Category Archives: Opinion

Introducing Tomce

Posted on by
6
Today I am thrilled to announce that Tomce Kuzevski has joined the MSI team as an intelligence analyst, working on TigerTrax, analytics and machine learning focused services. I took a few minutes of Tomce’s time to ask some intro questions for you to get to know him. Welcome Tomce, and thanks for helping us take TigerTrax services to the next level! 
 
Q – Tomce, you are new to MSI, so tell the readers the story of how you developed your skills and got your spot on the Intelligence Team.
 
A- Ever since I was a kid, I was always into computers/electronics. I can’t tell you how much money my parents spent on computer/electronics for me, for them only to last a week or so. I would take them apart and put them back together constantly. Or wiping out the hard drive not knowing what I did until later. 
 
Growing up and still to this day, I was always the “go to kid” if someone needed help on computers/electronics which I didn’t mind at all. I enjoyed trying to figure out the issue’s. The way I learned was from failing and trying it myself. From when I was a kid to now, I still enjoy it and will continue to enjoy. I knew I wanted to be in the Computer/IT industry. 
 
I know Adam through a mutual friend of ours. He posted on FB MSI was hiring for a spot on their team. I contacted him about the position. He informed me on what they do and what they’re looking for, which was right up my alley. I am consistently on the internet searching anything and everything. I had a couple interviews with Brent and the team, everything went how it was suppose to. Here I am today about 7 weeks into it and enjoying it! That’s how I landed my spot on the MSI team.
 
Q – Share with the readers the most interesting couple of things they could approach you about at events for a discussion. What kind of things really get you into a passionate conversation?
 
A- I really enjoy talking about the future of technology. Yet, it’s scary and mind blowing at the same time. Being born in the 80’s and seeing the transformation from then to now, is scary. But, laying on the couch holding my iPhone while skyping my cuzin in Europe, checking FB and ordering a pizza all in the palm of my hands is mind blowing. I cant imagine what the world will be like in next 25 years. 
 
 
Q – I know that since joining our team, one of your big focus areas has been to leverage our passive security assessment and Intel engine – (essentially a slice of the TigerTrax™ platform) to study large scale security postures. You recently completed the holistic testing of a multi-national cellular provider. Tell our readers some of the lessons you learned from that engagement?
 
A- I absolutely could not believe my eye’s on what we discovered. Being such a huge telecom company, having so many security issues. I’ve been in the telecom business 5 years prior to me coming to MSI. I’ve never seen anything like this before. When signing up for a new cell phone provider, I highly recommend doing some “digging” on the company. We use our phones everyday, our phones have personal/sensitive information. For this cell phone provider being as big as they are, it was shocking! If you’re looking for a new cell phone provider, please take some time and do some research. 
 
 
Q – You also just finished running the entire critical infrastructures of a small nation through our passive assessment tool to support a larger security initiative for their government. Given how complex and large such an engagement is, tell us a bit about some of the lessons you learned there?
 
A- Coming from outside of the IT security world, I never thought I would see so many security issues at such a high level. It is a little scary finding all this information out. I used to think every company at this level wouldn’t have any flaws. Man, was I wrong! From here on out, I will research every company that I use currently and future. You cant think, “This is a big company, there fine” attitude. You have to go out and do the research.  
 
Q – Thanks for talking to us, Tomce. If the readers want to make contact with you or read more about your work, where can they find you?
 
You can reach me @TomceKuzevski via Twitter. I’am constantly posting Information Security articles thats going on in todays world. Please don’t hesitate to reach out to me. 

State Of Security Podcast Episode 10

Posted on by
5

Episode 10 is now available! 

This time around, we get to learn from the community, as I ask people to call in with their single biggest infosec lesson from 2015. Deeply personal, amazingly insightful and full of kindness to be shared with the rest of the world – thanks to everyone who participated! 

Podcast Episode 9 Available

Posted on by
1

Check out Episode 9 of the State of Security Podcast, just released!

