managing pseudonyms with compartmenalization

Found around Twitter this weekend, I read a blog post by CryptoCypher titled Managing Pseudonyms with Compartmentalization: Identity Management of Personas. It’s been a while since I’ve read an article like this. I’ve talked about being anonymous online many years ago, but rarely have followed through with any sort of rigid process (obviously). Still, it’s a good thing to look into, especially if you have some reason to stay mostly anonymous or just compartmentalize your digital life a bit more.

It’s still hard to be anonymous and hidden online. Even career criminals have problems, as any expose by Brian Krebs will illustrate with gleeful prose. But it’s still a skill that is useful to most anyone, and a little more particularly useful to pen testers. Even if it’s something as benign as an online presence for some company or domain or fake person that is used in phishing or social engineering or red team campaigns.

malformed requests and headers leading to creative http attacks

Excellently detailed post on PortSwigger’s blog during exploration of reverse proxies and other http traffic shenanigans. And I like this shot of reality across the bow:

They also shared that the interception system was originally constructed as part of CleanFeed, a government initiative to block access to images of child abuse. However, it was inevitably repurposed to target copyright abuse.

infosec training might just be a thing, ya know?

Article at DarkReading titled: SIEM Training Needs a Better Focus on the Human Factor. Pretty short article, but has a good point to make.

Training from SIEM vendors is based on how to use their products. This is and should be required to properly use any solution, but it isn’t enough. SIEM is a tool, and the focus must also be on the individual(s) wielding the tool.

By changing the focus to individuals, the core problem can start to be addressed. For example, assume you or another staff member attended training on how to catch the bad guys using a SIEM system. The focus, rather than being on maintaining/using a SIEM product, is on things such as which data sources are important, why they’re important, and how to enrich those data sources so they make more sense, add context, and are more useful. The training may also include various methods to intentionally set up events to automatically send alerts on unauthorized activity. Would this individual not be better equipped to use any SIEM platform?

Yes, to the last question! This is why I believe in knowing how security works. Knowing how the surgical, smaller tools work. And exactly what you’re looking at and looking for. If you know the basics and have a strong foundation, you can probably wield any larger tool with a small amount of time to learn the specifics to that tool. Not only that, but you can even ask about and properly evaluate a new tool better!

I also like a sub-point the author makes by using PowerShell malware detection as an example. Vendors aren’t going to teach an analyst what to look for. You have to learn it elsewhere or figure it out. And that’s not necessarily intuitive. That’s part of the sauce that makes infosec practioners a somewhat advanced profession.

interviews with security leaders

Came across a series of interviews on Misti.com. There are currently 4 parts and might be more. Each part focuses on another professional in infosec: Christy Wyatt CEO of a security firm, Kristy Westphal Security Manager, Summer Craze Fowler Technical Director of Cybersecurity Risk & Resilience, and Georgia Weidman CTO.

They’re all good interviews, but I have to say I like the Westphal interview the best. Some good, pragmatic insights. Though the Fowler interview also has some amazing insight as well!

Focusing on operational resilience rather than solely on cybersecurity is critical. Operational resilience is the ability to achieve objectives before, during, and after a disruptive event, and then return to normal operating condition as quickly as possible. We do not want to protect our digital assets for the sake of protection alone—we are doing this in support of business/organization objectives. Cybersecurity should not be a “bottom up” activity, and it should start with the top organizational mission/objectives. Bridge the gap between business and technology using risk-informed decision making!

quickly loading empire stagers at sc0tfree

This blog post over at sc0tfree talks about real world attacks using a Rubber Ducky. The article focuses on quickly getting Empire loaded. These are pretty sweet, and I like the context offered at the start about what works and doesn’t and why he cares about speed of execution.

When looking for a project to do with a Rubber Ducky, this post is a go-to place. (Note the post also links over to Stagers 101 over at PowerShell Empire.)

