Security Hygiene is Boring and Critical

This has been said many times before by people many times more credentialed than me. There are sexy vulnerabilities out there that take considerable expertise to understand. Then there are vulnerabilities or configurations that are the equivalent of leaving your car door unlocked.

The calculation so often made goes like this: “it hasn’t happened before”, or “I’ll only be gone for a few minutes”.

Oddly, many who have an incredibly honed financial sense about them and who understand that ‘past performance does not equal future results’ have great difficulty extending this concept elsewhere. But nowhere is it more applicable than in security. Past performance does not equal future results! (Or you may have been hacked in the past and you don’t know it.)

The oversight that causes an organization to get hacked in the first place is likely something simple. Are you missing two-factor authentication? Are you still using a default login? Is your password “Spring2019” and do you use it everywhere? These are security concerns that don’t take heaps of expertise to understand; they are boring and critical.

Attackers don’t want to work hard to steal data or install ransomware, so they’re likely to look for simple vulnerabilities or poorly configured networks in order to get the job done. Don’t sweat the small stuff, sweat the simple stuff.

“The Cuckoo’s Egg:” An Old Story – New to Me

Two weekends ago I finished reading “Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World”. (Please read previous blog entry to learn more.) I was amazed at how many of “Tribe of Hackers” contributors recommended an old book, “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage,” which was written by Clifford Stoll in 1989.

The story actually begins at Lawrence Berkeley National Laboratory in 1986. I won’t go into too many details about the setting or the time. In computer years, it was ages ago. So my question: “How could such an old book about tracking down a hacker be so routinely recommended by a slew of highly knowledgeable and well-respected info sec professionals?”

Turns out cybersecurity hasn’t changed much. In “The Cuckoo’s Egg,” the hacker who is being tracked by Stoll, an astronomer, is aided by the following: 1) default credentials, 2) processes that run as root, but shouldn’t, 3) well-known vulnerabilities, 4) the fact that folks can be fooled into entering their credentials into fake sites, 5) the desire of organizations to not share information, 6) the fact that various US agencies described this sort of attack as not their ‘bailiwick’, 7) the fact that various agencies don’t have the expertise to fully comprehend the risk to their data and network infrastructures, and 8) that organizations could not possibly imagine someone actually penetrating their ‘high security’ environments. I’m sure I’m missing a few, but you get the idea.

Besides being a great old book, published when I was a curious, modem tapping, BBS surfing adolescent, it’s an excellent primer on the foundations of modern cybersecurity. Sure, the technology has changed, but fundamentals haven’t moved an inch. Maybe all cybersecurity professionals have heard of this book except for me, but if you haven’t, consider reading it. Even if you’re not after the education, it’s wonderfully entertaining.

“Tribe of Hackers” Wins the Day

It’s weird how I found out about “Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World”. I saw a photo on Twitter of a fellow Luther College alum, Ben Tomhave, showing that he was featured as one of the ‘tribe’. “What’s this about?” I asked myself.

As it turned out, this was a book soon to be released by Threatcare, a firm that is an active, generous purveyor of learning and community building in cybersecurity.

I love books and learning, and I’m relatively new to cybersecurity. Though I would hazard to guess that a majority of people in this field feel like they are ‘relatively new’. For people like me, books like this are pure gold. (I can’t say I’ve read many books like this one, however.)

Jeshua with books.

The crowning glory of this recent publication is thought-diversity. (Yes, I just hyphenated those two words together.) You can read a chapter by one contributor who says that ‘user security awareness’ is the biggest bang-for-the-buck toward improving organizational security. The next will say ‘asset inventory’. I love this.

The bang-for-your-buck question is just one simple example. There is a WHOLE LOT more going on in this book than that. It’s loaded with practical advice on building your career, getting along with others, and learning from your mistakes. Sure, there are a lot of varying ideas, but they all lead to a few core truths. One of these core truths is that cybersecurity is all about PEOPLE. That is even if you like the term ‘cyber’, which one author explains ‘holds no real meaning any more’. I love this too.

This collection of industry wisdom is a rare find. Hats off to Marcus J. Carey and Jennifer Lin and all the contributors who had the fortitude to put these reflections down on paper for people like me. 🙂 “Tribe of Hackers” wins the day! Check it out: https://www.threatcare.com/tribe-of-hackers/

Postman API Learning, Testing, and Development

I’m pretty late to the API game. Recently I was on a call with a handful of security engineers and they explained that they couldn’t afford to have their people staring at console screens any more. Instead, they rely almost entirely on APIs to automate and streamline their work. I’ve been hearing about API development forever but I’d not gotten past the first hurdle: how to start. My answer to this is Postman.

Once you have an API you want to consume, you can start doing ‘POST’ and ‘GET’ requests pronto and see results immediately. Also, one critical tipping point for me was when I watched a number of the introductory videos that Postman provides. For example, I didn’t understand what the ‘Test’ section was for. The videos demonstrated that this is where you can write JavaScript to traverse the JSON files which are the results of your requests.
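The kind of script that goes in the ‘Test’ section described above, as an added example that is not from the original post: it walks a parsed JSON response and flags enabled accounts that lack MFA or use a default username. The response shape (`users`, `enabled`, `mfa_enabled`), the sample data and the `auditUsers` helper are assumptions made for illustration; `pm.test`, `pm.response.json()` and `pm.expect` are Postman’s scripting API.

```javascript
// Added example. The response shape and auditUsers() are hypothetical;
// only the pm.* calls at the bottom are Postman's own scripting API.
const DEFAULT_USERNAMES = new Set(["admin", "administrator", "root", "guest"]);

// Constructed sample of what a user-inventory endpoint might return.
const SAMPLE_RESPONSE = {
  users: [
    { username: "admin", enabled: true, mfa_enabled: false },
    { username: "jdoe", enabled: true, mfa_enabled: true },
    { username: "svc-backup", enabled: true, mfa_enabled: false },
    { username: "guest", enabled: false, mfa_enabled: false },
  ],
};

// Traverse the parsed JSON body and return one finding per hygiene problem.
function auditUsers(body) {
  if (!body || !Array.isArray(body.users)) {
    throw new TypeError("expected a JSON object with a 'users' array");
  }
  const findings = [];
  for (const user of body.users) {
    if (user.enabled === false) continue; // disabled accounts cannot log in
    const name = String(user.username || "<missing>");
    if (user.mfa_enabled !== true) {
      findings.push({ user: name, issue: "mfa_disabled" });
    }
    if (DEFAULT_USERNAMES.has(name.toLowerCase())) {
      findings.push({ user: name, issue: "default_account" });
    }
  }
  return findings;
}

if (typeof pm !== "undefined") {
  // Inside Postman: fail the request's test if any finding is present.
  pm.test("every enabled account has MFA and a non-default name", function () {
    const findings = auditUsers(pm.response.json());
    pm.expect(findings, JSON.stringify(findings)).to.be.empty;
  });
} else {
  // Outside Postman (plain Node): run against the constructed sample.
  console.log(auditUsers(SAMPLE_RESPONSE));
}
```

Pasted into a request’s test script, the failing test message lists each finding, so a collection run doubles as a quick hygiene check.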

Currently, I’m only using a free account. I’m in learning mode, but as I move toward doing more work with APIs in the future, I’ll absolutely be using Postman to test and verify my efforts. It’s also a great introduction to the security advantages and disadvantages of using APIs.

If you have a desire to dig into APIs and consider what they can do to add value to your work, try Postman. And don’t forget to check out a few of their tutorial videos.

Discovering “2600 Magazine: The Hacker Quarterly”

Not long ago I did one of those “Strengths Finder” assessments put out by the folks at gallupstrengthscenter.com. At the top of my “strengths” list was the designation “Learner”. It essentially confirmed what I already almost knew — that I enjoy learning or getting to a point of understanding on a variety of topics.

Recently a colleague at work recommended that I consider taking a look at the 2600 Magazine. So I did. I read the Kindle version of the most recent edition. What I really enjoy about reading the Hacker Quarterly is that it is filled with articles written by people who love to learn and understand things, specifically related to computers and technology.

Also, as someone who works in cyber security, it is exceedingly helpful for me to understand the types of vulnerabilities that are written about in Hacker Quarterly articles. For example, I read an article by an individual who was able to ‘investigate’ a very large number of routers in Malaysia. Initially, he had resource constraints, but discovered that by using a Spot Instance at AWS he could considerably broaden his reach at a very low cost: ten dollars. I’ll be seeking to understand these AWS Spot Instances and the impact they may have on the security of organizations in the future.

By and large the spirit of the “Hacker Quarterly” is centered around learning and understanding. And the culture of the group is such that criminal activity is frowned upon, though they do skirt the edges of legality from time to time. To have a window into this world is marvelous. I’m now reading through a whole ‘digest’ of issues from the past year. And if you’re a “Learner” like me, I suggest you do the same. Here’s their website: https://www.2600.com/

Holiday Hacking with SANS

Perpetual learning is paramount for folks in any profession, but I’ve found that for individuals who work in cyber security it is absolutely critical. A significant part of the work I do involves knowing what risks lurk both in the wild (and internally) that can stand in the way of an organization’s future success. Staying up with these risks, mitigation techniques, and controls is vital.

There are all types of learning that help new concepts find a home in my brain. One comprehensive learning experience that I recommend for anyone in cyber security is an event put out each year by SANS, which is an organization that trains cyber security professionals. The event is called the SANS Holiday Hack Challenge.

This year my 9-year-old son helped me in ways that blew my mind. His little mind went after small details that I thought were insignificant that turned out to be a pretty big deal. He was very excited by what he was able to uncover…and so was I.

The SANS Holiday Hack challenge introduces cyber security professionals and pen-testers to new technologies and opens their minds to risks and mitigation techniques that they had not previously considered. I greatly enjoy their ‘terminal challenges’ which provide hints toward solving objectives. Never before had I decrypted http2 traffic using Wireshark and SSL keys. So awesome! Here’s the link for this year’s challenge which has been a wild ride for me, to say the least: https://www.holidayhackchallenge.com/2018/.

Stop in and poke around. Solve a terminal challenge or two then put it on your holiday to-do list for next year. You won’t regret it!

Seeing the Cloud

How much of the world’s IT infrastructure is in the cloud now and how much of it will be in the cloud in five years? I’m sure there is nearly solid data somewhere to answer those questions. Regardless, it is happening and it won’t be long until most IT infrastructure is in the cloud.

Oddly, though, in my conversations with other IT professionals, it seems like we’re finding we’ve arrived late to the party. With the advent of “the cloud” organizations are finding that there are all sorts of solutions out there that don’t necessarily need the involvement of traditional IT. In much of the IT world, our perception is that this process is more gradual when in fact it is accelerating.

So the real question is not whether “the cloud” is coming, but whether we see it coming. If we want to make sure cloud implementation is done properly and doesn’t completely hose our respective organizations, we must learn as much as we can in a very short period of time.

Nearly every day I find myself reading about cloud security risks right alongside incredible cloud solutions for problems that would normally be much harder to solve. At the same time, many cloud solutions create problems that we’ve never seen before. With the flip of a switch something private can become public: see S3 buckets. And it isn’t so much that the cloud is insecure, but how we connect to the cloud, whether this is through our API infrastructure or open ports that maybe shouldn’t be…open. The only answer I have for all of this is that we need to learn, learn, learn, learn…and fast.

Jeshua

People Hacking: What does the future hold?

So, generally, the easiest way for hackers to get into an organization is by convincing users to do something: click on an email attachment or a link, make a phone call, share information, etc. For all the technological advances that have sprung forth in the past decade, this is still among the greatest challenges faced by security professionals: figuring out how to keep people from following hackers’ instructions.

Our biggest vulnerability is also our greatest asset. We can make thoughtful decisions quickly. And sometimes our decisions aren’t so thoughtful because we’re in the midst of doing other things, or generally too distracted to slow down and think through what is being asked of us. This little glitch in our code is all an attacker needs.

Exploiting this human vulnerability is all an attacker needs to get us to act in a way that is not in our best interest. This is the nature of a hacker-victim relationship. But are there other ways that people are getting hacked that maybe aren’t as overt as this? Think of the decisions we make daily. How many of them are in our best interest or the best interest of our friends and family?

We make snap decisions all the time that aren’t really based on sound logic. I bet any one of us can look back over the course of the case and think about an action we took that wasn’t ideal. It’s a given. If we didn’t make decisions relatively quickly, our brains would grind to a halt and we’d become mostly ineffective at making our way through this world. But as technology gets better and better at humans hacking other humans (think targeted advertising through machine learning algorithms), we should pause to ask ourselves whether we’re on the right track. Will this lead us to a better humanity? Just throwing that question out there. It can go a myriad of different ways. Thanks for reading.

Jeshua

MFA for Flip Phone Dinosaurs Like Me

I’m one of the last remaining people in this world who don’t have a smart phone. I’ll often be in a group of fellow IT professionals and pull out my flip phone to check the time. “Is that a flip phone?” someone will ask as they lean forward in their chair and peer down at my hands, attempting to figure out what would cause someone who is steeped in technology every day to carry this sort of relic. As I lift it up, all heads turn my way, mouths open and nostalgic sighs fill the air. Onlookers talk of a simpler time when we were free from 24/7 social media and subservient to on-the-fly navigation from real maps and sheets of MapQuest printed haphazardly on white glossy paper, barely legible.

Because I don’t have a smart phone, I’m often looking for alternative ways of doing things that people normally do with smart phones. One of these things is MFA or multi-factor authentication. If you use AWS, it is generally a good idea to have MFA for your root account. They don’t allow SMS for their second factor any more, so I spent a few hours looking around for an option. I did look at some hardware keys like the Yubikey, which I may check out eventually, but I needed something cheap and now. Enter the “Authenticator Extension” (https://github.com/Authenticator-Extension), which you can get through your Chrome browser extensions.

It is TOTP compatible, which covers quite a few sites. I can use it for AWS, Facebook, etc. I probably won’t use it for LastPass because I’d like to have a paper backup of such a critical second factor. The “Authenticator Extension”, as it is so generically called, works great for me using my Chromebook, which often acts as a more cumbersome, less convenient, and less connected Smart Phone for me. I recommend it.

Jeshua

Chromebook Chrazy

I’ve been a Linux user at home for quite some time. We were a Windows family very early on but ran into issues with viruses. I resurrected a super old laptop and put Lubuntu on it and gave it to my wife.  It worked well for years. After a while, one thing or another wouldn’t work, so on a whim I got her a Chromebook. Nearly everything she does is online, and she’d already started using Google docs when on the Lubuntu PC. As a result, the transition was peachy! After watching her tote that thing around the house for a year or so, and noticing how carelessly she worried about charging the battery or booting it up, I decided I needed one too!

It’s done quite well for me. Occasionally, I have to jump over to my Ubuntu desktop for more high-powered activity, but 80% of my computing at home is on the Chromebook. This experience and the evolution of computing as it moves into the cloud is leading me to believe that the days of everyone running around with what is essentially their own personal server, are numbered. I’m guessing in about five to eight years, computing will be cloud focused even more than it is now and people won’t really own traditional laptops any more.

Jeshua