Tuesday, May 16, 2017

WannaCry Reflections

WannaCry Technical

Sorry, you're not going to find loads of technical information in this post.

Ok, So Non-Technical

Alrighty then.  As the above indicated, this article is not going to go into the technical guts of the (now) infamous worm that wreaked havoc and cancelled so many weekend plans.  There have been lots of articles (and a lot of FUD) written about it already.  Much of it by people who do not get paid directly to work with malware.  A quick Google search will show you more than you can ever handle.

People Involved

I wanted to focus some attention on the people involved in dealing with this nasty little worm.  And no, I am not offering biographies on individuals.  Rather, I wanted to say how impressed I was with the infosec community as a whole.  People from all walks of life, different countries, time zones, etc. came together to work on the problem.

Even before the worm started spreading, there were individuals who raised the alarm over the vulnerability that the worm would go on to exploit.  People on Twitter stated that this one would be bad, "our next MS08-067".  I doubt that many of them could have even guessed how much damage would be wrought.

It shouldn't be too surprising.  A vulnerability within a pervasive protocol, which would allow for remote code execution and give an attacker full SYSTEM level control, would be too tempting a target for anyone with malicious intent.  

Added to the mystique was the fact that this flaw was found (and likely utilized) by none other than the NSA, only to be stolen and later released by the ShadowBrokers.

What a perfect storm.  Who'd a thunk it?!?!  Well as we all know, it didn't take long before someone weaponized it, and added a self-replicating ability.  

Throughout the community, people came together to raise the alarm.  Then to analyze the malware and give technical information as to its capabilities.  Then to even work to help neuter the malware with its famous 'kill switch'.  Attribution has been attempted, however I think that effort will go on for a long time to come.

In the meantime, defenders are still working hard to stop the infection, apply patches and help reduce the impact of this worm.

Impact

The impact of the worm will definitely be hard to measure.  We have heard lots of people state that they believe it is the most destructive event in infosec.  I tend to agree.  While I do not have numbers, the ability of the worm to target sensitive files and spread has to give it an edge.  Other worms were definitely more 'disruptive', however many of them still failed to give the lasting impact of having all of your valuable data rendered unrecoverable.

The Future

As I have stated before, let no disaster go unused.  There will be good to come out of this.  

First, the importance of patching and keeping OSes updated will likely not be forgotten easily.  Even in hard-to-patch devices like embedded systems (MRI machines anyone?).  At the very least it gives us a data point to show people what the quantifiable cost of the risk is.

Secondly, our "blue teams'" importance will be cemented within the mindset of C-level executives.  Yes, we may be a 'cost center', however we will firmly be labeled as an important factor in risk reduction.  Again, being able to show, in quantifiable numbers, your value to an organization is KEY to C-level understanding.

Thirdly, the importance of working together, worldwide, has been shown.  We are much stronger standing together and working collaboratively than we are apart.  We can come together and truly have a positive impact on worldwide information security.  My hope is that this realization will empower organizations to open up more, to share information more freely.  To give their employees time (and more importantly money) to go and do those things that do not always benefit the company directly, by helping out the world community.  We are so connected and interdependent on each other that the more we collaborate, the stronger we all become.

A Final

I wanted to express my thanks to several people, but wanted to call one out in particular.  , the individual who (at least at first) accidentally registered the first worm's kill site.  He showed what we should strive for.  He helped out tremendously, and not just for the kill site.  But for his technical analysis of the worm, and even more so for his work coordinating between several global organizations to help protect and help people who were infected.  Added to that was the fact that after being given $10K for his excellent work by @Hacker0x01, he stated it would be split between charities and for education stuff for others.  A true class act!  A beer on me anytime we meet, dude!

Monday, May 8, 2017

World Class or Local Class

Again, apologies for another opinion piece.  Again this one has bugged me for a long time.

Another Ramble

I have been in the infosec field a fairly long time.  In addition, I have put myself out there through postings, email, social media, etc.  So I think it is safe to say I have a fairly large target on me in terms of recruiters and people looking for 'skilled' talent.

