Archive

Category Archives for "Security"

EQGRP tools are post-exploitation

A recent leak exposed hackings tools from the "Equation Group", a group likely related to the NSA TAO (the NSA/DoD hacking group). I thought I'd write up some comments.

Despite the existence of 0days, these tools seem to be overwhelmingly post-exploitation. They aren't the sorts of tools you use to break into a network -- but the sorts of tools you use afterwards.

The focus of the tools appear to be about hacking into network equipment, installing implants, achievement permanence, and using the equipment to sniff network traffic.

Different pentesters have different ways of doing things once they've gotten inside a network, and this is reflected in their toolkits. Some focus on Windows and getting domain admin control, and have tools like mimikatz. Other's focus on webapps, and how to install hostile PHP scripts. In this case, these tools reflect a methodology that goes after network equipment.

It's a good strategy. Finding equipment is easy, and undetectable, just do a traceroute. As long as network equipment isn't causing problems, sysadmins ignore it, so your implants are unlikely to be detected. Internal network equipment is rarely patched, so old exploits are still likely to work. Some tools appear to target Continue reading

Hey lawyers, I’m not your client

We can't talk casually with lawyers, at parties or infosec conferences. For one thing, it's an ethical problem for them, as they put a couple minute's thought into a question that can have lifelong consequences for a you. For another thing, it puts them legal jeopardy if you (falsely) think there is an attorney-client relationship. This makes lawyers boring people at parties, because all they can discuss is nonsense like sports scores.

In an attempt to remedy this situation, so I can talk casually about the law, I'm writing the following open-letter:

Dear Lawyers:
Unless there is a written agreement signed by you and me, I'm not your client. I understand that I should not interpret any comment as actual legal advice. I know that we are talking about hypothetical situations, and that I should not try to apply that information to my own situation. I know that we are often making jokes, and taking such things seriously as "legal advice" would be against my interests. I'm the one at fault, deliberately instigating you into discussing hypotheticals and making such jokes, for the lulz.
Sincerely,
Robert Graham
Of course, I don't know if this letter will actually help lawyers chillax Continue reading

National interest is exploitation, not disclosure

Most of us agree that more accountability/transparency is needed in how the government/NSA/FBI exploits 0days. However, the EFF's positions on the topic are often absurd, which prevent our voices from being heard.

One of the EFF's long time planks is that the government should be disclosing/fixing 0days rather than exploiting them (through the NSA or FBI). As they phrase it in a recent blog post:
as described by White House Cybersecurity Coordinator, Michael Daniel: “[I]n the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.” Other knowledgeable insiders—from former National Security Council Cybersecurity Directors Ari Schwartz and Rob Knake to President Obama’s hand-picked Review Group on Intelligence and Communications Technologies—have also endorsed clear, public rules favoring disclosure.
The EFF isn't even paying attention to what the government said. The majority of vulnerabilities are useless to the NSA/FBI. Even powerful bugs like Heartbleed or Shellshock are useless, because they can't easily be weaponized. They can't easily be put into a point-and-shoot tool and given to cyberwarriors.

Thus, it's a tautology saying "majority of cases vulns should be disclosed". It has no bearing on the minority of bugs the NSA is interested in -- Continue reading

Auto Renew Let’s Encrypt Certificates

I’m a big fan of Let’s Encrypt (free, widely trusted SSL certificates) but not a big fan of most of the client software available for requesting and renewing certificates. Unlike a typical certificate authority, Let’s Encrypt doesn’t have a webui for requesting/renewing certs; everything is driven via an automated process that is run between a Let’s Encrypt software client and the Let’s Encrypt web service.

Since the protocols that Let’s Encrypt uses are standards-based, there are many open source clients available. Being security conscious, I have a few concerns with most of the clients:

  • Complication. Many of the clients are hundreds of lines long and unnecessarily complicated. This makes the code really hard to audit and since this code is playing with my crypto key material, I do want to audit it.
  • Elevated privilege. At least one of the clients I saw required root permission. That’s a non starter.

I can’t remember how, but I discovered a very clean, very simple client called acme-tiny at github.com/diafygi/acme-tiny. This script was obviously written by someone who shares the same concerns as I do and I highly recommend it to others.

I used acme-tiny to request my initial certificates — and it Continue reading

Technology Short Take #70

Welcome to Technology Short Take #70! In this post you’ll find a collection of links to articles discussing the major data center technologies—networking, hardware, security, cloud computing, applications, virtualization…you name it! (If there’s a topic you think I’m missing, I’d love to hear from you.)

Networking

  • MTU in OpenStack Neutron has been, as this article by Sam Yaple points out, a bit of a touchy subject. Fortunately, it looks like progress has been made on that front, so check out Sam’s post for more details.
  • Jason Edelman has an article from back in January that describes the use of Big Switch’s Big Cloud Fabric (BCF) and Big Monitoring Fabric (BMF) in conjunction with Ansible (via some Ansible modules that Jason himself developed).
  • Dwayne Sinclair covers the basics of SpoofGuard in NSX, and how to interact with SpoofGuard via API, in this article.
  • This article is a bit more OpenStack-focused, but given that it focuses pretty heavily on Neutron I thought it’d fit better here in the “Networking” section. The article talks about how to use the --allowed_address_pairs extension to build a highly-available proxy server instead of using LBaaS.
  • Numan Siddique describes the native DHCP support available in OVN (Open Continue reading

I gamergate Meredith Mciver

One of the basic skills of hackers is "doxxing". It's actually not a skill. All you need to do is a quick search of public records databases through sites like Spokeo, Intelius, and Ancestry.com and you can quickly dox anybody.

During the Republican convention, Trump's wife plagiarized Obama's wife in a speech. A person in the Trump organization named "Meredith Mciver" took the blame for it. Trump haters immediately leapt to the conclusion that this person was fake, pointing out her Twitter and Facebook accounts were created after the controversy started.

So I'm going to go all gamergate on her and see what I can find.

According to New York public records, somebody named "Meredith Mciver" has been working for a company called the "The Trump Organization" as "Staff Writer" for many years. Her parents are Phyllis and James Mciver. Her older sister is Karen Mciver. She has an apartment at  588 W End Avenue in Manhattan (though I won't tell you which apartment -- find out for yourself). Through Ancestry.com, you can track down more information, such as her yearbook photo from 1962.

Now, all these public records could be fake, of course, but that would require Continue reading
1 142 143 144 145 146 181