This episode runs around an hour and features a very personal interview with me in the hot seat and the mic under control of @AdamJLuck. We cover topics like security history, my career, what I think is on the horizon, what my greatest successes and failures have been. He even digs into what I do every day to keep going. Let me know what you think, and as always, thanks for listening!

Podcast Episode 8 is Out

Posted on by
1

This time around we riff on Ashley Madison (minus the morals of the site), online privacy, OPSec and the younger generation with @AdamJLuck. Following that, is a short with John Davis. Check it out and let us know your thoughts via Twitter – @lbhuston. Thanks for listening! 

You can listen below:

Just a Quick Thought & Mini Rant…

Posted on by
4

Today, I ran across this article, and I found it interesting that many folks are discussing how “white hat hackers” could go about helping people by disclosing vulnerabilities before bad things happen. 

There are so many things wrong with this idea, I will just riff on a few here, but I am sure you have your own list….

First off, the idea of a corp of benevolent hackers combing the web for leaks and vulnerabilities is mostly fiction. It’s impractical in terms of scale, scope and legality at best. All 3 of those issues are immediate faults.

But, let’s assume that we have a group of folks doing that. They face a significant issue – what do they do when they discover a leak or vulnerability? For DECADES, the security and hacking communities have been debating and riffing on disclosure mechanisms and notifications. There remains NO SINGLE UNIFIED MECHANISM for this. For example, let’s say you find a vulnerability in a US retail web site. You can try to report it to the site owners (who may not be friendly and may try to prosecute you…), you can try to find a responsible CERT or ISAC for that vertical (who may also not be overly friendly or responsive…) or you can go public with the issue (which is really likely to be unfriendly and may lead to prosecution…). How exactly, do these honorable “white hat hackers” win in this scenario? What is their incentive? What if that web site is outside of the US, say in Thailand, how does the picture change? What if it is in the “dark web”, who exactly do they notify (not likely to be law enforcement, again given the history of unfriendly responses…) and how? What if it is a critical infrastructure site – like let’s say it is an exposed Russian nuclear materials storage center – how do they report and handle that? How can they be assured that the problem will be fixed and not leveraged for some nation-state activity before it is reported or mitigated? 

Sound complicated? IT IS… And, risky for most parties. Engaging in vulnerability hunting has it’s dangers and turning more folks loose on the Internet to hunt bugs and security issues also ups the risks for machines, companies and software already exposed to the Internet, since scan and probe traffic is likely to rise, and the skill sets of those hunting may not be commiserate with the complexity of the applications and deployments online. In other words, bad things may rise in frequency and severity, even as we seek to minimize them. Unintended consequences are certainly likely to emerge. This is a very complex system, so it is highly likely to be fragile in nature…

Another issue is the idea of “before bad things happen”. This is often a fallacy. Just because someone brings a vulnerability to you doesn’t mean they are the only ones who know about it. Proof of this? Many times during our penetration testing, we find severe vulnerabilities exposed to the Internet, and when we exploit them – someone else already has and the box has been pwned for a long long time before us. Usually, completely unknown to the owners of the systems and their monitoring tools. At best, “before bad things happen” is wishful thinking. At worst, it’s another chance for organizations, governments and law enforcement to shoot the messenger. 

Sadly, I don’t have the answers for these scenarios. But, I think it is fair for the community to discuss the questions. It’s not just Ashley Madison, it’s all of the past and future security issues out there. Someday, we are going to have to come up with some mechanism to make it easier for those who know of security issues. We also have to be very careful about calling for “white hat assistance” for the public at large. Like most things, we might simply be biting off more than we can chew… 

Got thoughts on this? Let me know. You can find me on Twitter at @lbhuston.

Podcast Episode 7 Now Available

Posted on by
1

The newest version of the State of Security Podcast is now available. You can go the main page here, or listen by clicking on the embedded player below.