I recently watched the National Geographic Breakthrough episode named Cyber Terror which included Jayson Street (and team) attempting to gain access to some banks overseas. I like the part where Jayson recognizes that his engagement is really just about getting access to the USB ports on a system and proving something bad could be done. He just needed something like a “Hello World” notepad to pop up, and record that as proof. He didn’t need a long stager or execution time or strange cmd windows opening to plant a backdoor. But the point is that he could have done that.

recruiters and divulging current salary

LinkedIn is a strange experience when used as a news feed. I feel like I have very little control over what is given to me, and a good 3/4ths of it isn’t really relevant. Plus there’s tons of these little “10 ways to be happy,” posts that, while inspirational, are less impactful when you can get 10 of them per 5 minutes while browsing any social media platform (incidentally, I prefer imgur’s picture formats for quick consumption and favoriting for later).

But sometimes I find interesting inspiration in strange places. For instance, this Forbes article: The Recruiter Got Mad When I Wouldn’t Divulge My Salary. I don’t have a problem with recruiters or divulging what I need to, but the article is a reminder to take charge of yourself in the process, but also be realistic about the recruiter relationship as well. To question questions, and keep everything in context without offering more than is necessary. (I always feel squirmish when talking about my current or past salary. That goes away if we’re talking target or asking salaries, interestingly enough!)

Why the heck is this here? Because it’s relevant to me, and in a professional world, relevant to the greater experience of being in infosec. I’ve had bad interactions with a particular firm or two earlier in my career to the point where I won’t bother them ever again (and believe me, I felt like a bother!). But I’ve had great interactions as well. Kinda like dating or finding jobs, it’s a numbers game as well as a personal effort game.

But really, I wanted to save this link for future attitude encouragement; there’s a certain self-confident-optimism-without-being-arrogent between the lines of this article that I really tapped into. That’s why I’m saving this.

using powershell to pull monthly microsoft patches

A few months ago, Microsoft changed their patching release format, for better or worse. I imagine in 4 years, we’ll consider this for the better. But for now, moving the cheese kinda sucks. Getting monthly patch details is also a bit annoying as it’s more self-serve these days. But it can at least be done, and reports can be quickly pulled for what got released in a current month. For instance, check out PowerShell scripts here and here for some ideas. These do depend on having PowerShell 5 installed which requires an extra step in Windows 7 to get Win7AndW2K8R2-KB3191566-x64.msu (aka Windows Management Framework 5.0) loaded. This will open up the ability to grab things off the PowerShell gallery, aka central repository of cmdlets and scripts. Also needed is an API key, which is free and individually issued. Instructions should be in the first link.

Is this perfect? No. The report is a bit unwieldy and is a reminder of all the various product types you have to track just to answer, “What Windows 7 patches are there?” or “What non OS products are covered?” But getting the data can be very easy, and from there mangling of the information can happen with some custom scripting on the auditor’s end. We also now have to start remembering and talking about CVE or KB numbers rather than the slightly more memorable MSYY- format. At least we got MS17-010 in before the cutover! In addition, rather than just 1 MSYY- number covering 14 IE updates, all 14 updates are now treated separately. This means we now have months where there are 100 updates issued, where before this could be chunked and only called 12 updates. Not a huge deal, mostly just semantics.

Probably the most frustrating part of the update is the rolling Security Update cumulative quality roll-up that happens every month. Every month a packaged OS security roll-up will supersede the previous month’s roll-up. In poorly tested patching implementations, this may mean that a particular system that is not patched might never be over 30 days out of compliance, since every 30 days the old patch is no longer applicable and the new one starts a new clock. It’s a weird setup, but makes sense in a way and I’m sure we’ll get used to it.

retesting and notetaking

Good blog read from pentesterlab.com about retesting in regards to pen tests and report writing. I like the points made about keeping detailed notes, from keeping Burp requests and application-specific output/input to keeping tool-agnostic notes and recreation steps so someone with their own tools can quickly verify/validate.

During my time in the PWK labs, note-taking was highly important. Most of the time, it is done in order to reroot a box later on or to provide detailed information for the lab report that can accompany the exam report. I approached my reports with a few goals.

