learnings from the battlefield

The past 12 months have seen 6 New Zealand security professionals embark on a volunteer project that is focused on finding security issues that concern New Zealand businesses and our address space. This group has become known as “Threat Safari”.

A large percentage of the findings that we’ve made are phishing sites and dumped credentials, but we’ve also made some significant achievements in discovering and aiding the resolution of botnet and malware infrastructure in New Zealand.

This post was originally published in May of this year, and has been updated and republished to accompany my purplecon talk: Roast Criminals, Not Marshmallows.


Continue reading “learnings from the battlefield”

revisiting the watering hole – again

One of the most popular developments of mine, and in my opinion one of the most effective at what it is aimed to do, is the Pond Security Awareness Framework. In the last post I made regarding it, I had introduced the concept of mutliple campaigns and collaboration via SignalR. Multiple users could work on the same campaign, saving and resuming work on them whenever they please. My problem was, however, that the attack vector was still limited to email – I wanted more. So, I have introduced an API, meaning that any method of attack can be used where code can be executed to POST to a URL.

Further to this, the code has now – finally – been made public under the Apache license.
Continue reading “revisiting the watering hole – again”

building stronger walls

Speaking at OWASP NZ Day 2016 was certainly quite an experience. Prior to it I had only really spoken to local user groups: 30-50 people max – so being thrown in front of 600 pretty clued up people was, as some would say, akin to being thrown into the deep end. Sadly, I remain quite disappointed that I didn’t manage to catch many of the afternoon talks due to having a bright idea of taking the 6:30am flight to Auckland and subsequently falling asleep in my hotel room during the lunch break. However, what I did manage to see made one thing very clear: the only way a higher standard of security can be produced by your developers is by working alongside them as opposed to taking the stance of a dictator – shooting down their code, questioning their competency and generally doing anything that makes it clear you’re the boss.

In this post I’ll provide a recap on the main content of my talk: the ideas and solutions behind making security a core focal point of your development with minimal disruption to standard processes.
Continue reading “building stronger walls”

revisiting the watering hole

Earlier this year, in May, I wrote about a phishing framework that I used to mount a company wide phishing campaign – for testing purposes, of course. Since then several other companies have used the application for the same purpose, and there has been some real interest in it within the local security community. This interest sparked a revival of the project: complete rearchitecture, redesign and rethinking of how it should be used. Whilst the code isn’t quite ready for public release and I haven’t started on documentation, in this post I’ll outline the new architecture and demonstrate a campaign from beginning to end. Continue reading “revisiting the watering hole”

lord of the flies

The popularity of a security consultant within a development oriented organisation is most certainly bi-polar. Occasionally, after thwarting a breach or reporting a bug directly to a developer rather than through JIRA (where it would expose their incompetence), we are gifted the opportunity of feeling a little more human and receive – for once – some warmth from our fellow compatriots. Most of the time, however, we’re that troll under the bridge pulling at peoples ankles, standing in their way and grunting orders at them as they try to cross. On the other hand, the reality is that the very nature of our jobs is to protect and help others, and to do so requires a solid understanding of all layers of the stack. So, for the most part we’re not grunting orders whilst having no clue as to what we’re talking about: we’re making well informed observations that warrant attention.

Many a dev shop I’ve stepped into can be likened to the Lord of the Flies, where the developers are so focused on design, functionality and UX that they lose touch with what really makes a product: engineering. Design may sell a product, but without solid engineering it will almost certainly see a short lifespan, significant downtime, no sales via word-of-mouth and/or reputational harm. What I’ve been trying to teach developers is that security not only has the function of protecting data and users, but it also promotes robust engineering. Making security a priority throughout the entire design and development process ultimately forms a more reliable product that will require less ongoing downtime to patch bugs – allowing developers to focus more on functionality and design during post go-live sprints. Think of it this way: if you cut corners when constructing the foundations and frame of a house, only to later discover that there is a critical issue with either, you’re going to have one hell of a time trying to address the issue without seriously impacting it’s occupants. So, the key to forcing a shift toward secure development practices is education: knowing vulnerabilities and their impact, coding securely, testing and how to efficiently integrate standards into projects. An effective tool to illustrate this and to get developers adopting more of a hacker mindset are HackMe applications. Previously I developed and released vuln_demo, however I’ve recently ended this project and created FooBl0g. Continue reading “lord of the flies”

negative reinforcement

Security Questionnaires and Wiki’s are all well and good: they tick the auditors boxes and teach those who already have a vague comprehension of security an extra thing or two… but, they fail at reinforcing their teachings. To most they are yet another painful administration exercise that you unwillingly undertake on a regular basis. They are completed, yet people still consistently fall for the same tricks. So, is there any way to begin reinforcing the basic principles that we are forever trying to shove down the throats of staff?
Continue reading “negative reinforcement”

knowledge is safety

Numerous research projects have proven that a large percentage (arguably a majority) of people fall victim to crime online – a percentage that is growing every year. I have always been of the belief that criminals operate on the bleeding edge of technology, and defenses are constantly playing catch-up with them. Research – and logic – also indicates that these ‘advanced’ attacks ultimately rely on the exploitation of human vulnerabilities to succeed, at least enough to get a foot-hold in the target system whereafter traditional methods are employed. Many organisations and security vendors fail to realise this, which may be intentional (to ensure the profitability of their products), and promote the use of active measures to protect users from such attacks, neglecting the root cause that is uneducated users.

In a bid to do things a bit differently I have spent considerable time putting together an education program for staff, their families and friends. After looking at what some other companies were doing, it seemed the trend was to publish a single document that listed a bunch of do’s and do-not’s and only required a signature to verify that the reader had digested it. Furthermore, the scope of it was really only limited to how their interacted with their workstations – not the wider network (including the internet). I see several issues with this:

  • As it does not test the reader, it does not provide a measurement to security staff of their level of risk.
  • The real risks users will face in our networks will be from the internet.
  • It is inherently boring, so is likely to be treated like software T&C’s and accepted with little to no attention paid to it’s contents.

So, what I wanted to do was piece together a program that provides feedback to me, is enjoyable and adaptable to varying levels of existing knowledge.
Continue reading “knowledge is safety”