Equihax…I mean Equifax

What Happened

I know I’m a little late to the game, but I figured I’d share my .02 regarding the most recent, and largest to date data breach…Equifax.

On September 7th, Chairman and CEO Rick Smith of Equifax made the following video announcement. They discovered “unauthorized access” on July 29th, hired Mandiant, and are now disclosing that the breach jeopardized the personal information of 143 million American consumers…potentially more than half of all Americans. Not good at all. To be specific, they also outlined that 209,000 credit cards were exposed, as well as 182,000 people’s Personally Identifiable Information (names, addresses, phone numbers, email addresses, etc.). These were part of their ‘dispute documents’ which were leaked. All we know for sure is that Equifax stated “PII”. This was specific to US, Canadian, and UK consumers.

What makes this worse is that the CFO and two presidents of Equifax’s business units sold shares between three and four days after the breach was discovered. Equifax reported that these people had no knowledge of the breach and were not subject to insider trading laws. At the same time, SEC filings show the sales, worth 1.8 million, were not pre-planned. Working for a publicly traded company, the general rule of thumb is not to trade when the company declares a blackout period. In the event there is some non-public information, insiders become subject to said blackout period until the announcement is made public. I can’t believe that a breach was detected, Mandiant was contracted, and at no time was the CFO made aware of this. Incident Response plans almost always notify HR, Finance, Payroll, Legal, and Marketing in the event of a serious incident. Either this is gross negligence or insider trading. Pick one.

An additional note: At this time there is no attribution as to who the attacker(s) are.

From left: Equifax executives John Gamble, Rodolfo Ploder and Joseph Loughran.

New Script! – RDP Proxy Link Builder

Most of you know I work for a particular Privileged Account Security company. It’s sort of hard to unplug from your job when you really love what you do. With that said, sometimes when I’m off the clock, I’ll still work on some pet projects. This is one of them. In CyberArk’s Enterprise Password Vault version 9.7, they introduced a really cool new feature: Privileged Session Manager Remote Desktop Proxy (PSMRDPP). SysAdmins typically push back on any security control because controls tend to introduce hurdles in their day-to-day operations. Security shouldn’t hinder operations, because controls that do tend to be avoided or, even worse, circumvented. So PSMRDPP was developed to allow privileged sessions to be initiated without having to authenticate and log on to the web interface. Using native RDP tools, you can access your privileged accounts. It’s really cool!

Anyways, I developed a script to automatically build out the RDP links that interface with the PSM Proxy server. It also works with Devolutions Remote Desktop Manager (sorry, only the paid version; they crippled the PowerShell functionality in the free version). I’ve put the script up on GitHub. I’m going to continue to improve on the script, but for now you’re welcome to use it. It works great!

https://github.com/BinaryWasp/RDPProxyLinkBuilder

Hacker Conference Behavior

I’m heading to BSidesLV, DEFCON 25, & Blackhat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here are some standard best practices I try to follow when attending an InfoSec related conference.

  1. Laptop Behavior
    1. Do not bring your laptop, unless specifically required. Try only using your phone connected via VPN.
    2. Do not leave your laptop unattended at any time.
    3. Do not check-in your laptop as luggage.
    4. Turn off WiFi and Bluetooth.
  2. Printing, scanning, faxing
    1. Do not print from or scan to your laptop.
  3. Internet access and connectivity
    1. Unless absolutely necessary for a job function, disable WiFi.
    2. Disable Bluetooth on your computer and phone.
    3. Disable NFC connectivity on your phone and computer.
    4. If WiFi is absolutely required, ONLY use your own provided WiFi. I use a JetPack/MiFi and connect ONLY to that device.
    5. Always use a VPN as soon as you obtain WiFi access.
    6. Do NOT plug any network cable into the laptop.
    7. Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
  4. Document behavior
    1. Do not work on internal or sensitive documents in public.

Okay, break’s over. Back to work!

So I took a little vacation to a tiny little rock out in the middle of the South Pacific. Isla de Pascua, Rapa Nui, Easter Island…whatever you want to call it, it was amazing. What an incredible time I will never forget. It was a little odd not having phone, internet, or any sort of tether back to society. At the same time, it was really nice to literally be off the grid for some time. However. It’s all done. Break’s over. It’s time to get back in the swing of things.

A day after getting back, I packed up and headed to Denver for the Optiv ES3 summit to do a brand new talk on insider threat. I love the city of Denver, so I’m always happy to get invited back out there. The talk, despite being my first presentation on the topic, went really well. The talk was well attended, and well received. Plus, at the end of the day I got to hang out and talk with Brian Krebs. That was great! I’m planning on heading back out to Denver sometime in August, but until then…there’s a LOT more to be done. (btw – the goatee got a good trim shortly after this picture.)

