Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Infosec’ Category

Ethics In Hacking and Dropping Code

leave a comment »

With the release of Autosploit, a tool for automatically scanning and exploiting hosts located via Shodan.io, a shit storm erupted on the ethics of releasing a tool like this. The problem has become just how easy it may now be to automate the attacks on vulnerable systems en masse that this tool could potentially provide. In an age where IoT devices as well as SCADA and ICS are sitting online in vulnerable states makes the possiblity of great damage to large networks more probable with such a tool. It also brings to the table the idea that the barrier to success on such attacks has been lowered to a new class of individuals with a limited knowledge base and creates an asymmetric threat model of a single individual able to wield greater attack capabilities with one tool.

Many arguments have been made on Twitter about the efficacy of releasing code like this but most have not focused on tools per se but instead on malcode or 0day’s. Now that there are bug bounty programs and companies that sell vulnerabilities we are living in a more dangerous time where the few with the money could buy exploits and do mass damage or commit mass surveillance and espionage. This also applies to countries willing to pay for 0day exploits to be in control of the attacks and have the upper hand. Think about that, our politics and our lives are at the mercy of code being sold to the highest bidder. We have weaponized code and tools made from it on a medium that was supposed to enlighten and bring us all together. Instead our baser nature has made the internet and everyone’s devices a tool for repression or subversion.

After the release of Autosploit, the hue and cry went up, and rightly it did. In a time where we have people releasing code and remarking “Let the world burn” I think it is time that we began to talk about the ethics of doing these things. Ethics kids is a philosophical discipline where you consider the moral responsibilities of what you do and the effects your actions could have. I think that too many people of a certain age group have had little to no training on ethics and this has helped to lead us to where we are today. In this specific case let’s talk about the ethics of releasing any code or tool that would lead to potential disastrous effect.

Many tools over the years have been dropped for free by hackers out there that could and were abused by others who downloaded and used them for their own desires. I have been exhorted to mention things like BackOrifice or L0phtcrack in the past and, well, there you go. Both tools were used for bad purposes as well as ostensibly good in the hands of penetration testers. Of course these were just placed on the net for free for anyone to have at first and this is where the quandary starts right? Did L0pht or CDC consider the potential damage that could be done with their tools? Did they put them out there with some self awareness that they may in fact be complicit in crimes because the tools that they created and distributed, for good or for ill, could be misused?

I point you all to Alfred Nobel, the inventor of Dynamite. He created a tool that would help in mining but in the end that tools devastating effects were used in other ways to hurt people and wage war. In an obituary that was accidentally run about him instead of his brother, he learned what the world perhaps thought of him regarding his invention. This bothered him so much that to atone for his actions he created the Nobel Prize to further science and other pursuits that do not further the harm of others. The idea that his inventions use for ill and how he would be perceived by history prompted his ethical response.

Today, we have people creating tools that could be misused and in some cases are for the sole purpose of misuse. The Autosploit tool may be a boon for some penetration testers, but the reality is that it is just another mass scan tool that seeks out vulnerable systems throughout the whole of the internet and loads the exploit potential to just break into them. This is not a refined tool for a scoped penetration test, this is a tool for mayhem. This is why I think others have made comments about the way it was released and the dangers in doing it so. The ethics though seem to have been glossed over concerning this release. What are the ethics of Autosploit’s creation and release on a Git repo? What is the morality behind doing so? Are there arguments for either of those or is it just another hacker saying; “Let the world burn” with no thought or accountability because it is the internet?

The problem we have today is that there are no ethical demands being placed on these coders and hackers. In fact, the whole notion of hacking has a very troubled side where illegal activities are the norm because the ethical and moral question of “should I do this” has not even been contemplated over the desire to know things. Sometimes I personally think that there is a fair bit of sociopathic behaviour in this community to begin with so that actually kind of aligns with the argument that ethics have not even been contemplated in some of these works. So as we move forward into a world of cyber warfare we have to care for the ethics and morality of what we do just as we have in all other forms of warfare in the civilized world.

While people like Katie Moussouris advocates for penetration testing tools being classified in ways that they are not declared illegal, we too have to look at the ethical concerns of the tools and how they are released to the world at large. Wassenar is a great idea but I feel that it is a myopic approach to larger issues in our ever more connected world. If you look at the actions of the Balkanization of the internet, you can see the actions of China and Russia joining together in a pact to repel the US hegemony in the internet you have to follow that all the way back to the tools that make such issues possible. The tools that you all create for hacking and exploitation that you should have some ethical concerns over when they are used perhaps in ways you did not intend.

