Thanksgiving Pwnies

Thanksgiving is a time for giving thanks and taking a moment to reflect a bit on what has been happening in each of our lives. It is pretty remarkable that we are already nearing the end of 2015 because this has been a truly defining year for the entire security industry, and certainly for all of us at Pwnie Express. Was it not just yesterday that we were all together at RSA (and now we are already planning for the 2016 edition!)?

So, what do I give thanks for, at least professionally? It’s a big list:

  • You: Our readers, customers, loyal supporters, partners…it’s so obvious of course but it’s always important to remind you all how thankful we are that you are with us on this amazing journey. And in 2015 you also helped us with your data points for the industry’s first-ever “Internet of Evil Things” report.
  • Our world-class engineering team: Because of them not only did we launch Pwn Pulse to the entire world, they keep adding amazing new features and capabilities–and wait until you hear what we will be announcing over the next few months!
  • New Pwnies: Nearly every week in 2015 there was a new face in our offices. Growth is so exciting, especially when you are doing something like we are here at Pwnie.
  • Market recognition: Now we don’t do this for the awards, but it does feel so good when win awards.

Honestly, the list could go on and on. But let me just say thank you once more and we’ll be back next week!

 

Happy Thanksgiving!

The Stove is Hot: and Other Life Lessons We Had to Learn the Hard Way

There have been a lot of stories in the news about transportation hacks, from planes to automobiles (and I’m waiting on the train). Security threats in transportation have become both more frequent, more threatening, and – as increasingly more of our transportation becomes “hackable” – more important. Recently, very high-risk vulnerabilities were discovered in these various methods of transportation and this time, they were presented loudly and in the public eye.

My thoughts on this are simple: 1.4 million cars are recalled, but not because there was a security vulnerability that was discovered and reported to the car manufacturer. The recall happened because the general public was made aware of this flaw through the media, and it was something that they could actually see and experience.

We can be told that the stove is hot.

We can be shown that the stove is hot.

But unfortunately, it sometimes takes a more memorable incident for us to remember that – wait for it – the stove is hot.

Would I say that this more “memorable incident” should be irresponsible reporting, or irresponsible disclosure? Am I advocating a “yell first think later” stance? No, but I would like for organizations, industries, and governments to take security more seriously not just because it has become painfully clear that human lives are at risk. Not just because the direct result of inaction is a company going under. But because a security researcher has done responsible disclosure, has tried to help, without the need for a blatantly public example or demonstration needed.

We are quickly approaching a state in this society where security research and the actual discovery of these vulnerabilities is thought of as and treated as an actual crime. This brings up the question – are we trying to kill dissent, hide the truth? Or are we really trying to discover these vulnerabilities? By keeping quiet and not reacting to security researchers, we’re not helping the public. Hiding the danger from people does not keep them protected. We’re just making the stove look like it’s off – which might make it even more dangerous when they find out the hard way that it’s not.

The Insecure Internet of Things: 10 Stats

ISACA recently put out its 2015 IT Risk/Reward Barometer report, which highlights the major challenges organizations face in combating today’s Internet of Things (IoT) security issues. Here are ten stats that caught our attention from the global study of 7,016 security professionals located across 140 countries:

 

  • In the workplace, IoT devices can be a great boon for businesses. 77 percent of IT professionals say that the IoT has benefited their company, bringing things like greater accessibility to information (44 percent), greater efficiency (35 percent), improved services (34 percent) and increase productivity (25 percent). However…
  • 73 percent of IT professionals consider it a medium to high likelihood that a company will be hacked through an internet-connected device (whether it be a laptop or a Fitbit)
  • 1 in 2 believe the IT department is not aware of all the organization’s connected devices
  • 47 percent expect a cyber attack on their organization within a year’s time.
  • 1 in 3 believe their organization is unprepared for a sophisticated cyber attack
  • 72 percent don’t believe that manufacturers are implementing sufficient security measures in IoT devices
  • The #1 IoT security concern for enterprises is data leakage
  • 45 percent say the best way to keep IoT data secure is simply to not store any sensitive or classified data on devices at all
  • 63 percent believe that the IoT will result in decreased employee privacy
  • And 63 percent are not confident that they can control who has access to their information collected by IoT devices at home

 

As ISACA CEO Matt Loeb explained in a Wall Street Journal article, “Workplaces are becoming more difficult to secure as connected devices like fitness bands and smartwatches spread in popularity and make their way to the office on the wrists and in the pockets of employees. If these seemingly harmless devices connect to your company’s networks or servers and share and store information, they create more entry points where such information can be compromised. Cybercriminals realize this. Many of your employees probably don’t.”

