More Speaking Events!

More events to add to the calendar:

May 5th – CISO Thought Leadership Forum – Dallas, TX. Panelist on Insider Threat.

May 12-13 – BSides Denver – Denver CO

May 20th – BSides Cincinnati – Cincinnati OH

June 20th – Optive ES3 – Denver CO

July 12th – CyberArk Impact – Boston MA

In between all this, I’ve got my regular Advisor duties to attend to. Somewhere in all this, I’m taking the wife and kids to Easter Island in the middle of the South Pacific. After this, I think I’m going to take a couple months off to refresh and brush up on some new content.

 

The Government won’t Protect your Privacy. Here’s how you can do it instead.

Last month Congress passed a resolution overturning an Obama-era FCC rule that required ISPs to get their customers’ consent before sharing their browsing history with other companies. The rules additionally required ISPs to protect that data from hackers and inform customers of any data breaches.

The resolution was passed by the Senate in a partisan vote and was promptly signed by the President shortly thereafter. I have my own political beliefs and I’ll keep them to myself; the Internet has enough people openly sharing their political opinions. Unlike most, I know I don’t have the whole story on just about every topic, so I’ll keep to the points I do know, and that’s internet security and your privacy.

This is extremely valuable to businesses, but I can’t see how this is a benefit to the American citizen in any way. During the previous elections and debates, at no time was something like this even discussed. I’m disappointed.

From the reading I did, the reason this got passed was because ISPs stated that companies such as Google & Facebook were profiting off their consumers’ browsing habits…why couldn’t the ISPs? Technically speaking, they’re right. These mega Internet titans aren’t your friends advocating for your privacy. We, the consumer, are the product.

What you don’t see here is that this is just a dog & pony show. None of this really matters. ISPs have been able to sell your web browsing data for quite some time. It’s just something you didn’t realize you signed up for when you blew past the terms of service of your ISP contract. All this proved was that they can continue to do just that.

“The consequences of passing this resolution are clear: broadband providers like AT&T, Comcast, and others will be able to sell your personal information to the highest bidder without your permission. No one will be able to protect you, not even the Federal Trade Commission that our friends on the other side of the aisle keep talking about.”

– Representative Anna Eshoo (D-CA)

Wrong. 

I beg to differ. We as tech savvy citizens of the internet do indeed have the ability to protect ourselves. Here are 4 tips I recommend:

  1. Clearing your cookies or your browsing history doesn’t help, because your ISP sees your DNS queries and your actual internet traffic, not your browser. The solution to this is using a Virtual Private Network (VPN for short). In my opinion, this is the best solution to protecting your internet traffic from ISPs. All an Internet service provider will see is encrypted VPN traffic…nothing more. However, you need to trust your VPN, as they’ll see all the data. You need assurance that logs are not kept and your information is not being sent to a 3rd party. I highly recommend Private Internet Access. These guys are legit. It’s very simple to use. They support regular at-home internet access, but also have VPN clients for Android and Apple as well. I don’t go anywhere unless I’m on a VPN.
  2. Don’t use Google. I know it’s so pervasive, it’s hard to get away from. Use search engines like DuckDuckGo.com instead.
  3. Chrome tracks your history even if you use other search engines, so try using a more security-focused web browser that doesn’t phone back home to Mountain View or Cupertino, CA. Tor Browser is probably the best known for protecting your privacy, but that can be a little much for some folks. Other browsers I recommend are Comodo Dragon, SRWare Iron Browser, or White Hat Aviator.
  4. Face it, if you sign up for a social network with online marketing, you’re going to be tracked for demographics. I recommend creating multiple profiles with fake data to follow businesses, celebrities, movies…basically anything other than your close friends and family.  There’s a new social network called Mastodon that I’ve discovered and I highly recommend. I need to feel it out some more, but I’ll be doing a blog post on Mastodon shortly.

One last takeaway here. I see so many people saying this is Trump’s fault. Partially they’re right. He did sign the resolution. However, the following people share an equal part of the blame:

Another Email from Reddit

I should start off by saying I apologize if this isn’t the best forum to ask the following question, or if you get bombarded with these types of requests. I’ve been following /r/CISSP for the last couple weeks as I am planning to begin studying for it after I attempt the ITIL Foundation exam in the next week.

As I’m starting my InfoSec career (I currently have ~2 years work experience), my thought has always been to build a broad foundation of understanding as I feel to really understand/succeed in Security, it requires an understanding of Networking, System Administration, Management/Business, and Tools. Because of this, I’ve started working toward a variety of certifications, and will slowly start building those foundations up, while working on more specific Security certifications too. I currently hold the following certifications, Cisco: CCNA R&S and Security; CompTIA: Security+, CSA+, and CASP; EC-Council: CEH; Microsoft: MCSA 2k12; Splunk: Power User. I’ve run across your idea of “cert-snowballing” and I think it’s a great idea, and builds somewhat on top of what I was already doing.

I plan on continuing this year and trying to attain the MCSE: Cloud Platform and Infrastructure, as well as the Splunk Certified Admin this year after my CISSP (or in my case, Associate of ISC2). There are a lot of other certs I want to work toward after these: LFCS (CentOS), eJPT, CCNP RS/Sec, VMware, and more. But, I thought I would ask if you had any advice or thoughts on how you might recommend me snowballing my certs as my current job works primarily with Splunk/ACAS(Nessus) and I have the ability to study for a wide variety of technologies, whatever I feel would be useful going forward.

I appreciate you taking the time to read this wall of text, and any thoughts/advice you might have.

Respectfully,

Scott

Hey Scott,

First off, wow. You’ve built quite the collection of certifications and skillsets already. Congratulations. With the credentials you’ve already obtained, you’re already a formidable candidate. With that said, it looks like you have a wide and varying skillset. I think it’s time you dial it in a little and pick a specialization. It appears network security and perhaps SIEM & Analytics might be something you’re interested in focusing on? Honestly, pick what you’re passionate about before anything else. It doesn’t have to be about money. That comes on its own. Figuring out what I want to do long-term is something I’m struggling with myself. I’m trying to decide if I should go for the OSCP or take the CCSP next. I still don’t know what I want to be when I grow up. 🙂

I think additionally, you might want to look into some mentoring. I had some very powerful mentors in the past and wouldn’t be where I am today without them. I’m currently looking to find someone to assist me with taking my career to the next level. I suggest you do the same. https://infosecmentors.net/ is a site I recently discovered. You might want to check that out.

Anyways, my $0.02: I think you should continue to read /r/cissp and continue to study. However, I think the SSCP would be a better bang for your buck at the moment. You can get the full-fledged certification instead of having to settle for the associate. All the knowledge you’d gain would be applicable to the CISSP anyway. Plus, you can take the remainder of the time to acquire other certifications between now and your 5th year.

Lastly, I think you’d be a really good candidate for a position I’m looking to hire. If you’re interested in working from home, making hella good money, and becoming a thought leader in the industry let me know. I love my job and I think you would too! https://www.cyberark.com/career-search/#!/job_region=35

CFP Submission Template

So while at HouSecCon, I was politely told how bad my CFPs were. The gentleman didn’t pull any punches, but overall he did make some good points. I don’t think I was taking the CFP process seriously, as I had no idea what it actually entailed. He said that this was being reviewed by your peers in the industry and you really should put your best foot forward. With that said, he directed me to a few resources to improve my game. This is only part of it.

Here is a really good CFP template I recommend you build off of. I blatantly ripped this off of the BSides Las Vegas site, who subsequently blatantly ripped it off the ShmooCon site.


Email from Reddit

I like giving back to the InfoSec community. I figure they’ve done so much for me so it’s only fair that I give back as well. As part of that, I moderate /r/CISSP. My goal is to provide up to date study materials, and answer any questions that come my way.

Recently a user reached out to me with a Direct Message. His questions were so relevant that I thought it would be good to post on the blog as well.

I’m the guy from this thread. What languages would be useful for me to learn? I’m learning python through learnpythonthehardway and bash/ssh from overthewire.org, but I don’t really know how I would start to practice for the things I would do in a job. As stated in my thread, I am hoping to get a job in either government or a corporation.

What are some good blogs for CyberSecurity to follow and in general things that I should always keep up to date on pertaining to the field?

How long should I study for SEC+? I was thinking of picking a book around the end of the semester, study through summer and hopefully get the cert in time to put it on my resume for internships in October.

Honestly, if you’re looking to learn a language for a particular cert (specifically the CISSP), I wouldn’t bother. Coding/scripting isn’t part of the Sec+, SSCP, or CISSP. HOWEVER…if you’re looking to get into some more advanced hacking/pentest stuff (GPEN, OSCP, etc.), you can’t go wrong with python. Where you want to go in your career (red/blue/purple) will determine what sort of skillset you should acquire.

SEC+ shouldn’t take you long. I’d say take no more than 30-45 days to study and take the exam. Everyone learns differently. Me? I can’t stand reading. Put a book in front of me and I’ll fall asleep in a matter of minutes. Online video training? That works as long as you keep the keyboard away from me so I can’t alt-tab out and surf reddit or something (oh the irony). Classroom? Oh hell yeah. I’m all about classroom training.

There are a lot of resources online. I’m not much on the infosec blogs. Twitter, however, is where it’s at. It’s the primary social media of infosec practitioners. Podcasts are also a great resource. I personally listen to The CyberWire, Defensive Security, Southern Fried Security, Paul’s Security Weekly, and a few others. Also, check the sidebar on the /r/cissp page. The links there are legit. I swear ITPro.tv and skillset.com are my favorites.

Lastly, where are you based out of? The infosec community is a very close knit group. We look out for each other. I personally know a guy in Dallas that’s looking for a summer intern. Let me know where you’re out of and perhaps I can hook you up.

One other thing that I forgot to mention is that the CISSP requires 5 years of relevant work in the domains to be considered for the certification. Considering that you’re just coming out of school, you’re not going to be even in consideration for the full certification. You’d be getting the Associate. I’d personally wait until you have some more certifications under your belt and more experience in the field before you tackle the CISSP. It’ll come much easier to you as well by that time.

Easy way to stop ransomware!

So I’m here today in Houston at HouSecCon.

Listening to Michael Gough, he had a fantastic idea. It’s near impossible to retrain the end user from double-clicking. Rather, we need to be smart and disassociate the malicious file type from the underlying engine that runs it. This was done OOTB with .ps1 files (they open in Notepad rather than in PowerShell). We should just do the same with all the other file types. This can be done via group policy. For home users, this is not possible. So…I wrote a script to do this for you. Feel free to download it here.

@echo off
rem Run this from an elevated (Administrator) prompt: assoc and ftype write to
rem HKLM\Software\Classes and fail with "Access is denied" otherwise.
echo " ____ "
echo " | _ \ __ _ _ __ ___ ___ _ __ _____ ____ _ _ __ ___ "
echo " | |_) / _` | '_ \/ __|/ _ \| '_ ` _ \ \ /\ / / _` | '__/ _ \ "
echo " | _ < (_| | | | \__ \ (_) | | | | | \ V V / (_| | | | __/ "
echo " |_|_\_\__,_|_| |_|___/\___/|_| |_| |_|\_/\_/ \__,_|_| \___| "
echo " | __ )| | ___ ___| | _____ _ __ "
echo " | _ \| |/ _ \ / __| |/ / _ \ '__| "
echo " | |_) | | (_) | (__| < __/ | "
echo " |____/|_|\___/ \___|_|\_\___|_| "
echo " By: Andy Thompson"
echo " www.MeteorMusic.com"
echo " @R41nM4kr"

rem Map each script extension to a placeholder file type...
assoc .js=poss_bad
assoc .jse=poss_bad
assoc .wsf=poss_bad
assoc .wsh=poss_bad
assoc .hte=poss_bad
assoc .lng=poss_bad
assoc .ps1=poss_bad
assoc .cmd=poss_bad
assoc .bat=poss_bad
assoc .vbs=poss_bad
assoc .vbe=poss_bad
rem ...and make that type open in WordPad instead of the script engine.
rem The path contains spaces, so it is quoted. %%1 (not %1) is required inside a
rem batch file: a bare %1 would be replaced by this script's own first argument
rem instead of being stored literally as the placeholder for the opened file.
ftype poss_bad="C:\Program Files\Windows NT\Accessories\wordpad.exe" "%%1"

echo "Done! Have a great day!"

pause
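As an added example (not the blog’s script or Michael Gough’s), here is the same repointing done from PowerShell directly against the registry, extended with a backup/restore and a check for the per-user UserChoice override that Explorer honours over HKCR. The extension list is the one from the script above; the backup file location and the viewer path are my choices.

```powershell
# Added example, not the blog's script. Run elevated: HKCR writes land in HKLM\Software\Classes.
$Extensions = '.js','.jse','.wsf','.wsh','.hte','.lng','.ps1','.cmd','.bat','.vbs','.vbe'
$ProgId     = 'poss_bad'
# Unlike in a .bat file, %1 needs no doubling here; PowerShell does not expand it.
$Viewer     = '"C:\Program Files\Windows NT\Accessories\wordpad.exe" "%1"'
$BackupFile = Join-Path $env:ProgramData 'assoc_backup.json'   # assumed location

function Backup-Associations {
    # Save each extension's current ProgID (the default value of HKCR\<ext>) so it can be restored.
    $state = @{}
    foreach ($ext in $Extensions) {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext"
        $state[$ext] = if (Test-Path $key) { (Get-Item $key).GetValue('') } else { $null }
    }
    $state | ConvertTo-Json | Set-Content -Path $BackupFile
    return $state
}

function Set-ViewerAssociations {
    Backup-Associations | Out-Null
    # "ftype poss_bad=..." equivalent: a ProgID whose open verb launches WordPad.
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-Item -Path $cmdKey -Value $Viewer
    foreach ($ext in $Extensions) {
        # "assoc .ext=poss_bad" equivalent.
        $key = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
        Set-Item -Path $key -Value $ProgId
    }
}

function Restore-Associations {
    $state = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($ext in $Extensions) {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext"
        $old = $state.$ext
        if ($old) { Set-Item -Path $key -Value $old }
        else      { Remove-Item -Path $key -Recurse -ErrorAction SilentlyContinue }  # had no mapping before
    }
    Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\$ProgId" -Recurse -ErrorAction SilentlyContinue
}

function Get-UserChoiceOverrides {
    # Caveat: for double-clicks Explorer prefers the per-user UserChoice ProgID over
    # HKCR, so any extension reported here will still open with the user's choice.
    foreach ($ext in $Extensions) {
        $uc = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        if (Test-Path $uc) {
            [pscustomobject]@{ Extension = $ext; UserChoice = (Get-ItemProperty -Path $uc).ProgId }
        }
    }
}

Set-ViewerAssociations
Get-UserChoiceOverrides | Format-Table -AutoSize
```

Run `Restore-Associations` from the same session to put the original mappings back.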

 

Preventing PTH with Two Small Checks.

I read harmj0y’s blog over the weekend and he had some killer points I wanted to share with you all. More than anything, just some major takeaways from this.

KB2871997 – Microsoft’s attempt to block pass the hash. More than anything it just complicates PTH rather than resolving it: it does a lot of good things to help prevent it, but doesn’t resolve the issue. The patch created two new SIDs that can be used with group policy to block local admin accounts from remote login (with one large exception). Any authenticated user to AD can enumerate policies to see if this is enabled on a client’s network. PTH for local accounts, with the exception of the RID 500 (local built-in administrator) account, is blocked.

The whole point of the article is twofold:

  1. It’s not the group policy that’s actually blocking the PTH of local accounts (though the other stuff is good), but rather “token filtering”. This applies to all local admin accounts with the exception of the RID 500 (built-in local admin) account, as it runs in a non-filtered state. Meaning, you can still PTH with the built-in local admin account.
  2. The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy (which doesn’t exist by default) set to 1 grants high-integrity sessions to all remote connections, thus enabling PTH of all local accounts. MS actually suggests doing this in a number of places (which is really a bad idea):

So…..

KB2871997 = Good
LocalAccountTokenFilterPolicy = Bad

 

Check for these things next time you’re dealing with a client.
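As an added example (not harmj0y’s code or the blog’s), a PowerShell check for those two items on the local box, plus the group-policy side of KB2871997: whether the two well-known SIDs the update added (S-1-5-113, Local account, and S-1-5-114, Local account and member of Administrators) actually appear in the deny-remote-logon rights. Function names and the temp file path are mine.

```powershell
# Added example, not harmj0y's code or this blog's. Run elevated (secedit needs it).

function Test-LocalAccountTokenFilterPolicy {
    # Absent (the default) means remote logons with local admin accounts get a filtered,
    # medium-integrity token, so PTH with those accounts fails (RID 500 excepted).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($null -eq $v) { return 'not set (default): token filtering on - good' }
    if ($v -eq 1)     { return 'set to 1: remote logons get full tokens, PTH with any local admin works - bad' }
    return "set to $v (unexpected value, treat as not filtered)"
}

function Test-Kb2871997 {
    # Windows 8.1 / Server 2012 R2 (6.3) and later ship the behaviour; older builds need the update.
    $osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
    if ($osVersion -ge [Version]'6.3') { return 'built into this OS version' }
    if (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue) { return 'KB2871997 installed' }
    return 'KB2871997 missing'
}

function Test-LocalAccountLogonDeny {
    # Export the effective local security policy and look for S-1-5-113 / S-1-5-114
    # in the deny-network-logon and deny-RDP-logon rights.
    $cfg = Join-Path $env:TEMP 'secpol_export.inf'   # assumed temp path
    secedit /export /cfg $cfg /quiet | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $result = [ordered]@{}
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $result[$right] = [bool]($line -and ($line -match 'S-1-5-11[34]'))
    }
    return $result
}

# Summary, one line per check
"LocalAccountTokenFilterPolicy : $(Test-LocalAccountTokenFilterPolicy)"
"KB2871997                     : $(Test-Kb2871997)"
$deny = Test-LocalAccountLogonDeny
foreach ($k in $deny.Keys) {
    $verdict = if ($deny[$k]) { 'local-account SIDs denied - good' } else { 'no local-account SID - gap' }
    "{0,-30}: {1}" -f $k, $verdict
}
```

The Test-Kb2871997 result matters only on Windows 7 / Server 2008 R2 era hosts; on newer builds the token-filtering behaviour is present regardless of the hotfix list.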

Oh yeah, at the end, he states that unique creds render this whole point moot. He mentions LAPS, which is fine…but whatever…

What he doesn’t mention is that PTH is still a huge issue with DOMAIN accounts.

Yes, I do work for a Privileged Account Security Company, so I am biased here. As long as domain accounts are being managed in a responsible way, that’s all I care about. This is where pushing the functional model of privileged accounts really proves its value in preventing pass the hash attacks.  I’ll probably go into further depth on that topic in a later blog post.

Also, harmj0y is the MAN. Main creator and contributor for PowerShell Empire, Veil-Framework, and BloodHound. The guy is a legend and deserves much respect.

Thanks and have a great week.

GIAC – GPEN Certified!

I took my GPEN certification exam on Thursday and I passed. I was rather nervous, to be honest, about the exam, considering two of my fellow co-workers struggled with it. I waited until the very last day to take the exam and I’m glad I did. Luckily I scored a 91%. Even though it was open book, it was a doozy of an exam. I had my notes, index, and the texts to work from…and it was still a challenge. TBH – I’m really proud of my index (no I won’t share it with you). It looks like a unicorn threw up on a notebook, but it had just about everything I needed. I’m also excited because I scored high enough to be in the advisory council and to possibly be a SANS mentor! I’m very humbled and honored!

Just a little tip though: I won’t go into specifics, but I would advise anyone taking the exam to brush up specifically on the netcat switches and really learn scapy backwards and forwards. Not only will it help you with the exam, but I’ve found myself using both tools in my day-to-day roles a lot now.

So…what’s the first thing I do now that I don’t have a certification deadline looming over me? Go pick out another cert to tackle. My wife tells me that I’m goal driven. I need a goal to strive for if I want to be productive. At this point I’m strongly considering either the CCSP from (ISC)2 or one of the Amazon certifications. I need to skill-up on cloud a little bit before I go after the OSCP. So let me know. What do you think? What certification should I go after next?

 

One last thing….

 

Dearest people outside of the realm of InfoSec,

Someone mentions the word ‘Penetration’ in proper context, and you folks lose your damn minds. Get your heads out of the gutter. Thanks.

Speaking Engagements!


So, I’m going to be a little busy the next few weeks. Not entirely sure how many gigs I’ve got booked, but here’s my speaking calendar booked out so far…

Oh yeah, sometime between all of this I’m doing my regular job responsibilities and studying for my GPEN. Wish me luck!

Cloudflare Leaks data from potentially millions of sites. #CloudBleed

 

So when Tavis Ormandy from Google’s Project Zero called out Cloudflare last week, it perked my interest. I knew SOMETHING was up. What exactly…no idea. I’m not a genius like Tavis. Tavis discovered a memory leak at Cloudflare leaking information from all sites that use Cloudflare’s service. That’s over two million sites. Not two million passwords…two million websites!

Cloudflare has since fixed the problem…literally hours after the issue was disclosed. What concerns me is that this has been leaking information since September of last year. Cloudflare has made an official announcement and published lessons learned. That’s great. However, what’s concerning is that it hasn’t released, and probably won’t release, a list of all the affected sites. I guarantee many of these sites never will, either. Some of the more notable sites are:

Uber.com
okcupid.com
Authy.com
Fitbit.com
account.leagueoflegends.com
4chan.org
patreon.com
medium.com
coinbase.com
Glassdoor.com
Fiverr.com
Adafruit.com

and many many many more…

For a full list of all the compromised and potentially compromised sites, check out this GitHub page or download the full list (22 MB).

So what now? Really, it’s better to just go ahead and change all your passwords. That’s right…all of them. Make sure your passwords are UNIQUE and complex. Use a password manager like LastPass or KeePass, or if you’re an enterprise organization, I hear CyberArk is pretty good. 🙂