Thus, take the ethical pause before you just dump them online …Unless all you care about is watching the world burn.

K.

Written by Krypt3ia

2018/02/02 at 20:12

Posted in Infosec, Uncategorized

I Am Danny Glover: I Am Too Old For This Shit

with 2 comments

Welp, I am gonna say what others I interacted with this year at Defcon imparted in person. Just gonna rip the Band-aid right off, no Bactene, nada….

Defcon has become too big for it’s own good.

There, I said it…

*waits for inevitable whining and recriminations from those who love it and run it*

Really though, the congestion even in Caesar’s was too much to deal with and certainly the fact of getting into lines and then not seeing the talk because you were too far down said line is… Well.. Disappointing to say the least. Add to this that you can see the media later online, why the fuck am I going to attempt to brave the hoards and pay $260 to attend? Everyone says “HallwayCon” now but even that was stupifyingly impossible because the traffic analysis had been fubar’d for this one.

Nope, I am just too old for this shit now. The paradigm of BlackHat is the new RSA, Defcon is the new BlackHat, and Bsides is the new Defcon is really true I think. I had a better time at Bsides and actually got to have substantive educational interludes as well as conversations at Bsides. I attended BlackHat this year and had classes and I also have to say that the Classes were excellent but the presentations were a bag of fail, but hey at least I got to see them. A special note goes out to Matt Suiche on spectacular fail on slides with large blocks of text and his inability to speak English clearly for the ShadowBrokers presentation. In fact, let me also add that he did not add anything to the discourse on the subject by just regurgitating, in large blocks of text on screen, things we all could just Google.

But I digress…

It seems to me now in hindsight that the only way one will get good content and a hassle free way to consume it is to pay exorbinate fee’s to see it so all the other kids aren’t there rubber necking in front of you gawping at all the shiny shiny. Even if you have to listen to the likes of the CISO of FaceCult drone on about how they are going to save the world in between laser light shows (YAY HOOLICON!)

Jesus fuck I am too old for this shit…

Next year maybe I will just do SANS…

Dr. K.

Written by Krypt3ia

2017/08/07 at 21:01

Posted in Infosec

Eugene and the DoD

leave a comment »

Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news and now with the Putin administration threating “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…

Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…

Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?

Fuck you.

FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.

Right, so now back to the present unpleasantness, it seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD) so pretty pretty please buy our shit? Look, it’s not about the code, we don’t necessarily think there are backdoor’s in the product now. No, what the worry is consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin right?

Imagine that Eugene’s software is clean as a whistle.

Now imagine that it is sitting on many USGOV and MIL systems.

Now imagine that all that telemetry from those systems is going to RUSSIA.

Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”

Think about that hacker kids.

Think about that you spies too.

You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?

So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….

So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?

Yeah neither do I.

K.

Written by Krypt3ia

2017/07/03 at 16:38

The DNC Hack: SVR? KGB? GRU? Lone Hacker?

with 2 comments

191

Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering repleate with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which is akin for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fith, sixtieth actors also in the network or having had been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)  Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

Dr._Strangelove

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the excel files
  • The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to it’s quite OBVIOUSLY being Mother Russia’s exclusive secret services.

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

Screenshot from 2016-06-17 13:35:04

Screenshot from 2016-06-17 13:33:43

Screenshot from 2016-06-17 13:31:49

Screenshot from 2016-06-17 12:51:57

Screenshot from 2016-06-17 12:46:55

Screenshot from 2016-06-17 12:46:44

Screenshot from 2016-06-17 12:46:33

Screenshot from 2016-06-17 12:46:14

Screenshot from 2016-06-17 12:46:03

Screenshot from 2016-06-17 12:45:43

Screenshot from 2016-06-17 12:44:48

Screenshot from 2016-06-17 09:51:34

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campain against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt —-> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be releast on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
  • Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server –> Russians–>PWN wink wink nudge nudge!

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin?  *sorry had to use that one*  Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.

 

Written by Krypt3ia

2016/06/17 at 18:34

Insider Threats: The Most Dangerous Threat

leave a comment »

Screenshot from 2016-03-14 07:58:00

On The Seven Pillars of Wisdom the notion that the “insider threat” can be one of the most devastating threats to an organization. I have pointed this out before concerning INFOSEC but I thought it would be prudent to do so again with the story of the caliphate and Abu Hamed. As a practitioner of the INOSEC arts *chuckle* one of the things that we have to take into account in the #BlueTeamLife is the insider threat and the general tenor within the organizations we work for. One has to take the pulse of the org and see what the overall temp is of the work force. Have there been layoffs? Are people generally disgruntled? Who amongst them may be a turncoat and be stealing your data or setting up the Locky malware inside your domain controllers?

