Upcoming Speaking Engagements!

It’s that time of year again! Andy’s running around like crazy. In the course of 8 days I’ll be doing 4 different talks in 3 different states. Looks like we’re closing out the year with a bang!

I’ve got some surprises in store for everyone. Stay tuned!

Hacking RDP with a MitM Password Attack

The other day, my friend and co-worker clued me in on a new attack he found. It worked so well, we had to share it.
As the tool's GitHub page puts it,

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Take a look at how simple it is to steal an RDP credential off the network without ever having to touch the victim’s machine. Things like certificates and Network Level Authentication are important security controls you should implement to protect against attacks like this.
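The two controls named above are server-side settings on the RDP listener. The following is an added example, not code from Seth or from this post, that audits them on a Windows host and can enforce them. The registry paths, the `Win32_TSGeneralSetting` WMI class and the `Remote Desktop` certificate store are standard Windows locations; the function names `Get-RdpListenerPosture` and `Set-RdpListenerHardened` and the choice of what counts as a finding are this example's own. Run it from an elevated session.

```powershell
# Added example (not from Seth or this blog): audit the local RDP listener for the
# settings that prevent a downgrade-style MitM, and optionally enforce them.
# Function names and the "finding" thresholds are this example's own assumptions;
# the registry keys, values and WMI class are the standard Windows locations.

$RdpTcpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpListenerPosture {
    [CmdletBinding()]
    param()

    $listener = Get-ItemProperty -Path $RdpTcpKey
    # A Group Policy value, when present, overrides the per-listener value.
    $policy = if (Test-Path $RdpPolicyKey) { Get-ItemProperty -Path $RdpPolicyKey } else { $null }

    $securityLayer = if ($policy -and $null -ne $policy.SecurityLayer) { $policy.SecurityLayer } else { $listener.SecurityLayer }
    $nla           = if ($policy -and $null -ne $policy.UserAuthentication) { $policy.UserAuthentication } else { $listener.UserAuthentication }

    # SecurityLayer: 0 = legacy RDP security, 1 = Negotiate, 2 = TLS required
    $layerNames = @{ 0 = 'RDP Security Layer (legacy)'; 1 = 'Negotiate'; 2 = 'TLS required' }

    # Which certificate the listener presents, and whether it is self-signed
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
            Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
    $selfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }

    $findings = @()
    if ($nla -ne 1) {
        $findings += 'NLA not required: the user types credentials before the server has been authenticated'
    }
    if ($securityLayer -ne 2) {
        $findings += "Security layer is '$($layerNames[[int]$securityLayer])': legacy RDP security can be negotiated instead of TLS"
    }
    if ($listener.MinEncryptionLevel -lt 3) {
        $findings += 'MinEncryptionLevel is below High (3)'
    }
    if ($selfSigned) {
        $findings += 'Listener presents a self-signed certificate: clients cannot tell it from an impostor'
    }

    [PSCustomObject]@{
        NlaRequired        = ($nla -eq 1)
        SecurityLayer      = $layerNames[[int]$securityLayer]
        MinEncryptionLevel = $listener.MinEncryptionLevel
        CertificateSubject = if ($cert) { $cert.Subject } else { '(not found in Remote Desktop store)' }
        SelfSignedCert     = $selfSigned
        Findings           = $findings
    }
}

function Set-RdpListenerHardened {
    # Enforces NLA, TLS-only security layer and High encryption on the RDP-Tcp listener.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('RDP-Tcp listener', 'Require NLA, TLS security layer, High encryption')) {
        Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer      -Value 2 -Type DWord
        Set-ItemProperty -Path $RdpTcpKey -Name MinEncryptionLevel -Value 3 -Type DWord
    }
}

# Usage: review the posture first, then apply (drop -WhatIf to make the change).
Get-RdpListenerPosture | Format-List
Set-RdpListenerHardened -WhatIf
```

The self-signed check matters because a downgrade MitM works only if the client cannot tell the impostor's certificate from the real one; a listener certificate issued by your internal CA, trusted by the clients, closes that gap. If the policy key already sets `SecurityLayer` or `UserAuthentication`, change it through Group Policy rather than the listener key, since the policy value wins.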

Equihax…I mean Equifax

What Happened

I know I’m a little late to the game, but I figured I’d share my .02 regarding the most recent, and largest to date data breach…Equifax.

On September 7th, Chairman and CEO Rick Smith of Equifax made the following video announcement. They discovered “unauthorized access” on July 29th, hired Mandiant, and are now disclosing that the breach jeopardized the personal information of 143 million American consumers…potentially more than half of all Americans. Not good at all. To be specific, they also outlined that 209,000 credit cards were exposed, as well as the Personally Identifiable Information of 182,000 people (names, addresses, phone numbers, email addresses, etc.). These were part of their ‘dispute documents’ which were leaked. All we know for sure is that Equifax stated “PII”. This was specific to US, Canadian, and UK consumers.

What makes this worse is that the CFO and two presidents of Equifax’s business units sold shares between three and four days after the breach was discovered. Equifax reported that these people had no knowledge of the breach and were not subject to insider trading laws. At the same time, SEC filings show the sales, worth 1.8 million, were not pre-planned. Working for a publicly traded company, the general rule of thumb is not to trade when the company creates a blackout period. In the event there is some non-public information, they become subject to said blackout period until the announcement is made public. I can’t believe that a breach was detected, Mandiant was contracted, and at no time was the CFO made aware of this. Incident Response plans almost always notify HR, Finance, Payroll, Legal, and Marketing in the event of a serious incident. Either this is gross negligence or insider trading. Pick one.

An additional note: At this time there is no attribution as to who the attacker(s) are.


From left: Equifax executives John Gamble, Rodolfo Ploder and Joseph Loughran.


New Script! – RDP Proxy Link Builder

Most of you know I work for a particular Privileged Account Security company. It’s sort of hard to unplug from your job when you really love what you do. With that said, sometimes when I’m off the clock, I’ll still work on some pet projects. This is one of them. In CyberArk’s Enterprise Password Vault version 9.7, they introduced a really cool new feature: Privileged Session Manager Remote Desktop Proxy. SysAdmins typically push back on any security control because they tend to introduce hurdles in their day-to-day operations. Security shouldn’t hinder operations, as it will tend to be avoided or, even worse, circumvented. So PSMRDPP was developed to allow privileged sessions to be initiated without having to authenticate and log on to the web interface. Using native RDP tools, you can access your privileged accounts. It’s really cool!

Anyways, I developed a script to automatically build the RDP links that interface with the PSM Proxy server. It also works with Devolutions Remote Desktop Manager. Sorry, it only works in the paid version; they crippled the PowerShell functionality in the free version. Anyways, I’ve put the script up on GitHub. I’m going to continue to improve on the script, but for now you’re welcome to use it. It works great!

https://github.com/BinaryWasp/RDPProxyLinkBuilder


Hacker Conference Behavior

I’m heading to BSidesLV, DEFCON 25, & Black Hat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here are some standard best practices I try to follow when attending an InfoSec-related conference.

  1. Laptop Behavior
    1. Do not bring your laptop unless specifically required. Try using only your phone connected via VPN.
    2. Do not leave your laptop unattended at any time.
    3. Do not check-in your laptop as luggage.
    4. Turn off WiFi and Bluetooth.
  2. Printing, scanning, faxing
    1. Do not print from or scan to your laptop.
  3. Internet access and connectivity
    1. Unless absolutely necessary for a job function, disable WiFi.
    2. Disable Bluetooth on your computer and phone.
    3. Disable NFC connectivity on your phone and computer.
    4. If WiFi is absolutely required, ONLY use your own provided WiFi. I use a JetPack/MiFi and connect ONLY to that device.
    5. Always use a VPN as soon as you obtain WiFi access.
    6. Do NOT plug any network cable into the laptop.
    7. Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
  4. Document behavior
    1. Do not work on internal or sensitive documents in public.


Okay, break’s over. Back to work!

So I took a little vacation to a tiny little rock out in the middle of the South Pacific. Isla de Pascua, Rapa Nui, Easter Island…whatever you want to call it, it was amazing. What an incredible time I will never forget. It was a little odd not having phone, internet, or any sort of tether back to society. At the same time, it was really nice to literally be off the grid for some time. However. It’s all done. Break’s over. It’s time to get back in the swing of things.

A day after getting back, I packed up and headed to Denver for the Optiv ES3 summit to do a brand new talk on insider threat. I love the city of Denver, so I’m always happy to get invited back out there. The talk, despite being my first presentation on the topic, went really well. The talk was well attended, and well received. Plus, at the end of the day I got to hang out and talk with Brian Krebs. That was great! I’m planning on heading back out to Denver sometime in August, but until then…there’s a LOT more to be done. (btw – the goatee got a good trim shortly after this picture.)

There’s a lot going on between now and August. First off, I’ve got to make it out to Phoenix for a few client visits and prep for a round of forums I’m presenting later in Q3. I’ll fly back late Friday night. Then it’s up to Boston this coming Sunday. I’m giving two new presentations at the CyberArk 2017 Impact Summit in Boston. I’ll be talking on Ransomware. The goal is to focus particularly on the WannaCry and NotPetya ransomworms and defensive strategies to address the next generation of Ransomware. The next talk is what I’m REALLY excited about. My good buddy Len Noe and I are basically going to carpet-bomb the audience with live demos of real penetration testing tools. A few of the things we plan to demo are the PoisonTap, BashBunny, Inveigh and Responder, the WiFi Pineapple, and my favorite live demo…MouseJack (code injection on a machine not even connected to the network). It’s going to be a lot of fun. I also built one hell of a PowerPoint presentation to go along with it. Something like 7 slides and 2.9GB. I rendered the slides as video and have scenes from Hackers playing silently in the background. Whichever breakout presentation gets the highest marks gets to present on the main stage. Either way, it’s gonna be off the chain!

After Impact, we’ve got the CyberArk Midyear Sales Kickoff. I don’t have any expectations there, other than it’s going to be a lot of work while we’re up there. After that, I have one week back in Dallas (unless something comes up, which it typically does). After that…it’s off to Vegas for Hacker Summer Camp! Woo hoo! For Black Hat, I don’t get to attend, but I actually have to work the event. I absolutely love Black Hat. You get to meet a lot of great and interesting people. After that it’s onward to BSides and DEFCON 25. I’ve been waiting all year for this. As soon as I heard it was at Caesar’s this year, I made sure my room was reserved. Due to my wife’s travel hacking, I have status at Caesars. I get a nice big room (photo below was the last time I stayed at Caesar’s Palace earlier this year at Gartner), access to free services, and the VIP lounge. So…now I have 3 friends staying with me in the room and live video feeds of the talks downstairs if they’re too packed. I’m really looking forward to it.

So yeah, that’s just July. August is gonna be crazy too!

Mastodon

So recently, the InfoSec community has made a mass exodus from Twitter to a new social network. This is an interesting one. Everyone’s moving to Mastodon. Mastodon is a free, open-source social network made up of federated servers. It’s a decentralized platform that doesn’t have a single company running, storing, and manipulating (for commercial gains) your data. Anyone can stand up a Mastodon server, however most simply pick out a server from the long list and participate.

From an end-user perspective, this is a Twitter replacement. It’s very similar in that you have a character limit (albeit a longer one) to work within. Tweets are now called “toots” (yeah…sorry about that). Retweets are now boosts.

I’m still on the fence about the entire thing. I’m afraid it might not have enough traction in the social media market to be successful. However, I’m not going to complain. Rather I’m going to logon and participate. You can find me at Rainmaker@Mastodon.cloud.


More Speaking Events!

More events to add to the calendar:

May 5th – CISO Thought Leadership Forum – Dallas, TX – Panelist on Insider Threat.

May 12-13 – BSides Denver – Denver CO

May 20th – BSides Cincinnati – Cincinnati OH

June 20th – Optiv ES3 – Denver CO

July 12th – CyberArk Impact – Boston MA

In between all this, I’ve got my regular Advisor duties to attend to. Somewhere in all this, I’m taking the wife and kids to Easter Island in the middle of the South Pacific. After this, I think I’m going to take a couple months off to refresh and brush up on some new content.


The Government won’t Protect your Privacy. Here’s how you can do it instead.

Last month Congress passed a resolution overturning an Obama-era FCC rule that mandated ISPs get their customers’ consent before sharing their browsing history with other companies. The rules additionally required ISPs to protect that data from hackers and inform customers of any data breaches.

The resolution was passed by the Senate in a partisan vote and was promptly signed by the President shortly thereafter. I have my own political beliefs and I’ll keep them to myself; the Internet has enough people openly sharing their political opinions. Unlike most, I know I don’t have the whole story on just about every topic, so I’ll keep to the points I do know, and that’s internet security and your privacy.

This is extremely valuable to businesses, but I can’t see how this is a benefit to the American citizen in any way. During the previous elections and debates, at no time was something like this even discussed. I’m disappointed.

From the reading I did, the reason this got passed was because ISPs stated that companies such as Google & Facebook were profiting off their consumers’ browsing habits…so why couldn’t the ISPs? Technically speaking, they’re right. These mega Internet titans aren’t your friends advocating for your privacy. We, the consumer, are the product.

What you don’t see here is that this is just a dog & pony show. None of this really matters. ISPs have been able to sell your web browsing data for quite some time. It’s just something you didn’t realize you signed up for when you blew past the terms of service of your ISP contract. All this proved was that they can continue to do just that.

“The consequences of passing this resolution are clear: broadband providers like AT&T, Comcast, and others will be able to sell your personal information to the highest bidder without your permission. No one will be able to protect you, not even the Federal Trade Commission that our friends on the other side of the aisle keep talking about.”

– Representative Anna Eshoo (D-CA)

Wrong.

I beg to differ. We as tech savvy citizens of the internet do indeed have the ability to protect ourselves. Here are 4 tips I recommend:

  1. Clearing your cookies or your browsing history doesn’t help. They’re tracking the DNS queries and your actual internet traffic. The solution to this is using a Virtual Private Network (VPN for short). In my opinion, this is the best solution for protecting your internet traffic from ISPs. All an Internet service provider will see is encrypted VPN traffic…nothing more. However, you need to trust your VPN, as they’ll see all the data. You need assurance that logs are not kept and your information is not being sent to a third party. I highly recommend Private Internet Access. These guys are legit. It’s very simple to use. They support regular at-home internet access, but also have VPN clients for Android and Apple as well. I don’t go anywhere unless I’m on a VPN.
  2. Don’t use Google. I know it’s so pervasive, it’s hard to get away from. Use search engines like DuckDuckGo.com instead.
  3. Chrome tracks your history even if you use other search engines, so try using a more security-focused web browser that doesn’t phone home to Mountain View or Cupertino, CA. Tor Browser is probably the best known for protecting your privacy, but that can be a little much for some folks. Other browsers I recommend are Comodo Dragon, SRWare Iron Browser, or White Hat Aviator.
  4. Face it, if you sign up for a social network with online marketing, you’re going to be tracked for demographics. I recommend creating multiple profiles with fake data to follow businesses, celebrities, movies…basically anything other than your close friends and family. There’s a new social network called Mastodon that I’ve discovered and I highly recommend. I need to feel it out some more, but I’ll be doing a blog post on Mastodon shortly.

One last takeaway here. I see so many people saying this is Trump’s fault. Partially they’re right. He did sign the resolution. However, the following people share an equal part of the blame: