makes me special or whatnot – I mention it because it’s all a MASSIVE SURPRISE TO ME. Personally I don’t think these findings should be getting this kind of media attention – and I’ve openly scolded two reporters who used my findings to write ‘you should be scared’ articles.

Journalists: If you’re telling your audience that they should be afraid, it makes you a shitty journalist. You should be helping me(read: us, as in the security community) make it a big deal to the people that make these devices that what they’re doing is hurting the safety and privacy of people who buy their stuff – not telling the victims that they should be afraid. Shame on you.

I am not performing crazy reverse engineering, I’m not inventing epic hacks, I haven’t circumvented any impressive security controls (I found some fairly-bonehead level vulns on a bunch of cameras, but that’s about it).. all I’m doing is literally pointing out things that are connected to the internet. Albeit, I did write a bunch of scripts to automate this discovery process..

 

Inception-Squint

 

 

 

 

 

 

 

 

What? Are you saying there’s stuff online that people don’t know about.. .that’s hugely vulnerable? Or that orgs are allowing these massive security failures to go on unchecked?

Yes, actually, that’s exactly what I’m saying. People don’t care unless you hurt their image. They seemingly don’t care even if you hurt their pocketbook substantially. So long as their reputation goes unharmed, literally no fucks are given.

 

Step one is admitting you have a problem – and as a security community if we allow businesses and colleagues to keep doing this stuff, it means what we do is just a dog and pony show – and it makes us all look bad.

That’s all for now – let’s just focus on step one for a while – we have to find a way to make these vendors give fucks.

Finding out how is going to be the challenge.

 

 

BsidesLA Slides/Code

So I whipped a talk recently to give at BSidesLA about how to stack tools voltron-style together and get some pretty gnarly successes. Here are some light talking points to give you an idea of what the subject matter was, but I should let the slides do most of the talking for me (though they may be slightly vague without the video, which isn’t up at the time of this writing.)

  • Use shodan to find things online (ec2, one-off sites, etc) not brought to the attention of IT or InfoSec before going live
  • Enumerate attack surface without actually performing active scans (many shops forbid infosec guys to scan their own environment. Crazy, right? I know!)
  • Use shodan for red teaming (enumerating attack surface quietly, finding “hidden stuff”, all without actually actively scanning)
  • Bolt on the python api, pipe out results, do crazy things
    • Screenshot 50,000 webpages using a threaded script
    • Check for HTTP 200 OK return codes for direct object access vulns
    • Pipe output of Shodan directly into metasploit via an RC script
      • Leverage metasploits powerful auxiliary scanner tools to do enumeration
      • Launch very targeted attacks on huge attack surface with NO PORT SCANS 🙂
    • whatever else you can think up python can do for you! 😀

 

Screenshotter script: PYTHON!

RC Script generator: PYTHON MOAR!

Slides: PDF!

 

LayerOne 2012 | Drinking from the caffeine firehose we know as shodan

Video of my presentation:

(edit: the videos audio doesnt start until 18 seconds in. I’ve edited it, and the video is updating on youtube. This is temporary, please bear with me)


Slide Deck: long-tail-of-the-internet.pdf

Script: shodan-turk.py

So, you pillaged a domain controllers hashes…

So you’ve managed to find your way to a domain controller, perhaps used metasploits meterpreter, perhaps got system, migrated to lsass.exe and perhaps were able to use incognito to smart_hashdump and nab all the password hashes.  Well, you can hand those off to john the ripper and it will happily crack the LM portion of what you’ve got – but you’ll end up with a bunch of uppercase passwords.

Enter lm2ntcrack.pl – a dandy little perl script that will take the uppercase password and use it as a dictionary to crack the NTLM password for you. Only trouble is that since it was written, the awesome guys  at openwall who develop john the ripper have changed the output format of cracked password files. The lm2ntcrack input format was written for a ~2009 version of JtR, so to get it properly working someone had to go and make a tiny tweak in the script where it analyzes the syntax/order of the input file.

So I did it! First time, actually, that I’ve done something like this. And it appears to work! – at least it works on the ntlm hashes I have from a demo network.

 

Anyhow, here’s my updated copy of the script – lm2ntcrack-viss.pl

 

Save that as a .pl file (it’s a .txt so it doesn’t get run on the site).

Feedback welcome!