tag:blogger.com,1999:blog-92228239416539712242024-03-11T00:39:48.622-07:00Technicalinfo.net BlogGunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.comBlogger220125tag:blogger.com,1999:blog-9222823941653971224.post-63619942745043421382019-01-09T09:28:00.000-08:002019-01-09T09:34:08.183-08:00Hacker History III: Professional Hardware Hacker<i>Following on from my <a href="http://technicalinfodotnet.blogspot.com/2019/01/hacker-history-i-getting-started-as.html" target="_blank">C64 hacking </a>days, but in parallel to my <a href="http://technicalinfodotnet.blogspot.com/2019/01/hacker-history-ii-bbs-years.html" target="_blank">BBS Hacking</a>, this final part looks at my early hardware hacking and creation of a new class of meteorological research radar...</i><br />
<br />
Ever since that first C64 and through the x86 years, I’d
been hacking away – mostly software; initially bypassing copy-protection, then
game cracks and cheats, followed by security bypasses and basic exploit
development.<br />
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Before bug bounty programs were invented in the 2010’s, as
early as 1998 I used to say the best way to learn and practice hacking skills
was to target porn sites. The “theory” being that they were constantly under
attack, tended to have the best security (yes, even better than the banks) and,
if you were ever caught, the probability of ever appearing in court and having
to defend your actions in front of a jury was never going to happen - and the folks that ran and built the sites would be the first to tell you that.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In the mid-to-late 1980’s, following France’s 1985 bombing
and sinking of the <span class="MsoHyperlink"><a href="https://www.greenpeace.org/new-zealand/about/our-history/bombing-of-the-rainbow-warrior/">Rainbow
Warrior</a></span> in New Zealand, if you wanted to learn to hack and not worry
about repercussions – any system related to the French Government was within
scope. It was in that period that war-dialing and exploit development really
took off and, in my opinion, the professional hacker was born – at least in New
Zealand it was. Through 1989-1991 I had the opportunity to apply those acquired skills
in meaningful ways – but those tales are best not ever written down.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Digital Radar<o:p></o:p></b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><br /></b></div>
<div class="MsoNormal">
Easily the most fun hardware hacking I’ve ever done or been
involved with ended up being the basis for my post-graduate research and
thesis. My mixed hardware hacking and industrial control experience set me up
for an extraordinary project as part of my post graduate research and eventual Masters in Atmospheric Physics.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I was extremely lucky:</div>
<div class="MsoNormal">
</div>
<ol>
<li>The first Mhz digitizer cards were only just hitting the market</li>
<li><span style="text-indent: -0.25in;">PC buses finally had enough speed to handle Mhz
digitizer cards</span></li>
<li><span style="text-indent: -0.25in;">Mass storage devices (i.e. hard drives) were
finally reaching an affordable capacity/price</span></li>
<li><span style="text-indent: -0.25in;">My supervisor was the Dean of Physics and had
oversight of all departments “unused budgets”</span></li>
<li><span style="text-indent: -0.25in;">Digital radar had yet to be built</span></li>
</ol>
<br />
<div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<o:p></o:p></div>
<div class="MsoNormal">
My initial mission was to build the world’s first digital
high-resolution vertically pointing radar and to use it to prove or disprove the
“<a href="http://glossary.ametsoc.org/wiki/Seeder-feeder">Seeder-feeder mechanism
of orographic rainfall</a>”. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Taking a commercial analogue X-band marine radar and converting
the 25 kilo-watt radar with a range of 50 miles and a resolution measured in
tens-of meters, to a digital radar with an over-sampled resolution of 3.25 cm
out to a range of 10km was the start of the challenge – but successfully
delivered nevertheless. That first radar was mounted on the back of a 4x4
Toyota truck – which was great at getting to places no radar had been before.
Pointing straight up was interesting – and served its purpose of capturing the
Seeder-feeder mechanism in operation – but there was room for improvement.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Back at the (family) factory, flicking through pages of operation
specification tables for electric motors (remember – pre-Internet/pre-Google) and
harnessing the power of MS-DOS based AutoCAD, I spec'ed out and designed a mounting mechanism
for making the radar scan the sky like a traditional meteorological radar – but
one that could operate in winds of 80 mph winds, at high altitude, in the rain.
Taking a leaf out of my father’s design book – it was massively over engineered ;-)<o:p></o:p><br />
<br /></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_wkiCxR2QToERQEoHW7dBcQmHxwIzCignsAEYEDtGyR3C3-u59qf2-2YOIQSF0Wz0emv0gAO76SQ47eiGZRxfV9W-d1vCbSFJ2MNAEriTaIRj1-nhHnQtzCca7zvr1lG-nL9-ljEvY54h/s1600/RadarCaravan.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="652" data-original-width="913" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_wkiCxR2QToERQEoHW7dBcQmHxwIzCignsAEYEDtGyR3C3-u59qf2-2YOIQSF0Wz0emv0gAO76SQ47eiGZRxfV9W-d1vCbSFJ2MNAEriTaIRj1-nhHnQtzCca7zvr1lG-nL9-ljEvY54h/s400/RadarCaravan.JPG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: xx-small;">Home for many months - the mobile high resolution radar + attached caravan. Circa 1994.</span></div>
<br /></div>
<div class="MsoNormal">
This second radar was mounted to an old tow-able camper-van.
It was funny because, while the radar would survive 80+ mph winds, a gust of
50+ mph would have simply blown over the camper-van (and probably down the side of a hill or over a cliff). Anyhow, that arrangement
(and the hacks it took to get working) resulted in a few interesting scientific
advances:</div>
<div class="MsoNormal">
</div>
<ul>
<li><b style="text-indent: -0.25in;">Tracking
bumblebees</b><span style="text-indent: -0.25in;">. Back in 1994, while GPS was a thing, it didn’t have very good
coverage in the southern hemisphere and, due to US military control, it’s
positioning resolution was very poor (due to <a href="https://www.gps.gov/systems/gps/modernization/sa/" target="_blank">Selective Availability</a>). So, in order to work out a precise longitude
and latitude of the radar system, it was back to ancient ways and tracking the
sun. I had code that ran the radar in passive mode, scanned horizontally and
vertically until it found that big microwave in the sky, and tracked its
movements – and from there determine the radar’s physical location. (</span>Un)fortunately, through a mistake in my programming and leaving the radar
emitting it's 25kW load, I found it could sometimes lock-on and track bright blips near
ground-level. Through some investigation and poor coding, I’d managed to build
a radar tracking system for bumblebees (since bumblebees were proportional to
the wavelength and over-sampled bin size – they were highly reflective and
dominated the sun).</li>
<li><b style="text-indent: -0.25in;">Weather inside
valleys</b><span style="text-indent: -0.25in;">. The portability of the camper-van and the high resolution of the
radar also meant that for the first time ever it was possible to monitor and scientifically
measure the weather phenomenon within complex mountain valley systems. Old
long-range radar, with resolutions measured in thousands of cubic meters per
pixel, had only observed weather events above the mountains. Now it was
possible to digitally observe weather events below that, inside valleys and
between mountains, at bumblebee resolution.</span></li>
<li><b style="text-indent: -0.25in;">Digital contrails</b><span style="text-indent: -0.25in;">.
Another side-effect of the high resolution digital radar was its ability to
measure water density of clouds even on sunny days. Sometimes those clouds were
condensation trails from aircraft. So, with a little code modification, it became
possible to identify contrails and follow their trails back to their root source
in the sky – often a highly reflective aircraft – opening up new research paths
into tracking stealth aircraft and cruise missiles.</span></li>
</ul>
It was a fascinating scientific and hacking experience. If
you’ve ever stood in a doorway during a heavy rainfall event and watched a
curtain of heavier rainfall weave its way slowly down the road and wondered at
the physics and meteorology behind it, here was a system that digitally captured
that event from a few meters above the ground, past the clouds, through the
melting layer, and up to 10 km in the air – and helped reset and calibrate the mathematical
models still used today for weather forecasting and global climate modeling.<br />
<br />
By the end of 1994 it was time to wrap up my thesis, leave New Zealand, head off on my <a href="https://en.wikipedia.org/wiki/Overseas_experience" target="_blank">Great OE</a>, and look for full-time employment in some kind of professional capacity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFtTaGaxndTO_mpO0KqQYuaD29fa1vkJcqbNQ8Tu8C_vs6-Ue5JDgObU_kP3kEOo1Hu0r93HBZmocxZ8NW1UKHf2cMF0H1FG8PT5kNGSFYf9NEGE115_goSAQpDdziP5bR1jjZ73CUiGeT/s1600/1519358504722.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="251" data-original-width="333" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFtTaGaxndTO_mpO0KqQYuaD29fa1vkJcqbNQ8Tu8C_vs6-Ue5JDgObU_kP3kEOo1Hu0r93HBZmocxZ8NW1UKHf2cMF0H1FG8PT5kNGSFYf9NEGE115_goSAQpDdziP5bR1jjZ73CUiGeT/s400/1519358504722.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.physics.auckland.ac.nz/en/about/our-research.html" target="_blank"><span style="font-size: xx-small;">A (much) later version of the High Resolution X-Band Radar.</span></a></div>
<br />
When I look back at what led me to a career in Information Security, the 1980's hacking of protected C64 games, the pre-Internet evolution of BBS and it's culture of build collaboration, and the hardware hacking and construction of a technology that was game changing (for it's day) - they're the three things (and time periods) that remind me of how I grew the skills and developed the experience to tackle any number of subsequent Internet security problems - i.e. hack my way through them. I think of it as a unique mix. When I meet other hackers who's passions likewise began in the 1980's or early 1990's, it's clear that everyone has their own equally exciting and unique journey - which makes it all the more interesting.<br />
<br />
I hope the tale of my journey inspires you to tell your own story and, for those much newer to the scene, proves that us older hands probably didn't really have a plan on how we got to where we are either :-)<br />
<br />
This is PART THREE of THREE.<br />
<br />
<a href="http://technicalinfodotnet.blogspot.com/2019/01/hacker-history-i-getting-started-as.html" target="_blank">PART ONE (C64 Hacking)</a> and <a href="http://technicalinfodotnet.blogspot.com/2019/01/hacker-history-ii-bbs-years.html" target="_blank">PART TWO (BBS Hacking)</a> are available to read too.<br />
<br />
--Gunter<br />
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<br />Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-46120004749021524932019-01-08T09:43:00.001-08:002019-01-08T09:43:14.653-08:00Hacker History II: The BBS Years<i>Post-C64 Hacking (in <a href="http://technicalinfodotnet.blogspot.com/2019/01/hacker-history-i-getting-started-as.html" target="_blank">Part 1 of Hacker History</a>)... now on to Part 2: The BBS Years</i><br />
<br />
Late 1986 (a few months before I started my first
non-newspaper delivery and non-family-business job – working at a local
supermarket) I launched my first bulletin board system (BBS). I can’t remember the software
that I was running at the time, but it had a single 14k dial-up facility running on all the
extra C64 equipment I’d been “gifted” by friends wanting faster/always access
too my latest cheats and hacks.<br />
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The premise behind the BBS was two-fold: I wanted to learn
something new (and hacking together a workable and reliable BBS system in the
mid-80’s was a difficult enough challenge), and I saw it as a saving time
distribution channel for my cheats/hacks; others could dial-in and download
themselves, instead of me messing around with stacks of floppy discs etc. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
At some point in 1986 I’d also saved enough money to by an <span class="MsoHyperlink"><a href="http://www.old-computers.com/museum/computer.asp?c=185">IBM PC AT</a></span>
clone – a whopping 12Mhz 80286 PC, complete with Turbo button and a 10Mb hard drive.
I remember specking out the PC with the manufacturer. They were stunned that a kid could afford their own PC AT and that he planned to keep it in his bedroom, and that he
wanted an astounding 16k of video memory (“what do you need that for? Advanced
ACAD?”)!<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
By 1989 the BBS had grown fairly large with a couple hundred
regular members with several paying monthly subscription fees, but the stack of
C64’s powering the BBS were showing their age and, in the meantime my main
computing had moved down the PC path from 286, to 386, and to a brand-spanking
new <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Intel_80486">486</a></span>.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It was time to move on from C64 and go full-PC – both with
the BBS and the hacks/cheats I was writing.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
So in 1990, over the Summer/Christmas break from University
I set about shifting the BBS over to a (single) PC – running <span class="MsoHyperlink"><a href="https://en.m.wikipedia.org/wiki/RemoteAccess">Remote
Access</a></span>, with multiple dial-in lines (14.4k for regular users and 28.8k
for subscribers).<o:p></o:p><br />
<br /></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIq6lhCvs3Pzy4nOrUChya0jKBEVfDBT8z-Sq40rWYZVb30tr_e93-chM0me9eB9IJajthQ1wi2yYailK-HCI2sFt0WH3Caju_RcaqXVNE6KdwR1kU7mehKbuzCGi3zKpRbtTFdoWQ6pQk/s1600/RAConfig.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="679" data-original-width="1098" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIq6lhCvs3Pzy4nOrUChya0jKBEVfDBT8z-Sq40rWYZVb30tr_e93-chM0me9eB9IJajthQ1wi2yYailK-HCI2sFt0WH3Caju_RcaqXVNE6KdwR1kU7mehKbuzCGi3zKpRbtTFdoWQ6pQk/s400/RAConfig.jpg" width="400" /></a></div>
<br /></div>
<div class="MsoNormal">
The dropping of C64 and move to fully-fledged x86 PC
resulted in a few memorable times for me:<o:p></o:p></div>
<div class="MsoNormal">
</div>
<ul>
<li><b style="text-indent: -0.25in;">BBS’s are
like pets.</b><span style="text-indent: -0.25in;"> Owning and operating a BBS is a lot like looking after an
oversized pet that eats everything in its path and has destructive leanings; they’re
expensive and something is always going wrong. From the mid-80’s to mid-90’s
(pre-“Internet”) having a BBS go down would be maddening to all subscribers.
Those subscribers would be great friends when things were running, or act like ungrateful
modern-day teenagers being denied “screen-time” if they couldn’t dial-in for
more than a couple of days. Keeping a BBS running meant constant tinkering
under the covers – learning the intricacies of PC hardware architecture, x86
assembly, live patching, memory management, downtime management,
backup/recovery, and “customer management”. The heady “good-old days” of PC
development.</span></li>
<li><b style="text-indent: -0.25in;">International
Connectivity. </b><span style="text-indent: -0.25in;">With me in University and too-often referred to as the
“student that knows more about computers than the campus IT team”, in 1991 I
added </span><span class="MsoHyperlink" style="text-indent: -0.25in;"><a href="https://en.wikipedia.org/wiki/FidoNet">Fidonet</a></span><span style="text-indent: -0.25in;">
and </span><span class="MsoHyperlink" style="text-indent: -0.25in;"><a href="https://en.wikipedia.org/wiki/Usenet">Usenet</a></span><span style="text-indent: -0.25in;">
support to my BBS. There had been a few BBS’s in New Zealand before mine to
offer these newsgroups, but they were very limited (i.e. a small number of
groups) because they were reliant upon US dial-up for
synching (which was damned expensive!). My solution was to use a spare modem in the pack of a University lab
PC to connect semi-permanently to my BBS. From there my BBS used the
Universities “Internet” undersea cable connectivity to download and synch all
the newsgroups. Technically I guess you could call it my first “backdoor”
hacking experience – which ended circa 1993 after being told to stop as (by
some accounts) the BBS was peak consuming 1/3 of the entire countries academic
bandwidth.</span></li>
<li><b style="text-indent: -0.25in;">First
Security Disclosure</b><span style="text-indent: -0.25in;">. Setting up Remote Access (RA) was an ordeal. It was
only a week later – Christmas Eve 1990 – that I publicly disclosed my first
security vulnerability (with a self-developed patch); an authentication bypass to the system
that controlled what games or zones a subscriber could access. I can’t remember
how many bugs and vulnerabilities I found in RA, </span><span class="MsoHyperlink" style="text-indent: -0.25in;"><a href="https://en.wikipedia.org/wiki/QEMM">QEMM</a></span><span style="text-indent: -0.25in;">, MS-DOS, modem
drivers, memory managers, and the games that ran on RA over those years. Most
required some kind of assembly instruction patch to fix.</span></li>
<li><b style="text-indent: -0.25in;">Mailman and Sysop</b><span style="text-indent: -0.25in;">. Ever since those first BBS days in 1986, I’d felt that email
(or Email, or E-Mail) would be the future for communications. The tools and
skills needing for managing a reliable person-to-person or person-to-group
communication system had to be built and learned – as too did the management of
trust and the application of security. Some BBS operators loved being Sysops
(System Operators – i.e. Admins) because they could indulge their voyeurism tendencies.
