With all that self promotion bullshit behind me, I’d like to address some of you that have made claims of my move to the dark side (vendor). I am still the guy who goes by the mantra of “Don’t Buy Shit!”, and that will never change. I for one strongly believe in the proven flow of People, Processes, Technology. There has been a lot of debate back and forth on the concept of the inexperienced CISO, regardless of what side of the fence you are on you must at least acknowledge that we have a serious problem in the industry.

 ”After a breach the right thing to ask your vendor for is the morning after pill not a condom.”

While I am fairly new to the industry in terms of marketing and sales, I am just appalled at some of the expectations inexperienced CISOs make of vendors. I am almost willing to believe that shady vendor practices were born through shady client requests. We are all in the business of making money, and I get it. If you don’t take the clients money then someone else will. As greedy as we are as individuals, we provide almost no value to the consumer and the industry as a whole when we engage in these types of practices.

As security professionals we are used to money getting tossed our way after an incident… I like to call them reactionary dollars which are for the most part used to bring a feeling of warmth and goodness to the cockles of C level individuals. The question remains how much faith is too much to put in the hands of your vendors? Without a thorough analysis of the inner workings of your organization, it is impossible for any external entity to make recommendations on where your reactionary dollars are best spent.

A recent incident at an organization has led the CISO to reach out with an open ended request, that for the shadier vendor would instantly shine dollar signs. “We think we might of had a breach, we’re not sure when, how or why, but we need you to come here and monitor the network for everything”

How do you approach that? Do you take advantage of the organization and sell them your (Insert magic Anti-Apt, Blinky, Cyber Monitoring Unicorn Here)? Who is really to blame for the path our industry has taken when it comes to magic?

An experienced CISO would take a step back and first determine the problem. Identify weaknesses in his processes and take steps to remediate and implement an effect risk management program. This is where experience comes into account and will allow your organization to make strategic decisions based on risk and not based on fear, uncertainty and doubt. Reactionary dollars will run out and when they do can you definitively say that you have done what you could to reduce your organizations’ exposure?

In a perfect world you would have infinite resources to implement security controls that address every potential threat against your organization. This is not a perfect world. and resources are limited. Don’t rely on your product vendors to tell you where you need to spend your dollars. Every organization will in some way shape or form be popped.. It’s the cost of doing business in the global economy, and as such we must adapt to the threat and act accordingly. As an organization you need to depend on your CISO to keep a level head and make informed decisions both day to day and during a breach. If your CISO doesn’t understand that warm and fuzzies aren’t bottled by (insert product vendor here), then use the incident to reconsider the strategy for the position.

The excerpt below has a statement which we know is false according to the release last week. “According to the Missouri Sheriff’s Association Executive Director Mick Covington tells KHQA that the most the hackers got from their organization were email addresses” Original

According to the release txt the release will contain

The booty contains: 

   [*] Over 300 mail accounts from 56 law enforcement domains
   [*] Missouri Sheriff account dump (mosheriffs.com)
       7000+ usernames, passwords, home addresses, phones and SSNs
   [*] Online Police Training Academy files
       PDFs, videos, HTML files
   [*] "Report a Crime" snitch list compilation (60+ entries)
   [*] Plesk plaintext server passwords (ftp/ssh, email, cpanel, protected dirs)

This latest release potentially puts the lives of many innocent civilians in harms way.. The following is an an excerpt of an informants e-mail to MN police.

Name:
Email: 

I live at XXXXXX The home from standing in my front lawn
looking at the road using the clock method is at 10 oclock I am only
using this because they dont have numbers on the house. They have all
different types of cars comming and going at different times of day
and night. They dont stay longer that 5 minutes most shorter than
that. I cant prove any of it but if I were to guess they deal drugs
out of the home. I am not sure if this will help but I wanted to
report it any way. I put my name up but do want to remain anonymous
so no retaliation or fights with the neighbors.

An attack of this nature was made easier because all 70 Domains were hosted on
a single system. Looking through the release that was posted
appears that although the servers each had what appears to be there own
authentication files, they were easy to pull once access was obtained.

