Sunday, July 10, 2016

Stale Blog Syndrome

It seems the only time I come here to post anything is when I am procrastinating on something else.  For example, right now I should be working on my slide deck for my talk coming up next Saturday.  If you are interested in watching me hopefully not suck too bad, come to BSidesCT 2016 at Quinnipiac University next Saturday July 2016.  Some evil person decided to put me right after the Keynote (no pressure).  So come see me if you want to learn how to deal with the business moving apps and services into Microsoft Azure from an information security standpoint.

If you want more up-to-date InfoSec write-ups feel free to check out my other blog over at  There are some interesting things about malicious JavaScript downloaders and replacing humans with technology.  For now it is back to my slide deck.


Saturday, May 2, 2015

Windows in the IoT space

So this past week the annual Microsoft Build Developer Conference happened in San Francisco.  During many of the key note talks, Microsoft announced a bunch of their new platforms and products.  Among them was Visual Studio 2015, Windows 10 Insider Preview, and Windows 10 for IoT.

For my non techie friends and family, IoT = the Internet of Things.  So what does that mean?  Well as our computing devices get smaller and smaller, we are able to create more things that can connect to the ever growing internet.  It isn't just your computer or mobile phone anymore.  We have tablets, game consoles, smart TVs and other media devices.  We now also have thermostats (Nest), home automation systems, refrigerators, toasters, small robots, cats and dogs living together MASS HYSTERIA!
For the most part this space has been frequented by micro-controller boards like the Arduino, Beaglebone, and the much smarter Raspberry Pi computers.  Newer and smaller boards have now entered the market and they have come ready for the internet. has been releasing a different board every few months.  Their first was a Wi-Fi enabled Spark Core, then came the much smaller Photon (about the size of a postage stamp), and now they have a cellular enabled board called the Electron.  

So with all this IoT growth, it is only natural that Microsoft decided to jump in the pool.  As a software company, you almost need to be in there if you want to stay relevant.  So what's this new Windows 10 IoT all about?  Well it is the latest in Microsoft's embedded OS.  As of now they are supporting 3 hardware platforms - Raspberry Pi 2, MinnowBoard Max, and Galileo.  Galileo has supported previous versions of Windows embedded but does not yet support Windows 10.  But Microsoft has instructions on how to get started anyway.  I will focus on the Raspberry Pi 2.  This latest version of Pi was released a few months ago and is a pretty impressive tiny computer (just don't use high powered camera flashes next to it).  With a 900MHz quad-core ARM Cortex-A7 processor and 1GB of RAM, it certainly has some juice to run a scaled down Windows OS.  

So what will you need to get going?  Well first a Raspberry Pi 2, availability is up and down so grab one when you can.  Next you will need something to run Windows 10 Insider Preview (current version is 10074).  I ran it in a VM but there are some very annoying bugs in the current version.  I have not run it on a physical device yet since I don't have spare laptops lying around.  You will also need Visual Studio 2015 to do development on.  Follow the instructions on their github page. Flashing the SD card is pretty straight forward.  Once the Pi is booted up, you will have a screen with some basic information including the name of the device and it's IP address.  You will need to hardwire it with ethernet as it does not appear to have any out-of-box support for your standard wireless controllers.  Once you have the device info you can connect via Powershell from your dev box.  This can be done from Windows 7 or 8.1 running updated Powershell.  There are a few other steps you must complete to finish the setup.  Unfortunately the rest of the development requires Visual Studio 2015. 

