being the expert or becoming the expert (or not at all)

Read an article this morning, Ten Unmistakable Signs You’ve Stayed At Your Job Too Long, which I thought I would comment on here bullet by bullet, but then I decided that was pretty boring. However, a few points kept bouncing around in my head. They are:

1. As you look ahead at your projects over the next 12 months, you don’t see anything that you haven’t already done a million times before.

4. You know every procedure in your company. You know every piece of software. You know the purpose (and the time and location) of every standing meeting. You know so much that people constantly ask you for advice — but knowing as much as you do, you should have a lot more influence than you have.

5. Your muscles aren’t growing. You can’t even remember the last time you did something really cool at work or learned something powerful. At this point, you are just treading water.

Now, this can easily dive deep into a conversation about innovation and corporate tolerance to (minor) failure. But I wanted to put that aside since that is a topic that is beaten to death (even in my own head). Even talking about corporate culture is a bit out of my scope (though very relevant).

But my main interest was this question:

Do you want an employee (or to be an employee) who is best at what they do and already an expert in their daily tasks, or one who is driven to learn, but not yet necessarily the expert at their daily tasks?

I’ve posted the question elsewhere, and gotten good, thoughtful answers. In the end, I don’t think it terribly matters as long as I’m happy in myself, my job and my progress. Be good at what I learn, and have enough latitude to learn (which implies not necessarily being good yet), with small non-fatal stumbles, when the opportunity arises. It’s possible being an “expert” is the wrong frame of mind to have, like saying your idol for CEO is Steve Jobs, which just isn’t realistic and will ultimately be unrequited.

small list of online paid and some free security training coursewares

Around Q4 2016, I started shopping around for access to some technical learning/courseware sites. The main impetus was to get my own personal learning back on a semi-regular track, and a side purpose of preparation for earning my OSCP. I’ve had these notes floating around in my “training ideas” notes for a while now, and I wanted to get them out, but not lose them. And hey, that’s why I have a blog!

Please note that these are not all-inclusive and the prices may be off (some of them may be 2016 holiday pricing). I have seen some ITProTV courses, but what I went with for myself was PluralSight and LinuxAcademy access. The former I’ll likely keep active, but the latter will be something I probably drop off after 2017. I really like PluralSight’s offerings so far, and LinuxAcademy is going to nicely fulfill some desire to round out my Linux knowledge. I probably have not tried the other paid options enough to comment on them. The free stuff will probably stay in my training ideas/to-do lists in some form or other.

training/courseware sites (prices as of ~Q1 2017)
PentesterAcademy - $99 first month, $39 after; 100 max video plays (can download them, though)
Lynda courses - free 10 day trial, $19.99 or $29.99/mo, latter allows video download
codeacademy.com: python - automate scans - free course, $19.99/mo for extras
securitytube-training - $39/mo
*** ITProTV - courses site, $57/mo
gogotraining - $37.50/mo
pluralsight - $29/mo or $299/yr, free trial for 10 days
cbtnuggets.com - $84/mo, 1 free week
packt - $29.99/mo, ebooks and videos

linux primers: linuxacademy - videos, 7 days free, $29/mo, downloadable audio
pentesterlab.com/bootcamp - exercises and videos, $19.99/mo
Safari Books Online - monthly sub for access
Qwiklabs.com - access
HackingDojo - courses/lab, $99/mo
https://www.hacking-lab.com/index.html

some free courses or training to consume
Metasploit Unleashed - free course
SecurityTube - Buffer Overflows, Assembly/Debugging - free video site
cybrary.it - advanced pen testing (and others) - free
FSU Offensive Computer Security - free course, YouTube vids and slides
SSTEC Tutorials on YouTube (Kali Linux): https://www.youtube.com/channel/UCHvUTfxL_9bNQgqzekPWHtg
Bhargav Tandel Kali and other pen testing channel: https://www.youtube.com/user/bhargavtandel
*** OpenSecurityTraining.info - free, some video, many just slides
linux primers: penguintutor.com - free, text tutorials
linux primers: debian-tutorials.com - blog style

from rob fuller: dumping laps passwords with ldapsearch

From Rob Fuller comes this article on dumping LAPS passwords using ldapsearch. LAPS is a Microsoft solution to manage and randomize local admin passwords on member systems. To do so, these passwords are stored in AD. For old, non-updated LAPS implementations, any user can just read these. Current installations require an extra permission. These permissions usually mean that abusing LAPS is a “win more” type of situation (i.e. you already pwn the domain, so now you can pwn more). But there may be situations where users who are not full admins in AD do administer systems enough to have this access (maybe help desk persons or departmental admins). Also, it’s worth noting this weakness as part of knowing your risk when handing out privileged accounts. For instance, Sam may be given a privileged account, but keep in mind that Sam probably now also has access to read local admin passwords, which may or may not have been knowingly intended. Similarly, if any account that has this access is disclosed/cracked, all these passwords should be changed as well.
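The defender’s side of the same point, as an added example that is not from Rob Fuller’s post: before handing Sam a privileged account, audit which principals can already read the LAPS password attribute, and know how to force a rotation if one of those accounts is compromised. It assumes the LAPS management module (AdmPwd.PS) and the ActiveDirectory module are installed, that you run it as an account able to read OU security descriptors, and that the names in $expected are placeholders for your own domain.

```powershell
# Added example: audit LAPS password readers per OU and flag anything unexpected.
# Find-AdmPwdExtendedRights (from Microsoft's AdmPwd.PS module) reports holders of
# the "read ms-Mcs-AdmPwd" extended right and also of "all extended rights", which
# grants the same read implicitly and is the case people forget about.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Constructed placeholder principals that are *meant* to hold the right.
# Holder strings are assumed to come back in DOMAIN\Name form; adjust to your forest.
$expected = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\LAPS-Readers')

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    foreach ($entry in Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName) {
        $extra = @($entry.ExtendedRightHolders | Where-Object { $expected -notcontains $_ })
        if ($extra.Count -gt 0) {
            # Each row is one OU where someone outside the approved list can read
            # every managed local admin password beneath it.
            [PSCustomObject]@{
                OU      = $entry.ObjectDN
                Holders = ($extra -join ', ')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No unexpected LAPS password readers found.' }

# Response step for the post's last point: if a reader account is disclosed or
# cracked, expire every managed password so LAPS rotates it at the next policy
# refresh. Left commented because it touches the whole domain; uncomment to run.
# Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' |
#     ForEach-Object { Reset-AdmPwdPassword -ComputerName $_.Name }
```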

effort is being made today to groom fake online personas

Most people think of phishing attacks as flash-in-the-pan events; you get a contact that looks like spam, treat it as spam, and delete it. But criminal organizations are becoming better about social engineering via social media these days. And they are taking their time to create fake personas, groom contacts, and eventually gain trust enough to influence a target’s behavior to do something they normally wouldn’t, such as open a file. SecureWorks has one such story posted, and it’s eye-opening to see the amount of effort that an attacker may go through to target a particular person or organization. (Though to be fair, the web cam porn industry has probably been doing this for years, as have ‘revenge porn’ criminals, and state-sponsored espionage since the start of the internet.)

from cnn: networking as an introvert

I normally just get news from CNN and not actual useful advice. But this is two in as many days! Anyway, How do I network if I am an introvert? I’m an introvert. I’m terrible about small talk and I tend to assume more people don’t want to know me or respect my viewpoints. I can always get past that, but it does take time. More time than small interactions usually allow. This article has some great advice that rings of truth.

Fake interaction. I never really thought of “small talk” as “fake interaction,” but I have to admit that phrase is appropriate. Introverts often have an internal personality and their external one is more guarded and is often made to mimic their audience. This then feeds a little bit of the imposter syndrome. As the article suggests, we introverts still should just be ourselves and try to let that guard down a little bit. Life is short, and people do care about us and our opinions and expertise.

Asking questions. Just like in dating, a good way to break the ice or open dialogue for someone who doesn’t “do dialogue” is to ask questions. Most people like talking about themselves, and the attention is a positive feedback loop. Ask questions, interject when possible, and be attentive. This works on pretty much everyone. But what questions to ask? Aren’t all the ice breakers part of that damn small talk that we hate? Well, sometimes. For events, ask what someone does for work. Ask them how they decompress from life in IT/infosec. Ask them something that pertains to the talk you’re waiting on or just saw (did you understand all of that, or that was amazing, I’ve always wanted to…). Offer your name, and if you’re present in online communities, make sure they know that name as well. Even just a small interaction works, and you can then ping them later in the social space. I really like the article’s suggestion of, “What’s your favorite part of your work?” or some variation of it.

Meet fewer people as a goal. Pick people sitting near you or someone else off to the side. Be interested, say hi, and introduce yourself. Consider this like a video game quest. Talk to 3 people at this all-day con that you didn’t know before, get their name and maybe where they work if it is that kind of event. And already be comfortable and ready to divulge your online screenname if you have one. If not comfortable, make one that will be comfortable to give up.

Just meet people. I don’t think introverts should go into “networking” with a specific goal of meeting people for job hookups. That is exactly the sort of fake interaction we’re terrible at doing. Instead, do some networking with the goal of just meeting people and sharing names and some information about each other. That doesn’t need to be faked, and can start that somewhat long road us introverts tread to getting to know someone better.

careerisms to reflect on

Sometimes I read an article and really like it. Sometimes I just like parts of an article. Sometimes I like parts, and really have nothing to say about it, but want to keep it or some soundbites from it around for personal reflection. The article, Career advice you hear all the time that’s actually bunk, is one such source.

“Passion is not something you follow. It’s something that will follow you…”

“…put your head down and focus on becoming so good you can’t be ignored. It’s typically at this point that you’ve gained the leverage needed to shape your working life into a true source of passion.”

Take this advice instead: “Be valuable.”

You’re never hired for your skills or experience alone, she says. Managers hire you to make their lives easier and to make them look good in front of their bosses and clients.

“Meet your deadlines.”

“Leap when opportunity knocks.” (As opposed to only sticking loyally to a company for many years.)

“Build your value” (Rather than building your brand online.)

managing pseudonyms with compartmentalization

Found around Twitter this weekend: a blog post by CryptoCypher titled Managing Pseudonyms with Compartmentalization: Identity Management of Personas. It’s been a while since I’ve read an article like this. I talked about being anonymous online many years ago, but have rarely followed through with any sort of rigid process (obviously). Still, it’s a good thing to look into, especially if you have some reason to stay mostly anonymous or just want to compartmentalize your digital life a bit more.

It’s still hard to be anonymous and hidden online. Even career criminals have problems, as any exposé by Brian Krebs will illustrate with gleeful prose. But it’s still a skill that is useful to most anyone, and a little more particularly useful to pen testers, even if it’s something as benign as an online presence for some company or domain or fake person that is used in phishing or social engineering or red team campaigns.

malformed requests and headers leading to creative http attacks

An excellently detailed post on PortSwigger’s blog exploring reverse proxies and other http traffic shenanigans. And I like this shot of reality across the bow:

They also shared that the interception system was originally constructed as part of CleanFeed, a government initiative to block access to images of child abuse. However, it was inevitably repurposed to target copyright abuse.

infosec training might just be a thing, ya know?

Article at DarkReading titled: SIEM Training Needs a Better Focus on the Human Factor. It’s a pretty short article, but it has a good point to make.

Training from SIEM vendors is based on how to use their products. This is and should be required to properly use any solution, but it isn’t enough. SIEM is a tool, and the focus must also be on the individual(s) wielding the tool.

By changing the focus to individuals, the core problem can start to be addressed. For example, assume you or another staff member attended training on how to catch the bad guys using a SIEM system. The focus, rather than being on maintaining/using a SIEM product, is on things such as which data sources are important, why they’re important, and how to enrich those data sources so they make more sense, add context, and are more useful. The training may also include various methods to intentionally set up events to automatically send alerts on unauthorized activity. Would this individual not be better equipped to use any SIEM platform?

Yes, to the last question! This is why I believe in knowing how security works. Knowing how the surgical, smaller tools work. And exactly what you’re looking at and looking for. If you know the basics and have a strong foundation, you can probably wield any larger tool with a small amount of time to learn the specifics to that tool. Not only that, but you can even ask about and properly evaluate a new tool better!

I also like a sub-point the author makes by using PowerShell malware detection as an example. Vendors aren’t going to teach an analyst what to look for. You have to learn it elsewhere or figure it out. And that’s not necessarily intuitive. That’s part of the sauce that makes infosec practitioners a somewhat advanced profession.

interviews with security leaders

Came across a series of interviews on Misti.com. There are currently 4 parts and there might be more. Each part focuses on a different infosec professional: Christy Wyatt (CEO of a security firm), Kristy Westphal (Security Manager), Summer Craze Fowler (Technical Director of Cybersecurity Risk & Resilience), and Georgia Weidman (CTO).

They’re all good interviews, but I have to say I like the Westphal interview the best. Some good, pragmatic insights. Though the Fowler interview has some amazing insight as well!

Focusing on operational resilience rather than solely on cybersecurity is critical. Operational resilience is the ability to achieve objectives before, during, and after a disruptive event, and then return to normal operating condition as quickly as possible. We do not want to protect our digital assets for the sake of protection alone—we are doing this in support of business/organization objectives. Cybersecurity should not be a “bottom up” activity, and it should start with the top organizational mission/objectives. Bridge the gap between business and technology using risk-informed decision making!

quickly loading empire stagers at sc0tfree

This blog post over at sc0tfree talks about real world attacks using a Rubber Ducky. The article focuses on quickly getting Empire loaded. These are pretty sweet, and I like the context offered at the start about what works and doesn’t and why he cares about speed of execution.

When looking for a project to do with a Rubber Ducky, this post is a go-to place. (Note the post also links over to Stagers 101 over at PowerShell Empire.)

I recently watched the National Geographic Breakthrough episode named Cyber Terror which included Jayson Street (and team) attempting to gain access to some banks overseas. I like the part where Jayson recognizes that his engagement is really just about getting access to the USB ports on a system and proving something bad could be done. He just needed something like a “Hello World” notepad to pop up, and record that as proof. He didn’t need a long stager or execution time or strange cmd windows opening to plant a backdoor. But the point is that he could have done that.

recruiters and divulging current salary

LinkedIn is a strange experience when used as a news feed. I feel like I have very little control over what is given to me, and a good 3/4ths of it isn’t really relevant. Plus there’s tons of these little “10 ways to be happy,” posts that, while inspirational, are less impactful when you can get 10 of them per 5 minutes while browsing any social media platform (incidentally, I prefer imgur’s picture formats for quick consumption and favoriting for later).

But sometimes I find interesting inspiration in strange places. For instance, this Forbes article: The Recruiter Got Mad When I Wouldn’t Divulge My Salary. I don’t have a problem with recruiters or divulging what I need to, but the article is a reminder to take charge of yourself in the process while also being realistic about the recruiter relationship. To question questions, and keep everything in context without offering more than is necessary. (I always feel squeamish when talking about my current or past salary. That goes away if we’re talking target or asking salaries, interestingly enough!)

Why the heck is this here? Because it’s relevant to me, and in a professional world, relevant to the greater experience of being in infosec. I’ve had bad interactions with a particular firm or two earlier in my career to the point where I won’t bother them ever again (and believe me, I felt like a bother!). But I’ve had great interactions as well. Kinda like dating or finding jobs, it’s a numbers game as well as a personal effort game.

But really, I wanted to save this link for future attitude encouragement; there’s a certain self-confident-optimism-without-being-arrogant between the lines of this article that I really tapped into. That’s why I’m saving this.

using powershell to pull monthly microsoft patches

A few months ago, Microsoft changed their patching release format, for better or worse. I imagine in 4 years, we’ll consider this for the better. But for now, moving the cheese kinda sucks. Getting monthly patch details is also a bit annoying as it’s more self-serve these days. But it can at least be done, and reports can be quickly pulled for what got released in a current month. For instance, check out PowerShell scripts here and here for some ideas. These do depend on having PowerShell 5 installed, which on Windows 7 requires an extra step: loading Win7AndW2K8R2-KB3191566-x64.msu (aka Windows Management Framework 5.0). This opens up the ability to grab things off the PowerShell Gallery, aka the central repository of cmdlets and scripts. Also needed is an API key, which is free and individually issued. Instructions should be in the first link.

Is this perfect? No. The report is a bit unwieldy and is a reminder of all the various product types you have to track just to answer, “What Windows 7 patches are there?” or “What non OS products are covered?” But getting the data can be very easy, and from there mangling of the information can happen with some custom scripting on the auditor’s end. We also now have to start remembering and talking about CVE or KB numbers rather than the slightly more memorable MSYY- format. At least we got MS17-010 in before the cutover! In addition, rather than just 1 MSYY- number covering 14 IE updates, all 14 updates are now treated separately. This means we now have months where there are 100 updates issued, where before this could be chunked and only called 12 updates. Not a huge deal, mostly just semantics.
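The self-serve pull described above, as an added example rather than one of the scripts the post links to. It uses Microsoft’s MsrcSecurityUpdates module from the PowerShell Gallery to fetch one month’s Security Update Guide data and answer the “What Windows 7 patches are there?” question by collapsing the per-product, per-CVE rows down to distinct KB numbers. It assumes PowerShell 5+, an MSRC API key (the placeholder below), and that the output property names (FullProductName, CVE, Severity, KBArticle with an ID field) match the module as I know it; the month chosen is a constructed example.

```powershell
# Added example: monthly Windows 7 patch list via the MsrcSecurityUpdates module.
Install-Module -Name MsrcSecurityUpdates -Scope CurrentUser
Import-Module -Name MsrcSecurityUpdates

# Placeholder key: paste your own, and keep real keys out of committed scripts.
Set-MSRCApiKey -ApiKey '<YOUR-MSRC-API-KEY>'

# Month IDs use the yyyy-MMM form; '2017-Apr' is a constructed choice.
$month = '2017-Apr'
$doc   = Get-MsrcCvrfDocument -ID $month

# One row per (product, CVE) pair for everything released that month. This is the
# "unwieldy report" the post mentions; the filtering below is the mangling step.
$affected = Get-MsrcCvrfAffectedSoftware -Vulnerability $doc.Vulnerability `
                                          -ProductTree   $doc.ProductTree

# Keep only Windows 7 product rows (assumed property name: FullProductName).
$win7 = $affected | Where-Object { $_.FullProductName -like 'Windows 7*' }

# Flatten to one row per KB/CVE/product so it can be sorted and grouped.
$rows = foreach ($r in $win7) {
    foreach ($kb in $r.KBArticle) {
        [PSCustomObject]@{
            KB       = $kb.ID
            CVE      = $r.CVE
            Severity = $r.Severity
            Product  = $r.FullProductName
        }
    }
}

# The deployable answer: distinct KB numbers for Windows 7 this month.
$kbs = $rows | Select-Object -ExpandProperty KB -Unique | Sort-Object
"{0}: {1} product/CVE rows collapse to {2} distinct Windows 7 KBs" -f $month, @($win7).Count, @($kbs).Count
$kbs

# Per-KB view: which CVEs each KB closes, useful for prioritising the monthly roll-up.
$rows | Group-Object KB | ForEach-Object {
    [PSCustomObject]@{
        KB   = $_.Name
        CVEs = (($_.Group.CVE | Sort-Object -Unique) -join ', ')
    }
} | Sort-Object KB | Format-Table -AutoSize
```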

Probably the most frustrating part of the update is the rolling Security Update cumulative quality roll-up that happens every month. Every month a packaged OS security roll-up will supersede the previous month’s roll-up. In poorly tested patching implementations, this may mean that a particular system that is not patched might never be over 30 days out of compliance, since every 30 days the old patch is no longer applicable and the new one starts a new clock. It’s a weird setup, but makes sense in a way and I’m sure we’ll get used to it.