I hated BBS’s and Sysops that operated that way and it became an early mission of
mine to figure out ways of better protecting subscriber messages.</span></li>
</ul>
<br />
<div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<o:p></o:p></div>
<div class="MsoNormal">
That fumbling about and experimenting with PC hardware,
MS-DOS, and Windows at home and with the Bulletin Board System, coupled with learning
new systems at University such as <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/DEC_Alpha">DEC Alpha</a></span>, <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/OpenVMS">OpenVMS</a></span>,
<span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Cray_Operating_System">Cray OS</a></span>,
and <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/HP-UX">HP-UX</a></span>
in the course of my studies, and the things I had to piece-together and program
at my parents factories (e.g. <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Programmable_logic_controller">PLC’s</a></span>,
<span style="mso-spacerun: yes;"> </span><span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Industrial_control_system">ICS’s</a></span>,
<span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Remote_terminal_unit">RTU’s</a></span>, etc.)
all combined to add to a unique perspective on operating systems and hardware hacking.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
By the time I’d finished and submitted my post-grad research
thesis, it was time to tear down the BBS, sell all my computers and
peripherals, and leave New Zealand for my <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Overseas_experience">Great OE</a></span>
(Overseas Experience) at the end of 1994.<o:p></o:p><br />
<br />
This is PART TWO of THREE.<br />
<br />
<a href="http://technicalinfodotnet.blogspot.com/2019/01/hacker-history-i-getting-started-as.html" target="_blank">PART ONE (C64 Hacking)</a> was posted yesterday and PART THREE (Radar Hacking) will be on Wednesday.</div>
<br />Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com1tag:blogger.com,1999:blog-9222823941653971224.post-63214137340117379302019-01-07T10:01:00.001-08:002019-01-08T09:56:57.061-08:00Hacker History I: Getting Started as a HackerCuriosity is a wonderful thing; and the key ingredient to
making a hacker. All the best hackers I know are not only deeply curious creatures
but have a driving desire to share the knowledge they uncover. That curiosity
and sharing underpins much of the hacker culture today – and is pretty core to
people like me and those I trust the most.<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Today I continue to get a kick out of mentoring other
hackers, (crossed-fingers) upcoming InfoSec stars and, in a slightly different
format, providing “virtual CISO” support to a handful of professionals (through my <a href="https://www.ablativesecurity.com/" target="_blank">Ablative Security</a> company) that
have been thrown headfirst into protecting large enterprise or local government
networks.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
One of the first questions I get asked as I’m mentoring,
virtual CISO’ing, or grabbing beers with a new batch of hacker friends at some
conference or other is “how did you get started in computers and hacking?”. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Where did it all start?<o:p></o:p></b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><br /></b></div>
<div class="MsoNormal">
The early days of home computing were a mixed bag for me in
New Zealand. Before ever having my own computer, a bunch of friends and I would
ditch our BMX’s daily in the front yard of any friend that had a <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Commodore_VIC-20">Commodore
VIC20</a></span> or <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Amstrad">Amstrad CPC</a></span>, throw a
tape in the tape reader, and within 15 minutes be engrossed in a game –
battling each other for the highest score. School days were often dominated by
room full of <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/BBC_Micro">BBC Micros</a></span> – where
one of the most memorable early programs I wrote was to use a sensitive
microphone to capture the sounds of bugs eating. I can still remember plotting
the dying scream of a stick insect as it succumbed to science!<o:p></o:p><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2cQ7L3fzl95TBUJNvcWADsrz0P78eVyMXCCSntByXbKwTTSWnt1wMbOlT-2zPmj2KrThYkPL_ozCMdsux3U0UvMpI1EnARRSqMgtaYjTfQbw7v1n1l6vQkMtauxOtgKnnSQ_eGhr5hor4/s1600/commodore-64-1541-disk-drive.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="487" data-original-width="1039" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2cQ7L3fzl95TBUJNvcWADsrz0P78eVyMXCCSntByXbKwTTSWnt1wMbOlT-2zPmj2KrThYkPL_ozCMdsux3U0UvMpI1EnARRSqMgtaYjTfQbw7v1n1l6vQkMtauxOtgKnnSQ_eGhr5hor4/s400/commodore-64-1541-disk-drive.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "times" , "times new roman" , serif; font-size: xx-small;">Image via: <a href="https://www.worthpoint.com/worthopedia/commodore-64-1541-disk-drive-1817649026" target="_blank">WorthPoint</a></span></div>
<br /></div>
<div class="MsoNormal">
I remember well the first computer I actually owned – a
brand-spanking new <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/SV-328">SpectraVideo SV-328</a></span> (complete
with cassette tape reader) that Santa delivered for Christmas in 1983. I
thought it was great, but quickly tired of it because there weren’t many games
and all my friends were getting <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Commodore_VIC-20">Commodore VIC-20</a></span>
or <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Commodore_64">Commodore
64</a></span> microcomputers – which had oh so many more games. So, come late
1984, I flogged my SpectraVideo and brought (second-hand) my first Commodore 64
(C64).</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I can safely say that it was the C64 that lit my inner
hacker spark. First off, the C64 had both a tape (then later diskette) capability
and a games cartridge port. Secondly, New Zealand is a LONG way from where all
the new games were being written and distributed from. Thirdly, as a (pre)teen,
a single cartridge game represented 3+ months of pocket money and daily newspaper
deliveries.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
These three constraints resulted in the following:<o:p></o:p></div>
<div class="MsoNormal">
</div>
<ul>
<li><b style="text-indent: -0.25in;">My first
hardware hack.</b><span style="text-indent: -0.25in;"> It was possible to solder a few wires and short-circuit the
memory flushing and reboot process of the C64 via the games cartridge mechanism
to construct a “reset” button. This meant that you could insert the game
cartridge, load the game, hold-down your cobbled together reset button, remove
the games cartridge, and use some C64 assembly language to manipulate the game
(still in memory). From there you could add your own boot loader, save to tape
or floppy, and create a back-up copy of the game.</span></li>
<li><b style="text-indent: -0.25in;">“Back-up
Copies” and Community.</b><span style="text-indent: -0.25in;"> C64 games, while plentiful, were damned expensive
and took a long time to get to New Zealand. So a bunch of friends all with C64’s
would pool our money every few weeks to buy the latest game from the UK or US; thereafter
creating “back-ups” for each-other to hold on to – just in case the costly original
ever broke. Obviously, those back-up copies needed to be regularly tested for
integrity.</span><span style="text-indent: -0.25in;"> </span><span style="text-indent: -0.25in;">Anyhow, that was the basis of
South Auckland’s community of C64 Hackers back in 1983-1985. A bunch of 10-14
year-olds sharing the latest C64 games.</span></li>
<li><b style="text-indent: -0.25in;">Copy-protection
Bypassing.</b><span style="text-indent: -0.25in;"> Unsurprisingly, our bunch of kiwi hackers weren’t the first or
only people to create unauthorized back-ups of games. As floppies replaced
tapes and physical cassettes as the preferred media for C64 games, the software
vendors started their never-ending quest of adding copy-protection to protect
unauthorized copying and back-ups. </span>For me, this was when hacking become a passion. Here were companies of dozens,
if not hundreds, of professional software developers trying to prevent us from backing-up the programs we had purchased. For years we learned,
developed, and shared techniques to bypass the protections; creating new tools
for backing-up, outright removal of onerous copy-protection, and shrinking
bloated games to fit on single floppies.</li>
<li><b style="text-indent: -0.25in;">Games
Hacking.</b><span style="text-indent: -0.25in;"> At some point, you literally have too many games and the thrill of
the chase changes. Instead of looking forward to playing the latest game for
dozens of hours or days and iteratively working through campaigns, I found myself
turning to hacking the games themselves. The challenge became partially reversing
each game, constructing new cheats and bypasses, and wrapping them up in a cool
loader for a backed-up copy of the game. Here you could gain infinite lives,
ammo, gold, or whatever, and quickly step through the game – seeing all it had
to offer and doing so within an hour.</span></li>
<li><b style="text-indent: -0.25in;">Hacking
for Profit.</b><span style="text-indent: -0.25in;"> Once some degree of reputation for bypassing copy-protection
and creating reliable cheater apps got around, I found that my base of
“friends” grew, and monetary transactions started to become more common. Like-minded souls wanted to buy hacks and tools to back-up their latest game,
and others wanted to bypass difficult game levels or creatures. So, for $5-10
I’d sell the latest cheat I had.</span></li>
</ul>
<div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<o:p></o:p></div>
<div class="MsoNormal">
At some point in 1986 I recognized that I had a bunch of C64
equipment – multiple floppy drives, a few modems, even a new <span class="MsoHyperlink"><a href="https://en.wikipedia.org/wiki/Commodore_64#Commodore_64C">Commodore 64C</a></span>
– and more than enough to start a BBS.<o:p></o:p><br />
<br />
<i>This is PART ONE of THREE. </i><br />
<i><br /></i>
<i><a href="http://technicalinfodotnet.blogspot.com/2019/01/hacker-history-ii-bbs-years.html" target="_blank">PART TWO (BBS Hacking)</a> is up and PART THREE (Radar Hacking) on Wednesday.</i></div>
<br />Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com2tag:blogger.com,1999:blog-9222823941653971224.post-66281183190156463992018-12-04T17:02:00.000-08:002018-12-04T17:02:45.636-08:00Ubiquitous Video Surveillance and the Policing Paradigm Change it BringsPolicing in the 21st Century is obviously changing rapidly. New technological advances are fundamentally changing the way in which police forces and related government entities can track, locate, and collect evidence.<br />
<br />
Two game changing technologies - working together - perhaps underpin the greatest tool for policing the world over. The combination of high-resolution digital video capture and facial recognition. Both sit at the crux of future policing and bring new societal change.<br />
<br />
<b>Projecting forward, what could the next decade or two hold? </b><br />
<br />
It's easy to get in to the realm of Science Fiction and dystopian futures, but when I consider some of the social impact (and "opportunities") such technologies can bring, it naturally feels like the premise for several short stories.<br />
<br />
<b><i>One: Peaking Under Facial Obfuscation</i></b><br />
As I watch news of the "Yellow Vest" riots in Paris, it is inevitable that high-resolution digital video capture of protesters - combined with facial recognition - will mean that many group protest actions will become individually attributable. While the face of the perpetrator may not initially be tied to an identity, a portfolio of digital captures can be compiled and (at some future date) associated with the named individual.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwo0sSDz3quDhsU-k5C0XUpkBIBrS3q5rd3PBaOFA3DlBqGHeftSDL_yJXvjNfsmIURiB_THV7t3MRsrqwseOHe0AXlt-gt9ijTDKpzS5g2SIwUC1sFXlQao3QgjIEwawfTNKRoon_OYss/s1600/maskedrioters.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="360" data-original-width="539" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwo0sSDz3quDhsU-k5C0XUpkBIBrS3q5rd3PBaOFA3DlBqGHeftSDL_yJXvjNfsmIURiB_THV7t3MRsrqwseOHe0AXlt-gt9ijTDKpzS5g2SIwUC1sFXlQao3QgjIEwawfTNKRoon_OYss/s320/maskedrioters.jpg" width="320" /></a></div>
New technologies in the realm of full-color night-vision video capture and advanced infrared heat-based body and face mapping lie the basis of radically better tools for associating captured maleficence to an individual. Combined with the work being done with infrared facial recognition, and we'll soon find that scarfs, balaclavas, or even helmets will cease to protect the identity of the perpetrator.<br />
<br />
<b><i>Two: Perpetual Digital Trail</i></b><br />
Many large cities are approaching the point that it is impossible to stand in any public space or thoroughfare and not be captured by at least one video camera. Capitalizing on this, many metropolitan police forces are already able to real-time track a surveilled individual or entity through their networked cameras. In addition, some police forces have already combined such capabilities with facial recognition to quickly spot wanted individuals or suspects in crowds and track their movements across cameras in real-time.<br />
<br />
We can expect the density and prevalence of cameras to grow. We can also expect that the video captured from these cameras to increasingly move to the cloud and be retained indefinitely. The AI tooling today already enables us to intelligently stitch together all the video content and construct a historical trail for any person or physical entity.<br />
<br />
When combined with (One), it means that in the near future police forces could track (both forward and reverse in time) each suspect - identifying not only the history of travel and events preceding the crime, but also their origination (e.g. home) address... and from there, arrive at an identity conclusion. Imagine doing this for thousands of protesters simultaneously. Obviously, such a capability would also facilitate the capture of facial images of the suspect before they donned any masks or facial obfuscation tools they used during the protest or crime.<br />
<br />
<b><i>Three: Inferring Pending Harm and Stress</i></b><br />
As digital video cameras radically increase their capture resolution - moving from an average of 640x480 to 3096x2160 (4k Ultra HD) and beyond over the coming years; facial recognition accuracy will obviously improve, but we can expect other personal traits and characteristics to be accurately inferred.<br />
<br />
Studies of human movement and tooling for life-like movements in digital movies naturally lend to the ability to identify changes in an individuals movements and infer certain things. For example, being able to guess the relative weight and flexibility of contents within a backpack being worn by the surveilled individual, the presence of heavy objects being carried within a suit jacket, or changes in contents of a bag carried in-hand.<br />
<br />
If we also assume that the surveilled individual will be caught by multiple cameras from different locations, the combination of angles and perspective will further help define the unique characteristics and load of the individual. Police forces could use that intelligence to infer the presence of weapons for example.<br />
<br />
Higher resolution monitoring also lends itself to identifying and measuring other more personal attributes of the person being monitored. For example, details on the type and complexity of jewelry being worn, tattoos, or unique visible identifiers.<br />
<br />
Using physical tells such as sweat density, head-bobbing (see an earlier blog - <a href="http://technicalinfodotnet.blogspot.com/2016/12/body-worn-camera-technologies-futures.html" target="_blank">Body Worn Camera Technologies</a>), and heart-rate, it will be possible to identify whether the person is stressed, under duress, or has recently exerted themselves.<br />
<br />
<b><i>Four: The Reverse Paradigm</i></b><br />
Such technologies are not exclusive to police forces and government departments. It is inevitable that these technologies will also be leveraged by civilians and criminals alike - bringing a rather new dynamic to future policing.<br />
<br />
For example, what happens if anti-riot police cannot obfuscate their identity during a riot - despite balaclavas and protective helmets? If every retaliatory baton strike, angered shield charge, tear gas spray, or taser use can be individually attributed to the officer that did it (and the officer can be identified by face capture or uniform number), officers become individually responsible and ultimately accountable for their actions.<br />
<br />
Imagine for instance that every office present now had a virtual folder of video captures detailing their actions during the riots. With little effort and likely a little crowd-sourcing, each officer's identity would be discovered and publicly associated with their actions.<br />
<br />
It would be reasonable to expect that police officers would adjust their responses to riot situations - and its likely that many would not want to expose themselves to such risk. While it is possible new or existing laws could be used to protect officers from most legal consequences of "doing their job", the social consequences may be a different story.<br />
<br />
We've already seen how doxing can severely affect the life and safety of those that are victims, it would be reasonable to assume that some percentage of a rioting population would be only too eager to publish a police officers "crimes" along with all their identity, address, and any other personal data they could find. Would we expect police officers with young families take on the risk of riotous agitators arriving at their families doorstep - looking for vengeance.<br />
<br />
<b><i>Five: Ubiquitous Consumer-led Video Surveillance</i></b><br />
A question will inevitably be raised that the ability to construct digital trails or infer motivations and harm will be restricted to police and government entities. After all, they're the ones with the budget and authority to install the cameras.<br />
<br />
These challenges may be overcome. For example, new legal test cases may force governments to make such video feeds publicly available - after all, funding is through public money. We've seen such shifts in technology access before - e.g. GPS, satellite mapping, satellite imagery.<br />
<br />
An interesting model for consumer video that could become even more complete and ubiquitous video capture (and analytics) may be relatively simple.<br />
<br />
Just as today's home security systems have advanced to include multiple internal and external high-resolution video feeds to the cloud, maybe the paradigm changes again. Instead of a managed security monitoring service, things become community based and crowd sourced.<br />
<br />
For example, lets say that for each high-resolution video camera you install and connect to a community cloud service, you gain improved access to the accumulated mesh of every other contributing camera. Overlaying that mesh of camera feeds, additional services augment the video with social knowledge and identity information, and the ability to trace movements around an event - just like the police could - for a small fee. The resultant social dynamics would be very interesting... does privacy end at your doorstep? If every crime in a public space is captured and perpetrators labeled, does that make petty and premeditated crime disappear? Does local policing shift to community groups and vigilantes?<br />
<br />
<b>Conclusions</b><br />
Advances in high-resolution digital video cameras and facial recognition will play a critical role in how policing society changes over the next couple of decades.<br />
<br />
The anticipated advancements will certainly make it easier for police forces to track, identify, and hold accountable those that perpetuate crimes. But such technologies will also inevitably be likewise utilized by those being policed. While the illustrated scenarios began with the recent riots in France, the repercussions for police forces in Mexico facing wealthy cartels would perhaps be more dire.<br />
<br />
It is too early to tell whether the ubiquity of these advancing technologies will tilt the hand in one direction or the other or whether we'll reach a new technology stalemate. Accountability for an individuals actions - backed by proof - feels like the right societal movement, but opens doors to entirely new forms of abuse.<br />
<br />
-- Gunter Ollmann<br />
<br />Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-74891098448633260662018-10-01T16:47:00.001-07:002018-10-01T16:47:29.134-07:00The Diet Pill Security Model<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAP_abRjmhj_4eQoZydkxacM_KMTDEOwMQlmY-qshwXBD9moqcFvThqntXxf7AoMagr6sYH7fGJP5SN_qUnxOyoFCJVCGpUg7ALlcNUu6qVk-SPmXl8-iTRmNrhcE9-1yphGdTVjx41J5h/s1600/dietpillavoid.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="662" data-original-width="1000" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAP_abRjmhj_4eQoZydkxacM_KMTDEOwMQlmY-qshwXBD9moqcFvThqntXxf7AoMagr6sYH7fGJP5SN_qUnxOyoFCJVCGpUg7ALlcNUu6qVk-SPmXl8-iTRmNrhcE9-1yphGdTVjx41J5h/s320/dietpillavoid.jpeg" width="320" /></a></div>
The information security industry, lacking social inhibitions, generally rolls its eyes at anything remotely hinting to be a "silver bullet" for security. Despite that obvious hint, marketing teams remain undeterred at labeling their companies upcoming widget as the savior to the next security threat (or the last one - depending on what's in the news today).<br />
<br />
I've joked in the past that the very concept of a silver bullet is patently wrong - as if silver would make a difference. No, the silver bullet must in fact be water. After all, chucking a bucket of water on a compromised server is guaranteed to stop the attacker dead in their tracks.<br />
<br />
Bad jokes aside, the fundamental problem with InfoSec has less to do with the technology being proposed or deployed to prevent this or that class of threat, and more to do with the lack of buyers willing to change their broken security practices and compliment their new technology investment.<br />
<br />
Too many security buyers are effectively looking for the diet pill solution. Rather than adjusting internal processes and dropping bad practices, there is eternal hope that the magical security solution will fix all ills and the business can continue to binge on deep-fried Mars bars and New York Cheesecakes.<br />
<br />
As they say, "hope springs eternal".<br />
<br />
Just as a medical doctor's first-line advice is to exercise more and eat healthily, our corresponding security advice is harden your systems and keep up to date with patching.<br />
<br />
Expecting the next diet pill solution to cure all your security ills is ludicrous. Get the basics done right, and get them right all the time first, and expand from there.<br />
<br />
-- GunterGunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-73864100979343502672018-09-21T14:57:00.002-07:002018-09-21T14:57:52.853-07:00The Missing Piece of the Security Conference Circuit<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicmgD5LenZYC_Ab3QfymvbRPIN1_dkG1bqb-fufPD_m-jleo5Ti96t7FwhklisWNqVolv7KZJOBGo7UjSTYQFNqPEuSG231CZi-4KBfo8VR9xeZaoVGWbRvc_P9ahhyphenhypheng1YV_xT7zFS4b83/s1600/The-Missing-Piece-In-The-Puzzle.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1087" data-original-width="1062" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicmgD5LenZYC_Ab3QfymvbRPIN1_dkG1bqb-fufPD_m-jleo5Ti96t7FwhklisWNqVolv7KZJOBGo7UjSTYQFNqPEuSG231CZi-4KBfo8VR9xeZaoVGWbRvc_P9ahhyphenhypheng1YV_xT7zFS4b83/s320/The-Missing-Piece-In-The-Puzzle.jpg" width="312" /></a></div>
So far this year I think I've attended 20+ security conferences around the world - speaking at many of them. Along the way I got to chat with hundreds of attendees and gather their thoughts on what they hoped to achieve or learn at each of these conferences.<br />
<br />
In way too many cases I think the conference organizers have missed the mark.<br />
<br />
I'd like to offer the following thoughts and feedback to the people organizing and facilitating these conferences (especially those catering to local security professionals):<br />
<br />
<br />
<ul>
<li>Attendees have had enough of stunt hacking presentations. By all means, throw in one or two qualified speakers on some great stunt hack - but use them as sparingly as keynotes.</li>
<li>Highly specialized - border-line stunt hacking topics - disenfranchise many of the attendees. Sure, it's fun to have a deep-dive hacking session on voting machines, smart cars, etc. but when every session is focused on (what is essentially an) "edge" security device that most attendees will never be charged with attacking or defending... it's no longer overwhelming, it becomes noise that can't be applied in "real-life" for the majority of attendees.</li>
<li>As an industry we're desperately trying to engage those entering the job market and "sell" them on our security profession. Trinket displays of security (e.g. CTF, lock-picking) sound more interesting to people already in security... and much less so to those just entering the job market. Lets face it, no matter how much they enjoy picking locks, it's unlikely a qualification for first-line SOC analysts. Even for those that have been in the industry for a few years, these cliche trinket displays of security "skill" have become tired... and look like wannabe Def Cons.</li>
<li>Most attendees really want to LEARN something that they can APPLY to their job. They're looking for nuggets of smartness that can be used tomorrow in the execution of their job.</li>
</ul>
<br />
