Damn you demo gods!

Ok so WiFi pews!

We have a few things setup!

Firstly the TP-Link to show how poor their defaults are (on most of their kit I find ITW)

You can crack the key space here in 4 minutes on a laptop with not mega GPU

One of the WiFi participants managed to capture the key material and then crack the hashes from the TP-link so they won some swag! (A shadow router and a tp link usb WiFi adaptor #ironic)

What didn’t work during the workshop was capturing a hash from the WPA2 PSK network on the UniFi gear…. And I don’t know why!

So time to investigate!
ok so to explain the UNIFI setup a bit:

we have a Unifi Express 7! This has an ethernet WAN port. So because we want to have this as a mobile lab, we combine it with a GL-iNet Router via ethernet then we can use that router to get an internet connection (either WIFI repeater, Ethernet, USB 4G Modem)

(we could use other kit but this works well)

so here we have the GL-AXT1800 in WIFI repeater mode! so now are UNIFI router has internet access!

What could happen when you ban or put barriers in front of things on the internet?

Surely nothing bad could happen, because you are restricting of banning the bad thing right! *inserts Anakin/Padme meme*

#OnlineSafetyAct #UK So let's look at the scenario:

Controls have been placed in front of adult content sites (where the visitor is 'from the UK')

I just stole a load of files using AnyDesk from a machine with MDE on it (EDR) (this is a demo they aren’t real files and I’m the owner)

30 files stolen…..

How many are in the logs as being accessed?
As you can see here there are not 30 device events

also I can't see any DeviceFIleEvents because there were no files created or deleted/modified etc.

I have hacked the Apple Advanced data protection disablement in the UK! Haha take that you bastards!!!! ✌️🤓 😜🥸

lol

The government don’t use SQqqqqlllllllll 🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣

Oh boy 🤣🤣🤣🤣🤣🤣🤣🤣

What else don’t they use? Oracle? Windows? VMware sphere? Come on 🤣🤣🤣🤣🤣🤣🤣🤣 I have some news for people! The internet is visible to people... I know shocking isn't it!

ROFL

*puts kettle on*

nao.org.uk/wp-content/upl… looks similar as almost every org I've worked with (super broad generalisation)

legacy systems oh my! wait till we see what runs in the private sector! (don't tell anyone about those 2008 servers!)

Morning world! Slept ‘ok’ (not great not terrible)

So yesterday I was doing some mitm6 over public WiFi (in the lab) and whilst I was speeding dns responses to Microsoft Google Facebook Twitter etc.

My web clients simply did not follow the responses and went to the actual sites!

Anyone know why? (It’s probably something like dnssec etc.) Now in this instance it’s not even spoofing (you would see an event)

Let’s grab a windows laptop!

twitter have rolled out audio calls on twitter using STUN.

Be warned if you call someone the recipient (and anyone in the traffic path) can see your egress IP.

Apple private relay does not cover this. Microsoft teams uses STUN

basically every single P2P audio probably uses this:

Whats app
Facebook Messenger
Signal
Telegram
can you do audio calls in Snapchat?

This is the common protocol....

this IP leakage is in everything (signal has a feature to mask it) and for all the others you need to either accept how it works or use a vpn etc.

You know every time you visit a webpage your IP leaks right?

Or just use LTE/xG and CGNAT....

had a request from someone.... time to deploy...

HOME EDITION! (WTF!) ok what we need to do is odd.. we need to fuck with the OOBE experience...

The customer is stuck in a loop during the setup process

ok so true OFFLINE backups are hard. but you can look at layered approaches or there's immutable backups etc.

I'm showing this because this works for more than backups.

and YES it's complex from an identity plane point of view (that's the whole point!) now it gets complicated in the details. If you do this with servers/storage and locations you own Plane 4 can litterally be physically isolated at it's management/access plane. Think of a hypervisor and where the networks are physically split (outside of the requirement to have… twitter.com/i/web/status/1…

Major 🇬🇧 Bad Cybers recently:

🇬🇧 Capita Breach
🇬🇧 Manchester Uni "Cyber Incident" (probably ransomware actors!)
🇬🇧 MoveIT Breaches (Boots, BA, BBC) and more! 🇺🇸🌎 Azure Portal DDoS'd (Alegedly by AS Sudan... (i think if it was them someone gave them some kit/money to use!)

ok the installer had some bugs.. there's a 2023.2a now that has err taken out many hours of the day to get nowhere LOL

Shall we go do some cyberz? Sort of simple this one, chrome triggered an SMB connection to google on install. The binary is signed by google, the file size is not elevated. It looks legit.. but it triggered an alarm 🚨 (also bear with me I have a headache… :( ) Now I’m gonna deploy a quick vm locally. Windows 11. Then deploy MDE.

Had an awesome time this morning with @Tzardan where I learnt something about #politics and then we chatted about the #cyber security society challenges and how #communication is key to helping #solve todays and tomorrows cyber #challenges! 🫡❤️🇬🇧🤗 I also promise I did not jack into their net ;) 😈

#Veeam Community Edition Install on server 2022 for the #Ransomware Lab Backup and Replication License Agreement goes brrr
I ACCEPT

ok let's #ransomware some servers! (in a lab of mine not for real coz it's NASTY!)

VMs go BRRRRR

But wait... we are gonna look at how we can PROTECT, RESPOND and RECOVER! I'm going to deploy @Veeam to help me (coz I like the product, it rocks!) to start with I'm going to just do some PREP. We are going to need to think about Initial Access then Escalation to Domain Admin and then RAMPAGE!

NCSC CAF 3.1
Vulnerability management IGPs (indicators of good practise) let's take a look at some real world stuff... "You do not understand the exposure of your essential function to publicly-known vulnerabilities."
I think 90+% of orgs will meet this criteria..

this would put most orgs at NOT ACHIEVED.

"You do not mitigate externally-exposed vulnerabilities promptly."

most orgs aren't that… twitter.com/i/web/status/1…

The idea management need to not really understand computer science and security in depth is probably partly why our world has such a shit cyber security posture! If you think management decisions should be made as n uninformed zombie please think again… same as… twitter.com/i/web/status/1… I’m assuming the people that think this:
A) have not led and managed teams (fixed or project based) and
B) have a CISSP and not much else

😂😂😂😂😂

ok my day plan has changed! time to make a tea and then I think I'm going to do some work on SECURITY ORGANISATIONAL DESIGN for orgs that have:
> HERITAGE (people used to call this LEGACY)
and
> PRODUCT! now remember the first rules of org design are there are NO RULES of org DESIGN! but there are good vs bad ideas! there are also a million different different ways orgs organize their businesses so this is not ever going to fit an org (if it does it's luck!) but it's some food… twitter.com/i/web/status/1…

some notes on thoughts about the STATE OF CYBER in 2023 I might write a rpeort based on attack surface mapping data and incidents to back this up so it’s more than just: oh that guy Dan doesn’t know what he’s on about