Sunday, April 11, 2021

DDTTX Flag

  _____

     `.___,'
      (___)
      <   >
       ) (
      /`-.\
     /     \
    / _    _\
   :,' `-.' `:
   |         |  ~~~~MAGIC~~~~
   :         ;
    \       /
     `.___.' 



#PandaChipsPWND
#StPutinsGloryPWND
#ZippeNuclearPWND
#AICHAINPWND
#ImhotepBankPWND



THESE ARE YOUR TRAINING SECRETS OMG YOU FOUND THEM

+3 hit points

Tuesday, October 9, 2018

Inaugural Mental Health & Wellness Workshop at Derbycon8

This year was the first ever (as far as I can tell) Mental Health & Wellness workshop at an information security conference. For those of you that haven't heard my Hackers, Hugs, & Drugs talk a little background is called for first. I've been struggling with anxiety and depression since my mid-teens in one way or another. Poor relationships did nothing but fuel the issues I was already having. When I started interacting with the infosec community about 6 years ago I started feeling a sense of belonging. Through my trials with different medications and coping mechanisms I've started to get a little more of a handle on (or at least a better awareness of) my own mental health. I consider this community my family, more so than most blood relations that I have. This has been the first group of people that understand me and you understand others around you. When I began tweeting, posting, and talking to people at cons about anxiety, depression, and other mental health issues I realized that there are a LOT of people here that not only are struggling with this type of stuff, but trying to tackle it alone like I did for a good 10 years or so. I've had amazing conversations with some super smart and personable people, that you'd never imagine would be struggling. The kind of people that look like they have it together. I want to continue this conversation and try to make it as public and without stigma as possible.



After a year and a half giving this talk at various conferences and meetups I continued to be awestruck at the overwhelmingly positive responses. Each time I would think "Ok, maybe I've given this speech enough", I would have another person come up to me to talk about how it led them to go get some counseling, or to change their minds about self harm or suicide. After hearing story after story I thought it would be good to continue these efforts at a larger scale. While I love speaking, it only reaches a certain number of people. We needed more. That is when the idea of the workshop came about, and honestly it did turn out to be more of a village with smaller workshops inside of it. After pitching the idea to Derbycon and getting accepted the idea started to take shape. The gofundme campaign was created and earned around $7,000 for not only this particular instance, but to donate to charity what we had left over (more details at the end, so keep reading obviously).



This room turned into something more than I could have ever envisioned. I wanted to help others by providing a quiet space and some information but it sometimes morphed into a therapeutic sharing session and conversations that I even have a hard time explaining. Our four massage therapists were never not busy, so definitely expect to see them back again next year. We fidgeted, colored, created, napped, hugged, cried, ate, and meditated; all with friends and family surrounding us in a positive and calming environment.



None of this would have been possible without the amazing help of all of the volunteers that signed up, and some that didn't really even sign up but were roped in one way or another. I'd like to especially thank @click_wire for helping with almost every aspect at the conference, and keeping me from having a few ongoing breakdowns myself. @v33na for giving us her yoga and meditation expertise as well as leading a group discussion on self care and emotional intelligence. @andMYhacks for covering some time management skills as well as always checking in and being on top of things (not just the air loungers). @JaysonStreet for his deeply touching and heart wrenching talk, he sure knows how to command a room. The responses and interactions with him as our final speaker left the whole room in tears. @0rphik for all of the help setting up and continued interaction and compassion to others around you, for those that weren't crying after Jayson was done, they were when you spoke (oh, and thanks again for the book #squee). @RayRedacted for the immense amount of help and positive interactions you brought to the room as well as an awesome talk on bringing light to our lives. Both @Tr0phywifehacks and @S1r3nn for bringing your supplies and knowledge and helping so many people with it.



Our speakers and discussion group leaders @dakacki, @investigatorchi, @f0zziehakz, @brentwdesign, @ZanshinH4x, @Integgroll, @hoshin, @Blenster, @SteveGroark, @bsdbandit, @5urv1va7rix (and her amazing service dog Trevor) not only shared personal stories, but listened to yours and taught us a lot of amazing information that wouldn't normally be covered at a conference like this.

Our volunteers that watched the room, checked up on things, and were just amazing overall: @oncee, @mr_minion, @SirgurdWV, @landonchelf, @secbuff, @cillic, @EricGershman and his wife Tina, Cherie, Val & my favorite puppy Fava. We also couldn't have gotten this far without the help of @HackingDave, @Karl_Creepy, Dave DeSimone and the rest of the @DerbyCon crew. Not to mention the inspiration I've gotten from @mubix with #hackingtogether and @ihackedwhat.



Also, for those of you that poured your heart out, found help, connections, friends, family, support, and whatever else you may have needed or felt like you could give at the time. I love you all and can't wait to see you again!!!!



Some final numbers and information about the workshop:

GoFundMe Info

  • Total Views: 1571
  • Total Donors: 28
  • Total raised: $7,026
  • Donating to Charity (Brain & Behavior Research Foundation): $1,321


Workshop

  • 22 volunteers
  • 8 presentations
  • 7 group discussions
  • 2 hours of yoga
  • approx. 120 chair massages given
  • gallons of tears
  • 1 flattened Lintile


Up Next

  • Looking for corporate sponsors - If you're interested in donating or volunteering in any way we're looking to switch from a gofundme to corporate sponsors in some shape or form. Feel free to contact me through here or twitter.
  • Headed to @DachFest in Munich to run this again
  • Possibly doing this as a village for @BsidesLV and more

Tuesday, January 23, 2018

HIPAA vs Security: Building security into medical purchasing decisions



What the security community says about a specific industry vertical usually holds true for a good percentage of what is seen in the wild. You can ask any hacker, defender, CISO, etc. what industries struggle the most and there are common themes in their answers. Top of the list includes healthcare, manufacturing, government, and financial. Some of the most heavily compliance-controlled and regulated are also some of the least secure. Why is this? Is it due to administrators and senior management taking compliance standards as gospel? Maybe it’s a lack of knowledgeable staff, like the blind leading the blind.



Rapid technology growth in the healthcare space definitely has not helped. Decision makers are slowly working security practices into business initiatives, but that doesn’t account for all of the security debt that has built up in this technology boom. So now what? How can businesses work to quickly protect their customers’ data, their own data, and their products, while still doing what they do best? Do not fall into the habit of performing tasks, going through routines, or completing configuration with the mindset of “This is how we’ve always done it.” That type of mindset will only hinder progress and decrease security posture in the long run.

“Humans are allergic to change. They love to say, ‘We’ve always done it this way.’ I try to fight that. That’s why I have a clock on my wall that runs counter-clockwise.” — Grace Hopper, “The Wit and Wisdom of Grace Hopper” (1987)

How and why should security be tied to HIPAA?

The requirement to comply with one standard or the next does provide a few benefits to your organization. Certain standards leave significant room for interpretation, giving you the ability to tie security measures that should be implemented to a portion of that same standard. When compliance is involved there are now social, political, and legal components added that can be leveraged to implement security controls and process changes that may not have been possible otherwise. It also may present the opportunity to piggyback off another department that has excess budget for a project.

The Health Insurance Portability & Accountability Act (HIPAA) was enacted in 1996 as law and establishes national standards for electronic healthcare records. It covers any organization that stores or processes ePHI (Electronic Protected Health Information): healthcare providers, health plans, and clearinghouses. There are fifty “implementation specifications,” divided into administrative, physical, and technical safeguards. Most specifications listed involve having policies and procedures in place. Addressable specifications involve performing a “risk assessment” and then taking steps to mitigate the risks in a way that’s appropriate for your organization. One of the largest HIPAA penalties against a small organization was levied not because an event occurred, but because the organization failed to address the possibility. Loss of ePHI can cause significant harm to not only the patients whose data has been compromised, but also the provider and individuals at fault, as they are required to report violations to the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), and are susceptible to extremely large fines and jail time. The HHS provides a breakdown of each portion of the HIPAA security rule and assistance with the implementation of the security standards.

Is HIPAA enough?

HIPAA has been put in place as law as a standard of compliance. It has *not* been put into law as an exact roadmap to secure infrastructure. The relationship runs the other way: build a secure infrastructure and compliance will follow. For example, the HHS points out:

Four implementation specifications are associated with the Access Controls standard.
1. Unique User Identification (Required)
2. Emergency Access Procedure (Required)
3. Automatic Logoff (Addressable)
4. Encryption and Decryption (Addressable)

Items 3 and 4 are addressable rather than required: you're permitted to have a compensating control, or documentation on why you cannot meet them. Doing that instead of implementing them would be akin to "accepting risk" on something you shouldn't be accepting risk on. Not only are there some items that aren’t specific requirements, but the documentation also leaves a lot of room for interpretation. Security practitioners will often look down on HIPAA as a standard. However every environment is different, so there is no standard or guideline out there that is going to be the “end all, be all” answer. HIPAA can definitely be incorporated into a security architecture plan that includes in-depth knowledge and strategy, and so can most other compliance standards. By using it as a guideline to implement a proper design, both compliance and security can be achieved.

Building security into medical purchasing decisions

Malicious attackers are using multiple vectors including exploiting vulnerabilities in medical devices and printers. Networked medical devices represent a significant security challenge for hospitals, because their IT teams cannot upgrade the underlying operating system and third party applications embedded into these devices. Many medical devices using older versions of Windows and Linux have known security vulnerabilities and are at risk of malware contamination. The vendors supplying these devices sometimes will not allow them to be updated, or have their own remote process and procedure to do any type of update at all. When a third party vendor comes in to show off their new product, here are a few questions that should be asked prior to any purchasing decisions being made as well as a general secure answer.

Support:

Is remote access required for support? If remote access is needed for support, it should be only enabled when needed, and segmented from accessing any other devices in the environment. Remote access clients should not be installed on any endpoints as that scenario gives unmonitored and possibly unlogged access into the network. All remote access should be over a secured network, logged, using multi-factor authentication, and segmented to least access needed.

Updates:

Who is in charge of endpoint software updates? No matter if software updates are provided by the vendor to be applied by an internal team, or applied by the vendor themselves, they should be tested in the environment prior to deployment.

Who is in charge of endpoint OS updates? It is recommended that updates are distributed in the same manner as the rest of the enterprise. If using WSUS, separate deployment groups can be created if needed.

Application/Device:

Does it require any third party applications? (Java, Adobe Acrobat, any type of SQL server, etc) Hopefully not. Having third party applications such as Java, Adobe Reader, etc significantly reduces the overall security of the endpoint. If there is no way of getting around this, third party software updates should be managed automatically and timely. Configurations on any type of database, web, or other service server should be hardened and patched to sufficient standards as well.

Is there support for upgrading third party applications to the latest patched version? If the vendor doesn’t support upgrades, move on to another vendor. As time moves on, more and more vulnerabilities will be discovered and the application’s security will continue to decline.

Do any firewall ports (host or network) need to be opened? If they have specifics, that’s great! A good vendor should have the specific incoming and outgoing ports documented, as well as which external IP addresses they will need access to. This complies with least access. Port forwarding should never be an approved option, and any direct communication involving sensitive data should traverse a secure connection.

What data access is required? Many medical devices need interface access to other portions of the infrastructure. Whether it be data in an EMR, scheduling data, x-rays, etc., knowing what type of data access is needed and in what manner it will be obtained is valuable information for asset management and documentation.

Is data stored on disk or in memory on the device, and if so, what type? You can’t protect data if you don’t know where it resides or how it moves throughout the organization. Knowing where the sensitive data is and how it is structured will go a long way in ensuring the correctly formatted rules are in place.
Data at Rest: Data in databases, on file servers, or in custom applications not only should be identified as previously stated, but also encrypted and in a secure physical location.
Data in Motion: Common avenues of data access to pay attention to (and their ports) are FTP (21), SFTP(22), SMTP(25), HTTP/APIs(443/80/8080), SMB(445). Any network monitoring solution should be able to alert on sensitive data in transit.
Data in Use: Data that can be exfiltrated using things like CDs, USB drives, or with copy/paste to external websites from the user endpoints.
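The two checks above that lend themselves to automation are the least-access question (does the device only talk to the destinations and ports the vendor documented?) and the data-in-motion question (is anything tagged as sensitive leaving over one of the cleartext ports listed?). The script below is an added example, not code from the original post; it audits constructed connection-log lines for a hypothetical device against a hypothetical vendor allowlist (the IPs, the `key=value` log format and the `phi=` DLP tag are all assumptions made for the example).

```python
"""Audit a vendor device's network flows against the vendor's documented
allowlist and the post's list of cleartext data-in-motion ports.

Added example. Everything here is constructed for illustration: the device
"imaging-ws-01", the log format, the allowlist, and the ePHI classifier tag.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the organisation's own address space (RFC 1918 ranges). Membership
# is checked explicitly rather than via ipaddress.is_private, because the
# documentation ranges used below as "external" are also flagged private by Python.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the post lists for data in motion, split by whether the protocol is cleartext.
CLEARTEXT = {21: "FTP", 25: "SMTP", 80: "HTTP", 8080: "HTTP-alt"}
ENCRYPTED = {22: "SFTP", 443: "HTTPS"}
SMB = 445

# Hypothetical vendor documentation: the only external destinations and ports the
# vendor says the device needs (203.0.113.0/24 is a documentation-only range).
VENDOR_ALLOWLIST = {"nets": [ipaddress.ip_network("203.0.113.0/24")], "ports": {22, 443}}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    phi: bool  # constructed DLP classifier verdict: payload looked like ePHI


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' connection-log line."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), int(kv["bytes"]), kv.get("phi") == "1")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(flow: Flow, allowlist=VENDOR_ALLOWLIST) -> list:
    """Return the findings for one flow; an empty list means nothing to raise."""
    findings = []
    if not is_internal(flow.dst):
        dst = ipaddress.ip_address(flow.dst)
        documented = any(dst in net for net in allowlist["nets"]) and flow.dport in allowlist["ports"]
        if not documented:
            findings.append("undocumented-egress")  # outside what the vendor asked for
        if flow.dport == SMB:
            findings.append("smb-to-external")  # SMB should never leave the network
    if flow.phi and flow.dport in CLEARTEXT:
        findings.append("phi-over-cleartext:" + CLEARTEXT[flow.dport])
    return findings


def audit(lines, allowlist=VENDOR_ALLOWLIST) -> dict:
    """Map each offending log line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        findings = check_flow(parse_flow(line), allowlist)
        if findings:
            report[line] = findings
    return report


# Constructed sample log for device imaging-ws-01 (10.1.5.20).
SAMPLE_LOG = [
    "src=10.1.5.20 dst=203.0.113.10 dport=443 bytes=5120 phi=1",   # documented, encrypted: fine
    "src=10.1.5.20 dst=10.1.8.40 dport=80 bytes=2048 phi=1",       # ePHI to internal HTTP
    "src=10.1.5.20 dst=198.51.100.7 dport=21 bytes=900000 phi=1",  # ePHI via FTP to unknown host
    "src=10.1.5.20 dst=203.0.113.10 dport=8080 bytes=300 phi=0",   # documented host, undocumented port
    "src=10.1.5.20 dst=10.1.8.41 dport=445 bytes=1200 phi=0",      # internal SMB: fine
    "src=10.1.5.20 dst=198.51.100.9 dport=445 bytes=4096 phi=0",   # SMB leaving the network
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG).items():
        print(line, "->", ", ".join(findings))
```

The allowlist is the artefact you ask the vendor for before purchase; once the device is on the network, the same structure becomes the firewall rule and the baseline that a flow audit like this one is compared against.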

What security testing is applied? Software should go through regular penetration tests and code audits. Usually companies that have bug bounties are more security conscious as well.

Are the endpoints added to the domain? In a Windows environment (which the majority, if not all, of medical organizations are) adding all endpoints to the domain or a subdomain is preferred to leaving them to be managed manually. The security options are far greater when a client is domain joined as opposed to just sitting on the network doing its own thing. However, prior to even connecting a vendor device to the network, it should be scanned offline for malware and viruses.

Is there any application/device specific logging? If so, this could be helpful to collect into a SIEM or managed detection service for alerting or aggregating for later use in the event of any IR performed.


Tuesday, December 19, 2017

Top 50 Women Shaping the Future of Information Security

MOST LISTS LIKE THESE ARE COMPLETE AND TOTAL BULLSHIT AND YOU SHOULD FEEL BAD FOR CLICKING ON THIS

Thursday, June 15, 2017

Know Thy Audience: A Guide to Sounding Professional (or not)

      I recently had a discussion with some friends about conduct in and out of the workplace, which led to a larger discussion that how someone speaks in different situations has an impact on the general perception of their knowledge and competency. A couple days after this I thought I'd compile a list of words that shouldn't be used if you want to be taken seriously. I already knew a couple of the words/phrases that were like nails on a chalkboard to me (no matter the situation really), but I wanted to get your input as well. (See tweet here). I originally thought this list could be used for almost any setting, but then thought I should break it down a little further. In a world where memes have broken into everyday life by being on the news, in advertisements, and even at work it's sometimes hard for some to make a distinction as to when certain behaviors and phrases are acceptable. It's not only wording that we should worry about either. It's the entirety of your being. Yes you should be happy being yourself and shouldn't bow down to please the entire world. That being said, you should always still remain clean cut, take showers, apply deodorant, wear clean clothes, and not punch people in the face as they walk by.
     We should first break social and professional settings up into different categories. Each of these categories are going to have different sub-levels as well.

  1. Home - This is where you reside or spend time with close friends. Out on the patio grilling and drinking beer, playing video games, or binging on Netflix. You are free to act as asinine as you want with little to no repercussions to your actions. Of course there are rules of conduct at home, just like anywhere else. You don't wear your shoes on the carpet, you need to rinse your dishes, but you can still lounge around in your underwear with your hands down your pants with no judgement or impact to your overall path in life.
  2. General Public - Obviously a step above the home life. You wear respectable clothing depending on where you're headed. A 5 star restaurant will demand different attire and attitude than waltzing into Walmart at 3 a.m., but they are still in view of strangers of different backgrounds and situations. You'll speak with a little more clarity, as inside jokes and rules from home aren't widely known to the rest of the masses.
  3. Professional Event - There are so many different sub-levels of professional events. You may be an industry leader at a very formal suit & tie event, or it could just be a local meetup of peers. At any level there is a certain amount of professionalism and tact that others will associate with you based on your words, how you dress, your demeanor, and actions. I've had soooo many conversations with people and with people in the same room as me that were insanely smart and helpful. How you act could be the difference in them blowing you off or offering you a job, book deal, or other opportunity.
  4. Workplace - Again, so many different sub-levels depending on the industry you work in, your role, and the company you work for. Over the last several jobs I've had there are vastly different rules as to what is and isn't appropriate. Sometimes I've had to cover up my tattoos, in other positions I could have had a face tattoo and bright pink hair with not even a second glance. So many decisions are based on how you read the situation. While I believe the majority of at least the USA is becoming more liberal in regards to judging people based on how they look, how you act and speak is still going to be a reflection of your persona overall. If the same person walked in to talk to an executive, to apply for a job, to sell a widget, or whatever....one time wearing a well fit suit and tie & speaking intelligently and the next time came in wearing last night's clothes and talking like a hoodrat, who makes the better first impression? I don't give two shits if they can accomplish the exact same thing, because perception matters!!
  5. Social Media - Now Social Media is where it can get super fuzzy. There are a million different types of platforms for different reasons. While there are still private groups and direct messages you should always be aware that no matter how private it is, there is always the possibility of what has been written or shared to be shown publicly at any point in time. Whatever is on the internet stays there forever. You can actually break up social media into the 4 categories above. However it still all depends on context. I personally have a fairly open Facebook account, filled with a lot of different infosec people. Additionally I have security groups setup according to levels of trust. While this helps to a certain point, there's nothing stopping someone from taking a screenshot of anything that I might post and sharing it publicly or privately without me knowing. I have a public Twitter account as well, composed of a majority of information security professionals at different levels. I expect everything that I tweet to be seen by my employer, future employer, friends, family, and obviously the NSA. I personally try to keep it a good balance of quality content mixed with my own ranting and raving. However there are industry leaders that may only post on their infosec specialty. They are a higher content to crap ratio and will end up with a higher following and potentially better business and opportunities because of it.
Below is a list compiled from Twitter and Facebook of almost everything I've been sent. I've broken it up into "slang" and "industry annoyances". Either list should be used sparingly unless you're at home, at that point I don't really care what you say or how you say it. Slang is best suited for at home or depending on your end goal or personal situation could be used in the workplace or social media (again, in moderation). The industry annoyances come from the repetitive sales meetings, conference calls, and overall professional bullshit that most of us have to deal with daily. I personally think the terms listed here can have their place (in moderation....repeat much?) in making thoughts and strategy well articulated.


  • Slang

    • AF
    • Amazeballs
    • Bad boy
    • Bae
    • Bigly
    • Boi
    • Boo
    • Buh
    • Cray
    • Dope
    • Ehrmagerd
    • Fam
    • Fleek
    • For realz
    • Gucci
    • Hashtag
    • IKR?!
    • Ktksbai
    • Like a boss
    • Lit
    • Literally can't even
    • Make some noise
    • Mos def
    • Please 1) check yourself before you 2) wreck yourself
    • Rekt
    • Right?!
    • Salty
    • Savage
    • Swag
    • Thic
    • Thot
    • Totes
    • Triggered
    • Turnt
    • Woke (in any form)
    • Yo
    • Yolo


  • Industry Annoyances

    • "50 shades of X" (Play off of 50 Shades of Gray)
    • "Make $noun $adjective again" (Play off of Make America Great Again)
    • "training" as a countable noun
    • Actually
    • All intensive purpose
    • And that being said
    • Any form of "splaining"
    • At the end of the day
    • Basically
    • But do you?
    • Circle back down the drain
    • Cyber
    • For fun and profit
    • Gartner
    • Having said that
    • If you will
    • Irregardless
    • Just so you know
    • Obviously
    • Per se
    • Please advise
    • Simply
    • Sun Tzu quotes
    • To be honest
    • To your point
    • Touch base


A special thanks to @haydnjohson for the insight

Other stuff from my amazingly stylish friend @Cyb3r_Assassin
https://www.wsj.com/articles/why-dressing-for-success-leads-to-success-1456110340
https://www.facebook.com/gqstyle/videos/10154695302463658/?hc_ref=SEARCH

Wednesday, January 18, 2017

Credit Card Skimmers and Your Security

Recently an article was published in the News Messenger titled “Credit card skimmer found at a gas station in Bellevue” highlighting a recent sweep for these devices covering 60 of the 88 counties in Ohio. So what are credit card skimmers? Skimming is an electronic method of capturing a victim's personal information used by identity thieves. The skimmer is a small device that scans a credit card and stores the information contained in the magnetic strip. Many times this device is placed over top or within the original credit card processing machine and can be difficult to detect at first glance.

Skimmers can be placed pretty much everywhere that credit card transactions take place. Gas pumps, ATMs, and lottery machines all being good examples. They can be bought up front for several hundred dollars online, and then have the added cost of the electronic components used to store or transmit the stolen credit card data. Data can be stored locally to the skimmer or some newer models have been known to transmit the data over Bluetooth. Criminals will also add or have built-in pinhole cameras or add another PIN pad over the original to capture the PIN being used.

So what can you do to protect yourself against these types of devices?
Be vigilant and aware of the devices you are putting your credit cards through. 

  • Try not to use ATMs that are not located in publicly visible and well-lit areas.
  • Whenever you enter your debit card's PIN, just assume there is someone looking. Maybe it's over your shoulder or through a hidden camera. Cover the keypad with your hand when you enter your PIN.
  • Stop and consider the safety of the ATM before you use it. The ATM inside a grocery store or restaurant is generally safer than the one that is outside on the sidewalk. 
Check for tampering.
  • Look for odd protrusion or off-color components on a card reader.
  • Check for some obvious signs of tampering at the top, near the speakers, the side of the screen, the card reader itself, and the keyboard.
  • If something looks different, such as a different color or material, graphics that aren't aligned correctly, or anything else that doesn't look right, don't use it.
  • If you're at the bank, it's a good idea to quickly take a look at the ATM next to yours and compare them both. If there are any obvious differences, don't use either one, and report the suspicious tampering to your bank.
  • Even if you can't see any visual differences, push at everything. ATMs are solidly constructed and generally don't have any jiggling or loose parts. 
  • Most skimmers are glued on top of the existing reader, so they will obscure the flashing indicator.

Work with your bank.


  • If you haven’t already, you should switch to a chip-enabled credit or debit card. New MasterCard and Visa rules that went into effect Oct. 1, 2015, put merchants on the hook to absorb all costs of fraud associated with transactions in which the customer presented a chip-based card yet was able to take advantage of it. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.
  • Timely reporting is very important in cases of fraud, so be sure to keep an eye on your debit and credit card transactions. Personal finance apps like Mint.com can help ease the task of sorting through all your transactions. 
  • Try to use a credit card whenever possible. A debit transaction is an immediate cash transfer and requires making an FDIC claim, which can take weeks to be processed.
  • Pay attention to your phone. Banks and credit card companies generally have very active fraud detection policies and will immediately reach out to you, usually by phone or SMS, if they notice something suspicious. Responding quickly can mean stopping attacks before they can affect you, so keep your phone handy.


For additional information as well as more in-depth guides for detecting skimmers you can visit this collection of blog posts http://krebsonsecurity.com/all-about-skimmers/

Thursday, August 11, 2016

My Biggest Weakness

Most job interviews ask the question "What is your biggest weakness". Some can give answers that aren't really weaknesses at all, but reworded strengths to get around answering the actual question. After working not only in infosec, but the technology industry for so long, I know exactly what my biggest weakness is. For the most part I can not speak in absolutes (see what I did there). I can't tell a customer "Yes our product will catch this ransomware", "Our customer service will handle your case this way each time", or "This blinky box will fix this issue". The only way I can speak in absolutes is when I have all of the data from a specific incident and can prove that it would happen with hard facts. Science yo.

Part of me thinks that this behavior is one of the larger results of my lack of self confidence in what I do day to day. The other part of me stands firm and says "No, that's bullshit. You don't KNOW for a fact that it will do X, because you don't have all of the data. Telling the customer that is being honest and not blowing smoke up their asses". We all constantly have Sales Engineers giving us flashy sales presentations on how their tech is the best in the market and always been, while we attempt to disseminate the actual technology from the sales and marketing pitch.

I've always been trusted by my peers and leadership to offer up point blank and blunt honesty when asked. I've given that on interviews as my biggest weakness before. Honestly it can be a weakness and not speaking in absolutes is a subsection of that. I'm not going to tell you a lie to make our company or myself look any better than we are in reality. I've turned down some amazing career opportunities due to the lack of confidence I have in a company or product. I knew that I wouldn't be right for the role because I'd have to bullshit my way around the true facts of the technology too often.  Giving the answer of "I can be too honest sometimes." in an interview can steer the conversation in a few ways. I've been asked to give an example of times when I was too honest and it bit me in the ass. Actually that doesn't happen extremely often, but it can rub people the wrong way or make them think I'm not as good at what I do as the next person. I may or may not be better than the next person, but at least you'll know what I'm telling you isn't sugar coated.

I'd like to think I'm not too harsh or a ballbuster when stating the facts, but I do know that I can come off like that to certain personality types. I've been told to speak in absolutes for everything before, and the first time I've felt comfortable doing so is when writing my book. The reason? Because I've researched the hell out of every piece of it. My biggest fear is letting others down or misinforming someone that is reading it. I am able to speak authoritatively because I've had the time to do the research and come up with enough information to put it forth in the writing. This is something I constantly struggle with, as well as overwhelming self doubt on a regular basis, but continue to work on daily.

Either as a customer or practitioner, where do you stand on the matter? If you're paying for a service or looking to get a service, do you have red flags that appear when someone guarantees you a product will do something? I think in this day and age you should. Every piece and part of our moving industry changes daily, there isn't a piece of software or hardware out there that is guaranteed to work 100% of the time. When there is a 100% is when I'll be comfortable phrasing sentences with "This WILL" or "EVERY TIME".