Here's a few thoughts for security (/hacker) conference organizers:<br />
<br />
<br />
<ul>
<li>Have a track (or two) specifically focused on attack techniques (or defense techniques) where each presented session can clearly say what new skill or technique the attendee will have acquired as the leave the hallowed chamber of security knowledge goodness. This may be as simple as escalating existing skills e.g. "if you're a 5 on XSS today, by the end of the session you'll have reached a 7 in XSS against SAP installations", or "you'll learn how to use Jupyter Notebooks for managing threat hunt collaboration". The objective is simple: an attendee should be able to apply new skills and expertise tomorrow... at their day job.</li>
<li>Get more people presenting, and presenting for less time. Encourage a broader range of speakers to present on practical security topics. I think many attendees would love to see a "open mic" speaker track where security professionals (new and upcoming) can deep-dive present on interesting security topics and raise questions to attendees for help/guidance/answers. For example, the speaker has deep-dived into blocking spear-phishing emails using XYZ product but identified that certain types of email vectors evade it... they present proposals on improvement... and the attendees add their collective knowledge. It encourages interaction and (ideally) helps to solve real-world problems.</li>
<li>An iteration of the idea above, but focused on students, those job hunting for security roles, or on their first rung of the security ladder... a track where they can present on a vetted security topic where a panel of security veterans that evaluate the presentation - the content and the delivery - and provide rewards. In particular, I'd love to see (and ensure) that the presentation is recorded, and the presentation material is available for download (including maybe a backup whitepaper). Why? Because I'd encourage these speakers to reference and link to these resources (and conference awards) in their resumes/CV's so they can differentiate themselves in the hiring market.</li>
<li>Finally, I'd encourage (and offer myself up for participation) a track for practicing and refining interview techniques. It's daunting for all new starters in our industry to successfully navigate an interview with experienced and battle wary security professionals. It takes practice, guidance, and encouragement. In reality, starter interviewees have less than 15 minutes to establish their technical depth, learning capability, and group compatibility. On the flip-side, learning and practice sessions for technical security hiring managers on overcoming biases and encouraging diversity. We're an industry full of introverts and know-it-all's that genuinely want to help... but we all need a little help and coaching in this critical area.</li>
</ul>
<br />
-- Gunter OllmannGunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-22323350536711468552018-09-21T14:55:00.000-07:002018-09-21T14:55:00.768-07:00The Security Talent Gap is Misunderstood and AI Changes it AllDespite headlines now at least a couple years old, the InfoSec world is still (largely) playing lip-service to the lack of security talent and the growing skills gap.<br />
<br />
The community is apt to quote and brandish the dire figures, but unless you're actually a hiring manager striving to fill low to mid-level security positions, you're not feeling the pain - in fact there's a high probability many see problem as a net positive in terms of their own employment potential and compensation.<br />
<br />
I see today's Artificial Intelligence (AI) and the AI-based technologies that'll be commercialized over the next 2-3 years as exacerbating the problem - but also offering up a silver-lining.<br />
<br />
I've been vocal for decades that much of the professional security industry is and should be methodology based. And, by being methodology based, be reliably repeatable; whether that be bug hunting, vulnerability assessment, threat hunting, or even incident response. If a reliable methodology exists, and the results can be consistently verified correct, then the process can be reliably automated. Nowadays, that automation lies firmly in the realm of AI - and the capabilities of these newly emerged AI security platforms are already reliably out-performing tier-one (e.g. 0-2 years experience) security professionals.<br />
<br />
In some security professions (such as auditing & compliance, penetration testing, and threat hunting) AI-based systems are already capable of performing at tier-two (i.e. 2-8 years experience) levels for 80%+ of the daily tasks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq0rVQwZsPlV5kXdA3WI6lgrGD5nCnrMMVQYnMlgj8PhhKR2x0NmzCpu0UkfFNw62OSqYcU9zosUgyNretsKnGtEUSrpAGIaWvO3XvLpgZ9lakcjz96uBZy6qvb3XzKWVci5-szeQGJrTs/s1600/rust-belt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="457" data-original-width="1021" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq0rVQwZsPlV5kXdA3WI6lgrGD5nCnrMMVQYnMlgj8PhhKR2x0NmzCpu0UkfFNw62OSqYcU9zosUgyNretsKnGtEUSrpAGIaWvO3XvLpgZ9lakcjz96uBZy6qvb3XzKWVci5-szeQGJrTs/s400/rust-belt.jpg" width="400" /></a></div>
<br />
On one hand, these AI systems alleviate much of the problem related to shortage and global availability of security skills at the lower end of the security professional ladder. So perhaps the much touted and repeated shortage numbers don't matter - and extrapolation of current shortages in future open positions is overestimated.<br />
<br />
However, if AI solutions consume the security roles and daily tasks equivalency of 8-year industry veterans, have we also created an insurmountable chasm for resent graduates and those who wish to transition and join the InfoSec professional ladder?<br />
<br />
While AI is advancing the boundaries of defense and, frankly, an organizations ability to detect and mitigate threats has never been better (and will be even better tomorrow), there are still large swathes of the security landscape that AI has yet to solve. In fact many of these new swathes have only opened up to security professionals because AI has made them available.<br />
<br />
What I see in our AI Security future is more of a symbiotic relationship.<br />
<br />
AI's will continue to speed up the discovery and mitigation of threats, and get better and more accurate along the way. It is inevitable that tier-two security roles will succumb and eventually be replaced by AI. What will also happen is that security professional roles will change from the application of tools and techniques into business risk advisers and supervisors. Understanding the business, communicating with colleagues in other operational facets, and prioritizing risk response, are the intangibles that AI systems will struggle with.<br />
<br />
In a symbiotic relationship, security professionals will guide and communicate these operations in terms of business needs and risk. Just as Internet search engines have replaced the voluminous Encyclopedia Britannica and Encarta, and the Dewey Decimal system, Security AI is evolving to answer any question a business may raise about defending their organization - assuming you ask the right question, and know how to interpret the answer.<br />
<br />
With regards to the skills shortage of today - I truly believe that AI will be the vehicle to close that gap. But I also think we're in for a paradigm change in who we'll be welcoming in to our organizations and employing in the future because of it.<br />
<br />
I think that the primary beneficiaries of these next generation AI-powered security professional roles will not be recent graduates. With a newly level playing field, I anticipate that more weathered and "life experienced" people will assume more of these roles.<br />
<br />
For example, given the choice between a 19 year-old freshly minted graduate in computer science, versus a 47 year-old woman with 25 years of applied mechanical engineering experience in the "rust belt" of the US,... those life skills will inevitably be more applicable to making risk calls and communicating them to the business.<br />
<br />
In some ways the silver-lining may be the middle-America that has suffered and languished as technology has moved on from coal mining and phone-book printing. It's quite probable that it will become the hot-spot for newly minted security professionals - leveraging their past (non security) professional experiences, along with decades of people or business management and communication skills - and closing the missing security skills gap using AI.<br />
<br />
-- GunterGunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-83128652671316890902018-04-24T23:56:00.000-07:002018-04-25T00:13:21.361-07:00Cyber Scorecarding ServicesAmple evidence exists to underline that shortcomings in a third-parties cyber security posture can have an extremely negative effect on the security integrity of the businesses they connect or partner with. Consequently, there’s been a continuous and frustrated desire for a couple of decades for some kind of independent verification or scorecard mechanism that can help primary organizations validate and quantify the overall security posture of the businesses they must electronically engage with.<br />
<br />
A couple decades ago organizations could host a small clickable logo on their websites – often depicting a tick or permutation of a “trusted” logo – that would display some independent validation certificate detailing their trustworthiness. Obviously, such a system was open to abuse. For the last 5 or so years, the trustworthiness verification process has migrated ownership from the third-party to a first-party responsibility.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLw_WAcYoX_esYf8CaiavxTdYfFs-tdyxOMQTocFI6hYlRSFmDjvSZefRjewA7uytuAwfXxd1MwGPEwrQT18GKhN0FHGqn635FcIGx1ggEp8-qFNnpVRzuOWOHRXzASdZFpslYajFPm2Vu/s1600/Student+Performance.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="235" data-original-width="627" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLw_WAcYoX_esYf8CaiavxTdYfFs-tdyxOMQTocFI6hYlRSFmDjvSZefRjewA7uytuAwfXxd1MwGPEwrQT18GKhN0FHGqn635FcIGx1ggEp8-qFNnpVRzuOWOHRXzASdZFpslYajFPm2Vu/s320/Student+Performance.png" width="320" /></a></div>
Today, there are a growing number of brand-spanking-new start-ups adding to pool of slightly longer-in-the-tooth companies taking on the mission of independently scoring the security and cyber integrity of organizations doing business over the Web.<br />
<br />
The general premise of these companies is that they’ll undertake a wide (and widening) range of passive and active probing techniques to map out a target organizations online assets, crawl associated sites and hidden crevasses (underground, over ground, wandering free… like the Wombles of Wimbledon?) to look for leaks and unintended disclosures, evaluate current security settings against recommended best practices, and even dig up social media dirt that could be useful to an attacker; all as contributors to a dynamic report and ultimate “scorecard” that is effectively sold to interested buyers or service subscribers.<br />
<br />
I can appreciate the strong desire for first-party organizations to have this kind of scorecard on hand when making decisions on how best to trust a third-party supplier or partner, but I do question a number of aspects of the business model behind providing such security scorecards. And, as someone frequently asked by technology investors looking for guidance on the future of such business ventures, there are additional things to consider as well.<br />
<br />
<b>Are Cyber Scorecarding Services Worth it?</b><br />
As I gather my thoughts on the business of cyber scorecarding and engage with the purveyors of such services again over the coming weeks (post RSA USA Conference), I’d offer up the following points as to why this technology may still have some business wrinkles and why I’m currently questioning the long-term value of the business model<br />
<br />
<b>1. Lack of scoring standards</b><br />
There is no standard to the scorecards on offer. Every vendor is vying to make their scoring mechanism the future of the security scorecard business. As vendors add new data sources or encounter new third-party services and configurations that could influence a score, they’re effectively making things up as they go along. This isn’t necessarily a bad thing and ideally the scoring will stabilize over time at a per vendor level, but we’re still a long way away from having an international standard agreed to. Bear in mind, despite two decades of organizations such as OWASP, ISSA, SANS, etc., the industry doesn’t yet have an agreed mechanism of scoring the overall security of a single web application, let alone the combined Internet presence of a global online business.<br />
<br />
<b>2. Heightened Public Cloud Security</b><br />
Third-party organizations that have moved to the public cloud and have enabled the bulk of the default security features that are freely available to them and are using the automated security alerting and management tools provided, are already very secure – much more so that their previous on-premise DIY efforts. As more organizations move to the public cloud, they all begin to have the same security features, so why would a third-party scorecard be necessary? We’re rapidly approaching a stage where just having an IP address in a major public cloud puts your organization ahead of the pack from a security perspective. Moreover, I anticipate that the default security of public cloud providers will continue to advance in ways that are not easily externally discernable (e.g. impossible travel protection against credential misuse) – and these kinds of ML/AI-led protection technologies may be more successful than the traditional network-based defense-in-depth strategies the industry has pursued for the last twenty-five years.<br />
<br />
<b>3. Score Representations</b><br />
Not only is there no standard for scoring an organization’s security, it’s not clear what you’re supposed to do with the scores that are provided. This isn’t a problem unique to the scorecard industry – we’ve observed the phenomenon for CVSS scoring for 10+ years.<br />
At what threshold should I be worried? Is a 7.3 acceptable, while a 7.6 means I must patch immediately? An organization with a score of 55 represents how much more of a risk to my business versus a vendor that scores 61?<br />
The thresholds for action (or inaction) based upon a score are arbitrary and will be in conflict with each new advancement or input the scorecard provider includes as they evolve their service. Is the 88.8 of January the same as the 88.8 of May after the provider added new features that factored in CDN provider stability and Instagram crawling? Does this month’s score of 78.4 represent a newly introduced weakness in the organization’s security, or is the downgraded score an artifact of new insights that weren’t accounted for previously by the score provider?<br />
<br />
<b>4. Historical References and Breaches</b><br />
Then there’s the question of how much of an organizations past should influence its future ability to conduct business more securely. If a business got hacked three years ago and the responsibly disclosed and managed their response – complete with reevaluating and improving their security, does another organization with the same current security configuration have a better score for not having disclosed a past breach?<br />
Organizations get hacked all the time – it’s why modern security now works on the premise of “assume breach”. The remotely visible and attestable security of an organization provides no real insights in to whether they are currently hacked or have been recently breached.<br />
<br />
<b>5. Gaming of Scorecards</b><br />
Gaming of the scorecard systems is trivial and difficult to defend against. If I know who my competitors are and which scorecard provider (or providers) my target customer is relying upon, I can adversely affect their scores. A few faked “breached password lists” posted to PasteBin and underground sites, a handful of spam and phishing emails sent, a new domain name registration and craftily constructed website, a few subtle contributions to IP blacklists, etc. and their score is affected.<br />
I haven’t looked recently, but I wouldn’t be surprised if some blackhat entrepreneurs haven’t already launched such a service line. I’m sure it could pay quite well and requires little effort beyond the number of disinformation services that already exist underground. If scorecarding ever becomes valuable, so too will its deception.<br />
<br />
<b>6. Low Barrier to Market Entry</b><br />
The barrier for entry in to the scorecarding industry is incredibly low. Armed with “proprietary” techniques and “specialist” data sources, anyone can get started in the business. If for some reason third-party scorecarding becomes popular and financially lucrative, then I anticipate that any of the popular managed security services providers (MSSP) or automated vulnerability (VA) assessment providers could launch their competitive service with as little as a month’s notice and only a couple of engineers.<br />
At some point in the future, if there ever were to be standardization of scorecarding scores and evaluation criteria, that’s when the large MSSP’s and VA’s would likely add such a service. The problem for the all the new start-ups and longer-toothed start-ups is that these MSSP’s and VA’s would have no need to acquire the technology or clientele.<br />
<br />
<b>7. Defending a Score</b><br />
Defending the integrity and righteousness of your independent scoring mechanism is difficult and expensive. Practically all the scorecard providers I’ve met like to explain their efficacy of operation as if it were a credit bureau’s Credit Score – as if that explains the ambiguities of how they score. I don’t know all the data sources and calculations that credit bureaus use in their credit rating systems, but I’m pretty sure they’re not port scanning websites, scraping IP blacklists, and enumerating service banners – and that the people being scored have as much control to modify the data that the scoring system relies upon.<br />
My key point here though lies with the repercussions of getting the score wrong or providing a score that adversely affects an organization to conduct business online – regardless of the scores righteousness. The affected business will question and request the score provider to “fix their mistake” and to seek compensation for the damage incurred. In many ways it doesn’t matter whether the scorecard provider is right or wrong – costs are incurred defending each case (in energy expended, financial resources, lost time, and lost reputation). For cases that eventually make it to court, I think the “look at the financial credit bureau’s” defense will fall a little flat.<br />
<br />
<b>Final Thoughts</b><br />
The industry strongly wants a scoring mechanism to help distinguish good from bad, and to help prioritize security responses at all levels. If only it were that simple, it would have been solved quite some time ago.<br />
<br />
Organizations are still trying to make red/amber/green tagging work for threat severity, business risk, and response prioritization. Every security product tasked with uncovering or collating vulnerabilities, misconfigurations, aggregating logs and alerts, or monitoring for anomalies, is equally capable of (and likely is) producing their own scores.<br />
<br />
Providing a score isn’t a problem in the security world, the problem lies in knowing how to respond to the score you’ve been presented with!<br />
<br />
-- Gunter OllmannGunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-75972935258469728772018-03-08T14:11:00.000-08:002018-03-08T14:11:29.768-08:00NextGen SIEM Isn’t SIEM<br />
<div class="MsoNormal">
Security Information and Event Management (SIEM) is feeling
its age. Harkening back to a time in which businesses were prepping for the
dreaded Y2K and where the cutting edge of security technology was bound to
DMZ’s, Bastion Hosts, and network vulnerability scanning – SIEM has been along
for the ride as both defenses and attacker have advanced over the intervening
years. Nowadays though it feels less of a ride with SIEM, and more like towing
an anchor.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Despite the deepening trench gauged by the SIEM anchor
slowing down threat response, most organizations persist in throwing more money
and resources at it. I’m not sure whether it’s because of a <a href="https://en.wikipedia.org/wiki/Sunk_cost">sunk cost fallacy</a> or the lack
of a viable technological alternative, but they continue to diligently trudge
on with their SIEM – complaining with every step. I’ve yet to encounter an
organization that feels like their SIEM is anywhere close to scratching their
security itch.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK7ScdmlOdHDigUyNATC_dAx0OVrp7vjq3ems8Qh-5ICai9DdYqWzwr0HAbL25v8LHQh7v2I75UDjwz4haqnCnjVKgWUT0jbWuaJCNW5noPVwAut7NwNmHIKI2SgMevaIMvW6ZMz2KU3zs/s1600/Pullup_Success.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1056" data-original-width="1600" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK7ScdmlOdHDigUyNATC_dAx0OVrp7vjq3ems8Qh-5ICai9DdYqWzwr0HAbL25v8LHQh7v2I75UDjwz4haqnCnjVKgWUT0jbWuaJCNW5noPVwAut7NwNmHIKI2SgMevaIMvW6ZMz2KU3zs/s400/Pullup_Success.jpeg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">The SIEM of Today<o:p></o:p></b></div>
<div class="MsoNormal">
The SIEM of today hasn’t changed much over the last couple
of decades with its foundation being the real-time collection and normalization
of events from a broad scope of security event log sources and threat alerting
tools. The primary objective of which was to manage and overcome the cacophony
of alerts generated by the hundreds, thousands, or millions of sensors and logging
devices scattered throughout an enterprise network – automatically generating
higher fidelity alerts using a variety of analytical approaches – and
displaying a more manageable volume of information via dashboards and reports.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As the variety and scope of devices providing alerts and
logs continues to increase (often exponentially) consolidated SIEM reporting
has had to focus upon statistical analytics and trend displays to keep pace
with the streaming data – increasingly focused on the overall health of the
enterprise, rather than threat detection and event risk classification.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Whilst the collection of alerts and logs are conducted in
real-time, the ability to aggregate disparate intelligence and alerts to
identify attacks and breaches has fallen to offline historical analysis via
searches and queries – giving birth to the Threat Hunter occupation in recent
years. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Along the way, SIEM has become the beating heart of Security
Operations Centers (SOC) – particularly over the last decade – and it is often
difficult for organizations to disambiguate SIEM from SOC. Not unlike Frankenstein’s
monster, additional capabilities have been grafted to today’s operationalized
SIEM’s; advanced forensics and threat hunting capabilities now dovetail in to
SIEM’s event archive databases, a new generation of automation and
orchestration tools have instantiated playbooks that process aggregated logs,
and ticketing systems track responder’s efforts to resolve and mitigate
threats.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">SIEM Weakness<o:p></o:p></b></div>
<div class="MsoNormal">
There is however a fundamental weakness in SIEM and it has
become increasingly apparent over the last half-decade as more advanced threat
detection tools and methodologies have evolved; facilitated by the widespread
adoption of machine learning (ML) technologies and machine intelligence (MI).<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Legacy threat detection systems such as firewalls, intrusion
detection systems (IDS), network anomaly detection systems, anti-virus agents,
network vulnerability scanners, etc. have traditionally had a high propensity
towards false positive and false negative detections. Compounding this, for
many decades (and still a large cause for concern today) these technologies
have been sold and marketed on their ability to alert in volume – i.e. an IDS
that can identify and alert upon 10,000 malicious activities is too often
positioned as “better” than one that only alerts upon 8,000 (regardless of
alert fidelity). Alert aggregation and normalization is of course the bread and
butter of SIEM.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In response, a newer generation of vendors have brought
forth new detection products that improve and replace most legacy alerting
technologies – focused upon not only finally resolving the false positive and
false negative alert problem, but to move beyond alerting and into mitigation –
using ML and MI to facilitate behavioral analytics, big data analytics, deep
learning, expert system recognition, and automated response orchestration.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The growing problem is that these new threat detection and
mitigation products don’t output alerts compatible with traditional SIEM
processing architectures. Instead, they provide output such as evidence
packages, logs of what was done to automatically mitigate or remediate a
detected threat, and talk in terms of statistical risk probabilities and
confidence values – having resolved a threat to a much higher fidelity than a
SIEM could. In turn, “integration” with SIEM is difficult and all too often
meaningless for these more advanced technologies.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A compounding failure with the new ML/MI powered threat
detection and mitigation technologies lies with the fact that they are
optimized for solving a particular class of threats – for example, insider
threats, host-based malicious software, web application attacks, etc. – and
have optimized their management and reporting facilities for that category.