No matter what policies you’ve put in place to regulate BYOD and minimize the risk of IoT threats, you face a losing proposition. Wireless and wired devices will continue to proliferate inside and around your organization, and if you haven’t made device detection and fingerprinting a top priority, this new study should serve as a wake-up call.

Learn how Pwnie Express can arm your security team to win the BYOD battle and see all the things you’ve been missing by visiting here.  

InfoSec Cons – What is the future? (Part 2: The Future)

(Continued from Part I: The Present)

 

SK: OK, so now we’ve done a lot of talking about the great improvements in some of the cons, and what you’ve seen a lot of improvement in this year. What do you think didn’t work this year? What is concerning to you?

I think this year one of the things I saw – and I think I may be a part of the problem – is the cosplay factor. I didn’t think about it until Russ Rogers brought it up, but I think a lot of people are going to “play hacker” instead of going to learn to be a hacker. It particularly came across at a couple of cons this year; it seemed that people weren’t really there to learn, they were there to be seen. They’re not really there to network, they’re there to play. I feel entitled to say that because I was one of the fakest and cosplay-iest attendees ever when I started attending ten years ago. I’m going to address it in my talk next year – I went to DEF CON 12 thinking about how a hacker was supposed to act, without actually learning… and it made me look like an idiot.

DEF CON, Derby Con, Shmoocon should never be equated with Comic Con.

 

SK: What about the beginners? The ones who don’t know any other way?

When I first went, I was already on the technical side. I had my CISSP in 2001, but didn’t go to my first con until 2004. I’ve been in InfoSec since 2000. I was four years in the industry before I got to go to a DEF CON. By then – seeing the stereotypes on the news, seeing them on the Internet – I got that romanticized version of “this is what it’s about”. I don’t want to say I was wrong, because people in those places aren’t necessarily wrong. I was simply ignorant, and there’s nothing wrong with being ignorant. I have a problem with being stupid. Being ignorant changes because you can learn. I showed up to DEF CON being very ignorant, but I learned. I get the sense that some people at these conferences are willfully ignorant. I don’t think they truly want to be a part of the community. They just wanna party (without giving anything back).

I can’t particularly talk about giving back anything from a technical standpoint; I’d like to think that I’ve helped the community in other ways. Communities are about contributions, not just “happy feelings” and cosplay.

SK: What are a few new conferences you’re excited about?

Conferences that I’m excited about – to hear about – are obviously skewed towards ones that I’m going to be a part of (which should be interesting). There’s going to be a BSides Tanzania; Jack Daniels has been reopening some BSides. There’s a conference I’m going to the Maldives. Think about that – the Maldives is concerned about InfoSec!

What I’m really excited about is that it is now a topic of conversation and something for people to meet and discuss all over the world. It is not an American problem, it is not a first-world problem…. it is a global issue. And the world is responding to it by getting together and forming conferences to discuss this. There are people waking up all over the world and realizing that their information has to be secured.

 

SK: So you would say that it’s important for the American security community to start paying attention to Global cons?

I think it all came to a head for me last year when I did my talk “Around the World in 80 Cons.” One of the reasons I’m working with DEF CON Groups is to make it a global action. Because of the way that we are connected and communicate today we can no longer have the audacity to think that any one country or group can solve these issues by themselves. We are all in this together and these are global problems that require global solutions and global action. It doesn’t take a tsunami or an earthquake or a hurricane to show that what happens in one region impacts the entirety of the world. I consider myself a citizen of the world, not just a citizen of the US. I love my country, but I love my planet just as much.

 

SK: Here’s a hard question, then: what do you think “The State of the Con” is today?

The state of most conferences today are – whether they realize it or not – uncertain. I think our community and industry as a whole is at a crossroads. Where is it going to go from here?

The conferences themselves are at a crossroads: as they grow, they eventually become the victim of their success. In some sense it’s a product of the way that society is evolving and becoming more tolerant of hackers, with TV shows, etc. demystifying what a hacker is and what InfoSec is. Learning about (though we hate the word cyber) cybersecurity, people are starting to understand how it’s used and why it’s used that way and what it actually means.

Because of this, I think we are becoming a better force for good to educate the general populace. The cons, though, are at a crossroads – there’s a chance that they may devolve into a place where people go because they saw it on TV and think it’s cool (they just want to “play” at the community). I think we’re at a point where things might also take a bad turn: people will be more afraid of “hacking”, and these conferences will become less acceptable, and it may reflect poorly on them or even be illegal to go to these conferences.

 

SK: Is there any way to answer or begin to solve these huge issues?

