Archive for category Defense

Windows 10 Decontamination Scripts

One of the main benefits of the setup we have is that our system will not update automatically. The main problem, though, is that it will not update automatically. But we still do want security updates, so it would be nice to let those through while still blocking any other unwanted updates and the other undesirable activity that is conducted from the same process (svchost.exe). So instead, I installed Python and wrote my own, which was far less difficult than I had originally assumed, since you can generally scrape all the info you want from

Hack-back in the Real World

ProtonMail just recently (yet briefly) bragged about shutting down a phishing campaign that it was the target of by hacking back the phishing server… Earlier this year, a member of the US Congress (Rep. Tom Graves) proposed the “Active Cyber Defense Certainty Act (ACDC)” to amend US law to allow private entities, with mandatory reporting requirements to law enforcement, to conduct certain forms of hack-back… Following this proposal, discussion online exploded… My timeline was filled with “If people tried hack-back, this would happen!” but you don’t have to hypothesize. You can see what did happen in the myriad examples of hack-back in the real world. So below I assembled a list of publicly recorded hack-backs, with the results of each and reference to original sources.

Using a Fully Untrusted Cloud

Cloud services can save a lot of time and money, but security is a frequent concern. You can use the providers as a data store right now, but it is not simple to do so in a way that is available and flexible for live applications, keeps information confidential from the cloud provider, and prevents the cloud provider from silently corrupting data to break your security model. The good news is that by layering existing technologies on top of each other, we can achieve all of those goals.

The basic idea is to use the untrusted system as a remote block storage device, then layer an encrypted mapped block device on top of that using LUKS to keep the cloud provider from seeing the data contents, then layer a filesystem that performs both metadata and data checksumming on top of that.

Human Adversaries – Why Information Security Is Unlike Engineering

A common theme among information security commenters and keynotes is that infosec can and either will or should evolve to be more like structural engineering, product safety, and public health, since those fields have all but eliminated the risk of dying in a commercial aircraft accident or dying from polio. Why don’t we follow the same process to stop getting hacked? It would be nice if attackers were just a disease, pest, or accident that we could vaccinate, spray, or certify away. But we have intelligent, adaptive, goal-driven, human adversaries. So let’s learn from the fields that have been dealing with them for centuries.

Stop doing input validation

“Buffer overflows, injection attacks, DoS attacks, memory leakage, information disclosure, compromised systems.” What is the common factor between all of those vulnerability classes? If you have heard advice on how to prevent or fix them, chances are that advice prescribed input validation. It’s a glib and common answer, especially to address most web application vulnerabilities: […]

How to run a secret drug empire and hide your incriminating evidence*

-or- New tools to stop common laptop data thefts

Why your OPSEC advice is wrong

The internet security and privacy communities, law enforcement realms, all sides of the drug war, and the world as a whole have been enraptured by the unfolding saga of the Silk Road, the tor-hidden giant marketplace of illicit goods, and […]

Easy Smart Card SSH Setup

If you manage systems with important data on them, you want to make sure you use the strongest form of authentication possible. Passwords are the worst form of authentication you can have: prone to theft and re-use, and hard to remember. SSH keys are much better, but the most secure option is to use a smart […]

CCDC and CTFs – Addressing the Criticisms

As you may know, I’ve been involved with red teaming all levels of the CCDC, but I’ve also taken part in a number of CTF competitions. CCDC is one of a number of defense competitions growing in popularity, including the high-school level Cyber Patriot and military academy CDX. These stand in contrast to the longer-running Capture-The-Flag competitions commonly found at hacker conferences and elsewhere, which tend to focus on finding exploits for pieces of software. Defensive exercises have come under harsh criticism in the past few years, so are they really doing any good?

One of the most outspoken critics of CCDC has been Chris Eagle. He compares his significant experiences in the Defcon CTF, which his team has won twice, and defensive competitions, primarily with CDX….

Chris Eagle (surprisingly honestly) said “I have pigeonholed myself into the binary software analysis arena.” He continued to explain how NPS has developed many tools that make them really good at the Defcon CTF but aren’t applicable to the real world, since they’re tailored to alert on Defcon flags and those specific types of binaries, and would be unlikely to alert on real attacks. As he said, “It’s really kinda focused on the game” and “We’ve gamed the game a lot” since “We’d seen the same kind of game three times.”

We have also seen a number of students at CCDC develop their own scripts and tools to use at CCDC. The difference I see is that so far, all the custom tools I have seen students employ could be used on real networks as well, to harden systems or to detect and disable real malware. This is another indication that CCDC, as opposed to the Defcon CTF finals, is not teaching students how to “game the game”; it’s teaching them how to defend a real network.


A Comparison of HTTPS Reforms

An old adage in cryptology is that encrypting data is always easy, but key distribution is always hard. Just a few days ago, Google reported that yet another wrongfully-issued certificate had been found for Google’s domains. As a result of many incidents and problems with CA-issued certificates, many different proposals have been made to improve the system. Google’s Certificate Transparency page compares some of the proposals, but it did not include my favorite idea, I thought it did not do justice to some of the other competing proposals, and it glossed over some of CT’s big issues. I evaluated all the proposals according to these criteria and put together the spreadsheet below to compare their strengths and weaknesses.

Catching dropped executable files without a sandbox

One common technique used by a lot of exploits, malware, and obfuscated software is to dynamically generate or download an executable or DLL file, run or load it, then delete it. I frequently catch even legitimate software doing this, but I am always curious as to what executable code the authors are trying to hide. Saving those automatically generated files is a core feature of any decent sandbox out there, but in many cases you see this activity on a production system and don’t know where the file is coming from. Especially if it only happens infrequently, it often doesn’t make sense to try to put the whole system in a sandbox. So instead, I just use a simple trick with NTFS file permissions.