Without a strong SIEM integration hook there is no single pane of glass for SOC
management; rather a half-dozen panes of glass, each with their own unique scoring
equations and operational nuances. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Next Generation SIEM<o:p></o:p></b></div>
<div class="MsoNormal">
If traditional SIEM has failed and is becoming more of a
bugbear than ever, and the latest generation of ML and MI-based threat
detection and mitigation systems aren’t on a trajectory to coalesce by
themselves into a manageable enterprise suite (let alone a single pane of glass),
what does the next generation (i.e. NextGen) SIEM look like?<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Looking forward, next generation SIEM isn’t SIEM, it’s an
evolution of SOC – or, to license a more proscriptive turn of phrase,
“SOC-in-a-box” (and inevitably “Cloud SOC”).<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The NextGen SIEM lies in the natural evolution of today’s
best hybrid-SOC solutions. The Frankenstein add-ins and bolt-ons that have
extended the life of SIEM for a decade are the very fabric of what must ascend
and replace it.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
For the NextGen SIEM, SOC-in-a-box, Cloud SOC, or whatever buzzword
the professional marketers eventually pronounce – to be successful, the core
tenets of operation will necessarily include:</div>
<div class="MsoNormal">
</div>
<ul>
<li><b style="text-indent: -0.25in;">Real-time
threat detection, classification, escalation, and response.</b><span style="text-indent: -0.25in;"> Alerts, log
entries, threat intelligence, device telemetry, and indicators of compromise
(IOC), will be treated as evidence for ML-based classification engines that
automatically categorize and label their discoveries, and optimize responses to
both threats and system misconfigurations in real-time.</span></li>
<li><b style="text-indent: -0.25in;">Automation
is the beating heart of SOC-in-a-box.</b><span style="text-indent: -0.25in;"> With no signs of data volumes
falling, networks becoming less congested, or attackers slackening off, automation
is the key to scaling to the businesses needs. Every aspect of SOC must be
designed to be fully autonomous, self-learning, and elastic.</span></li>
<li><b style="text-indent: -0.25in;">The
vocabulary of security will move from “alerted” to “responded”.</b><span style="text-indent: -0.25in;"> Alerts are
merely one form of telemetry that, when combined with overlapping sources of
evidence, lay the foundation for action. Businesses need to know which threats
have been automatically responded to, and which are awaiting a remedy or
response.</span></li>
<li><b style="text-indent: -0.25in;">The
tier-one human analyst role ceases to exist, and playbooks will be self-generated.
</b><span style="text-indent: -0.25in;">The process of removing false positives and gathering cohobating evidence
for true positive alerts can be done much more efficiently and reliably using
MI. In turn, threat responses by tier-two or tier-three analysts will be
learned by the system – automatically constructing and improving playbooks with
each repeated response.</span></li>
<li><b style="text-indent: -0.25in;">Threats
will be represented and managed in terms of business risk. </b><span style="text-indent: -0.25in;">As alerts become
events, “criticality” will be influenced by age, duration, and threat level,
and will sit adjacent to “confidence” scores that take in to account the
reliability of sources. Device auto-classification and responder monitoring
will provide the framework for determining the relative value of business
assets, and consequently the foundation for risk-based prioritization and
management.</span></li>
<li><b style="text-indent: -0.25in;">Threat
hunting will transition to evidence review and preservation.</b><span style="text-indent: -0.25in;"> Threat hunting
grew from the failures of SIEM to correctly and automatically identify threats
in real-time. The methodologies and analysis playbooks used by threat hunters
will simply be part of what the MI-based system incorporates in real-time.
Threat hunting experts will in-turn focus on preservation of evidence in cases
where attribution and prosecution become probable or desirable.</span></li>
<li><b style="text-indent: -0.25in;">Hybrid
networks become native.</b><span style="text-indent: -0.25in;"> The business network – whether it exists in the
cloud, on premise, at the edge, or in the hands of employees and customers –
must be monitored, managed, and have threats responded to as a single entity.
Hybrid networks are the norm and attackers will continue to test and evolve
hybrid attacks to leverage any mitigation omission.</span></li>
</ul>
<br />
<div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<o:p></o:p></div>
<div class="MsoNormal">
Luckily, the NextGen SIEM is closer than we think. As SOC
operations have increasingly adopted the cloud to leverage elastic compute and
storage capabilities, hard-learned lessons in automation and system reliability
from the growing DevOps movement have further defined the blueprint for
SOC-in-a-box. Meanwhile, the current generation of ML-based and MI-defined
threat detection products, combined with rapid evolution of intelligence
graphing platforms, have helped prove most of the remaining building blocks.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
These are not wholly additions to SIEM, and SIEM isn’t the
skeleton of what will replace it. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The NextGen SIEM starts with the encapsulation of the best
and most advanced SOC capabilities of today, incorporates its own behavioral
and threat detection capabilities, and dynamically learns to defend the
organization – finally reporting on what it has successfully resolved or
mitigated.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
-- Gunter Ollmann<o:p></o:p></div>
<br />Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-68054564153222830172018-03-06T16:07:00.003-08:002018-03-06T16:07:30.321-08:00Lock Picking at Security ConferencesBoth new and returning attendees at technical security conferences are often puzzled by the presence of <b>lock picking break-out areas and the gamut of hands-on tutorials</b>. For an industry primarily focused on securing electronic packets of ones and zeros, an enthusiasm for manual manipulation of mechanical locks seems out of place to many.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXAVK7lTlujLn9DKTOh8iHiimjWR-IYGm5ADHTDI4Kggj34EWhPZhIiSeozos4Li5umroH2PqAw4DgSNSfKk05w8CMwA10IuaSN-AUnVmt8FoVJVT7p6BDraugS2cqXhb9pDa69mFUDykj/s1600/giphy.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="424" data-original-width="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXAVK7lTlujLn9DKTOh8iHiimjWR-IYGm5ADHTDI4Kggj34EWhPZhIiSeozos4Li5umroH2PqAw4DgSNSfKk05w8CMwA10IuaSN-AUnVmt8FoVJVT7p6BDraugS2cqXhb9pDa69mFUDykj/s1600/giphy.gif" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Over the years, I’ve heard many reasons and justifications for the presence of lock picking villages, the hands-on training, and the multitude of booths selling the tools of the trade. The answers vary considerably and tend to be weighted by how much of a tinkerer or hacker the respondent thinks they are.<br />
<br />
The reality – I think – can be <b>boiled down to two primary reasons</b>.<br />
<br />
Like most longtime security professionals who now take to the stage to educate attendees on the fragility of the cyber-security domain, or attempt to mentor and guide the in-bound generation of attackers and defenders, locks and lock picking serve as a valuable teaching aid. As such, through our influence, we<b> encourage people to tinker and learn</b>.<br />
<br />
By examining how mechanical locks operate and how they have evolved to counter each new picking technique used to subvert earlier models, cyber-security professionals begin to <b>appreciate three fundamentals of security</b>:<br />
<br />
<ol>
<li>Attackers learn by dissecting and studying the intricacies of the defenses before them and must practice, practice, practice to defeat them. </li>
<li>Defenders must understand the tools and methodologies that the attackers avail themselves of if they are to devise and deploy better defenses, and </li>
<li>No matter how well thought-out in advance, the limitations of fabrication tolerances and the environments with which the security technology must operate within will introduce new flaws and vectors for attack.</li>
</ol>
<br />
These are incredibly important lessons that must be learned. Would-be professionals seeking to get into penetration testing, red teaming, or reverse engineering can’t just pick up the latest Hacking Exposed edition and complete online Q&A exams – they must roll-up their sleeves and accumulate the hours of hands-on experience of both failures and successes, and build that muscle-memory. Would-be defenders can’t just read the operations manuals of the devices they’ll be entrusted to protect, or sit through vendor training courses on how to operate threat detection systems – they must learn the tools of the attackers and (ideally) gain basic proficiency in their use if they’re to make valuable contributions to defense. Meanwhile, the third point is where both attackers and defender need to learn humility – no matter how well we think we know a system or how often we’ve practiced against a technology,<b> subtle flaws and unexpected permutations may undermine our best efforts through no fault of our own skills</b>.<br />
<br />
As a teaching aid, locks and lock picking are a tactile means of understanding the foibles of cyber security.<br />
<br />
But there is a second reason… because <b>it’s exciting and fun</b>!<br />
<br />
Lock picking feeds into the historical counter-culture of hacking. There’s a kind of excitement learning how to defeat something near the edge of legitimacy – an illicit knowledge that for centuries has been the trade-craft of criminals.<br />
<br />
With a few minutes of guidance and practice, the easiest locks begin to pop open and the hacker is drawn to the challenge of a harder lock, and so on. As frustrations grow, the reward of the final movement and pop of the lock is often as stimulating as scoring a goal in some kind of popular uniformed team sport.<br />
<br />
The skills associated with mastering lock picking however have little translation to being a good hacker – except perhaps the single-minded intensity and tenaciousness to solve technical changes.<br />
I have noticed that there are a disproportionate number of hackers who are both accomplished lock pickers, (semi) professional magicians, and wall-flower introverts. Arguably, locking picking (and magic tricks) may be the hackers best defense at uncomfortable social events. Rather than have an awkward conversation about sports or pop culture, it’s often time to whip out a lock and a pack of picks, and teach instead of prattle.<br />
<br />
-- Gunter OllmannGunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-32763424959685501722017-12-19T18:14:00.000-08:002017-12-19T18:14:19.005-08:00Consumer IoT Security v1.01They say charity begins at home, well IoT security probably should too. The growing number of Internet enabled and connected devices we populate our homes with continues to grow year on year - yet, with each new device we connect up, the less confident we become in our home security.<br />
<br />
The TV news and online newspapers on one-hand extol the virtues of each newly launched Internet-connected technology, yet with the other they tell the tale of how your TV is listening to you and how the animatronic doll your daughter plays with is spying on her while she sleeps.<br />
<br />
To be honest, it amazes me that some consumer networking company hasn't been successful in solving this scary piece of IoT real estate, and to win over the hearts and minds of family IT junkies at the same time.<br />
<br />
With practically all these IoT devices speaking over WiFi, and the remaining (lets guess at 10% of home deployments) using Zigbee, Z-Wave, Thread, or WeMo, logically a mix of current generation smart firewall, IPS, and behavioral log analytics would easily remediate well over 99% of envisaged Internet attacks these IoT devices are likely to encounter, and 90% of the remaining threats conducted from within the local network or residential airwaves.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRLHRMeyscxAkX_fNfdlOG5u11qwIYWqCV8EoODsEkxkGt-Q3HkjQuGT_GxoBuEEzalxc9-idMBMHct87CBqdlzBTsoMlXoCDYSWksy-kjVErzjwLWGS6PHfArVH_ED9pLSCVqoOdbORnQ/s1600/IoT-Graphic-1000x600.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1000" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRLHRMeyscxAkX_fNfdlOG5u11qwIYWqCV8EoODsEkxkGt-Q3HkjQuGT_GxoBuEEzalxc9-idMBMHct87CBqdlzBTsoMlXoCDYSWksy-kjVErzjwLWGS6PHfArVH_ED9pLSCVqoOdbORnQ/s400/IoT-Graphic-1000x600.png" width="400" /></a></div>
<br />
Why is that we haven't seen a "standard" WiFi home router employing these security capabilities in a meaningful way - and marketed in a similar fashion to the Ads we see for identity protection, insurance companies, and drugs (complete with disclaimers if necessary)?<br />
<br />
When I look at the long list of vulnerabilities disclosed weekly for all the IoT devices people are installing at home, it is rare to encounter one that either couldn't have an IPS rule constructed to protect it, or would be protected by generic attack vector rules (such as password brute forcing).<br />
<br />
If you also included a current (i.e. 2017) generation of ML -powered log analytics and behavioral detection systems in to the home WiFi router, you could easily shut out attack and abuse vectors such as backdoor voyeurism, bitcoin mining, and stolen credential use.<br />
<br />
Elevating home IoT security to v1.01 seems so trivial.<br />
<br />
The technologies are available, the threat is ever present, the desire for a remedy is there, and I'd argue the money is there too. Anyone installing an app controllable light bulb, door lock, or coffee maker, has obviously already invested several hundreds of dollars in their WiFi kit, Internet cable/fiber provider, laptop(s), and cell phone(s) - so the incremental hit of $100-200 to the WiFi router unit RRP plus a $9.99 or $19.99 monthly subscription fee for IPS signatures, trained classifiers, and behavioral analysis updates, seems like a no-brainer.<br />
<br />
You'd think that Cisco/Linksys, D-Link, Netgear, etc. would have solved this problem already... that IoT security (at home) would be "in the bag" and we'd be at v1.01 status already. Maybe market education is lagging and a focused advertising campaign centers on securing your electronic home would push market along? Or perhaps these "legacy" vendors need an upstart company to come along and replace them?<br />
<br />
Regardless, securing IoT at home is not a technologically challenging problem. It has been solved many times with different tools within the enterprise (for many years), and the limited scope and sophistication of home networking makes the problem much easier to deal with.<br />
<br />
I hope some intelligent security vendor can come to the fore and bring the right mix of security technology to the fore. Yes, it costs R&D effort to maintain signatures, train classifiers, and broaden behavioral detection scenarios, but even if only 1% of homes that have WiFi routers today (approximately 150 million) paid a $9.99 monthly subscription for updates - that $15m per month would be the envy of 95% of security vendors around the world.<br />
<br />
-- Gunter<br />
<br />
[Note to (potential) vendors that want to create such a product or add such capabilities to an existing product, I'd happily offer up my expertise, advice, and contact-book to help you along the way. I think this is a massive hole in consumer security that is waiting to be filled by an innovative company, and will gladly help where I can.]Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-29018602878293325032017-12-17T17:03:00.000-08:002017-12-17T17:05:07.122-08:00Deception Technologies: Deceiving the Attacker or the Buyer?Deception technologies, over the last three-ish years, have come into vogue; with more than a dozen commercial vendors and close to a hundred open source products available to choose from. Solutions range from local host canary file monitoring, through to autonomous self-replicating and dynamic copies of the defenders network operating like an endless hall of mirrors.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb5QN-EhJ-Z5JBmmRpN7MhOHjz-_uicqzkZfHJXjCKRT392DBnaaqmkNIjuu54TXrlmAaJtvOwOxEhpMTE4TXT4-OdxOUvOuy6aRCCsdOLI-B9KdPc99C-W2lVIdQOTvzlVT9sZxLGO2aW/s1600/deception.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="263" data-original-width="610" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb5QN-EhJ-Z5JBmmRpN7MhOHjz-_uicqzkZfHJXjCKRT392DBnaaqmkNIjuu54TXrlmAaJtvOwOxEhpMTE4TXT4-OdxOUvOuy6aRCCsdOLI-B9KdPc99C-W2lVIdQOTvzlVT9sZxLGO2aW/s400/deception.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The technologies employed for deception purposes are increasingly broad - but the ultimate goal is for an attacker to be deceived into tripping over or touching a specially deposited file, user account, or networked service and, in doing so, sounding an alarm so that the defenders can start to... umm... well..., often it's not clear what the defender is supposed to do. And that's part of the problem with the deception approach to defense.<br />
<br />
I'm interested, but deeply cautious about the claims of deception technology vendors, and so should you be. It's incredibly difficult to justify their expense and understand their overall value when incorporated in to a defense in depth strategy.<br />
<br />
There have been many times over the last couple of decades I have recommended to my clients and businesses a quick and dirty canary solution. For example, adding unique user accounts that appear at the start and end of your LDAP, Active Directory, or email contacts list - such that if anyone ever emails those addresses, you know you've been compromised. And similar canary files or shares for detecting the presence of worm outbreaks. But, and I must stress the "but", those solutions only apply to organizations that have not invested in the basics of network hygiene and defense in depth.<br />
<br />
Honeypots, Honeynets, canaries, and deception products are HIGHLY prone to false positives. Vendors love to say otherwise, but the practical reality is that there's a near infinite number of everyday things that'll set them off - on hole or in part. For example:<br />
<br />
<ul>
<li>Regular vulnerability scanning,</li>
<li>Data backups and file recovery,</li>
<li>System patching and updates,</li>
<li>Changes in firewall or VPN policies,</li>
<li>Curious employees,</li>
<li>Anti-virus scanners and suite updates,</li>
<li>On-premise enterprise search systems,</li>
<li>Cloud file repository configuration changes and synchronization,</li>
</ul>
<div>
The net result being either you ignore or turn off the system after a short period of time, or you swell your security teams ranks and add headcount to continually manage and tune the system(s).</div>
<div>
<br /></div>
<div>
If you want my honest opinion though, I'd have to say that the time for deception-based products has already past. </div>
<div>
<br /></div>
<div>
If you're smart, you've already turned on most of the logging features of your desktop computers, laptops, servers, and infrastructure devices, and you're capturing all file, service, user, and application access attempts. You're therefore already capturing more of the raw information necessary to detect any threat your favorite deception technology is proposing to identify for you. Obviously, the trick is being able to process those logs for anomalies and responding to the threat.</div>
<div>
<br /></div>
<div>
This year alone the number of automated log analytics platforms and standalone products that employ AI and machine learning that are capable of real-time (or, worst case, "warm") detection of threats, has grown to outnumber all the tools in the Deception solution category - and they do it cheaper, more efficiently, and with less human involvement. </div>
<div>
<br /></div>
<div>
Deception vendors were too slow. The log analytics vendors incorporated more advanced detection systems, user behavioral analytics, and were better able to mitigate the false positive problems - and didn't require additional investment in host agents and network appliances to collect the data that the deception technologies needed.</div>
<div>
<br /></div>
<div>
As an enterprise security buyer, I think you can forget about employing deception technologies and instead invest in automated log analytics. Not only will you cover the same threats, but the log analytics platforms will continue to innovate faster and cover a broader spectrum of threats and SecOps without the propensity of false positives.</div>
<div>
<br /></div>
<div>
-- Gunter Ollman</div>
<div>
<br /></div>
Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-36723297854618216902017-12-16T23:36:00.001-08:002017-12-17T00:15:59.900-08:00What would you do if...As a bit of a "get to know your neighbor" exercise or part of a team building exercise, have you ever been confronted with one of those "What would you do if..." scenarios?<br />
