Using a Fully Untrusted Cloud

Cloud services can save a lot of time and money, but security is a frequent concern. You use the providers as a data store right now, but it is not simple to do so in a way that is available and flexible for live applications, keeps information confidential from the cloud provider and prevents the cloud provider from silently corrupting data to break your security model. The good news is that by layering existing technologies on top of each other, we can achieve those goals.

The basic idea is to use the untrusted system as a remote block storage device, then layer an encrypted mapped block device on top of that using LUKS to keep the cloud provider from seeing the data contents, then layer a filesystem that performs both metadata and data checksumming on top of that.

No Comments

Yeoman Angular Bootstrap

Although I have done a lot of software development on different projects, I am not great at making nice looking UI’s. Someone recently told me it would be easy to set up a simple but nice looking webapp starting with a quick Yeoman Angular tutorial. What follows is my actual experience. Step 1: Get development […]

, ,

No Comments

Human Adversaries – Why Information Security Is Unlike Engineering

A common theme among information security commenters and keynotes is that infosec can and either will or should evolve to be more like structural engineering, product safety, and public health, as they have all but eliminating the risk of dying in a commercial aircraft accident or dying from polio. Why don’t we follow the same process to stop getting hacked? It would be nice if attackers were just a disease, pest, or accident that we could vaccinate, spray, or certify away. But we have intelligent, adaptive, goal-driven, human adversaries. So let’s learn from the fields that have been dealing with them for centuries.

, , , ,

No Comments

Why the government shouldn’t pay for your college (or most other things)

Recently there has been a renewed push, from presidential candidate Bernie Sanders to the “Million Student March” protests, to have 100% government funded college in the US, and similar policies under the banner of socialism. I thought the below tweet captured my thoughts on the matter well, but it also generated its share of negative […]

No Comments

How I used dead drop C2 to hide malicious traffic

Over the past few years, I have been organizing, participating in, and frequently writing software for CCDC red teams. This year, as I’ve been starting to dust off the code, spin up VM’s and test things to see if they still work, it seems my last-ditch covert channel for control and data exfiltration is no longer working. This method was one of my favorites, and to my knowledge was never found by the blue teams…

More advanced solutions, rather than establishing a connection in or out, use a legitimate third party service you can both send data to and read data from as a dead drop site. Dead drop style C2 is more complex, since you must encode and encapsulate your data to fit the medium; there is normally no inherent direction of data flow, just posted or not. Data blobs will almost certainly be read multiple times, out of order, and by every client that is using this C2 method. As a result, you must largely implement your own addressing, sequencing and tagging, and de-duplication for this to be more than a toy proof of concept.

No Comments

Stop doing input validation

“Buffer overflows Injection attacks DoS attacks Memory leakage Information disclosure Compromised systems” What is the common factor between all of those vulnerability classes? If you have heard advice on how to prevent or fix them, chances are that advice prescribed input validation. It’s a glib and common answer, especially to address most web application vulnerabilities: […]

, , , , ,

No Comments

On Suicide and Ashley Madison

Suicide is a difficult topic to discuss. It has claimed many well-known individuals in society at large and in information security. It is a difficult topic for me to discuss since one of my best friends in college committed suicide just a few years ago, something I still struggle to talk about. As many of you know, I am a veteran, and far too many of my fellow veterans have also taken their own lives, at a rate far higher than the population at large. There have been a number of high-profile suicides in my home town recently…

It’s been about 3 1/2 weeks since the dump was released. In a random selection of 20-37 million people matching Ashley Madison’s user demographics, at least 250 to over 400 people have committed suicide. If three Ashley Madison users have committed suicide, they would have a suicide rate 1/100th that of the population at large. What’s going on?

No Comments

On Wassenaar

Our goal is to increase security, but unfortunately, the proposed rules are too broad and will have negative effects on our legitimate vulnerability and intrusion software research, limiting our ability to defend against cyber intrusions. … I fear the primary result of the proposed regulations is to enable federal regulators to arbitrarily fine and prosecute anyone in security or software development on whim, simultaneously the biggest reason to oppose these regulations and the biggest reason regulators may push them through anyway.

No Comments

Credential Assessment – Mapping Privilege Escalation at Scale

I recently gave the following presentation at CanSecWest. (cansecwest.com) You can see the slides below:

No Comments

How to run a secret drug empire and hide your incriminating evidence*

-or- New tools to stop common laptop data thefts Why your OPSEC advice is wrong The internet security and privacy communities, law enforcement realms, all sides of the drug war, and the world as a whole have been enraptured by the unfolding saga of the Silk Road, the tor-hidden giant marketplace of illicit goods, and […]

No Comments