Ask The Experts: Devaluing 0-days

Earlier this week, I heard an awesome speech at Columbus BSides about the economics of Exploit Kits and E-Crime. As a follow-up, I thought it would be worthwhile to ask my fellow MSI co-workers if they felt there was a way to devalue 0day vulnerabilities.

Jim Klun responded with…

I don’t think you can ever really – given how Internet/computer usage has been universally adopted for all human activity – devalue the worth of a 0-day. The only thing I can imagine is making the chance of a 0-day being discovered in an area of computing that really matters as small as possible. So that means forcing – through law – all sensitive infrastructure (public or private) and comm channels to subscribe to tight controls on what can be used and how things can work. With ongoing inspection and fines/jail time for slackers. Really.. don’t maintain your part of the Wall properly, let the Mongols in and get some villages sacked, and its your head.

I would have techs who are allowed to touch such infrastructure (or develop for it) uniformly trained and licensed at the federal level. Formal process would exist for them doing doing 0-day research and reporting. Outsiders can do same…. but if they announce without chance for defensive response, jail.  And for all those who do play the game properly and find 0-days within the reduced space of critical infrastructure/software  – money and honor.

Brent Huston added his view…

Thats a tough question. Because you are asking to both devalue something, yet make it valuable for a different party. This is called market transference.

So for example, we need to somehow change the “incentive” to a “currency” that is non-redeemable by bad guys. The problem with that is – no matter how you transfer the currency mechanism, it is likely that it simply creates a different variant of the underground market.

For example, let’s say we make 0-days for good guys redeemable for a tax credit, so they can turn them into the IRS and get a tax credit in $ for the work… Seems pretty sound…Bad guys can’t redeem the tax credits without giving up anonymity. However – it reenforces the underground market and turns potential good guys into buyers.

Plus, 0days still have intrinsic value – IE other bad guys will still buy them for crime as long as the output of that crime has a value. Thus, you actually might increase the number of people working on 0day research. This is a great example of where market transference might well raise the value of 0days on the underground market (more bidders) and the population attackers looking for them (to sell or leverage for crime).

Lisa Wallace also provided her prospective…

Create financial incentives for the corporations to catch them before release. You get X if your product has no discovered 0-days in Y time.

Last but not least, Adam Hostetler weighed in when asked if incentives for the good guys would help devalue 0days…

That’s the current plan of a lot of big corporations, at least in web apps. I don’t think that really devalues them though. I don’t see any reasonable way to control that without strict control of network traffic, eavesdropping etc, or “setting the information free”.

OpenSSH Patch Released

If you’re using version 5.4-7.1 of OpenSSH, you should install the latest patch as soon as possible. The patch is for a critical vulnerability that can be exploited to reveal private keys to a malicious server. The vulnerability is tied to an undocumented feature called “roaming”. The roaming feature allows an OpenSSH client to resume an interrupted SSH session. If for some reason you’re unable to install the patch at this time, the vulnerable code can also be disabled by inserting “UseRoaming no” into the global ssh_config(5) file or adding “-UseRoaming=no” to the user configuration in ~/.ssh/config.
Despite the fact that this vulnerability is being compared to Heartbleed, it is not quite as severe. Exploiting this vulnerability would require a client to connect to a malicious SSH server. Heartbleed could be exploited by attacking the SSH server directly. However, it is still worth addressing this newly discovered vulnerability as soon as possible.

GRUB2 Authentication Bypass Vulnerability

A vulnerability has been discovered in the GRUB2 boot loader that affects versions dating back to 2009. GRUB2 is the default boot loader for a variety of popular Linux distributions including Ubuntu, Red Hat and Debian. The vulnerability can be exploited by pressing the backspace button 28 times when the boot loader asks for your username. This sequence of keys places the user into a “rescue shell”. An attacker could leverage this shell to access confidential data or install persistent malware.

It’s worth noting that the vulnerability requires access to the system’s console. Even if your organization has proper physical security controls in place, this issue should still be addressed as soon as possible. Ubuntu, RedHat and Debian have already released patches for this vulnerability.

We’re not a target

One of the most frustrating phrases I’ve heard as an IT professional is, “We’re not a target.”

Using HoneyPoint, I have created “fake companies” and observed how they are attacked. These companies appear to have social media profiles, web pages, email servers and all of the infrastructure you would expect to find within their industry. The companies are in a variety of verticals including but not limited to Financial, Energy, Manufacturing and after analyzing the data collected during this process, I can definitively state that if your company has an internet connection, you’re being targeted by attackers.

Within hours of creating a HoneyPoint company, we typically begin to see low-level attacks against common services. These often involve brute-force attacks against SSH or Telnet. Regardless of the fake company’s industry, we’ve noticed that more complicated attacks begin within days of exposing the services and applications to the internet. These have ranged from the attackers attempting to use complicated exploits to the installation of malware.

During our “fake companies” testing, we even “accidentally” exposed critical services such as MSSQL and LDAP to the internet. The attackers were always vigilant, they often attempted to take advantage of these exposures within hours of the change taking place. One of my favorite moments that occurred during this test was watching how quickly attackers started to use an exploit after it was released. In some cases, we noticed the exploit being used within hours of it becoming public. These are both great examples of why it’s worthwhile to have 3rd parties review your infrastructure for vulnerabilities or misconfigurations on a regular basis.

Even if you don’t think your company has anything to “steal”, you still need to take measures to protect your systems. You might not be protecting PHI or Social Security Numbers but you can’t underestimate the bad guys desire to make money. Even if attackers don’t find any data worth stealing, they’ll always find a way to profit from the exploitation of a system. A great example of this occurred last year when it was discovered that attackers were hacking SANs to install software to mine for cryptocurrency. It’s even been reported that attackers are exploiting MySQL servers just to launch Distributed Denial of Service (DDoS) attacks. So, even if your bare metal is worth more than the data it hosts, it doesn’t mean that attackers won’t attempt to use it to their advantage.