There’s a lot going on between now and even August. First off, I’ve got to make it out to Phoenix for a few client visits and prep for a round of forums I’m presenting later in Q3. I’ll fly back late Friday night. Then it’s up to Boston this coming Sunday. I’m presenting two new presentations at the CyberArk 2017 Impact Summit in Boston. I’ll be talking on Ransomware. The goal is to focus particularly on the WannaCry and NotPetya ransomworms and defensive strategies to address the next generation of Ransomware. The next talk is what I’m REALLY excited about. My good buddy Len Noe and I are basically going to carpet-bomb the audience with live demos of real penetration testing tools. A few of the things we plan to demo are the PoisonTap, BashBunny, Inveigh and Responder, the Wifi Pineapple, and my favorite live demo…MouseJack (code injection on a machine not even connected to the network). It’s going to be a lot of fun. I also built one hell of a PowerPoint presentation to go along with it. Something like 7 slides and 2.9GB. I rendered the slides as video and have scenes from Hackers playing silently in the background. Whichever breakout presentation gets the highest marks gets to present on the main stage. Either way, it’s gonna be off the chain!

After Impact, we’ve got the CyberArk Midyear Sales Kickoff. I don’t have any expectations there, other than it’s going to be a lot of work while we’re up there. After that, I have one week back in Dallas (unless something comes up, which it typically does). After that…it’s off to Vegas for Hacker Summer Camp! Woo hoo! For Blackhat, I don’t get to attend, but I actually have to work the event. I absolutely love Blackhat. You get to meet a lot of great and interesting people. After that it’s onward to BSides and DEFCON 25. I’ve been waiting all year for this. As soon as I heard it was at Caesar’s this year, I made sure my room was reserved. Due to my wife’s travel hacking, I have status at Caesars. I get a nice big room (photo below was the last time I stayed at Caesar’s Palace earlier this year at Gartner), access to free services, and the VIP lounge. So…now I have 3 friends staying with me in the room and live video feeds of the talks downstairs if they’re too packed. I’m really looking forward to it.

So yeah, that’s just July. August is gonna be crazy too!

Mastodon

So recently, the InfoSec community has made a mass exodus from Twitter to a new social network. This is an interesting one. Everyone’s moving to Mastodon. Mastodon is a free, open-source social network made up of federated servers. It’s a decentralized platform that doesn’t have a single company running, storing, and manipulating (for commercial gains) your data. Anyone can stand up a Mastodon server, however most simply pick out a server from the long list and participate.

From an end-user perspective, this is a Twitter replacement. It’s very similar in that you have a character limit (albeit a longer one) to work within. Tweets are now called “toots” (yeah…sorry about that). Retweets are now boosts.

I’m still on the fence about the entire thing. I’m afraid it might not have enough traction in the social media market to be successful. However, I’m not going to complain. Rather I’m going to logon and participate. You can find me at Rainmaker@Mastodon.cloud.

More Speaking Events!

More events to add to the calendar:

May 5th – CISO Thought Leadership Forum – Dallas, TX – Panelist on Insider Threat.

May 12-13 – BSides Denver – Denver CO

May 20th – BSides Cincinnati – Cincinnati OH

June 20th – Optiv ES3 – Denver CO

July 12th – CyberArk Impact – Boston MA

In between all this, I’ve got my regular Advisor duties to attend to. Somewhere in all this, I’m taking the wife and kids to Easter Island in the middle of the South Pacific. After this, I think I’m going to take a couple months off to refresh and brush up on some new content.

The Government won’t Protect your Privacy. Here’s how you can do it instead.

Last month Congress passed a resolution overturning an Obama-era FCC rule that required ISPs to get their customers’ consent before sharing their browsing history with other companies. The rules additionally required ISPs to protect that data from hackers and inform customers of any data breaches.

The resolution was passed by the Senate in a partisan vote and was promptly signed by the President shortly thereafter. I have my own political beliefs and I’ll keep them to myself; the Internet has enough people openly sharing their political opinions. Unlike most, I know I don’t have the whole story on just about every topic, so I’ll stick to the points I do know, and that’s internet security and your privacy.

This is extremely valuable to businesses, but I can’t see how this is a benefit to the American citizen in any way. During the previous elections and debates, at no time was something like this even discussed. I’m disappointed.

From the reading I did, the reason this got passed was because ISPs stated that companies such as Google & Facebook were profiting off their consumers’ browsing habits…why couldn’t the ISPs? Technically speaking, they’re right. These mega Internet titans aren’t your friends advocating for your privacy. We, the consumer, are the product.

What you don’t see here is that this is just a dog & pony show. None of this really matters. ISPs have been able to sell your web browsing data for quite some time. It’s just something you didn’t realize you signed up for when you blew past the terms of service in your ISP contract. All this proved was that they can continue to do just that.

“The consequences of passing this resolution are clear: broadband providers like AT&T, Comcast, and others will be able to sell your personal information to the highest bidder without your permission. No one will be able to protect you, not even the Federal Trade Commission that our friends on the other side of the aisle keep talking about.”

– Representative Anna Eshoo (D-CA)

Wrong. 