<br />
My socially awkward and introvert nature (through some innate mechanism of self preservation) normally helps me evade such team building exercises, but every so often I do get caught out and I'm forced to offer up an answer to the posed scenario.<br />
<br />
The last couple of times the posed question (or a permutation thereof) has been "What would you do if you were guaranteed to be financially secure and could choose to do anything you wanted to do - with no worries over money?" i.e. money is no object. It surprises me how many people will answer along the lines of building schools in Africa, working with war veterans, helping the homeless, etc.<br />
<br />
Perhaps its a knee jerk response if you haven't really thought about it and re-actively think of something that you expect your new found group of friends and colleges will appreciate, or maybe it is genuine... but for me, such a thought seems so shallow.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPW_hPsKc1ocV1nPaUBwvURD3ANjr02gwcIqorVooTlzE2IYsiOG5Ko-y4_huBtndis9SCmzuU_F_o7S_6jEbvtncTYpZzidWdcS_sblVINVb8gUjEBORgiIK-zB8hIKlvanOETd8ykUQB/s1600/eye-macro-close-up-1200x600.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPW_hPsKc1ocV1nPaUBwvURD3ANjr02gwcIqorVooTlzE2IYsiOG5Ko-y4_huBtndis9SCmzuU_F_o7S_6jEbvtncTYpZzidWdcS_sblVINVb8gUjEBORgiIK-zB8hIKlvanOETd8ykUQB/s400/eye-macro-close-up-1200x600.jpg" width="400" /></a></div>
I've often dwelled and retrospectively thought about the twists and turns of my career, my family life, and where I screwed up more than other times etc. and, along the way, I have though many many times about what I'd do if I were ever financially secure that I could chose to do anything.<br />
<br />
Without doubt (OK, maybe a little trepidation), I'd go back to University and purse a degree and career in bio-medical engineering research. But I don't have any desire to be a doctor, a surgeon, or pharmacist.<br />
<br />
I'd cast away my information security career to become someone driving research at the forefront of medicine - in the realm of tissue, organ, and limb regrowth... and beyond. And, with enough money, build a research lab to purse and lead this new area of research<br />
<br />
You see I believe were at the cusp of being able to regrow/correct many of the disabilities that limit so many lives today. We're already seeing new biomedical technologies enabling children deaf or blind from birth to hear their mothers voice or see their mothers face for the first time. It's absolutely wonderful and if anyone who's ever seen a video of the first moments a child born with such disabilities experiences such a moment hasn't choked up and felt the tears themselves, then I guess we're cut from different sheets.<br />
<br />
But that fusion of technology in solving these disabilities, like the attachments of robotic limbs to amputees, is (in my mind) still only baby-steps; not towards the cyborgs of science fiction fame, but towards to world of biological regrowth and augmentation through biological means.<br />
<br />
Today, we see great steps towards the regrowth of ears, hearts, kidneys, bone, and skin. In the near future... the future I would so dearly love to learn, excel, and help advance, lies in what happens next. We'll soon be able to regrow any piece of the human body. Wounded warriors will eventually have lost limbs restored - not replaced with titanium and carbon-fiber fabricated parts.<br />
<br />
I believe that the next 20 years of bio-medical engineering research will cause medicine to advance more that all medical history previously combined. And, as part of that journey, within the 30 years after that (i.e. 21-50 years from now), I believe in the potential of that science to not only allow humans to effectively become immortal (if you assume that periodic replacement of faulty parts are replaced, until our very being finally gives up due to boredom), but also to augment ourselves in many new and innovative ways. For example, using purely biological means, enabling our eyes to view a much broader spectrum of the electromagnetic spectrum, at orders of magnitude higher than today, with "built-in" zoom.<br />
<br />
Yes, it sounds fantastical, but that's in part to the opportunities that lie ahead in such a new and exciting field, and why I'd choose to drop everything an enter "...if you were guaranteed to be financially secure and could choose to do anything you wanted to do - with no worries over money."<br />
<br />
-- GunterGunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-75853983700003988552017-01-15T13:16:00.000-08:002017-01-15T13:16:34.977-08:00Allowing Vendors VPN access during Product Evaluation<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_qZOqvHMRp3JuDuPwJMgE_gBOmVzLPv1QchWkUXTAg-o2gHvljdsyHVvbHDLr17b8Kq9FYdC6v4KcluuR-HfPj2_4pHdf1vRY3wUdozBIBXSUtPKv9AltjmlZVgJXQB_JDBCzQKj0hu7j/s1600/MechanicalTurk.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_qZOqvHMRp3JuDuPwJMgE_gBOmVzLPv1QchWkUXTAg-o2gHvljdsyHVvbHDLr17b8Kq9FYdC6v4KcluuR-HfPj2_4pHdf1vRY3wUdozBIBXSUtPKv9AltjmlZVgJXQB_JDBCzQKj0hu7j/s200/MechanicalTurk.jpg" width="186" /></a></div>
For many prospective buyers of the latest generation of network threat detection technologies it may appear ironic that these AI-driven learning systems require so much manual tuning and external monitoring by vendors during a technical “proof of concept” (PoC) evaluation.<br />
<br />
Practically all vendors of the latest breed of network-based threat detection technology require varying levels of network accessibility to the appliances or virtual installations of their product within a prospect’s (and future customers) network. Typical types of remote access include:<br />
<br />
<ul>
<li>Core software updates (typically a pushed out-to-in update)</li>
<li>Detection model and signature updates (typically a scheduled in-to-out download process)</li>
<li>Threat intelligence and labeled data extraction (typically an ad hoc per-detection in-to-out connection)</li>
<li>Cloud contribution of abstracted detection details or meta-data (often a high frequency in-to-out push of collected data)</li>
<li>Customer support interface (ad hoc out-to-in human-initiated supervisory control)</li>
<li>Command-line technical support and maintenance (ad hoc out-to-in human-initiated supervisory control)</li>
</ul>
<br />
Depending upon the product, the vendor, and the network environment, some or all of these types of remote access will be required for the solution to function correctly. But which are truly necessary and which could be used to unfairly manually manipulate the product during this important evaluation phase?<br />
<br />
To be flexible, most vendors provide configuration options that control the type, direction, frequency, and initialization processes for remote access.<br />
<br />
When evaluating network detection products of this ilk, the prospective buyer needs to very carefully review each remote access option and fully understand the products reliance and efficacy associated with each one. Every remote access option eventually allowed is (unfortunately) an additional hole being introduced to the buyers’ defenses. Knowing this, it is unfortunate that some vendors will seek to downplay their reliance upon certain remote access requirements – especially during a PoC.<br />
<br />
Prior to conducting a technical evaluation of the network detection system, buyers should ask the following types of questions to their prospective vendor(s):<br />
<br />
<ul>
<li>What is the maximum period needed for the product to have learned the network and host behaviors of the environment it will be tested within?</li>
<li>During this learning period and throughout the PoC evaluation, how frequently will the product’s core software, detection models, typically be updated? </li>
<li>If no remote access is allowed to the product, how long can the product operate before losing detection capabilities and which detection types will degrade to what extent over the PoC period?</li>
<li>If remote interactive (e.g. VPN) control of the product is required, precisely what activities does the vendor anticipate to conduct during the PoC, and will all these manipulations be comprehensively logged and available for post-PoC review?</li>
<li>What controls and data segregation are in place to secure any meta-data or performance analytics sent by the product to the vendor’s cloud or remote processing location? At the end of the PoC, how does the vendor propose to irrevocably delete all meta-data from their systems associated with the deployed product?</li>
<li>If testing is conducted during a vital learning period, what attack behaviors are likely to be missed and may negatively influence other detection types or alerting thresholds for the network and devices hosted within it?</li>
<li>Assuming VPN access during the PoC, what manual tuning, triage, or data clean-up processes are envisaged by the vendor – and how representative will it be of the support necessary for a real deployment?</li>
</ul>
<br />
It is important that prospective buyers understand not only the number and types of remote access necessary for the product to correctly function, but also how much “special treatment” the PoC deployment will receive during the evaluation period – and whether this will carry-over to a production deployment.<br />
<br />
As vendors strive to battle their way through security buzzword bingo, in this early age of AI-powered detection technology, remote control and manual intervention in to the detection process (especially during the PoC period) may be akin to temporarily subscribing to a <a href="https://en.wikipedia.org/wiki/The_Turk" target="_blank">Mechanical Turk</a> solution; something to be very careful of indeed.<br />
<br />
-- Gunter Ollmann, Founder/Principal @ <a href="http://www.ablativesecurity.com/" target="_blank">Ablative Security</a><br />
<div>
<br /></div>
Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-4881728735188724602017-01-13T10:13:00.001-08:002017-01-13T10:13:13.031-08:00Machine Learning Approaches to Anomaly and Behavioral Threat DetectionAnomaly detection approaches to threat detection have traditionally struggled to make good on the efficacy claims of vendors once deployed in real environments. Rarely have the vendors lied about their products capability – rather, the examples and stats they provide are typically for contrived and isolated attack instances; not representative of a deployment in a noisy and unsanitary environment.<br />
<br />
Where anomaly detection approaches have fallen flat and cast them in a negative value context is primarily due to alert overload and “false positives”. False Positive deserves to be in quotations because (in almost every real-network deployment) the anomaly detection capability is working and alerting correctly – however the anomalies that are being reported often have no security context and are unactionable.<br />
<br />
Tuning is a critical component to extracting value from anomaly detection systems. While “base-lining” sounds rather dated, it is a rather important operational component to success. Most false positives and nuisance alerts are directly attributable to missing or poor base-lining procedures that would have tuned the system to the environment it had been tasked to spot anomalies in.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH2w7LV2VT5yb_cRvjZCpc_Ivp0vJDAHWjJX2SoOjey4ZCHAndAW37BfXupIBvV0dJKKSBxf344oJacnWsKWXXObC7NQiiLghtTBls3ktVvrlRQOkOqYyekuvxpr8v1xg2D_fr0Mnr5vuP/s1600/7650660.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH2w7LV2VT5yb_cRvjZCpc_Ivp0vJDAHWjJX2SoOjey4ZCHAndAW37BfXupIBvV0dJKKSBxf344oJacnWsKWXXObC7NQiiLghtTBls3ktVvrlRQOkOqYyekuvxpr8v1xg2D_fr0Mnr5vuP/s320/7650660.jpg" width="320" /></a></div>
Assuming an anomaly detection system has been successfully tuned to an environment, there is still a gap on actionability that needs to be closed. An anomaly is just an anomaly after all.<br />
Closure of that gap is typically achieved by grouping, clustering, or associating multiple anomalies together in to a labeled behavior. These behaviors in turn can then be classified in terms of risk.<br />
<br />
While anomaly detection systems dissect network traffic or application hooks and memory calls using statistical feature identification methods, the advance to behavioral anomaly detection systems requires the use of a broader mix of statistical features, meta-data extraction, event correlation, and even more base-line tuning.<br />
<br />
Because behavioral threat detection systems require training and labeled detection categories (i.e. threat alert types), they too suffer many of the same operational ill effects of anomaly detection systems. Tuned too tightly, they are less capable of detecting threats than an off-the-shelf intrusion detection system (network NIDS or host HIDS). Tuned to loosely, then they generate unactionable alerts more consistent with a classic anomaly detection system.<br />
<br />
The middle ground has historically been difficult to achieve. Which anomalies are the meaningful ones from a threat detection perspective?<br />
<br />
Inclusion of machine learning tooling in to the anomaly and behavioral detection space appears to be highly successful in closing the gap.<br />
<br />
What machine learning brings to the table is the ability to observe and collect all anomalies in real-time, make associations to both known (i.e. trained and labeled) and unknown or unclassified behaviors, and to provide “guesses” on actions based upon how an organization’s threat response or helpdesk (or DevOps, or incident response, or network operations) team has responded in the past.<br />
<br />
Such systems still require baselining, but are expected to dynamically reconstruct baselines as it learns over time how the human operators respond to the “threats” it detects and alerts upon.<br />
Machine learning approaches to anomaly and behavioral threat detection (ABTD) provide a number of benefits over older statistical-based approaches:<br />
<br />
<ul>
<li>A dynamic baseline ensures that as new systems, applications, or operators are added to the environment they are “learned” without manual intervention or superfluous alerting.</li>
<li>More complex relationships between anomalies and behaviors can be observed and eventually classified; thereby extending the range of labeled threats that can be correctly classified, have risk scores assigned, and prioritized for remediation for the correct human operator.</li>
<li>Observations of human responses to generated alerts can be harnesses to automatically reevaluate risk and prioritization over detection and events. For example, three behavioral alerts are generated associated with different aspects of an observed threat (e.g. external C&C activity, lateral SQL port probing, and high-speed data exfiltration). The human operator associates and remediates them together and uses the label “malware-based database hack”. The system now learns that clusters of similar behaviors and sequencing are likely to classified and remediated the same way – therefore in future alerts the system can assign a risk and probability to the new labeled threat.</li>
<li>Outlier events can be understood in the context of typical network or host operations – even if no “threat” has been detected. Such capabilities prove valuable in monitoring the overall “health” of the environment being monitored. As helpdesk and operational (non-security) staff leverage the ABTD system, it also learns to classify and prioritize more complex sanitation events and issues (which may be impeding the performance of the observed systems or indicate a pending failure).</li>
</ul>
<br />
It is anticipated that use of these newest generation machine learning approaches to anomaly and behavioral threat detection will not only reduce the noise associated with real-time observations of complex enterprise systems and networks, but also cause security to be further embedded and operationalized as part of standard support tasks – down to the helpdesk level.<br />
<br />
-- Gunter Ollmann, Founder/Principal @ <a href="http://www.ablativesecurity.com/" target="_blank">Ablative Security</a><br />
<br />
(first published January 13th - "<a href="http://www.ablativesecurity.com/single-post/2017/01/13/From-Anomaly-to-Behavior-and-on-to-Learning-Systems" target="_blank">From Anomaly, to Behavior, and on to Learning Systems</a>")Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-25446120871434740732016-12-23T10:11:00.000-08:002016-12-23T10:11:16.428-08:00Body Worn Camera Technologies – Futures and Security<div class="MsoNormal">
“Be careful what you wish for” is an appropriate adage for the
flourishing use and advancement of body worn camera (BWC) technologies. As
police forces around the world adapt to increased demands for accountability –
where every decision, reaction, and word can be analyzed in post-event forensic
fashion – the need and desire to equip each police or federal agent with a
continuously recording camera has grown.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheu6Gm0sc8fv4Qe6GsJtM6IMjf8CTOnMRif-55ROdL42JrfPpQlXWuqvgMoWGIp3-R-fKAMlrT2kqJ5JQB9b34SGOD-hEOtCyiPOi-WsRnBupCHBztdUQDFyDSCbe_pxASQ7AZbE5VWuqj/s1600/ap_philadelphia_police_body_cameras.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheu6Gm0sc8fv4Qe6GsJtM6IMjf8CTOnMRif-55ROdL42JrfPpQlXWuqvgMoWGIp3-R-fKAMlrT2kqJ5JQB9b34SGOD-hEOtCyiPOi-WsRnBupCHBztdUQDFyDSCbe_pxASQ7AZbE5VWuqj/s320/ap_philadelphia_police_body_cameras.jpg" width="320" /></a></div>
<div class="MsoNormal">
There are pros and cons to every technology – both from
technical capability and societal changes. The impartial and continuous recording
of an event or confrontation places new stresses on those whose job is to
enforce the thousands of laws society must operate within on a daily basis, in
the knowledge that each interpretation and action could be dissected in a court
of law at some point in the future. Meanwhile, “offenders” must assume that
each action – hostile or otherwise – could fall afoul of some hitherto unknown law
in fully recorded technicolor.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
Recently the National Institute of Justice released a market
survey on <a href="https://www.ncjrs.gov/pdffiles1/nij/grants/250381.pdf">Body
Worn Camera Technologies</a>. There are over 60 different BWCs specifically created
for law enforcement use and the document provides information on the marketed capabilities
of this relatively new class of technology.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The technological features of the current generation of BWCs
are, overall, quite rudimentary - given limitations of battery power,
processing capabilities, and network bandwidth. There is however a desire by
the vendors to advance the technology substantially; not just in recording
capability, but in areas such as facial recognition and cloud integration.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Today’s generation of BWCs truly are the 1.0 version of a
policing platform that will evolve rapidly over the coming decade. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I’ve had a chance to look a little closer at the
specifications and capabilities of today’s BWC solutions and have formulated
some thoughts to how these BWC platforms will likely advance over the coming
years (note that some capabilities already exist within specialized military
units around the world – and will be easy additions to the BWC platform once
the costs to produce reduce):</div>
<div class="MsoNormal">
</div>
<ol>
<li><b style="text-indent: -0.25in;">Overcome
the bandwidth problem to allow real-time streaming and remote analysis of the
video date.</b><span style="text-indent: -0.25in;"> As cellular capabilities increase and 4G/5G becomes cheaper and
more reliable in metro centers, “live action” can be passed to law enforcement
SOC (just like existing CCTV capabilities). In cases where such cellular
technology isn’t reliable, or where having multiple law enforcement officers working
in the same close geographic proximity, the likely use of mobile cellular
towers (e.g. as a component of the police vehicle) to serve as the local node –
offering higher definition and longer recording possibilities, and remote SOC “dial-in”
to oversee operations with minimal bandwidth demands.</span></li>
<li><b style="text-indent: -0.25in;">Cloud
integration of collected facial recognition data.</b><span style="text-indent: -0.25in;"> As the video processing
capabilities of the BWC improves, it will be possible to create the unique
codification of faces that are being recorded. This facial recognition data
could then be relayed to the cloud for matching against known offender
databases, or for geographic tracking of individuals (without previously knowing
their name – but could be matched with government-issued photo ID’s, such as
driver license or passport images). While the law enforcement officer may not
have immediately recognized the face or it may have been only a second’s passing
glimpse, a centralized system could alert the officer to the persons presence.
