Archive for category Defense
Cloud services can save a lot of time and money, but security is a frequent concern. You use the providers as a data store right now, but it is not simple to do so in a way that is available and flexible for live applications, keeps information confidential from the cloud provider and prevents the cloud provider from silently corrupting data to break your security model. The good news is that by layering existing technologies on top of each other, we can achieve those goals.
The basic idea is to use the untrusted system as a remote block storage device, then layer an encrypted mapped block device on top of that using LUKS to keep the cloud provider from seeing the data contents, then layer a filesystem that performs both metadata and data checksumming on top of that.
A common theme among information security commenters and keynotes is that infosec can and either will or should evolve to be more like structural engineering, product safety, and public health, as they have all but eliminating the risk of dying in a commercial aircraft accident or dying from polio. Why don’t we follow the same process to stop getting hacked? It would be nice if attackers were just a disease, pest, or accident that we could vaccinate, spray, or certify away. But we have intelligent, adaptive, goal-driven, human adversaries. So let’s learn from the fields that have been dealing with them for centuries.
“Buffer overflows Injection attacks DoS attacks Memory leakage Information disclosure Compromised systems” What is the common factor between all of those vulnerability classes? If you have heard advice on how to prevent or fix them, chances are that advice prescribed input validation. It’s a glib and common answer, especially to address most web application vulnerabilities: […]
-or- New tools to stop common laptop data thefts Why your OPSEC advice is wrong The internet security and privacy communities, law enforcement realms, all sides of the drug war, and the world as a whole have been enraptured by the unfolding saga of the Silk Road, the tor-hidden giant marketplace of illicit goods, and […]
If you manage systems with important data on them, you want to make sure you use the strongest form of authentication possible. Passwords are the worst form of authentication you can have, prone to theft, re-use, and hard to remember. SSH keys are much better, but the most secure option is to use a smart […]
As you may know, I’ve been involved with red teaming all levels of the CCDC, but I’ve also taken part in a number of CTF competitions. CCDC is one of a number of defense competitions growing in popularity, including the high-school level Cyber Patriot and military academy CDX. These stand in contrast to the longer-running Capture-The-Flag competitions commonly found at hacker conferences and elsewhere, which tend to focus on finding exploits for pieces of software. Defensive exercises have come under harsh criticism in the past few years, so are they really doing any good?
One of the most outspoken critics of CCDC has been Chris Eagle. He compares his significant experiences in the Defcon CTF, which his team has won twice, and defensive competitions, primarily with CDX….
Chris Eagle (surprisingly honestly) said “I have pigeonholed myself into the binary software analysis arena.” He continued to explain how NPS has developed many tools that make them really good at the Defcon CTF but aren’t applicable to the real world, since they’re tailored to alert on Defcon flags and those specific types of binaries, and would be unlikely to alert on real attacks. As he said, “It’s really kinda focused on the game” and “We’ve gamed the game a lot” since “We’d seen the same kind of game three times.”
We have also seen a number of students at CCDC develop their own scripts and tools to use at CCDC. The difference I see is that so far, all the custom tools I have seen students employ could be used on real networks as well to harden systems or detect & disable real malware. This is another indication that CCDC, as opposed the Defcon CTF finals, is not teaching students how to “game the game” it’s teaching them how to defend a real network.
One common technique used by a lot of exploits, malware, and obfuscated software is to dynamically generate or download an executable or DLL file, run it or load it, then delete it. I frequently catch even legitimate software doing this, but I am always curious as to what executable code the authors are trying to hide. Saving those automatically generated files is a core feature of any decent sandbox out there, but in many cases, you see this activity on a production system and don’t know where the file is coming from. Especially if it only happens infrequently, it often doesn’t make sense to try to put the whole system in a sandbox. So instead, I just use a simple trick with NTFS file permissions.
DerbyCon this year was awesome as usual. I presented “The Infosec Revival: Why owning a typical network is so easy, and how to build a secure one.” The video is here on Youtube: Or you can check out the slides here: The RDP video is here: And the VM isolation video is here: I should […]
Unless you have not patched your domain controller in the past five years, chances are, if an intruder gets domain admin or enterprise admin level access, they probably did it through credential theft. One of the biggest recurring themes of countless intrusion and pentest reports is that to accomplish lateral movement and privilege escalation to […]