Yes, Virginia, you can hack a mainframe. My excellent friend, Phil Young, will be glad to show you how it’s done in his latest talk here from CA World 2016. “Gaps in Your Defense: Hacking the Mainframe”.

 Red teams, Blue teams. Attackers vs Defenders. But what happens when you combine the best of both? Purple teaming!

My very skilled friend, Haydn Johnson, has done a lot of research into this subject. As an adroit pentester himself, he knows about attack skills. And we’ve given a kickass talk on Blue Teams as well. Purple teaming is what happens when you take defending your realm to a whole new level. Give it a read and see what you think.  “Top 4 Tips for Purple Team Exercises”

We have several really good infosec cons going on here in Canada. One of these is Hackfest, billed as the “largest hacking event in Canada”, and is held in la belle province, Quebec. which celebrated their 8th year. With the feel of DefCon, but at a much smaller scale, Hackfest invites the true spirit of exploration and hacking. Talks are diverse, concepts are challenging, and people are really friendly. But what Hackfest has become reknowned for is its CTF. I got to do my first CTF here this year, at a Saturday night party that was more fun than any I’ve been to in ages. Everyone was having a great time, playing together, enjoying the music and light show. Hats off to you, Hackfest!

Hackfest also features outstanding training courses – the kind that are really hard to get. I’m not there yet, but this year they had an intense Corelan course and yes, people were developing exploits within 2 days.

Then there were the talks. Where do I begin? Chris NIckerson brought it with his talk on Adversarial Simulation. The industry needs reform, and he outlined a ground-breaking, earth-shaking plan on how to get us where we need to be. To move beyond colours in a crayon box.  It’s about selling integrity with the service, actually making security happen even when it’s hard.  I talk about getting people out of their silos and collaborating – Chris and his compadres actually wrote the plan. Big things are in store, if we are willing to listen to some of the brightest and most experienced minds out there. 

My friend Stephanie Carruthers, #Sn0ww, enthralled (yes!) a roomful of attendees with how to do OSINT really well. She operates her own consulting business and advises clients on social engineering, vishing, phishing and some other dark arts.

@Renderman and pal, Murdoch Monkey, gave the talk everyone was talking about with “Hacking the Internet of Dongs.”  Because really, was there a better time and place to do this? How much fun can you have on a Saturday afternoon 😉

And I had the pleasure of giving a talk on revamping Blue Teaming with my buddy Haydn Johnson. There’s nothing like a shot of whiskey before giving a 10:00 am talk. We built it from a webinar we had given for Dark Reading on how to do effective IT threat security analysis. We delved into some of our favourite things: data, monitoring, data, context; more data, the enhanced cyber kill chain and the OODA loop. It was a fantastic experience and deserves its own post. See the prezzie at http://www.slideshare.net/haydnjohnson/blue-team-reboot-hackfest

Then, at 11:00 I got to talk about some of my favourite things in A Stuxnet for Mainframes. Yes! 2 talks at Hackfest. Poutine, sight seeing  – it all went by too quickly. But, there’s always next year. A bientot!

http://hackfest.ca/en/speakers/#mainframe

Welcome to my bigger, better site! I really had to learn and earn my way up to this, and the goal is to make it worth your while to land here. Let this be a resource for you, an acknowledgement of the incredible talent within our community, a sharing of ideas and information to enrich our work and passion. So, in addition to my blog, because I just can’t seem to say enough about security, I have a daily updates section – my “catch of the day” offerings. As well, I have a page dedicated to resources, links to sites and people whose knowledge makes a difference, and my goto sources.  And then, because I am all about threat intel and connecting dots, I have added an entire section under “Event”. Here you’ll find what I’ve been compiling on my favourite categories to track trends and look for patterns: ransomware, APTs, banking heists, ICS SCADA  (whoa Stux!), DDoS, breaches and IoT Idiocy. Because when it comes to infosec & learning – I just can’t get enough.

October is Cyber Security Awareness Month. Bottom line is this: you own your own security. Much as you want to delegate it to the big guys or buy shiny blinky boxes that scan everything, you know your sh*t better than anyone else. Don’t pass the buck. Play an active role in your defense.
TIP: Reduce, reuse, recycle does NOT apply to passwords. Make ’em long, keep ’em strong, and NEVER across multiple accounts.

I know. It’s been a while. Life has a way of happening, and believe me, mine has been happening. I needed to take some personal time to just deal with everything and get my head above water.  Drama is messy stuff.