In addition, while an officer is questioning or detaining a suspect, facial
recognition can be used to confirm their identity in real-time.</span></li>
<li><b style="text-indent: -0.25in;">BWC, visor,
and SOC communication integration. </b><span style="text-indent: -0.25in;">As BWCs transition from a “passive
recording” system in to a real-time integrated policing technology, it is reasonable
to assume that advancements in visual alerting will be made – for example a
tactical visor that presents information in real time to the law enforcement
officer – overlaying virtual representations and meta-data on their live view
of the situation. Such a technology advance would allow for rapid crowd
scanning (e.g. identifying and alerting of wanted criminals passing through a
crowd or mall), vehicles (e.g. license plate look-up), or notable item
classification (e.g. the presence of a firearm vs replica toy).</span></li>
<li><b style="text-indent: -0.25in;">Broad
spectrum cameras and processing.</b><span style="text-indent: -0.25in;"> The cameras used with today’s BWC
technology are typically limited to standard visible frequencies, with some
offering low-light recording capabilities. It is reasonable to assume that a
broader spectrum of frequency coverage will expand upon what can be recorded
and determined using local or cloud based processing. Infrared frequency
recording (e.g. enabling heat mapping) could help identify sick or ailing
detainees (e.g. bird flu outbreak victim, hypothermic state of rescued person),
as well as provide additional facial recognition capabilities independent of
facial coverings (e.g. beard, balaclava, glasses) – along with improved capabilities
in night-time recording or (when used with a visor or ocular accessory) for
tracking a runaway.</span></li>
<li><b style="text-indent: -0.25in;">Health
and anxiety measurement.</b><span style="text-indent: -0.25in;"> Using existing machine learning and signal
processing techniques it is possible to measure the </span><a href="https://www.extremetech.com/computing/159309-mit-researchers-measure-your-pulse-detect-heart-abnormalities-with-smartphone-camera" style="text-indent: -0.25in;">heart
rate variability (HRV) from a recorded video</a><span style="text-indent: -0.25in;"> stream. As the per-unit compute
power of BWC devices increase, it will be possible to accurately measure the
heart rate of an individual merely by focusing on their face and relaying that
to the law enforcement officer. Such a capability can be used to identify possible
health issues with the individual, recent exertions, or anxiety-related
stresses. Real-time HRV measurements could aid in determining whether a
detainee is lying or needs medical attention. Using these machine learning techniques,
HRV can be determined even if the subject is wearing a mask, or if only the
back of the head is visible.</span></li>
<li><b style="text-indent: -0.25in;">Hidden
weapon detection.</b><span style="text-indent: -0.25in;"> Advanced signal processing and AI can be used to
determine whether an object is hidden on a moving subject based of fabric
movements. As a clothed person moves, the fabrics used in their clothing fold,
slide, oscillate, and move in many different ways. AI systems can be harnessed
to analyze frame-by-frame movements, identify hard points and layered stress
points, and outline the shape and density of objects or garments hidden or
obscured by the outer most visible layer of clothing. Pattern matching systems
could (in real-time) determine the size, shape, and relative density of the
weapon or other hidden element on the person. In its most basic form, the
system could verbally alert the BWC user that the subject has a holstered gun
under the left breast of their jacket, or a bowie knife taped to their right
leg. With a more advanced BWC platform (as described in #3 above), a future
visor may overlay the accumulated weapon and hard-point detection on the law enforcement
officer’s view of the subject – providing a pseudo x-ray vision (but not
requiring any active probing signals).</span></li>
</ol>
<br />
<div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<o:p></o:p></div>
<div class="MsoNormal">
Given the state of current and anticipated advances in
camera performance, Edge Computing capability, broadband increases, and
smart-device inter-connectivity over the coming decade, it is reasonable to
assume that BWC technology platform will incorporate most if not all of the
above listed capabilities.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As video evidence from BWC becomes more important to successful
policing, it is vital that a parallel path for data security, integrity, and
validation of that video content be advanced. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The anti-tampering capabilities of BWC systems today are severely
limited. Given the capabilities of current generation off-the-shelf video
editing suites, manipulation of video can be very difficult if not impossible
to detect. These video editing capabilities will continue to advance.
Therefore, for trust in BWC footage to remain (and ideally grow), new classes
of anti-tamper and frame-by-frame signing will be required – along with
advanced digital chain of custody tracking. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
Advances and commercialization block-chain technology would
appear at first glance to be ideally suited to digital chain of custody
tracking.<o:p></o:p></div>
Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-43196494605372000842016-12-21T14:51:00.002-08:002016-12-21T14:51:47.542-08:00Edge Computing, Fog Computing, IoT, and Securing them All<div class="MsoNormal">
The oft used term “the Internet of Things” (IoT) has
expanded to encapsulate practically any device (or “thing”) with some modicum
of compute power that in turn can connect to another device that may or may not
be connected to the Internet. The range of products and technologies falling in
to the IoT bucket is immensely broad – ranging from household refrigerators that
can order and restock goods via Amazon, through to Smart City traffic flow
sensors that feed navigation systems to avoid jams, and even implanted heart
monitors that can send emergency updates via the patient’s smartphone to a cardiovascular
surgeon on vacation in the Maldives. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The information security community – in fact, the InfoSec
industry at large – has struggled and mostly failed to secure the “IoT”. This
does not bode well for the next evolutionary advancement of networked compute technology.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Today’s IoT security problems are caused and compounded by
some pretty hefty design limitations – ranging from power consumption, physical
size and shock resistance, environmental exposure, cost-per-unit, and the manufacturers
overall security knowledge and development capability. <o:p></o:p></div>
<div class="MsoNormal">
The next evolutionary step is already underway – and exposes
a different kind of threat and attack surface to IoT.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As each device we use or the components we incorporate in to
our products or services become smart, there is a growing need for a “brain of
brains”. In most technology use cases, it makes no sense to have every smart device
independently connecting to the Internet and expecting a cloud-based system to
make sense of it all and to control. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It’s simply not practical for every device to use the cloud
the way smartphones do – sending everything to the cloud to be processed,
having their data stored in the cloud, and having the cloud return the processed
results back to the phone.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Consider the coming generation of automobiles. Every motor,
servo, switch, and meter within the vehicle will be independently smart –
monitoring the devices performance, configuration, optimal tuning, and fault
status. A self-driving car needs to instantaneously process this huge volume of
data from several hundred devices. Passing it to the cloud and back again just
isn’t viable. Instead the vehicle needs to handle its own processing and
storage capabilities – independent of the cloud – yet still be interconnected.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The concepts behind this shift in computing power and
intelligence are increasingly referred to as “Fog Computing”. In essence,
computing nodes closest to the collective of smart devices within a product
(e.g. a self-driving car) or environment (e.g. a product assembly line) must be
able to handle he high volumes of data and velocity of data generation, and
provide services that standardize, correlate, reduce, and control the data
elements that will be passed to the cloud. These smart(er) aggregation points
are in turn referred to as “Fog Nodes”. <o:p></o:p></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm6qV2eiCbguzK4IpRB9fqAMT9eheAxsDXFFei5LYISQRVj4IqItOxnjQL7OW0TMgANiqR-frlqelfKA1Fl03xHIdyujsUZvbqf2GhRN18YEvq9zSkC5nu1d9zAIpCWXq48Ux8CA28cw_r/s1600/Fog_Architecture_-1200x533.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm6qV2eiCbguzK4IpRB9fqAMT9eheAxsDXFFei5LYISQRVj4IqItOxnjQL7OW0TMgANiqR-frlqelfKA1Fl03xHIdyujsUZvbqf2GhRN18YEvq9zSkC5nu1d9zAIpCWXq48Ux8CA28cw_r/s400/Fog_Architecture_-1200x533.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: Cisco</td></tr>
</tbody></table>
<div class="MsoNormal">
Evolutionary, this means that computing power is shifting to
the edges of the network. Centralization of computing resources and processing within
the Cloud revolutionized the Information Technology industry. “Edge Computing”
is the next advancement – and it’s already underway.</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If the InfoSec industry has been so unsuccessful in securing
the IoT, what is the probability it will be more successful with Fog Computing
and eventually Edge Computing paradigms?<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
My expectation is that securing Fog and Edge computing
environments will actual be simpler, and many of the problems with IoT will
likely be overcome as the insecure devices themselves become subsumed in the
Fog.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A limitation of securing the IoT has been the processing
power of the embedded computing system within the device. As these devices
begin to report in and communicate through aggregation nodes, I anticipate those
nodes to have substantially more computing power and will be capable of
performing securing and validating the communications of all the dumb-smart devices.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As computing power shifts to the edge of the network, so too
will security. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Over the years corporate computing needs have shifted from
centralized mainframes, to distributed workstations, to centralized and public
cloud, and next into decentralized Edge Computing. Security technologies and
threat analytics have followed a parallel path. While the InfoSec industry has
failed to secure the millions upon millions of IoT devices already deployed,
the cure likely lies in the more powerful Fog Nodes and smart edges of the
network that do have the compute power necessary to analyze threats and mitigate
them.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
That all said, Edge Computing also means that there will be
an entirely new class of device isolated and exposed to attack. These edge
devices will not only have to protect the less-smart devices they proxy control
for, but will have to be able to protect themselves too.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
Nobody ever said the life of an InfoSec professional was
dull.<o:p></o:p></div>
Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-18595345055763104772016-12-07T13:54:00.001-08:002016-12-07T13:54:20.258-08:00Sledgehammer DDoS Gamification and Future Bugbounty Integration<div class="MsoNormal">
Monetization of DDoS attacks has been core to online crime
way before the term cybercrime was ever coined. For the first half of the
Internet’s life DDoS was primarily a mechanism to extort money from targeted
organizations. As with just about every Internet threat over time, it has
evolved and broadened in scope and objectives.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The new report by Forcepoint Security Labs covering their
investigation of the <a href="https://www.forcepoint.com/sites/default/files/resources/files/datasheet_sledgehammer_the_gamification_of_ddos_attacks_en.pdf">Sledgehammer
gamification of DDoS attacks</a> is a beautiful example of that evolution.