Of course I always like to make grandiose statements, but I generally also like to give a solution, or at least something positive to say. In this case I can admit: I’m not smart enough to have that answer. I don’t know. The people running these conferences are smarter than me, and have more experience than me, and I can’t presume to give them advice on these things. A lot of the people who criticize these conferences also don’t know. They don’t have any solutions. They just criticize.
I’ll just say that I don’t know what the solution is, but I have faith that the people working on it have a better grasp on it all.

InfoSec Cons and the Future (Part 1: The Present)

(An Interview with Jayson E. Street – find Part II HERE)

 

SK: I’d like to start off by having you talk a bit about your experience with conferences in general – what are some general thoughts?

I have gone to conferences all over the world to speak (with no shame); I have spoken to every kind of crowd, from three to two thousand and everything in between. I’ve spoken to government officials and business people, from people who were just getting into the industry, to people who are not in InfoSec at all, and may have shown up to the conference because they were interested in it. I’ve spoken to people with every kind of opinion with every kind of person, because I love hearing from people with strong views.

I have seen a lot of different conferences, and I think there’s one unifying thing that people forget to observe when they think about conference culture. One observation that they forget about. The one simple truth that ties every conference I’ve seen together.

Someone is going there to learn.

Someone is going there because they need to know something; someone will find an answer when they go. They’re looking for help, they’re looking for knowledge, they’re looking for someone to help them with the issues that they face. That’s why they exist, why they’re needed, and why people go. That is why I gladly ignore the crazy number of cons. In my opinion, there aren’t too many cons as long as there’s someone there that wants to hear somebody speak.

 

SK: What about specialized talks within conferences?

I think some conferences are figuring out how to give people the talks they really want (which are often very specialized), and I do like conferences that are starting to have straight offensive tracks or straight defensive tracks. It’s a great way for people to hear someone speak on a topic they’re definitely interested in.

 

SK: While these conferences may be great places for veterans of the security industry to meet, talk, and learn, the industry is growing very quickly and there are lots of people who are now showing up but not industry veterans. Are these cons a place for beginners?

One of the things I like seeing (for example, at Bsides London and 44con) is a newbie track. Not just newer talks, or newer questions, but people who have never spoken before. Shmoocon does a great job of trying to get first-time speakers, and careers have been spawned there. DEF CON has DEF CON 101, which is specifically designed for this. DEF CON is great because it makes those talks approachable. Granted, I think every one of my talk is a 101 talk – but there’s a place for lots more of them!

 

SK: So while lots of cons are going out of there way to be a place for both experienced pros and beginners, we still hear those “con horror stories.” Do you think conference culture can be toxic?

I try not to talk about the conferences I don’t like, only about the conference culture I love. That being said, I do have a list of conferences I will never attend again. For example, I went to a conference this year that was one of the most inclusive, clique-ish, boutique conferences I have ever witnessed. I had a wow moment there: people talk about some of the bigger cons – DEF CON, or ShmooCon, or DerbyCon – and how they don’t feel included. My response to that now is that, having being on the outside of the “cool crowd” at a con – is “oh, no, trust me, you have not seen anything.” Some of the larger cons can seem exclusive at times, because they are so big and overwhelming, but there are conferences that actually pride themselves on excluding the “plebes”. I’ve never been looked so down on just because I’m not “one of the cool kids.”

 

SK: So then what do we do about the conferences that aren’t trying to be exclusive, but can end up seeming exclusive because of their overwhelming size?

I know it’s very hard for a lot of people in this industry: it’s very hard to talk to someone. The great thing about conference culture is that at most of the conferences I’ve attended – no matter how big or small – there was somebody you could meet and talk to. Go into a talk? The person sitting next to you is interested in that topic, just like you. That is your conversation starter. You share that interest – you are there for that interest.

I particularly like the cons that have embraced that kind of community bonding. For DEF CON, l0ST has created several badges that force you to socialize. One of the best badges that’s been out there was from DEF CON 19 or 20, with Egyptian symbols and a microcomputer. It was great because you had to socialize. You had to interact, you had to talk to other people. You had to go up to people to make sure you had to talk to people outside of your group to try and spark conversations.

 

SK: Do you think this can necessarily be applied by people besides you? You’re so incredibly social.

Conferences have tried to make it more social, but I’ve gotta say – at some point it’s still on the person. Stated without judgement and without condemnation, but it’s a fact. I wish people were as sociable as me, but not everyone is… which is probably a good thing.

But people should keep in mind that there’s a lot of incentive to be sociable. From starting at DEF CON 12, to Derby Con 1, to going to so many of these conferences when I was first starting out, I benefited from being social. When I was just a network security administrator at a financial organization in the midwest, never did I feel that I didn’t have an opportunity to meet someone, or bother someone, or interact with someone – even the important someones. DEF CON 12 was when I first met HD Moore, and so many other “big names”. They were accessible and willing to talk; they showed what this community was about. They were the examples that people should follow. Everything I do now is from the example that I learned from those people.