There’s a lot to be gained when you can leverage learning from personal experience.  And trust me, what I have to share in the months ahead will hopefully support others who’ve been through similar circumstances, and haven’t been able to regain their strength or their footing.  I’m just really, really glad to be back in a place again from where I can write, as I can breathe.

It has been a year of extraordinary highs and lows. I have been so fortunate to realize opportunities I’d only dreamed of, experiences that I will treasure for life, and answers to prayers I had not said aloud. As a counterbalance I have lived through what I would not wish on another human being, and had to give up what had been my life in order to rescue myself and reclaim my life. Cryptic? Well, I am @3ncr1pt3d for a reason.

Through all of this I have been blessed by friends who stood by me, steadfast and true, unlike other people in whom we are told to put our trust. These friendships stand as pillars of truth to me, reminders that it is worth fighting for what we believe, even when we think we stand to lose all, or fear we may stand alone. Family and home should never mean having to apologize for or explain who you are, or god forbid, being afraid or ashamed to be your own person. You, my friends, know who you are, and that you have my eternal gratitude and love. And I will be there for you, and for others, as you have been here for me.

Finding my way to the Security community was like finally finding my way home. I have met some extraordinary people on my journey, and am learning so much from them.  These relationships are gifts that enrich my life, just as everyday is a reward in itself of learning and personal growth. I know how lucky I am to find the thing I truly love, and do it.  But like many others here, the price I paid cannot be measured in dollars.

So now, here I am, resolute, renewed, and ready for the next stage of this great adventure. I hope you’ll join me!

This is about backdoors and Pandora’s boxes. It is monolithic in its implications, and everyone who is anyone right now is weighing in.  Because this matters. Start by reading the letter by Tim Cook and Apple, defending privacy against dangerous precedents. My stance here does NOT justify the behaviour or actions of the terrorists in San Bernardino, or  terrorism anywhere.  This is about our privacy, and our rights.  And once the decision is made, there will be no turning back.

2015 has been one heck of a year for those of us in the Security Community. I’d like to pay a little hommage to the year that was, and celebrate the incredible community that is – InfoSec!

(to the tune of that famous ditty from Sound of Music)

Three heads of state who do not get encryption

Fighting the black hoodie hacker description  (I wear purple)

Cleaning up after what Patch Tuesday brings

These are my InfoSec least favourite things

Munin’s got lore

Lesley helps more

DA’s Storytime

This is what’s great when you’re in InfoSec

Security hack sublime

EULA and Wassenaar setting the rules

Researchers disclose to be treated like fools

Zero day brokers who act like they’re kings

These are my InfoSec least favourite things

BSides reaches

Each con teaches

We’ve got stuff to share

This is what’s great when you’re in InfoSec

Security hackers care

Shadow; BYOD; Password disgrace

No DRP or insurance in place

Check mark security, blinky box pings

These are my InfoSec least favourite things

When we mentor

When we disclose

When we all unite

This is when InfoSec truly is great

Hack all the things – that’s right!

In the wake of the recent VTech breach big questions are being raised about Big Data.  It’s prompted an excellent response by many knowledgeable folks within infosec which is good, because this is a conversation we’ve needed to have for some time. The data just keeps building and I hate to say this but any sense of control we think we may have over it, especially as regards our Privacy, is illusory at best. Right now what I see is the Titanic sailing straight into a massive iceberg of insecurity.

I wrote a piece in response for LinkedIn Pulse, but I want to build off that here, because there is so much more that needs to be said. We’re battling a culture of entitlement and indifference, which casts a dark shadow across everything we think we know and understand.  BYOD reigns supreme. The IOT has run amuck right into our once-regulated work spaces. And when it comes to IT, now it seems everyone is doing it for themselves. Because who needs guidelines when you’ve got google? It’s not just the stuff, it’s the attitude. Which is creating a huge problem: how do we secure what we don’t know?

So what’s going on with BYOD anyway?  The view from the trenches isn’t pretty.  ”cyber security policy success is having the authority to tell the userbase no and having that decision stick.” @da_667 tweet and “telling users no, when it matters,  to protect themselves and your company network” @lslybot tweet #abusepolicy.  How do we regulate a society that is essentially device-driven?

It isn’t just the servers and desktops at the office… everywhere we go, anything we touch – we’re connected. Fitbits, Applewatches, tablets, flash drives, Smartphones – this ability to portably “plug in,” and then help ourselves is one we don’t understand and we’ve lost any control over it we had.