Their analysis paper walks through both the malware agents and the scoreboard/leaderboard
mechanics of a Turkish DDoS collaboration program (named Sath-ı Müdafaa or
“Surface Defense”) behind a group that has targeted organizations with
political ties deemed inconsistent with Turkey’s current government.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9xKhA1BSUza2qvt7PTbtovd0Y99AePQa7w-_vBwswiAoA9f0CyNE9jbT8te4DkzbT-ENE0kun9zpejHbgjL2cXMgCTIhVjMKgiK9mr68Xon0CZetusl4NoGYs2JD213h02Ib0d-Sh8vOR/s1600/blocks-ipad.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9xKhA1BSUza2qvt7PTbtovd0Y99AePQa7w-_vBwswiAoA9f0CyNE9jbT8te4DkzbT-ENE0kun9zpejHbgjL2cXMgCTIhVjMKgiK9mr68Xon0CZetusl4NoGYs2JD213h02Ib0d-Sh8vOR/s200/blocks-ipad.png" width="200" /></a></div>
<div class="MsoNormal">
In this most recent example of DDoS threat evolution, a pool
of hackers is encouraged to join a collective of hackers targeting the websites
of perceived enemies of Turkey’s political establishment.</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
Using the DDoS agent “Balyoz” (the Turkish word for “sledgehammer”),
members of the collective are tasked with attacking a predefined list of target
sites – but can suggest new sites if they so wish. In parallel, a scoreboard
tracks participants use of the Balyoz attack tool – allocating points that can
be redeemed against acquiring a stand-alone version of the DDoS tool and other
revenue-generating cybercrime tools, for every ten minutes of attack they
conducted.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As is traditional in the dog-eat-dog world of cybercrime,
there are several omissions that the organizers behind the gamification of the
attacks failed to pass on to the participants – such as the backdoor built in
to the malware they’re using.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Back in 2010 I wrote the detailed paper “<a href="https://www.damballa.com/downloads/r_pubs/WP_Understanding_the_Modern_DDoS_attack.pdf">Understanding
the Modern DDoS Threat</a>” and defined three categories of attacker –
Professional, Gamerz, and Opt-in. This new DDoS threat appears to meld the
Professional and Opt-in categories in to a single political and money-making
venture. Not a surprise evolutionary step, but certainly an unwanted one.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If it’s taken six years of DDoS cybercrime evolution to get
to this hybrid gamification, what else can we expect?<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In that same period of time we’ve seen ad hoc website
hacking move from an ignored threat, to forcing a public disclosure discourse,
to acknowledgement of discovery and remediation, and on to commercial bug bounty
platforms.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The bug bounty platforms (such as <a href="https://bugcrowd.com/">Bugcrowd</a>, <a href="https://hackerone.com/">HackerOne</a>,
<a href="https://www.vulbox.com/">Vulbox</a>, etc.) have successfully gamified the
low-end business of website vulnerability discovery – where bug hunters and
security researchers around the world compete for premium rewards. Is it not a
logical step that DDoS also make the transition to the commercial world?<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Several legitimate organizations provide “DDoS Resilience
Testing” services. Typically, through the use of software bots they spin up
within public cloud infrastructure, DDoS-like attacks are launched at paying
customers. The objectives of such an attack include the measurement and verification
of the defensive capabilities of the targets infrastructure to DDoS attacks, to
exercise and test the companies “blue team” response, and to wargame business
continuity plans.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
If we were to apply the principles of bug bounty programs to
gamifying the commercial delivery of DDoS attacks, rather than a contrived limited-scope
public cloud imitation, we’d likely have much more realistic testing capability
– benefiting all participants. I wonder who’ll be the first organization to
master scoreboard construction and incentivisation? I think the new bug bounty
companies are agile enough and likely have the collective community following
needed to reap the financial rewards of the next DDoS evolutionary step.<o:p></o:p></div>
Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-37993537977302648662016-12-01T09:06:00.000-08:002016-12-01T09:06:19.407-08:00NTP: The Most Neglected Core Internet ProtocolThe Internet of today is awash with networking protocols, but at its core lies a handful that fundamentally keep the Internet functioning. From my perspective, there is no modern Internet without DNS, HTTP, SSL, <a href="http://searchtelecom.techtarget.com/feature/BGP-essentials-The-protocol-that-makes-the-Internet-work" target="_blank">BGP</a>, SMTP, and NTP.<br />
<br />
Of these most important Internet protocols, NTP (Network Time Protocol) is the likely least understood and has the least attention and support. Until very recently, it was supported (part-time) by just one person - <a href="http://nwtime.org/bio/harlan-stenn/" target="_blank">Harlen Stenn</a> - "who had lost the root passwords to the machine where the source code was maintained (so that machine hadn't received security updates in many years), and that machine ran a proprietary source-control system that almost no one had access to, so it was very hard to contribute to".<br />
<br />
Just about all secure communication protocols and server synchronization processes require that they have their internal clocks set the same. NTP is the protocol that allows all this to happen.<br />
<br />
<a href="https://icei.org/" target="_blank">ICEI</a> and <a href="https://cacr.iu.edu/" target="_blank">CACR</a> have gotten involved with supporting NTP and there are several related protocol advancements underway to increase security of such vital component of the Internet. NTS (Network Time Security), currently in draft version with the Internet Engineering Task Force (IETF), aims to give administrators a way to add security to NTP and promote secure time synchronization.<br />
<br />
While there have been remarkably few exploitable vulnerabilities in NTP over the years, the recent growth of DDoS botnets (such as <a href="https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html" target="_blank">Mirai</a>) utilizing <a href="http://www.csoonline.com/article/3118234/networking/ntp-reflection-attacks-hit-record-high.html" target="_blank">NTP Reflection Attacks</a> shone a new light on its frailties and importance.<br />
<br />
Some relevant stories on the topic of how frail and vital NTP has become and whats being done to correct the problem can be found at:<br />
<br />
<ul>
<li><a href="http://www.infoworld.com/article/3144546/security/time-is-running-out-for-ntp.html" target="_blank">Time is Running Out for NTP</a></li>
<li><a href="http://boingboing.net/2016/11/29/ntp-the-rebirth-of-ailing-fa.html" target="_blank">NTP: the rebirth of ailing, failing core network infrastructure</a></li>
<li><a href="https://boingboing.net/2016/11/11/the-internets-core-infrastru.html" target="_blank">The internet's core infrastructure is dangerously unsupported and could crumble (but we can save it!)</a></li>
</ul>
<br />
<br />Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-36734965647990077812016-11-29T14:05:00.002-08:002016-11-29T14:05:56.671-08:00The Purple Team PentestIt’s not particularly clear whether a marketing intern thought he was being clever or a fatigued pentester thought she was being cynical when the term “Purple Team Pentest” was first thrown around like spaghetti at the fridge door, but it appears we’re now stuck with the term for better or worse.<br />
<br />
Just as the <a href="http://technicalinfodotnet.blogspot.com/2016/11/navigating-pentest-world.html" target="_blank">definition of penetration testing</a> has broadened to the point that we commonly label a full-scope penetration of a target’s systems with the prospect of lateral compromise and social engineering as a Red Team Pentest – delivered by a “Red Team” entity operating from a sophisticated hacker’s playbook. We now often acknowledge the client’s vigilant security operations and incident response team as the “Blue Team” – charged with detecting and defending against security threats or intrusions on a 24x7 response cycle.<br />
<br />
Requests for penetration tests (Black-box, Gray-box, White-box, etc.) are typically initiated and procured by a core information security team within an organization. This core security team tends to operate at a strategic level within the business – advising business leaders and stakeholders of new threats, reviewing security policies and practices, coordinating critical security responses, evaluating new technologies, and generally being the go-to-guys for out-of-ordinary security issues. When it comes to penetration testing, the odds are high that some members are proficient with common hacking techniques and understand the technical impact of threats upon the core business systems.<br />
<br />
These are the folks that typically scope and eventually review the reports from a penetration test – they are however NOT the “Blue Team”, but they may help guide and at times provide third-line support to security operations people. No, the nucleus of a Blue Team are the front-line personnel watching over SIEM’s, reviewing logs, initiating and responding to support tickets, and generally swatting down each detected threat as it appears during their shift.<br />
<br />
Blue Teams are defensively focused and typically proficient at their operational security tasks. The highly-focused nature of their role does however often mean that they lack what can best be described as a “hackers eye view” of the environment they’re tasked with defending.<br />
<br />
Traditional penetration testing approaches are often adversarial. The Red Team must find flaws, compromise systems, and generally highlight the failures in the targets security posture. The Blue Team faces the losing proposition of having to had already secured and remediated all possible flaws prior to the pentest, and then reactively respond to each vulnerability they missed – typically without comprehension of the tools or techniques the Red Team leveraged in their attack. Is it any wonder that Blue Teams hate traditional pentests? Why aren’t the Red Team consultants surprised that the same tools and attack vectors work a year later against the same targets?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2L6HUtt903t9ipf3TSwOO0Fu6tR-dfEPTQClmiADLHXYDpSYQqsmABQh5wi_CgUo7vPlVmE_zwLJwLaI3M54TqPIHtJ_vYfJ1PeoU70JdupkTaKzz_wzochiLhhc-4hbXWZR-0jLGz_EW/s1600/PurpleTeaming1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2L6HUtt903t9ipf3TSwOO0Fu6tR-dfEPTQClmiADLHXYDpSYQqsmABQh5wi_CgUo7vPlVmE_zwLJwLaI3M54TqPIHtJ_vYfJ1PeoU70JdupkTaKzz_wzochiLhhc-4hbXWZR-0jLGz_EW/s400/PurpleTeaming1.jpg" width="400" /></a></div>
<br />
A Purple Team Pentest should be thought of as a dynamic amalgamation of Red Team and Blue Team members with the purpose of overcoming communication hurdles, facilitating knowledge transfer, and generally arming the Blue Team with newly practiced skills against a more sophisticated attacker or series of attack scenarios. <br />
<br />
<b>How to Orchestrate a Purple Team Pentest Engagement</b><br />
<br />
Very few organizations have their own internal penetration testing team and even those that do regularly utilize external consulting companies to augment that internal team to ensure the appropriate skills are on hand and to tackle more sophisticated pentesting demands.<br />
<br />
A Purple Team Pentest almost always utilizes the services of an external pentest team – ideally one that is accomplished and experienced in Red Team pentesting.<br />
<br />
Bringing together two highly skilled security teams – one in attack, the other in defense – and having them not only work together, but to also achieve all the stated goals of a Purple Team pentest, requires planning and leadership.<br />
<br />
To facilitate a successful Purple Team Pentest, the client organization should consider the following key elements:<br />
<br />
<ul>
<li><b>Scope & Objectives -</b> Before reaching out and engaging with a Red Team provider, carefully define the scope and objectives of the Purple Team Pentest. Be specific as to what the organizations primary goals are and what business applications or operational facilities will be within scope. Since a key objective of conducting a Purple Team Pentest is to educate and better arm the internal Blue Team and to maximize the return on a Red Team’s findings, identify and list the gaps that need to be addressed in order to define success.</li>
<li><b>Blue Team Selection -</b> Be specific in defining which pieces of the organization and which personnel constitute the “Blue Team”. Go beyond merely informing various security operations staff that they are now part of a Blue Team. It is critical that the members feel they are a key component in the company’s new defensive strategy. Educate them about the roles and responsibilities of what the Blue Team entails. Prior to engaging with a Red Team provider and launching a Purple Team Pentest, socialize and refine the scope and objectives of the proposed Purple Teaming engagement with the team directly.</li>
<li><b>Red Team Selection -</b> It is important that the client select a Red Team that consists of experienced penetration testers. The greater the skills and experience of the Red Team members, the more they will be able to contribute to the Purple Team Pentest objectives. Often, in pure Red Team Pentest engagements, the consulting team will contain a mix of experienced and junior consultants – with the junior consultants performing much of the tool-based activities under the supervision of the lead consultant. Since a critical component of a Purple Team Pentest lies in the ability to communicate and educate a Blue Team to the attacker’s methodologies and motivations, junior-level consultants add little value to that dialogue. Clients are actively encouraged to review the resumes of the consultants proposed to constitute the Red Team in advance of testing.</li>
<li><b>Playbook Definition -</b> Both sides of the Purple Teaming exercise have unique objectives and methodologies. Creation of a playbook in advance of testing is encouraged and so too is the sharing and agreement between the teams. This playbook loosely defines the rules of the engagement and is largely focused on environment stability (e.g. rules for patch management and rollout during the testing period) and defining exceptions to standard Blue Team responses (e.g. identifying but not blocking the inbound IP addresses associated with the Red Team’s C&C).</li>
<li><b>Arbitrator or Referee -</b> Someone must be the technical “Referee” for the Purple Team Pentest. They need to be able to speak both Red Team and Blue Team languages, interpret and bridge the gap between them, manage the security workshops that help define and resolve any critical threat discoveries, and generally arbitrate according to the playbook (often adding to the playbook throughout the engagement). Ideally the arbitrator or referee for the engagement is not directly associated with, or a member of, either the Red or Blue teams.</li>
<li><b>Daily Round-table Reviews -</b> Daily round-table discussions and reviews of Red Team findings are the center-piece of a successful Purple Team Pentest. Best conducted at the start of each day (mitigating the prospect of long tired days and possible overflow of working hours – curtailing discussion), the Red Team lays out the successes and failures of the previous days testing, while the Blue Team responds with what they detected and how they responded. The review facilitates the discussion of “What and Why” the Red Team members targeted, explain the “How” they proceeded, and allows the Blue Team to query and understand what evidence they may have collected to detect and thwart such attacks. For example, daily discussions should include discussions covering what traffic did the tool or methodology generate, where could that evidence have been captured, how could that evidence be interpreted, what responses would pose the biggest hurdle to the attacker?</li>
<li><b>Pair-down Deep Dives -</b> Allowing members of the teams to “pair down” after the morning review to dive deeper in to the technical details and projected responses to a particular attack vector or exploitation is highly encouraged.</li>
<li><b>Evaluate Attack and Defense Success in Real-time -</b> Throughout the engagement the “Arbitrator” should engage with both teams and be constantly aware of what attacks are in play by the Red Team, and what responses are being undertaken by the Blue Team. In some attack scenarios it may be worthwhile allowing the Red Team to persist in an attack even if it has been detected and countered by the Blue Team, or is known to be unsuccessful and unlikely to lead to compromise. However, the overall efficiency can be increased and the cost of a Purple Team Pentest can be reduced by brokering conversations between the teams when attack vectors are stalled, irrelevant, already successful, or known to eventually become successful. For example, the Red Team are able to get a foothold on a compromised host and then proceed to bruteforce attack the credentials of an accessible internal database server. Once the Red Team have successfully started their brute-force attack it may be opportune to validate with the Blue Team that they have already been alerted to the attack in process and are initiating countermeasures. At that point in time, in order to speed up the testing and to progress with another approved attack scenario, a list of known credentials are passed directly to the Red Team and they may progress with a newly created test credential on that (newly) compromised host.</li>
<li><b>Triage and Finding Review -</b> Most Red Team pentests will identify a number of security vulnerabilities and exploit paths that were missed by the Blue Team and will require vendor software patches or software development time to remediate. In a pure Red Team Pentest engagement, a “Final Report” would be created listing all findings – with a brief description of recommended and generic best practice fixes. In a Purple Team Pentest, rather than production of a vulnerability findings report, an end-of-pentest workshop should be held between the two teams. During this workshop each phase of the Red Team testing is reviewed – discoveries, detection, remediation, and mitigation – with an open Q&A dialogue between the teams and, at the conclusion of the workshop, a detailed remediation plan is created along with owner assignment.</li>
</ul>
<br />
<b>The Future is Purple</b><br />
<br />
While the methodologies used in Purple Team penetration testing are the same as those of a stand-alone Red Team Pentest, the business objectives and communication methods used are considerably different. Even though the Purple Team Pentest concept is relatively new, it is an increasingly important vehicle for increasing an organizations security stature and reducing overall costs.<br />
<br />
The anticipated rewards from conducting a successful Purple Team pentest include increased Blue Team knowledge of threats and adversaries, muscle-memory threat response and mitigation, validation of playbook response to threats in motion, confidence in sophisticated attacker incident response, identification and enumeration of new vulnerabilities or attack vectors, and overall team-building.<br />
<br />
As businesses become more aware of Purple Teaming concepts and develop an increased understanding of internal Blue Team capabilities and benefits, it is anticipated that many organizations will update their annual penetration testing requirements to incorporate Purple Team Pentest as a cornerstone of their overall information security and business continuity strategy.<br />
<br />
<i>-- Gunter Ollmann</i><br />
<div>
<br /></div>
Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-43024146855514958292016-11-28T08:14:00.002-08:002016-11-29T16:09:42.598-08:00Navigating the "Pentest" WorldThe demand for penetration testing and security assessment services worldwide has been growing year-on-year. Driven largely by Governance, Risk, and Compliance (GRC) concerns, plus an evolving pressure to be observed taking information security and customer privacy seriously, most CIO/CSO/CISO’s can expect to conduct regular “pentests” as a means of validating their organizations or product’s security.<br />
<br />
An unfortunate circumstance of two decades of professional service oriented delivery of pentests is that the very term “penetration testing” now covers a broad range of security services and risk attributes – with most consulting firms provide a smorgasbord of differentiated service offerings – intermixing terms such as security assessment and pentest, and constructing hybrid testing methodologies.<br />
<br />
For those newly tasked with having to find and retain a team capable of delivering a pentest, the prospect of having to decipher the lingo and identify the right service is often daunting – as failure to get it right is not only financially costly, but may also be career-ending if later proven to be inadequate.<br />
<br />
<b>What does today’s landscape of pentesting look like?</b><br />
<br />
All penetration testing methodologies and delivery approaches are designed to factor-in and illustrate a threat represented by an attack vector or exploitation. A key differentiator between many testing methodologies lies in whether the scope is to identify the presence of a vulnerability, or to exploit and subsequently propagate an attack through that vulnerability. The former is generally bucketed in the assessment and audit taxonomy, while the latter is more commonly a definition for penetration testing (or an ethical hack).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipFETIC7sR7ZalBckkGl2ZfQa7-Bop6RO0dl3qlfrFdfVlMfXBe_EQvkvDHQlM5A1lgs6SFAKV9rG7eED5RK1nHirH5RTT26vct-r9ANMjtdSn-njdIYIAtNw98tLU5L9z3ZTGeC1sLJ-L/s1600/Slide1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipFETIC7sR7ZalBckkGl2ZfQa7-Bop6RO0dl3qlfrFdfVlMfXBe_EQvkvDHQlM5A1lgs6SFAKV9rG7eED5RK1nHirH5RTT26vct-r9ANMjtdSn-njdIYIAtNw98tLU5L9z3ZTGeC1sLJ-L/s400/Slide1.JPG" width="400" /></a></div>
<div>
<div>
The penetration testing market and categorization of services is divided by two primary factors – the level of detail that will be provided by the client, and the range of “hacker” tools and techniques that will be allowed as part of the testing. Depending upon the business drivers behind the pentest (e.g. compliance, risk reduction, or attack simulation), there is often a graduated-scale of services. Some of the most common terms used are:</div>
<div>
<ul>
<li><b>Vulnerability Scanning</b><br />The use of automated tools to identify hosts, devices, infrastructure, services, applications, and code snippets that may be vulnerable to known attack vectors or have a history of security issues and vulnerabilities.</li>
<li><b>Black-box Pentest</b><br />The application of common attack tools and methodologies against a client-defined target or range of targets in which the pentester is tasked with identifying all the important security vulnerabilities and configuration failures of the scoped engagement. Typically, the penetration scope is limited to approved systems and windows of exploitation to minimize the potential for collateral damage. The client provides little information beyond the scope and expects the consultant to replicate the discovery and attack phases of an attacker who has zero insider knowledge of the environment. </li>
<li><b>Gray-box Pentest</b><br />Identical methodology to the Black-box Pentest, but with some degree of insider knowledge transfer. When an important vulnerability is uncovered the consultant will typically liaise with the client to obtain additional “insider information” which can be used to either establish an appropriate risk classification for the vulnerability, or initiate a transfer of additional information about the host or the data it contains (that could likely be gained by successfully exploiting the vulnerability), without having to risk collateral damage or downtime during the testing phase.</li>
<li><b>White-box Pentest (also referred to as Crystal-box Pentest)</b><br />Identical tools and methodology to the Black-box Pentest, but the consultants are supplied with all networking documentation and details ahead of time. Often, as part of a White-box Pentest, the client will provide network diagrams and the results of vulnerability scanning tools and past pentest reports. The objective of this type of pentest is to maximize the consultants time on identifying new and previously undocumented security vulnerabilities and issues.</li>
<li><b>Architecture Review</b><br />Armed with an understanding of common attack tools and exploitation vectors, the consultant reviews the underlying architecture of the environment. Methodologies often include active testing phases, such as network mapping and service identification, but may include third-party hosting and delivery capabilities (e.g. domain name registration, DNS, etc.) and resilience to business disruption attacks (e.g. DDoS, Ransomware, etc.). A sizable component of the methodology is often tied to the evaluation and configuration of existing network detection and protection technologies (e.g. firewall rules, network segmentation, etc.) – with configuration files and information being provided directly by the client.</li>