All of these thoughts should cross your mind now and again as an internal player within a security organization. Frankly yes, you can have utter devastation to your network and your org from just one end user being click happy, but imagine if you will a disgruntled employee who has keys to the kingdom and a will to wreck it all as they give you the finger walking out the door. I personally have been party to one such incident that included a logic bomb and many hours trying to figure out what they did to get the org working again. You can never discount the insider threat and you shouldn’t.

The same can be said about agent provocateurs in your org as well. This may seem like fiction to you but consider where you work and what they have as data goes. Would a competitor want to steal that data? Perhaps they would instead like to burn your org down to the ground to get ahead? All of these scenarios are possible and you as the #BlueTeamLifer have to consider these things as you attempt to secure the sieve that is your networking environment.

Do you have any content in your awareness training about outsiders trying to get information from your employee base? Do you have content about not wearing badges to local bars or being circumspect at conferences? If not, perhaps you should assess your crown jewels and start creating some.

At the end of the day it is better to be prepared for this type of activity than to be totally unaware of the possibility.

Think about it.

K.

Written by Krypt3ia

2016/03/14 at 12:10

My new line of INFOSEC T-Shirts from “Everything Is Bad”

leave a comment »

Written by Krypt3ia

2016/02/12 at 15:11

Posted in Infosec

The 2015 INFOSEC KRAMPUS LIST

leave a comment »

krampus-1-web-72RECTANGLE*_550_310_s_c1_c_t

GO HERE AND VOTE NOW!!

Written by Krypt3ia

2015/11/03 at 11:41

Dark Reading: CISOs Caught In A Catch-22

with 3 comments

Screenshot from 2015-07-22 10:36:45

Full article:

JESUS FUCK.

Now that I have that out of the way let me take this article and turn some things on their head a bit. I would ask, if I were writing an article on this subject just how talented on average are these CISO’s that are being made scapegoats and not allowed at the C-Level table? Are these CISO’s capable of making those security decisions to start? How technical are these CISO’s on average and have they worked the bulk of their career in information security?

See this is what burns me much of the time. We have CISO’s who are titular C-Level execs that most often than not NEVER carried out a pentest and have little to no real experience carrying out a security program to start with. This is a problem and one that everyone seems to not quite grok in the corporate world but if you are in INFOSEC and you are capable, usually you are not considered to be C-Level material at the average corp. This is just my experience of this being in the business so long but hey, this article seems to be backing this up a bit as well.

On top of all this it seems that the people asked in this survey of sorts showed that the CISO, like much everything else in INFOSEC is considered the red headed step child that is better neither seen nor heard. That is until they have had a breach and then they can blame the CISO that they have not empowered and perhaps never trusted because they weren’t competent to start with.

But hey.. That’s just me right?

The role of the CISO is evolving more now because the breaches today are at a high and the compromises with data dumps have been making the news cycle burn brightly. That’s the extent of it really, these companies aren’t looking at the news, turning to their boards or other C-Levels and saying

“SHIT! WE REALLY NEED SOME TALENT AND EMPOWERMENT TO THE CISO NOW NOW NOW!”

Mmmmmyeah, not happening that I have seen. Evolutions kids is a long ass process and in nature it takes millions of years. I am afraid though that in INFOSEC we don’t have that much time. So here are my bullet point thoughts to leave you with;

  1. We’re fucked
  2. If your CISO has no experience and shows that in meetings with other execs… You’re fucked
  3. If your CISO has no empowerment… You’re fucked
  4. If your CISO has no empowerment and no real experience he will be gone soon and… You’re fucked anyway
  5. Corporations are like living entities made of of large amounts of cells (people) that are in essence psychopaths. They are self involved, manipulative, and only want what they want and will do anything to get it.

You’re fucked.