One of the trends I have noticed for the past 4 or 5 years has been recruiters calling me up, stating they are looking for 'world class' talent.  Senior skills and people who are hard to find.  Of course they are hard to find.  There are not as many rockstars in any field as there are simple rocks.  Yet, companies continue to insist they want this talent LOCAL to them.

This makes no sense to me.  If you are looking for diamonds, you do not strip mine a whole area determined to find them....  You go where THEY are!  You spend the time and effort to go to where they exist, and work your magic.

Skilled talent, especially at senior levels, is not easy to find, and sometimes impossible to find in your area.  Yet when you find someone, you tell them they have to move.  This is wrong on so many levels.  If you want 'world class' talent, they need to be able to work from anywhere in the 'world'.  Please do not bother me with claims stating how cool your company is, or how you only hire the best, when you refuse to allow them to work from wherever they are.  This is key.

If you do not have a remote work ability, don't waste my time.  Professionals are professionals no matter where they are.  They work hard and have no need for someone to keep looking over their shoulder to ensure they are doing what they are paid for.  Professionals are passionate.  They will be no matter where they are in relation to their boss, director, peers, customers etc.

Final Point

If you are not allowing your professionals to work from anywhere in the world, you are NOT looking for world class talent.  Please stop bothering me and others with your HR shit speaking!  I am good at what I do, VERY good.  If you want me, take me.  If not, GTFO, I'm busy....

Saturday, May 6, 2017

Of Snakeoil and Infosec

To start, apologies for posting another opinion piece.  This topic has been bugging me for a while, and along with a post by another security blogger last week, I felt it needed to be said.

To all infosec vendors, hardware, software, and services....

Please check your grand claims and marketing bullshit at the door.  There is no need for it.  If your product/service is good, we in the community will know it.  We will talk about it.  We will BUY it...  However, if you use terms like 'unhackable', 'unbreakable', '100% secure'....  We will ALSO talk about it, but not in your favor.  Nor will we 'buy' it.  Shit claims like this are why you (and especially your marketing division) are the laughing stock of the rest of the world.

First

NOTHING is unbreakable (Sorry Oracle, you of all companies should know this is BULLSHIT).  If you claim that your product is 100% secure, EXPECT me to test it.  I will, and I will find its flaws.  And of even greater threat, I WILL publish my findings.

The recent article by Scott Helme about nomx (https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/) was the catalyst for me to write this.  Too many times vendors make grand claims to sell blinkenlights.  Products or services to 'solve' the security problem.  If you make the claim, have the balls to back it up, or shut up.  You are directly responsible for your customers' current security issues.  They trust you, believe you, buy into you.  And what do you do?  You sell them snake oil.  Magical cures which, in the end, do more harm than good.

Second

So that brings me to a second point.  If a researcher, or anyone, goes through the work to point out the flaws in your 'widget', man up and respond with respect.  These guys often have more knowledge and have done more work to secure your products than your whole security team.  Responding with threats of litigation, or defamation against their skills or character, will not only NOT win you friends, but will actively turn the community against you.  The best defense is not always a good offense.  It just proves you are an offensive company that should be avoided.

Scott's article is not the only example of such actions being taken.  Infosec history is LITTERED with examples.  (https://www.wired.com/2013/04/ciphercloud-stackexchange/ was a personal favorite).  Even I myself have been accused of making false claims against a company when I exposed a company's claims of 'best of breed' encryption to be rubbish.

Thoughts of a Conclusion

This got me thinking.  Why would a company fight so hard against the community that has conclusively shown their product or service is flawed?  And it hit me....

If you are an honest infosec vendor, you know it's best to work with the community, not against it.  There are thousands of people who would be willing to put forth hard work to help improve security, no matter where it is.  You know it will be worth the effort because the effort is worthwhile.

If you are a snakeoil salesman, a researcher pointing out flaws is threatening you with extinction.  So I can see why you would fight so hard.  Just know, there are no perfect secrets, all truth comes out, and everyone will get what they truly deserve in the end.  Stop before you start, you are not smarter than the rest of the world, we WILL figure you out!