I beg to differ. We as tech savvy citizens of the internet do indeed have the ability to protect ourselves. Here are 4 tips I recommend:

  1. Clearing your cookies or your browsing history doesn’t help. They’re tracking the DNS queries and your actual internet traffic. The solution to this is using a Virtual Private Network (VPN for short). In my opinion, this is the best solution to protecting your internet traffic from ISPs. All an Internet service provider will see is encrypted VPN traffic…nothing more. However, you need to trust your VPN provider, as they’ll see all the data. You need assurance that logs are not kept and your information is not being sent to a third party. I highly recommend Private Internet Access. These guys are legit. It’s very simple to use. They support regular at-home internet access, but also have VPN clients for Android and Apple as well. I don’t go anywhere unless I’m on a VPN.
  2. Don’t use Google. I know it’s so pervasive, it’s hard to get away from. Use search engines like DuckDuckGo.com instead.
  3. Chrome tracks your history even if you use other search engines, so try using a more security-focused web browser that doesn’t phone home to Mountain View or Cupertino, CA. Tor Browser is probably the best known for protecting your privacy, but that can be a little much for some folks. Other browsers I recommend are Comodo Dragon, SRWare Iron, or WhiteHat Aviator.
  4. Face it, if you sign up for a social network with online marketing, you’re going to be tracked for demographics. I recommend creating multiple profiles with fake data to follow businesses, celebrities, movies…basically anything other than your close friends and family. There’s a new social network called Mastodon that I’ve discovered and I highly recommend. I need to feel it out some more, but I’ll be doing a blog post on Mastodon shortly.

One last takeaway here. I see so many people saying this is Trump’s fault. Partially they’re right. He did sign the resolution. However, the following people share an equal part of the blame:

Another Email from Reddit

I should start off by saying I apologize if this isn’t the best forum to ask the following question, or if you get bombarded with these types of requests. I’ve been following /r/CISSP for the last couple weeks as I am planning to begin studying for it after I attempt the ITIL Foundation exam in the next week.

As I’m starting my InfoSec career (I currently have ~2 years work experience), my thought has always been to build a broad foundation of understanding, as I feel to really understand/succeed in Security, it requires an understanding of Networking, System Administration, Management/Business, and Tools. Because of this, I’ve started working toward a variety of certifications, and will slowly start building those foundations up, while working on more specific Security certifications too. I currently hold the following certifications: Cisco: CCNA R&S and Security; CompTIA: Security+, CSA+, and CASP; EC-Council: CEH; Microsoft: MCSA 2k12; Splunk: Power User. I’ve run across your idea of “cert-snowballing” and I think it’s a great idea, and builds somewhat on top of what I was already doing.

I plan on continuing this year and trying to attain the MCSE: Cloud Platform and Infrastructure, as well as the Splunk Certified Admin this year after my CISSP (or in my case, Associate of ISC2). There are a lot of other certs I want to work toward after these: LFCS (CentOS), eJPT, CCNP RS/Sec, VMware, and more. But, I thought I would ask if you had any advice or thoughts on how you might recommend me snowballing my certs as my current job works primarily with Splunk/ACAS(Nessus) and I have the ability to study for a wide variety of technologies, whatever I feel would be useful going forward.

I appreciate you taking the time to read this wall of text, and any thoughts/advice you might have.

Respectfully,

Scott

Hey Scott,

First off, wow. You’ve built quite the collection of certifications and skillsets already. Congratulations. With the credentials you’ve already obtained, you’re already a formidable candidate. With that said, it looks like you have a wide and varying skillset. I think it’s time you dial it in a little and pick a specialization. It appears network security and perhaps SIEM & Analytics might be something you’re interested in focusing on? Honestly, pick what you’re passionate about before anything else. It doesn’t have to be about money. That comes on its own. Figuring out what I want to do long-term is something I’m struggling with myself. I’m trying to decide if I should go for the OSCP or take the CCSP next. I still don’t know what I want to be when I grow up. 🙂

I think additionally, you might want to look into some mentoring. I had some very powerful mentors in the past and wouldn’t be where I am today without them. I’m currently looking to find someone to assist me with taking my career to the next level. I suggest you do the same. https://infosecmentors.net/ is a site I recently discovered. You might want to check that out.

Anyways, my .02: I think you should continue to read /r/cissp and continue to study. However, I think the SSCP would be a better bang for your buck at the moment. You can get the full-fledged certification instead of having to settle for the associate. All the knowledge you’d gain would be applicable to the CISSP anyway. Plus, you can take the remainder of the time to acquire other certifications between now and your 5th year.

Lastly, I think you’d be a really good candidate for a position I’m looking to hire. If you’re interested in working from home, making hella good money, and becoming a thought leader in the industry let me know. I love my job and I think you would too! https://www.cyberark.com/career-search/#!/job_region=35

CFP Submission Template

So while at HouSecCon, I was politely told how bad my CFPs were. The gentleman didn’t pull any punches, but overall he did make some good points. I don’t think I was taking the CFP process seriously as I had no idea what it actually entailed. He said that this was being reviewed by your peers in the industry and you really should put your best foot forward. With that said, he directed me to a few resources to improve my game. This is only part of it.

Here is a really good CFP template I recommend you build off of. I blatantly ripped this off of the BSides Las Vegas site, who subsequently blatantly ripped it off the ShmooCon site.