<li><b>Redteam Pentest</b><br />Closely related to the Black-box pentest, the Redteam pentest mostly closely resembles a real attack. The scope of the engagement (targets and tools that can be used) is often greater than a Black-box pentest, and typically conducted in a manner to not alert the client’s security operations and incident response teams. The consultant will try to exploit any vulnerabilities they reasonably believe will provide access to client systems and, from a compromised device, attempt to move laterally within a compromised network – seeking to gain access to a specific (hidden) target, or deliver proof of control of the entire client network.</li>
<li><b>Code Review</b><br />The consultant is provided access to all source code material and will use a mix of automated and manual code analysis processes to identify security issues, vulnerabilities, and weaknesses. Some methodologies will encompass the creation of proof-of-concept (PoC) exploitation code to manually confirm the exploitability of an uncovered vulnerability.</li>
<li><b>Controls Audit</b><br />Typically delivered on-site, the consultant is provided access to all necessary systems, logs, policy-derived configuration files, reporting infrastructure, and data repositories, and performs an audit of existing security controls against a defined list of attack scenarios. Depending upon the scope of the engagement, this may include validation against multiple compliance standards and use a mix of automated, manual, and questionnaire-based evaluation techniques.</li>
</ul>
</div>
<div>
<b>The Hybrid Pentest Landscape</b></div>
<div>
<br /></div>
<div>
In recent years the pentest landscape has evolved further with the addition of hybrid services and community-sourcing solutions. </div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiul3U3oEoKy5bGxRP9RNOxFmrl96uIMG2sm68m5ecgjrEmbFYDpVNBzYFcIPhqGYJDLTmMp0vVQRsg6RC3dIGeCQ1kkBzK2glKmahoTaXA0cdkck8rIX29REF3axmPgV9p_K-LaKuHOexK/s1600/Slide2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiul3U3oEoKy5bGxRP9RNOxFmrl96uIMG2sm68m5ecgjrEmbFYDpVNBzYFcIPhqGYJDLTmMp0vVQRsg6RC3dIGeCQ1kkBzK2glKmahoTaXA0cdkck8rIX29REF3axmPgV9p_K-LaKuHOexK/s400/Slide2.JPG" width="400" /></a></div>
<div>
<div>
Overlapping the field of pentesting, there are three important additions:</div>
<div>
<ul>
<li><b>Bug Bounty Programs</b><br />Public bug bounty programs seek to crowdsource penetration testing skills and directly incentivize participants to identify vulnerabilities in the client’s online services or consumer products. The approach typically encompasses an amalgamation of Vulnerability Scanning and Black-box Pentest methodologies – but with very specific scope and limitations on exploitation depth. With (ideally) many crowdsourced testers, the majority of testing is repeated by each participant. The hope is that, over time, all low-hanging fruit vulnerabilities will be uncovered and later remediated. </li>
<li><b>Purple Team Pentest</b><br />This hybrid pentest combines Redteam and Blueteam (i.e. the client’s defense or incident response team) activities in to a single coordinated testing effort. The Redteam employs all the tools and tricks of a Redteam Pentest methodology, but each test is watch and responded to in real-time by the client’s Blueteam. As a collaborative pentest, there is regular communication between the teams (typically end of day calls) and synching of events. The objectives of Purple Team pentesting is both assess the capabilities of the Blueteam and to reduce the time typically taken to conduct a Redteam Pentest – by quickly validating the success or failure of various attack and exploitation techniques, and limiting the possibility of downtime failures of targeted and exploited systems.</li>
<li><b>Disaster Recovery Testing</b><br />By combining a Whitebox Pentest with incident response preparedness testing and a scenario-based attack strategy, Disaster Recovery Testing is a hybrid pentest designed to review, assess, and actively test the organization's capability to respond and recover from common hacker-initiated threats and disaster scenarios.</li>
</ul>
</div>
<div>
Given the broad category of “pentest” and the different testing methodologies followed by security consulting groups around the globe, prospective clients of these services should ensure that they have a clear understanding of what their primary business objectives are. Compliance, risk reduction, and attack simulation are the most common defining characteristics driving the need for penetration testing – and can typically align with the breakdown of the various pentest service definitions.</div>
</div>
<div>
<br />
<i>[Update: First graph adapted from Patrick Thomas' tweet - <a href="https://twitter.com/coffeetocode/status/794593057282859008">https://twitter.com/coffeetocode/status/794593057282859008</a>]</i></div>
<br />Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-4387431251783144322016-07-10T11:39:00.001-07:002016-07-10T11:39:19.519-07:00The Future of Luxury Car Brands in a Self-Driving CityFor the automotive manufacturing industry, the next couple of decades are going to be make or break for most of the well known brand names we're familiar with today. <div>
<br /></div>
<div>
With the near term prospect of "self-driving" cars and city-level smart traffic routing (and monitoring) infrastructure fundamentally changing the way in which we drive, and the shift in city demographics that promotes a growing move away from wanting (or being able to afford) a personal vehicle, it should be clear to all that the motoring practices of the last century are on a trajectory to disappear pretty quickly.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOqifcNt9h5BswGH1UyicgqXHfqVLEgmnskWi972NyJtSxsMHY5slmSqJnMmlQ-jM4egKS8KXEpKe1U-xok24SS3VxqAFhDxYNBm5q4LIofkSEaVvTuYTiKxOAf6rRFG6pjXPUU9uwy5Sn/s1600/self-drivingCar.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOqifcNt9h5BswGH1UyicgqXHfqVLEgmnskWi972NyJtSxsMHY5slmSqJnMmlQ-jM4egKS8KXEpKe1U-xok24SS3VxqAFhDxYNBm5q4LIofkSEaVvTuYTiKxOAf6rRFG6pjXPUU9uwy5Sn/s400/self-drivingCar.jpg" width="400" /></a></div>
<div>
As self-driving cars eventually negate the "love of driving" and city traffic routing and control systems begin to rigorously enforce variable speed limits, congestion charging, and overall traffic management, the personal car becomes more and more just another impersonal transport system. If that's likely the case (or even partially the case), then what does the future hold for the manufacturers of luxury cars?</div>
<div>
<br /></div>
<div>
Earlier this month I spent a week in Bavaria, Germany, visiting customers and prospects. The economies of cities like Stuttgart and Munich fundamentally revolve around the luxury automotive industry. Companies like BMW, Audi, and Porsche define the standard in personal vehicle luxury and generally lead the world in technical innovation (especially in safety features). Speaking with locals around Bavaria there is a very real fear that the next two decades could see the fall and eventual demise of these brands.</div>
<div>
<br /></div>
<div>
If the act of "driving" is completely replaced with computer control systems and the vehicle itself eventually becomes a commodity (because every vehicle performs the same way, travels at the same speeds, and is carefully governed by city traffic management systems), luxury vehicle "performance" is no longer a perceived value. As the mandated vehicle safety designs are achieved by all manufacturers and there's only a small percentage difference between the best and the worst (yet all getting "five stars"), advanced safety innovation no longer becomes a distinguishing factor. Finally, as Millennials (and the majority of city-bound Generation X and Y) give up the love, desire, and financial capability to own a personal vehicle - and instead seek "on-demand" public transport systems the likes that Uber and its kin will spawn - then "luxury" becomes a style choice without a premium.</div>
<div>
<br /></div>
<div>
Like those Bavarians I spoke with, these luxury car manufacturers are going to have to change dramatically if they are to continue to be the brands they are today. Despite all the technical innovation they've been renowned for over the last century, it does appear that they are late to the party and need to dramatically change their businesses in pretty short order.</div>
<div>
<br /></div>
<div>
As a BMW owner myself, I'm surprised at how far the company appears to be behind the global changes. I'd have thought that such a technically innovative company would have grasped the social and economic affects on luxury vehicle sales to city dwellers for the coming decade or two. While BMW (and other luxury car brands) have doubled down on vehicle performance, emission controls, renewable energy, and environmentally friendly design, it feels like they've been caught flat-footed in the innovation and desires of people (and city planners) to remove themselves from being the weakness behind the steering wheel... and the implication on all luxury vehicle brands.</div>
<div>
<br /></div>
<div>
I'm positive that the engineers at BMW and other traditionally innovative vehicle manufacturers have many relevant technologies tested and maybe shelved in their laboratories and around test tracks.</div>
<div>
<br /></div>
<div>
While I doubt that "luxury" will form less of a vehicles buying decision in the future - especially when the trend is towards fleet management of such vehicles (e.g. taxis, delivery, etc.) - I think that, for these companies to survive, they're going to have to become "technology companies".</div>
<div>
<br /></div>
<div>
Although late to the party, present-day luxury vehicle manufacturers can transform in to strong technology companies. For example, some opportunities could include:</div>
<div>
<ul>
<li>With several decades of technical safety R&D innovation (e.g. collision avoidance, LADAR, automated parking, route guidance systems, land management, sleepy driver recognition, etc.) they already have the credentials and respect in the industry (and with consumers) as being the research leaders... so why not bundle up these safety features and license them under their brands. For example, the future Google self-driving car... music by Bose, safety by BMW.</li>
<li>As designers of engines (combustion, hybrid, and electric) they have decades of experience in design and performance. That could translate in to innovating city-wide refueling management platforms and systems.</li>
<li>"Smart Cities" are still mostly a desire rather than a reality. There is huge opportunity for proven technology companies to come in and define the rules, criteria, monitoring, and management of city-wide traffic control systems. Detailed knowledge of vehicle performance, capabilities, and safety controls whole be an ideal platform for building upon.</li>
<li>Regardless of just how many driver-less cars come to market over the coming decades, there are still going to be hundreds of millions of cars that were never built or designed to be "driver-less". There is an obvious requirement for supplemental or conversion kits for older vehicles - not just their own models.</li>
</ul>
<div>
The list above could be expanded considerably and I doubt that similar thoughts haven't also been discussed at various points in the last half-decade by the luxury brands themselves. However it would seem to me that now is a time of action.</div>
</div>
<div>
<br /></div>
<div>
It'll be very interesting to see how these luxury vehicle manufacturers reinvent themselves. If they have the funds now, then not only should they continue to innovate down safety technology paths, but they should probably be looking down the acquisition path... bringing into the fold new tech companies specializing in fleet and city vehicle management, taxi and courier management and control systems, city traffic monitoring and control systems, and maybe even a new generation of refueling station.</div>
Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-68558530996035707222016-07-09T09:41:00.000-07:002016-07-09T09:41:25.231-07:00Next Generation Weapons: The Eye Burner RifleThe fantasy worlds of early 20th Century science fiction writers, in many ways, appear to be "now-ish" in terms of the technologies we'll wage war or police the civil population. Many of the weapons proposed a century ago were nuclear-based... well, perhaps "Atomic" was the more appropriate label at the time. Some authors pursued electric guns or "lightening" throwers, and by the mid-20th century the more common man-portable weapon systems were based upon high-powered laser systems.<br />
<br />
When I think of new weapon systems... man-portable... and likely to be developed and employed within the coming quarter century, I think that many of the systems will integrate automatic target acquisition processes and coherent light - for"less lethal" confrontations. The term "less lethal" is of course relative and doesn't exclude weapon systems that are proficient at maiming and causing great pain or suffering.<br />
<br />
One such system that, given current technological advances, lies within the finger tips of today's weapon designers could encompass the use of high intensity light, automated facial feature recognition, and "high-powered" laser light - and have a higher degree of target incapacitation than current personal small-arms have today.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ4fNK__QtAtGopcTnuu2VQ-GfurRqNVBrmYqsHqijrSEbGuQ7TpiOkv1pUee5uF7q6HmA8nIkptlosHhspmgupRHtyGtalLWNKa2_VeBLGXZsB4W92DOkFVtVUqFCBCHD_KU8lwZCd9a2/s1600/laser1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ4fNK__QtAtGopcTnuu2VQ-GfurRqNVBrmYqsHqijrSEbGuQ7TpiOkv1pUee5uF7q6HmA8nIkptlosHhspmgupRHtyGtalLWNKa2_VeBLGXZsB4W92DOkFVtVUqFCBCHD_KU8lwZCd9a2/s320/laser1.png" width="195" /></a></div>
The concept would be of a handheld configuration (similar size and dimensions of a rifle) that, when manually pointed in the direction of a target, bathes the target in a high intensity "white light" (giving the weapon system a range of say 50 meters) for a short period of time, at which point an embedded high-definition video device uses facial recognition processes to identify the physical eyes of the target currently "lit up", and subsequently automatically aligns a built-in high-powered laser with the targets eyes and fires. The laser, depending upon the power of the light source, would either temporarily or permanently blind the target.<br />
<br />
A single trigger pull would bath the target with the main light function (which may temporarily disorient them anyway), but during that trigger pull the automated eye acquisition, eye targeting, and laser firing would happen in a fraction of a second (faster than a bullet could traverse the distance between shooter and target). I guess after the laser has successfully acquired the eyes and fired, the main light function would end... like a half-second burst of white light. To an external observer, the weapon user appeared to just fire a burst of white light at the head or torso of the target.<br />
<br />
Obviously there are a lot of nuances to a "future" weapon like this. For example, would the target blink or close their eyes if the initial "white light" was directed at them? - At night, the answer is likely yes, however the facial recognition systems would still work and even a current "off-the-shelf" laser of the 5-20W range is strong enough to "burn through" the eyelids and damage the eyes. During the day it would obviously be easier... in fact perhaps the "white light" component is not required... instead the shooter merely targets the "head" and the rest of the system figures out the eyes and fires (or fries) the eyes of the target.<br />
<br />
There are of course questions about ethics. But, compared to several ounces of hollow-point lead flying at several times the speed of sound, the option of permanent blindness is still a recoverable situation for the target.<br />
<br />
[Wandering thoughts in SciFi]Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-74709332242249122762016-01-29T05:37:00.003-08:002016-01-29T05:37:45.080-08:00Watching the Watchers Watching Your NetworkIt seems that this last holiday season didn’t bring much cheer or goodwill to corporate security teams. With the public disclosure of remotely exploitable vulnerabilities and backdoors in the products of several well-known security vendors, many corporate security teams spent a great deal of time yanking cables, adding new firewall rules, and monitoring their networks with extra vigilance.<br />
<br />
It’s not the first time that products from major security vendors have been found wanting.<br />
<br />
It feels as though some vendor’s host-based security defenses fail on a monthly basis, while network defense appliances fail less frequently – maybe twice per year. At least that’s what a general perusal of press coverage may lead you to believe. However, the reality is quite different. Most security vendors fix and patch security weaknesses on a monthly basis. Generally, the issues are ones that they themselves have identified (through internal SDL processes or the use of third-party code reviews and assessment) or they are issues identified by customers. And, every so often, critical security flaws will be “dropped” on the vendor by an independent researcher or security company that need to be fixed quickly.<br />
<br />
Two decades ago, the terms “bastion host”, DMZ, and “firewall” pretty much summed up the core concepts of network security, and it was a simpler time for most organizations – both for vendors and their customers. The threat spectrum was relatively narrow, the attacks largely manual, and an organization’s online presence consisted of mostly static material. Yet, even then, if you picked up a book on network security you were instructed in no short order that you needed to keep your networks separate; one for the Internet, one for your backend applications, one for your backups, and a separate one for managing your security technology.<br />
<br />
Since that time, many organizations have either forgotten these basic principles or have intentionally opted for riskier (yet cheaper) architectures and just hoping that their protection technologies are up to the task. Alas, as the events of December 2015 have shown us, every device added to a network introduces a new set of security challenges and weaknesses.<br />
<br />
From a network security perspective, when looking at the architecture of critical defenses, there are four core principles:<br />
<br />
<ol>
<li>Devices capable of monitoring or manipulating network traffic should never have their management interfaces directly connected to the Internet. If these security devices need to be managed over the Internet it is critical that only encrypted protocols be used, multi-factor authentication be employed, and that approved in-bound management IP addresses be whitelisted at a minimum. </li>
<li>The management and alerting interfaces of security appliances must be on a “management” network – separated from other corporate and public networks. It should not be possible for an attacker who may have compromised a security device to leverage the management network to move laterally onto other guest systems or provide a route to the Internet. </li>
<li>Span ports and network taps that observe Internet and internal corporate traffic should by default only operate in “read-only” mode. A compromised security monitoring appliance should never be capable of modifying network traffic or communicating with the Internet from such an observation port. </li>
<li>Monitor your security products and their management networks. Security products (especially networking appliances such as core routers, firewalls, and malware defenses) will always be a high-value target to both external and internal attackers. These core devices and their management networks must be continuously monitored for anomalies and audited. </li>
</ol>
<br />
In an age where state-sponsored reverse engineers, security research teams, and online protagonists are actively hunting for flaws and backdoors in the widely deployed products of major security vendors as a means of gaining privileged and secret access to their target’s networks, it is beyond prudent to revisit the core tenets of secure network architecture.<br />
<br />
Corporate security teams and network architects should assume not only that new vulnerabilities and backdoors will be disclosed throughout the year, but that those holes may have been accessible and exploited for several months beforehand. As such, they should adopt a robust defense-in-depth strategy including “watchers watching watchers.”Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0tag:blogger.com,1999:blog-9222823941653971224.post-52046924399203061062016-01-29T05:20:00.000-08:002016-01-29T05:30:27.026-08:00Shodan's Shining LightThe Internet is chock full of really helpful people and autonomous systems that silently probe, test, and evaluate your corporate defenses every second of every minute of every hour of every day. If those helpful souls and systems aren’t probing your network, then they’re diligently recording and cataloguing everything they’ve found so others can quickly enumerate your online business or list systems like yours that are similarly vulnerable to some kind of attack or other.<br />
<br />
Back in the dark ages of the Internet (circa the 20th century) everyone had to run their own scans to map the Internet in order to spot vulnerable systems on the network. Today, if you don’t want to risk falling foul of some antiquated hacking law in some country by probing IP addresses and shaking electronic hands with the services you encounter, you can easily find a helpful soul that’s figured it all out on your behalf and turn on the faucet of knowledge for a paltry sum.<br />
<br />
One of the most popular services to shine light on and enumerate the darkest corners of the Internet is Shodan. It’s a portal-driven service through which subscribers can query its vast database of IP addresses, online applications and service banners that populate the Internet. Behind the scenes, Shodan’s multiple servers continually scan the Internet, enumerating and probing every device they encounter and recording the latest findings.<br />
<br />
As an online service that diligently catalogues the Internet, Shodan behaves rather nicely. Servers that do the scanning aren’t overly aggressive and provide DNS information that doesn’t obfuscate who and what they are. Additionally, they are little more troublesome than Google in its efforts to map out Web content on the Internet.<br />
<br />
In general, most people don’t identify what Google (or Microsoft, Yahoo or any other commercial search engine) does as bad, let alone illegal. But if you are familiar with the advanced search options these sites offer or read any number of books or blogs on “Google Dorks,” you’ll likely be more fearful of them than something with limited scope like Shodan.<br />
<br />
Unfortunately, Shodan is increasingly perceived as a threat by many organizations. This might be due to its overwhelming popularity or its frequent citation amongst the infosec community and journalists as a source of embarrassing statistics. Consequently, security companies like Check Point have included alerts and blocking signatures in a vain attempt to thwart Shodan and its ilk.<br />
<br />
On one hand, you might empathize with many organizations on the receiving end of a Shodan scan. Their Internet-accessible systems are constantly probed, their services are enumerated, and every embarrassing misconfiguration or unpatched service is catalogued and could be used against them by evil hackers, researchers and journalists.<br />
<br />
In some realms, you’ll also hear that the bad guy competitors to Shodan (e.g. cyber criminals mapping the Internet for their own financial gain) are copying the scanning characteristics of Shodan so the target’s security and incident response teams assume it’s actually the good guys and ignore the threat.<br />
<br />
On the other hand, with it being so easy to modify the scanning process – changing scan types, modifying handshake processes, using different domain names, and launching scans from a broader range of IP addresses – you’d be forgiven for thinking that it’s all a bit of wasted effort… about as useful as a “keep-off-the-grass” sign in Hyde Park.<br />
<br />
Although “robots.txt” in its own way serves as a similarly polite request for commercial Web search scanners to not navigate and cache pages on a site, it is most often ignored by scanning providers. It also serves as a flashing neon arrow that directs hackers and security researchers to the more sensitive content.<br />
<br />
It’s a sad indictment of current network security practices that a reputable security vendor felt the need and justification to add detection rules for Shodan scans and that their customer organizations may feel more protected for implementing them.<br />
<br />
While the virtual “keep-off-the-grass” warning isn’t going to stop anyone, it does empower the groundskeeper to shout, “Get off my land!” (in the best Cornish accent they can muster) and feel justified in doing so. In the meantime, the plague of ever-helpful souls and automated systems will continue to probe away to their hearts content.Gunter Ollmannhttp://www.blogger.com/profile/00872922499284887206noreply@blogger.com0