One thing to note about Windows IoT, it comes with remote debugging enabled.  So I would recommend not tossing this on the public internet until it is production ready.  Visual Studio 2015 does have some IoT management features, hopefully that will allow you to enable/disable remote debugging when required.  The geek in me is loving all this, but the security guy wants to start drinking heavily.  The world is becoming more and more connected each day.  Some of these technologies are improving our lives in various ways.  We have more energy efficient homes, doctors can perform maintenance on healthcare devices without surgery, parents can keep track of their children, and brew masters can monitor their brewing processes without spending long hours at the brewery.  But with every newly connected device there is a new possible risk for exploitation.  Nothing is unhackable.  If a vendor tells you this, they are lying.  So if it can be turned on or off, it can probably be hacked.  But without hacking we would probably not have our most successful breakthroughs in science and technology.  Just like the discovery of nuclear power, it is both a great energy resource and extremely destructive force if put in the wrong hands.  

So, don't be afraid of the Internet of Things, go out there, make something!  Who knows maybe that something will be used in future space explorations or help an amputee walk again!  

Tuesday, January 20, 2015

Not a lot of drool lately... but how bout hacking in the mainstream eh???

"You work dark alleys, I work the dark nets..."  So that is the tag line that Patricia Arquette's character drops during the latest trailer for the next installment of CSI, CSI: Cyber.  It was bound to happen sooner or later.  With high profile breaches like Sony Pictures, Target etc etc..  Hollywood is cashing in on the idea of digital terrorists and cyber criminals stealing anything not secured stored in a fireproof, airtight container at the bottom of an ocean.  Seriously it is terrible out there.  It was hard enough keeping track of the latest vulnerabilities and exploits so we can defend out networks, but now this stuff has hit the main stream.  So this is both a good thing and a bad thing.

I'll start with the positives...  We, as security pros, now have a way to explain to our non-technical associates and managers about the dangers of the internet.  Granted the material in the TV and Movie versions of our daily lives is a bit inaccurate (I'm being nice), it is still being put out there.  Sure we can go back to great movies like WarGames and Sneakers, but they are a bit dated (Sneakers is still my favorite).  Swordfish was a good flick as far as action goes and well Halle Berry made it even more tolerable, but know one out there is going to hack the NSA in 60 seconds at gun point and... well you saw the movie.  Oh wait I was supposed to be positive here.  So yeah it gets the concepts in front of the civilians.  They now know there is a danger out there in the digital landscape.  Information is not as private as we once thought and anyone with motive and ability will do their best to get at it.  This will certainly help those of us who struggle with securing budget to improve our current environment.  That larger budget will help us bring in additional staff, train our current employees and install that SEIM we've been wanting all these years.  Now when the CIO questions your budget you just need to say "Because Blackhat!".  OK, you will need to do more than that but it will certainly help sway their opinion on your needs.  Also I say "CIO" because there are still big corps out there that have not yet gone the route of having an official CISO to handle InfoSec.  Also no reason you Sys Admins can't use the same argument.

OK so the negatives were mixed in with the positives a bit.  Something that I think these Hollywood interpretations of hacking may do is set an unrealistic expectation on our current security teams.  I mean, companies are going to expect their IR teams to be able to handle themselves in a firefight, or decrypt anything with a power cable attached to it, and maybe even go toe-to-toe with trained assassins while getting root on the Unix server.    Sounds exciting huh?  Believe me there are days where we wished it was a little more exciting.  The reality of it is that our jobs, on the outside, do not look all that awesome to the non-tech folks.  I mean if they tried to make a movie about what most of us due but still include action, this would be the result:

Don't get me wrong, in our minds and what we see, we do pretty exciting stuff.  But some folks may just think we are nerding out over some code or the latest gadget.  Now we can scoff at this latest trend in Hollywood or we can use it as a tool like we use PCI or HIPAA, to get what we want from our senior management.

Well, ranted enough for the day.  I'll have more here in the coming weeks I imagine.  For now you can also head over to Nutmeg Infosec and keep up with some stories there!

Sunday, November 2, 2014

It's been a busy October but it is over!

So on top of the regular work activity, I have been trying to put together an active security meetup here in the great state of Connecticut.  Doing that and helping the wife put together our annual Halloween party, has certainly sucked away some vital blog writing time.  But the holiday is over and the next couple are usually pretty tame so back to the keyboard!

