I'm torn on how to read this. There is absolutely nothing the National Guard "cyber forces" can do on election day to deal with an issue. They lack the authority to respond by force and state law enforcement would have to investigate in most cases. 1/n zdnet.com/article/states…
I understand why governors want to do this. First, it shows the governors are serious about protecting their state elections. I honestly believe that many (most) governors want to protect their elections but feel powerless to do so. But the National Guard is not the answer. 2/n
State law enforcement is a better option for investigation. For countermeasures, we really need national level response (DHS/CYBERCOM). National Guard simply lacks the authority to do anything meaningful here. 3/3
After initial claims of the site vulnerability, I looked at this as well and saw the numeric IDs. The presence of a numeric ID in a given URL is not the same as saying changing it provides you access to someone else's data. More work is needed here. 1/n cbs46.com/news/democrati…
After the SB315 debacle earlier this year (also GA), you'd have to be insane (or sure your legal team could get you out of trouble and willing to deal with the hassle) to actually attempt to download additional data by changing URL parameters. For obvious reasons, I didn't try. 2/n
It's an interesting legal question to ask whether the guy who might have tried would be in trouble for doing so. You are definitely exceeding your intended access to the system. A prosecutor could argue that disclosing your attempt caused loss of confidence (e.g. damage). 3/n
There's been a claim that the GA state "My Voter" site is vulnerable. I'm not poking at it any more than looking at visible source (too pretty for jail and all). But it implements client side filtering and allows backticks in the name fields. 1/n
Even with identical server side filtering, that could lead to eventual command injection, depending on how the data is used. Remember that the command injection could happen later, long after it is originally inserted in a database. 2/n
Client side filtering isn't all bad, but if it's used as a replacement for server side filtering, that's where you can get into trouble. When we see client side filtering in penetration tests, it's about even odds that there's no server side input validation (or it's broken). 3/3
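As an added illustration of the server-side validation point in this thread (example code, not from the thread or from the site it discusses), assuming a constructed name-field handler and a hypothetical nightly mail job that later reuses the stored name:

```python
"""
Why a client-side filter on a name field is not a substitute for server-side
validation, and why a stored name containing backticks is a second-order
command-injection hazard if a later batch job splices it into a shell string.
All function names, the regex policy and the sample records are constructed
for this illustration (assumption, not the site's real code).
"""
import re
import subprocess
import sys

# Allow-list for the name field: letters, space, apostrophe, period, hyphen.
# Backticks, $(), ; and | are rejected outright rather than stripped.
# (Real deployments need to allow non-ASCII letters; kept ASCII here for clarity.)
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,79}$")


def validate_name_server_side(name: str) -> bool:
    """The browser-side JS check is bypassed by anyone who posts the form
    without the browser, so the server must re-check every submission."""
    return bool(NAME_RE.fullmatch(name))


def unsafe_command_line(name: str) -> str:
    """The pattern that turns a stored name into command injection months later:
    a nightly script interpolates the database value into a shell string.
    Returned only as a string for inspection; never hand this to a shell."""
    return f"mail -s 'Ballot reminder for {name}' voter@example.invalid"


def safe_argv(name: str) -> list:
    """Hardened form: the name travels as one argv element. No shell parses it,
    so backticks and $() are just characters in the subject line."""
    return ["mail", "-s", f"Ballot reminder for {name}", "voter@example.invalid"]


def echo_via_argv(name: str) -> str:
    """Demonstrate the argv boundary with a harmless child process: the child
    writes its first argument back unchanged, showing no substitution occurred."""
    res = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name],
        capture_output=True, text=True, check=True)
    return res.stdout


def process_submission(name: str):
    """Constructed server-side handler: reject at the door, and even for
    accepted names build an argv list rather than a shell string."""
    if not validate_name_server_side(name):
        return None
    return safe_argv(name)


# Constructed samples: the first passes any sane filter; the second is what a
# forged POST can deliver past a client-side-only check.
SAMPLES = ["Mary-Anne O'Neil", "Bob `id` Smith"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n), "accepted" if validate_name_server_side(n) else "rejected")
        print("  shell string would be:", unsafe_command_line(n))
        print("  argv echo returns   :", repr(echo_via_argv(n)))
```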
Threatening Russia with nonspecific cyber attacks if they meddle in our elections is not a deterrent. A deterrent must be credible. This is not. Russia must believe we can (and will) hurt them for a retaliatory cyber attack to be effective. 1/n
Patrolling a no fly zone is an effective deterrent. We don't have to balance intelligence collection with a response. Shooting down a violating plane also hurts the adversary in a visible, tangible, and predictable manner. Cyber does none of that. 2/n
If we can hurt Russia using cyber in a visible and predictable manner (and I'm not sure we can), doing so almost certainly blinds us to intelligence we'll definitely need now that we're escalating tensions. 3/n
Let's talk a little about the CIA covert communication failure story. People (particularly not those in IR) idolize APT and their tradecraft. But it's not always that awesome. Remember that most APT are intelligence operatives. 1/n yahoo.com/tech/cias-comm…
We can learn a lot about the way APT operates by extrapolating from this CIA failure.
1. OPSEC issues happen, even for intelligence operations.
2. People often identify the OPSEC issue before it rises to a catastrophe.
3. Even when lives are obviously at stake, action may not be taken by decision makers.
Momentum is a heck of a thing and bureaucracy can stand in the way of even the most important changes. 3/n
Dear infosec (pardon the thread),
Don't celebrate too hard at the thought of jailing CEOs for failing to protect data. First, it won't pass. Even if it does, it won't mean what you might think. It won't create a SOX style environment around cyber. Sorry 1/ gizmodo.com/wyden-unveils-…
What's far more likely to happen is that GRC will rule infosec. If there's anything we don't need, it's more paperwork for paperwork's sake.
It will also bring an end to the lack of licensure in infosec. Ever wonder why there are so many requirements to be a CPA? 2/
Hint: it's not because CPA is old and infosec is new. At least part of the difference is that screwing up accounting results in jail time for someone. Screwing up infosec usually means you update your resume, blame your boss for insufficient resources, and move. 3/n
I'm going to share some resume faux pas I've seen just in the last week (each from a different resume). Attention to detail is more important than anything else in infosec. I always assume the resume is your best work and it only goes down from there. 1/n #badResume
1. Guy misspelled the name of the university he supposedly attended, but didn't graduate (surprise) 2. Lady misspelled "Georgia." This is pretty darn important since it's where she supposedly lives... 3. Guy listed out 5 bullets but only had content for 4 2/n #badResume
4. My personal favorite was the one with a cover letter explaining how proud he would be to get this job. With a competitor. He seriously recycled a cover letter from a competitor and sent it to us. This is not how you infosec. #badResume 3/n
ESET has reported that GreyEnergy is the successor to the BlackEnergy malware. I don't think there's enough data in the report to independently verify this. Note that victim overlaps are heavily considered. 1/n welivesecurity.com/2018/10/17/gre…
I don't think you can make much out of the disappearance of BE in the wild. AV vendors, like ESET, were getting good at catching it. The fact that other malware showed up as the use of BE was winding down is not itself a connection. 2/n
There's also a note that GreyEnergy has been seen targeting ICS networks. But what does that really mean? It doesn't mean that it's dedicated to ICS. ICS networks are cyber key terrain for nation state hackers and it looks like GreyEnergy is a nation state tool. 3/n
This has huge privacy implications, but as a data nerd, I'm excited to see it. As a hacker, I'm also excited. First, the hacker side: this will immediately create a market for device hacking (and forensics, $$$$) on an unprecedented scale. 1/n reuters.com/article/us-man…
If you can save $250/year on your policy by appearing to be active, but really are providing bunk data through a $50 app? Yeah, people will do that. Then when they die weighing in at 350 pounds but claiming to have run a marathon a week the last year? Forensics $$$. 2/n
But from a privacy perspective I'm horrified. It's a virtual certainty that this data will be breached at some point. It's already been shown how fitness tracker data, when de-anonymized, can create security issues (e.g. using fitness tracker information to map a SCIF). 3/n
This is drawing a lot of ire from the infosec crowd because there's no obvious causality. We SHOULD be careful not to assign causality where there is none. But this data IS valuable and we shouldn't dismiss it because it lacks a causal link. 1/n comparitech.com/blog/informati…
The study authors note that the biggest problem with this sort of study is the sample size is small. There simply are not that many publicly traded companies that have suffered significant breaches available to study. There are also many factors, making causality difficult. 2/n
Some interesting takeaways: Stock price goes down immediately after a breach, but recovers quickly after. This doesn't surprise me at all. @RenditionSec works a lot of breach cases and this tracks with our experience in privately held companies. 3/n
I've had a number of people note that the Nuremberg Trials counter my argument that Park following lawful orders is a consideration in evaluating his actions. Let's talk about this, because I think it's wrong (for multiple reasons). 1/n
First, to use Nuremberg as a reference point, we are equating hacking Sony with the Holocaust. I'm not ready to go there. Some people are saying "but if he hacked the power grid, that would be equivalent." Irrelevant, since that's not what happened here. 2/n
I don't think nation state hacking of Sony should meet the definition of a war crime. I do think hacking can be. For instance, hacking a hospital and changing dosages of medication to kill patients would probably be a war crime. 3/n
Charging individual North Korean government hackers as individuals is a human rights issue. Assuming the intrusions have been correctly attributed to Park (not a given), unlike me, he likely had zero choice in his actions. This is not okay. 1/n documentcloud.org/documents/4834…
People living in North Korea don't get a choice when the government comes calling. There are countless stories of atrocities where whole families are imprisoned (or worse) for defying the orders of the government. We know what would have happened if Park refused to hack Sony. 2/n
Park's only crime is his talent. Because he was selected to be educated in Computer Science (probably based on aptitude), his trajectory was set. Now that he faces indictment, his trajectory is likely set too. Park will never be turned over to the US for trial. 3/n
Last year, my kid interviewed me about my job for a school project. One of the questions was "what's the most important trait for someone thinking of going into your field?" I said "natural curiosity." On reflection, I think I was wrong. 1/n
If she asked me again, I'd tell her curiosity is important. But much more important than that is "A commitment to lifelong learning, even when the subject bores the heck out of you." I've heard many talk of the need for constant learning (I do regularly myself). 2/n
What I don't think I've ever heard (or said) is "most of the stuff I learn for my job I have to choke down and I hate every second of it." Commitment to lifelong learning is easy if it's stuff you actually want to learn. I'll note that a lot of infosec isn't. 3/n
Just had some fun at the office. An ESX server had an issue earlier today and crashed. Admin brought everything back up and powered on all the VMs. Everything looked good. I went to use a VM and can't get to it. Can't ping it. Nmap to it and something's there. 1/n
Problem is that it's not the right something. I ask our admin and he checks the VM from the ESX server console. He says "it shows a duplicate IP." This is a problem because it's a static assignment - so what has my IP?! 2/n
Also, I hear someone in the SOC say "oh <expletive deleted>! Guys, we've got a problem!" They saw the nmap scan and alerted on it immediately. It looked super sketch because of how I did it. Bottom line, I'm happy I have our SOC for our customers AND watching us. 3/n
I literally can't get @USPS to deliver mail. They're pissed we blocked off one of the entrances to our parking lot to stop people (including the mail carrier) from breaking the law and bypassing a stop sign. 1/2
A @USPS supervisor is here now. Just heard my COO say "this isn't he said/she said - I have CCTV." Followed by "no, I'm not pulling CCTV for you. If I have to pull it, I'm sending it to the local news and you can answer them why you can't do your job." #gonnaBeAbadDay 2/2
Also, blocking the other entrance was not because we care about the stop sign. People are speeding through the lot, obviously not in control. I have employee safety and insurance issues to deal with. 3/3
For those claiming MFA doesn't impact organizational productivity, stop looking at it from your view. Look at it from the organization's view. People lose MFA tokens and can't log in. People have to change MFA devices (new phone, new token, etc). Helpdesk handles "issues." 1/n
Only infosec would claim that this has no impact. Doctors don't give diabetics news that they'll have to test blood sugar followed by "it's just a prick after every meal, so it won't have any impact." When we make claims that are OBVIOUSLY false, this lowers our credibility. 2/n
Feel free to say "the productivity impacts of MFA are insignificant compared to the benefits." BTW, I personally believe this. But I believed in the Easter bunny too. I have anecdotal evidence for both. At most, only one of them is real. 3/n
It's easy to make a government joke, but this is really the result of lobbying Congress. So many gun violence statistics can't be tracked electronically by the people who need them for decision support because that's outlawed in various spending bills. 1/n
And before I go further, I'll state that I'm a gun owner and support intelligent gun rights. But when the CDC isn't legally allowed to track gun violence deaths in the same way they track literally all other deaths, that's dumb and we have a problem. 2/n
I don't think either side can make a good argument when the numbers are being intentionally concealed. In court, when something is being intentionally hidden, the court assumes the worst (spoliation). I can't come to any other conclusion here - the number MUST be bad. 3/n
The words "quick" and "forensics" should not appear next to each other ever. If "quick" is the most important functional requirement, then forensics is off the table. Reputable firms don't take standalone engagements for "5 hours of forensic analysis." 1/n
The reason is that we know we can't get usable results to you in 5 hours. Remember, we have to write a contract, access the media, image the media, process the media, analyze the evidence, write a report, and brief the report. All of this takes time. 2/n
On this note, if you have a firm promising you answers in 5 billable hours, this is a real warning sign. Run away. I often get usable results in 5 hours of analysis, but: 1. That's not including all that other stuff I have to do. 2. That's not a full forensic exam.
You know what makes you an "infosec rock star"? First, let's start with what doesn't: 1. Getting sloppy drunk at conference parties 2. Soldering the coolest badge (even though there are some really cool badges) 3. Getting caught up in infosec drama
I could continue the negative list for a LONG time, but I'll stop there. What makes you a "rock star"? (ugh, I'm nauseous just using that term) 1. Mentoring - teach what you know to others 2. Listening to others - none of us is as smart as all of us
3. Securing infrastructure - lots of the real rock stars are completely unknown and work in the shadows doing some of the most important work in our field 4. Researching the unknown - everything known was unknown until someone else found it (and shared it, see #1)
Just got off the train and there are taxi drivers waiting at the station saying "same price as Uber and Lyft, but we're already here." Not a bad marketing play since Lyft is consistently taking 2-3x as long to show up as "estimated" on the app. 1/2
I used to say one of the biggest benefits of rideshare is knowing you'll have a clean car (unlike most taxis). That used to be the case. But taxis are getting cleaner and rideshare is getting dirtier. This taxi is far better than most Lyfts I've taken recently. 2/2
That said, I took 2 taxis in NYC where they let me out blocks from the destination. One time I didn't know and the other they said "it's just over a block that way" (I had luggage). That never happens with rideshare, where the app enforces GPS dropoff. 3/3
To anyone traveling to NYC, I cannot recommend against the Millennium Hotels strongly enough. The rooms look like they are from the 80s, the staff is rude, and they know they have problems. There's a contract fixer here trying to turn the brand image around (and failing so far).
I seriously had better service at a Holiday Inn earlier this year. This is not a five star hotel chain. The Millennium offers you a place to lay your head, that's it. If you're looking for:
Power outlets near the bed
Towels that aren't threadbare
Stay somewhere else.
I could go on, but I'll close with these photos of my room. I'm seriously not walking barefoot in my own room. If there's another conference here, it will happen without me.
My favorite "n00b litmus test" is to scan a post for the word "just" - VERY few things in infosec can be boiled down to a "just" and these posts almost always lack substance. Posts that say "obviously" and "it's not hard" are similarly likely to contain little value. 1/n
Infosec is amazingly complex. If the problems were easy to solve, we'd have "just" enabled the evil bit in all TCP communications. Seriously, does anyone think we're sitting on a solution to all the breaches? If so, why?! 2/n
I see some really experienced people fall victim to this too. I think hindsight bias is to blame. Situations may seem obvious after the fact, but intrusions are rarely so straightforward. Even root cause (the root of the root) can be difficult to *really* determine. 3/n
I've had several people contact me who will only discuss issues with Caesars security offline (many are people I know, none of the incidents were the ones I'd heard about previously). Threats of permanent bans for speaking out are the opposite of transparency. 1/2
I recognize the tough balance Vegas security must achieve following events there, but playing storm trooper is just plain dumb. Sunlight is the best disinfectant, and that's just as true here as anywhere. I've heard enough to know I'm not staying at a Caesars property again. 2/2
And who knows. Perhaps down the road Caesars will sort this out and publish a transparency report (among other things). Until then, I'm out. 3/3
@find_evil @zackwhittaker I think the tweet that started this thread is well short of what you claim above. But I don't think it's biased. You raised a question about Khalil and Zack was able to confirm that he's not in custody, posting a picture of their conversation as proof. Nothing wrong with that.
@find_evil @zackwhittaker BTW, I have no position in the Khalil camp. We've met in passing, but I wouldn't list him as an associate. I do have issues with people seeing an arrest and pointing out that they "knew there was something up with that person" as supposed evidence of guilt. 1/2
@find_evil @zackwhittaker Because I fully expect one day I'll be detained crossing customs into another country or there will be a knock on my door at home. I hope when that happens, people don't talk about my past as supposed "evidence" that I'm a bad person. 2/2