Thursday, October 23, 2014

Hacking the Human Firewall -- Social Engineering

"There wouldn't be any carnies if there weren't any rubes." I love that quote.

Mangled English aside, it's an incredibly astute insight. It's attributed to P.T. Barnum, but I've had trouble sourcing it.

As technical security and controls have become more advanced, "traditional" technical exploitation is no longer the preferred vector of attack. Technology has caught up significantly with regard to external network defense.

Unfortunately, much of this is reactive. The educational, budgetary and management threshold for many of these solutions is very high, forcing many technology staffers to dedicate their time and resources to maintaining those controls.

The problem is simple: threats evolve.

While you are making sure that the ingress firewall rules are correct, the logs are recording external attempts at exploitation and you've tested the latest patches, the external attacker is far ahead of you.

I'm always amused watching depictions of "hackers" on television and in film. Buzzwords are thrown out, the hacker has 17 terminal windows with green text flying by, and amazingly the hacker does something in 15 seconds that sends the entire system crashing upon itself. Those cases are exceedingly rare. For every Heartbleed, Stuxnet and Remote File Inclusion discovery, there are thousands of attacks that are simple, low-tech and depend on the user to do the hard work for me.

Ingress firewall rules are extremely important. Patching the system should occur regularly. You should have an IDS implemented. Those are all technical controls that need to be implemented.

I often say, "You can't use a technical control to fix an administrative problem."

Your users are your human firewall. The drawbacks to that are clear:

1. Many times, they're the only line of defense.
2. ...and they're on the front lines.
3. They have discretionary access over data and assets.

It's a recipe for disaster. Every major InfoSec incident you can point to with retailers over the past few years was driven by Social Engineering and client side exploitation at some point, if not entirely.

There are a lot of techniques for performing these actions. Phishing emails, phone calls, physical breaches, out-of-band attacks and public information farming are all used to great effect in these breaches.

There are a few simple rules you can start following to minimize these:

1. Don't post information publicly
2. Carefully curate and guard your online presence
3. Remove discretionary risk management and security from staff members.
4. Scrub metadata in all materials.
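Rule 4 in practice, as an added example that is not code from the original post: the author, last-modified-by and company fields in the docProps parts of an Office Open XML package (.docx/.xlsx/.pptx) are exactly what public information farming harvests, so this lists them and blanks them before a file goes out. The sample document and the list of fields to strip are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep readable prefixes when re-serialising

# Assumed set of properties that identify a person, their account or their employer.
LEAKY = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dc:description"],
    "docProps/app.xml": ["ep:Company", "ep:Manager"],
}

def leaked_fields(data: bytes) -> dict:
    """Return {tag: value} for every non-empty leaky property in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, tags in LEAKY.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for tag in tags:
                el = root.find(tag, NS)
                if el is not None and (el.text or "").strip():
                    found[tag] = el.text
    return found

def scrub(data: bytes) -> bytes:
    """Rewrite the package with the leaky properties blanked; all other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in LEAKY:
                root = ET.fromstring(payload)
                for tag in LEAKY[item.filename]:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()

def read_part(data: bytes, part: str) -> str:
    """Return one part of the package as text (used to confirm non-identifying fields survive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(part).decode("utf-8")

# Constructed sample: only the two metadata parts of a minimal document.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as z:
    z.writestr("docProps/core.xml", '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:title>Q3 Report</dc:title>'
               '<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy></cp:coreProperties>'
               % (NS["cp"], NS["dc"]))
    z.writestr("docProps/app.xml", '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
               '<Company>Acme Corp</Company></Properties>' % NS["ep"])
SAMPLE_DOCX = _buf.getvalue()
```

Run `leaked_fields` over outgoing documents as a pre-publication check; the same approach applies to any zip-based Office file, since all three formats keep their properties in the same two parts.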


Pretty easy list of things to do.

....to be continued...

Friday, October 3, 2014

OSCP - A crash course in brain surgery

Everyone who has gone through the OSCP process has a story to tell.

I had been mulling it over for years, and things kept getting in the way. I always thought of it as the "kali course" or "backtrack course." I was intrigued, but as I've been doing this job for quite a while, I didn't prioritize it.

I wish I did this much, much, much sooner.

Waxing intellectual about the state of the field

Before you go any further, ask yourself why you are doing this and if you have the right tools for this.

Pentesting is "5 minutes of 'fun' and 5 hours of paperwork." If I've trained you, or you've asked me about my job or InfoSec in general, you've heard me say that repeatedly. I'll say it again.

Anyone can break into a server, workstation or network with enough commitment.

Father time is undefeated.

Being a great pentester or infosec specialist means being able to explain an attack, exposure or risk in an easily digestible format. My general rule is that you should be able to hand your report off to a 10 year old and they can understand what needs to be done and why. Your job is not to root every server you touch, trick every user into clicking your phishing emails or make IT staff melt down after commandeering their workstations remotely. Your job is to understand and demonstrate risks to an organization so that they are able to meaningfully act upon your report, improving their security posture.

If you can't explain an attack, prove it was successful, and suggest a remediation based on your knowledge, all while providing the data, documentation and social skills needed to survive a possibly contentious or confrontational hand-off meeting, you are in the wrong business.

You are in a job where if you're doing your job correctly, unfortunately, you're going to be making people look bad. People may (and do) have their employment terminated based on your findings. It's not "fun", "sexy" or even "exciting" most of the time. It's research, documentation and adaptability. It's 30 hour sessions, learning about a subject that takes years of mastery in a few hours. It's like spinning plates in a minefield, except those plates are about 100 yards apart and you're blindfolded.

...that's the 10,000 foot view of your role as a trusted advisor...


There's much more to it than that.

Information Security is big business. It's getting MUCH bigger thanks to a multitude of factors. Regulations, criminals, APTs, media reports and the steady stream of sensationalist news channel fodder are just a few.

With all of that, people are attracted to the business for a variety of reasons. Most of the time the reasons are

  • Money
  • Esteem
  • Knowledge
  • Ego

There's nothing wrong with any of them, necessarily. Expectations are the problem.

You're not going to get incredibly rich in this business. You'll do very well for yourself. If your only motivation is money, you're a risk. Teaching someone without ethics who is also motivated by money how to perform illegal acts in ways that are hard to catch is extremely stupid.

Those folks tend to wash out quickly. They move on to the next "big thing." Even if they're ethical, they're not putting the time in to hone their skills and knowledge.

Esteem, respect? A pentester craves not these things.

As simple as it is to pull off some basic yet devastating attacks, the knowledge to avoid them, remediate them or identify an attack when it's occurring is the one reason you should be taking the course. It's a huge commitment.

I've been doing this for a long time. I thought I was very good at it. If there is anything I've learned in this course, it's to be humble, take some pain, and accept that only through sufferance will true enlightenment occur. ;) Heh, heh, heh.

The good stuff....

If you've made it through all of that, thank you for sticking it out.

From the OSCP site:

"The Offensive Security Certified Professional (OSCP) is the world’s first completely hands on offensive information security certification. The OSCP challenges the students to prove they have a clear practical understanding of the penetration testing process and lifecycle through an arduous twenty four (24) hour certification exam." http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

OSCP is a crash course in brain surgery. Plain and simple. You're handed some materials, run through some extremely focused technical videos, labs and exercises and left to explore a network completely foreign to you with just about every OS flavor you can imagine. You have nothing to go on except for your wits, the skills you brought with you (or learned) and a Kali Linux machine.

A lot of security and IT courses like to overstate how arduous, taxing or comprehensive they are. They like to tell you how relevant they are, how much they're in demand (or will be). Many like to tell you how you're going to become a rockstar after reading a book, memorizing terms and procedures and regurgitating them in a timed multiple choice exam.

I compare those things to watching ER for a few weeks and then calling yourself a cardiologist.

OSCP/Pentesting with Kali is none of those.

I say, without qualification, that OSCP is the single most difficult technical challenge I have ever taken on (....and I do this for a living.)

You're cut loose with a list of initial IPs. All information gathering and enumeration is your job, just like the real world. It's black box pentesting. The goal is to equip you with the same tools the "bad guys" have.

You're going to lose all of your free time. Your spouse is going to forget who you are. You're going to dream about servers and problems. You're going to wake up in the middle of the night with a sore forehead from banging your head on the keyboard. You're going to run to your computer, freshly inspired by something you overlooked, and 8 hours later finally get that /etc/shadow file you covet.

You are going to hate the world.

Luckily, there are great rewards in all of this. There are machines you're going to "pop a shell" on easily and buzzsaw through. They've done a great job of tuning the difficulty and rewards to drive you insane but give you a real sense of achievement when you're done with a machine. You're going to fully understand the insanity, complexity and humility required to do this job. It's grueling.

I do take issue with a few things. The biggest issue I have with the course is the lack of straightforward support from the course designers. The forums are good, the IRC channel is hit and miss and the infamous "try harder" philosophy of providing support is not helpful.

The forums are great as they're archival and a resource without giving anything away. They're very mindful of the overarching theme of "try harder" without being obnoxious about it. You won't get quick responses and you can get a nudge in the right direction.

The IRC channel is a mixed bag. Your best bet is developing a core of folks you trust and that know their stuff. I've found myself helping others without asking questions. I don't want to ask questions or have anything come easy but occasionally I've reached out to others to see what their opinions are. This is key to survival. A fresh perspective and walking away for a few hours will often be beneficial.

You'll find a few folks begging or lying to get more information. I've run into this a few times. I understand a bit more why the "try harder" response is so prevalent. Some people just want the letters or have it handed to them. I polled to see who wanted to discuss PAIN and got a quick response. I was asked what I had found and I pounded it out furiously, anxious to compare notes. The reply: "I got nothing. thanks for the info. that's a good start." I wanted to defenestrate the guy.

(funny sidenote: I jumped back into the channel and saw this person poll again on it. I found who he was discussing with, copy/pasted my conversation and said, "If he tells you any of this, here's where he got it." The reply was hilarious and that idiot was NOT happy with what happened next.)


....to be continued...