Aug 27 2015

Interview, Keren Elazari, Researcher and Analyst

Published by under Podcast

I was able to catch up with Keren Elazari at Black Hat.  We talked about her presentation at BSides (Hack the Future) and what it means to us as security professionals.  Keren highlights how bits are controlling atoms more and more every day and how the next 20 years are going to make the changes of the last 20 look like child’s play.

NSPMicrocast-BlackHat2015-Elazari


Aug 20 2015

Interview, Author and trouble-maker, Jason E. Street

Published by under Podcast

I had a chance to catch up with my friend, Jason E. Street at Black Hat in order to talk to him about a few of the projects he has going on.  In addition to full time employment he’s an author, he’s working to revitalize Defcon Groups and he’s helping to publicize the efforts by hackers at Def Con to donate blood every year.  Busy guy.

Dissecting the Hack:  The V3rb0t3n Network

Defcon Groups

Interview with Jason E. Street


Aug 19 2015

Interview, Paul Kurtz, CEO of TruSTAR

Published by under Government,Podcast

I got to catch up with Paul Kurtz, CEO of TruSTAR Technology and former advisor to the White House on cybersecurity.  Paul and I talk about his work under a President and a President Elect, information sharing and the OPM hack.  This was one of the more interesting interviews I did at Black Hat, at least for me.  Hope you enjoy it too.

Interview with Paul Kurtz, CEO of TruSTAR Technologies


Aug 16 2015

Interview, Dr. Engin Kirda

Published by under Hacking,Podcast

I sat down for a few minutes to talk to Dr. Engin Kirda, Chief Architect at Lastline and professor at Northeastern University in Boston.  We discussed the next generation of security professionals and his BH talk about the sophistication (or lack thereof) in modern ransomware.  And, as with all interviews this conference, I asked about the OPM hack and retribution.

Interview with Dr. Engin Kirda, Lastline


May 10 2015

Spying pressure mounting worldwide

It’s been an interesting ride ever since Edward Snowden came out with the revelations about NSA spying efforts two years ago.  There was a huge public outcry at first, both from the side who believes spying on your own citizens is unacceptable and from the side who believes it is a vital tool in protecting them.  Both sides of the argument have been trying to sway public opinion, with varying degrees of success, but it’s been the spy organizations that have been getting their way as judges and lawmakers side with them for the most part.  But that’s slowly changing and there’s additional pressure mounting on both sides of the argument.  It’s only a matter of time before the pressure seeks an outlet and it may be explosive when it does.

The first problem with spying by intelligence agencies in the US was that it was so secret that most courts couldn’t even get enough information about the practices to determine who had a right to sue for relief from the situation.  You can’t sue the US government unless you can prove you have standing in a case, that you are affected by the action, but you couldn’t prove you were one of the people who were spied upon if the information is too secret to be released even to the court.  So for nearly two years, that venue of combating governmental spying has been stymied.  As of last week though, that’s started to change as the US 2nd Circuit Court of Appeals in Manhattan declared that Section 215 of the Patriot Act did not authorize massive collection of phone data.  The ruling also gave the ACLU standing in the case, enabling further legal action, but stopped short of declaring the spying efforts unconstitutional.  In a move that probably didn’t surprise anyone, multiple Senators and Presidential wannabes called for new laws to give the NSA and other agencies the power the court just denied them.

Abroad, there’s also a lot of push back against not only American spying, but against the national organizations who are cooperating with American organizations.  Germany’s Federal Intelligence Service (BND) had been cooperating with the NSA for years, feeding the American organization information directly from their telecoms and ISPs, enabling the NSA to track German citizens in ways the BND might not be able to.  This got mostly overlooked when it was revealed that the US was listening in on Angela Merkel’s phone calls, but recent activity and the NSA’s refusal to give justification for the information they’re asking for has caused the BND to stop cooperating with the NSA and is creating quite an uproar in Germany.  Merkel’s political party has been under a lot of pressure because of the information the BND has been providing and there have even been calls for the resignation of the German Interior Minister.

Those are the recent wins on the anti-spying front.  On the other side, advocates of spying continue to push in all sorts of ways, from asking for golden keys in encryption technologies to calls for more power from legislators and less oversight by the judiciary.  Last week’s elections in the UK have emboldened Home Secretary Theresa May to call for the re-introduction of the so-called “Snooper’s Charter” in the country.  GCHQ already has significant powers within the UK and abroad, but the Draft Communications Data Bill would extend these powers considerably and lessen any oversight on law enforcement agencies.  The good news is that even members of her own party are critical of the bill and might not be willing to back her call for further power.

Proponents of spying powers have nearly religious respect for the government’s need for these powers and the government’s restraint in their use.  Theresa May seems to believe that any judicial oversight is too much and that the government can’t be restrained or the terrorists will win.  In the US, Supreme Court Justice Antonin Scalia has long held similar beliefs and has been very vocal about it.  Last year he presented to a Fordham University class on law, strongly stating that such powers are needed and cannot be limited.  This year when he went to present, the professor had given his class a new assignment: using only publicly available information, create a dossier on Justice Scalia.  The 15 page document was presented to the Supreme Court Justice and included extensive information about his finances and family.  Rather than take this as an example of what the NSA or any other organization has at their fingertips and a warning as to why this might be dangerous, Justice Scalia blasted the teacher and his students, questioning their ethics and judgment.  It seems that it’s okay when an impersonal national agency does it, but not when a small group of students research the Justice.

And adding to the pressure cooker of the spying argument, China and Russia have signed an agreement not to hack each other.  It’s probably more accurate to say they’ve agreed not to get caught at it, but this means that their considerable resources will be at least partially turned away from each other and to different projects.  There are probably not many people who won’t identify the US as the primary target of the freed up hackers, but there are plenty of other places they can put their efforts.  In a lot of ways, it’s like two gangs agreeing not to horn in on each other’s territory while they deal with a third gang.  Add in Russia’s upcoming data localization laws and things get very interesting, very quickly.

“May you live in interesting times.” certainly applies.  There’s pressure from all sides, some wanting to increase spying, some wanting to curb the capability of Western law enforcement agencies.  Both sides have valid points, but it’s a trade-off between the security that such spying might provide versus the damages to civil liberties and personal freedom that it causes.  There’s been almost no proof that spying by international agencies makes us safer, but by the same token it’s hard to express clearly how spying damages the lives of average citizens.  In many ways this is going to be one of the defining issues of the early 21st century and will determine the future of our civilization.  Do we defend our liberties or do we give governments the power to protect us from ourselves?  Only time will tell.


May 07 2015

RSA 2015 Interview: Mike Walls, Edgewave

Published by under Government,Podcast

I got a chance to talk to Mike Walls, Edgewave’s Director of Cyber Operations and ex-Navy pilot, on the floor of the RSA conference.  I chose Edgewave to talk to specifically because of their marketing material and the number of buzzwords they used to describe themselves.  Mike does a fair job of defending and refining their meaning as well as highlighting some of the differences he sees between private sector and DoD incident responders.  Still, he uses ‘cyber’ a lot, one of the tells that he really did work in government.

Interview with Mike Walls, Edgewave


May 05 2015

RSA 2015 Interview: Jason Straight, UnitedLex

Published by under Podcast,Privacy

I got a chance to sit down with Jason Straight, SVP and Chief Privacy Officer.  Jason works on the legal side of security, meaning as a lawyer, not law enforcement.  The conversation covers international legal concerns, privacy and communicating with your own legal counsel, just to mention a few of the topics.

The interview was recorded in a busy tea house and I’ve done my best to remove as much of the noise as possible.

http://traffic.libsyn.com/mckeay/NSP-RSA2015-JasonStraight.mp3


May 04 2015

Dad, I want to learn to hack

Published by under Family,Hacking,Social Networking

My teenagers, like many teenagers, are curious about what their father does for a living.  They’ve been to maker faires, security conferences, unconferences, Defcon, BSides, Hack in the Box, and they’ve really enjoyed them all. They’ve heard me talk about all sorts of current events in the context of computer security.  Quite frankly, I’m a little surprised they still want to hear about security and privacy considering my propensity to monologue (aka rant) about most things security related at the drop of a hat.  But they’re both sponges and given that security has become something that’s in the public awareness, they’re still interested in security, and by extension, hacking.  Or maybe it’s security that’s ‘by extension’, because the idea of breaking into something will always be sexier than the idea of securing it.

This weekend that curiosity hit a critical threshold and the oldest Spawn asked “Dad, how can I learn to hack?” Now, I’ve never been a hacker, just a tinkerer who understands a little about a lot of things, so I did what many good security professionals do when faced with a question:  I went to Twitter.  And I got a lot of good suggestions from folks like Wim Remes (@wimremes),  Improbably Eireann (@blackswanburst), Andreas Lindh (@addelindh), Adrian (@alien8) and Erik Wolfe (@ArchNemeSys), just to name a few.  I also got some cynical feedback from Sid (@trojan7Sec), but that’s fodder for a different blog post.

Before I get to the list of sites sent to me, I have to mention another experiment I’m trying with the Spawn and for my own education.  As my co-worker Larry Cashdollar (@_larry0) suggested, I have a Raspberry Pi 2 with Kali Linux sitting in the living room waiting for the Spawn to get curious enough to start poking around on it.  I taught them how to use PuTTY to log into it and let them go, but it is a bit intimidating for a first time Linux user and it’s mostly sat there untouched so far.  That being said, the very first thing Spawn0 did was to change the admin password on me and lock me out of the system, until he came into my office giggling like a maniac.  It was a proud Dad moment.

So, without further ado, here’s  a list of the suggestions:

  • Untrusted – This was the first suggestion I received and the one that Spawn0 immediately latched onto.  He completed everything but the last level in one afternoon.  His feedback was that it’s not exactly a ‘hacking’ tutorial, but that it’s interesting and fun nonetheless.
  • Metasploitable – Another request by Spawn0 was a suggestion for a Linux VM for him to play with and learn on.  Metasploitable is a great tool for exactly that, especially when it’s coupled with the Kali Linux RPi system for testing from.
  • Over The Wire – “learn and practice security concepts in the form of fun-filled games” pretty well sums it up.  I’ve always maintained that security and hacking are more about the thought processes behind decisions than they are about the technology and this helps build the foundations for those thoughts.
  • Hack This Site – This one came in while he was in the depths of Untrusted, so it hasn’t been tested yet.  I played with it when it first came out and I’m interested to see how it’s evolved and how a young adult can learn from the site.
  • Cybrary.it – More of a library than a tutorial, there’s still a lot of information to be gained from this site.  I’m not going to encourage the Spawn to become a CISSP, though I may point him in the direction of the CCNA.  Foundational networking is more important than having knowledge that’s a mile wide and an inch deep.
  • Hacking: The Art of Exploitation – Back to my theme of understanding the foundations, this book looks at the underlying ideas of hacking. Originally published in 2003 and updated in 2008, it’s still recommended reading today.  Thanks to my team at Akamai, I brought home a copy of Future Crimes by Marc Goodman from RSA, and both of the Spawn are taking turns reading it.  Might explain the uptick in hacking interest.
  • Mathy Vanhoef – I was pointed to the Memory Hacking blog post, but there’s a lot crammed into a few posts on this site.  Probably beyond a beginner, and some of it’s beyond my understanding as well.

I don’t necessarily want either of my underlings … I mean children … to follow in my footsteps and become security professionals, but I’m a strong believer in exploring as many different interests as possible.  And anything they learn about hacking, from the underlying philosophies to the technical details, will be helpful in their future.  No matter what they decide to do with their lives, knowing how to program, how to hack and how things work at the bits and bytes level are going to be important in their futures.  And it gives me an excuse to dust off some of my own skills as well.

More suggestions for sites to add to the list are appreciated.

Edited to add suggestions from Twitter:

  • From @gianluca_string – Exploit Exercises – A host of virtual machines to beat upon and break.  Gianluca Stringhini says he’s using it in his hacking class this semester.
  • A glaring oversight when talking about teaching kids to hack was HacKid Conference.  Both of the Spawn consider this to be the best experiences they’ve ever had at a security conference.  Wish I could take them again, but living in the UK makes it unlikely. (hat tip to @beaker and apologies for missing this the first run through)
  • From @EricGershman – PicoCTF – This was a competition targeting middle and high school students from last year, but it’s been continued with access given to teachers for tracking of their students.

Oct 21 2014

Posting other places

Published by under Blogging

I’ve been blogging for some other sources lately.  It’s interesting to be creating articles for someone other than myself, because I put more thought into it and spend more time trying to organize my thoughts and outline the article before I put virtual pen to paper.  I’m writing for IBM’s Security Intelligence blog (they’re an Akamai partner) and InfoSecurity Magazine regularly and contributing to other venues as opportunity comes up and time allows.  Blog post, articles, webinars, presentations, or just shooting the breeze about security, I do it all.

  • Don’t Track My Children – Title’s pretty self-explanatory.  I don’t want my children to be subject to constant tracking and observation just to go to school.
  • How to Present Security Topics to a Non-security Audience – I wrote this after I had the privilege of presenting at a Cloud event in Prague last month.
  • Why is “Security Intelligence” so Hard – Marketing teams call their products ‘security intelligence’, but the reality is most of the products barely rise to the level of information, let alone intelligence.  It’s a pet peeve and I feed it often.
  • Heartbleed and Shellshock: The New Norm in Vulnerabilities – I’ve been talking to a lot of my co-workers lately and we all expect there to be more vulnerabilities of this level in the near future.  On the other hand, I’ve gotten feedback from people basically stating this isn’t anything new, it’s just that the latest vulnerabilities have better PR and logos.  You have to love logos.
  • Setting a Dangerous Precedent: It’s Foreign – Wherein I posit that the US and UK governments are setting a dangerous standard by saying it’s okay for them to hack foreign computers in pursuit of criminals, because it lets other governments do the same.

More coming, but I thought I’d give you a wrap of my recent posts, just in case you missed them.  Am I my own link bait?


Oct 14 2014

Wake up to a POODLE puddle

TL;DR – Disable SSLv3 immediately.

As of this morning SSL appears to be dead, or at least dying.  The POODLE vulnerability in SSL was released last night, revealing a flaw in the way that SSL v3 handles CBC cipher padding that allows an attacker positioned between client and server to recover plaintext from the encrypted traffic.  This makes the third major vulnerability released on the Internet this year and is another warning that this level of vulnerability discovery may be the new shape of things to come.

I’m not going to try to explain POODLE in detail, or give you a nice logo for it.  Instead I’ll just point to the better articles on the subject, a couple of which just happen to be written by my teammates at Akamai.  I’ll add more as I find them, but this should tell you everything you need to know for now.

Update: It’s estimated that SSLv3 accounts for between 1% and 3% of all Internet traffic.
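Since the whole fix is “stop offering SSLv3”, here is what that looks like in practice.  This is an added example, not configuration from the post or from Akamai; it assumes an nginx web server and shows the weak setting beside the corrected one (older nginx releases offered SSLv3 by default, so the protocol list is worth setting explicitly rather than relying on the default).

```nginx
# BEFORE (weak): SSLv3 is still on the list, so any client that can be
# pushed into an SSLv3 handshake gets a CBC cipher suite whose padding
# POODLE can exploit.  Constructed example, not a real site config.
server {
    listen 443 ssl;
    server_name example.invalid;   # placeholder hostname
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/nginx/certs/example.invalid.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.invalid.key;  # placeholder path
}

# AFTER (hardened): SSLv3 removed.  A client that only speaks SSLv3, or an
# attacker forcing a downgrade to it, now gets a handshake failure instead
# of a vulnerable session.
server {
    listen 443 ssl;
    server_name example.invalid;   # placeholder hostname
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/nginx/certs/example.invalid.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.invalid.key;  # placeholder path
}
```

The Apache equivalent is `SSLProtocol all -SSLv2 -SSLv3` in the SSL virtual host.  To confirm the change took effect, run `openssl s_client -connect host:443 -ssl3` against the server after a reload: a handshake failure is the result you want, a completed handshake means SSLv3 is still being served.  Note that the `-ssl3` option is only present in OpenSSL builds compiled with SSLv3 support, so a missing option is a tooling limitation, not proof the server is fixed.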

And since there’s not an official logo for it yet, I present …. The Rabid Poodle!

Rabid Poodle