Over 70 US law enforcement institutions were attacked including:

20jdpa.com, adamscosheriff.org, admin.mostwantedwebsites.net,
alabamasheriffs.com, arkansassheriffsassociation.com,
bakercountysheriffoffice.org, barrycountysheriff.com, baxtercountysheriff.com,
baxtercountysherifffoundation.org, boonecountyar.com, boonesheriff.com,
cameronso.org, capecountysheriff.org, cherokeecountyalsheriff.com,
cityofgassville.org, cityofwynne.com, cleburnecountysheriff.com,
coahomacountysheriff.com, crosscountyar.org, crosscountysheriff.org,
drewcountysheriff.com, faoret.com, floydcountysheriff.org, fultoncountyso.org,
georgecountymssheriff.com, grantcountyar.com, grantcountysheriff-collector.com,
hodgemansheriff.us, hotspringcountysheriff.com, howardcountysheriffar.com,
izardcountyar.org, izardcountysheriff.org, izardhometownhealth.com,
jacksonsheriff.org, jeffersoncountykssheriff.com, jeffersoncountyms.gov,
jocomosheriff.org, johnsoncosheriff.com, jonesso.com, kansassheriffs.org,
kempercountysheriff.com, knoxcountysheriffil.com, lawrencecosheriff.com,
lcsdmo.com, marioncountysheriffar.com, marionsoal.com, mcminncountysheriff.com,
meriwethercountysheriff.org, monroecountysheriffar.com, mosheriffs.com,
mostwantedgovernmentwebsites.com, mostwantedwebsites.net,
newtoncountysheriff.org, perrycountysheriffar.org, plymouthcountysheriff.com,
poalac.org, polkcountymosheriff.org, prairiecountysheriff.org,
prattcountysheriff.com, prentisscountymssheriff.com, randolphcountysheriff.org,
rcpi-ca.org, scsosheriff.org, sebastiancountysheriff.com, sgcso.com,
sharpcountysheriff.com, sheriffcomanche.com, stfranciscountyar.org,
stfranciscountysheriff.org, stonecountymosheriff.com, stonecountysheriff.com,
talladegasheriff.org, tatecountysheriff.com, tishomingocountysheriff.com,
tunicamssheriff.com, vbcso.com, woodsonsheriff.com

A file listing of all virtual hosts

////////////////////////////////////////////////////////////////////////////////
// ENOUGH TALK… TIME TO RIDE ON THESE PIG MOTHAFUCKAS !!! BRING ON THE HACKLOG
////////////////////////////////////////////////////////////////////////////////
$ ls -al /var/www/vhosts/
total 332

and now for the passwords.. If you notice, just looking at the hashes some of the
users had used the same password for multiple vhosts.

// CAT’N HUNDREDS OF .HTPASSWD FILES IN ONE COMMAND LIKE A BOSS

$ cat /var/www/vhosts/*/pd/*
2010user:$1$YfJPNAST$w9rRAaYhAMjpkw.GRLUD90
jdpa:$1$e1JbcQkZ$sR59gW8uPd/6Dyae9xneL0
jdpa:$1$uBEldfcW$mzSY61wj97PN41JWNPcA9/
jdpa:$1$e1JbcQkZ$sR59gW8uPd/6Dyae9xneL0
acsoms:$1$/OuADgxB$l7pPU2kXeKlw7Iz9NLGID.
acsoms:$1$uDsXPWpq$mhRoR3B3JicVBpuHWxYue1
acsoms:$1$uDsXPWpq$mhRoR3B3JicVBpuHWxYue1
code:$1$7.KAx/YD$J7SuxsDsBOij.qgPD3GJ60
code:$1$7.KAx/YD$J7SuxsDsBOij.qgPD3GJ60
alsa:$1$gg9rFhvF$S41htlhsl3AJYZu4dKWR50
alsa:$1$RnNxf5wV$NMmcQvODrjBzyi0RI1MqO.
alsa:$1$RnNxf5wV$NMmcQvODrjBzyi0RI1MqO.

Fortunately for us, some of the talks are being streamed live via the Blackhat Uplink which is being run by INXPO.com. While I find it amusing that a Security Conference is being hosted by a company that passes the username in plain text within the context of the URL (https://vts.inxpo.com/scripts/Server.nxp?LASCmd=AI:1;F:US!100&ShowName=Black%20Hat%20Uplink%20Presents%20
Black%20Hat%20USA%202011&UserName=Boris%20Sverdlik&PreviousLoginCount) I do appreciate the effort.

So with Black Hat ending today and the real festivities about to begin, It’s interesting to see just how mainstream the venue has become. I had a missed most of the talks yesterday, so I can’t speak to them for the most part. Of course what Con would be complete without the proverbial initial prank. This years pranks start with a fire alarm going off during the first track.. Security be warned, you have a “hacker” amongst you who in his spare time at the conference will be messing with your systems. We are not reacting, because it’s nothing new.

I did catch a few minutes of Macs in the Age of the APT by ALEX STAMOS + AARON GRATTAFIORI + TOM DANIELS + PAUL YOUN + B.J. ORVIS

I do have a real problem with the use of APT. Macs are just as susceptible as any other OS. WTF does APT mean here?