In our corporate realm, we have regular users and superusers.  And for good reason. We need privileges in order to do certain things and we need privilege hierarchies to establish the right levels of access. With higher levels of privilege come higher levels of risk.  The problem is that what we’re seeing happen in organizations and companies is a less discriminating assignment of privilege.

We have all these devices, and a pervasive BYOD culture, demanding access to the networks and the data, all that lovely “big data”. And so we comply. We keep opening doors that should just. Stay. Closed.

When it comes to Access and Privileged identity management, we aren’t controlling what we can and need to control.  Per Erika Chikowski, while 92 percent of organizations in the US have some user monitoring in place only 56 percent are handling privileged identity management. Almost a third of those companies do not have someone actually analyzing or auditing how and when employees and contractors have privileged access to systems on even a weekly basis.  Meanwhile, 60% of IT decision makers admit to sharing their credentials.

In her recent piece “Employee Password Habits that Could Hurt Enterprises“, Erica shows that we’re still not learning despite recent breaches and training programs. As the line between personal and professional grows more blurry, 60% of employees do work activities from a personal device and 55% of employees do personal activities on work devices.  Work data is accessed from personal devices more than once a day by over one third of employees. Passwords remain an Achilles heel that the most novice attacker can exploit to gain access to our networks and then find their way, or stumble upon, our corporate crown jewels.  Half of employees reuse passwords at work and that number only increases for personal use. Remember that blurred line – it factors in here.

Cutbacks and reductions mean fewer guardians at the gate in IT.  Under pressure to keep things running and meet demands, we resort to the path of least resistance so that we are “simplifying the process.”

Okay. Why not enable users to resolve some of their own problems by raising their status?

What the heck? Let Marketing have access to all the data – it’s just reports.

Why not? Let people update corporate social media accounts – there’s nothing to worry about there.

But here’s the bottom line: Privilege loses its meaning when that account status is being freely handed out.

“It is scary to think that this many people consider it normal for employees to have access to data that they shouldn’t have and for companies to not know where their missing data has gone.”

– David Gibson, VP at Varonis.

One word: exposure.

It is as bad as it sounds. When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at a significant risk. Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March2015 IBM-Sponsored Ponemon institute Study, nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers.

Add to that “9 in 10 websites leak user data to parties of which the user is likely unaware”.  This is according to work done by Tim Libert of University of Pennsylvania.   We are talking about siphoning and sharing data everywhere.  So when Joe from work goes to a site like AirBnb to book his trip to Regina, the user data gets sent to 9 other sites on average . These include Google, Facebook and WordPress.  Factor in that 6 in 10 sites generate third-party cookies, while 8 in 10 load javascript from external parties onto users’ computers. How do you control what you don’t even know?

This scenario is bad enough for your personal information. Now imagine an employee is accessing unauthorized sites. And don’t count on the Do Not Track me setting in the browser. Press it all you like. It’s like that button at the traffic light. Nothing really happens.

There are a whole host of security issues when it comes to data. So what happens when individuals operate as individuals, and make independent decisions about data storage and transmission? What do you do when your greatest security threat comes from within?

Lets talk Legalities. While business may love that employees pay for their own devices, and BYOD is all about convenience, it comes at a cost and everyone needs to be prepared. You can’t protect what you don’t know. And with Shadow it/Shadow data, you are exposed. I’ve spoken with Chris Case, the resident expert on cyber insurance at Dan Lawrie insurance brokers.  Most businesses have no idea what they are really covered for. Here’s a sobering thought: the insurance you currently have won’t cover breaches. You need Errors and Omissions, and to make sure your riders address the new cyberrisks your data and reputation face. No. Insurance does not replace good security fundamentals, but it is a mandatory component in your security toolkit.

Let me reiterate something Mark Nunnikhoven recently wrote in his recent piece “The Attack Surface of Data” on LinkedInPulse. He re-establishes a point we all need to remember: The more data you have, the greater the value it is, then the greater your risk. But people keep putting more data out there, and storing it in places it can’t be kept safe. Mark points out that, as we here know too well, security is an after-thought at best. “Typically security teams are faced with dealing with the aftermath of collection decisions. That’s unfortunate because the easiest way to secure the data is simply not to every have it in the first place.”

The situation has evolved drastically from what we are used to protecting. This requires a different level of data breach prevention at the point of network entry. One where we need to really understand  the risk profile of the device and the user.

“It’s not good enough to merely resist the rise of BYOD, if people can still access corporate e-mail when they get home…”
John McAfee

Because at the end of the day, what do our continued efforts to secure the corporate walls mean when this is the current reality?