This episode features:

This episode is a great interview with Mark “Phork” Carey. We riff on the future of technology & infosec, how machine learning might impact security in the long term, what it was like to build the application-centric web with Sun, lessons learned from decades of hardware hacking and whole lot more! The short for this month is with @pophop, so check out what the self-proclaimed “elder geek” has to say as he spreads some wisdom. Let us know what you think and send in ideas for other folks you would like to hear on the podcast. 

 

Are you hacking!? There’s no hacking in baseball!

Posted on by
4

My Dad called me earlier this week to ask if I heard about the FBI’s investigation of the St. Louis Cardinals. My initial reaction was that the investigation must be related to some sort of steroid scandal or gambling allegations. I was wrong. The Cardinals are being investigated for allegedly hacking into the network of a rival team to steal confidential information. Could the same team that my Grandparents took me to see play as a kid really be responsible for this crime?

After I had time to read a few articles about the alleged hack, I called my Dad back. He immediately asked me if the Astros could have prevented it. From what I have read, this issue could have been prevented (or at least detected) by implementing a few basic information security controls around the Astros’ proprietary application. Unfortunately, it appears the attack was not discovered until confidential information was leaked onto a pastebin site.

The aforementioned controls include but are not limited to:

  1. Change passwords on a regular basis – It has been alleged that Astros system was accessed by using the same password that was used when a similar system was deployed within the St. Louis Cardinals’ network. Passwords should be changed on a regular basis.
  2. Do not share passwords between individuals – Despite the fact that creating separate usernames and passwords for each individual with access to a system can be inconvenient, it reduces a lot of risk associated with deploying an application. For example, if each member of the Astros front office was required to have a separate password to their proprietary application, the Cardinals staff would not have been able to successfully use the legacy password from when the application was deployed in St. Louis. The Astros would also have gained the ability to log and track each individual user’s actions within the application.
  3. Review logs for anomalies on a regular basis – Most likely, the Astros were not reviewing any kind of security logs surrounding this application. If they were, they might have noticed failed login attempts into the application prior to the Cardinals’ alleged successful attempt. They also might have noticed that the application was accessed by an unknown or suspicious IP address.
  4. Leverage the use of honeypot technology – By implementing HoneyPot technology, the Astros could have deployed a fake version of this application. This could have allowed them to detect suspicious activity from within their network prior to the attackers gaining access to their confidential information. This strategy could have included leveraging MSI’s HoneyPoint Security Server to stand up a fake version of their proprietary application along with deploying a variety of fake documents within the Astros’ network. If an attacker accessed the fake application or document, the Astros would have been provided with actionable intelligence which could have allowed them to prevent the breach of one of their critical systems.
  5. Do not expose unnecessary applications or services to the internet – At this point, I do not know whether or not the Astros deployed this system within their internal network or exposed it to the internet. Either way, it’s always important to consider whether or not it is necessary to expose a system or service to the internet. Something as simple as requiring a VPN to access an application can go a long way to securing the confidential data.
  6. Leverage the use of network segmentation or IP address filtering – If the application was deployed from within the Astros internal network, was it necessary that all internal systems had access to the application? It’s always worthwhile to limit network access to a particular system or network segment as much as possible.

Honestly, I hope these allegations aren’t true. I have fond memories of watching the Cardinals win the World Series in 2006 and 2011. I would really hate to see those victories tarnished by the actions of a few individuals. However, it’s important that we all learn a lesson from this..whether it’s your email or favorite team’s playbook…don’t overlook the basic steps when attempting to secure confidential information.

The Mixed Up World of Hola VPN

Posted on by
4

Have you heard about, or maybe you use, the “free” services of Hola VPN?

This is, of course, a VPN, in that it routes your traffic over a “protected” network, provides some level of privacy to users and can be used to skirt IP address focused restrictions, such as those imposed by streaming media systems and television suppliers. There are a ton of these out there, but Hola is interesting for another reason.