First, I wanted to be able to follow my own notes to re-root a box 2 days or 2 months from the time those notes were taken. I did end up redoing every box in the labs at least once through my notes alone. Second, I want there to be enough detail to create whatever report I need to create, or help those who have questions about a box in my social media circles. Third, I wanted to create a report that I would be just as good giving to a client as to the OffSec admins for grading. And part of that is making sure that next year when the test is repeated (either by me, a teammate, or a competitor), validation can be done quickly and accurately.

As a consumer of pen test reports, I really want to be able to understand the issue, which requires giving me very clear notes and evidence. And hopefully enough information that I can verify the issue, and validate a fix post-implementation. I also want to make sure my non-technical boss can consume the issue using summaries and higher level language for impact and criticality.

Heck, pen testing isn’t the only place I practice this. During my many years of being a systems admin doing support tickets, I try my best to put as much detail into tickets as I can. I want to make sure if I need to check the ticket again in 8 months, I have everything I need without needing to respend time learning something that is hazy. I want to make sure anyone else who reads the ticket can also piece details together without spending time. And I usually want to help educate whomever submitted the ticket so they can either do better, know what to reference in the future, or maybe just have an idea of what I do for them. 🙂

This is really about three things: documentation skills, communication skills, and empathy to put yourself into a reader’s shoes.

web categorization is just another line of defense

Quickly read and re-read a blog post at MDSec: Categorisation is not a security boundary. The post itself is nice and talks about evading web page category blocking in a few different ways for red teams looking to get phishing attack success.

My problem is the title doesn’t match the content. Nowhere does the post itself back up this title. Yes, you can evade web categories, but I’m not sure anyone is truly saying that web category blocking is insurmountable. Does it protect from a dedicated attacker? No. Does it protect against some 2-month-old watering hole location? Yeah, probably. It helps protect against known things, and probably is more useful to controlling productivity and things you should block for regulation or legal issues, but the control itself isn’t dead. Which is how I read that title. The author even says that, “Domain categorisation can often prove a thorn in the side of many red teams…”

It’s a minor thing, but I also don’t see any alternative solution. (I imagine the alternative somoene would give is deep inspection with magic rather than a domain-matching category allow/deny.) In security, we can poke holes in probably 99% of all controls (often due to the poor implementation of good controls!), but that doesn’t mean we go to the CSO and say these solutions are worthless.

If I wanted to get a little more specific, I don’t think “security boundary” is the proper term to use. I think it’s more of a “line of defense.”

endless supply of red team tips by vincent yiu

Need some inspiration or just some new ideas or thoughts? Red Teaming Tips by Vincent Yiu is an amazing list of tips and hints and tricks and links for both red and blue teams (but mostly red). I have no idea how I’m going to consume all of these… This is the sort of list you could read one of every week and learn what he means, and still never run out of new ideas. Seriously, I need a way to do that and stick to it!

upgrading to fully interactive shells

I really wish I had seen a blog post like, “Upgrading simple shells to fully interactive TTYs,” back when I was still actively taking the PWK/OSCP lab. The scenario of having a non-interactive shell is already maddeningly annoying, but it’s even more frustrating when accidentally killing or otherwise messing up the shell when using a poorly chosen command. I’ll need to set up a box or two to test some of these out on. Maybe grab something compatible off vulnhub.

generation x or a millenial or a xennial?

I was born in 1977. This technically tends to make me part of Generation X, but I have never identified with that at all. I’ve identified more with Millenials, though I would have grown up, gone through highschool, and graduated college well before I had a cell phone of any type in hand. So, I found this article interesting, as I think it makes a good point about this little gap of time between Gen X and Millenials that I greatly identify with: There’s Now a Name for the Micro Generation Born Between 1977-1983. I really like the identifier of having an analog childhood and digital adulthood. Definitely agree with that, as I got my first computer around midway through high school (for writing papers, learning, but mostly I got into Doom), and while video games were a huge part of my childhood, I wouldn’t call that digital to any degree. It was probably not until around late high school that I started “getting online,” and then it was just myself and not part of a social thing with other kids I knew. I hadn’t heard this term before, and just needed to capture it down for future reference.