Archive for category Uncategorized

Hack-back in the Real World

ProtonMail just recently (yet briefly) bragged about shutting down a phishing campaign that it was the target of by hacking back the phishing server… Earlier this year, a member of the US Congress (Rep. Tom Graves) proposed the “Active Cyber Defense Certainty Act (ACDC)” to amend US law to allow private entities, with mandatory reporting requirements to law enforcement, to conduct certain forms of hack-back… Following this proposal, discussion online exploded… My timeline was filled with “If people tried hack-back, this would happen!” but you don’t have to hypothesize. You can see what did happen in the myriad examples of hack-back in the real world. So below I assembled a list of publicly recorded hack-backs, with the results of each and reference to original sources.

No Comments

Hoarder

A few years ago, I gave a DerbyCon presentation on the Ambush open-source host intrusion prevention system I was working on, as well as evasion techniques you can use against systems like that, implemented in the hoarder project. Ambush was an interesting project in dynamic system-wide user-mode hooking which has since faded away a bit, […]

No Comments

Supply Chainsaw: Practical software supply chain attacks for everyone

I recently presented Supply Chainsaw: Practical software supply chain attacks for everyone at the OPCDE technical security conference in Dubai.
To summarize:

No Comments

Climate Change Archive

For another short detour from information security… Climate policy is again in the news. The past year has seen record high temperatures, the election of a US President who claimed global warming was a hoax invented by the Chinese (then later backed off), and the 10th anniversary of probably the most authoritative decision regarding climate […]

No Comments

Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier

Update – 10/9 The PowerShell team has been very responsive in addressing these issues. The documentation should be updated soon (if not yet). Lee Holmes from the PowerShell team also addressed these issues in another DerbyCon presentation: https://www.youtube.com/watch?v=JDtUmue9mIw&feature=youtu.be&t=1766 tl;dr Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege […]

No Comments

Intercepting Passwords to Escalate Privileges on OS X

A few weeks ago, a lot of attention was paid to Dropbox for “hacking” macs. Dropbox asked for your admin password when it was installed, then used that root access to enable privileges later even if you try to disable them. Despite the internet’s indignation and Dropbox’s impoliteness, Dropbox wasn’t exploiting any vulnerability or breaking […]

, ,

No Comments

The Security Pretend Game – Sudo and Runas

Common wisdom would have you believe when you run sudo that you are only granting root privileges to one command at one point in time. In reality, you are granting root privileges to any hacker who has ever run any code in any process at any previous time in your account and decided they wanted escalated privileges.
Use completely unprivileged accounts for day-to-day tasks, then log out and log in with a privileged, trusted account for privileged tasks; don’t use runas or sudo from your day-to-day account; it eliminates the security benefits of using the unprivileged account.
Control should always flow from a more privileged and more trusted environment to the less privileged, untrusted environment; going the other way, even when presenting credentials, only allows those credentials to be stolen and hackers to ride up to the higher privileges. This is not a new idea; it is why Microsoft’s #1 recommendation to secure privileged accounts from credential theft is to make it so you cannot log into a privileged account from an ordinary, untrusted workstation. But this principle frequently seems to be forgotten.

No Comments

Why the government shouldn’t pay for your college (or most other things)

Recently there has been a renewed push, from presidential candidate Bernie Sanders to the “Million Student March” protests, to have 100% government funded college in the US, and similar policies under the banner of socialism. I thought the below tweet captured my thoughts on the matter well, but it also generated its share of negative […]

No Comments

On Suicide and Ashley Madison

Suicide is a difficult topic to discuss. It has claimed many well-known individuals in society at large and in information security. It is a difficult topic for me to discuss since one of my best friends in college committed suicide just a few years ago, something I still struggle to talk about. As many of you know, I am a veteran, and far too many of my fellow veterans have also taken their own lives, at a rate far higher than the population at large. There have been a number of high-profile suicides in my home town recently…

It’s been about 3 1/2 weeks since the dump was released. In a random selection of 20-37 million people matching Ashley Madison’s user demographics, at least 250 to over 400 people have committed suicide. If three Ashley Madison users have committed suicide, they would have a suicide rate 1/100th that of the population at large. What’s going on?

No Comments

Credential Assessment – Mapping Privilege Escalation at Scale

I recently gave the following presentation at CanSecWest. (cansecwest.com) You can see the slides below:

No Comments