The Need For 3rd Party Assessments

     I’ve previously written about the fact that I was MicroSolved customer prior to joining the company as an employee in 2014. Despite the fact my team was running our own vulnerability assessments and penetration tests, I felt it was important that I occasionally hired a MSI to perform these services as well. As sharp as my team was, MSI always was able to provide us with actionable intelligence that we could use to improve our risk posture. Now that I have performed these assessments as a consultant, I have seen first-hand the importance of hiring a 3rd party to assess your network.
     When you support a production network, you can inadvertently grow a set of blinders towards certain portions of the infrastructure. This could be something as simple as forgetting about a subnet or inadvertently ignoring a legacy system. When you bring in a 3rd party to assess your network, you’re going to deal with a team that has no preconceived notions about the systems and can truly look at the infrastructure holistically. As funny as it sounds, their lack of institutional knowledge can be an asset.
     Both as a consultant and as an employee, I’ve seen Managers and Executives that are absolutely shocked by the results of a 3rd party assessment. Despite the fact that they were assured that mechanisms were in place to limit the risk and effectiveness of an attack, the 3rd party identified significant areas of concern. This doesn’t necessarily indicate that the employee was intentionally withholding information. It could be something as simple as them being unaware that a certain system or portion of the network exists.
     As an IT Manager or Executive, you’re forced to place a high level of trust in your team. You can’t monitor and oversee everything. You have to take their word that networks are properly segmented and that systems are being patched. I’m not necessarily stating that you can’t trust your employees. However, I do think that it’s worthwhile to occasionally bring in someone to watch the watchers.

Privacy Concerns With Facebook’s iPhone App

I just wanted to give everyone a quick example of why you should always exercise caution when modifying an application’s privacy settings.

Facebook is rolling out a feature in the US that allows people to automatically identify and share things they’re listening to or watching. It’s important to keep in mind that this leveraging this feature requires that you grant Facebook access to your iPhone’s microphone. This means that Facebook will turn on your microphone every time you write a status update. It is worth considering the sacrifice in privacy compared to the convenience that you gain by leveraging this feature. Is it really worth allowing an organization to hear your conversations just so you can gain the ability to easily share what TV show you’re watching?

Facebook has stated that they do not record or archive these transmissions. However, using this feature requires that you trust that a 3rd-party (Facebook) will handle your data appropriately. Do you really need to provide them with this data? Does it really save you that much time to have your background noise automatically analyzed? These are questions you should ask yourself prior to providing Facebook with this level of access.

Hiring Data Analysts Who Love Security

MSI is growing again! We are interested in talking to folks about a full time position in our Columbus HQ to help our Intelligence Team.

If you dig being heads down with data, performing deep research and chasing threats around the Internet, this is the gig for you! These folks will be focused primarily on threat profiling, research of companies, crime rings and security news from around the world. The job requires you be familiar with Linux,  have an understanding of information security and to be a power user of the Internet. You should also enjoy python, BASH scripting, command line kung fu and staying bleeding edge current on security happenings. Light public speaking on webinars and conference calls, familiarity with the Mac and excellent writing skills are also preferred.

MSI is an interesting place to work. Our team is seriously dedicated to helping our clients. We are known for doing excellent work, thinking outside the box, going deep into a problem and laser focusing on customer success. Our conversations among team members are fast and full of high density data exchange. It is exciting, fulfilling and demanding work, but we do it with joy, precision and mindful innovation!

Sound like something you might enjoy? If so, get in touch. Send your resume and a cover letter that explains why you are the best choice for our team to You can also touch base with me on Twitter if you have questions (@adamjluck). We hope to hear from you if you truly love deep diving on data and hammering out the truth from content all around the web!

Last Week in InfoSec

In case you weren’t able to catch up on the news last week, I’ve published some of the top Information Security stories that were identified by TigerTrax.

Have a great week!


How to pick your next employee

MSI seems to be growing every day. As we bring on new staff, we are working hard to make sure that we maintain our existing corporate culture. It can be difficult to identify whether or not an individual has the necessary traits to be a successful employee. However, it’s important to think of the hiring process as an opportunity rather than a challenge.

The first thing I look for in a new employee is curiosity. To me, this is far more important than intelligence. An employee can always learn about how to support a specific system or perform a process. I think it’s much more important to find an individual that wants to understand WHY we use a specific process or HOW a system works. This is a trait that can’t be taught.

The next thing I look for is the ability to adapt. The Information Technology field changes rapidly. The latest and greatest piece of technology seems to be obsolete soon after it is published. It’s worthwhile to identify an individual that can handle these changes well.

IT professionals typically have to wear many hats. In my short career, I’ve served as an Information Security Officer, Help Desk Manager, Systems Administrator, Penetration Tester, Security Consultant, Infrastructure Manager, Intelligence Engineer and Pre-Sales Engineer. Typically those roles weren’t assigned until after I accepted a position. Due to the frequent shift in responsibilities, an IT professional must be flexible.

You may be wondering how you can spot these traits in an during an interview or by viewing the individual’s resume and LinkedIn profile. To discover a potential employee that is curious, look to see if they list diverse interests. If you’re attempting to identify an employee who has the ability to adapt to changes and remain flexible, look and see if they’ve supported a wide variety of systems and processes during their career.

Finally, it’s important to consider whether or not you enjoy spending time with this person. In some cases, you’ll spend more time with them than your own family. You could discover an employee with all the right traits and skills but will be in a difficult situation if your personalities clash. In short, take some extra time to look past someone’s employment history and discover whether or not they have the skills that can’t be taught.