So like I said, I have been working on getting some of the security pros in the state out of their corporate offices and into the laid back setting of a meetup.  We had one decent meetup so far and I am planning on finishing out the year with at least 2 more.  I will also be moving many of my security related posts over to the new meetup site -  Along with the main site, we have a meetup group too.  So if you are in the CT area and you want to share your experience with others, feel free to check us out.  We meet once a month, currently at NESIT Hackerspace in Meriden.  We try to have a couple people do short presentations on topics of interest that vary from the typical hackery of pen testing, to defensive strategies as well.  You can also follow us on Twitter @NutmegInfoSec.

So that is all for now, I should have something techie up in a couple days, going to do a short write up on the Ubiquity UniFi Access Point and if you head over to NutmegInfoSec, there will be a brief post about building your own Tor router using a Raspberry Pi.

Saturday, September 13, 2014

Good on you Microsoft!

So as I began writing this, I sit and stare at my other computer "preparing" to configure Windows after the latest batch of Microsoft updates have been installed.  But I won't let that bother me as it hasn't blue screened...

So in a recent ZDNET article, Microsoft is being held in contempt-of-court for not handing over data, that is stored on servers in Ireland, to US Federal Prosecutors despite a warrant.  So those of us who have worked for/with companies that have an international present, in particularly within the EU, know that it isn't a simple matter of saying "oh we own the servers, so we have the final say in what we do with that data..."  Fortunately/Unfortunately (depending how you look at it), the EU privacy laws are much stronger than most other countries.  So the fortunate part of this is that it puts our wonderful "World Police" mentality into check.  People need to play nice around here, so if a foreign government is willing to work with us on something, then cool.  If not, guess you need to go a different route in the prosecution.

So if Microsoft said, "Sure buddy!  here you go, all the foreign internetz!"  Then they risk breaking the law in the foreign country.  So damned if you do, damned if you don't.  I once had to do some forensic work on a system in another country.  That branch of the company needed to have their export folks and the privacy law dogs review the system before allowing me to take a forensic image.  Even though we were the parent company, we still had to allow them to approve it.  So it is a sticky matter when dealing with these situations.  The "Unfortunate" part of all this is if one is doing a forensics investigation on something critical like a targeted attack, well time is everything!  Lawyer types are not known for their speedy response on a decision.

So what are your thoughts?  I'd be interested in hearing them.

Wednesday, September 10, 2014

It's Always the User's Fault...

Throughout our career as Information Technology/Security professionals, we have, at one point or another, blamed a user for the problem.  Granted there are some pretty good cases out there where it certainly is their fault; for example, using the CD tray as a coffee cup holder, or spilling soda in the keyboard then denying that they did it, and maybe attempting to fix the problem themselves and only making it worse.  Seriously, one time I was working for University and I had to come up and check on a staff member's computer.  I look at it and see a bunch of the power cables hanging out of the case.  I look at them and ask if they attempted to fix it themselves, and they straight up denied it.  So yeah we like to blame them for most, if not all of the problems.  In Security we are no better.

The debate is a hot one these past few weeks in lieu of the latest series of breaches, in particular the celebrity photos being leaked.  Now our first two comments on the matter are usually "You shouldn't take nude photos of yourself with your phone if you don't want it on the internet..." and "Why are you not using strong passwords!!?!?!?!"  To those of us in security, these things are just common sense.  For those not in this particular industry, they put trust in us to secure a system so they don't have to worry about such things.  This is a pretty logical assumption from someone NOT in the security profession.  But we all no better, don't we?  Contrary to popular belief, this is something that was not instantly built into our DNA.  It took years of experience to make us hardened pessimists of all things tech.  We have seen what happens when things don't work right.  We have worked for companies who have cut corners on a product just to get it out the door.  We all know security is looked upon as a cost center, not a revenue driver.  So if it comes down to making a product so simple to use that even the likes of the Kardashians can figure it out, then sometimes security is tossed out.

