Baseball and Information Security: Red Team vs. Blue Team

By day I'm an information security professional; by night I'm a baseball blogger.

I've been thinking a lot over the past few months about some of the similarities between these two very different areas of study. This is meant to be a thought exercise to get some of these thoughts down and flesh the idea out further.

Red team vs. Blue team

St. Louis Cardinals vs. Chicago Cubs; Boston Red Sox vs. Toronto Blue Jays; Texas Rangers vs. Los Angeles Angels of Anaheim; Washington Nationals vs. Atlanta Braves; Philadelphia Phillies vs. New York Mets; Arizona Diamondbacks vs. Los Angeles Dodgers.

All the matchups above are teams with red vs. teams with blue. The most prolific matchup is probably the first one: Cardinals vs. Cubs. There's a long history of those two fan bases disliking each other. A lot.

It's a little more complicated than that, though. Within each team there are offensive players vs. defensive players, so maybe the analogy works better in a single game rather than a series. Within a game you have your hitters, the red team, and your fielders, the blue team. But what does that make pitchers? Would pitching be the business objectives or goals? Depending on the organization it could be sensitive information or the asset that makes the business profitable. So pitchers are the business goals and the ball is the sensitive information that makes the organization operate.

A good defense/blue team is going to help minimize the impact a ball hit into play makes. There are very few no-hitters and even fewer perfect games. The same idea applies to security measures: there is no perfect defense. Someone will, at some point, get a hit or breach the network. The impact of that breach will depend on how good your defense is, but we shouldn't focus only on defense. To win the game you need to score some runs yourself, and having a good red team, or at least understanding red team tactics, is important to winning the game.

Baseball players play both sides of the game. Some are good at offense; some are good at defense. They play both sides of the game and that's something that I think also needs to be done in security.

This post first appeared on Exploring Information Security.

'Hacker Summercamp' links August 11, 2014

Meet the Puzzle Mastermind Who Designs Def Con's Hackable Badges - Kim Zetter - WIRED

This is really cool and I am jealous of anyone that got one of these badges.

Dan Geer Touts Liability Policies For Software Vulnerabilities - Sara Peters - Dark Reading

Another angle on Dan Geer’s opening keynote at Black Hat. Rafal Los linked to the full talk on Twitter if you’re interested:

John McAfee: Google and Facebook's Erosion of Privacy is a Tragedy - Phil Muncaster - Infosecurity Magazine

John McAfee had an interesting closing talk at BSides Las Vegas about privacy.

This post first appeared on Exploring Information Security.

Dealing with the ransomware known as CryptoLocker

Ransomware is some pretty nasty stuff and it's only getting nastier. This particular piece of malware encrypts a person's drive and then locks the user out of it. To unlock it the person must pay, usually in bitcoin, to get access to the freshly encrypted data. Brian Krebs recently called 2014 'The Year Extortion Went Mainstream', and one of the reasons he gave was online criminal activity like ransomware. One of the most well-known pieces of ransomware is called CryptoLocker.

There are a couple of ways that ransomware can be combated:

Take good backups

The backups should be offline. If they're online then attackers could potentially get access to that device and take it over. Recently, it was found that some Synology devices with older firmware versions could be infected with ransomware. Which leads to the next point.

Keep your system up-to-date

This is nothing new and something that has been suggested thousands of times. Still, systems are being left unpatched. I know it's not easy, especially when there are a lot of other things to do, but one of the easiest ways to keep your system up-to-date is to use a program like Secunia. It does most of the work for you and is fairly user friendly.

Trust your intuition online

Listen to that voice in your head telling you clicking on this link or that link is a bad idea. It's usually right. If it feels wrong or it's too good to be true, it probably is. I'll leave it at that, because that is something else that gets mentioned a lot in 'online safety.'

If all else fails, there's an app for that

Recently, Fox IT and FireEye teamed up to offer a free decryption service that will get people infected with this ransomware their stuff back. I haven't tried the service, nor do I know how well it works, but both FireEye and Fox IT are legitimate security companies.

At this point in time, there is no other way to get data back from a ransomware infection. You either need to avoid ransomware altogether, reinstall your operating system and restore from good backups, or use the FireEye/Fox IT service. If you try the service I would love to hear about your experiences with it.

This post first appeared on Exploring Information Security.

What vendors should not do at a security conference

This is what not to do if you're a vendor at a security conference.

Sure, sex sells, but a lot of the people going to a security conference are PROFESSIONALS. What turns on security professionals at a security conference are products that work well and vendors that can technically explain that product.

Leave the half-naked women at home.

This post first appeared on Exploring Information Security.

Terrifying 'Hacker Summercamp' links August 7, 2014

BSides Las Vegas - Incidents happen, react and learn from them - Dan Raywood - IT Security Guru

Adam Shostack opened the BSides Las Vegas conference with a talk titled "Beyond good and evil." The gist of the talk is to be more open about incidents that occur within the organization. The idea is that the transparency will not only benefit the breached but also those looking to learn from a breach.

Black Hat 2014 and Media Fud - Bill Brenner - Liquidmatrix

Read this and you'll understand why the word 'terrifying' leads the title of this post.

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them - Kim Zetter - WIRED

In the opening keynote at Black Hat, Dan Geer suggested, among other things, that the U.S. government buy up all the zero-day vulnerabilities and release them to the public. This would allow companies to close a lot of vulnerabilities in their software and applications. I like the idea, I just don't think we'll ever see it happen.

This post first appeared on Exploring Information Security.

InfoSec links August 6, 2014

The NSA's Cyber-King Goes Corporate - Shane Harris - Foreign Policy

Join Army -> Rise to four-star general -> Become head of NSA -> Set up surveillance state -> Retire -> Create new security software to detect "cyber-intruders" -> Profit

Why the Security of USB Is Fundamentally Broken - Andy Greenberg - WIRED

Welcome to my paranoia. USB drives are a wonderful thing. They really are. Unfortunately, they can be configured or programmed to be an awful thing, and that is scary. Never plug an untrusted, or unknown, USB anything into your computer. Ever!

Announcing EMET 5 - Security Research and Defense Blog - Microsoft

EMET is a fantastic tool and one of the easiest, quickest and cheapest ways to improve the security on your computers. I would highly recommend downloading it and giving it a try at home and at work.

This post first appeared on Exploring Information Security.

Exploring Information Security: What is cryptography

Justin Troutman

In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth-sounding Justin Troutman, a cryptographer from North Carolina, about what cryptography is.

Justin is a security and privacy researcher currently working on a project titled "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.

In the interview Justin talks about:

  • What cryptography is

  • Why everyone should care about cryptography

  • What some of its applications are

  • How someone would get started in cryptography and what some of the skills needed are

Leave feedback and topic suggestions in the comment section below.

This post first appeared on Exploring Information Security.

InfoSec links July 29, 2014

Banks: Card Breach at Goodwill Industries - Brian Krebs - Krebs on Security

Who steals from Goodwill? Honestly.

What's the worst thing you can say to a sysadmin? - Naked Security - Sophos

I had no idea there was such a thing as SysAdmin Day, let alone that it's been going on for the past 15 years.

The Barnaby Jack Few Knew: Celebrated Hacker Saw Spotlight as 'Necessary Evil' - Jordan Robertson - Bloomberg

A profile on Barnaby Jack, about whom I've heard only good things.

This post first appeared on Exploring Information Security.

InfoSec Links July 28, 2014

Here's How Easy It Could Be for Hackers to Control Your Hotel Room - Kim Zetter - Wired

The attack surface for hotels will increase as more electronic amenities are added to rooms. Security should be kept in mind from both the hotel side and the guest side.

How Thieves Can Hack and Disable Your Home Alarm System - Kim Zetter - Wired

It looks like some home security companies have some work to do in the security arena. Codes are being transmitted in a way that allows someone with the right equipment to capture your home alarm system code, and they don't necessarily need to be standing in front of your house. I like the idea of rotating numbers, similar to what you get with two-factor authentication.

The App I Used to Break Into My Neighbor's Home - Andy Greenberg - Wired

This is scary. And even scarier is the fact that the company that designed an app to make keys from a picture seems to downplay some of the concerns surrounding that technique.

This post first appeared on Exploring Information Security.

AddThis, the White House, and Privacy Badger

White House Website Includes Unique Non-Cookie Tracker, Conflicts With Privacy Policy - Peter Eckersley - Electronic Frontier Foundation

The company AddThis has been playing around with a replacement for cookies. The idea is that each computer handles browser traffic slightly differently, so give it a pen and paper and let it draw a visualization of what that looks like. A cool idea, but it essentially means AddThis is fingerprinting all computers for tracking purposes. Not a good thing for privacy, and apparently the White House dot gov is one of many sites running this newfangled voodoo from AddThis. There is a way to mitigate this though, and it comes in the form of EFF's recently released browser extension, Privacy Badger.

The extension is easy to install. Simply go to this site and click on the link for your browser. Accept the installation of the extension. Once the extension has been installed, a badger icon will appear in the top right corner of the browser and a page will open explaining what the different indicators mean.

  • Green means you’re not being tracked.

  • Yellow means the site is tracking you, but it is on a whitelist. The cookie in question may be needed to view the page properly.

  • Red means the content has been disallowed.

Clicking on the extension icon will open up a panel with the list of domains that are being either blocked or allowed. You can change the setting for a domain by sliding the bar left or right.

The extension is really easy to install and use, and it improves your privacy while surfing the internet. I've been using it for a little while now and I haven't noticed any significant performance issues. I have noticed that I am no longer creeped out by ads that display services or equipment from email conversations with other people.

Another extension I highly recommend is NoScript for Firefox. According to Bruce Schneier, it appears that extension will block most of this stuff as well. NoScript requires a little more involvement, as it blocks everything by default and you have to decide what to allow, but it is one of the easiest things you can do to improve your own personal security as you browse the internet.

If you have anything further to add or other suggestions for safe browsing, leave a comment below.

This post first appeared on Exploring Information Security.

InfoSec links July 24, 2014

"Severe" password manager attacks steal digital keys and data en masse - Dan Goodin - ars technica

I've never liked the idea of putting my passwords in the cloud, and that's essentially what you're doing with these web-based password managers. The fact that research has determined them to be vulnerable does not sway me to put my passwords online.

Automobile Industry Accelerates Into Security - Kelly Jackson Higgins - Dark Reading

Automobile security is about to become a major thing. Unlike a computer, if a car is hacked it could mean life or death for someone. I’ve read several articles recently that give encouraging signs that some automobile makers are taking car security seriously.

Security Firm Manages To Access Deleted Data On Used Android Devices - Red Orbit

iPhone users, carry on. According to this article, old Android phones do not exactly wipe the drive when a reset to factory defaults is initiated. Apparently, all that does is delete or erase the index file, so the phone can't find the old data. Forensic tools, on the other hand, are very capable of finding the old data. Great if you realize you need something; not so great if you don't need anything. The workaround is to enable encryption on the device, then do a factory reset. Encrypting the drive makes it so that when the index file is deleted the data becomes unreadable, because the encryption key is lost.

This post first appeared on Exploring Information Security.

Public infosec links July 21, 2014

How to remove your house from Google Street View - Graham Cluley - welivesecurity

Google is mapping the world, which does come with privacy concerns. However, there is a way for someone to request that their home be blurred on Google Maps street view.

The Rise of Thin, Mini and Insert Skimmers - Brian Krebs - Krebs on Security

There are devices that can be attached to an ATM that can grab your credit card information and PIN. The stuff is meant to look like it's part of the ATM. If you can wiggle something loose at an ATM, it's probably not meant to be there. Look for anything that appears to be out of place on an ATM.

Beware Keyloggers at Hotel Business Centers - Brian Krebs - Krebs on Security

Malware on a public machine is not all that surprising. Using a public computer for personal accounts is never a good idea. I would recommend avoiding public computers altogether, but if you must, I would be very careful about what information you access on that machine.

This post first appeared on Exploring Information Security.

InfoSec links July 18, 2014

It Is Idiotic To Hand Out Your Twitter Password to Prove Passwords Are Dead - Kashmir Hill - Forbes

How a journalist distributed denial-of-serviced (DDoS) his own account in one easy step: he tweeted out his Twitter password with two-factor authentication on. He wanted to prove that two-factor authentication is a fantastic security measure. To my knowledge no one has gotten into his Twitter account yet; however, he has had to switch phone numbers.

Project Zero - A Team of Star-Hackers Hired by Google to Protect the Internet - Mohit Kumar - The Hacker News

I can't help but get a little giddy about this. It sounds very Avengers-like and a new way to think about information security. I have on my board at work "Hunt Teams," which is an idea I heard on a podcast. The team essentially tries to prove that the organization hasn't been hacked yet.

Meet Google's Security Princess - Clare Malone - Elle

A wonderful read on Google's Security Princess (her title choice) Parisa Tabriz. She's the hacker hired by Google to break into Google. The article talks about her background and rise to a security manager of 30 people at Google. It's Friday; take about 15 minutes to read through this article. You won't be disappointed.

This post first appeared on Exploring Information Security.

Infosec links July 16, 2014

2014: The Year Extortion Went Mainstream - Brian Krebs - Krebs on Security

Extortion has been around for a while, but it looks like it might be the hot new strategy for online criminals to make money. The idea is that you get a letter in the mail requesting that you pay the extortionists in bitcoin or have your business or person languish online via negative publicity. Of course there's also the good ol' CryptoLocker malware that encrypts your hard drive and holds all your data hostage until you pay. Fun times.

The 5 Biggest Cybersecurity Myths, Debunked - Peter W. Singer and Allan Friedman - WIRED

An interesting list of five cyber security myths:

  • Cybersecurity is unlike any challenge we have faced

  • Every day we face "millions of cyber attacks"

  • This is a technology problem

  • The best (cyber) defense is a good (cyber) offense

  • "Hackers" are the biggest threat to the internet today

You may not agree with all of them, but they should at least make you think about several issues involving information security.

The State of Metric Based Security - Gavin Millard - Infographic

Metrics are something I've always wanted to get into. This infographic doesn't discuss how to do metrics, but instead looks at who is doing metrics and to what effect. A good read if you want to see how companies are viewing metrics within information security. I'm planning on having a future podcast about the topic.

This post first appeared on Exploring Information Security.

InfoSec links July 15, 2014

Pandemiya Emerges As New Malware Alternative To Zeus-Based Variants - Fraud Report - EMC/RSA

This is a breakdown of some new malware called Pandemiya. It's being offered as an alternative to the widely popular Zeus trojan. The price tag is between $1500 and $2000.

Crooks Seek Revival of 'Gameover Zeus' Botnet - Brian Krebs - Krebs on Security

The previously dead Gameover Zeus botnet is apparently making a comeback. After the initial takedown, the owners of the botnet laid low for a while. Now it appears they're trying to bring it back. The old botnet is still in lockdown, so this appears to be an effort to rebuild the botnet from the ground up.

Glenn Beck's The Blaze Site Serving Malicious Ads - Pat Belcher - invincea

My care meter for politics:

don’t care |-|---------------------| care

Glenn Beck can be a bit of a hot topic, but it's his site I want to focus on, The Blaze. It's been discovered that his site, via advertising, is serving up malware to people that visit it. The site itself is not compromised; it's the ad services running on the site. Ad services do not vet the people who submit ads, which makes it easy for nefarious folk to submit ads with malware attached. The Blaze, according to the article, is ranked the number two political site on the web, thus making it a target for these kinds of ads. If you see an ad that interests you, I would suggest doing a Google search instead of clicking the ad.

This post first appeared on Exploring Information Security.

Infosec links July 11, 2014

Kaspersky Lab uncovers new Android and iOS spying tools - Ian Barker - betanews

A company called Hacking Team has developed a trojan that can spy on both Android and iOS devices. It's delivered via spear phishing, and via malware that gets the trojan installed when the phone is synced with an infected computer. Most of the functions appear to be for surveillance purposes. I wonder who would want to purchase such a thing.

More on Hacking Team's Government Spying Software - Bruce Schneier - Schneier on Security

Well, ethical governments of course. At least that's who Hacking Team claims they sell the trojan to. What are the criteria for an ethical government?

  • Must be nice to citizens

  • Must feed the hungry

  • Must provide hugs

  • Must not surv$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

The Ex-Google Hacker Taking on the World's Spy Agencies - Andy Greenberg - WIRED

A really interesting profile on Marquis-Boire, who used to work for Google as a security researcher but now works for First Look Media. His job: to keep journalists who handle sensitive information, e.g. Glenn Greenwald, safe.

This post first appeared on Exploring Information Security.

InfoSec links July 10, 2014

Facebook manipulates 700k users' newsfeeds in secret study prompting backlash - ABC News Australia

Apparently, Facebook has been manipulating people's timelines in the interest of SCIENCE! What's interesting to me is that most of the people I talked to about this really didn't have a problem with it. Facebook's terms of service are certainly going to cover their ass in this instance, but I don't know that I like the fact that they're playing with people's timelines to gauge an emotional reaction. I deleted my Facebook account several months ago, but my wife and several family members and friends are on the site. I'd hate to find out that they're all pissed off because Facebook is experimenting on them.

How Google Map Hackers Can Destroy a Business at Will - Kevin Poulsen - WIRED

Small businesses beware. Your competition could potentially change information on Google that could impact your business. I would highly suggest managing, or getting someone to manage, your online presence.

Enterprise Social Cyber Attack Infographic - ZeroFox

This is an interesting infographic on how attackers are leveraging social media to phish or get someone to install malware.

This post first appeared on Exploring Information Security.

Update Adobe Flash

“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al. - Dan Goodin - ars technica

Update Adobe Flash. A new technique has been discovered that would allow an attacker access to a user's credentials for certain sites. The vulnerability seems to revolve around JSONP. If you work at an organization that uses this type of coding on its websites, you might want to have your web developers take a look at this blog post explaining the technique.
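The kind of server-side hardening a site's developers would apply to a JSONP endpoint, as an added example that is not from the original post or the linked article. The callback whitelist, the leading `/**/` comment and the helper names are my assumptions about a reasonable defence, not anything the post specifies; the point is that the caller must never control the first bytes of a response the browser will execute.

```javascript
// Added example: building a JSONP response defensively.
// JSONP lets the caller pick the callback name, and whatever it picks
// becomes the first bytes of a body the browser executes as script.
// Two rules are applied here:
//   1. Accept only callback names shaped like a JavaScript identifier path
//      (letters, digits, _, $ and dots) and cap their length.
//   2. Never let caller-controlled bytes start the body: prefix a harmless
//      comment, and tell the browser not to sniff the content type.
// The function names are hypothetical, not a real framework's API.

const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallback(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Returns { status, headers, body } for a JSONP request.
function buildJsonpResponse(callback, data) {
  if (!isSafeCallback(callback)) {
    // Reject rather than "clean up" the name; a 400 is the safe outcome.
    return {
      status: 400,
      headers: { 'Content-Type': 'application/json; charset=utf-8',
                 'X-Content-Type-Options': 'nosniff' },
      body: JSON.stringify({ error: 'invalid callback name' }),
    };
  }
  const json = JSON.stringify(data)
    // U+2028/2029 are legal inside JSON strings but terminate a JS line.
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8',
               'X-Content-Type-Options': 'nosniff' },
    body: `/**/${callback}(${json});`,
  };
}

// Constructed sample requests: one legitimate, one with an odd callback.
console.log(buildJsonpResponse('app.onUser', { name: 'alice' }).body);
console.log(buildJsonpResponse('x;y', { name: 'alice' }).status);
```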

This post first appeared on Exploring Information Security.

Exploring information security: What is a Chief Information Security Officer

In the third edition of the Exploring Information Security (EIS) podcast, my infosec cohort Adam Twitty and I talk to the Wh1t3 Rabbit, Rafal Los, about what exactly a Chief Information Security Officer, otherwise known as a CISO, is.

Rafal Los presenting at BSides Nashville

Rafal Los (@Wh1t3Rabbit) is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog. I would highly recommend both if you're in the infosec field or looking to get into it.

In the interview Rafal talks about:

  • What a CISO is

  • What role a CISO fills in an organization

  • What skills are needed to be an effective CISO

  • The different types of CISOs

Leave feedback and topic suggestions in the comment section.

This post first appeared on Exploring Information Security.