K

Written by Krypt3ia

2015/07/22 at 19:56

Posted in Infosec

THE DEFENDER’S DILEMMA: CISO’s and Execs to the right of me… APT’s and Hackers to the left… Here I am stuck in the middle with you.

with one comment

tumblr_m54evg82j61rtr1jto1_400

 The Defender’s Dilemma:

This week I came across a tweet from @violetblue about an article she wrote for ZDnet on a RAND study that had recently been published. The report; “The Defenders Dilemma: Charting A Course Toward Cyber Security” The report ostensibly showed that the end game for information security was as predicted by 99.9999 percent of the information security workers in the world today. Simply put, there is no winning the game and you should really just listen to the WOPR and not play at all. How about a nice game of chess?

WOPR

All kidding aside though, many in the game know that there is no winning the cyber war. All you can do is perhaps win battles. Endless battles. The war will never end unless by some miracle someone uses the Nash Equilibrium Theorem to bring all the game players to the table and stop the game with wins all around. I somehow doubt that this will happen, just as much as I doubt that the same model can be used against Da’esh but that is a story for another day.

What this report is telling us though is pretty much common knowledge within the community and I have to wonder just how many execs, which come out of this report not too well as to their cognizance on the issues, will actually you know, read the report in the first place. It would seem that this reports 169 pages is another echo within the INFOSEC echo chamber that once again the executives will not see, hear, or understand because there are too many words to read. Honestly RAND, after you say all these things you really even expect them to read the executive summary and understand it all?

Sampling Problems and Conclusions:

Eh.. Still, even if someone like me were to try to synthesize this report into a comestible for the exec set, I would still have to deal with the fact that I dislike your sampling data and some of your conclusions up to and including your heuristic model ten years into the cyber future. Honestly, what the ever living fuck RAND? Let me start with your sampling of CISO’s out there in the wide wide cyber world.

  As a result of interviewing 18 CISOs, we drew three sets of conclu- sions: those we expected, those that confirmed our suppositions, and those that came as surprises.

Eighteen CISO’s? EIGHTEEN? Holy what the bad statistics Batman! How do you even think you can conclude much of anything from such a small sample of the pool out there RAND? I read that and I literally felt like I had just re-heard one of those old ad’s where “Nine out of ten dentists approve!” What bullshit is this? Ok, let’s forget the whole thing about sampling and statistics, ya know, math and just go with the logic here of talking to only 18 guys. How do you know that these guys aren’t idiots? How engaged are these people? How efficacious is their leadership? I mean all of these things matter when you are asking people for their considered opinions for some kind of study! This number reminded me of a quote from “Back To School” with the late Rodney Dangerfield.

Thornton Melon: [in college bookstore] Hey, you guys get everything you need?

Jason Melon: Oh, yeah, we got it.

Thornton Melon: Good… Hey! What’s with the used books?

Jason Melon: Well, what’s wrong with used books?

Thornton Melon: They’ve already been read!

Jason Melon: Yeah, and they already been UNDER-LINED, too. Get it?

Thornton Melon: That’s the problem. The last guy who under-lined them, he could have been a maniac! Hey, get these guys some new books. Huh? Get some new books, will ya?

The sample is important kids and RAND just screwed the pooch on that one. Which brings me to another interlude they had in the report that shows you just how important this is.

Screenshot from 2015-06-12 08:39:34WHAAAAAAAAAT? What kind of CISO doesn’t even know where the firewalls are?

Oh.. Wait… What am I thinking? I mean how many CISO’s are or were actual practitioners with real world technical experience out there huh? Now that would  a statistic that is rather important to the comprehension of the issue in the first place right? Evidently RAND doesn’t think that this is an important data point in this study though. So yeah, we have “CISO’s GONE WILD” here as well as some seemingly tuned in responses from the whopping sample of 18 respondents that finished an average 15 out of 20 questions on their questionnaire. With these stats these guys may as well be Ponemon for fucks sake!

Conclusions:

In the executive summary they lay out their conclusions from this study and surprisingly I agree with many of them but from long experience in the field not from 18 CISO’s answering nearly twenty questions. Most of these are just common sense really and logical conclusions and there was no need for a survey however poorly constructed to get to the answers. However there are some gems in there.

The conclusions we expected were as follows:

•Security postures are highly specific to company type, size, etc.,
and there often are not good solutions for smaller businesses.

•The importance of intellectual property varies with the individual
firms’ missions.

Cybersecurity is a hard sell, especially to chief executives. ….Yes, yes it is.

•Although CISOs generally lack a way to know whether they are
spending enough on cybersecurity, they split between those who
think spending is sufficient and those who feel more is needed.

….. So 50/50? Uhhh Clue please?

•Air-gapping, wherein networks are electronically isolated from
the Internet, can be a useful option. (In a softer form, it is com-
patible with tunneling through the Internet but otherwise not
interacting with it).

……. NO. WAY. How long have we been saying this?

•Responding to the desire of employees to bring their own devices
(BYOD) and connect them to the network creates growing
dilemmas.

…… WORST fucking idea EVER.

•CISOs feel that attackers have the upper hand, and will continue
to have it.

…… Well duh, they do. It’s asymmetric warfare you idiots!

The conclusions that confirmed our suspicions were these:

•Customers look to extant tools for solutions even though they do
not necessarily know what they need and are certain no magic
wand exists.

……..But Mandiant and others are more than willing to sell you a “wand”

•When given more money for cybersecurity, a majority of CISOs
choose human-centric solutions.

……..What? Where? WHO?!?! FO FUCK SAKES SHOW ME! Oh yeah.. 18 CISO’s DERP.

•CISOs want information on the motives and methods of spe-
cific attackers, but there is no consensus on how such information
could be used.

.…What have I been saying? They want it but really it’s USELESS hear that TI firms?

•Current cyberinsurance offerings are often seen as more hassle
than benefit, useful in only specific scenarios, and providing little
return.

…..But they are all the rage in making sure your ass is covered.

•The concept of active defense has multiple meanings, no standard
definition, and evokes little enthusiasm.

….Yes, well they have not met Dave Aitel or any of the other boys who cry CYBER PEARL HARBOR!

•CISOs lack a clear vision on incentives

… Um not being fired?

•Information-sharing tends to live within a web of trust.

….And next to the land of the unicorns with gumdrop kids

•CISOs tend to be optimistic about the cloud, but, apart from
those who sell cloud services, most are willing to be only cautious
fast followers.

…CLOUD IS THE NEW CYBER VIAGRA! But it isn’t the CISO’s choice remember that CEO guy?

•CISOs are likely to assign lower priority to security-as-a-service
offerings.

…Well, yeah, I mean you wanna outsource everything and have nothing to control?

•CISOs, in general, are not ready to concentrate their purchases
from a single vendor (but also are not sure that heterogeneity is
the best solution, either).

…Meh, I have seen a lot of eggs in one place lately.

The conclusions that came as surprises were the following:

•A cyberattack’s effect on reputation (rather than more-direct
costs) is the biggest cause of concern for CISOs. The actual intel-
lectual property or data that might be affected matters less than
the fact that any intellectual property or data are at risk.

…Ummm yeah, if you have no CUSTOMERS then you don’t have REVENUE right? WTF.

•In general, loss estimation processes are not particularly compre-
hensive.

… Loss estimation of future events.. Say heard of the Cat in box paradox?

•The ability to understand and articulate an organization’s risk
arising from network penetrations in a standard and consistent
matter does not exist and will not exist for a long time.

…Uhh what? WTF? If you are pwn3d and your shit stolen you are fucked. Simple.

God.. What a wankery waste of time having to read all that drivel. It gets worse though as they philosophize on future events with heuristics. WOOOOOO! Now that’s a read! I had to extra coffee up for that nonsense. Look, if you want to study this shit great, but unless you have a solution to the problem why waste my time? Oh, and yeah, I will be the only one reading it all because I have taken a poll of my own that shows EXECS DON’T FUCKING READ THIS SHIT NOR MUCH ELSE THAT SECURITY PUTS OUT!

Just sayin.

I have linked the document above so go ahead if you like pain and read the whole 169 pages. I did and look how well adjusted I am!

K.

Written by Krypt3ia

2015/06/12 at 15:11

Posted in Infopocalypse, Infosec

Advanced Persistent Failure: The Malaise of INFOSEC

with one comment

Screenshot from 2015-04-27 14:15:25

An INFOSEC Maturity Differential Diagnosis:

Advanced Persistent Failure (APF *tm*) is a term that I coined today in my Twitter feed that I have yet to trademark before Rob Graham (@erratarob) gets around to it.

Advanced Persistent Failure: The inability for human beings and their collectives to learn from security incidents, data, polls, and any other lessons learned that would normally cause changes to be made. Instead, the cognitive dissonance wins out and they believe nothing is ever wrong, they are safe, and unicorn devices will prevent their data from being stolen”

Why it came to me today was the article pictured above by Brian Krebs, who begs the question “What is your orgs security maturity?” I find it interesting that the guy who is out there on the net and the one person you “don’t want to hear from” of late because if he’s calling it’s because your data is out on the net and he knows about it. Brian is actually asking a question that many others have asked in the past but I don’t think any of them, myself included, ever get the traction with the hoi polloi because we aren’t all famous or ‘rock stars’ in the industry. Still, even with someone like Brian begging the question, I still don’t think the message will get through the static of all the sales pitches and self absorbed thought processes out there in the corporate world to make one whit of difference.