Let’s move on… Kaminsky, has gone the corporate route (Shirt & Tie) since his validation of DNSSEC. I’ll leave DNSSEC for a later time, as I’m still trying to grasp why people think this is a good idea.

McAfee publishes their award winning piece on Operation Shady Rat, using terms like Cyber and APT across the board. Needless to say, all of the data is relatively old (in security terms 8 months is Ancient History). Just more evidence of the incompetence of a good chunk of these so called security professionals we rely on to reduce our exposure. The attacks outlined within the document are not advance to any extent. These are the types of attacks that for the most part should be considered low hanging fruit, but the “Security Pros” aka Mr CISSP tasked with Risk Management, are oblivious to them.

J. Oquendo wrote a very interesting piece expanding on this titled “That Shady Rat was Only a Security Peer”

Symantec, has it’s own piece on the this uber sophisticated attack and dives deeper into the attack flow.

Apparently Vanity Fair does security reporting as well these days, as they also have a piece speaking for the most part to the attention that the report has gotten as well as an interesting tidbit of information.

“Shady rat’s command-and-control server is still operating, and some organizations, including the World Anti-doping Agency, were still under attack as of last month. (As of Tuesday, according to a WADA spokesman, the group was unaware of any breach, but “WADA is investigating” McAfee’s discovery.)”

Since we are talking McAfee, we should probably also touch on their excellent marketing plan.. Babes and Motorcycles… While there has been plenty of controversy on the intertubez about this, I personally do not see anything wrong with it. Formula One and other major companies have always used sex to sell. Information Security is a funny animal, what other industry can you mass market something that does absolutely nothing and have the product sell itself due to marketing? Why wouldn’t you throw sex into the mix? All I can say is.. RIGHT ON McAfee, next year get Unicorns with Boobs!

With that said, I’d like to take a minute to review the talks I did get to watch..

First up. Chris Paget.. I have followed Chris’s work since seeing some videos from ShmooCon 2009 on RFID and his earlier GSM Hacking. I’m unsure why he would submit “Microsoft Vista: NDA-less The Good, The Bad, and The Ugly” for a BlackHat topic? Vista for the most part is dead, if it hasn’t been completely killed off yet, then someone should get the thermite. This would of made a great white paper, but a talk post user accepted EOL not so much. Oh, and Chris… This had to of been the funniest moment of the entire cast. Were you shocked or awed

Next up
Staring into the Abyss: The Dark Side of Security and Professional Intelligence by Richard Thieme

All I can say is wow… what a speaker, no slides no bullshit. I haven’t been so wrapped up in a talk in a long time. Every security professional should sit down and here him speak on the the generic misnomers that are going around our industry like wildfire lately. The physical borders that had previously separated countries have been knocked down by globalization. Time to start thinking that way. I’m ordering his book Mind Games

Last up.
WORKSHOP – Infosec 2021: A Career Odyssey by Lee Kushner & Mike Murray

While I have met Lee before and have worked with him on a few opportunities, I am somewhat conflicted about this presentation. We all know the HR Drones are trained to use CISSP as a requirement for even the most basic IT Security position. Instead of giving a presentation on what we already know, how about going out and citing real world examples of what security professionals do and how the certification does not apply directly to their roles. I have been in information securiy/risk management for over a decade and on the management side of the house for the last five years or so. I cringe every time I see a job req for the hands on security types where the requirements outline a CISSP. Did you know that everyone in that room that raised a hand when asked if they are a CISSP, according to Dorsey Morrow are in violation of the Ethics agreement?

I’m not knocking the full presentation as it got better towards the end, but come on.. This is nothing new. Oh and Dorsey, I know your reading this F ISC2.

Infosec,Drunks and Ducks

John Foster hosting the Money Updates (Which might just become regular)

@Abhaxas makes an appearance
Spridel forgets his password
X25Princess trolls tinychat in a BIKINI

With most of the regular hosts away at #blackhat #bsides or DC, we had some new guests..

Enlight2k
UrbanFox
Psyxx
nuhbleach

Infosec,Drunks and Ducks

Trolling the Examiner
@Abhaxas gets vanned, dies or something mid show.. We just keep Going…

Talk About Defcon and some other news…

Regular Hosts
Aricon
IllWill
Spridel
Abhaxas

Infosec,Drunks and Ducks

John Foster (@dezlock) joins to discuss his interesting piece on the libertarian view in response to paypal Link

Regular Hosts
Aricon
IllWill
Spridel
Abhaxas

Infosec,Drunks and Ducks

Drunken Mess Weekend Show…

Regular Hosts
Aricon
IllWill
Spridel
Abhaxas