So before sobering up and leaving Dallas Hackers last night, I did a quick (and inebriated) firetalk on some of the books I’ve read recently and my thoughts. I will update this blog post with a summary of each book and my thoughts on them. However I wanted to get this post up before I hop this flight to Tel Aviv, Israel for a week. Here’s the list. Enjoy!
It’s that time of year again! Andy’s running around like crazy. In the course of 8 days I’ll be doing 4 different talks in 3 different states. Looks like we’re closing out the year with a bang!
- 11/02 – Information Warfare Summit – Addressing Insider Threat (30 min)
- 11/04 – BSides DFW – Golden Ticket Attack with Rainmaker
- 11/09 – Orange County, CA ISSA – Hacker Carpet Bomb: Live Attack Demos
- 11/10 – NTXISSACSC5 – Addressing Insider Threat (60 min)
I’ve got some surprises in store for everyone. Stay tuned!
The other day, my friend and co-worker clued me in on a new attack he found. It worked so well, we had to share it.
As it says on their GitHub page,
Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).
Take a look how simple it is to steal an RDP credential off the network without ever having to touch the victim’s machine. Things like certificates and network level access are important security controls you should implement to protect from attacks like this.
So I’m about to embark on another trip across the US to discuss Cyber Security controls with a bunch of different companies across the West Coast. I’m looking forward to it. However, I absolutely hate packing for trips like this. You never know what exactly life has in store for you, if the weather will cooperate, or if you might spill a ramekin of cocktail sauce down the back of your last nice shirt (true story). So anyways, I’m trying to make it easier on myself by keeping a “living packing list”. I’ll continue to update this list as time goes on with whatever need-to-have items I require while traveling. Anyways, here’s the list so far.
[ ] Dress Shirts
[ ] Slacks
[ ] Dress shoes
[ ] Belt
[ ] Underwear
[ ] Undershirts
[ ] Socks
[ ] Swimsuit
[ ] Shorts
[ ] T-Shirts
[ ] Running Shoes
[ ] Baseball Cap
[ ] Toothbrush/Toothpaste/Floss/Mouthwash
[ ] Shaving Razor/Shaving Cream/Blades
[ ] Comb/Hairbrush
[ ] Hair gel/hairspray
[ ] Nail Clippers
[ ] Deodorant
[ ] Talcum Powder
[ ] Ear Plugs
[ ] Sleep Mask
[ ] Tweezers
[ ] Hand Sanitizer
[ ] Aspirin/Tylenol
[ ] Afrin Nose Spray
[ ] Benadryl
[ ] Pens & Notepad
[ ] Laptop Charger
[ ] Laptop
[ ] Hacking Toolkit
[ ] Business Cards
[ ] Breath Mints
[ ] Dry Erase Markers
[ ] Wireless Mouse (Purposely Vulnerable)
[ ] VGA to HDMI Adapter
[ ] Sunglasses
[ ] Phone Charger
[ ] HooToo Travel Mate
[ ] Roku Stick
[ ] Amazon Dot
[ ] VR Headset
[ ] WifI Hotspot
[ ] Noise-Canceling Headphones.
[ ] Wired Headphones
[ ] Kindle
[ ] iPad
[ ] Watch Charger
[ ] Flashlight
[ ] Umbrella
[ ] USB Battery Pack
[ ] HDMI Cable
It’s a lot, but I’m able to typically carry this all in an average carry on and a brief-case or backpack. Free free to print this packing list as a PDF out as well for your own use.
I know I’m a little late to the game, but I figured I’d share my .02 regarding the most recent, and largest to date data breach…Equifax.
On September 7th, Chairman and and CEO Rick Smith of Equifax had the following video announcement. They discovered “unauthorized access” on July 29th, hired Mandiant, and now are disclosing that the breach jeopardized the personal information of 143 million American consumers’ data…potentially more than half of all Americans. Not good at all. To be specific, they also outlined that 209,000 credit cards were exposed as well as 182,000 people’s Personal Identifiable Information such as names, address, phone numbers, email addresses, etc for example). These were part of their ‘dispute documents’ which were leaked. All we know for sure is that Equifax stated “PII”. This was specific to US, Canadian, and UK consumers.
What makes this worse is that the CFO and two presidents of Equifax’s business units sold share between 3 and four days after the breach was discovered. Equifax reported that these people had no knowledge of the breach and were not subject to insider trading laws. At the same time, SEC filings show the sales worth 1.8 million were not pre-planned. Working for a publically traded company, General rule of thumb, is not to trade when the company creates a blackout period. In the event there is some non-public information they become subject to said blackout period until the announcement is made public. I can’t believe that a breach was detected, Mandiant was contracted, and at no time the CFO wasn’t made aware of this. Incident Response plans almost always notify HR, Finance, Payroll, Legal, and Marketing in the event of a serious incident. Either this is gross negligence or insider trading. Pick one.
An additional note: At this time there is no attribution as to who the attacker(s) are.
Most of you know I work for a particular Privileged Account Security company. It’s sort of hard to unplug for your job when you really love what you do. With that said, sometimes when I’m off the clock, I’ll still work on some pet projects. This is one of them. In CyberArk’s Enterprise Password Vault version 9.7, they introduced a really cool new feature. Privilege Session Manager Remote Desktop Proxy. SysAdmins typically push back on any security control because they tend to introduce hurdles in their day to day operations. Security shouldn’t hinder operations as they’ll tend to be avoided or even worse yet, circumvented. So PSMRDPP was developed to allow for Privilege Sessions to be initiated without having to authenticate and logon to the web interface. Using native RDP tools, you can access your privileged accounts. It’s really cool!
