Silicon Shecky

Infosec Practitioner


Attribution, why it can sink us

October 26, 2017 By Michael Kavka

Attribution is tough. We all know that. We all question it. Some of our jobs might depend on it. Yet, through it all, we have a lot to learn about it.

I bring this up because I feel it is an elephant in the room. We as infosec professionals, and even amateurs, have a desire to know the who, what, where, when, why and how of security events/incidents. It helps us plan out our defenses. It allows us to show worth to those outside our field. Attribution needs to be done carefully. This article from SC Magazine has an interesting statement in it, and it will be our example to work with at the moment. About halfway through the article the following statement is made:

Malwarebytes took this a step further and reported BadRabbit was produced by the team behind Petya/NotPetya, although the security firm did not offer any evidence to back this theory.

Malwarebytes is a well known and respected company. Their software has been used by millions. They are also putting credibility on the line with this sort of statement. Everything that I have seen so far on BadRabbit is that it uses some methods similar to NotPetya (for which I have not seen evidence of attribution to the original Petya author(s) before). It is not using much, if any, code from NotPetya. In fact, the biggest issue I have with this statement, as just a statement, is that they are offering no evidence for a very certain attribution. Now, imagine you are a news company like CNN, FOXNews, or any other of the well known ones that are not dedicated to infosec. You have people keeping track of cybersecurity feeds, looking for news to pick out of there. You see news about BadRabbit, and go to Malwarebytes for their take on it, knowing this is a trusted company. They give you the above statement, you run with it, and the general public now thinks it is all the same. Weeks/months down the line, the attribution is shown as false, a retraction is issued and now trust is broken. The other side effect is the general person asking why they should listen to the world of information security when we get attribution wrong. How many quickly attributed things wind up changing or being questioned as time goes on?

Think about it. Look at what is going on with Kaspersky and what sort of attribution is pointed at them by the U.S. Government, and yet no evidence has been shown publicly. Look at how our own community has reacted. Heck, look at the Sony hack a few years ago and what went on over attributing it to North Korea. Look at the inside joke we have about North Korea, China or Russia being the one responsible for every X malware/breach.

The human psyche is a strange creature, but a couple of things are certain from what I have seen. First, we are an impatient species. We want everything now, immediately, otherwise it is no good. This is an evolution that has occurred because of how society has changed over the last few hundred years. Second, like computer systems, our world is built on trust: who we trust, what information we trust. Once that trust is broken, it takes a long while to get it back, if it comes back at all. Basically, it is the boy-who-cried-wolf syndrome. This is true inside the infosec community and outside it. The more initial trust you have in someone/something, the more likely you are to forgive blunders. After all, nothing and no one is perfect. You go outside your community, though, and that trust level becomes thinner and thinner.

So how do we fix this? The simplest and easiest way is to not give in to having to be first in claiming something. Take the race out of it. Allow time to gather all the facts and properly analyze them. Second, well, that is to learn lesson one, and make sure that those above you understand it. Remember, an ounce of prevention is worth a pound of cure.

Filed Under: Rants, Security Tagged With: Attribution, BadRabbit, Malwarebytes

2.5 weeks out

October 19, 2017 By Michael Kavka

Certs in our industry are a funny thing. In fact, you mention OSCP or a SANS cert, and I rarely hear a bad word. On the other hand, you hear CISSP, CEH, Security+, and many others and you get mixed reviews. Never mind that sometimes the job wants you to get one of these “paper” or “not worth the time” type certifications. There are reasons, and yes, while one could hack their way into getting one of these certs without having actual experience (even with the 5 year requirement for the CISSP), the upper levels of management in many companies, and HR in a lot of companies, want to see some of these certs.

I go off on this because I just set up a date to take my CISSP exam. I know a bunch of infosec people, and many of them have told me not to do it, until they hear it is part of my bonus objectives for the year, and then it is, “Well, I guess that is a good reason to.” Personally, I am nervous as all get-out about it. I haven’t taken an exam in many years, and haven’t passed one in almost 10 years. The reality is that I have not been good at taking exams, or at memorization. Heck, we have Google, DuckDuckGo, and other search engines, books in paper and digital format, and social media to ask questions and get answers from in real time. I’m getting older and the memory is not always what it once was. The fact that some of them feel my skills are well beyond this exam means a lot, but still it is something to toss out there. Something to get me a better raise, force more money maybe, but really it might shut up some people who think I do not know what I am talking about. Mind you, those people are not in the infosec world, and in a bunch of cases not in the IT field at all.

A self-made man is what I am. I have learned from others and from books. I have experimented on my own equipment. I have no degree from a college. I know what I know, and what I don’t know is so much more that it is amazing. So much to learn. So why get down on a simple cert when, if you actually study for it, you can learn something? I mean, isn’t that one of the things that makes infosec great, the constant learning?

Filed Under: Rants Tagged With: Certifications, CISSP

This week and some thoughts on Kaspersky

October 13, 2017 By Michael Kavka

Interesting week this week for me. I uploaded a few new PowerShell scripts to my GitHub; mind you, while changing telephone numbers or unchecking an attribute box in AD is not sexy security, these scripts do show how to do some manipulation. The attribute box for “Deny this user permission to Remote Desktop Session Host server” is the more interesting one, because PowerShell has to manipulate the object through LDAP instead of the normal AD commands. This is because, in the normal AD schema, that setting is buried in a single attribute that covers a bunch of odds and ends and is tough to manipulate otherwise. The idea of manipulating AD through LDAP does leave questions open about LDAP bugs being exploitable through PowerShell, and how easy that could be. It also means you have to make sure that some sort of LDAP logging is on, as changes to some of the smaller attributes might not be logged by AD into the Windows Event Logs. I am going to investigate further into that.
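As an added illustration (this is not one of the author's GitHub scripts), the following shows the manipulation described above: the RDS "deny logon" setting is packed into the userParameters attribute, so it is read and written through the ADSI LDAP provider's AllowLogon property rather than Set-ADUser, and the audit function pulls the Directory Service Changes events (Security event 5136) that record a rewrite of that attribute. It assumes a domain-joined admin host with the ActiveDirectory module and that Directory Service Changes auditing is enabled on the domain controllers; the account name is constructed.

```powershell
# Added example, not the author's scripts. Assumes the ActiveDirectory module
# and rights to modify the target user object.
Import-Module ActiveDirectory

function Get-RdsLogonDenied {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Resolve the DN with the normal cmdlet, then bind through LDAP (ADSI):
    # the RDS settings live packed inside userParameters, and only the
    # IADsTSUserEx interface unpacks them. AllowLogon 1 = allowed, 0 = denied.
    $dn   = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $user = [ADSI]"LDAP://$dn"
    return ([int]$user.psbase.InvokeGet('AllowLogon') -eq 0)
}

function Set-RdsLogonDenied {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][bool]$Deny
    )
    $dn    = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $user  = [ADSI]"LDAP://$dn"
    $value = if ($Deny) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($dn, "Set AllowLogon=$value")) {
        $user.psbase.InvokeSet('AllowLogon', $value)
        $user.psbase.CommitChanges()   # rewrites the whole userParameters blob
    }
}

# Audit side: with "Audit Directory Service Changes" on (and a SACL covering the
# user objects), the rewrite shows up as event 5136 on the DC that took the write.
# The event names the attribute (userParameters), not the individual RDS flag.
function Get-UserParametersChanges {
    param([string]$DomainController = (Get-ADDomainController).HostName,
          [int]$Hours = 24)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        if (($data | Where-Object Name -eq 'AttributeLDAPDisplayName').'#text' -eq 'userParameters') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                ObjectDN = ($data | Where-Object Name -eq 'ObjectDN').'#text'
                Actor    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            }
        }
    }
}

# Usage with a constructed account name; -WhatIf previews without writing.
# Set-RdsLogonDenied -SamAccountName 'jdoe' -Deny $true -WhatIf
# Get-RdsLogonDenied -SamAccountName 'jdoe'; Get-UserParametersChanges -Hours 1
```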

One of the big things going on in our world is the whole Kaspersky debacle. So much information and/or misinformation has been floating around, that it really feels to me like a lot of this is PR posturing by the U.S. Government. What I want to point out is a few things.

  1. The data that was found using Kaspersky was not on a government machine. This was another contractor who took classified materials out of the NSA and back to his house. This is important, as we do not know the motives of this contractor. Yes, I am going to go a little tin foil hat here, but what if it was a setup? What if said contractor intended for the data to get swiped from his home machine? I am not saying this is the case, but it is a possibility.
  2. The source of proof that the Russians used Kaspersky to do this exfiltration was Israel. More specifically, Israeli hackers who had hacked into Kaspersky’s network. Think about that. If the Israelis hacked into Kaspersky’s network, why must Kaspersky have worked intentionally with the Russian government? Now, Kaspersky being hacked is a black eye on the company, but we all know that there is no perfect security and anything can be hacked.
  3. Vendors work with governments. Period. The NSA had RSA put a backdoor into its encryption. McAfee and Symantec have at times worked with the U.S. Government. It is a fact of life.
  4. Reuters reported that German intelligence found no evidence of Kaspersky software used for hacking. Now we start getting back into a he said/she said about what has happened.
  5. With all the cloud systems out there, this same hack is possible to do using Symantec, McAfee or any other AV vendor.

Now, I am not saying that there are not issues, trust issues that Kaspersky has to work through, but this is the good ol’ U.S.A. here. We forgive Target, Home Depot, soon Equifax, and all these other breaches of our own personal data. Keeping Kaspersky off government machines I can understand, but it is still one of the top AV vendors and I will continue to recommend their software for home users until I see better proof not to. Remember, in this day and age, it is all about who you want to have the data, and in the end it is probably everyone who does have it.

Filed Under: Rants, Security, Software Tagged With: Kaspersky, Powershell