Screenshot from 2015-04-27 14:03:27Full report here

Screenshot from 2015-04-27 14:18:36

 What I mean to say is that even with someone like Brian asking the question, the companies and people that comprise them likely will not navel gaze enough to make the changes that are recommended by such posts and supporting data. Now you may just consider me to be a jaded bastard or a pessimist, which I am both, but I want you all to take in the reality of the situation. How many orgs do you know of that have been on the right path security wise from the start? How many of those orgs only began to change post an intrusion that caused great deals of damage and FUD? Seriously, take a look at the chart above and compare it to your own org. Now ask yourself honestly these important questions;

  1. If I am in reactive org can I change the org to not be?
  2. If I am compliance driven the motivation has already been given yet I am still unable to secure things.. Why?
  3. If my executive chain does not get it now how can I change this?

Now these questions may be daunting for the average security worker but then consider a CISO or director asking these questions too. Do you honestly think that even if they sent this article to the executive set that they would even bother? Why would they? Do your execs get security at all? I am sure some of you out there are like “yeah they get it, my org rocks!” to which I say “Good for you! Liar.” It is my opinion, after a long time in this business as a consultant, that orgs in general are fucked up and not clued in on security as the rule. Doubt this? Just look at all the big compromises and advanced persistent failure we have seen over the last few years. How about this though, just consider the reports recently about POS machines with default passwords that have not been changed in 20 years.

How bout them apples? We all know that default passwords are bad and they should be changed as a rule but no one is doing that. Why do we persistently fail at doing the simple things? Perhaps it is because humans are just bad at determining long term risk? Perhaps none of us is as bad as all of us when it comes to making security decisions? Or maybe it is just because there is no real imperative on the part of companies to really care because the financial and reputational losses are not that great today? Let me ask you this.. Do you think that the former CEO of (insert hacked company) is now living on the street in a cardboard box because they failed to care about the security at (insert hacked company) ?

Lemme give you a hint… No.

Clearly it is not an imperative so by Brian asking the question it may get some air time but really, how many orgs do you think are going to read that article and yell “BY JOVE HE’S RIGHT! WE MUCH CHANGE THIS HENCEFORTH!”

Lemme give you a second hint… None of them.

BUT CSO MAGAZINE SAID:

Hell, even if Steve Ragan wrote a piece on this *hint hint* I still expect that the vast majority of the security people out there, even with taking that article and forwarding it to directors and CISO’s would be able to effect a change for the better security wise. Why? Because once again, people don’t give a shit and they aren’t being forced to do anything about it. No, really, that is my opinion and I am going to stick to it. Nothing will change unless they are forced to be cognizant of the issues as well as responsible, really responsible at the end of the day. So there will be very little to hope that your CISO will be magically reporting directly to your CEO. There will be very little hope that your CISO will be working directly with the board of directors UNLESS maybe, if you are lucky, you have been hacked spectacularly and in the news. Those orgs though that have made those changes post being hacked I feel are more unicorns than anything else though. So yeah Steve, please write about this and have that drop in all the CISO’s email boxes! It will be all hopey changey!! Secretly though I would hope you just link back to me about the APF of all of this though, ya know, just as a cautionary tale and a buzzkill.

Face facts kids, we are well and truly shit out of luck here. I certainly don’t expect us as a species to change how we operate because some people in the media pointed out the realities of our collective fail. Sure, China is hacking the shit out of us. Iran is about to cyber nuke the lot of us and the Russki’s are all up in our President’s emails but will we change our SOP for security because of it? No, no we won’t we will just continue to stumble along like we have been all along. Our predilection for Advanced Persistent Failure is like an addiction really. Security is hard! We can’t make those changes to passwords! I mean how will we rememberize them? Oh. My. God! Enlightenment, even the ‘brick” that @Gattaca and others use out there does not have the play or the sexy that a new blinky light APT stopper has on the RSA floor as hawked by booth… Babes? Men? Whatever the flavor of the day is now in our stupid industry of fail.

Prepare for the next fail tsunami kids. Nothing will change.

K.

Written by Krypt3ia

2015/04/27 at 19:03

Posted in Infosec