Anyways, I developed a script to build out the RDP links automatically that interface with the PSM Proxy server. It also works with Devolutions Remote Desktop Manager Sorry, only works in the paid version. They crippled the powershell functionality in the free version. Anyways, I’ve put the script up on GitHub. I’m going to continue to improve on the script, but for now you’re welcome to use it. It works great!
Delete Temporary Internet Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
Delete Form Data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
Delete all files and settings stored by Add-ons
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
Date and Time Properties
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl
RunDll32.exe devmgr.dll DeviceManager_Execute
Folder Options – General
RunDll32.exe shell32.dll,Options_RunDLL 0
Folder Options – Search
RunDll32.exe shell32.dll,Options_RunDLL 2
Folder Options – View
RunDll32.exe shell32.dll,Options_RunDLL 7
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1
Mouse Button – Swap left button to function as right
Map Network Drive Wizard
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl
Organize IE Favourites
Open With Dialog Box
Rundll32 Shell32.dll,OpenAs_RunDLL File.ext
Plays a waveform sound
Printer User Interface
Printer Management Folder.
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder
RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl
Stored Usernames and Passwords
Safely Remove Hardware Dialog Box
Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll
RunDll32.exe shell32.dll,Options_RunDLL 1
RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl
Windows Security Center
RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl
Windows Fonts Installation Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL FontsFolder
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl
I’m heading to BSidesLV, DEFCON25, & Blackhat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here’s some standard best practices I try to follow when attending a InfoSec related conference.
- Laptop Behavior
- Do not bring your laptop, unless specifically required. Try only using your your phone connected via VPN.
- Do not leave your laptop unattended at any time.
- Do not check-in your laptop as luggage.
- Turn off WiFi and Bluetooth.
- Printing, scanning, faxing
- Do not print from or scan to your laptops
- Internet access and connectivity
- Unless absolutely necessary for a job function, disable WiFi.
- Disable Bluetooth on your computer and phone.
- Disable NFS connectivity on your phone and computer.
- If Wifi is absolutely required, ONLY use your own provided wifi. I used a JetBack/MiFi and connect ONLY to that device.
- Always use a VPN as soon as you obtain WiFi access.
- Do NOT plug any network cable into the laptop.
- Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
- Document behavior
- Do not work on internal or sensitive documents in public.
So I took a little vacation to a tiny little rock out in the middle of the South Pacific. Isla de Pascua, Rapa Nui, Easter Island…whatever you want to call it, it was amazing. What an incredible time I will never forget. It was a little odd not having phone, internet, or any sort of tether back to society. At the same time, it was really nice to literally be off the grid for some time. However. It’s all done. Break’s over. It’s time to get back in the swing of things.
A day after getting back, I packed up and headed to Denver at the Optiv ES3 summit to do a brand new talk on insider threat. I love the city of Denver, so I’m always happy to get invited back out there. The talk, despite being my first presentation on the topic, went really well. The talk was well attended, and well received. Plus, at the end of the day I got to hang out and talk with Brian Krebs. That was great! I’m planning on heading back out to Denver sometime in August, but until then…there’s a LOT more to be done. (btw – the goatee got a good trip shortly after this picture.)
There’s a lot going on between now and even August. First off, I’ve got to make it out to Phoenix for a few client visits and prep for a round of forums I’m presenting later in Q3. I’ll fly back late Friday night. Then it’s up to Boston this coming Sunday. I’m presenting two new presentations at the CyberArk 2017 Impact Summit in Boston. I’ll be talking on Ransomware. The goal is to focus particularly on the WannaCry and NotPetya ransomworms and defensive strategies to address the next generation of Ransomware. The next talk, is what I’m REALLY excited about. My good buddy Len Noe and I are basically going to carpet-bomb the audience with live demos of real penetration testing tools. A few of the things we plan to demo are the PoisonTap, BashBunny, Inveigh and Responder, the Wifi Pineapple, and my favorite live demo…MouseJack (code injection on a machine not even connected to the network). It’s going to be a lot of fun. I also built one hell of a powerpoint presentation to go along with it. Something like 7 slides and 2.9GB. I rendered the slides as video and have scenes from Hackers playing silently in the background. Whichever breakout presentation gets the highest marks gets to present to the mainstage. Either way, it’s gonna be off the chain!
After Impact, we’ve got the CyberArk Midyear Sales Kickoff. I don’t have any expectations there, other than it’s going to be a lot of work while we’re up there. After that, I have one week back in Dallas (unless something comes up, which it typically does). After that…it’s off to Vegas for Hacker Summer Camp! Woo hoo! For Blackhat, I don’t get to attend, but I actually have to work the event. I absolutely love Blackhat. You get to meet a lot of great and interesting people. After that it’s onward to BSides and DEFCON 25. I’ve been waiting all year for this. As soon as I heard it was at Caesar’s this year, I made sure my room was reserved. Due to my wife’s travel hacking, I have status at Caesars. I get a nice big room (photo below was the last time I stayed at Caesar’s Palace earlier this year at Gartner), access to free services, and the VIP lounge. So…now I have 3 friends staying with me in the room and live video feeds of the talks downstairs if they’re too packed. I’m really looking forward to it.
So yeah, that’s just July. August is gonna be crazy too!