 

SK: Do you think that as the industry grows – and it’s clearly growing quickly – that this kind of camaraderie and accessibility will change?

There’s been a lot of talk about how big these conferences have gotten. I’ll be the first one to say that this past DEF CON that I was upset afterwards by looking at facebook posts – of friends of mine! – and realizing that there were people I knew at DEF CON and I never saw them. The biggest misconception of DEF CON now is that people still consider it a single conference. It is no longer just a conference. It’s not like a Derby, or a ShmooCon, or one of the many B-Sides. It’s really almost like a hacker burning man, with villages (they’re called villages!) catering to the various interests you may have.

There’s something so cool about the fact that you can spend your whole entire con at a “whole conference” dedicated to what you specialize in – the Hardware Village, Wireless Hacking, etc. When you do that, it’s a very small con for you. All the people you want to see, things you want to learn about, are there. But because of your one badge, you still have the opportunity to go to the others. An entire conference dedicated to every kind of specialty is at your fingertips.

Derby Con is currently dealing with the growing pains of getting bigger. From its very creation, it has always been an accessible “family vibe”. I’ve never seen an instance of a speaker not talking to a first timer. You see regulars just hanging out at the bar, buying drinks, or getting drinks, or just drinking and available to talk to (and for those who don’t drink, just hanging out and being available to talk to).

The front driveway is sometimes totally crowded with people just having great conversations. The lobby is full, and it is an equal opportunity place for everybody to mingle. That is not a size issue, not a clique- issue… it is a fact that is part of Derby Con. It’s just an accessible place to meet people. Dave always tries to make it feel like the family. Some people take that the wrong way, by thinking as though it’s “only” for the family, but no –  he’s trying to suggest that there’s no exclusion to that family.

 

(Continued Here)

Social Engineering Attacks: What You Need to Know

Attacks on US enterprise systems and infrastructure continue to increase in severity and quantity. Some target specific organizations themselves, seeking their “crown jewels” such as intellectual property. Other attacks are carried out solely for financial gain, and target both consumers and the organizations that hold consumers’ personally identifiable information. While some high-profile attacks make splashy headlines – nation state espionage and high-profile data leaks – countless others remain undisclosed and, too often, unrecognized by victim organizations until after crippling damage has been done.

Social engineering represents a major and ever-increasing threat to businesses. Attackers know that a company’s weakest link is its employees, and they will continue to find new, innovative ways to exploit this via sophisticated phishing attacks and other methods. Here’s a look at some of the most common social engineering attacks today:

 

  • Spearphishing: Contrary to popular belief, today’s spearphishing attacks are highly calculated and carefully crafted to be relevant and un-alarming to the user. It’s not as easy as most people think to spot a spoof, so employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://www.virustotal.com/.
  • The rogue technician: Under the guise of technicians or delivery people, stealthy social engineers walk right into organizations and can physically compromise the network. Employees should heed basic “stranger danger” trainings and ensure anyone who enters the building has an appointment or pre-established purpose.
  • Malicious websites: Often, malicious websites are disguised as corporate or partner sites, and will prompt visitors to update java/Adobe or install a specific plug-in. Users should always close the browser and open a new one to directly update java or Adobe from their official sites. If users are prompted for a specific program or missing plug-in, they should close the browser and send an email to the website asking about the specific configuration issue.
  • Device attacks: The rampant adoption of personal, connected technologies by workers and their reliance upon them for day-to-day business communications has provided exponentially more pathways for bad actors and social engineers – and they cannot be secured. Organizations need new ways to detect employee-owned and rogue devices in and around their workplaces to gain the full visibility needed to prioritize security response, reduce alert fatigue and provide situational intelligence to implement real-time remediation.

 

Since so many employees today use their personal devices at home and on the job, enhanced awareness and employee training on the dangers of social engineering is more critical than ever before. This starts with focusing on the devices they’re carrying, where they are being used, and what they are connecting to.

Here are four best practices for employees to follow to reduce their own personal attack surface, as well as that of your organization:

 

  • Don’t connect to open wifi: Anybody can connect to them, and there could be traps set up to trick you (sneakily labeled hotel wifi, free wifi, airport wifi, etc.).
  • Configure your phone so it does not automatically search for and connect to wifi: Always require your phone to “ask to connect” instead of connecting automatically.
  • If you don’t need your wifi and Bluetooth, turn them off while you’re out and about: Period.
  • Password-protect your phone: Don’t let your device fall into the wrong hands without a password in place – particularly if you use your personal phone for business use. Also set up the “wipe phone” feature after several incorrect password attempts.

 

Stay safe out there!