Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘FAIL’ Category

Equifax and Musicians


Screenshot from Zerohedge

So here’s my thing: it isn’t about the fact that she was a music major and had two degrees in that. What it is really all about is the fact that she had no discernible security experience, in the time she was working in the position or before, to make her qualified to handle the job. THIS IS THE ISSUE PEOPLE! It is not about her having a degree that has nothing to do with security. So please stop all the 140 character bullshit and get it through your thick heads that even if you have a degree in IT this does not necessarily make you qualified to handle a job in information security, ok?

Now that the CSO’s and CISO’s LinkedIn pages are redacted you can’t see much of anything, but before they took them down I looked and neither had the requisite experience that would make me consider them for a position as an executive in charge of ensuring that the security of the company and, more importantly, the security of the clients’ data was in capable hands. Look, let’s face it, you can say that the exec is just there as an advocate or to manage. Trust me though, if they have no experience in the arena either they listen to their guys in the field and implicitly trust them and advocate, or they are just compliance monkeys of the worst order.

I have lived it and I have seen it throughout my career in security. So please stop all the fuckery about “I have a degree in animal science and woe is me I am unfit for security!”

BULLSHIT

If you have a degree or not, you have to have put in the hours of study and actually doing the things! If you haven’t then you are out of your depth and bad things will happen.

Just look at Equifax.

K.

Written by Krypt3ia

2017/09/20 at 15:14

Posted in FAIL, FUCKERY

Robin Sage Has Taught Us Nothing It Seems…


Screenshot from 2014-07-08 09:28:52

Cutouts and LinkedIn

Recently I was sent an invite by the profile of “Emanuel Gomez”, an alleged recruiter from Alaska, asking to be added to my LinkedIn “friends”. Some of you may have seen the event happen on LinkedIn, as after I did a little due diligence OSINT it became clear that this account was a cutout for someone looking for entrée to my list of connections using a rather obvious fake name and details. The first clue though was a quick search of the headshot used on Google image search, which came up with the real person’s name and profile elsewhere. Once I got that hit it was all out OSINT time and here is what I found.

Real user profile of unsuspecting Richard Velazquez


The culprit behind this fake LI account is one Leon Jaimes, a techie in Alaska via Colorado. Leon had used an email address in his profile that led me right to him, as he posted under his real name at various bulletin boards and had a Flickr account attached to the same address. Within his data on the image upload site he had many personal details as well as an old registration with pertinent personal data on it that he had photographed and placed on the web… Yeah.. Sigh…

Screenshot from 2014-07-08 09:58:18

I made short work of Leon and dug up a lot on him, including an arrest record for being drunk and trespassing in someone’s house. All I have to say is: Leon, buddy, like I said in the email I sent to you, your OPSEC sucks! Leon actually emailed me back asking where he had gone wrong and admitting to the profile, which I did not answer… I mean really? I am going to teach you better OPSEC? Two words: FUCK. NO.

I had meanwhile begun a thread on LinkedIn about the incident (the pic at top started the string) to alert others to the ongoing ruse. I had seen others within my circle who had fallen for this, as well as others he seemed to be aiming at. At the time I initially got the email to add him he had 23 connections. By 10 am he had 50. People were just click happy and adding him to their connections without really taking a closer look at his profile. Mind you, these were people in INFOSEC as well as MIL and Fed types! I checked the profile as of this writing though and it is now gone from LI, so there is at least that, and more than a few people have looked at my post and commented. Yet, it still bothers me that so many fell for such a poorly constructed profile.

FAIL.

Social Animals With Cognitive Issues

Screenshot from 2014-07-08 09:41:30

So what have we learned since the big hullabaloo over Robin Sage? It would seem not much, really. Why is this? Why have people generally not learned from the event Tommy sparked a few years ago? Are we just not teaching people about SE and the perils of cutout accounts and espionage being carried out by state actors and others via venues like LinkedIn? I actually believe that there are many concomitant issues at play here, and I recently spoke at BSidesCT about the cognitive issues around security.

We are creatures of habit with lazy minds, it seems, with cognitive impediments that are biological, and generally, as a species, we have adapted to being social animals. It’s this very social aspect that is being leveraged so well today, as always, in the espionage world. It is just that today you can reach people much more easily via the net and social media and harvest much more data extremely quickly. There are of course a host of social mores that I could go into but perhaps that’s for another day. What I would really like to say here though is that if you are on LinkedIn and you are not at least trying to vet the people trying to get you to add them, then you are likely adding cutout accounts as well, who are spying on you.

OPSEC Lessons Learned

So I guess many people may not care at all who they connect to on LinkedIn. Perhaps some of those people are in INFOSEC or the Defense base as well. Maybe those users really have nothing in their profiles to protect and do not consider their connections to be of worth to some adversary somewhere. Perhaps those same people are idiots and have not been paying attention to the news for the last, oh, let’s say 3 years? Maybe there is just a general lack of education on the whole within companies about social engineering, phishing, and today’s common attacks? Is there actually a study out there showing just how much education is going on at a corporate and nationwide scale?

Here are the salient simple facts for you all to chew on:

  • Everyone is a target and your information and your connections are important to an adversary looking to attack YOUR business.
  • Social Media sites like LinkedIn are a goldmine for this intelligence gathering. Not only of your connections but also your personal information that you may leak there or other places that when mined, can lead to a fuller picture of who you are, your habits, and your weaknesses.
  • Phishing and SPEAR-Phishing attacks start at this level with intelligence gathering on you and others in your circles. Plans are hatched leveraging who you know and who you work with to exploit you and others into clicking links or giving up intelligence to the adversary.
  • All of the above happens every day to millions of people and the reality is you are the only one who can try to prevent it by being more aware of these things.

I should think that there would be more moratoriums on the use of LinkedIn and other places that tag where you work to your profile. This is a real harvest festival and has been for some time, and yet no one has made a move here. LinkedIn is also part of the problem. They seem to be doing pretty much nothing to invent means of vetting people to ensure they are who they say they are. Look at the recent case of Newscaster and their use of not only LI but also Facebook and Twitter. They had numerous people from the aerospace community connected to them on LinkedIn and this was an Iranian operation (note: amateurish and likely not state sponsored or run) but still… You get the picture, right?

I will leave you with these questions:

  • What’s on your LinkedIn?
  • Who are you connected to?
  • What information is on your profile that could be used to tell what access you have, who you work for, who your friends are, what your preferences are etc…
  • What secrets do you have that I can exploit from your social media accounts?
  • What OPSEC precautions have you taken to protect your information?
  • Are you even aware of these things?

Think before you click ADD USER.

K.

Written by Krypt3ia

2014/07/08 at 14:41

ASSESSMENT: Target Media and Lawsuit Failures



The Target Hack Media Failures:

From the moment that Brian Krebs first put out his story on the Target hack it’s been mostly a feeding frenzy of reporters trying to outscoop not only Brian but everyone else they could leverage to get a headline. Throughout the whole affair though there has been a lot of speculation on how the hack happened, the timelines, and just what, if anything, Target knew about what was happening to them as it was going on. Since the first report we have come a long way toward understanding, through confidential sources, just how the hack happened, but the reality is that there are many things still unsaid about the hack itself with any certainty.

The biggest hole in the whole story to date has been how the hackers infiltrated Target in the first place. After looking at data that Brian had shown me and doing my own research on Rescator and the Lampeduza, he and I came to some conclusions on how they most likely got into their systems. Primarily, the phish on Fazio allowed the attackers to gain access to Target’s booking/payment systems for doing business with their vendors online. It was a supposition on my part that they used an infected Excel sheet, doc file or PDF to gain access to the peripheral system connected to the internet by passing it with the stolen credentials to Target’s online system. Once a user had the file inside they likely opened the document and infected themselves, thus allowing access to the general network. Of course then it became simply an issue of locating a machine that sits on the LAN where the servers and the POS can be accessed.

The media generally though has been harping on the idea that since Fazio is an HVAC company they had access to ICS or PLC units within the Target network, as this is all the rage in the news. There has never been any proof of this happening, and in fact Fazio has made a statement saying they never had remote access to the Target HVAC systems as they don’t do that kind of work for them. This however escaped the media in general as well as some infosec bloggers that I know. Now however we have a new twist on this media festival of failure with the advent of the Target lawsuits recently brought by banks involved with this mess.

The Target Lawsuit Failures:

The Target lawsuit now not only goes after Target Corp itself but also Trustwave, a security company that allegedly carried out the Target PCI-DSS (Payment Card Industry Data Security Standard) assessment at or around the same time as the compromise of Target was happening. It was at this time that Trustwave certified that Target was in fact “PCI Compliant” and thus, in the industry’s eyes, secure. Of course this is a misconception that many in the security field have been venting about for years, and the popular term for it is “checkbox security” because in reality it is just a check mark on a form and not a real means of protecting data.

Screenshot from 2014-03-28 15:59:42

The lawsuit is filled with ill-informed views on what happened to Target as well as on how security works, and has been roundly regarded in the security community as well as the legal community as a joke. Using dubious sources on cyber security and primarily believing all that the media has written on the subject of the Target breach, this lawsuit makes assumptions about PCI that are common and untenable. One of the more egregious failures in comprehension is that any system of checks and/or regulations would make any system or database secure just by the very fact that you have checked off all the boxes in a list of things to do. This is especially the case with PCI, due in large part to the way it is audited and by whom.

PCI-DSS Failures:

One of the real issues that seems to be coming out of the lawsuit and the reporting on it centers on encryption of data. The encryption of data at rest (in a database) or in flight (on the network between systems) seems to be the crux of the issue for the legal team for the litigants in the Target affair, but I would like to state here and now that it is a moot one. The idea is that if everything is encrypted end to end then it’s all good. This is not the case though, as in this particular attack on Target the BlackPOS malware that was used scraped the RAM of the systems, which was not encrypted and usually isn’t. This is a key factor in the case and unfortunately I know that the legal teams here as well as the legal system itself are pretty much clueless on how things work in technology today, so this will just sail right over their heads.

Here are the facts in as plain a way as I can get across to you all:

  • BlackPOS infects the system and scrapes the RAM for the card data
  • BlackPOS then copies the data and exfiltrates it to an intermediary server, to be sent eventually to the RU
  • The data is not encrypted at this time and thus all talk of encryption of data or databases is moot, unless said data came from database servers and was not copied from POS terminals
  • Encryption therefore in the database or on the fly is a MOOT POINT in this case
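To show why the list above makes encryption moot, here is an added example (not from the original post) of a defender-side cardholder-data discovery scan, the kind of check used to find cleartext PANs in a memory dump or log before someone else does: the PAN sits in the POS process memory as plaintext right next to the encrypted database record and TLS bytes, which never match. The buffer, terminal name and card numbers are constructed sample data (industry test PANs), not real data.

```python
"""Defender-side cardholder-data discovery scan (added example, not from the
post).  Finds Luhn-valid PANs sitting in cleartext inside a buffer such as a
POS process memory dump, a core file or a log, which is exactly where
database and transport encryption give no protection.  All data is constructed."""
import re

# Track 2 as read from a magstripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# Bare 13-19 digit runs, e.g. a PAN written to a debug log.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out transaction ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-DSS display rule: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(buf: bytes) -> list:
    """Return one record per Luhn-valid PAN found in buf, in offset order.

    A hit inside a full Track 2 record (swipe data with expiry) is flagged
    track2=True; a bare PAN, e.g. one leaked to a log, track2=False.
    Encrypted fields never match because ciphertext is not a digit run."""
    hits = {}
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits[m.start(1)] = {"offset": m.start(1), "track2": True,
                                "expiry": m.group(2).decode(),
                                "pan": mask_pan(pan)}
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if m.start(1) not in hits and luhn_ok(pan):
            hits[m.start(1)] = {"offset": m.start(1), "track2": False,
                                "expiry": None, "pan": mask_pan(pan)}
    return [hits[k] for k in sorted(hits)]


# Constructed stand-in for a slice of POS process memory.  Only the swipe
# record and the logged PAN are cleartext; the "db" and "tls" fields stand
# for the encrypted-at-rest and encrypted-in-flight copies of the same card.
SAMPLE_MEMORY = (
    b"POS-TERM-07 swipe ok\x00"
    b";4111111111111111=2512101?\x00"          # Track 2 in RAM after swipe
    b"txn_id=1234567890123456\x00"             # 16 digits, fails Luhn
    b"db_rec=\x8f\x1a\x7c\xd3\x02\x44\x9e\xb0\x00"  # AES ciphertext (opaque)
    b"tls=\x17\x03\x03\x00\x2a\x55\x91\xfe\x00"     # TLS record bytes (opaque)
    b"last_pan_logged=5555555555554444\r\n"    # PAN leaked into a debug log
)

if __name__ == "__main__":
    for hit in find_cleartext_pans(SAMPLE_MEMORY):
        kind = "track2" if hit["track2"] else "bare"
        print(f"offset {hit['offset']:4d} {kind:6s} pan={hit['pan']} "
              f"expiry={hit['expiry']}")
```

Run against a real dump the scan reports masked PANs only, which is what a PCI scoping or log-hygiene check needs; the transaction id is rejected by the Luhn check and the two ciphertext fields are never candidates.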

There you have it. It’s a pile of fail all the way round and the media and the law are perpetuating half truths and misconceptions on how things really work in the digital world. There are many issues with PCI-DSS, and the encryption issue that is cited in the lawsuit and the Wired piece linked above is just silly because the writers and the lawyers haven’t a clue. While PCI needs to die a quick death in favor of something better, it is not the only reason nor the primary one that the attack on Target worked. There are of course many other reasons, due to inaction, that have been brought forth recently that do paint quite another picture of ineptitude, and those are the real culprits here.

Analysis:

Overall the analysis here is that there are many to be blamed for this hack and not all of them are the adversaries that carried it off. The fallout now with the lawsuits and the press coverage of the debacle has only amplified the failures and is making things worse for some and better for others. We have seen an uptick already in finger pointing as well as sales calls laden with snake oil on how their products could have stopped Rescator cold. The fact of the matter is FireEye and Symantec both tried, but the end users failed to let the tools act or heed their warnings. Of course one also should look at this and see that even if the tools had been heeded it may not have stopped the attack anyway without a full IR into what was going on.

The people who are any good in this business of security live every day with the assumption that their network is already compromised. This is a truism that we all should take to heart, as well as the knowledge that we cannot stop every attack that is carried out against us. We can’t win every battle and we may never win the war but we have to try. Target’s failures will hurt for some time within the company as well as for those who were working there at the time. I have no doubts that heads rolled and perhaps that was necessary. It is also entirely possible that people did try to stop this event but were told not to do something because it might affect their production environment. Of course this is all speculative, but you people out there reading this from this business know what I am talking about. It’s a universal thing to be shackled in your battle to secure the network because it affects the bottom line.

What I would like you all to take away here though is that PCI is not the only reason for this hack and certainly it isn’t because Target was not encrypting their traffic or their databases. This is just a ridiculous argument to be having. Just as ridiculous as it is to have the cognitive dissonance to believe that checking a box in an audit makes anything more secure.

K.

Written by Krypt3ia

2014/03/28 at 20:50

Posted in FAIL, Target

YES WE CAN! (deploy a website without security and expect everyone in the nation to put their personal details into it)



Zep whpcd as Sdefp Ihfctv jfg ti!

Hackers In The House

I sat in horror and increasing rage inside my office watching the live online stream of the House committee’s Science and Technology meeting concerning the security of healthcare.gov. Horror and rage that were fuelled by cogent statements made by a panel of security experts that shone light on the fact that the US government had completely abdicated any responsibility for security on the healthcare.gov site. My rage came from the responses by house members who, for all intents and purposes, only by the grace of god have the ability to wipe themselves in the morning after their daily ablutions.

The hackers, or more to the point security professionals, that included @hackingdave made a reasonable argument that the healthcare site was in fact fundamentally flawed where security was concerned and that it seemed that the government had in fact not considered the security import of the nature of the data they were to traffic in. SQL flaws are abundant on the site and the interconnections to backend databases including places like the IRS will make it the single point of failure for what I am sure will be the world’s largest compromise of PII data on the planet short of the machinations of the NSA.

While I understand that many of the players in the House committee are not technically capable of even programming a blinking VCR properly, I expect that they could actually listen and comprehend the basic fact that identity theft is a large issue today in the world and that this site would be a gold mine to anyone perpetrating such a crime. It seems though from watching many of these dullards’ questions to the panel this week that most in the halls of power cannot conceive of anything more than what they are going to have for lunch later and what party line they are going to toe.

Healthcare.gov Is A Ticking Time Bomb

To put it plainly the healthcare.gov site is a bomb just waiting to go off. The vulns that were discussed in the hearing and on the blogs thus far are not out of the capabilities of many of the bad guys online today and will be exploited. …That is if they haven’t already. What I heard in this hearing made me cringe due to the ease of the attacks as well as the seeming lack of due diligence on the part of the Canadian firm that made it not to mention the US government’s abdication of controls to be implemented in design.

As the panel pointed out, the federal government wants us not only to become accustomed to using all of our PII to log into this shitty site, but also, by inference, they don’t give a damn about our privacy, never mind our PII or HIPAA data, by the size of things. All that really counted in the creation of the healthcare.gov site was the speed at which it could be implemented. Something that, as we have seen, also caused as another byproduct a shitty infrastructure that failed to handle the load required. Now ponder the code errors that live within the massive amount of code and your head will explode from the security failure potential here. I am pretty sure that the code has not been vetted properly from a rugged devops standpoint, so let’s just assume that it is riddled with bugs.

Lest we forget too all of the back-end database connections, infrastructure design, and implementation that in all likelihood are greatly flawed as well, and one might lose sleep at night. I sat through the committee meeting also wondering about what mitigations they may have for security on the DMZ/back-end/internally such as SIEM, firewalls, and IDS/IPS. Do they have any? A question came up in the meeting that had me even wondering IF they were logging event logs for security at all within this Rube Goldberg device they are calling healthcare.gov.

In the end I think the House and the Senate should really look at this whole issue and DEMAND that an accounting be made of the security that may or may not have been built into this site’s code base, the way it is run, and all the connections to the various back-ends in other government facilities and databases BEFORE we start signing up anyone else to it. I don’t give a fuck about the politics of it! They have done a shitty job of protecting the American citizen’s interests here from both parties’ machinations and it has to stop.

Perhaps “someone” should start a petition on the whitehouse.gov site for an investigation to be carried out?

Just a suggestion…. Or wait.. Is that site down now too?

Media DERPOUT

Oh well, it’s not like all this security stuff matters really, I guess, judging by the response of the media to this story. A day after the hearing only one major news source (ABC) had a story that Google could find. The rest of the media seem to be blind or ignoring the large bag of fail that is the security posture of the healthcare.gov site. Even now, days after the fact, the news media seem rather tepid on it all. We will, I suppose, have to wait until the ultimate compromise of a majority of the US citizenry’s PII data and other records happens before it makes it even to NPR as a story, huh?

What makes me wonder though is why none of this seems to be lighting a fire under anyone other than the security community. Is it because, as we all well know in the industry, we speak a language foreign to the rest of the world? Is it because we are seen as Cassandras or boys crying wolf? I am flummoxed about this really, and I could spend time pondering over the psychological aspects of denial and comprehension of security risks, but I find of late there just is no point anymore. We are fucked and there is naught we can do about it. I think Dave and the panel could probably attest to that now, but probably more so as time passes and nothing is substantively done about the security of this site.

So go get your healthcare people! For every 100th visitor your data gets a free trip to Ukraine!

K.

Written by Krypt3ia

2013/11/21 at 18:21

Posted in .gov, FAIL