
UNSECURITY Episode 121 Show Notes

Happy Tuesday! It’s time to get ready for another episode (#121) of the UNSECURITY Podcast!

Not sure if you caught it last week, but there was an open U.S. Senate Intelligence Committee hearing on Tuesday (2/23). The hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary” and lasted about two and a half hours. The hearing was about the events surrounding the SolarWinds Orion hack, and what we can do to prevent (or at least reduce the likelihood of) similar events in the future. Witnesses included some well-known people in our industry:

  • Kevin Mandia, CEO of FireEye
  • Sudhakar Ramakrishna, CEO of SolarWinds
  • Brad Smith, President of Microsoft
  • George Kurtz, President and CEO of CrowdStrike

This hearing was a big deal because U.S. policymakers are trying to figure out what to do, and how “to make sure this doesn’t happen again.” If policymakers draft policy based solely on what these witnesses said, we might be in some serious trouble!

There were some really interesting things said during the hearing, and we’re going to share our thoughts on today’s show.

So, let’s do this! These are the notes for episode 121 of the UNSECURITY Podcast.


SHOW NOTES – Episode 121 – Tuesday March 2nd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 121, the date is March 2nd, 2021, and joining me as usual is my good friend, Brad Nigh. Good morning Brad!

Quick Catching Up

  • What’s new?
    • Working on S2Org r3, IR assessment, and other things.
    • The Gray Matter Society
    • Who would make a good guest next week?
  • Anything else new at FRSecure and/or SecurityStudio?

The Meat

Open Hearing: Hearing on the Hack of U.S. Networks by a Foreign Adversary – https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary

  • Kevin Mandia’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf
  • Sudhakar Ramakrishna’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf
  • Brad Smith’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf
  • George Kurtz’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-022321.pdf
  • The hearing went ~2 1/2 hours, did you make it through it all?
  • So, Amazon Web Services didn’t show up. They haven’t been forthcoming or helpful.
  • An interesting Q&A (starting at 1:22:08) from Senator Wyden (D-OR)
    • Senator Wyden: The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-known cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?
    • Mr. Ramakrishna: Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers.
    • Senator Wyden: Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.
    • Mr. Mandia: And I’m gonna give you the “it depends”. The bottom line is this, we do over 600 red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.
    • Senator Wyden: I don’t want to use up all my time. We’ll say that your response to NSA and the National Institute of Standards is “it depends”. Let’s just go down the row.
    • Mr. Ramakrishna: So my answer, Senator, is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules.
    • Senator Wyden: Very good.
    • Mr. Smith: I’m squarely in the “it depends” camp.
    • Senator Wyden: OK.
    • Mr. Smith: For the same reasons that Kevin said.
    • Senator Wyden: OK, I think we have one other person, don’t we?
    • Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not the be-all, end-all, and generally they’re a speed bump on the information super highway for the bad guys.
    • Senator Wyden: I’m going to close, and uh, my colleagues are all waiting. Bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So, in the days ahead it’s gonna be critical that you give this committee assurances that spending billions of dollars more after there weren’t steps to prevent disastrous attacks that experts had been warning about was a good investment. So, that discussion is something we’ll have to continue, thank you Mr. Chairman.
  • Other thoughts and discussion about the hearing.
  • There was general consensus amongst the witnesses that there’s a strong need for mandatory reporting of cyber attacks.
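The firewall exchange above is worth pinning down in concrete terms. What Senator Wyden is quoting from NSA and NIST is a deny-by-default egress policy: an on-premises monitoring server gets explicit allows for the internal ranges and ports it polls, plus whatever approved external path it genuinely needs, and every other outbound connection is dropped. The following is an added example for these show notes (not code from the hearing, from SolarWinds, or from any vendor named above) that models that policy next to the kind of “we have a firewall” policy that controls nothing on the way out, and audits both. Every range, host and port in it is a constructed assumption; the 198.51.100.0/24 and 203.0.113.0/24 addresses are RFC 5737 documentation ranges standing in for real internet hosts.

```python
"""Deny-by-default egress policy for an on-premises monitoring server.

Added example for these show notes; it is not code from the hearing, from
SolarWinds, or from any vendor named above. It models the NSA/NIST advice
Senator Wyden cites: block all inbound and outbound traffic by default and
allow only what the operational task needs. Every range, host and port below
is a constructed assumption for illustration (RFC 5737 documentation
addresses stand in for real internet hosts).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    dst: str                 # destination CIDR, e.g. "10.0.0.0/8"
    dports: Tuple[int, ...]  # destination ports; empty tuple means any port


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]
    default: str             # action taken when no rule matches


def evaluate(policy: Policy, proto: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """First-match evaluation, as most packet filters do; falls through to the default."""
    ip = ipaddress.ip_address(dst_ip)
    for r in policy.rules:
        if r.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(r.dst):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return policy.default


# Assumed internal address space the monitoring server must reach.
INTERNAL = "10.0.0.0/8"
# Assumed vendor update host that operations explicitly approved (placeholder address).
VENDOR_UPDATE = "203.0.113.10/32"

# The policy NIST/NSA describe: explicit allows, everything else dropped.
TIGHT = Policy("deny-by-default egress", (
    Rule("allow", "udp", INTERNAL, (161, 162)),             # SNMP polling and traps
    Rule("allow", "icmp", INTERNAL, ()),                    # reachability checks
    Rule("allow", "tcp", INTERNAL, (22, 443, 5985, 5986)),  # SSH/HTTPS/WinRM collection
    Rule("allow", "tcp", VENDOR_UPDATE, (443,)),            # the one approved external path
), default="deny")

# A policy that has "a firewall" but controls nothing on the way out.
LOOSE = Policy("allow-by-default egress", (
    Rule("deny", "tcp", "0.0.0.0/0", (25,)),  # the only thing anyone thought to block
), default="allow")


def audit(policy: Policy) -> List[str]:
    """Flags the conditions under which a firewall offers no egress control."""
    findings = []
    if policy.default != "deny":
        findings.append("default action is not deny")
    for r in policy.rules:
        if r.action == "allow" and ipaddress.ip_network(r.dst).prefixlen == 0:
            findings.append(f"allow rule to any destination ({r.proto} {r.dports or 'any port'})")
    return findings


if __name__ == "__main__":
    # Constructed scenario: the monitoring server tries to reach an arbitrary
    # internet host on 443, the shape of the "phone home" the hearing describes.
    beacon = ("tcp", "198.51.100.7", 443)
    for policy in (TIGHT, LOOSE):
        print(f"{policy.name}: beacon -> {evaluate(policy, *beacon)}, "
              f"SNMP to 10.1.2.3 -> {evaluate(policy, 'udp', '10.1.2.3', 161)}, "
              f"audit -> {audit(policy) or 'ok'}")
```

Under the deny-by-default policy the beacon to an arbitrary internet host is dropped while SNMP to the internal range still works, which is the point Wyden (and the IRS example) makes. Mandia’s “it depends” is the caveat: if the callback rides a path you had to allow anyway (the approved update host, a permitted proxy, DNS), a first-match rule set passes it just like legitimate traffic, so egress filtering narrows where a compromised server can talk and buys you a log of what it tried, but it has to be paired with monitoring of the allowed paths rather than treated as a substitute for it.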

News

News stories to cover this week include:

Wrapping Up – Shout Outs

Good talk! It will be interesting to see what legislation comes out of Washington in response to SolarWinds.

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

Episode 109 Show Notes – Information Security @ Home

This is Episode 109, and we’re continuing our Information Security @ Home series.

We’re smack dab in the middle of the holiday season. Lots of people are going to receive neat, new electronic gadgets as Christmas gifts. Who doesn’t like cool new gadgets?! Your refrigerator can order milk before you’re out of milk, your dishwasher can send you messages when the dishes are done, your television can remind you it’s time to veg out on the couch for the latest episode of The Undoing, and your doorbell can show you who’s at the door while you’re away. We LOVE gadgets! (even if they end up killing us)

But wait! What about information security? What about privacy? What about safety?

Herein lies some problems. Problems that we (infosec folks) want to help you avoid.

Information security is an afterthought, if it’s ever a thought at all! We continue to connect more devices, install more apps, and stream more things. Home networks become more complex, and most people don’t even know what they’re trying to protect. This is your home network, and it’s your responsibility to use it responsibly. Nobody cares about the protection of you and your family more than you. It’s time to step up and learn some basics before this gets any more out of hand. (it’s already out of hand, but it’s not too late)

So…

In case you didn’t know, we’re less than 16 days from Christmas!

…and less than 23 days left in 2020!

I’m not sure what I’m more excited for at this point, Christmas or 2021. 2020 can suck it. Well, I guess it already has. Here’s to an awesome end to an ______ year!

I’ll (Evan) be leading the discussion this week, and these are my notes.


SHOW NOTES – Episode 109

Date: Wednesday December 9th, 2020

Episode 109 Topics

  • Opening
  • Catching Up
  • Information Security @ Home
    • Picking up where we left off in episode 108
    • Demonstration – The router/firewall
      • Finding your router.
      • Logging into your router.
      • Changing the default password.
      • Poking around a little bit.
    • What’s on your network anyway? You can’t possibly protect the things you don’t know you have.
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey oh! Welcome to episode 109 of the UNSECURITY Podcast. We’re glad you’ve joined us. The date is December 9th, 2020 and I’m your host Evan Francen. Joining me is my pal and co-worker, Brad Nigh. Good morning Brad!

[Brad] Cue Brad.

[Evan] It’s nice to come up for air this morning, and it’s nice to hang out with you man. How you doing?

Quick Catchup

It’s 4th quarter, I’m now a week and a half behind and it’s only getting busier. Hopefully Evan is in a better mood than episode 106.

We’ll discuss a thing or two…

Topics:

Transition

Information Security @ Home

[Evan] Last week, we got into some of the important things we should be doing at home. When I say “we” I mean everybody, security people and non-security people alike. We mentioned that step #1 should be to change the default password on your home router. We talked about it, gave some advice, and pointed people in the right direction. Today, I’d like for you and I to demonstrate how to change a router password and talk about it while we’re doing it. After this, we’ll poke around a little inside the router’s configuration. Once we’re done with that, we can move on to the next task; finding out what’s on your network.

Sound good?

[Brad] Cue Brad.

Begin discussion

Information Security @ Home Discussion

  • Picking up where we left off in episode 108
  • Demonstration – The router/firewall
    • Finding your router.
    • Logging into your router.
    • Changing the default password.
    • Poking around a little bit.
  • What’s on your network anyway?
    • Why is this important?
    • What you should do next…
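The second half of the demonstration outline, finding your router and then finding out what is on your network, can be done from a terminal as well as from the router’s admin page. The following is an added example for these show notes, not a script from the show: on a Linux machine the “default via” line of `ip route` names the router (the default gateway you log into), and `ip neigh` is the ARP/neighbour table of devices this machine has recently exchanged traffic with. The script parses both, then compares what it found against a list of devices you already know you own. The command output and the known-device list are constructed sample data so the script runs offline; `live_inventory()` runs the real commands on a Linux host with iproute2.

```python
"""Finding the router and listing what is on your home network.

Added example for these show notes, not a script from the show. It parses
the output of two Linux commands: `ip route`, whose "default via" line names
the router (default gateway), and `ip neigh`, the ARP/neighbour table of
devices this machine has recently exchanged traffic with. It then compares
what it found against a list of devices you know you own. The command output
and the inventory below are constructed sample data so the script runs
offline; live_inventory() runs the real commands on a Linux host.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample output of `ip route`.
SAMPLE_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

# Constructed sample output of `ip neigh`.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.57 dev wlan0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.99 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

# Devices you have already identified, keyed by MAC address (constructed).
KNOWN_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "router",
    "aa:bb:cc:dd:ee:01": "laptop",
}

# ip, interface, hardware address, optional flags (e.g. "router"), then the state.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})(?: .*)? (\S+)$")


def find_gateway(route_output: str) -> Optional[str]:
    """Returns the default gateway address, i.e. the router you need to log into."""
    for line in route_output.splitlines():
        m = re.match(r"^default via (\S+) dev (\S+)", line)
        if m:
            return m.group(1)
    return None


def parse_neighbours(neigh_output: str) -> List[Dict[str, str]]:
    """One record per neighbour entry that has a hardware address.

    Entries in FAILED/INCOMPLETE state carry no lladdr and are skipped.
    """
    devices = []
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line)
        if not m:
            continue
        ip, iface, mac, state = m.groups()
        devices.append({"ip": ip, "iface": iface, "mac": mac.lower(), "state": state})
    return devices


def unknown_devices(devices: List[Dict[str, str]], known: Dict[str, str]) -> List[Dict[str, str]]:
    """Neighbours whose MAC is not in your inventory: the things you did not know you had."""
    return [d for d in devices if d["mac"] not in known]


def live_inventory() -> Dict[str, object]:
    """Runs the real commands (Linux, iproute2) and applies the same logic."""
    route = subprocess.run(["ip", "route"], capture_output=True, text=True, check=True).stdout
    neigh = subprocess.run(["ip", "neigh"], capture_output=True, text=True, check=True).stdout
    devices = parse_neighbours(neigh)
    return {"gateway": find_gateway(route), "devices": devices,
            "unknown": unknown_devices(devices, KNOWN_DEVICES)}


if __name__ == "__main__":
    print("router (default gateway):", find_gateway(SAMPLE_ROUTE))
    for d in unknown_devices(parse_neighbours(SAMPLE_NEIGH), KNOWN_DEVICES):
        print(f"unknown device: {d['ip']} {d['mac']} ({d['state']})")
```

Two caveats for using it at home. The neighbour table only lists devices this machine has talked to recently, so the router’s DHCP client list (the “poking around” part of the demonstration) is the more complete view; on Windows, `ipconfig` gives the default gateway and `arp -a` the equivalent table. And a MAC you do not recognize is a lead, not a verdict: phones and laptops can randomize their MAC per network, so check the unknown entry against the router’s client list and its hostname before deciding it does not belong.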

Transition

[Evan] Alright. Good stuff. Hopefully our listeners learned a thing or two. For those who already knew this stuff, hopefully they’ll share with others.

That’s that. On to some news…

News

[Evan] Crazy stuff going on in this industry. What’s new? Well, here’s a few things that caught our eye this week:

[Evan] That’s a lot of news for one day, and that’s only the tip of the iceberg.

Wrapping Up – Shout outs

[Evan] That’s it for episode 109. Thank you to all our listeners. We dig you. Also, thank you Brad! Who you got a shoutout for today?

[Brad] We’ll see.

[Evan] Next week, we’ll continue the Information Security @ Home discussion. We’ll dig in a little more on identifying systems on your home network and talk about patching. In the meantime, send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and this other guy is on Twitter at @BradNigh. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 93 Show Notes – DEFCON & Team Ambush

Hey reader person, hope you are well!

Today marks the seventh day since I left the 80th annual Sturgis Motorcycle Rally. My wife and I do not show any COVID symptoms, so that’s good news. Only 7 more days of self-isolation and we’ll be back to semi-normal (assuming there is such a thing anymore).

Women In Security Series

Last week was the ninth, and final, installment in the Women in Security Series. It was a great experience for Brad and me. I may post a full write up soon, including the things we learned and places people can go to help (or for help). For now, here was the all-star lineup:

  • Part One – Episode 84 – Renay Rutter (an information security business/IT executive)
  • Part Two – Episode 85 – Lori Blair (a 35-year information security veteran)
  • Part Three – Episode 86 – Victoria Fogarty (relatively new to the industry)
  • Part Four – Episode 87 – Kristin Judge (founder and CEO of the Cybercrime Support Network, SC Media “Women in IT Security Influencer” in 2017, former Director of Government Affairs at the National Cyber Security Alliance (NCSA), thought leader, and all-around amazing information security expert)
  • Part Five – Episode 88 – Andrea Hatcher (Senior majoring in Cybersecurity Analytics and Operations at Pennsylvania State University)
  • Part Six – Episode 89 – Judy Hatchett (Information security corporate leader and expert formerly with Accenture, Best Buy, SUPERVALU, 3M, Fairview Health Services, and current VP, Information Security and CISO at Surescripts)
  • Part Seven – Episode 90 – Amy McLaughlin (Information security leader and expert in education, having served with the State of Oregon, the Consortium for School Network (CoSN), Chemeketa Community College, and Oregon State University)
  • Part Eight – Episode 91 – Theresa Semmens (Chief Information Security Officer at the Nevada System of Higher Education, former AVP/Chief Information Security Officer at the University of Miami, and former Chief Information Security Officer at North Dakota State University)
  • Part Nine – Episode 92 – Lee Ann Villella (Senior Enterprise Security Sales Consultant at FRSecure, Program Director for the Minnesota Chapter of the Information Systems Security Association, and member of the Cyber Security Summit Advisory Board Committee)

A HUGE thanks to all the women who gave their time to talk to us!

What’s Up Next

This week, we’re going to catch up with a good friend (fresh back from DEF CON) and then we may delve into another series.

A Good Friend

We’re going to take this week (episode 93) to catch up with FRSecure’s Director of Technical Solutions and Services, Oscar Minks. Oscar leads FRSecure’s Technical Services Team, a group of amazing information security experts who provide world-class incident response and best-in-class technical services (penetration testing, blue teaming, red teaming, purple teaming, research, etc., etc.).

The timing is perfect because Oscar’s back after DEF CON Safe Mode and the team impressed a helluva lot of folks there!

While my wife and I were in Sturgis, FRSecure’s Team Ambush was awake for many, many hours competing at DEF CON Safe Mode. The team competed in four events over the four day online conference; CMD+CTRL, OpenSOC Blue Team Village CTF, Biohacking Device Lab CTF, and Hack the Plan[e]t.

Last year, the team kicked ass in the Warl0ck Gam3s CTF, but that’s old news now. Warl0ck Gam3s CTF is gone this year, and it was time for these guys to switch things up.

CMD+CTRL

A description provided by the organizers:

Learn to see web applications from an attacker’s perspective. CMD+CTRL is an immersive hacking experience designed to teach the fundamentals of web application security. Explore vulnerable web applications, discover security flaws, and exploit those flaws to earn points and climb up the leaderboard.

After attacking an application for yourself, you’ll have a better understanding of the vulnerabilities that put real applications at risk – and you’ll be better prepared to find and fix those vulnerabilities in your own code.

Remember that these websites are intentionally vulnerable, so any information sent to these sites is not secure. Never enter any sensitive information on these sites, including passwords, credit card numbers, or Social Security Numbers.

200 teams competed in this “Security Innovation cyber range” and our guys finished 2nd, only 50 points behind the winning team, n0j.

Full results are here.

OpenSOC Blue Team Village CTF

OpenSOC is a Digital Forensics, Incident Response (DFIR), and Threat Hunting challenge meant to teach and test practical incident response skills in an environment that’s as close to “the real thing” as it gets. This isn’t just another CTF. The platform was built to train real-world responders how to handle real-world situations.

There were more than 800 participants, more than 500 challenges, more than 350 teams, and more than 20 hours of content in this CTF.

Team Ambush took home 9th place, finishing with the same number of points as the winning team. In a tie, the team that finished first wins.

Biohacking Device Lab CTF

This CTF was a little out of our team’s comfort zone, but this didn’t stop them from excelling! Some of the stats:

  • 30 volunteers building infrastructure, creating challenges, verifying flags, and solving support issues
  • 2 medical devices, connected in a volunteer’s home (not connected TO the volunteer)
  • 1 CTF vulnerability reported, fixed, and disclosed
  • 200+ players on 150+ teams from 15+ countries
  • 14,000+ flag submissions, with 5,700+ solves, on 150+ challenges
  • 150,000+ total points scored over 75 consecutive hours

Team Ambush took 7th! This is amazing considering most of our team had very little experience hacking medical devices.

Hack the Plan[e]t

Hack the Plan[e]t is a first-of-its-kind CTF: a slice of modern city life integrating both Internet of Things (IoT) and ICS environments with interactive components for competitors to test their skills and knowledge. Play for a few minutes or plan to stay for many hours as the challenge grows. The ICS Village will deliver a compelling experience using real IT and industrial equipment for all skill levels and practitioner types.

This CTF had 275 registered users, and Team Ambush placed 16th. The full scoreboard is here: https://hacktheplanet.ctfd.io/scoreboard

Really looking forward to this episode with Oscar. Oh, by the way, Brad Nigh (my co-host) also participated!

Another Series

We’re kicking around some ideas for our next series, and so far the leading candidate is a “Security in Healthcare” series. Stay tuned!

Let’s get to it!

Brad was supposed to lead the show this week, but since he participated at DEF CON with Oscar, I’m (Evan) going to take it. These are my notes.


SHOW NOTES – Episode 93

Date: Monday, August 17th, 2020

Episode 93 Topics

  • Opening
  • Catching Up
  • Closing Out the Women in Security Series
  • DEF CON Safe Mode & Team Ambush
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Good morning. Thanks for tuning into the UNSECURITY Podcast. I’m Evan Francen, my co-host is Mr. Brad Nigh, this is episode 93, and the date is August 17th, 2020. Brad, Good morning!

[Brad] You know and love Brad! Brad will chime in here because he’s cool and stuff.

[Evan] Also joining us is my good friend and FRSecure’s awesome Director of Technical Solutions and Services, Oscar Minks. Good morning and welcome Oscar!

[Oscar] He does what Oscar does.

[Evan] It’s been a while since we had you on the show Oscar, and I’m super excited to talk to you about your team’s performance at DEF CON Safe Mode this year! Before we dive in though, let’s do what we always do first, catch-up a little.

Catching Up

Quick discussion about last week, the weekend, or whatever else comes to mind.

  • How are you guys?
  • Tell me about your weekend quick.
  • Anything in particular that you’re excited about?

[Evan] Brad, what’s up? What have you been up to and how was your weekend?

[Brad] Gives us the skinny…

[Evan] Oscar, your turn brother. Tell us things.

[Oscar] He tells us things.

[Evan] Alright, I guess it’s my turn now. Here’s my update…

Transition

Closing Out the Women in Security Series

[Evan] As you know, we just wrapped up our Women in Security Series. We hope that everyone enjoyed it and we also hope we’re all better off for it. Huge thank you to Renay, Lori, Victoria, Kristin, Andrea, Judy, Amy, Theresa, and Lee Ann! We talked to some incredible people during that series!

Brad, what’s one thing that sticks out for you?

[Brad] Gives us his one thing. 🙂

[Evan] Yeah, the one thing that sticks out for me is how important it is for us all to help each other, regardless of gender, race, background or anything else. People who shut others out or make them at all feel uncomfortable are jerks.

DEF CON Safe Mode & Team Ambush

[Evan] Alright, on to you Oscar! Tell us about DEF CON Safe Mode. You too Brad, I hear you did some work with the team also.

Open discussion about DEF CON, Team Ambush, the process, the results, etc.

30 minutes(ish)

[Evan] I’m so proud of you guys and the team! You’re not only VERY skilled, but you all do things right. We need to have you back on a future show so you can share how you build teams. People could really learn from you about how to build an incredible team and how to keep them together!

How about some quick news stuff? A few stories to cover quick. Oscar, you got chops, you can stay and comment if you’d like. Just chime in.

News

[Evan] Alright, here’s some newsy things that I thought were interesting this past week:

Wrapping Up – Shout outs

[Evan] Alright, it’s that time again. We’re at the end of the show and we get time to give a shout out or two.

Do either of you have shout outs to give this week?

[Brad and/or Oscar] We’ll see.

[Evan] Oscar, thanks for joining us again! Team Ambush kicked ass this year and I’m pumped to see what the team does over the next year.

Got questions or suggestions for us? Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Mr. Nigh is @BradNigh.

Oscar, you’re a relatively quiet guy online. Is there a particular way you want people to find you?

Lastly, be sure to follow our show on Twitter (@UnsecurityP), and follow the companies we work for, SecurityStudio (@studiosecurity) and FRSecure (@FRSecure).

That’s it, talk to you all again next week!