That other reason is that it turns the client machine into “exit nodes” for a paid service offering by the company:

In May 2015, Hola came under criticism from 8chan founder Frederick Brennan after the site was reportedly attacked by exploiting the Hola network, as confirmed by Hola founder Ofer Vilenski. After Brennan emailed the company, Hola modified its FAQ to include a notice that its users are acting as exit nodes for paid users of Hola’s sister service Luminati. “Adios, Hola!”, a website created by nine security researchers and promoted across 8chan, states: “Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or “unblocker”, but in reality it operates like a poorly secured botnet – with serious consequences.”[23]

In this case, you may be getting a whole lot more than you bargained for when you grab and use this “free” VPN client. As always, your paranoia should vary and you should carefully monitor any new software or tools you download – since they may not play nice, be what you thought, or be outright malicious. 

I point this whole debacle out, just to remind you, “free” does not always mean without a cost. If you don’t see a product, you are likely THE PRODUCT… Just something to keep in mind as you wander the web… 

Until next time, stay safe out there!

Artificial Intelligence – Let’s Let Our Computers Guard Our Privacy For Us!

Posted on by
6

More and more computer devices are designed to act like they are people, not machines. We as consumers demand this of them. We don’t want to have to read and type; we want our computers to talk to us and we want to talk to them. On top of that, we don’t want to have to instruct our computers in every little detail; we want them to anticipate our needs for us. Although this part doesn’t really exist yet, we would pay through the nose to have it. That’s the real driver behind the push to achieve artificial intelligence. 

Think for a minute about the effect AI will have on information security and privacy. One of the reasons that computer systems are so insecure now is because nobody wants to put in the time and drudgery to fully monitor their systems. But an AI could not only monitor every miniscule input and output, it could do it 24 X 7 X 365 without getting tired. Once it detected something it could act to correct the problem itself. Not only that, a true intelligence would be able monitor trends and conditions and anticipate problems before they even had a chance to occur. Indeed, once computers have fully matured they should be able to guard themselves more completely than we ever could.

And besides privacy, think of the drudgery and consternation an AI could save you. In a future world created by a great science fiction author, Charles Sheffield, everyone had a number of “facs” protecting their time and privacy. A “facs” is a facsimile of you produced by your AI. These facs would answer the phone for you, sort your messages, schedule your appointments and perform a thousand and one other tasks that use up your time and try your patience. When they run across situations that they can’t handle, they simply bring you into the loop to make the decisions. Makes me wish this world was real and already with us. Hurry up AI! We really need you!

Should MAD Make its Way Into the National Cyber-Security Strategy?

Posted on by
Reply

Arguably, Mutually Assured Destruction (MAD) has kept us safe from nuclear holocaust for more than half a century. Although we have been on the brink of nuclear war more than once and the Doomsday clock currently has us at three minutes ‘til midnight, nobody ever seems ready to actually push the button – and there have been some shaky fingers indeed on those buttons! 

Today, the Sword of Damocles hanging over our heads isn’t just the threat of nuclear annihilation; now we have to include the very real threat of cyber Armageddon. Imagine hundreds of coordinated cyber-attackers using dozens of zero-day exploits and other attack mechanisms all at once. The consequences could be staggering! GPS systems failing, power outages popping up, banking software failing, ICS systems going haywire, distributed denial of service attacks on hundreds of web sites, contradictory commands everywhere, bogus information popping up and web-based communications failures could be just a handful of the likely consequences. The populous would be hysterical! 

So, keeping these factors in mind, shouldn’t we be working diligently on developing a cyber-MAD capability to protect ourselves from this very real threat vector? It has a proven track record and we already have decades of experience in running, controlling and protecting such a system. That would ease the public’s very justifiable fear of creating a Frankenstein that may be misused to destroy ourselves.

Plus think of the security implications of developing cyber-MAD. So far in America there are no national cyber-security laws, and the current security mechanisms used in the country are varied and less than effective at best. Creating cyber-war capabilities would teach us lessons we can learn no other way. To the extent we become the masters of subverting and destroying cyber-systems, we would reciprocally become the masters of protecting them. When it comes right down to it, I guess I truly believe in the old adage “the best defense is a good offense”.

Thanks to John Davis for this post.