Can you make things extremely functional without skimping on security?  Certainly!  Is it easy?  Hell no!  But then if it was, many of us would not have jobs.  So how do we fix this?  After all it is a growing problem that doesn't seem to get better despite everything we tweet and post about.  I think first, the main stream media just needs to stop... seriously, they are horrible at covering these types of news stories.  Rather they need to get more REAL experts to comment and offer sensible recommendations.  The larger news outlets are getting better at it by bringing folks in like Dave Kennedy (Trusted Sec) or tapping Dan Kaminski.  But the smaller stations are really not there.  So if you know folks at your local news organizations, reach out to them and let them know you have the answers!  As for the companies who make these products, well the only way we can help is by taking on the difficult position of working for them and making things right.  Then again, they have to be willing to compensate such positions appropriately.

Ok, I think that is it.  Guess I'll shut up for now.  I have some letters to write to my local news outlets!

Story of an IT Pro: Volume 2 "The Choice"

If you haven't read Volume 1 "The Beginning", check it out now.

So fast forward from that time where I worked in K-12.  I had worked for the school system for a little over 4 years and it was time to move on.  For those that have been in IT for a while, you know that the jobs can get stale which can cause you to burn out.  I was there and it was time to go.  I took a job with a consulting company which offered a nice pay increase as well as possible training opportunities (later I found this to be exaggerated a bit).  The job was a love/like/hate relationship.  I loved the amount of experience I was getting from all the different environments and systems.  I loved that I had people above me that had much more knowledge than I did on a number of related topics.  I liked most of the people I worked with.  I hated the travel.  Now I had an idea that I would be on the road a bit more than a normal 9-5 with a standard commute, but it does drain you and can cause you to make some poor decisions in handling your job.  Now that being said, I still would not have traded that experience.  I think 5 years doing the same job in IT is a pretty good run.  Will I ever take on a job like this again? Certainly not, but I would still recommend that if you are new to the industry, a consulting job will be your best bet to gain a significant amount of experience.  Just do your research on the company before hand.  That is all I will say on the matter in this post.  I may right something in the future on the topic.

Back to the story... So I was getting burned out and InfoSec was just starting to become a hot topic, at least in my world.  We had one guy in the company that held a strong interest in the art of penetration testing.  Sadly, at this time, there was little call for it.  We mainly did vulnerability assessments since no one wanted to pay for the full penetration test and/or risk having their systems down if we succeeded in the test.  This field of study fascinated me.  So I began doing some heavy research in the topic.  I provisioned some systems in my home lab to play with and started using twitter so I can follow some pros.  I filled my iPhone with all sorts of security podcasts.  I was really into it.  After I learned that with good security, one can eliminate a number of the small day-to-day fires that Sys Admins have to deal with, I made a choice to pursue this as a career.  So I updated my professional development plan and let my manager know this is what I want to do.  And shortly after that, the lead engineer for Security Services gave his notice.  Well I still tried to take on more security related tasks but eventually, it was time to look for something new.

Remember that thing about burning out?  Due to a couple bad calls on my part, it was decided that the company and I were no longer a good fit.  I was able to take a nice semi-paid 3 week vacation before going back to consulting.  I took a job with another consulting company to pay the bills.  But it was not the job I was looking for.  If it wasn't clear, the choice I made was to pursue a career in Information Security.  I really didn't know what that meant exactly.  I did know what I didn't want to do, and that was to have to troubleshoot printer issues forever.  So I was determined to find the job that would support my new goals.  I wanted to find things before they became problems.  I wanted to prevent the common day-to-day fires caused by improper anti-virus software installs and poorly configured firewalls.  During that short stint with that other consulting company, I was presented an opportunity to take on a Security Administrator role in a local not-for-profit insurance company.  So I jumped at!  You have to do what is good for you.  So you find that new job, write your resignation letter, and part ways...

Continued in Volume 3: Career Advice